Edge-Core ECS4120-28F Reference Manual

28/52-port layer 2+ gigabit ethernet switch

ECS4120-28F/28F-I
ECS4120-28T/28P
CLI Reference Guide
ECS4120-52T
28/52-Port Layer 2+
Gigabit Ethernet Switch
Software Release v1.0.2.25
www.edge-core.com

Summary of Contents for Edge-Core ECS4120-28F

  • Page 1 ECS4120-28F/28F-I ECS4120-28T/28P CLI Reference Guide ECS4120-52T 28/52-Port Layer 2+ Gigabit Ethernet Switch Software Release v1.0.2.25 www.edge-core.com...
  • Page 2: CLI Reference Guide

    ECS4120-28T Gigabit Ethernet Switch L2+ Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Ports ECS4120-28F Gigabit Ethernet Switch L2+ Gigabit Ethernet Switch with 20 100/1000 SFP Ports, 4 10/100/1000 BASE-T (RJ-45) / 100/1000 SFP Combo Ports, 4 10 Gigabit SFP+ Ports, and DC Power Supply °...
  • Page 3: How To Use This Guide

    How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
  • Page 4 This section summarizes the changes in each revision of this guide. Revision Date Change Description v1.0.2.25 09/2017 Added: ECS4120-28F-I ◆ "ip dhcp l2 relay" on page 841 ◆ "ip dhcp l3 relay" on page 841 ◆ "ip dhcp snooping information option tr101 board- ◆...
  • Page 5: Table Of Contents

    Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Logging Onto the Command Line Interface Setting Passwords Remote Connections (Network Interface) Configuring the Switch for Remote Management Setting an IP Address Enabling SNMP Management Access...
  • Page 6 Contents Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
  • Page 7 Contents hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note show banner System Status show access-list tcam-utilization show location-led status show memory...
  • Page 8 Contents General Commands boot system copy delete umount usbdisk whichboot Automatic Code Upgrade Commands upgrade opcode auto upgrade opcode path upgrade opcode reload show upgrade TFTP Configuration Commands ip tftp retry ip tftp timeout show ip tftp Line line databits exec-timeout login parity...
  • Page 9 Contents logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands sntp client sntp poll sntp server show sntp NTP Commands ntp authenticate ntp authentication-key...
  • Page 10 Contents show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 5 SNMP Commands General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host snmp-server enable port-traps mac-notification...
  • Page 11 Contents show nlm oper-status show snmp notify-filter Additional Trap Commands memory process cpu process cpu guard 6 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 7 Flow Sampling Commands sflow owner sflow polling instance...
  • Page 12 Contents radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting...
  • Page 13 Contents ip ssh server ip ssh server-key size ip ssh timeout delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication General Commands dot1x default dot1x eapol-pass-through dot1x system-auth-control Authenticator Commands...
  • Page 14 Contents pppoe intermediate-agent port-enable pppoe intermediate-agent port-format-type pppoe intermediate-agent port-format-type remote-id pppoe intermediate-agent trust pppoe intermediate-agent vendor-tag strip clear pppoe intermediate-agent statistics show pppoe intermediate-agent info show pppoe intermediate-agent statistics 9 General Security Measures Port Security mac-learning port security port security mac-address-as-permanent show port security Network Access (MAC Address Authentication) network-access aging...
  • Page 15 Contents Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCPv4 Snooping ip dhcp snooping ip dhcp snooping information option ip dhcp snooping information option encode no-subtype ip dhcp snooping information option remote-id ip dhcp snooping information option tr101 board-id information policy...
  • Page 16 Contents ipv6 dhcp snooping trust clear ipv6 dhcp snooping binding clear ipv6 dhcp snooping statistics show ipv6 dhcp snooping show ipv6 dhcp snooping binding show ipv6 dhcp snooping statistics IPv4 Source Guard ip source-guard binding ip source-guard ip source-guard max-binding ip source-guard mode clear ip source-guard binding blocked show ip source-guard...
  • Page 17 Contents dos-protection tcp-null-scan dos-protection tcp-syn-fin-scan dos-protection tcp-xmas-scan show dos-protection Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 10 Access Control Lists IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs...
  • Page 18 Contents show access-list arp show arp access-list ACL Information clear access-list hardware counters show access-group show access-list 11 Interface Commands Interface Configuration interface alias capabilities description discard flowcontrol history media-type negotiation shutdown speed-duplex switchport block switchport mtu clear counters show discard show interfaces brief show interfaces counters show interfaces history...
  • Page 19 Contents transceiver-threshold tx-power transceiver-threshold voltage show interfaces transceiver show interfaces transceiver-threshold Cable Diagnostics test cable-diagnostics test loop internal show cable-diagnostics show loop internal Power Savings power-save show power-save 12 Link Aggregation Commands Manual Configuration Commands port channel load-balance channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority...
  • Page 20 Contents show power mainpower 14 Port Mirroring Commands Local Port Mirroring Commands port monitor show port monitor RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 15 Congestion Control Commands Rate Limit Commands rate-limit Storm Control Commands switchport packet-rate Automatic Traffic Control Commands...
  • Page 21 Contents snmp-server enable port-traps atc multicast-control-release ATC Display Commands show auto-traffic-control show auto-traffic-control interface 16 Loopback Detection Commands loopback-detection loopback-detection action loopback-detection recover-time loopback-detection transmit-interval loopback detection trap loopback-detection release show loopback-detection 17 UniDirectional Link Detection Commands udld detection-interval udld message-interval udld recovery udld recovery-interval udld aggressive...
  • Page 22 Contents spanning-tree pathcost method spanning-tree priority spanning-tree mst configuration spanning-tree system-bpdu-flooding spanning-tree transmission-limit max-hops mst priority mst vlan name revision spanning-tree bpdu-filter spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection spanning-tree loopback-detection action spanning-tree loopback-detection release-mode spanning-tree loopback-detection trap spanning-tree mst cost spanning-tree mst port-priority spanning-tree port-bpdu-flooding...
  • Page 23 Contents enable guard-timer holdoff-timer major-domain meg-level mep-monitor node-id non-erps-dev-protect non-revertive propagate-tc raps-def-mac raps-without-vc ring-port rpl neighbor rpl owner version wtr-timer clear erps statistics erps clear erps forced-switch erps manual-switch show erps 21 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer switchport forbidden vlan switchport gvrp...
  • Page 24 Contents Configuring VLAN Interfaces interface vlan switchport acceptable-frame-types switchport allowed vlan switchport ingress-filtering switchport mode switchport native vlan vlan-trunking Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode switchport dot1q-tunnel priority map switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid show dot1q-tunnel Configuring L2PT Tunneling...
  • Page 25 Contents Configuring Voice VLANs voice vlan voice vlan aging voice vlan mac-address switchport voice vlan switchport voice vlan priority switchport voice vlan rule switchport voice vlan security show voice vlan 22 Class of Service Commands Priority Commands (Layer 2) queue mode queue weight switchport priority default show queue mode...
  • Page 26 Contents class-map description match rename policy-map class police flow police srtcm-color police trtcm-color set cos set ip dscp set phb service-policy show class-map show policy-map show policy-map interface 24 Multicast Filtering Commands IGMP Snooping ip igmp snooping ip igmp snooping priority ip igmp snooping proxy-reporting ip igmp snooping querier ip igmp snooping router-alert-option-check...
  • Page 27 Contents ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static clear ip igmp snooping groups dynamic clear ip igmp snooping statistics show ip igmp snooping show ip igmp snooping group show ip igmp snooping mrouter show ip igmp snooping statistics...
  • Page 28 Contents ipv6 mld snooping proxy-reporting ipv6 mld snooping robustness ipv6 mld snooping router-port-expire-time ipv6 mld snooping unknown-multicast mode ipv6 mld snooping unsolicited-report-interval ipv6 mld snooping version ipv6 mld snooping vlan immediate-leave ipv6 mld snooping vlan mrouter ipv6 mld snooping vlan static clear ipv6 mld snooping groups dynamic clear ipv6 mld snooping statistics show ipv6 mld snooping...
  • Page 29 Contents mvr profile mvr proxy-query-interval mvr priority mvr proxy-switching mvr robustness-value mvr source-port-mode dynamic mvr upstream-source-ip mvr vlan mvr immediate-leave mvr type mvr vlan group clear mvr groups dynamic clear mvr statistics show mvr show mvr associated-profile show mvr interface show mvr members show mvr profile show mvr statistics...
  • Page 30 Contents show mvr6 show mvr6 associated-profile show mvr6 interface show mvr6 members show mvr6 profile show mvr6 statistics 25 LLDP Commands lldp lldp holdtime-multiplier lldp med-fast-start-count lldp notification-interval lldp refresh-interval lldp reinit-delay lldp tx-delay lldp admin-status lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name...
  • Page 31 Contents lldp med-tlv network-policy lldp notification show lldp config show lldp info local-device show lldp info remote-device show lldp info statistics show lldp info statistics 26 CFM Commands Defining CFM Structures ethernet cfm ais level ethernet cfm ais ma ethernet cfm ais period ethernet cfm ais suppress alarm ethernet cfm domain ethernet cfm enable...
  • Page 32 Contents Cross Check Operations ethernet cfm mep crosscheck start-delay snmp-server enable traps ethernet cfm crosscheck mep crosscheck mpid ethernet cfm mep crosscheck show ethernet cfm maintenance-points remote crosscheck Link Trace Operations ethernet cfm linktrace cache ethernet cfm linktrace cache hold-time ethernet cfm linktrace cache size ethernet cfm linktrace clear ethernet cfm linktrace-cache...
  • Page 33 Contents show efm oam event-log interface show efm oam remote-loopback interface show efm oam status interface show efm oam status remote interface 28 Domain Name Service Commands ip domain-list ip domain-lookup ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache...
  • Page 34 Contents ip address ip default-gateway show ip interface show ip traffic traceroute ping ARP Configuration ip proxy-arp arp timeout clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address autoconfig ipv6 address eui-64 ipv6 address link-local ipv6 enable ipv6 mtu...
  • Page 35 Contents show ipv6 neighbors ND Snooping ipv6 nd snooping ipv6 nd snooping auto-detect ipv6 nd snooping auto-detect retransmit count ipv6 nd snooping auto-detect retransmit interval ipv6 nd snooping prefix timeout ipv6 nd snooping max-binding ipv6 nd snooping trust clear ipv6 nd snooping binding clear ipv6 nd snooping prefix show ipv6 nd snooping show ipv6 nd snooping binding...
  • Page 36 Contents – 36 –...
  • Page 37: Figures

    Figures Figure 1: Storm Control by Limiting the Traffic Rate Figure 2: Storm Control by Shutting Down a Port Figure 3: Non-ERPS Device Protection Figure 4: Sub-ring with Virtual Channel Figure 5: Sub-ring without Virtual Channel Figure 6: Configuring VLAN Trunking Figure 7: Mapping QinQ Service VLAN to Customer VLAN Figure 8: Configuring VLAN Translation –...
  • Page 38 Figures – 38 –...
  • Page 39: Tables

    Tables Table 1: Options 60, 66 and 67 Statements Table 2: Options 55 and 124 Statements Table 3: General Command Modes Table 4: Configuration Command Modes Table 5: Keystroke Commands Table 6: Command Group Index Table 7: General Commands Table 8: System Management Commands Table 9: Device Designation Commands Table 10: Banner Commands Table 11: System Status Commands...
  • Page 40 Tables Table 30: show snmp engine-id - display description Table 31: show snmp group - display description Table 32: show snmp user - display description Table 33: show snmp view - display description Table 34: RMON Commands Table 35: sFlow Commands Table 36: Authentication Commands Table 37: User Access Commands Table 38: Default Login Settings...
  • Page 41 Tables Table 65: DoS Protection Commands Table 66: Commands for Configuring Traffic Segmentation Table 67: Traffic Segmentation Forwarding Table 68: Access Control List Commands Table 69: IPv4 ACL Commands Table 70: IPv6 ACL Commands Table 71: MAC ACL Commands Table 72: ARP ACL Commands Table 73: ACL Information Commands Table 74: Interface Commands Table 75: show interfaces counters - display description...
  • Page 42 Tables Table 100: ERPS Commands Table 101: ERPS Request/State Priority Table 102: show erps - summary display description Table 103: show erps domain - detailed display description Table 104: show erps statistics - detailed display description Table 105: VLAN Commands Table 106: GVRP and Bridge Extension Commands Table 107: show bridge-ext - display description Table 108: Commands for Editing VLAN Groups...
  • Page 43 Tables Table 135: IGMP Authentication RADIUS Attribute Value Pairs Table 136: MLD Snooping Commands Table 137: MLD Filtering and Throttling Commands Table 138: Multicast VLAN Registration for IPv4 Commands Table 139: show mvr - display description Table 140: show mvr interface - display description Table 141: show mvr members - display description Table 142: show mvr statistics input - display description Table 143: show mvr statistics output - display description...
  • Page 44 Tables Table 170: DHCP Commands Table 171: DHCP Client Commands Table 172: Options 60, 66 and 67 Statements Table 173: Options 55 and 124 Statements Table 174: DHCP Relay Option 82 Commands Table 175: IP Interface Commands Table 176: IPv4 Interface Commands Table 177: Basic IP Configuration Commands Table 178: Address Resolution Protocol Commands Table 179: IPv6 Configuration Commands...
  • Page 45: Section I

    Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Initial Switch Configuration" on page 47 –...
  • Page 46 Section I | Getting Started – 46 –...
  • Page 47: Initial Switch Configuration

    Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 48: Connecting To The Console Port

    Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration ◆...
  • Page 49: Logging Onto The Command Line Interface

    Chapter 1 | Initial Switch Configuration Connecting to the Switch Power on the switch. After the system completes the boot cycle, the logon screen appears. Logging Onto the Command Line Interface The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
  • Page 50: Remote Connections (Network Interface)

    Console(config)# * This manual covers the ECS4120-28T/52T Gigabit Ethernet switches, the ECS4120-28F/28F-I Gigabit Ethernet fiber switch, and the ECS4120-28P Gigabit Ethernet PoE switch. Other than the difference in port types, and support for PoE (ECS4120-28P), there are no significant differences. Therefore most of the screen display examples are based on the ECS4120-28T.
  • Page 51: Configuring The Switch For Remote Management

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Configuring the Switch for Remote Management The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging.
  • Page 52 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To assign an IPv4 address to the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask,”...
  • Page 53 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Console(config)#interface vlan 1 Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local Console(config-if)#ipv6 enable Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled. Link-local address: fe80::260:3eff:fe11:6700%1/64 Global unicast address(es): (None) Joined group address(es): ff02::2 ff02::1:ff00:0 ff02::1:ff11:6700...
  • Page 54: Dynamic Configuration

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,”...
  • Page 55 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode.
  • Page 56 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Console(config)#interface vlan 1 Console(config-if)#ipv6 enable Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled Link-local address: FE80::260:3EFF:FE11:6700/64 Global unicast address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined group address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1...
  • Page 57: Enabling SNMP Management Access

    Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Joined group address(es): ff02::1:ff00:fd ff02::1:ff11:6700 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds...
  • Page 58 Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access To configure a community string, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode”...
  • Page 59: Managing System Files

    Chapter 1 | Initial Switch Configuration Managing System Files another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace”...
  • Page 60: Upgrading The Operation Code

    Chapter 1 | Initial Switch Configuration Managing System Files Note: The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. Due to the size limit of the flash memory, the switch supports only two operation code files.
  • Page 61: Saving Or Restoring Configuration Settings

    Chapter 1 | Initial Switch Configuration Managing System Files Saving or Restoring Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy”...
  • Page 62: Automatic Installation Of Operation Code And Configuration Settings

    Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings Console#copy tftp startup-config TFTP server IP address: 192.168.0.4 Source configuration file name: startup-rd.cfg Startup configuration file name [startup1.cfg]: Success. Console# Automatic Installation of Operation Code and Configuration Settings Downloading Automatic Operation Code Upgrade can automatically download an operation Operation Code from...
  • Page 63 Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings upgrade file is stored as ECS4120-Series.BIX (or even ECS4120-series.bix) on a case-sensitive server, then the switch (requesting ECS4120-serieS.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
  • Page 64 Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/ Console(config)# Set the switch to automatically reboot and load the new code after the opcode...
  • Page 65: Specifying A DHCP Client Identifier

    Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings Specifying a DHCP Client Identifier DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier. The client identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or...
  • Page 66: Table 1: Options 60, 66 And 67 Statements

    Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings ◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
  • Page 67: Setting The System Clock

    Chapter 1 | Initial Switch Configuration Setting the System Clock log-facility local7; server-name "Server1"; Server-identifier 192.168.255.250; #option 66, 67 option space dynamicProvision code width 1 length 1 hash size 2; option dynamicProvision.tftp-server-name code 66 = text; option dynamicProvision.bootfile-name code 67 = text; subnet 192.168.255.0 netmask 255.255.255.0 { range 192.168.255.160 192.168.255.200;...
  • Page 68: Setting The Time Manually

    Chapter 1 | Initial Switch Configuration Setting the System Clock Setting the Time Manually To manually set the clock to 14:11:36, April 1st, 2013, enter this command. Console#calendar set 14 11 36 1 April 2013 Console# To set the time zone, enter a command similar to the following. Console(config)#clock timezone Japan hours 8 after-UTC Console(config)# To set the time shift for summer time, enter a command similar to the following.
  • Page 69: Configuring NTP

    Chapter 1 | Initial Switch Configuration Setting the System Clock Configuring NTP Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
  • Page 70 Chapter 1 | Initial Switch Configuration Setting the System Clock – 70 –...
  • Page 71: Command Line Interface

    Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ “Using the Command Line Interface” on page 73 ◆ “General Commands” on page 87 ◆...
  • Page 72 Section II | Command Line Interface ◆ “Spanning Tree Commands” on page 495 ◆ “VLAN Commands” on page 555 ◆ “ERPS Commands” on page 523 ◆ “Class of Service Commands” on page 601 ◆ “Quality of Service Commands” on page 621 ◆...
  • Page 73: Using The Command Line Interface

    Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 74 Chapter 2 | Using the Command Line Interface Accessing the CLI portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1). Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
  • Page 75: Entering Commands

    Chapter 2 | Using the Command Line Interface Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,”...
  • Page 76: Getting Help On Commands

    Chapter 2 | Using the Command Line Interface Entering Commands Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
  • Page 77 Chapter 2 | Using the Command Line Interface Entering Commands power Shows power power-save Shows the power saving information pppoe Displays PPPoE configuration privilege Shows current privilege level process Device process protocol-vlan Protocol-VLAN information public-key Public key information Quality of Service queue Priority queue information radius-server...
  • Page 78: Partial Keyword Lookup

    Chapter 2 | Using the Command Line Interface Entering Commands Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?”...
  • Page 79: Exec Commands

    Chapter 2 | Using the Command Line Interface Entering Commands Table 3: General Command Modes Class Mode Exec Normal Privileged Configuration Access Control List Global Class Map ERPS IGMP Profile Interface Line Multiple Spanning Tree Policy Map Time Range VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode.
  • Page 80: Configuration Commands

    Chapter 2 | Using the Command Line Interface Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 81: Table 4: Configuration Command Modes

    Chapter 2 | Using the Command Line Interface Entering Commands To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following...
  • Page 82: Command Line Processing

    Chapter 2 | Using the Command Line Interface Entering Commands For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 83: Cli Command Groups

    Chapter 2 | Using the Command Line Interface CLI Command Groups CLI Command Groups The system commands can be broken down into the functional groups shown below Table 6: Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the system, or quitting the CLI System Management Display and setting of system information, basic modes of...
  • Page 84 Chapter 2 | Using the Command Line Interface CLI Command Groups (Continued) Table 6: Command Group Index Command Group Description Page ERPS Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks ERPS Configures Ethernet Ring Protection Switching for increased 1257 availability of Ethernet rings commonly used in service...
  • Page 85 Chapter 2 | Using the Command Line Interface CLI Command Groups IPC (IGMP Profile Configuration) LC (Line Configuration) MST (Multiple Spanning Tree) NE (Normal Exec) PE (Privileged Exec) PM (Policy Map Configuration) VC (VLAN Database Configuration)
  • Page 87: General Commands

    General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 7: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...
  • Page 88: Reload (Global Configuration)

    Chapter 3 | General Commands Command Mode Global Configuration Command Usage This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
  • Page 89: Enable

    Chapter 3 | General Commands Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆...
  • Page 90: Quit

    Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (92) enable password (218) quit This command exits the configuration program.
  • Page 91: Show History

    Chapter 3 | General Commands show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 92: Disable

    Chapter 3 | General Commands Command Mode Privileged Exec Example Console#configure Console(config)# Related Commands end (93) disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
  • Page 93: Show Reload

    Chapter 3 | General Commands Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place.
  • Page 94: Command Mode

    Chapter 3 | General Commands Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit % CLI exit session *************************************************************** WARNING - MONITORED ACTIONS AND ACCESSES Station's information: Floor / Row / Rack / Sub-Rack DC power supply:...
  • Page 95: System Management Commands

    System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 8: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch Banner Information Configures administrative contact, device identification and location System Status...
  • Page 96: Table 10: Banner Commands

    Chapter 4 | System Management Commands Banner Information hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 97: Banner Configure

    Chapter 4 | System Management Commands Banner Information (Continued) Table 10: Banner Commands Command Function Mode banner configure Configures the Department information that is displayed department by banner banner configure Configures the Equipment information that is displayed by equipment-info banner banner configure Configures the Equipment Location information that is equipment-location...
  • Page 98: Banner Configure Company

    Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure Company: Edge-Core Networks Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213...
  • Page 99: Banner Configure Dc-Power-Info

    Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure company Big-Ben Console(config)# banner configure dc-power-info This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
  • Page 100: Banner Configure Department

    Chapter 4 | System Management Commands Banner Information banner configure department This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure department dept-name no banner configure department dept-name - The name of the department.
  • Page 101: Banner Configure Equipment-Location

    Example Console(config)#banner configure equipment-info manufacturer-id ECS4120-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core Console(config)# banner configure equipment-location This command is used to configure the equipment location information displayed in the banner.
  • Page 102: Banner Configure Ip-Lan

    Chapter 4 | System Management Commands Banner Information banner configure ip-lan This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure ip-lan ip-mask no banner configure ip-lan ip-mask - The IP address and subnet mask of the device.
  • Page 103: Banner Configure Manager-Info

    Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure lp-number 12 Console(config)# banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number...
  • Page 104: Banner Configure Mux

    Chapter 4 | System Management Commands Banner Information banner configure mux This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected.
  • Page 105: Table 11: System Status Commands

    R&D Albert_Einstein - 123-555-1212 Lamar - 123-555-1219 Station's information: 710_Network_Path,_Indianapolis Edge-Core - ECS4120-28T Floor / Row / Rack / Sub-Rack 3/ 10 / 15 / 12 DC power supply: Power Source A: Floor / Row / Rack / Electrical circuit 3/ 15 / 24 / 48v-id_3.15.24.2...
  • Page 106: Show Access-List Tcam-Utilization

    Chapter 4 | System Management Commands System Status (Continued) Table 11: System Status Commands Command Function Mode show process cpu Shows CPU utilization parameters NE, PE show process cpu guard Shows the CPU utilization watermark and threshold show process cpu task Shows CPU utilization per process show running-config Displays the configuration data currently in use...
  • Page 107: Show Location-Led Status

    Chapter 4 | System Management Commands System Status L - Link local, Reserved - Reserved, ALL - All supported function, Unit Device Pool Total Used Free Capability ---- ------ ---- ----- ----- ----- ---------------------------------------- 128 A6S D6S 128 A6E D6E C L 128 A4 D4 128 AM DM 0 I6...
  • Page 108: Show Process Cpu

    Chapter 4 | System Management Commands System Status Related Commands memory (198) show process cpu This command shows the CPU utilization parameters, alarm status, and alarm thresholds. Command Mode Normal Exec, Privileged Exec Example Console#show process cpu CPU Utilization in the past 5 seconds : 7% CPU Utilization in the past 60 seconds Average Utilization : 8%...
  • Page 109: Table 12: Show Process Cpu Guard - Display Description

    Chapter 4 | System Management Commands System Status Table 12: show process cpu guard - display description Field Description CPU Guard Configuration Status Shows if CPU Guard has been enabled. High Watermark If the percentage of CPU usage time is higher than the high-watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
  • Page 110: Show Running-Config

    Chapter 4 | System Management Commands System Status IML_RX 0.00 0.00 0.00 IML_TX 0.00 0.00 0.00 KEYGEN_TD 0.00 0.00 0.00 L2_L4_PROCESS 0.00 0.00 0.00 L2MCAST_GROUP 0.00 0.00 0.00 L2MUX_GROUP 0.00 0.00 0.00 L4_GROUP 0.00 0.00 0.00 LACP_GROUP 0.00 0.00 0.00 MSL_TD 0.00 0.00...
  • Page 111 Chapter 4 | System Management Commands System Status port-channel channel-id (Range: 1-26) vlan vlan-id (Range: 1-4094) Command Mode Privileged Exec Command Usage ◆ Use the interface keyword to display configuration data for the specified interface. ◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
  • Page 112: Show Startup-Config

    Chapter 4 | System Management Commands System Status capabilities 1000full interface ethernet 1/1 interface vlan 1 ipv6 enable ipv6 address 2001:db8:2222:7272::/64 ipv6 address fe80::260:3eff:fe11:6700 link-local ipv6 default-gateway 2001:db8:2222:7272::254 line console line vty Console# Related Commands show startup-config (112) show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system.
  • Page 113: Show System

    Chapter 4 | System Management Commands System Status Example Refer to the example for the running configuration file. Related Commands show running-config (110) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage ◆...
  • Page 114: Table 13: Show System - Display Description

    Chapter 4 | System Management Commands System Status Main Power Status : Up Redundant Power Status : Not present Console# Table 13: show system – display description Parameter Description System Description Brief description of device type. System OID String MIB II object ID for switch’s network management subsystem. System Up Time Length of time the management agent has been up.
  • Page 115: Show Users

    Chapter 4 | System Management Commands System Status runtime.bix OpCode 1970-01-01 00:00:16 20971520 Factory_Default_Config.cfg Config 2015-05-15 06:40:35 startup1.cfg Config 2015-05-15 06:40:44 1737 ---------------------------------------------------------------------------- Free space for compressed user config files: 50393088 show arp: ARP Cache Timeout: 1200 (seconds) IP Address MAC Address Type Interface...
  • Page 116: Table 14: Show Version - Display Description

    Chapter 4 | System Management Commands System Status Console# show version This command displays hardware and software version information for the system. Command Mode Normal Exec, Privileged Exec Example Console#show version Unit 1 Serial Number : S123456 Hardware Version : R0A EPLD Version : 0.00 Number of Ports...
  • Page 117: Table 15: Fan Control Commands

    Chapter 4 | System Management Commands Fan Control show watchdog This command shows if watchdog debugging is enabled. Command Mode Privileged Exec Example Console#show watchdog Software Watchdog Information Status : Enabled Console# watchdog software This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
  • Page 118: Table 16: Frame Size Commands

    Chapter 4 | System Management Commands Frame Size fan-speed force-full This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed. Syntax [no] fan-speed force-full Default Setting Normal speed Command Mode Global Configuration Example Console(config)#fan-speed force-full...
  • Page 119: File Management

    Chapter 4 | System Management Commands File Management ◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
  • Page 120: Table 17: Flash/File Commands

    Chapter 4 | System Management Commands File Management can be copied to the FTP/TFTP server, but cannot be used as the destination on the switch. Table 17: Flash/File Commands Command Function Mode General Commands boot system Specifies the file or image used to start up the system copy Copies a code image or a switch configuration to or from flash memory or an FTP/TFTP server...
  • Page 121: General Commands

    Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.
  • Page 122: Copy

    Chapter 4 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server or a USB memory stick. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
  • Page 123 Chapter 4 | System Management Commands File Management ◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”) ◆...
  • Page 124 Chapter 4 | System Management Commands File Management Destination file name: startup.01 TFTP completed. Success. Console# The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish.
  • Page 125: Delete

    Chapter 4 | System Management Commands File Management Username: steve TFTP Download Success. Write to FLASH Programming. Success. Console# This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: bob@sample.com Password[]: ***** Choose file type: 1.
  • Page 126: Table 18: File Directory Information

    Chapter 4 | System Management Commands File Management ◆ If the public key type is not specified, then both DSA and RSA keys will be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands...
  • Page 127: Umount Usbdisk

    Chapter 4 | System Management Commands File Management (Continued) Table 18: File Directory Information Column Heading Description Startup Shows if this file is used when the system is started. Modified Time The date and time the file was last modified. Size The length of the file in bytes.
  • Page 128: Whichboot

    Chapter 4 | System Management Commands File Management whichboot This command displays which files were booted when the system powered up. Syntax whichboot Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
  • Page 129: Upgrade Opcode Path

    Chapter 4 | System Management Commands File Management version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
  • Page 130: Upgrade Opcode Reload

    Chapter 4 | System Management Commands File Management Command Usage ◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command. ◆ The name for the new image stored on the TFTP server must be ECS4120- Seroes.bix.
  • Page 131: Show Upgrade

    Chapter 4 | System Management Commands File Management Example This shows how to automatically reboot and load the new code after the opcode upgrade is completed. Console(config)#upgrade opcode reload Console(config)# show upgrade This command shows the opcode upgrade configuration settings. Command Mode Privileged Exec Example...
  • Page 132: Ip Tftp Timeout

    Chapter 4 | System Management Commands File Management ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
  • Page 133: Table 19: Line Commands

    Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 19: Line Commands Command Function...
  • Page 134: Line

    Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 135: Exec-Timeout

    Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
  • Page 136: Login

    Chapter 4 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
  • Page 137: Parity

    Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity...
  • Page 138: Password-Thresh

    Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the...
  • Page 139: Silent-Time

    Chapter 4 | System Management Commands Line Example To set the password threshold to five attempts, enter this command: Console(config-line-console)#password-thresh 5 Console(config-line-console)# Related Commands silent-time (139) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
  • Page 140: Speed

    Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
  • Page 141: Timeout Login Response

    Chapter 4 | System Management Commands Line Example To specify 2 stop bits, enter this command: Console(config-line-console)#stopbits 2 Console(config-line-console)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response...
  • Page 142: Disconnect

    Chapter 4 | System Management Commands Line disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0”...
  • Page 143: Show Line

    Chapter 4 | System Management Commands Line width - The number of character columns displayed on the terminal. (Range: 0-80) Default Setting Escape Character: 27 (ASCII-number) History: 10 Length: 24 Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config...
  • Page 144: Table 20: Event Logging Commands

    Chapter 4 | System Management Commands Event Logging Silent Time : Disabled Baud Rate : 115200 Data Bits Parity : None Stop Bits VTY Configuration: Password Threshold : 3 times EXEC Timeout : 600 seconds Login Timeout : 300 sec. Silent Time : Disabled Console#...
  • Page 145: Table 21: Logging Levels

    Chapter 4 | System Management Commands Event Logging Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 146: Logging Host

    Chapter 4 | System Management Commands Event Logging Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages.
  • Page 147: Logging Trap

    Chapter 4 | System Management Commands Event Logging Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory.
  • Page 148: Clear Log

    Chapter 4 | System Management Commands Event Logging Example Console(config)#logging trap level 4 Console(config)# clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 149: Show Logging

    Chapter 4 | System Management Commands Event Logging ◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source). Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification."...
  • Page 150: Table 22: Show Logging Flash/Ram - Display Description

    Chapter 4 | System Management Commands Event Logging Ram Logging Configuration: History Logging in RAM : Level Debugging (7) Console# Table 22: show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command.
  • Page 151: Table 24: Event Logging Commands

    Chapter 4 | System Management Commands SMTP Alerts SMTP Alerts These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Table 24: Event Logging Commands Command Function Mode logging sendmail Enables SMTP event handling logging sendmail host SMTP servers to receive alert messages logging sendmail level...
  • Page 152: Logging Sendmail Level

    Chapter 4 | System Management Commands SMTP Alerts Default Setting None Command Mode Global Configuration Command Usage ◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. ◆...
  • Page 153: Logging Sendmail Destination-Email

    Chapter 4 | System Management Commands SMTP Alerts Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
  • Page 154: Table 25: Time Commands

    Chapter 4 | System Management Commands Time Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Privileged Exec...
  • Page 155: Sntp Commands

    Chapter 4 | System Management Commands Time (Continued) Table 25: Time Commands Command Function Mode NTP Commands ntp authenticate Enables authentication for NTP traffic ntp authentication-key Configures authentication keys ntp client Enables the NTP client for time updates from specified servers ntp server Specifies NTP servers to poll for time updates...
  • Page 156: Sntp Poll

    Chapter 4 | System Management Commands Time Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current Time : Mar 12 02:33:00 2015 Poll Interval : 60 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 10.1.0.19 Current Server : 137.92.140.80 Console#...
  • Page 157: Sntp Server

    Chapter 4 | System Management Commands Time sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
  • Page 158: Ntp Commands

    Chapter 4 | System Management Commands Time Example Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 Current Server : 137.92.140.80 Console# NTP Commands ntp authenticate This command enables authentication for NTP client-server communications.
  • Page 159: Ntp Authentication-Key

    Chapter 4 | System Management Commands Time ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number]...
  • Page 160: Ntp Client

    Chapter 4 | System Management Commands Time ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command. Use the no form to disable NTP client requests. Syntax [no] ntp client Default Setting Disabled Command Mode...
  • Page 161: Show Ntp

    Chapter 4 | System Management Commands Time Default Setting Version number: 3 Command Mode Global Configuration Command Usage ◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command.
  • Page 162: Manual Configuration Commands

    Chapter 4 | System Management Commands Time NTP Status : Enabled NTP Authenticate Status : Enabled Last Update NTP Server : 192.168.0.88 Port: 123 Last Update Time : Mar 12 02:41:01 2013 UTC NTP Server 192.168.0.88 version 3 NTP Server 192.168.3.21 version 3 NTP Server 192.168.4.22 version 3 key 19 NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885 Console#...
  • Page 163: Clock Summer-Time (Predefined)

    Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
  • Page 164: Table 26: Predefined Summer-Time Parameters

    Chapter 4 | System Management Commands Time Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time relative to the configured time zone. To specify the time corresponding to your local time when summer time is in effect, select the predefined summer-time time zone appropriate for your location, or manually configure summer time if these predefined...
  • Page 165 Chapter 4 | System Management Commands Time b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-hour - The hour when summer time will begin.
  • Page 166: Clock Timezone

    Chapter 4 | System Management Commands Time clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC.
  • Page 167: Show Calendar

    Chapter 4 | System Management Commands Time month - january | february | march | april | may | june | july | august | september | october | november | december year - Year (4-digit). (Range: 1970-2037) Default Setting None Command Mode Privileged Exec...
  • Page 168: Table 27: Time Range Commands

    Chapter 4 | System Management Commands Time Range Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 27: Time Range Commands Command Function Mode time-range Specifies the name of a time range, and enters time range configuration mode absolute...
  • Page 169: Absolute

    Chapter 4 | System Management Commands Time Range absolute This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute...
  • Page 170: Periodic

    Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend | hour minute}...
  • Page 171: Table 28: Switch Cluster Commands

    Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Privileged Exec Example Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic...
  • Page 172: Cluster

    Chapter 4 | System Management Commands Switch Clustering Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
  • Page 173: Cluster Commander

    Chapter 4 | System Management Commands Switch Clustering ◆ There can be up to 100 candidates and 16 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes.
  • Page 174: Cluster Ip-Pool

    Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
  • Page 175: Rcommand

    Chapter 4 | System Management Commands Switch Clustering Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 16. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration.
  • Page 176: Show Cluster Members

    Chapter 4 | System Management Commands Switch Clustering Example Console#show cluster Role : commander Interval Heartbeat : 30 Heartbeat Loss Count : 3 seconds Number of Members Number of Candidates : 2 Console# show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example...
  • Page 177: Table 29: Snmp Commands

    SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 178 Chapter 5 | SNMP Commands (Continued) Table 29: SNMP Commands Command Function Mode show snmp user Shows the SNMP users show snmp view Shows the SNMP views Notification Log Commands Enables the specified notification log snmp-server notify-filter Creates a notification log and specifies the target host show nlm oper-status Shows operation status of configured notification logs show snmp notify-filter...
  • Page 179: General Snmp Commands

    Chapter 5 | SNMP Commands General SNMP Commands (Continued) Table 29: SNMP Commands Command Function Mode Additional Trap Commands memory Sets the rising and falling threshold for the memory utilization alarm process cpu Sets the rising and falling threshold for the CPU utilization alarm process cpu guard Sets the CPU utilization watermark and threshold...
  • Page 180: Snmp-Server Community

    Chapter 5 | SNMP Commands General SNMP Commands snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. Syntax snmp-server community string [ro | rw] no snmp-server community string string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 181: Snmp-Server Location

    Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (181) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
  • Page 182: Snmp Target Host Commands

    Chapter 5 | SNMP Commands SNMP Target Host Commands Example Console#show snmp SNMP Agent : Enabled SNMP Traps : Authentication : Enabled MAC-notification : Disabled MAC-notification interval : 1 second(s) SNMP Communities : 1. public, and the access level is read-only 2.
  • Page 183 Chapter 5 | SNMP Commands SNMP Target Host Commands Default Setting Issue authentication. Other traps are disabled. Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
  • Page 184: Snmp-Server Host

    Chapter 5 | SNMP Commands SNMP Target Host Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr...
  • Page 185 Chapter 5 | SNMP Commands SNMP Target Host Commands ◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally.
  • Page 186: Snmp-Server Enable Port-Traps Mac-Notification

    Chapter 5 | SNMP Commands SNMP Target Host Commands Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (182) snmp-server enable port-traps mac-notification This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
  • Page 187: Snmpv3 Commands

    Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Privileged Exec Example Console#show snmp-server enable port-traps interface Interface MAC Notification Trap --------- --------------------- Eth 1/1 Eth 1/2 Eth 1/3 SNMPv3 Commands snmp-server This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
  • Page 188: Snmp-Server Group

    Chapter 5 | SNMP Commands SNMPv3 Commands remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789”...
  • Page 189: Snmp-Server User

    Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
  • Page 190 Chapter 5 | SNMP Commands SNMPv3 Commands md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password) If the encrypted option is selected, enter an encrypted password.
  • Page 191: Snmp-Server View

    Chapter 5 | SNMP Commands SNMPv3 Commands need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)#...
  • Page 192: Table 30: Show Snmp Engine-Id - Display Description

    Chapter 5 | SNMP Commands SNMPv3 Commands Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example...
  • Page 193: Table 31: Show Snmp Group - Display Description

    Chapter 5 | SNMP Commands SNMPv3 Commands Read View: defaultview Write View: daily Notify View: none Storage Type: permanent Row Status: active Group Name: public Security Model: v1 Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: public Security Model: v2c...
  • Page 194: Table 32: Show Snmp User - Display Description

    Chapter 5 | SNMP Commands SNMPv3 Commands show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user Engine ID : 8000018403fc0a81b7c7e00000 User Name : steve Group Name : r&d Security Model : v3 Security Level : Authentication and privacy Authentication Protocol : MD5...
  • Page 195: Table 33: Show Snmp View - Display Description

    Chapter 5 | SNMP Commands Notification Log Commands Subtree OID : 1.2.2.3.6.2.1 View Type : included Storage Type : permanent Row Status : active View Name : defaultview Subtree OID View Type : included Storage Type : volatile Row Status : active Console# Table 33: show snmp view - display description...
  • Page 196: Snmp-Server Notify-Filter

    Chapter 5 | SNMP Commands Notification Log Commands Example This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter This command creates an SNMP notification log. Use the no form to remove this log. Syntax [no] snmp-server notify-filter profile-name remote ip-address profile-name - Notification log profile name.
  • Page 197: Show Nlm Oper-Status

    Chapter 5 | SNMP Commands Notification Log Commands ◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014). Notification logging is enabled by default (see the command), but will not start recording information until a logging profile specified with this command is enabled with the command.
  • Page 198: Show Snmp Notify-Filter

    Chapter 5 | SNMP Commands Additional Trap Commands show snmp notify-filter This command displays the configured notification logs. Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ----------------...
  • Page 199: Process Cpu

    Chapter 5 | SNMP Commands Additional Trap Commands Related Commands show memory (107) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
  • Page 200: Process Cpu Guard

    Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
  • Page 201 Chapter 5 | SNMP Commands Additional Trap Commands ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered. Example Console(config)#process cpu guard high-watermark 80 Console(config)#process cpu guard low-watermark 60 Console(config)#...
  • Page 203: Table 34: Rmon Commands

    Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 204: Rmon Alarm

    Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
  • Page 205: Rmon Event

    Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
  • Page 206: Rmon Collection History

    Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event.
  • Page 207: Rmon Collection Rmon1

    Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running- config...
  • Page 208: Show Rmon Alarms

    Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
  • Page 209: Show Rmon History

    Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01...
  • Page 211: Table 35: Sflow Commands

    Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 212: Sflow Owner

    Chapter 7 | Flow Sampling Commands sflow owner This command creates an sFlow collector on the switch. Use the no form to remove the sFlow receiver. Syntax sflow owner owner-name timeout timeout-value [destination {ipv4-address | ipv6-address} [max-datagram-size max-datagram-size] [port destination-udp-port] [version {v4 | v5]] [port destination-udp-port] no sflow owner owner-name owner-name - Name of the collector.
  • Page 213: Sflow Polling Instance

    Chapter 7 | Flow Sampling Commands ◆ Use the no sflow owner command to remove the collector. ◆ When the sflow owner command is issued, its associated timeout value will immediately begin to count down. Once the timeout value has reached zero seconds, the sFlow owner and its associated sampling sources will be deleted from the configuration.
  • Page 214: Sflow Sampling Instance

    Chapter 7 | Flow Sampling Commands Command Mode Privileged Exec Command Usage This command enables a polling data source and configures the interval at which counter values are added to the sample datagram. Example This example sets the polling interval to 10 seconds. Console(config)#interface ethernet 1/9 Console(config-if)#sflow polling-interval 10 Console(config-if)#...
  • Page 215: Show Sflow

    Chapter 7 | Flow Sampling Commands Example This example enables a sampling data source on Ethernet interface 1/1, an associated receiver named “owner1”, and a sampling rate of one out of 100. The maximum header size is also set to 200 bytes. Console# sflow sampling interface ethernet 1/1 instance 1 receiver owner1 sampling-rate 100 max-header-size 200 Console#...
  • Page 217: Table 36: Authentication Commands

    Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 218: Table 37: User Access Commands

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 133), user authentication via a remote authentication server...
  • Page 219: Username

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels Default Setting The default is level 15. The default password is “super” Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
  • Page 220: Table 38: Default Login Settings

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels Level 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command.
  • Page 221: Privilege

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command.
  • Page 222: Table 39: Authentication Sequence Commands

    Chapter 8 | Authentication Commands Authentication Sequence Example This example shows the privilege level for any command modified by the privilege command. Console#show privilege command privilege line all level 0 accounting privilege exec level 15 ping Console(config)# Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access.
  • Page 223: Authentication Login

    Chapter 8 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
  • Page 224: Table 40: Radius Client Commands

    Chapter 8 | Authentication Commands RADIUS Client ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first.
  • Page 225: Radius-Server Auth-Port

    Chapter 8 | Authentication Commands RADIUS Client Default Setting 1813 Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
  • Page 226: Radius-Server Key

    Chapter 8 | Authentication Commands RADIUS Client auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 227: Radius-Server Retransmit

    Chapter 8 | Authentication Commands RADIUS Client radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 228: Table 41: Tacacs+ Client Commands

    Chapter 8 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times...
  • Page 229: Tacacs-Server Host

    Chapter 8 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server.
  • Page 230: Tacacs-Server Port

    Chapter 8 | Authentication Commands TACACS+ Client Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 231: Tacacs-Server Timeout

    Chapter 8 | Authentication Commands TACACS+ Client Example Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 232: Table 42: Aaa Commands

    Chapter 8 | Authentication Commands TACACS+ Server Group: Group Name Member Index ------------------------- ------------- tacacs+ Console# The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 42: AAA Commands Command Function...
  • Page 233: Aaa Accounting Exec

    Chapter 8 | Authentication Commands group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 234: Aaa Accounting Update

    Chapter 8 | Authentication Commands Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
  • Page 235: Aaa Authorization Exec

    Chapter 8 | Authentication Commands Example Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.
  • Page 236: Aaa Group Server

    Chapter 8 | Authentication Commands aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
  • Page 237: Accounting Dot1X

    Chapter 8 | Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the...
  • Page 238: Authorization Exec

    Chapter 8 | Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec...
  • Page 239: Table 43: Web Server Commands

    Chapter 8 | Authentication Commands Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) Default Setting None Command Mode Privileged Exec Example Console#show accounting...
  • Page 240: Ip Http Port

    Chapter 8 | Authentication Commands Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
  • Page 241: Ip Http Secure-Port

    Chapter 8 | Authentication Commands Web Server ip http secure-port This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 242: Table 44: Https System Support

    Chapter 8 | Authentication Commands Web Server Command Usage ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆...
  • Page 243: Table 45: Telnet Server Commands

    Chapter 8 | Authentication Commands Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch. Table 45: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...
  • Page 244: Ip Telnet Port

    Chapter 8 | Authentication Commands Telnet Server Example Console(config)#ip telnet max-sessions 1 Console(config)# ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface.
  • Page 245: Telnet (Client)

    Chapter 8 | Authentication Commands Telnet Server telnet (client) This command accesses a remote device using a Telnet connection. Syntax telnet host host - IP address or alias of a remote device. Command Mode Privileged Exec Example Console#telnet 192.168.2.254 Connect To 192.168.2.254... *************************************************************** WARNING - MONITORED ACTIONS AND ACCESSES User Access Verification...
  • Page 246: Table 46: Secure Shell Commands

    Chapter 8 | Authentication Commands Secure Shell Secure Shell This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0 clients.
  • Page 247 Chapter 8 | Authentication Commands Secure Shell To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
  • Page 248 Chapter 8 | Authentication Commands Secure Shell Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
  • Page 249: Ip Ssh Authentication-Retries

    Chapter 8 | Authentication Commands Secure Shell ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count –...
  • Page 250: Ip Ssh Server-Key Size

    Chapter 8 | Authentication Commands Secure Shell Example Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# Related Commands ip ssh crypto host-key generate (252) show ssh (255) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting.
  • Page 251: Delete Public-Key

    Chapter 8 | Authentication Commands Secure Shell Default Setting 120 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 252: Ip Ssh Crypto Host-Key Generate

    Chapter 8 | Authentication Commands Secure Shell ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs.
  • Page 253: Ip Ssh Save Host-Key

    Chapter 8 | Authentication Commands Secure Shell Command Mode Privileged Exec Command Usage ◆ This command clears the host key from volatile memory (RAM). Use the no ssh save host-key command to clear the host key from flash memory. ◆ The SSH server must be disabled before you can execute this command.
  • Page 254: Show Public-Key

    Chapter 8 | Authentication Commands Secure Shell Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds; Authentication Retries : 3 Server Key Size : 768 bits Console# show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username –...
  • Page 255: Table 47: Show Ssh - Display Description

    Chapter 8 | Authentication Commands 802.1X Port Authentication show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# Table 47: show ssh - display description Field Description Connection...
  • Page 256: General Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication (Continued) Table 48: 802.1X Port Authentication Commands Command Function Mode dot1x operation-mode Allows single or multiple hosts on a dot1x port dot1x port-control Sets dot1x mode for a port interface dot1x re-authentication Enables re-authentication for all ports dot1x timeout quiet-period Sets the time that a switch port waits after the Max Request...
  • Page 257: Dot1X Eapol-Pass-Through

    Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#dot1x default Console(config)# dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default. Syntax [no] dot1x eapol-pass-through Default Setting...
  • Page 258: Authenticator Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# Authenticator Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
  • Page 259: Dot1X Max-Reauth-Req

    Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x max-reauth-req This command sets the maximum number of times that the switch sends an EAP- request/identity frame to the client before restarting the authentication process. Use the no form to restore the default. Syntax dot1x max-reauth-req count no dot1x max-reauth-req...
  • Page 260: Dot1X Operation-Mode

    Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x operation-mode This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 261: Dot1X Port-Control

    Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 262: Dot1X Timeout Quiet-Period

    Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands dot1x timeout re-authperiod (262) dot1x timeout quiet-period This command sets the time that a switch port waits after the maximum request count (see page 259) has been exceeded before attempting to acquire a new client.
  • Page 263: Dot1X Timeout Supp-Timeout

    Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
  • Page 264: Dot1X Re-Authenticate

    Chapter 8 | Authentication Commands 802.1X Port Authentication Default 30 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 265: Information Display Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication Information Display Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] statistics - Displays dot1x status for each port. interface ethernet unit/port unit - Unit identifier.
  • Page 266 Chapter 8 | Authentication Commands 802.1X Port Authentication Max Request – Maximum number of times a port will retransmit an EAP ■ request/identity packet to the client before it times out the authentication session (page 259). Operation Mode– Shows if single or multiple hosts (clients) can connect to ■...
  • Page 267: Table 49: Management Ip Filter Commands

    Chapter 8 | Authentication Commands Management IP Filter Console#show dot1x interface ethernet 1/28 802.1X Authenticator is enabled on port 28 Reauthentication : Enabled Reauth Period : 3600 Quiet Period : 60 TX Period : 30 Supplicant Timeout : 30 Server Timeout : 10 Reauth Max Retries Max Request...
  • Page 268: Management

    Chapter 8 | Authentication Commands Management IP Filter management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. A list of up to 15 IP addresses or IP address groups can be specified. Use the no form to restore the default setting. Syntax [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]...
  • Page 269: Show Management

    Chapter 8 | Authentication Commands Management IP Filter Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} all-client - Displays IP addresses for all groups.
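An offline check of a management filter before it is applied, written for this page as an added example (it is not Edge-Core code). It parses `management` commands in the syntax shown above and reports which source addresses each protocol group would admit. Treating `all-client` as "every group", an empty group as "unrestricted", and the 15-entry limit as a total across groups are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the two commands from the example above plus one
# protocol-specific entry added for illustration.
SAMPLE_CONFIG = """\
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
management snmp-client 10.1.1.5
"""

PROTOCOLS = ("http-client", "snmp-client", "telnet-client")
MAX_ENTRIES = 15  # list size given in the command description

# Matches "management <group> <start> [<end>]", with or without a CLI prompt.
# Lines in the "no management ..." form do not match and are skipped.
_LINE = re.compile(
    r"^\s*(?:Console\(config\)#\s*)?management\s+"
    r"(all-client|http-client|snmp-client|telnet-client)\s+(\S+)(?:\s+(\S+))?\s*$"
)


def parse_management_filter(config_text):
    """Return {protocol: [(start, end), ...]} built from 'management' commands."""
    table = {proto: [] for proto in PROTOCOLS}
    entries = 0
    for raw in config_text.splitlines():
        match = _LINE.match(raw)
        if not match:
            continue
        group, start_s, end_s = match.groups()
        start = ipaddress.IPv4Address(start_s)
        end = ipaddress.IPv4Address(end_s) if end_s else start
        if end < start:
            raise ValueError(f"end address precedes start address: {raw.strip()}")
        entries += 1
        if entries > MAX_ENTRIES:  # assumption: the limit is a total
            raise ValueError(f"more than {MAX_ENTRIES} filter entries")
        # Assumption: all-client adds the range to every protocol group.
        targets = PROTOCOLS if group == "all-client" else (group,)
        for proto in targets:
            table[proto].append((start, end))
    return table


def is_allowed(table, protocol, source_ip):
    """True if source_ip would be admitted to the given management protocol."""
    ranges = table[protocol]
    if not ranges:
        return True  # assumption: an empty group means no filtering
    addr = ipaddress.IPv4Address(source_ip)
    return any(start <= addr <= end for start, end in ranges)


def admitted_count(table):
    """Addresses admitted per protocol; None means the group is unrestricted."""
    report = {}
    for proto, ranges in table.items():
        if not ranges:
            report[proto] = None
            continue
        total = 0
        cur_start = cur_end = None
        for start, end in sorted(ranges):
            if cur_end is not None and int(start) <= int(cur_end) + 1:
                cur_end = max(cur_end, end)  # overlapping or adjacent: merge
            else:
                if cur_end is not None:
                    total += int(cur_end) - int(cur_start) + 1
                cur_start, cur_end = start, end
        total += int(cur_end) - int(cur_start) + 1
        report[proto] = total
    return report


def locked_out(table, admin_hosts):
    """(protocol, host) pairs from admin_hosts that the filter would reject."""
    return [
        (proto, host)
        for proto in PROTOCOLS
        for host in admin_hosts
        if not is_allowed(table, proto, host)
    ]


if __name__ == "__main__":
    filt = parse_management_filter(SAMPLE_CONFIG)
    print(admitted_count(filt))
    print(locked_out(filt, ["192.168.1.19", "192.168.1.40"]))
```

Running `locked_out` against the list of administrator workstations before pushing the configuration shows which hosts would lose access, and `admitted_count` makes an unexpectedly wide range visible.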
  • Page 270: Table 50: Pppoe Intermediate Agent Commands

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent PPPoE Intermediate Agent This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers. Table 50: PPPoE Intermediate Agent Commands Command Function Mode...
  • Page 271: Pppoe Intermediate-Agent Format-Type

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent forwards this information to all trusted ports designated by the pppoe intermediate-agent trust command. The BRAS detects the presence of the subscriber’s circuit-ID tag inserted by the switch during the PPPoE discovery phase, and sends this tag as a NAS-port-ID attribute in PPP authentication and AAA accounting requests to a RADIUS server.
  • Page 272: Pppoe Intermediate-Agent Port-Enable

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent Example Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong Console(config)# pppoe intermediate- This command enables the PPPoE IA on an interface. Use the no form to disable this agent port-enable feature. Syntax [no] pppoe intermediate-agent port-enable Default Setting Disabled Command Mode...
  • Page 273: Pppoe Intermediate-Agent Port-Format-Type Remote-Id

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Usage ◆ The PPPoE server extracts the Line-ID tag from PPPoE discovery stage messages, and uses the Circuit-ID field of that tag as a NAS-Port-Id attribute in AAA access and accounting requests. ◆...
  • Page 274: Pppoe Intermediate-Agent Trust

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Usage If the delimiter is enabled and it occurs in the remote ID string, the string will be truncated at that point. Example This command enables the delimiter for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent port-format-type remote-id Console(config-if)#...
  • Page 275: Clear Pppoe Intermediate-Agent Statistics

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
  • Page 276: Show Pppoe Intermediate-Agent Statistics

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Mode Privileged Exec Example Console#show pppoe intermediate-agent info PPPoE Intermediate Agent Global Status : Disabled PPPoE Intermediate Agent Vendor ID : 3561 PPPoE Intermediate Agent Admin Access Node Identifier : PPPoE Intermediate Agent Oper Access Node Identifier 192.168.2.12 PPPoE Intermediate Agent Admin Generic Error Message PPPoE Intermediate Agent Oper Generic Error Message...
  • Page 277: Table 51: Show Pppoe Intermediate-Agent Statistics - Display Description

    Chapter 8 | Authentication Commands PPPoE Intermediate Agent Table 51: show pppoe intermediate-agent statistics - display description Field Description Received PADI PPPoE Active Discovery Initiation PADO PPPoE Active Discovery Offer PADR PPPoE Active Discovery Request PADS PPPoE Active Discovery Session-Confirmation PADT PPPoE Active Discovery Terminate Dropped...
  • Page 279: Table 52: General Security Commands

    General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes.
  • Page 280: Table 53: Port Security Commands

    Chapter 9 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 281: Port Security

    Chapter 9 | General Security Measures Port Security security function such as 802.1X or DHCP snooping is enabled and mac-learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
  • Page 282 Chapter 9 | General Security Measures Port Security Command Mode Interface Configuration (Ethernet) Command Usage ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 283: Port Security Mac-Address-As-Permanent

    Chapter 9 | General Security Measures Port Security Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands show interfaces status (407) shutdown (394) mac-address-table static (490)
  • Page 284: Table 54: Show Port Security - Display Description

    Chapter 9 | General Security Measures Port Security Command Mode Privileged Exec Example This example shows the port security settings and number of secure addresses for all ports. Console#show port security Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Port Summary Port Port Security Port Status...
  • Page 285: Table 55: Network Access Commands

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Console#show port security interface ethernet 1/2 Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Details Port : 1/2 Port Security : Enabled Port Status : Secure/Up Intrusion Action : None Max MAC Count...
  • Page 286: Network-Access Aging

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) (Continued) Table 55: Network Access Commands Command Function Mode network-access dynamic-qos Enables the dynamic quality of service feature network-access dynamic-vlan Enables dynamic VLAN assignment from a RADIUS server IC network-access guest-vlan Specifies the guest VLAN network-access link-detection...
  • Page 287: Network-Access Mac-Filter

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
  • Page 288: Mac-Authentication Reauth-Time

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ There is no limitation on the number of entries that can be entered in a filter table. Example Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66 Console(config)# mac-authentication reauth-time Use this command to set the time period after which a connected MAC address must be re-authenticated.
  • Page 289: Table 56: Dynamic Qos Profiles

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 56: Dynamic QoS Profiles Profile...
  • Page 290: Network-Access Guest-Vlan

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Default Setting Enabled Command Mode Interface Configuration Command Usage ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch.
  • Page 291: Network-Access Link-Detection

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ The VLAN to be used as the guest VLAN must be defined and set as active (See vlan database command). ◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan”...
  • Page 292: Network-Access Link-Detection Link-Down

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) network-access link-detection link-down Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 293: Network-Access Link-Detection Link-Up-Down

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link-detection link-up-down Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
  • Page 294: Network-Access Mode Mac-Authentication

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 295: Network-Access Port-Mac-Filter

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 296: Mac-Authentication Intrusion-Action

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action {block traffic | pass traffic} no mac-authentication intrusion-action Default Setting Block Traffic...
  • Page 297: Clear Network-Access

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 298: Show Network-Access Mac-Address-Table

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC Address Aging : Enabled Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion Action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts...
  • Page 299: Show Network-Access Mac-Filter

    Chapter 9 | General Security Measures Web Authentication 00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF- FF-FF to be displayed. All other MACs would be filtered out. Example Console#show network-access mac-address-table Interface MAC Address RADIUS Server Time Attribute --------- ----------------- --------------- ---------------------- -------...
  • Page 300: Table 57: Web Authentication

    Chapter 9 | General Security Measures Web Authentication Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 222). Note: Web authentication cannot be configured on trunk ports. Table 57: Web Authentication Command Function Mode...
  • Page 301: Web-Auth Quiet-Period

    Chapter 9 | General Security Measures Web Authentication Example Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
  • Page 302: Web-Auth System-Auth-Control

    Chapter 9 | General Security Measures Web Authentication Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 303: Web-Auth Re-Authenticate (Port)

    Chapter 9 | General Security Measures Web Authentication Example Console(config-if)#web-auth Console(config-if)# web-auth re-authenticate (Port) This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port unit - Unit identifier.
  • Page 304: Show Web-Auth

    Chapter 9 | General Security Measures Web Authentication Example Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5 Console# show web-auth This command displays global web authentication parameters. Command Mode Privileged Exec Example Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period...
  • Page 305: Table 58: Dhcp Snooping Commands

    Chapter 9 | General Security Measures DHCPv4 Snooping show web-auth summary This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ----...
  • Page 306: Ip Dhcp Snooping

    Chapter 9 | General Security Measures DHCPv4 Snooping (Continued) Table 58: DHCP Snooping Commands Command Function Mode ip dhcp snooping information option circuit-id Enables or disables the use of DHCP Option 82 information circuit-id suboption ip dhcp snooping max-number Configures the maximum number of DHCP clients which can be supported per interface ip dhcp snooping trust...
  • Page 307 Chapter 9 | General Security Measures DHCPv4 Snooping ◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆...
  • Page 308: Ip Dhcp Snooping Information Option

    Chapter 9 | General Security Measures DHCPv4 Snooping switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped. Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (314) ip dhcp snooping trust (317) ip dhcp snooping...
  • Page 309: Ip Dhcp Snooping Information Option Encode No-Subtype

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Mode Global Configuration Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 310: Table 59: Option 82 Information

    Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting Enabled Command Mode Global Configuration Command Usage ◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below: Table 59: Option 82 information 3-69 1-67 opt82 opt-len sub-opt1 string-len...
  • Page 311: Ip Dhcp Snooping Information Option Remote-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping information option remote-id This command sets the remote ID to the switch’s IP address, MAC address, or arbitrary string, TR-101 compliant node identifier, or removes VLAN ID from the end of the TR101 field.
  • Page 312: Ip Dhcp Snooping Information Option Tr101 Board-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping Example This example sets the remote ID to the switch’s IP address. Console(config)#ip dhcp snooping information option remote-id tr101 node-identifier ip Console(config)# ip dhcp snooping This command sets the board identifier used in Option 82 information based on TR-101 syntax.
  • Page 313: Ip Dhcp Snooping Limit Rate

    Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting replace Command Mode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets.
  • Page 314: Ip Dhcp Snooping Verify Mac Address

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping verify mac address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
  • Page 315: Ip Dhcp Snooping Information Option Circuit-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping will be performed on any untrusted ports within the VLAN as specified by the dhcp snooping trust command. ◆ When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
  • Page 316: Table 60: Option 82 Information

    Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting VLAN-Unit-Port Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, to set other services or policies for clients.
  • Page 317: Ip Dhcp Snooping Max-Number

    Chapter 9 | General Security Measures DHCPv4 Snooping untagged packets. Use the no form of this command to add the PVID for untagged packets at the end of the TR101 field. Example This example sets the DHCP Snooping Information circuit-id suboption string. Console(config)#interface ethernet 1/1 Console(config-if)#ip dhcp snooping information option circuit-id string 4500 Console(config-if)#...
  • Page 318: Clear Ip Dhcp Snooping Binding

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall. ◆...
  • Page 319: Clear Ip Dhcp Snooping Database Flash

    Chapter 9 | General Security Measures DHCPv4 Snooping Example Console#clear ip dhcp snooping binding 11-22-33-44-55-66 vlan 1 Console# clear ip dhcp snooping database flash This command removes all dynamically learned snooping entries from flash memory. Command Mode Privileged Exec Example Console#ip dhcp snooping database flash Console# ip dhcp snooping...
  • Page 320: Show Ip Dhcp Snooping

    Chapter 9 | General Security Measures DHCPv4 Snooping show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping Status: disabled DHCP Snooping Information Option Status: disabled DHCP Snooping Information Option Sub-option Format: extra subtype included DHCP Snooping Information Option Remote ID: MAC Address (hex encoded) DHCP Snooping Information Policy: replace...
  • Page 321: Table 61: Dhcp Snooping Commands

    Chapter 9 | General Security Measures DHCPv6 Snooping DHCPv6 Snooping DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
  • Page 322 Chapter 9 | General Security Measures DHCPv6 Snooping wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping...
  • Page 323 Chapter 9 | General Security Measures DHCPv6 Snooping DHCP Server Packet If a DHCP server packet is received on an untrusted port, drop this ■ packet and add a log entry in the system. If a DHCPv6 Reply packet is received from a server on a trusted port, it ■...
  • Page 324: Ipv6 Dhcp Snooping Option Remote-Id

    Chapter 9 | General Security Measures DHCPv6 Snooping Example This example enables DHCPv6 snooping globally for the switch. Console(config)#ipv6 dhcp snooping Console(config)# Related Commands ipv6 dhcp snooping vlan (326) ipv6 dhcp snooping trust (327) ipv6 dhcp snooping option remote-id This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
  • Page 325: Ipv6 Dhcp Snooping Option Remote-Id Policy

    Chapter 9 | General Security Measures DHCPv6 Snooping If an incoming packet is a DHCPv6 request packet with option 37 ■ information, it will modify the option 37 information according to settings specified with ipv6 dhcp snooping option remote-id policy command.
  • Page 326: Ipv6 Dhcp Snooping Vlan

    Chapter 9 | General Security Measures DHCPv6 Snooping Example This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it. Console(config)#ipv6 dhcp snooping option remote-id policy keep Console(config)# ipv6 dhcp snooping This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.
  • Page 327: Ipv6 Dhcp Snooping Max-Binding

    Chapter 9 | General Security Measures DHCPv6 Snooping ipv6 dhcp snooping max-binding This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting. Syntax ipv6 dhcp snooping max-binding count no ipv6 dhcp snooping max-binding...
  • Page 328: Clear Ipv6 Dhcp Snooping Binding

    Chapter 9 | General Security Measures DHCPv6 Snooping VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command. ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
  • Page 329: Clear Ipv6 Dhcp Snooping Statistics

    Chapter 9 | General Security Measures DHCPv6 Snooping clear ipv6 dhcp snooping statistics This command clears statistical counters for DHCPv6 snooping client, server and relay packets. Command Mode Privileged Exec Example Console(config)#clear ipv6 dhcp snooping statistics Console(config)# show ipv6 dhcp snooping This command shows the DHCPv6 snooping configuration settings.
  • Page 330: Table 62: Ipv4 Source Guard Commands

    Chapter 9 | General Security Measures IPv4 Source Guard IPv6 Address Lifetime VLAN Port Type --------------------------------------- ---------- ---- ------- ---- 2001:b000::1 2591912 1 Eth 1/3 Console# show ipv6 dhcp snooping statistics This command shows statistics for DHCPv6 snooping client, server and relay packets.
  • Page 331: Ip Source-Guard Binding

    Chapter 9 | General Security Measures IPv4 Source Guard Table 62: IPv4 Source Guard Commands Command Function Mode show ip source-guard Shows whether source guard is enabled or disabled on each interface show ip source-guard binding Shows the source guard binding table ip source-guard binding This command adds a static address to the source-guard ACL or MAC address...
  • Page 332 Chapter 9 | General Security Measures IPv4 Source Guard ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command. ◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
  • Page 333: Ip Source-Guard

    Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard...
  • Page 334: Ip Source-Guard Max-Binding

    Chapter 9 | General Security Measures IPv4 Source Guard the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID,...
  • Page 335: Ip Source-Guard Mode

    Chapter 9 | General Security Measures IPv4 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard...
  • Page 336: Clear Ip Source-Guard Binding Blocked

    Chapter 9 | General Security Measures IPv4 Source Guard Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table. ◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
  • Page 337: Show Ip Source-Guard Binding

    Chapter 9 | General Security Measures IPv4 Source Guard Example Console#show ip source-guard ACL Table MAC Table Interface Filter-type Filter-table Max-binding Max-binding --------- ----------- ------------ ----------- ----------- Eth 1/1 DISABLED 1024 Eth 1/2 DISABLED 1024 Eth 1/3 DISABLED 1024 Eth 1/4 DISABLED 1024 Eth 1/5...
  • Page 338: Table 63: Ipv6 Source Guard Commands

    Chapter 9 | General Security Measures IPv6 Source Guard IPv6 Source Guard IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping”...
  • Page 339 Chapter 9 | General Security Measures IPv6 Source Guard Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier. ◆...
  • Page 340: Ipv6 Source-Guard

    Chapter 9 | General Security Measures IPv6 Source Guard ipv6 dhcp snooping (321) ipv6 dhcp snooping vlan (326) ipv6 source-guard This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function. Syntax ipv6 source-guard sip no ipv6 source-guard...
  • Page 341: Ipv6 Source-Guard Max-Binding

    Chapter 9 | General Security Measures IPv6 Source Guard ◆ Filtering rules are implemented as follows: ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
  • Page 342: Show Ipv6 Source-Guard

    Chapter 9 | General Security Measures IPv6 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
  • Page 343: Table 64: Arp Inspection Commands

    Chapter 9 | General Security Measures ARP Inspection show ipv6 source-guard binding This command shows the IPv6 source guard binding table. Syntax show ipv6 source-guard binding [dynamic | static] dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 321)...
  • Page 344: Ip Arp Inspection

    Chapter 9 | General Security Measures ARP Inspection (Continued) Table 64: ARP Inspection Commands Command Function Mode ip arp inspection validate Specifies additional validation of address components in an ARP packet ip arp inspection vlan Enables ARP Inspection for a specified VLAN or range of VLANs ip arp inspection limit Sets a rate limit for the ARP packets received on a port...
  • Page 345: Ip Arp Inspection Filter

    Chapter 9 | General Security Measures ARP Inspection ◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets. ◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs.
  • Page 346: Ip Arp Inspection Log-Buffer Logs

    Chapter 9 | General Security Measures ARP Inspection ◆ If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database. Example Console(config)#ip arp inspection filter sales vlan 1 Console(config)#...
  • Page 347: Ip Arp Inspection Validate

    Chapter 9 | General Security Measures ARP Inspection ◆ The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer. Example Console(config)#ip arp inspection log-buffer logs 1 interval 10 Console(config)# ip arp inspection This command specifies additional validation of address components in an ARP...
  • Page 348: Ip Arp Inspection Vlan

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection vlan This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. Syntax [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
  • Page 349: Ip Arp Inspection Limit

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
  • Page 350: Show Ip Arp Inspection Configuration

    Chapter 9 | General Security Measures ARP Inspection Example Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection configuration This command displays the global configuration settings for ARP Inspection. Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP Inspection Global Information: Global IP ARP Inspection Status : disabled Log Message Interval...
  • Page 351: Show Ip Arp Inspection Log

    Chapter 9 | General Security Measures ARP Inspection show ip arp inspection log This command shows information about entries stored in the log, including the associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address...
  • Page 352: Table 65: Dos Protection Commands

    Chapter 9 | General Security Measures Denial of Service Protection Example Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# Denial of Service Protection A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 353: Dos-Protection Tcp-Null-Scan

    Chapter 9 | General Security Measures Denial of Service Protection Example Console(config)#dos-protection land Console(config)# dos-protection tcp-null-scan This command protects against TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
  • Page 354: Dos-Protection Tcp-Xmas-Scan

    Chapter 9 | General Security Measures Denial of Service Protection Command Usage In these packets, SYN=1 and FIN=1. Example Console(config)#dos-protection syn-fin-scan Console(config)# dos-protection tcp-xmas-scan This command protects against TCP-xmas-scan in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
  • Page 355: Table 66: Commands For Configuring Traffic Segmentation

    Chapter 9 | General Security Measures Port-based Traffic Segmentation Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
  • Page 356: Table 67: Traffic Segmentation Forwarding

    Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below. Table 67: Traffic Segmentation Forwarding Destination Session #1 Session #1 Session #2 Session #2...
  • Page 357: Traffic-Segmentation Uplink/Downlink

    Chapter 9 | General Security Measures Port-based Traffic Segmentation Command Mode Global Configuration Command Usage ◆ Use this command to create a new traffic-segmentation client session. ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
  • Page 358: Traffic-Segmentation Uplink-To-Uplink

    Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports. ◆...
  • Page 359: Show Traffic-Segmentation

    Chapter 9 | General Security Measures Port-based Traffic Segmentation show traffic-segmentation This command displays the configured traffic segments. Command Mode Privileged Exec Example Console#show traffic-segmentation Private VLAN Status Enabled Uplink-to-Uplink Mode : Forwarding Session Uplink Ports Downlink Ports --------- ------------------------------ ----------------------------- Ethernet Ethernet Ethernet...
  • Page 361: Table 68: Access Control List Commands

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on source address or destination address), or any frames (based on MAC address or Ethernet type).
  • Page 362: Access-List Ip

    Chapter 10 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard –...
  • Page 363 Chapter 10 | Access Control Lists IPv4 ACLs permit, deny (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax {permit | deny} {any | source bitmask | host source}...
  • Page 364: Permit, Deny (Extended Ipv4 Acl)

    Chapter 10 | Access Control Lists IPv4 ACLs permit, deny (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes.
  • Page 365 Chapter 10 | Access Control Lists IPv4 ACLs dport – Protocol destination port number. (Range: 0-65535) port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
  • Page 366: Ip Access-Group

    Chapter 10 | Access Control Lists IPv4 ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any destination...
  • Page 367: Show Ip Access-Group

    Chapter 10 | Access Control Lists IPv4 ACLs Command Usage If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in Console(config-if)# Related Commands...
  • Page 368: Table 70: Ipv6 Acl Commands

    Chapter 10 | Access Control Lists IPv6 ACLs Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny (363) ip access-group (366) IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 369: Permit, Deny (Standard Ipv6 Acl)

    Chapter 10 | Access Control Lists IPv6 ACLs Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
  • Page 370: Permit, Deny (Extended Ipv6 Acl)

    Chapter 10 | Access Control Lists IPv6 ACLs Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list. Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 371: Ipv6 Access-Group

    Chapter 10 | Access Control Lists IPv6 ACLs Command Mode Extended IPv6 ACL Command Usage All new rules are appended to the end of the list. Example This example accepts any incoming packets if the destination address is 2009:DB9:2229::79. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79 Console(config-ext-ipv6-acl)# Related Commands access-list ipv6 (368)
  • Page 372: Show Ipv6 Access-List

    Chapter 10 | Access Control Lists IPv6 ACLs Related Commands show ipv6 access-list (372) Time Range (168) show ipv6 access-list This command displays the rules for configured IPv6 ACLs. Syntax show ipv6 access-list {standard | extended} [acl-name] standard – Specifies a standard IPv6 ACL. extended –...
  • Page 373: Table 71: Mac Acl Commands

    Chapter 10 | Access Control Lists MAC ACLs MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 374: Permit, Deny (Mac Acl)

    Chapter 10 | Access Control Lists MAC ACLs Related Commands permit, deny (374) mac access-group (376) show mac access-list (377) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
  • Page 375 Chapter 10 | Access Control Lists MAC ACLs no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name] no {permit | deny} untagged-802.3...
  • Page 376: Mac Access-Group

    Chapter 10 | Access Control Lists MAC ACLs ■ 8137 - IPX Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (373) Time Range (168)
  • Page 377: Show Mac Access-Group

    Chapter 10 | Access Control Lists MAC ACLs show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands mac access-group (376) show mac access-list This command displays the rules for configured MAC ACLs.
  • Page 378: Table 72: Arp Acl Commands

    Chapter 10 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
  • Page 379: Permit, Deny (Arp Acl)

    Chapter 10 | Access Control Lists ARP ACLs Related Commands permit, deny (379) show arp access-list (380) permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
  • Page 380: Show Access-List Arp

    Chapter 10 | Access Control Lists ARP ACLs Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands access-list arp (378) show access-list arp This command displays the rules for configured ARP ACLs.
  • Page 381: Table 73: Acl Information Commands

    Chapter 10 | Access Control Lists ACL Information Related Commands permit, deny (379) ACL Information This section describes commands used to display ACL information. Table 73: ACL Information Commands Command Function Mode clear access-list hardware counters Clears hit counter for rules in all ACLs, or in a specified ACL. PE show access-group Shows the ACLs assigned to each port...
  • Page 382: Show Access-Group

    Chapter 10 | Access Control Lists ACL Information show access-group This command shows the port assignments of ACLs. Command Mode Privileged Executive Example Console#show access-group Interface ethernet 1/2 MAC access-list jerry Console# show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] |...
  • Page 383 Chapter 10 | Access Control Lists ACL Information MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 IP extended access-list A6: deny tcp any any control-flag 2 2 permit any any Console# – 383 –...
  • Page 385: Table 74: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 74: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode alias Configures an alias name for the interface...
  • Page 386 Chapter 11 | Interface Commands (Continued) Table 74: Interface Commands Command Function Mode Transceiver Threshold Configuration transceiver-monitor Sends a trap when any of the transceiver’s operational values fall outside specified thresholds transceiver-threshold-auto Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent transceiver-threshold Sets thresholds for transceiver current which can be used...
  • Page 387: Interface Configuration

    Chapter 11 | Interface Commands Interface Configuration Interface Configuration interface This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface. Syntax [no] interface interface-list interface-list –...
  • Page 388: Capabilities

    (Gigabit SFP only) - When specified, the port transmits and receives symmetric pause frames. Default Setting 100BASE-FX (SFP): 100full 1000BASE-T: 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX//LHX/ZX (SFP/SFP+): 1000full 10GBASE-CR/SR/LR/ER (SFP+): 10Gfull Command Mode Interface Configuration (Ethernet, Port Channel) ECS4120-28F/28F-I – 388 –...
  • Page 389: Description

    Chapter 11 | Interface Commands Interface Configuration Command Usage ◆ 10GBASE-SFP+ connections are fixed at 10G, full duplex. When auto-negotiation is enabled, the only attribute which can be advertised is flow control. ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 390: Discard

    Chapter 11 | Interface Commands Interface Configuration Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
  • Page 391: Flowcontrol

    Chapter 11 | Interface Commands Interface Configuration flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 392: History

    - Always uses the built-in RJ-45 port. sfp-forced - Forces transceiver mode for the SFP/SFP+ port. mode 1000sfp - Always uses 1000BASE SFP mode. 100fx - Always uses 100BASE-FX mode. 10gsfp - Always uses 10GBASE SFP mode. 10. ECS4120-28F/28F-I – 392 –...
  • Page 393: Negotiation

    ECS4120-52T: Ports 49-52 (10G SFP+) support 1000sfp ECS4120-28T/P: Ports 25-28 (10G SFP+) support 1000sfp ECS4120-28F/28F-I: Ports 25-28 (10G SFP+) support 1000sfp Ports 1-24 (1000BASE SFP) support 1000sfp or 100fx Example This forces the switch to use the 1000sfp mode for SFP port 28.
  • Page 394: Shutdown

    Chapter 11 | Interface Commands Interface Configuration Note: Auto-negotiation is not supported for 1000BASE SFP transceivers used in 10G SFP+ Ports 25-28/49-52. ◆ A connection can only be enabled on a port in which a recognized transceiver is inserted. Refer to the Installation Guide for a list of compliant transceivers. Example The following example configures port 10 to use auto-negotiation.
  • Page 395: Speed-Duplex

    Chapter 11 | Interface Commands Interface Configuration speed-duplex This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. Syntax speed-duplex {100full | 100half | 10full | 10half } no speed-duplex 10000full - Forces 10 Gbps full-duplex operation 100full - Forces 100 Mbps full-duplex operation...
  • Page 396: Switchport Block

    Chapter 11 | Interface Commands Interface Configuration Related Commands negotiation (393) capabilities (388) switchport block This command prevents the flooding of broadcast, unknown multicast, or unknown unicast packets onto an interface. Use the no form to restore the default setting. Syntax [no] switchport block {broadcast | multicast | unicast} broadcast - Specifies broadcast packets.
  • Page 397: Switchport Mtu

    Chapter 11 | Interface Commands Interface Configuration switchport mtu This command configures the maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk. Use the no form to restore the default setting. Syntax switchport mtu size no switchport mtu...
  • Page 398: Clear Counters

    Chapter 11 | Interface Commands Interface Configuration Example The following first enables jumbo frames for layer 2 packets, and then sets the MTU for port 1: Console(config)#jumbo frame Console(config)#interface ethernet 1/1 Console(config-if)#switchport mtu 9216 Console(config-if)# Related Commands jumbo frame (118) show interfaces status (407) clear counters This command clears statistics on an interface.
  • Page 399: Show Discard

    Chapter 11 | Interface Commands Interface Configuration show discard This command displays whether or not CDP and PVST packets are being discarded. Command Mode Privileged Exec Example In this example, “Default” means that the packets are not discarded. Console#show discard Port PVST -------- ------- -------...
  • Page 400: Show Interfaces Counters

    Chapter 11 | Interface Commands Interface Configuration show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Default Setting Shows the counters for all interfaces.
  • Page 401: Table 75: Show Interfaces Counters - Display Description

    Chapter 11 | Interface Commands Interface Configuration 0 Pause Frames Input 0 Pause Frames Output ===== RMON Stats ===== 0 Drop Events 16900558 Octets 40243 Packets 170 Broadcast PKTS 23 Multi-cast PKTS 0 Undersize PKTS 0 Oversize PKTS 0 Fragments 0 Jabbers 0 CRC Align Errors 0 Collisions...
  • Page 402 Chapter 11 | Interface Commands Interface Configuration (Continued) Table 75: show interfaces counters - display description Parameter Description QLen Output The length of the output packet queue (in packets). Extended IF Table Stats Multicast Input The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast address at this sub-layer.
  • Page 403 Chapter 11 | Interface Commands Interface Configuration (Continued) Table 75: show interfaces counters - display description Parameter Description Symbol Errors For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present. For an interface operating in half-duplex mode at 1000 Mb/s, the number of times the receiving media is non-idle (a carrier event) for a period of time equal to or greater than slotTime, and during which...
  • Page 404: Show Interfaces History

    Chapter 11 | Interface Commands Interface Configuration (Continued) Table 75: show interfaces counters - display description Parameter Description Input utilization The input utilization rate for this interface. Octets Output in kbits per Number of octets leaving this interface in kbits per second. second Packets output per second Number of packets leaving this interface in packets per second.
  • Page 405 Chapter 11 | Interface Commands Interface Configuration Example This example shows the statistics recorded for all named entries in the sampling table. Console#show interfaces history ethernet 1/1 Interface : Eth 1/ 1 Name : 15min Interval : 900 second(s) Buckets Requested : 96 Buckets Granted Status : Active...
  • Page 406 Chapter 11 | Interface Commands Interface Configuration This example shows the statistics recorded for a named entry in the sampling table. Console#show interfaces history ethernet 1/1 1min Interface : Eth 1/ 1 Name : 1min Interval : 60 second(s) Buckets Requested : 10 Buckets Granted Status : Active...
  • Page 407: Show Interfaces Status

    Chapter 11 | Interface Commands Interface Configuration show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
  • Page 408: Show Interfaces Switchport

    Chapter 11 | Interface Commands Interface Configuration MAC Learning Status : Enabled Console# show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 409: Table 76: Show Interfaces Switchport - Display Description

    Chapter 11 | Interface Commands Interface Configuration Table 76: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 459). Multicast Threshold Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 459).
  • Page 410: Transceiver Threshold Configuration

    Interface Configuration (ECS4120-28F SFP+ Ports 25-28 Other models: SFP/SFP+ Ports) Example Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold-auto Console# 12. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 410 –...
  • Page 411: Transceiver-Threshold Current

    13. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 411 –...
  • Page 412: Transceiver-Threshold Rx-Power

    14. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 412 –...
  • Page 413: Transceiver-Threshold Temperature

    15. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 413 –...
  • Page 414: Transceiver-Threshold Tx-Power

    16. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 414 –...
  • Page 415: Transceiver-Threshold Voltage

    17. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 415 –...
  • Page 416: Show Interfaces Transceiver

    Baud Rate : 2100 MBd Vendor OUI : 00-90-65 Vendor Name : FINISAR CORP. Vendor PN : FTLF8519P2BNL Vendor Rev 18. Due to a chip limitation, transceiver data cannot be displayed on ports 1-20 on the ECS4120-28F. – 416 –...
  • Page 417: Show Interfaces Transceiver-Threshold

    ◆ The DDM thresholds displayed by this command only apply to ports which have a DDM-compliant transceiver inserted. 19. Due to a chip limitation, transceiver data cannot be displayed on ports 1-20 on the ECS4120-28F. – 417 –...
  • Page 418: Cable Diagnostics

    (short, open, etc.) and report the cable length. Syntax test cable-diagnostics interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (ECS4120-28F/28F-I: 21-24, Other models: 1-24/48) Command Mode Privileged Exec Command Usage Cable diagnostics detects per pair cable faults (accuracy ≤...
  • Page 419: Test Loop Internal

    Chapter 11 | Interface Commands Cable Diagnostics ◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long. ◆ The test takes approximately 1 second. Use the show cable-diagnostics command to display the results of the test, including common cable failures, as well as the status and approximate length of each cable pair.
  • Page 420: Show Cable-Diagnostics

    Syntax show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (ECS4120-28F/28F-I: 21-24, Other models: 1-24/48) Command Mode Privileged Exec Command Usage ◆ The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
  • Page 421: Show Loop Internal

    Chapter 11 | Interface Commands Power Savings Example Console#show cable-diagnostics interface ethernet 1/24 Port Type Link Pair A Pair B Pair C Pair D Last Status meters meters meters meters Updated -------- ---- -------- -------- -------- -------- -------- ------------------- Eth 1/24 GE Down NC (0) NC (0)
  • Page 422 Chapter 11 | Interface Commands Power Savings Command Usage ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
  • Page 423: Show Power-Save

    This command shows the configuration settings for power savings. Syntax show power-save [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (ECS4120-28F/28F-I: 21-24, Other models: 1-24/48) Command Mode Privileged Exec Example Console#show power-save interface ethernet 1/24...
  • Page 425: Table 77: Link Aggregation Commands

    Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 426 Chapter 12 | Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – ◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk can have up to 26 ports. ◆...
  • Page 427: Manual Configuration Commands

    Chapter 12 | Link Aggregation Commands Manual Configuration Commands Manual Configuration Commands port channel load-balance This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting. Syntax port channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}...
  • Page 428: Channel-Group

    Chapter 12 | Link Aggregation Commands Manual Configuration Commands router trunk links where traffic through the switch is received from and destined for many different hosts. ■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
  • Page 429: Dynamic Configuration Commands

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example The following example creates trunk 1 and then adds ports 10-12: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/10-12 Console(config-if)#channel-group 1 Console(config-if)# Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.
  • Page 430: Lacp Admin-Key (Ethernet Interface)

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example The following shows LACP enabled on ports 1-3. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
  • Page 431: Lacp Port-Priority

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Default Setting Actor: 1, Partner: 0 Command Mode Interface Configuration (Ethernet) Command Usage ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
  • Page 432: Lacp System-Priority

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Command Mode Interface Configuration (Ethernet) Command Usage ◆ Setting a lower value indicates a higher effective priority. ◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link.
  • Page 433: Lacp Admin-Key (Port Channel)

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands ◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side.
  • Page 434: Lacp Timeout

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example Console(config)#interface port-channel 1 Console(config-if)#lacp admin-key 3 Console(config-if)# lacp timeout This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting. Syntax lacp timeout {long | short} no lacp timeout...
  • Page 435: Table 78: Show Lacp Counters - Display Description

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} port-channel - Local identifier for a link aggregation group. (Range: 1-26) counters - Statistics for LACP protocol messages.
  • Page 436: Table 79: Show Lacp Internal - Display Description

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------- Oper Key Admin Key : 0 Timeout : long Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Internal : 30 seconds LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key...
  • Page 437: Table 80: Show Lacp Neighbors - Display Description

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Console#show lacp 1 neighbors Port Channel 1 neighbors ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-12-CF-61-24-2F Partner Admin Port Number : 1 Partner Oper Port Number Port Admin Priority : 32768...
  • Page 438: Table 81: Show Lacp Sysid - Display Description

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 81: show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group. System Priority System MAC System MAC address.
  • Page 439: Table 82: Poe Commands

    Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24 on the ECS4120-28P. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
  • Page 440: Power Inline

    Chapter 13 | Power over Ethernet Commands Command Mode Global Configuration Command Usage ◆ Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. ◆ If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
  • Page 441: Table 83: Maximum Number Of Ports Providing Simultaneous Power

    Chapter 13 | Power over Ethernet Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#no power inline Console(config-if)# Related Commands time-range (168) power inline This command limits the power allocated to specific ports. Use the no form to restore the default setting.
  • Page 442: Power Inline Priority

    Chapter 13 | Power over Ethernet Commands power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port. Options: 1 (critical), 2 (high), or 3 (low) Default Setting 3 (low)
  • Page 443: Power Inline Time-Range

    Chapter 13 | Power over Ethernet Commands power inline time-range This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding. Syntax power inline time-range time-range-name no power inline time-range time-range-name - Name of the time range.
  • Page 444: Table 84: Show Power Inline Status - Display Description

    Chapter 13 | Power over Ethernet Commands Eth 1/ 5 Enabled 30000 mW 0 mW Low Eth 1/ 6 Enabled 30000 mW 0 mW Low Eth 1/ 7 Enabled 30000 mW 0 mW Low Eth 1/ 8 Enabled 30000 mW 0 mW Low Eth 1/ 9 Enabled...
  • Page 445: Table 85: Show Power Mainpower - Display Description

    Chapter 13 | Power over Ethernet Commands Related Commands power inline (440) show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example This example shows the maximum available PoE power and maximum allocated PoE power for the ECS4120-28P.
  • Page 447: Table 86: Port Mirroring Commands

    Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 86: Port Mirroring Commands Command Function...
  • Page 448 Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. ◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
  • Page 449: Table 88: Rspan Commands

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) Default Setting Shows all sessions.
  • Page 450 Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands (Continued) Table 88: RSPAN Commands Command Function Mode rspan remote vlan Specifies the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports no rspan session Deletes a configured RSPAN session show rspan Displays the configuration settings for an RSPAN session...
  • Page 451: Rspan Source

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports. ◆ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured.
  • Page 452: Rspan Destination

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Only ports can be configured as an RSPAN source – static and dynamic trunks are not allowed. ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN source port –...
  • Page 453: Rspan Remote Vlan

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Only ports can be configured as an RSPAN destination – static and dynamic trunks are not allowed. ◆ The source port and destination port cannot be configured on the same switch. ◆...
  • Page 454: No Rspan Session

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
  • Page 455: Show Rspan

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Command Mode Privileged Exec Example Console#show rspan session...
  • Page 457: Table 89: Congestion Control Commands

    Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 458: Rate-Limit

    Chapter 15 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input –...
  • Page 459: Table 91: Rate Limit Commands

    Chapter 15 | Congestion Control Commands Storm Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
  • Page 460: Table 92: Atc Commands

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆...
  • Page 461 Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands (Continued) Table 92: ATC Commands Command Function Mode auto-traffic-control Sets the upper threshold for ingress traffic beyond IC (Port) alarm-fire-threshold which a storm control response is triggered after the apply timer expires auto-traffic-control auto- Automatically releases a control response IC (Port)
  • Page 462: Figure 1: Storm Control By Limiting The Traffic Rate

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams. Figure 1: Storm Control by Limiting the Traffic Rate...
  • Page 463: Figure 2: Storm Control By Shutting Down A Port

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Figure 2: Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.
  • Page 464: Auto-Traffic-Control Release-Timer

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...
  • Page 465: Auto-Traffic-Control

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
  • Page 466: Auto-Traffic-Control Alarm-Clear-Threshold

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled. Default Setting rate-control Command Mode Interface Configuration (Ethernet) Command Usage ◆...
  • Page 467: Auto-Traffic-Control Alarm-Fire-Threshold

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage ◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or...
  • Page 468: Auto-Traffic-Control Auto-Control-Release

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
  • Page 469: Auto-Traffic-Control Control-Release

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#auto-traffic-control broadcast auto-control-release interface ethernet 1/1 Console(config)# auto-traffic-control control-release This command manually releases a control response. Syntax auto-traffic-control {broadcast | multicast} control-release broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
  • Page 470: Snmp-Server Enable Port-Traps Atc Broadcast-Alarm-Fire

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear Console(config-if)# Related Commands auto-traffic-control action (465) auto-traffic-control alarm-clear-threshold (466) snmp-server enable port-traps atc This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control.
  • Page 471: Snmp-Server Enable Port-Traps Atc Broadcast-Control-Release

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (467) auto-traffic-control apply-timer (463) snmp-server enable port-traps atc This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
  • Page 472: Snmp-Server Enable Port-Traps Atc Multicast-Alarm-Fire

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Mode Interface Configuration (Ethernet) Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear Console(config-if)# Related Commands auto-traffic-control action (465) auto-traffic-control alarm-clear-threshold (466) snmp-server enable port-traps atc This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
  • Page 473: Snmp-Server Enable Port-Traps Atc Multicast-Control-Release

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (467) auto-traffic-control apply-timer (463) snmp-server enable port-traps atc This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
  • Page 474: Show Auto-Traffic-Control Interface

    Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900 Console# show auto-traffic-control interface This command shows interface configuration settings and storm control status for the specified port. Syntax show auto-traffic-control interface [interface] interface...
  • Page 475: Table 93: Loopback Detection Commands

    Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When loopback detection (LBD) is enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back. Table 93: Loopback Detection Commands Command Function...
  • Page 476: Loopback-Detection

    Chapter 16 | Loopback Detection Commands loopback-detection This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Disabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
  • Page 477: Loopback-Detection Recover-Time

    Chapter 16 | Loopback Detection Commands Command Mode Global Configuration Command Usage ◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type. ◆...
  • Page 478: Loopback-Detection Transmit-Interval

    Chapter 16 | Loopback Detection Commands ◆ The recover-time is the maximum time when recovery is triggered after a loop is detected. The actual interval between recovery and detection will be less than or equal to the recover-time. ◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command.
  • Page 479: Loopback-Detection Release

    Chapter 16 | Loopback Detection Commands none - Does not send an SNMP trap for loopback detection or recovery. recover - Sends an SNMP trap message when the switch recovers from a loopback condition. Default Setting None Command Mode Global Configuration Command Usage Refer to the loopback-detection recover-time...
  • Page 480 Chapter 16 | Loopback Detection Commands Command Mode Privileged Exec Example Console#show loopback-detection Loopback Detection Global Information Global Status : Enabled Transmit Interval : 10 Recover Time : 60 Action : Shutdown Trap : None Loopback Detection Port Information Port Admin State Oper State --------...
  • Page 481: Table 94: Unidirectional Link Detection Commands

    UniDirectional Link Detection Commands The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment; and stores information about its neighbors in a cache.
  • Page 482: Udld Message-Interval

    Chapter 17 | UniDirectional Link Detection Commands Command Usage When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.
  • Page 483: Udld Recovery

    Chapter 17 | UniDirectional Link Detection Commands udld recovery This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature. Syntax [no] udld recovery Default Setting Disabled...
  • Page 484: Udld Aggressive

    Chapter 17 | UniDirectional Link Detection Commands Example Console(config)#udld recovery-interval 15 Console(config)# udld aggressive This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting. Syntax [no] udld aggressive Default Setting Disabled Command Mode Interface Configuration (Ethernet Port) Command Usage...
  • Page 485: Udld Port

    Chapter 17 | UniDirectional Link Detection Commands Example This example enables UDLD aggressive mode on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#udld aggressive Console(config-if)# udld port This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
  • Page 486: Table 95: Show Udld - Display Description

    Chapter 17 | UniDirectional Link Detection Commands show udld This command shows UDLD configuration settings and operational status for the switch or for a specified interface. Syntax show udld [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 487 Chapter 17 | UniDirectional Link Detection Commands (Continued) Table 95: show udld - display description Field Description Recovery Interval Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled UDLD Shows if UDLD is enabled or disabled on a port Mode Shows if UDLD is functioning in Normal or Aggressive mode Oper State...
  • Page 489: Table 96: Address Table Commands

    Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 96: Address Table Commands Command Function Mode mac-address-table Sets the aging time of the address table aging-time mac-address-table static Maps a static address to a port in a VLAN...
  • Page 490: Mac-Address-Table Static

    Chapter 18 | Address Table Commands mac-address-table This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, or to be deleted on reset. Use the no form to remove a static address.
  • Page 491: Clear Mac-Address-Table Dynamic

    Chapter 18 | Address Table Commands Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address-table dynamic This command removes any learned entries from the forwarding database. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address- This command shows classes of entries in the bridge-forwarding database.
  • Page 492: Show Mac-Address-Table Aging-Time

    Chapter 18 | Address Table Commands Command Usage ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: Learn - Dynamic address entries ■ Config - Static entry ■...
  • Page 493: Show Mac-Address-Table Count

    Chapter 18 | Address Table Commands show mac-address-table count This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. Syntax show mac-address-table count interface interface interface ethernet unit/port unit - Unit identifier.
  • Page 495: Table 97: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 97: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree forward-time Configures the spanning tree bridge forward time spanning-tree hello-time...
  • Page 496: Spanning-Tree

    Chapter 19 | Spanning Tree Commands (Continued) Table 97: Spanning Tree Commands Command Function Mode spanning-tree loopback- Configures loopback release mode for a port detection release-mode spanning-tree loopback- Enables BPDU loopback SNMP trap notification for a port detection trap spanning-tree mst cost Configures the path cost of an instance in the MST spanning-tree mst port- Configures the priority of an instance in the MST...
  • Page 497: Spanning-Tree Forward-Time

    Chapter 19 | Spanning Tree Commands Example This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
  • Page 498: Spanning-Tree Hello-Time

    Chapter 19 | Spanning Tree Commands spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) - 1].
  • Page 499: Spanning-Tree Mode

    Chapter 19 | Spanning Tree Commands Command Usage This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals.
  • Page 500: Spanning-Tree Pathcost Method

    Chapter 19 | Spanning Tree Commands ◆ Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below: STP Mode –...
  • Page 501: Spanning-Tree Priority

    Chapter 19 | Spanning Tree Commands Command Mode Global Configuration Command Usage ◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 509) takes precedence over port priority (page...
  • Page 502: Spanning-Tree Mst Configuration

    Chapter 19 | Spanning Tree Commands spanning-tree mst configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Syntax spanning-tree mst configuration Default Setting No VLANs are mapped to any MST instance. The region name is set to the switch’s MAC address. Command Mode Global Configuration Example...
  • Page 503: Spanning-Tree Transmission-Limit

    Chapter 19 | Spanning Tree Commands Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree transmission-limit This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs.
  • Page 504: Mst Priority

    Chapter 19 | Spanning Tree Commands Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 505: Mst Vlan

    Chapter 19 | Spanning Tree Commands Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
  • Page 506: Name

    Chapter 19 | Spanning Tree Commands name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode...
  • Page 507: Spanning-Tree Bpdu-Filter

    Chapter 19 | Spanning Tree Commands Example Console(config-mstp)#revision 1 Console(config-mstp)# Related Commands name (506) spanning-tree bpdu-filter This command allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. Use the no form to disable this feature. Syntax [no] spanning-tree bpdu-filter Default Setting...
  • Page 508: Spanning-Tree Bpdu-Guard

    Chapter 19 | Spanning Tree Commands spanning-tree bpdu-guard This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings. Syntax spanning-tree bpdu-guard [auto-recovery [interval interval]] no spanning-tree bpdu-guard [auto-recovery [interval]]...
  • Page 509: Table 98: Recommended Sta Path Cost Range

    Chapter 19 | Spanning Tree Commands spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method) Table 98: Recommended STA Path Cost Range...
  • Page 510: Spanning-Tree Edge-Port

    Chapter 19 | Spanning Tree Commands ◆ Path cost takes precedence over port priority. ◆ When the path cost method (page 500) is set to short, the maximum value for path cost is 65,535. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree This command specifies an interface as an edge port.
  • Page 511: Spanning-Tree Link-Type

    Chapter 19 | Spanning Tree Commands spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting.
  • Page 512: Spanning-Tree Loopback-Detection Action

    Chapter 19 | Spanning Tree Commands Command Usage ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). ◆...
  • Page 513: Spanning-Tree Loopback-Detection Release-Mode

    Chapter 19 | Spanning Tree Commands spanning-tree loopback-detection release-mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default. Syntax spanning-tree loopback-detection release-mode {auto | manual} no spanning-tree loopback-detection release-mode...
  • Page 514: Spanning-Tree Loopback-Detection Trap

    Chapter 19 | Spanning Tree Commands spanning-tree loopback-detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. Syntax [no] spanning-tree loopback-detection trap Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap...
  • Page 515: Spanning-Tree Mst Port-Priority

    Chapter 19 | Spanning Tree Commands interfaces attached to faster media, and higher values assigned to interfaces with slower media. ◆ Use the no spanning-tree mst cost command to specify auto-configuration mode. ◆ Path cost takes precedence over interface priority. Example Console(config)#interface Ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50...
  • Page 516: Spanning-Tree Port-Bpdu-Flooding

    Chapter 19 | Spanning Tree Commands Related Commands spanning-tree mst cost (514) spanning-tree port-bpdu-flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting. Syntax [no] spanning-tree port-bpdu-flooding...
  • Page 517: Spanning-Tree Root-Guard

    Chapter 19 | Spanning Tree Commands Command Usage ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 518: Spanning-Tree Spanning-Disabled

    Chapter 19 | Spanning Tree Commands by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed. ◆...
  • Page 519: Spanning-Tree Loopback-Detection Release

    Chapter 19 | Spanning Tree Commands Command Usage When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
  • Page 520: Spanning-Tree Protocol-Migration

    Chapter 19 | Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Command Mode Privileged Exec...
  • Page 521 Chapter 19 | Spanning Tree Commands Command Mode Privileged Exec Command Usage ◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. ◆...
  • Page 522: Show Spanning-Tree Mst Configuration

    Chapter 19 | Spanning Tree Commands Admin Edge Port : Auto Oper Edge Port : Disabled Admin Link Type : Auto Oper Link Type : Point-to-point Flooding Behavior : Enabled Spanning-Tree Status : Enabled Loopback Detection Release Mode : Auto Loopback Detection Trap : Disabled Loopback Detection Action...
  • Page 523: Table 100: Erps Commands

    ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS. Table 100: ERPS Commands Command Function Mode erps Enables ERPS globally on the switch...
  • Page 524 Chapter 20 | ERPS Commands (Continued) Table 100: ERPS Commands Command Function Mode clear erps Clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health statistics protocol messages erps clear Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command, and the node is operating under non-revertive mode;...
  • Page 525: Erps

    Chapter 20 | ERPS Commands Enable ERPS: Before enabling a ring as described in the next step, first use the erps command to globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled with the no erps command, no ERPS rings will work.
  • Page 526: Control-Vlan

    Chapter 20 | ERPS Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN. Up to 6 ERPS rings can be configured on the switch.
  • Page 527: Enable

    Chapter 20 | ERPS Commands ■ In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN. ■ Also, the ring ports of the Control VLAN must be tagged. ◆ Once the ring has been activated with the enable command, the configuration...
  • Page 528: Guard-Timer

    Chapter 20 | ERPS Commands Related Commands erps (525) guard-timer This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting. Syntax guard-timer milliseconds milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
  • Page 529: Major-Domain

    Chapter 20 | ERPS Commands Command Usage In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero.
  • Page 530: Meg-Level

    Chapter 20 | ERPS Commands Example Console(config-erps)#major-domain rd0 Console(config-erps)# meg-level This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting. Syntax meg-level level level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information.
  • Page 531: Mep-Monitor

    Chapter 20 | ERPS Commands mep-monitor This command specifies the CFM MEPs used to monitor the link on a ring node. Use the no form to restore the default setting. Syntax mep-monitor {east | west} mep mpid east - Connects to next ring node to the east. west - Connects to next ring node to the west.
  • Page 532: Node-Id

    Chapter 20 | ERPS Commands Related Commands ethernet cfm domain (779) ethernet cfm mep (784) node-id This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax node-id mac-address mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 533: Figure 3: Non-Erps Device Protection

    Chapter 20 | ERPS Commands non-erps-dev-protect This command sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through SF messages. Use the no form to disable this feature. Syntax [no] non-erps-dev-protect Default Setting Disabled Command Mode...
  • Page 534: Non-Revertive

    Chapter 20 | ERPS Commands Example Console(config-erps)#non-erps-dev-protect Console(config-erps)# non-revertive This command enables non-revertive mode, which requires the protection state on the RPL to be manually cleared. Use the no form to restore the default revertive mode. Syntax [no] non-revertive Default Setting Disabled Command Mode ERPS Configuration...
  • Page 535 Chapter 20 | ERPS Commands The WTR timer is cancelled if during the WTR period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node. When the WTR timer expires, without the presence of any other higher priority request, the RPL Owner Node initiates reversion by blocking its traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and...
  • Page 536 Chapter 20 | ERPS Commands ■ Recovery with revertive mode is handled in the following way: The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTB timer. The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
  • Page 537 Chapter 20 | ERPS Commands If the ring node where the Manual Switch was cleared receives an R-APS (NR) message with a Node ID higher than its own Node ID, it unblocks any ring port which does not have an SF condition and stops transmitting R-APS (NR) message on both ring ports.
  • Page 538: Propagate-Tc

    Chapter 20 | ERPS Commands propagate-tc This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature. Syntax [no] propagate-tc Default Setting Disabled Command Mode ERPS Configuration Command Usage ◆...
  • Page 539: Raps-Without-Vc

    Chapter 20 | ERPS Commands ◆ If this command is disabled, the following strings are used as the node identifier: ■ ERPSv1: 01-19-A7-00-00-01 ■ ERPSv2: 01-19-A7-00-00-[Ring ID] Example Console(config-erps)#propagate-tc Console(config-erps)# raps-without-vc This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes.
  • Page 540: Figure 4: Sub-Ring With Virtual Channel

    Chapter 20 | ERPS Commands may be affected if R-APS messages traverse a long distance over an R-APS virtual channel. Figure 4: Sub-ring with Virtual Channel [Figure labels: Interconnection Node, RPL Port, Ring Node, Major Ring, Sub-ring with Virtual Channel, Virtual Channel] ◆...
  • Page 541: Ring-Port

    Chapter 20 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. Syntax ring-port {east | west} interface interface east - Connects to next ring node to the east. west - Connects to next ring node to the west.
  • Page 542: Rpl Neighbor

    Chapter 20 | ERPS Commands rpl neighbor This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting. Syntax rpl neighbor no rpl Default Setting None (that is, neither owner nor neighbor) Command Mode ERPS Configuration Command Usage...
  • Page 543: Version

    Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the erps forced-switch erps manual-switch...
  • Page 544: Wtr-Timer

    Chapter 20 | ERPS Commands ◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2. ◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”.
  • Page 545: Clear Erps Statistics

    Chapter 20 | ERPS Commands clear erps statistics This command clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages. Syntax clear erps statistics [domain ring-name] ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) Command Mode Privileged Exec Example...
  • Page 546: Erps Forced-Switch

    Chapter 20 | ERPS Commands Example Console#erps clear domain r&d Console# erps forced-switch This command blocks the specified ring port. Syntax erps forced-switch [domain ring-name] {east | west} ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) east - East ring port. west - West ring port.
  • Page 547: Table 101: Erps Request/State Priority

    Chapter 20 | ERPS Commands While an existing forced switch request is present in a ring, any new forced switch request is accepted, except on a ring node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued.
  • Page 548: Erps Manual-Switch

    Chapter 20 | ERPS Commands node under maintenance in order to avoid falling into the above mentioned unrecoverable situation. Example Console#erps forced-switch domain r&d west Console# erps manual-switch This command blocks the specified ring port, in the absence of a failure or an erps forced-switch command.
  • Page 549: Show Erps

    Chapter 20 | ERPS Commands A ring node accepting an R-APS (MS) message, without any local higher priority requests stops transmitting R-APS messages. A ring node receiving an R-APS (MS) message flushes its FDB. ◆ Protection switching on a manual switch request is completed when the above actions are performed by each ring node.
  • Page 550: Table 102: Show Erps - Summary Display Description

    Chapter 20 | ERPS Commands Example This example displays a summary of all the ERPS rings configured on the switch. Console#show erps ERPS Status : Enabled Number of ERPS Domains Domain Enabled Ver MEL Ctrl VLAN State Type Revertive ------------ --- ------- --- --- --------- ---------- ------------ --------- r&d 1 Yes 1 Idle...
  • Page 551: Table 103: Show Erps Domain - Detailed Display Description

    Chapter 20 | ERPS Commands (Continued) Table 102: show erps - summary display description Field Description Port State The operational state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
  • Page 552 Chapter 20 | ERPS Commands (Continued) Table 103: show erps domain - detailed display description Field Description R-APS with VC The R-APS Virtual Channel is the R-APS channel connection used to tunnel R-APS messages between two interconnection nodes of a sub-ring in another Ethernet ring or network.
  • Page 553: Table 104: Show Erps Statistics - Detailed Display Description

    Chapter 20 | ERPS Commands Console# Table 104: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node. Local Clear SF The number of times a clear command was issued to terminate protection state entered through a forced switch or manual switch...
  • Page 555: Table 105: Vlan Commands

    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 556: Table 106: Gvrp And Bridge Extension Commands

    Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
  • Page 557: Garp Timer

    Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set.
  • Page 558: Switchport Forbidden Vlan

    Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add.
  • Page 559: Table 107: Show Bridge-Ext - Display Description

    Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command. Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands.
  • Page 560: Show Garp Timer

    Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands (Continued) Table 107: show bridge-ext - display description Field Description Configurable PVID Tagging This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to the switchport allowed vlan command.) Local VLAN Capable This switch does not support multiple local bridges outside of the scope of...
  • Page 561: Show Gvrp Configuration

    Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Default Setting Shows both global and interface-specific configuration.
  • Page 562: Table 108: Commands For Editing Vlan Groups

    Chapter 21 | VLAN Commands Editing VLAN Groups Editing VLAN Groups Table 108: Commands for Editing VLAN Groups Command Function Mode vlan database Enters VLAN database mode to add, change, and delete VLANs vlan Configures a VLAN, including VID, name and state vlan database This command enters VLAN database mode.
  • Page 563: Vlan

    Chapter 21 | VLAN Commands Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 564: Table 109: Commands For Configuring Vlan Interfaces

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces Related Commands show vlan (571) Configuring VLAN Interfaces Table 109: Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN switchport acceptable-frame-types Configures frame types to be accepted by an interface switchport allowed vlan Configures the VLANs associated with an interface...
  • Page 565: Switchport Acceptable-Frame-Types

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces Related Commands shutdown (394) interface (387) vlan (563) switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged.
  • Page 566: Switchport Allowed Vlan

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan vlan-list - If a VLAN list is entered without using the add option, the...
  • Page 567: Switchport Ingress-Filtering

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces ◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged...
  • Page 568: Switchport Mode

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk} no switchport mode access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
  • Page 569: Switchport Native Vlan

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
  • Page 570: Figure 6: Configuring Vlan Trunking

    Chapter 21 | VLAN Commands Configuring VLAN Interfaces The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E. Figure 6: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches –...
  • Page 571: Table 110: Commands For Displaying Vlan Information

    Chapter 21 | VLAN Commands Displaying VLAN Information Displaying VLAN Information This section describes commands used to display VLAN information. Table 110: Commands for Displaying VLAN Information Command Function Mode show interfaces status vlan Displays status for the specified VLAN interface NE, PE show interfaces switchport Displays the administrative and operational status of an...
  • Page 572: Table 111: 802.1Q Tunneling Commands

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 573: Dot1Q-Tunnel System-Tunnel-Control

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆...
  • Page 574: Switchport Dot1Q-Tunnel Mode

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access –...
  • Page 575: Switchport Dot1Q-Tunnel Priority Map

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel priority map This command copies the inner tag 802.1p value to the outer tag 802.1p value. Use the no form of this command to use port default priority. Syntax [no] switchport dot1q-tunnel priority map Default Setting Disabled...
  • Page 576: Figure 7: Mapping Qinq Service Vlan To Customer Vlan

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling VLAN that will carry this traffic across the 802.1Q tunnel. This process is performed in a transparent manner. ◆ When priority bits are found in the inner tag, these are also copied to the outer tag.
  • Page 577 Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Step 1. Configure Switch A and B. Create VLANs 100, 200 and 300. Console(config)#vlan database Console(config-vlan)#vlan 100,200,300 media ethernet state active Enable QinQ. Console(config)#dot1q-tunnel system-tunnel-control Configure port 2 as a tagged member of VLANs 100, 200 and 300 using uplink mode.
  • Page 578: Switchport Dot1Q-Tunnel Tpid

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. Syntax switchport dot1q-tunnel tpid tpid no switchport dot1q-tunnel tpid tpid –...
  • Page 579: Show Dot1Q-Tunnel

    Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling show dot1q-tunnel This command displays information about QinQ tunnel ports. Syntax show dot1q-tunnel [interface interface [service svid] | service [svid]] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) svid - VLAN ID for the outer VLAN tag (SPVID).
  • Page 580: Table 112: L2 Protocol Tunnel Commands

    Chapter 21 | VLAN Commands Configuring L2PT Tunneling Configuring L2PT Tunneling This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT). Table 112: L2 Protocol Tunnel Commands Command Function Mode l2protocol-tunnel tunnel- Configures the destination address for Layer 2 Protocol dmac Tunneling switchport...
  • Page 581 Chapter 21 | VLAN Commands Configuring L2PT Tunneling encapsulated packets in the same way as normal data, forwarding them across to the tunnel’s egress port. The egress port decapsulates these packets, restores the proper protocol and MAC address information, and then floods them onto the same VLANs at the customer’s remote site (via all of the appropriate tunnel ports and access ports connected to the same metro VLAN).
  • Page 582: Switchport L2Protocol-Tunnel

    Chapter 21 | VLAN Commands Configuring L2PT Tunneling ■ other access ports for which L2PT is enabled after decapsulating the packet and restoring the proper protocol and MAC address information. ■ all uplink ports. ◆ When a Cisco-compatible L2PT packet is received on an access port, and recognized as a CDP/VTP/STP/PVST+ protocol packet, and ■...
  • Page 583: Show L2Protocol-Tunnel

    Chapter 21 | VLAN Commands Configuring L2PT Tunneling vtp - Cisco VLAN Trunking Protocol Default Setting Disabled for all protocols Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Refer to the Command Usage section for the l2protocol-tunnel tunnel-dmac command.
  • Page 584: Table 113: Vlan Translation Commands

    Chapter 21 | VLAN Commands Configuring VLAN Translation Configuring VLAN Translation QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network. However, if any switch in the path crossing the service provider’s network does not support this feature, then the switches directly connected to that device can be configured to swap the customer’s VLAN ID with the service provider’s VLAN ID for upstream traffic, or the service provider’s VLAN ID with the customer’s VLAN ID for downstream traffic.
  • Page 585: Figure 8: Configuring Vlan Translation

    Chapter 21 | VLAN Commands Configuring VLAN Translation Figure 8: Configuring VLAN Translation (VLAN 10) (VLAN 100) upstream (VLAN 100) (VLAN 10) downstream ◆ The maximum number of VLAN translation entries is 8 per port, and up to 96 for the system.
  • Page 586: Table 114: Protocol-Based Vlan Commands

    Chapter 21 | VLAN Commands Configuring Protocol-based VLANs Command Mode Privileged Exec Example Console#show vlan-translation Interface Old VID New VID --------- ------- ------- Eth 1/ 1 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
  • Page 587: Protocol-Vlan Protocol-Group (Configuring Groups)

    Chapter 21 | VLAN Commands Configuring Protocol-based VLANs Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode). protocol-vlan This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group....
  • Page 588: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    Chapter 21 | VLAN Commands Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan group-id - Group identifier of this protocol group....
  • Page 589: Show Protocol-Vlan Protocol-Group

    Chapter 21 | VLAN Commands Configuring Protocol-based VLANs show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups. Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group. (Range: 1-2147483647) Default Setting All protocol groups are displayed....
  • Page 590: Table 115: Ip Subnet Vlan Commands

    Chapter 21 | VLAN Commands Configuring IP Subnet VLANs Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port Protocol Group ID VLAN ID -------- ----------------- ------- Eth 1/ 2 1 Console#...
  • Page 591: Show Subnet-Vlan

    Chapter 21 | VLAN Commands Configuring IP Subnet VLANs Default Setting Priority: 0 Command Mode Global Configuration Command Usage ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a subnet mask. The specified VLAN need not be an existing VLAN.
  • Page 592: Table 116: Mac Based Vlan Commands

    Chapter 21 | VLAN Commands Configuring MAC Based VLANs 192.168.12.224 255.255.255.240 192.168.12.240 255.255.255.248 192.168.12.248 255.255.255.252 192.168.12.252 255.255.255.254 192.168.12.254 255.255.255.255 192.168.12.255 255.255.255.255 Console# Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
  • Page 593: Show Mac-Vlan

    Chapter 21 | VLAN Commands Configuring MAC Based VLANs Command Mode Global Configuration Command Usage ◆ The MAC-to-VLAN mapping applies to all ports on the switch. ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆...
  • Page 594: Table 117: Voice Vlan Commands

    Chapter 21 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
  • Page 595: Voice Vlan Aging

    Chapter 21 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
  • Page 596: Voice Vlan Mac-Address

    Chapter 21 | VLAN Commands Configuring Voice VLANs Note that when the switchport voice vlan command is set to auto mode, the remaining aging time displayed by the show voice vlan command will be displayed. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time will display “NA.
  • Page 597: Switchport Voice Vlan

    Chapter 21 | VLAN Commands Configuring Voice VLANs Example The following example adds a MAC OUI to the OUI Telephony list. Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone Console(config)# switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port....
  • Page 598: Switchport Voice Vlan Priority

    Chapter 21 | VLAN Commands Configuring Voice VLANs switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value....
  • Page 599: Switchport Voice Vlan Security

    Chapter 21 | VLAN Commands Configuring Voice VLANs Command Usage ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device....
  • Page 600: Show Voice Vlan

    Chapter 21 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
  • Page 601: Table 118: Priority Commands

    Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 602: Queue Mode

    Chapter 22 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value....
  • Page 603: Queue Weight

    Chapter 22 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
  • Page 604: Switchport Priority Default

    Chapter 22 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7. Console(config)#queue weight 1 2 3 4 5 6 7 8 Console(config)# Related Commands queue mode (602)
  • Page 605: Show Queue Mode

    Chapter 22 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (408) show queue mode This command shows the current queue mode.
  • Page 606: Table 120: Priority Commands (Layer 3 And 4)

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 120: Priority Commands (Layer 3 and 4) Command Function Mode...
  • Page 607: Table 121: Mapping Internal Per-Hop Behavior To Hardware Queues

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map phb-queue This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings. Syntax qos map phb-queue queue-id from phb0 ...
  • Page 608: Table 122: Default Mapping Of Cos/Cfi To Internal Phb/Drop Precedence

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map cos-dscp This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
  • Page 609: Table 123: Mapping Per-Hop Behavior To Drop Precedence

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command. ◆ The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent;...
  • Page 610: Table 124: Mapping Internal Phb/Drop Precedence To Cos/Cfi Values

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Console(config-if)#qos map default-drop-precedence 3 from 3 4 5 Console(config-if)#qos map default-drop-precedence 0 from 6 7 Console(config-if)# qos map dscp-cos This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface.
  • Page 611: Table 125: Default Mapping Of Dscp Values To Internal Phb/Drop Values

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) ◆ If the packet is forwarded with an 802.1Q tag, the priority value in the egress packet is modified based on the table shown above, or on similar values as modified by this command....
  • Page 612: Qos Map Ip-Port-Dscp

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
  • Page 613: Table 126: Default Mapping Of Ip Precedence To Internal Phb/Drop Values

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console(config)#interface ethernet 1/5 Console(config-if)#qos map ip-port-dscp tcp 21 to 1 0 Console(config-if)# qos map ip-prec-dscp This command maps IP precedence values in incoming packets to per-hop...
  • Page 614: Qos Map Trust-Mode

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting. Syntax qos map trust-mode {cos | dscp | ip-prec} no qos map trust-mode cos - Sets the QoS mapping mode to CoS.
  • Page 615: Show Qos Map Cos-Dscp

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map cos-dscp This command shows ingress CoS/CFI to internal DSCP map. Syntax show qos map cos-dscp interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number....
  • Page 616: Show Map Dscp-Cos

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Example Console#show qos map default-drop-precedence interface ethernet 1/5 Information of Eth 1/5 default-drop-precedence map: phb: ------------------------------------------------------- color: Console# show map dscp-cos This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values.
  • Page 617: Show Qos Map Dscp-Mutation

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map dscp-mutation This command shows the ingress DSCP to internal DSCP map. Syntax show qos map dscp-mutation interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number....
  • Page 618: Show Qos Map Ip-Prec-Dscp

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Command Usage The IP Port-to-DSCP mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console#show qos map ip-port-dscp interface ethernet 1/5 Information of Eth 1/5 ip-port-dscp map:...
  • Page 619: Show Qos Map Phb-Queue

    Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map phb-queue This command shows internal per-hop behavior to hardware queue map. Syntax show qos map phb-queue interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number....
  • Page 621: Table 127: Quality Of Service Commands

    Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet....
  • Page 622: Class-Map

    Chapter 23 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an access...
  • Page 623: Description

    Chapter 23 | Quality of Service Commands ◆ One or more class maps can be assigned to a policy map (page 625). The policy map is then bound by a service policy to an interface (page 635). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the...
  • Page 624 Chapter 23 | Quality of Service Commands cos - A Class of Service value. (Range: 0-7) dscp - A Differentiated Service Code Point value. (Range: 0-63) ip-precedence - An IP Precedence value. (Range: 0-7) vlan - A VLAN. (Range:1-4094) Default Setting None Command Mode Class Map Configuration...
  • Page 625: Rename

    Chapter 23 | Quality of Service Commands This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1. Console(config)#class-map rd-class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)# rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map....
  • Page 626: Class

    Chapter 23 | Quality of Service Commands ◆ Create a Class Map (page 625) before assigning it to a Policy Map. Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the...
  • Page 627: Police Flow

    Chapter 23 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and...
  • Page 628: Police Srtcm-Color

    Chapter 23 | Quality of Service Commands committed-rate option. Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698. ◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR –...
  • Page 629 Chapter 23 | Quality of Service Commands committed-burst - Committed burst size (BC) in bytes. (Range: 4000-16000000 bytes) excess-burst - Excess burst size (BE) in bytes. (Range: 4000-16000000 bytes) conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, packet is set green).
  • Page 630 Chapter 23 | Quality of Service Commands The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows: If Tc is less than BC, Tc is incremented by one, else ■...
  • Page 631: Police Trtcm-Color

    Chapter 23 | Quality of Service Commands police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer. Syntax [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp}...
  • Page 632 Chapter 23 | Quality of Service Commands ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR.
  • Page 633 Chapter 23 | Quality of Service Commands to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate. Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set phb 3 Console(config-pmap-c)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop Console(config-pmap-c)# set cos...
  • Page 634 Chapter 23 | Quality of Service Commands set ip dscp This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification. Syntax [no] set ip dscp new-dscp new-dscp - New Differentiated Service Code Point (DSCP) value.
  • Page 635: Service-Policy

    Chapter 23 | Quality of Service Commands Command Usage ◆ The set phb command is used to set an internal QoS value in hardware for matching packets (see Table 122, "Default Mapping of CoS/CFI to Internal PHB/Drop Precedence"). The QoS label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion by the police srtcm-color...
  • Page 636: Show Class-Map

    Chapter 23 | Quality of Service Commands ◆ The switch does not allow a policy map to be bound to an interface for egress traffic. Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd-policy Console(config-if)# show class-map This command displays the QoS class maps which define matching criteria used for...
  • Page 637: Show Policy-Map Interface

    Chapter 23 | Quality of Service Commands Default Setting Displays all policy maps and all classes. Command Mode Privileged Exec Example Console#show policy-map Policy Map rd-policy Description: class rd-class set phb 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 Console#...
  • Page 639: Table 128: Multicast Filtering Commands

    Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/ router to ensure that it will continue to receive the multicast service.
  • Page 640 Chapter 24 | Multicast Filtering Commands IGMP Snooping (Continued) Table 129: IGMP Snooping Commands Command Function Mode ip igmp snooping Discards any IGMPv2/v3 packets that do not include the router-alert-option-check Router Alert option ip igmp snooping Configures the querier timeout router-port-expire-time ip igmp snooping tcn-flood Floods multicast traffic when a Spanning Tree topology...
  • Page 641: Ip Igmp Snooping

    Chapter 24 | Multicast Filtering Commands IGMP Snooping (Continued) Table 129: IGMP Snooping Commands Command Function Mode show ip igmp snooping Shows the IGMP snooping, proxy, and query configuration PE show ip igmp snooping Shows known multicast group, source, and host port group mapping show ip igmp snooping...
  • Page 642: Ip Igmp Snooping Priority

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping priority This command assigns a priority to all multicast traffic. Use the no form to restore the default setting. Syntax ip igmp snooping priority priority no ip igmp snooping priority priority - The CoS priority assigned to all multicast traffic....
  • Page 643: Ip Igmp Snooping Querier

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
  • Page 644: Ip Igmp Snooping Router-Alert-Option-Check

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping router-alert-option-check This command discards any IGMPv2/v3 packets that do not include the Router Alert option. Use the no form to ignore the Router Alert Option when receiving IGMP messages. Syntax [no] ip igmp snooping router-alert-option-check...
  • Page 645: Ip Igmp Snooping Tcn-Flood

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Example The following shows how to configure the timeout to 400 seconds: Console(config)#ip igmp snooping router-port-expire-time 400 Console(config)# ip igmp snooping tcn-flood This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs....
  • Page 646: Ip Igmp Snooping Tcn-Query-Solicit

    Chapter 24 | Multicast Filtering Commands IGMP Snooping The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets. Example The following example enables TCN flooding. Console(config)#ip igmp snooping tcn-flood Console(config)# ip igmp snooping This command instructs the switch to send out an IGMP general query solicitation...
  • Page 647: Ip Igmp Snooping Unregistered-Data-Flood

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping unregistered-data-flood This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration...
  • Page 648: Ip Igmp Snooping Version

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Example Console(config)#ip igmp snooping unsolicited-report-interval 5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4094) 1 - IGMP Version 1...
  • Page 649: Ip Igmp Snooping Version-Exclusive

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping version-exclusive This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp snooping version command. Use the no form to disable this feature. Syntax ip igmp snooping [vlan vlan-id] version-exclusive no ip igmp snooping version-exclusive...
  • Page 650: Ip Igmp Snooping Vlan Immediate-Leave

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
  • Page 651: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ◆ This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave. Console(config)#ip igmp snooping vlan 1 immediate-leave Console(config)# ip igmp snooping vlan This command configures the number of IGMP proxy group-specific or group-and-...
  • Page 652: Ip Igmp Snooping Vlan Last-Memb-Query-Intvl

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan last-memb-query-intvl This command configures the last-member-query interval. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id last-memb-query-intvl interval no ip igmp snooping vlan vlan-id last-memb-query-intvl vlan-id - VLAN ID (Range: 1-4094) interval - The interval to wait for a response to a group-specific or group-and-source-specific query message....
  • Page 653: Ip Igmp Snooping Vlan Proxy-Address

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers.
  • Page 654 Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 655: Ip Igmp Snooping Vlan Query-Interval

    Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan query-interval This command configures the interval between sending IGMP general queries. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id query-interval interval no ip igmp snooping vlan vlan-id query-interval vlan-id - VLAN ID (Range: 1-4094) interval - The interval between sending IGMP general queries....
  • Page 656: Ip Igmp Snooping Vlan Static

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Usage This command applies when the switch is serving as the querier (page 643), or as a proxy host when IGMP snooping proxy reporting is enabled (page 642). Example Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20 Console(config)# ip igmp snooping vlan This command adds a port to a multicast group.
  • Page 657: Clear Ip Igmp Snooping Groups Dynamic

    Chapter 24 | Multicast Filtering Commands IGMP Snooping clear ip igmp snooping groups dynamic This command clears multicast group information dynamically learned through IGMP snooping. Syntax clear ip igmp snooping groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned through IGMP snooping. Statically configured multicast addresses are not cleared....
  • Page 658 Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Privileged Exec Command Usage This command displays global and VLAN-specific IGMP configuration settings. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping IGMP Snooping : Enabled Router Port Expire Time : 300 s Router Alert Check...
  • Page 659: Show Ip Igmp Snooping Group

    Chapter 24 | Multicast Filtering Commands IGMP Snooping show ip igmp snooping group This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified. Syntax show ip igmp snooping group [host-ip-addr ip-address interface | igmpsnp | sort-by-port | user | vlan vlan-id [user | igmpsnp]] ip-address - IP address for multicast group interface...
  • Page 660: Show Ip Igmp Snooping Mrouter

    Chapter 24 | Multicast Filtering Commands IGMP Snooping show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs....
  • Page 661: Table 130: Show Ip Igmp Snooping Statistics Input - Display Description

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Privileged Exec Example The following shows IGMP protocol statistics input: Console#show ip igmp snooping statistics input interface ethernet 1/1 Input Statistics: Interface Report Leave G Query G(-S)-S Query Drop Join Succ Group --------- -------- -------- -------- ------------- -------- --------- ------ Eth 1/ 1 Console#...
  • Page 662: Table 132: Show Ip Igmp Snooping Statistics Vlan Query - Display Description

    Chapter 24 | Multicast Filtering Commands IGMP Snooping Table 131: show ip igmp snooping statistics output - display description Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
  • Page 663: Table 133: Static Multicast Interface Commands

    Chapter 24 | Multicast Filtering Commands Static Multicast Routing Table 132: show ip igmp snooping statistics vlan query - display description Field Description V2 Warning Count The number of times the query version received (Version 2) does not match the version configured for this interface. V3 Warning Count The number of times the query version received (Version 3) does not match the version configured for this interface.
  • Page 664: Table 134: Igmp Filtering And Throttling Commands

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling trunk) on this switch, that interface can be manually configured to join all the current multicast groups. ◆ IGMP Snooping must be enabled globally on the switch (using the ip igmp snooping command) before a multicast router port can take effect.
  • Page 665 Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling (Continued) Table 134: IGMP Filtering and Throttling Commands Command Function Mode show ip igmp throttle interface Displays the IGMP throttling setting for interfaces show ip multicast-data-drop Shows if the interface is configured to drop multicast data packets ip igmp filter...
  • Page 666: Ip Igmp Profile

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number.
  • Page 667: Range

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ip-address [high-ip-address] low-ip-address - A valid IP address of a multicast group or start of a group range.
  • Page 668: Table 135: Igmp Authentication Radius Attribute Value Pairs

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage ◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
  • Page 669: Ip Igmp Filter (Interface Configuration)

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling (Continued) Table 135: IGMP Authentication RADIUS Attribute Value Pairs Attribute Name AVP Type Entry NAS_PORT User Port Number FRAMED_IP_ADDRESS Multicast Group ID Example This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
  • Page 670: Ip Igmp Max-Groups

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 671: Ip Igmp Query-Drop

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 672: Show Ip Igmp Authentication

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).
  • Page 673: Show Ip Igmp Filter

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling show ip igmp filter This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 674: Show Ip Igmp Query-Drop

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Console#show ip igmp profile 19 IGMP Profile 19 Deny Range 239.1.1.1 239.1.1.1 Range 239.2.3.1 239.2.3.100 Console# show ip igmp query-drop This command shows if the specified interface is configured to drop IGMP query packets.
  • Page 675: Show Ip Multicast-Data-Drop

    Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : FALSE Action : Deny Max Multicast Groups : 255...
  • Page 676: Table 136: Mld Snooping Commands

    Chapter 24 | Multicast Filtering Commands MLD Snooping MLD Snooping Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
  • Page 677: Ipv6 Mld Snooping

    Chapter 24 | Multicast Filtering Commands MLD Snooping (Continued) Table 136: MLD Snooping Commands Command Function Mode clear ipv6 mld snooping statistics Clears MLD snooping statistics show ipv6 mld snooping Displays MLD Snooping configuration show ipv6 mld snooping group Displays the learned groups show ipv6 mld snooping Displays the learned groups and corresponding source list PE...
  • Page 678: Ipv6 Mld Snooping Query-Interval

    Chapter 24 | Multicast Filtering Commands MLD Snooping Command Usage ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. ◆ An IPv6 address must be configured on the VLAN interface from which the querier will act if elected.
  • Page 679: Ipv6 Mld Snooping Query-Max-Response-Time

    Chapter 24 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping query-max-response-time This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default. Syntax ipv6 mld snooping query-max-response-time seconds no ipv6 mld snooping query-max-response-time seconds - The maximum response time allowed for MLD general queries.
  • Page 680: Ipv6 Mld Snooping Robustness

    Chapter 24 | Multicast Filtering Commands MLD Snooping Example Console(config)#ipv6 mld snooping proxy-reporting Console(config)# ipv6 mld snooping robustness This command configures the MLD Snooping robustness variable. Use the no form to restore the default value. Syntax ipv6 mld snooping robustness value no ipv6 mld snooping robustness value - The number of the robustness variable.
  • Page 681: Ipv6 Mld Snooping Unknown-Multicast Mode

    Chapter 24 | Multicast Filtering Commands MLD Snooping Command Usage The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired. Example Console(config)#ipv6 mld snooping router-port-expire-time 300 Console(config)#...
  • Page 682: Ipv6 Mld Snooping Unsolicited-Report-Interval

    Chapter 24 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping unsolicited-report-interval This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value. Syntax ipv6 mld snooping unsolicited-report-interval seconds no ipv6 mld snooping unsolicited-report-interval...
  • Page 683: Ipv6 Mld Snooping Vlan Immediate-Leave

    Chapter 24 | Multicast Filtering Commands MLD Snooping Example Console(config)#ipv6 mld snooping version 1 Console(config)# ipv6 mld snooping vlan immediate-leave This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN.
  • Page 684: Ipv6 Mld Snooping Vlan Static

    Chapter 24 | Multicast Filtering Commands MLD Snooping interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Default Setting No static multicast router ports are configured. Command Mode Global Configuration Command Usage Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
  • Page 685: Clear Ipv6 Mld Snooping Groups Dynamic

    Chapter 24 | Multicast Filtering Commands MLD Snooping Command Mode Global Configuration Example Console(config)#ipv6 mld snooping vlan 1 static ff05:0:1:2:3:4:5:6 ethernet Console(config)# clear ipv6 mld snooping groups dynamic This command clears multicast group information dynamically learned through MLD snooping. Syntax clear ipv6 mld snooping groups dynamic Command Mode Privileged Exec...
  • Page 686: Show Ipv6 Mld Snooping

    Chapter 24 | Multicast Filtering Commands MLD Snooping Example Console#clear ipv6 mld snooping statistics Console# show ipv6 mld snooping This command shows the current MLD Snooping configuration. Syntax show ipv6 mld snooping [vlan vlan-id] vlan-id - VLAN ID (1-4094) Command Mode Privileged Exec Command Usage This command displays global and VLAN-specific MLD snooping configuration...
  • Page 687: Show Ipv6 Mld Snooping Group Source-List

    Chapter 24 | Multicast Filtering Commands MLD Snooping Example The following shows MLD Snooping group configuration information: Console#show ipv6 mld snooping group VLAN Multicast IPv6 Address Member port Type ---- --------------------------------------- ----------- --------------- 1 FF02::01:01:01:01 Eth 1/1 MLD Snooping 1 FF02::01:01:01:02 Eth 1/1 Multicast Data 1 FF02::01:01:01:02...
  • Page 688: Show Ipv6 Mld Snooping Mrouter

    Chapter 24 | Multicast Filtering Commands MLD Snooping show ipv6 mld snooping mrouter This command shows MLD Snooping multicast router information. Syntax show ipv6 mld snooping mrouter vlan vlan-id vlan-id - A VLAN identification number. (Range: 1-4094) Command Mode Privileged Exec Example Console#show ipv6 mld snooping mrouter vlan 1 VLAN Multicast Router Port Type...
  • Page 689: Table 137: Mld Filtering And Throttling Commands

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Example The following shows MLD protocol statistics input: Console#show ipv6 mld snooping statistics input interface ethernet 1/1 Input Statistics: Interface Report Leave G Query G(-S)-S Query Drop Join Succ Group --------- -------- -------- -------- ------------- -------- --------- ------ Eth 1/ 1 Console#...
  • Page 690: Ipv6 Mld Filter (Global Configuration)

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld filter (Global Configuration) This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ipv6 mld filter Default Setting Disabled Command Mode Global Configuration...
  • Page 691: Permit, Deny

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface.
  • Page 692: Range

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ipv6-address [high-ipv6-address] low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
  • Page 693: Ipv6 Mld Max-Groups

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling ◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk. Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld filter 19...
  • Page 694: Ipv6 Mld Max-Groups Action

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld max-groups action This command sets the MLD throttling action for an interface on the switch. Syntax ipv6 mld max-groups action {deny | replace} deny - The new multicast group join report is dropped. replace - The new multicast group replaces an existing group.
  • Page 695: Ipv6 Multicast-Data-Drop

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld query-drop Console(config-if)# ipv6 multicast-data-drop Use this command to enable multicast data drop mode on a port interface. Use the no form of the command to disable multicast data drop. Syntax [no] ipv6 multicast-data-drop Default Setting...
  • Page 696: Show Ipv6 Mld Profile

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Console#show ipv6 mld filter interface ethernet 1/3 Ethernet 1/3 information --------------------------------- Profile 19 Deny Range ff01::101 ff01::faa Console# show ipv6 mld profile This command displays MLD filtering profiles created on the switch. Syntax show ipv6 mld profile [profile-number] profile-number - An existing MLD filter profile number.
  • Page 697: Show Ipv6 Mld Throttle Interface

    Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ipv6 mld query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ipv6 mld throttle This command displays the interface settings for MLD throttling.
  • Page 698: Table 138: Multicast Vlan Registration For Ipv4 Commands

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 MVR for IPv4 This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
  • Page 699: Mvr Associated-Profile

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 (Continued) Table 138: Multicast VLAN Registration for IPv4 Commands Command Function Mode show mvr associated-profile Shows the profiles bound to the specified domain show mvr interface Shows MVR settings for interfaces attached to the MVR VLAN show mvr members Shows information about the current number of entries in...
  • Page 700: Mvr Domain

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Default Setting Disabled Command Mode Global Configuration Example The following binds an MVR group address profile to domain 1: Console(config)#mvr domain 1 associated-profile rd Console(config)# Related Commands mvr profile (701) mvr domain This command enables Multicast VLAN Registration (MVR) for a specific domain.
  • Page 701: Mvr Priority

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN. Use the no form of this command to restore the default setting. Syntax mvr priority priority no mvr priority priority - The CoS priority assigned to all multicast traffic forwarded into the MVR VLAN.
  • Page 702: Mvr Proxy-Query-Interval

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage ◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
  • Page 703: Mvr Priority

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Example This example sets the proxy query interval for MVR proxy switching. Console(config)#mvr proxy-query-interval 250 Console(config)# mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN. Use the no form of this command to restore the default setting.
  • Page 704 Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage ◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface. The source port performs only the host portion of MVR by sending summarized membership reports, and automatically disables MVR router functions.
  • Page 705: Mvr Robustness-Value

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting. Syntax mvr robustness-value value no mvr robustness-value value - The robustness used for all interfaces.
  • Page 706: Mvr Upstream-Source-Ip

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 source ports on the switch and to all receiver ports that have elected to receive data on that multicast address. ◆ When the mvr source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined.
  • Page 707: Mvr Vlan

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. Syntax mvr domain domain-id vlan vlan-id no mvr domain domain-id vlan domain-id - An independent multicast domain.
  • Page 708: Mvr Immediate-Leave

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings. Syntax mvr [domain domain-id] immediate-leave [by-host-ip] no mvr [domain domain-id] immediate-leave...
  • Page 709: Mvr Type

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr type This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. Syntax [no] mvr [domain domain-id] type {receiver | source} domain-id - An independent multicast domain.
  • Page 710: Mvr Vlan Group

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Console(config-if)#mvr domain 1 type receiver Console(config-if)# mvr vlan group This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
  • Page 711: Clear Mvr Groups Dynamic

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 clear mvr groups dynamic This command clears multicast group information dynamically learned through MVR. Syntax clear mvr groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned through MVR. Statically configured multicast addresses are not cleared.
  • Page 712: Table 139: Show Mvr - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 show mvr This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address. Syntax show mvr [domain domain-id] domain-id - An independent multicast domain.
  • Page 713: Show Mvr Associated-Profile

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 (Continued) Table 139: show mvr - display description Field Description MVR Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic. MVR Current Learned The current number of MVR group addresses Groups MVR Upstream Source IP The source IP address assigned to all upstream control packets.
  • Page 714: Table 140: Show Mvr Interface - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Example The following displays information about the interfaces attached to the MVR VLAN in domain 1: Console#show mvr domain 1 interface MVR Domain : 1 Flag: H - immediate leave by host ip Port Type Status...
  • Page 715 Chapter 24 | Multicast Filtering Commands MVR for IPv4 host-ip-address - The subscriber IP addresses. igmp - Entry created by IGMP protocol. sort-by-port - The multicast groups associated with an interface. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 716: Table 141: Show Mvr Members - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Group Address VLAN Port Up time Expire Count --------------- ---- ----------- ----------- ------ -------- 234.5.6.7 2(P) 1 Eth 1/ 1(S) 2 Eth 1/ 2(R) Console# Table 141: show mvr members - display description Field Description Group Address...
  • Page 717: Table 142: Show Mvr Statistics Input - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-16) vlan vlan-id - VLAN ID (Range: 1-4094) query - Displays MVR query-related statistics. summary - Displays summary of MVR statistics.
  • Page 718: Table 143: Show Mvr Statistics Output - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 The following shows MVR protocol-related statistics sent: Console#show mvr domain 1 statistics output MVR Domain : 1 , MVR VLAN: 2 Output Statistics: Interface Report Leave G Query G(-S)-S Query Drop Group ---------- -------- -------- -------- ------------- -------- ------ Eth 1/ 1...
  • Page 719: Table 144: Show Mvr Statistics Query - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 144: show mvr statistics query - display description Field Description Other Querier The IP address of the querier on this interface. Other Querier Expire The time after which this querier is assumed to have expired. Other Querier Uptime Other querier’s time up.
  • Page 720 Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 145: show mvr statistics summary interface - display description Field Description Received General Number of general queries received. Group Specific Number of group specific queries received. V# Warning Count Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.
  • Page 721: Table 146: Show Mvr Statistics Summary Interface Mvr Vlan - Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 146: show mvr statistics summary interface mvr vlan - description Field Description Domain An independent multicast domain. Number of Groups Number of groups learned on this port. Querier Other Querier Other IGMP querier’s IP address.
  • Page 722: Table 147: Multicast Vlan Registration For Ipv6 Commands

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 MVR for IPv6 This section describes commands used to configure Multicast VLAN Registration for IPv6 (MVR6). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR6 VLAN is sent to all subscribers.
  • Page 723: Mvr6 Domain

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 (Continued) Table 147: Multicast VLAN Registration for IPv6 Commands Command Function Mode show mvr6 members Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address show mvr6 profile Shows all configured MVR profiles...
  • Page 724: Mvr6 Priority

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Default Setting Disabled Command Mode Global Configuration Command Usage When MVR6 is enabled on a domain, any multicast data associated with an MVR6 group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group.
  • Page 725: Mvr6 Profile

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 mvr6 profile This command maps a range of MVR6 group addresses to a profile. Use the no form of this command to remove the profile. Syntax mvr6 profile profile-name start-ip-address end-ip-address profile-name - The name of a profile containing one or more MVR6 group addresses.
  • Page 726: Mvr6 Proxy-Query-Interval

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 mvr6 proxy-query-interval This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting. Syntax mvr6 proxy-query-interval interval no mvr6 proxy-query-interval interval - The interval at which the receiver port sends out general queries.
  • Page 727: Mvr6 Robustness-Value

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 ◆ Receiver ports are known as downstream or router interfaces. These interfaces perform the standard MVR router functions by maintaining a database of all MVR6 subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR6 proxy service.
  • Page 728: Mvr6 Source-Port-Mode Dynamic

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Command Mode Global Configuration Command Usage ◆ This command sets the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
  • Page 729 Chapter 24 | Multicast Filtering Commands MVR for IPv6 Example Console(config)#mvr6 source-port-mode dynamic Console(config)# mvr6 upstream-source-ip This command configures the source IPv6 address assigned to all MVR control packets sent upstream on the specified domain. Use the no form to restore the default setting.
  • Page 730: Mvr6 Vlan

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 mvr6 vlan This command specifies the VLAN through which MVR6 multicast data is received. Use the no form of this command to restore the default MVR6 VLAN. Syntax mvr6 domain domain-id vlan vlan-id no mvr6 domain domain-id vlan domain-id - An independent multicast domain.
  • Page 731: Mvr6 Type

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Command Usage ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 732: Mvr6 Vlan Group

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 using the standard rules for multicast filtering (see “MLD Snooping” on page 676). ◆ Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR6 VLAN. MLD snooping can be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR6 VLAN.
  • Page 733: Default Setting

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Default Setting No receiver port is a member of any configured multicast group. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Multicast groups can be statically assigned to a receiver port using this command.
  • Page 734: Clear Mvr6 Groups Dynamic

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts join the group on this port). P - Port counts (number of forwarding ports). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
  • Page 735: Clear Mvr6 Statistics

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 clear mvr6 statistics This command clears MVR statistics. Syntax clear mvr6 statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) vlan vlan-id - VLAN identifier (Range: 1-4094) Command Mode Privileged Exec...
  • Page 736: Table 148: Show Mvr6 - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 MVR6 Proxy Query Interval : 125(sec.) MVR6 Source Port Mode : Always Forward MVR6 Domain MVR6 Config Status : Enabled MVR6 Running Status : Active MVR6 Multicast VLAN MVR6 Current Learned Groups : 0 MVR6 Upstream Source IP : FF05::25 Console#...
  • Page 737: Table 149: Show Mvr6 Interface - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Example The following displays the profiles bound to domain 1: Console#show mvr6 domain 1 associated-profile Domain ID : 1 MVR6 Profile Name Start IPv6 Addr. End IPv6 Addr. --------------------- ------------------------- ------------------------- ff01::fe ff01::ff Console#...
  • Page 738: Show Mvr6 Members

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 (Continued) Table 149: show mvr6 interface - display description Field Description Immediate Leave Shows if immediate leave is enabled or disabled. Static Group Address Shows any static MVR6 group assigned to an interface, and the receiver VLAN.
  • Page 739: Table 150: Show Mvr6 Members - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 The following example shows detailed information about a specific multicast address: Console#show mvr6 domain 1 members ff00::1 MVR6 Domain : 1 MVR6 Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts join the group on this port).
  • Page 740: Table 151: Show Mvr6 Statistics Input - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 show mvr6 statistics This command shows MVR protocol-related statistics for the specified interface. Syntax show mvr6 statistics {input | output} [interface interface] show mvr6 domain domain-id statistics {input [interface interface] | output [interface interface] | query | summary {ethernet interface | mvr-vlan | port-channel channel-id}} domain-id - An independent multicast domain.
  • Page 741: Table 152: Show Mvr6 Statistics Output - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 (Continued) Table 151: show mvr6 statistics input - display description Field Description Leave The number of leave messages received on this interface. G Query The number of general query messages received on this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages received on this interface.
  • Page 742: Table 153: Show Mvr6 Statistics Summary Interface - Display Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 Specific Query Sent Console# The following shows MVR6 summary statistics for an interface: Console#show mvr6 domain 1 statistics summary interface ethernet 1/1 Domain 1: Number of Groups: Querier: Report & Leave: Transmit Transmit General...
  • Page 743: Table 154: Show Mvr6 Statistics Summary Interface Mvr Vlan - Description

    Chapter 24 | Multicast Filtering Commands MVR for IPv6 The following shows MVR6 summary statistics for the MVR6 VLAN: Console#show mvr6 domain 1 statistics summary interface mvr-vlan Domain 1: Number of Groups: Querier: Report & Leave: Other Addr : None Host Addr : None Other Expire...
  • Page 744 Chapter 24 | Multicast Filtering Commands MVR for IPv6 Table 154: show mvr6 statistics summary interface mvr vlan - description Field Description Transmit Report Number of reports sent out from source port. Leave Number of leaves sent out from source port. Received Field header Report...
  • Page 745: Table 155: Lldp Commands

    LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 746 Chapter 25 | LLDP Commands (Continued) Table 155: LLDP Commands Command Function Mode lldp basic-tlv Configures an LLDP-enabled port to advertise its system-name system name lldp dot1-tlv proto-ident Configures an LLDP-enabled port to advertise the supported protocols Configures an LLDP-enabled port to advertise port- lldp dot1-tlv proto-vid based protocol related VLAN information Configures an LLDP-enabled port to advertise its...
  • Page 747: Lldp

    Chapter 25 | LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
  • Page 748: Lldp Med-Fast-Start-Count

    Chapter 25 | LLDP Commands Example Console(config)#lldp holdtime-multiplier 10 Console(config)# lldp med-fast-start-count This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
  • Page 749: Lldp Refresh-Interval

    Chapter 25 | LLDP Commands Command Mode Global Configuration Command Usage ◆ This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
  • Page 750: Lldp Reinit-Delay

    Chapter 25 | LLDP Commands lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP.
  • Page 751: Lldp Admin-Status

    Chapter 25 | LLDP Commands ◆ This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval Example Console(config)#lldp tx-delay 10 Console(config)# lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status...
  • Page 752: Lldp Basic-Tlv Port-Description

    Chapter 25 | LLDP Commands Command Usage ◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. ◆...
  • Page 753: Lldp Basic-Tlv System-Capabilities

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description Console(config-if)# lldp basic-tlv system-capabilities This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-capabilities Default Setting Enabled Command Mode...
  • Page 754: Lldp Basic-Tlv System-Name

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description Console(config-if)# lldp basic-tlv system-name This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-name Default Setting Enabled Command Mode...
  • Page 755: Lldp Dot1-Tlv Proto-Vid

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-vid Default Setting Enabled Command Mode...
  • Page 756: Lldp Dot1-Tlv Vlan-Name

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv vlan-name Default Setting Enabled Command Mode...
  • Page 757: Lldp Dot3-Tlv Mac-Phy

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg Console(config-if)# lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv mac-phy Default Setting Enabled...
  • Page 758: Lldp Dot3-Tlv Poe

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv poe Default Setting Enabled Command Mode...
  • Page 759: Table 156: Lldp Med Location Ca Types

    Chapter 25 | LLDP Commands ca-type – A one-octet descriptor of the data civic address value. (Range: 0-255) ca-value – Description of a location. (Range: 1-32 characters) Default Setting Not advertised No description Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...
  • Page 760: Lldp Med-Notification

    Chapter 25 | LLDP Commands location is not known, 0 and 1 can be used, providing the client device is physically close to the DHCP server or network element. Example The following example enables advertising location identification details. Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-location civic-addr Console(config-if)#lldp med-location civic-addr 1 California Console(config-if)#lldp med-location civic-addr 2 Orange...
  • Page 761: Lldp Med-Tlv Ext-Poe

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-notification Console(config-if)# lldp med-tlv ext-poe This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature. Syntax [no] lldp med-tlv ext-poe Default Setting Enabled...
  • Page 762: Lldp Med-Tlv Location

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp med-tlv inventory Console(config-if)# lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv location Default Setting Enabled Command Mode...
  • Page 763: Lldp Med-Tlv Network-Policy

    Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv med-cap Console(config-if)# lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode...
  • Page 764: Show Lldp Config

    Chapter 25 | LLDP Commands notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command. ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
  • Page 765 Chapter 25 | LLDP Commands LLDP Port Configuration Port Admin Status Notification Enabled -------- ------------ -------------------- Eth 1/1 Tx-Rx True Eth 1/2 Tx-Rx True Eth 1/3 Tx-Rx True Eth 1/4 Tx-Rx True Eth 1/5 Tx-Rx True Console#show lldp config detail ethernet 1/1 LLDP Port Configuration Detail Port : Eth 1/1...
  • Page 766: Show Lldp Info Local-Device

    Chapter 25 | LLDP Commands show lldp info local-device This command shows LLDP global and interface-specific configuration settings for this device. Syntax show lldp info local-device [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 767: Show Lldp Info Remote-Device

    Chapter 25 | LLDP Commands show lldp info remote-device This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. Syntax show lldp info remote-device [detail interface] detail - Shows detailed information. interface ethernet unit/port unit - Unit identifier.
  • Page 768 Chapter 25 | LLDP Commands Port MAU Type : 16 Power via MDI Power Class : PSE Power MDI Supported : Yes Power MDI Enabled : Yes Power Pair Controllable : No Power Pairs : Spare Power Classification : Class 1 Link Aggregation Link Aggregation Capable : Yes Link Aggregation Enable...
  • Page 769: Show Lldp Info Statistics

    Chapter 25 | LLDP Commands show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 770: Show Lldp Info Statistics

    Chapter 25 | LLDP Commands The following example shows information which is displayed for end-node device which advertises LLDP-MED TLVs. LLDP-MED Capability : Device Class : Network Connectivity Supported Capabilities : LLDP-MED Capabilities Network Policy Location Identification Extended Power via MDI - PSE Inventory Current Capabilities : LLDP-MED Capabilities...
  • Page 771 Chapter 25 | LLDP Commands Example Console#show lldp info statistics LLDP Global Statistics Neighbor Entries List Last Updated : 96 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count LLDP Port Statistics Port NumFramesRecvd NumFramesSent NumFramesDiscarded -------- -------------- ------------- ------------------...
  • Page 773: Table 157: Cfm Commands

    CFM Commands Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
  • Page 774 Chapter 26 | CFM Commands (Continued) Table 157: CFM Commands Command Function Mode ma index name-format Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format ethernet cfm mep Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages ethernet cfm port-enable...
  • Page 775 Chapter 26 | CFM Commands (Continued) Table 157: CFM Commands Command Function Mode ethernet cfm mep Enables cross-checking between the list of configured crosscheck remote MEPs within a maintenance association and MEPs learned through continuity check messages show ethernet cfm Displays information about remote maintenance points maintenance-points configured statically in a cross-check list...
  • Page 776: Defining Cfm Structures

    Chapter 26 | CFM Commands Defining CFM Structures Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
  • Page 777: Ethernet Cfm Ais Ma

    Chapter 26 | CFM Commands Defining CFM Structures Example This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions.
  • Page 778: Ethernet Cfm Ais Period

    Chapter 26 | CFM Commands Defining CFM Structures ethernet cfm ais period This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. Syntax ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period –...
  • Page 779: Ethernet Cfm Domain

    Chapter 26 | CFM Commands Defining CFM Structures with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
  • Page 780 Chapter 26 | CFM Commands Defining CFM Structures Default Setting No maintenance domains are configured. No MIPs are created for any MA in the specified domain. Command Mode Global Configuration Command Usage ◆ A domain can only be configured with one name. ◆...
  • Page 781: Ethernet Cfm Enable

    Chapter 26 | CFM Commands Defining CFM Structures which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command. Example This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
  • Page 782: Ma Index Name

    Chapter 26 | CFM Commands Defining CFM Structures ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA.
  • Page 783 Chapter 26 | CFM Commands Defining CFM Structures ◆ Before removing an MA, first remove all the MEPs configured for it (see the crosscheck mpid command). ◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA.
  • Page 784: Ethernet Cfm Mep

    Chapter 26 | CFM Commands Defining CFM Structures ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages.
  • Page 785: Ethernet Cfm Port-Enable

    Chapter 26 | CFM Commands Defining CFM Structures ethernet cfm port-enable This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface. Syntax [no] ethernet cfm port-enable Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...
  • Page 786: Show Ethernet Cfm Configuration

    Chapter 26 | CFM Commands Defining CFM Structures Command Usage This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. Example This example clears AIS defect entries on port 1. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console(config)# show ethernet cfm...
  • Page 787: Table 158: Show Ethernet Cfm Configuration Traps - Display Description

    Chapter 26 | CFM Commands Defining CFM Structures This example shows the configuration status for continuity check and cross-check traps. Console#show ethernet cfm configuration traps CC MEP Up Trap :Disabled CC MEP Down Trap :Disabled CC Configure Trap :Disabled CC Loop Trap :Disabled Cross Check MEP Unknown Trap :Disabled Cross Check MEP Missing Trap :Disabled...
  • Page 788: Show Ethernet Cfm Md

    Chapter 26 | CFM Commands Defining CFM Structures show ethernet cfm md This command displays the configured maintenance domains. Syntax show ethernet cfm md [level level] level – Maintenance level. (Range: 0-7) Default Setting None Command Mode Privileged Exec Example This example shows all configured maintenance domains.
  • Page 789: Show Ethernet Cfm Maintenance-Points Local

    Chapter 26 | CFM Commands Defining CFM Structures show ethernet cfm maintenance-points local This command displays the maintenance points configured on this device. Syntax show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]} mep –...
  • Page 790: Show Ethernet Cfm Maintenance-Points Local Detail Mep

    Chapter 26 | CFM Commands Defining CFM Structures show ethernet cfm maintenance-points local detail mep This command displays detailed CFM information about a local MEP in the continuity check database. Syntax show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id] domain-name –...
  • Page 791: Table 159: Show Ethernet Cfm Maintenance-Points Local Detail Mep - Display

    Chapter 26 | CFM Commands Defining CFM Structures Table 159: show ethernet cfm maintenance-points local detail mep - display Field Description MPID MEP identifier MD Name The maintenance domain for this entry. MA Name Maintenance association to which this remote MEP belongs MA Name Format The format of the Maintenance Association name, including primary VID, character string, unsigned Integer 16, or RFC 2865 VPN ID...
  • Page 792: Table 160: Show Ethernet Cfm Maintenance-Points Remote Detail - Display

    Chapter 26 | CFM Commands Defining CFM Structures Default Setting None Command Mode Privileged Exec Command Usage Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.
  • Page 793: Continuity Check Operations

    Chapter 26 | CFM Commands Continuity Check Operations Table 160: show ethernet cfm maintenance-points remote detail - display Field Description Port State Port states include: Up – The port is functioning normally. Blocked – The port has been blocked by the Spanning Tree Protocol. No port state –...
  • Page 794: Ethernet Cfm Cc Enable

    Chapter 26 | CFM Commands Continuity Check Operations CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA. ◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and whose MEPs are issuing CCMs at a high frequency.
  • Page 795: Snmp-Server Enable Traps Ethernet Cfm Cc

    Chapter 26 | CFM Commands Continuity Check Operations ◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). Example This example enables continuity check messages for the specified maintenance association.
  • Page 796: Mep Archive-Hold-Time

    Chapter 26 | CFM Commands Continuity Check Operations Example This example enables SNMP traps for mep-up events. Console(config)#snmp-server enable traps ethernet cfm cc mep-up Console(config)# Related Commands ethernet cfm mep crosscheck (801) mep archive-hold-time This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged.
  • Page 797: Clear Ethernet Cfm Errors

    Chapter 26 | CFM Commands Continuity Check Operations Default Setting None Command Mode Privileged Exec Command Usage Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
  • Page 798: Table 161: Show Ethernet Cfm Errors - Display Description

    Chapter 26 | CFM Commands Continuity Check Operations show ethernet cfm errors This command displays the CFM continuity check errors logged on this device. Syntax show ethernet cfm errors [domain domain-name | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) level-id –...
  • Page 799: Cross Check Operations

    Chapter 26 | CFM Commands Cross Check Operations Cross Check Operations ethernet cfm mep crosscheck start-delay This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.
  • Page 800: Mep Crosscheck Mpid

    Chapter 26 | CFM Commands Cross Check Operations Default Setting All continuity checks are enabled. Command Mode Global Configuration Command Usage ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
  • Page 801: Ethernet Cfm Mep Crosscheck

    Chapter 26 | CFM Commands Cross Check Operations Command Usage ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆...
  • Page 802: Show Ethernet Cfm Maintenance-Points Remote Crosscheck

    Chapter 26 | CFM Commands Link Trace Operations ◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword. Example This example enables cross-checking within the specified maintenance association. Console#ethernet cfm mep crosscheck enable md voip ma rd Console# show ethernet cfm This command displays information about remote MEPs statically configured in a...
  • Page 803: Ethernet Cfm Linktrace Cache Hold-Time

    Chapter 26 | CFM Commands Link Trace Operations Command Mode Global Configuration Command Usage ◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
  • Page 804: Ethernet Cfm Linktrace Cache Size

    Chapter 26 | CFM Commands Link Trace Operations Example This example sets the aging time for entries in the link trace cache to 60 minutes. Console(config)#ethernet cfm linktrace cache hold-time 60 Console(config)# ethernet cfm linktrace cache size This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
  • Page 805 Chapter 26 | CFM Commands Link Trace Operations source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191) mac-address – MAC address of a remote MEP that is the target of the link trace message.
  • Page 806: Table 162: Show Ethernet Cfm Linktrace-Cache - Display Description

    Chapter 26 | CFM Commands Link Trace Operations clear ethernet cfm linktrace-cache This command clears link trace messages logged on this device. Command Mode Privileged Exec Example Console#clear ethernet cfm linktrace-cache Console# show ethernet cfm linktrace-cache This command displays the contents of the link trace cache. Command Mode Privileged Exec...
  • Page 807: Loopback Operations

    Chapter 26 | CFM Commands Loopback Operations (Continued) Table 162: show ethernet cfm linktrace-cache - display description Field Description Egr. Action Action taken on the egress port: EgrOk – The targeted data frame was forwarded. EgrDown – The Egress Port can be identified, but that bridge port’s MAC_Operational parameter is false.
  • Page 808: Fault Generator Operations

    Chapter 26 | CFM Commands Fault Generator Operations Command Usage ◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed. ◆...
  • Page 809: Mep Fault-Notify Lowest-Priority

    Chapter 26 | CFM Commands Fault Generator Operations more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command. Example This example sets the delay time before generating a fault alarm. Console(config)#ethernet cfm domain index 1 name voip level 3 Console(config-ether-cfm)#mep fault-notify alarm-time 10 Console(config-ether-cfm)#
  • Page 810: Table 163: Remote Mep Priority Levels

    Chapter 26 | CFM Commands Fault Generator Operations ◆ Priority defects include the following items: Table 163: Remote MEP Priority Levels Priority Level Level Name Description allDef All defects. macRemErrXcon DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM. remErrXcon DefErrorCCM, DefXconCCM or DefRemoteCCM. errXcon DefErrorCCM or DefXconCCM.
  • Page 811: Table 165: Show Fault-Notify-Generator - Display Description

    Chapter 26 | CFM Commands Fault Generator Operations Default Setting 10 seconds Command Mode CFM Domain Configuration Example This example sets the reset time after which another fault alarm can be generated. Console(config)#ethernet cfm domain index 1 name voip level 3 Console(config-ether-cfm)#mep fault-notify reset-time 7 Console(config-ether-cfm)# show ethernet cfm...
  • Page 812: Delay Measure Operations

    Chapter 26 | CFM Commands Delay Measure Operations (Continued) Table 165: show fault-notify-generator - display description Field Description Alarm Time The time a defect must exist before a fault alarm is issued (see the mep fault-notify alarm-time command). Reset Time The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).
  • Page 813 Chapter 26 | CFM Commands Delay Measure Operations Command Usage ◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs. ◆ A local MEP must be configured for the same MA before you can use this command.
  • Page 815: Table 166: Oam Commands

    OAM Commands The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
  • Page 816: Efm Oam Critical-Link-Event

    Chapter 27 | OAM Commands efm oam This command enables OAM functions on the specified port. Use the no form to disable this function. Syntax [no] efm oam Default Setting Disabled Command Mode Interface Configuration Command Usage ◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
  • Page 817: Efm Oam Link-Monitor Frame

    Chapter 27 | OAM Commands ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. Note: When system power fails, the switch will always send a dying gasp trap message prior to power down. Example Console(config)#interface ethernet 1/1 Console(config-if)#efm oam critical-link-event dying-gasp...
  • Page 818: Efm Oam Link-Monitor Frame Window

    Chapter 27 | OAM Commands count - The threshold for errored frame link events. (Range: 1-65535) Default Setting Command Mode Interface Configuration Command Usage If this feature is enabled, an event notification message is sent if the threshold is reached or exceeded within the period specified by the efm oam link-monitor frame window command.
  • Page 819: Efm Oam Mode

    Chapter 27 | OAM Commands Console(config)#interface ethernet 1/1 Console(config-if)#efm oam link-monitor frame window 50 Console(config-if)# efm oam mode This command sets the OAM mode on the specified port. Use the no form to restore the default setting. Syntax efm oam mode {active | passive} no efm oam mode active - All OAM functions are enabled.
  • Page 820: Clear Efm Oam Event-Log

    Chapter 27 | OAM Commands Example Console#clear efm oam counters Console# Related Commands show efm oam counters interface (822) clear efm oam event-log This command clears all entries from the OAM event log for the specified port. Syntax clear efm oam event-log [interface-list] unit - Unit identifier.
  • Page 821: Efm Oam Remote-Loopback Test

    Chapter 27 | OAM Commands Command Usage ◆ OAM remote loop back can be used for fault localization and link performance testing. Statistics from both the local and remote DTE can be queried and compared at any time during loop back testing. ◆...
  • Page 822: Show Efm Oam Counters Interface

    Chapter 27 | OAM Commands Command Usage ◆ You can use this command to perform an OAM remote loopback test on the specified port. The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loopback mode. ◆...
  • Page 823: Show Efm Oam Event-Log Interface

    Chapter 27 | OAM Commands show efm oam event-log interface This command displays the OAM event log for the specified port(s) or for all ports that have logs. show efm oam event-log interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports.
  • Page 824: Show Efm Oam Remote-Loopback Interface

    Chapter 27 | OAM Commands Console#show efm oam event-log interface 1/1 <--- When dying gasp happens and the switch gets these packets, it will log this event in OAM event-log. OAM event log of Eth 1/1: 10:27:21 2013/09/13 "Unit 1, Port 1: Connection to remote device is down at Local" 10:27:20 2013/09/13 "Unit 1, Port 1: Dying Gasp occurred at Remote"...
  • Page 825: Show Efm Oam Status Remote Interface

    Chapter 27 | OAM Commands port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports. (Range: 1-28/52) brief - Displays a brief list of OAM configuration states. Command Mode Normal Exec, Privileged Exec Example...
  • Page 826 Chapter 27 | OAM Commands ---- ----------------- ------ -------- -------------- ------- ------------ 00-12-CF-6A-07-F6 000084 Enabled Disabled Enabled Disabled Console# – 826 –...
  • Page 827: Table 167: Address Table Commands

    Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
  • Page 828: Ip Domain-List

    Chapter 28 | Domain Name Service Commands ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list. Syntax [no] ip domain-list name name - Name of the host.
  • Page 829: Ip Domain-Lookup

    Chapter 28 | Domain Name Service Commands ip domain-lookup This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting Disabled Command Mode Global Configuration Command Usage ◆ At least one name server must be specified before DNS can be enabled. ◆...
  • Page 830: Ip Domain-Name

    Chapter 28 | Domain Name Service Commands ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 831: Ip Name-Server

    Chapter 28 | Domain Name Service Commands Command Usage Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries. Example This example maps an IPv4 address to a host name. Console(config)#ip host rd5 192.168.1.55 Console(config)#end Console#show hosts Flag Type...
  • Page 832: Ipv6 Host

    Chapter 28 | Domain Name Service Commands sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (830) ip domain-lookup (829) ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address.
  • Page 833: Clear Dns Cache

    Chapter 28 | Domain Name Service Commands clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache Flag Type IP Address Host ------- ------- ------- --------------- ------- -------- Console# clear host This command deletes dynamic entries from the DNS table.
  • Page 834: Table 168: Show Dns Cache - Display Description

    Chapter 28 | Domain Name Service Commands Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example...
  • Page 835: Table 169: Show Hosts - Display Description

    Chapter 28 | Domain Name Service Commands Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry. Console#show hosts Flag Type IP Address Host ---- ---- ------- -------------------- ----- ---------------------------- 2 Address 192.168.1.55 2 Address 2001:DB8:1::12...
  • Page 836 Chapter 28 | Domain Name Service Commands – 836 –...
  • Page 837: Table 170: Dhcp Commands

    DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
  • Page 838: Table 172: Options 60, 66 And 67 Statements

    Chapter 29 | DHCP Commands DHCP Client hex - A hexadecimal value. (Range: 1-64 characters) Default Setting Class identifier option enabled, with the name of the switch. Command Mode Interface Configuration (VLAN) Command Usage ◆ Use this command without any keyword to restore the default setting. ◆...
  • Page 839: Ip Dhcp Restart Client

    Chapter 29 | DHCP Commands DHCP Client ◆ Note that the vendor class identifier can be formatted in either text or hexadecimal using the ip dhcp client class-id command, but the format used by both the client and server must be the same. Example Console(config)#interface vlan 2 Console(config-if)#ip dhcp client class-id hex 0000e8666572...
  • Page 840: Dhcp For Ipv6

    Chapter 29 | DHCP Commands DHCP Client DHCP for IPv6 ipv6 dhcp client This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no rapid-commit vlan form to disable this option. Syntax [no] ipv6 dhcp client rapid-commit vlan vlan-list vlan-list - VLAN ID, specified as a single number, a range of consecutive...
  • Page 841: Table 174: Dhcp Relay Option 82 Commands

    Chapter 29 | DHCP Commands DHCP Relay Option 82 DHCP Relay Option 82 This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server. Table 174: DHCP Relay Option 82 Commands Command Function Mode...
  • Page 842: Ip Dhcp Relay Server

    Chapter 29 | DHCP Commands DHCP Relay Option 82 ip dhcp relay server This command specifies the DHCP server or relay server addresses to use. Use the no form to clear all addresses. Syntax ip dhcp relay server address1 [address2 [address3 ...]] no ip dhcp relay server address - IP address of DHCP server.
  • Page 843: Ip Dhcp Relay Information Option

    Chapter 29 | DHCP Commands DHCP Relay Option 82 ip dhcp relay information option This command enables DHCP Option 82 information relay, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
  • Page 844 Chapter 29 | DHCP Commands DHCP Relay Option 82 ◆ DHCP request packets received by the switch are handled as follows: ■ If a DHCP relay server has been set on the switch, when the switch receives a DHCP request packet without option 82 information from the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server.
  • Page 845 Chapter 29 | DHCP Commands DHCP Relay Option 82 ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch). ■ A DHCP relay server has been set on the switch, when the switch receives a...
  • Page 846: Ip Dhcp Relay Information Policy

    Chapter 29 | DHCP Commands DHCP Relay Option 82 ip dhcp relay information policy This command specifies how to handle client requests which already contain DHCP Option 82 information. Syntax ip dhcp relay information policy {drop | keep | replace} drop - Floods the original request packet onto the VLAN that received it instead of relaying it.
  • Page 847: Related Commands

    Chapter 29 | DHCP Commands DHCP Relay Option 82 Example Console#show ip dhcp relay L2 relay: enabled. Status of DHCP relay information: Insertion of relay information: disabled. DHCP option policy: drop. DHCP relay-server address: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 DHCP sub-option format: extra subtype included DHCP relay is configured on the following VLANs: 1-4094 Interface...
  • Page 848 Chapter 29 | DHCP Commands DHCP Relay Option 82 – 848 –...
  • Page 849: Table 175: Ip Interface Commands

    IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 850: Table 177: Basic Ip Configuration Commands

    Chapter 30 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch. Table 177: Basic IP Configuration Commands Command Function Mode ip address Sets the IP address for the current interface ip default-gateway Defines the default gateway through which this switch can reach other subnetworks...
  • Page 851 Chapter 30 | IP Interface Commands IPv4 Interface Command Usage ◆ If this router is directly connected to end node devices (or connected to end nodes via shared media) that will be assigned to a specific subnet, then you must create a router interface for each VLAN that will support routing. The router interface consists of an IP address and subnet mask.
  • Page 852: Ip Default-Gateway

    Chapter 30 | IP Interface Commands IPv4 Interface Example In the following example, the device is assigned an address in VLAN 1. Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)# This example assigns an IP address to VLAN 2 using a classless network mask. Console(config)#interface vlan 2 Console(config-if)#ip address 10.2.2.1/24 Console(config-if)#...
  • Page 853: Show Ip Interface

    Chapter 30 | IP Interface Commands IPv4 Interface after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console#show ip route Codes: C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2...
  • Page 854: Show Ip Traffic

    Chapter 30 | IP Interface Commands IPv4 Interface show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols. Command Mode Privileged Exec Example Console#show ip traffic IP Statistics: IP received 4877 total received header errors unknown protocols address errors discards...
  • Page 855: Traceroute

    Chapter 30 | IP Interface Commands IPv4 Interface input errors 5867 output Console# traceroute This command shows the route packets take to the specified destination. Syntax traceroute host host - IP address or alias of the host. Default Setting None Command Mode Privileged Exec Command Usage...
  • Page 856: Ping

    Chapter 30 | IP Interface Commands IPv4 Interface Traceroute to 192.168.1.99, 30 hops max, timeout is 3 seconds Hop Packet 1 Packet 2 Packet 3 IP Address --- -------- -------- -------- --------------- 20 ms <10 ms <10 ms 192.168.1.99 Trace completed. Console# ping This command sends (IPv4) ICMP echo request packets to another node on the...
  • Page 857: Table 178: Address Resolution Protocol Commands

    Chapter 30 | IP Interface Commands IPv4 Interface Example Console#ping 10.1.0.9 Press ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.9:...
  • Page 858: Ip Proxy-Arp

    Chapter 30 | IP Interface Commands IPv4 Interface Command Usage ◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router. ◆...
  • Page 859: Arp Timeout

    Chapter 30 | IP Interface Commands IPv4 Interface Example Console(config)#interface vlan 3 Console(config-if)#ip proxy-arp Console(config-if)# arp timeout This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout. Syntax arp timeout seconds no arp timeout...
  • Page 860: Clear Arp-Cache

    Chapter 30 | IP Interface Commands IPv4 Interface clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache.
  • Page 861: Table 179: Ipv6 Configuration Commands

    Chapter 30 | IP Interface Commands IPv6 Interface IPv6 Interface This switch supports the following IPv6 interface commands. Table 179: IPv6 Configuration Commands Command Function Mode Interface Address Configuration and Utilities ipv6 default-gateway Sets an IPv6 default gateway for traffic ipv6 address Configures an IPv6 global unicast address, and enables IPv6 on an interface...
  • Page 862: Interface Address Configuration And Utilities

    Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 179: IPv6 Configuration Commands Command Function Mode show ipv6 nd raguard Displays the configuration setting for RA Guard show ipv6 neighbors Displays information in the IPv6 neighbor discovery cache PE Interface Address Configuration and Utilities ipv6 default-gateway This command sets an IPv6 default gateway to use for destinations with no known...
  • Page 863: Ipv6 Address

    Chapter 30 | IP Interface Commands IPv6 Interface Related Commands ip route (898) show ip route (899) ip default-gateway (852) show ipv6 default-gateway (871) ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
  • Page 864: Ipv6 Address Autoconfig

    Chapter 30 | IP Interface Commands IPv6 Interface Example This example specifies a full IPv6 address and prefix length. Console(config)#interface vlan 1 Console(config-if)#ipv6 address 2001:DB8:2222:7272::72/96 Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is stale. Link-local address: fe80::2e0:cff:fe02:fd%1/64 Global unicast address(es): 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff00:72...
  • Page 865: Ipv6 Address Eui-64

    Chapter 30 | IP Interface Commands IPv6 Interface (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format. ◆ If a duplicate address is detected, a warning message is sent to the console. ◆...
  • Page 866 Chapter 30 | IP Interface Commands IPv6 Interface ipv6-prefix - The IPv6 network portion of the address assigned to the interface. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
  • Page 867: Ipv6 Address Link-Local

    Chapter 30 | IP Interface Commands IPv6 Interface Example This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address. Console(config)#interface vlan 1 Console(config-if)#ipv6 address 2001:0DB8:0:1::/64 eui-64 Console(config-if)#end Console#show ipv6 interface VLAN 1 is up...
  • Page 868 Chapter 30 | IP Interface Commands IPv6 Interface Command Usage ◆ The specified address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 869: Ipv6 Enable

    Chapter 30 | IP Interface Commands IPv6 Interface ipv6 enable This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address. Use the no form to disable IPv6 on an interface that has not been configured with an explicit IPv6 address.
  • Page 870: Ipv6 Mtu

    Chapter 30 | IP Interface Commands IPv6 Interface ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console# Related Commands ipv6 address link-local (867) show ipv6 interface (871) ipv6 mtu This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface.
  • Page 871: Show Ipv6 Default-Gateway

    Chapter 30 | IP Interface Commands IPv6 Interface Related Commands show ipv6 mtu (873) jumbo frame (118) show ipv6 default-gateway This command displays the current IPv6 default gateway. Command Mode Normal Exec, Privileged Exec Example The following shows the default gateway configured for this device: Console#show ipv6 default-gateway IPv6 default gateway 2001:DB8:2222:7272::254 Console#...
  • Page 872: Table 180: Show Ipv6 Interface - Display Description

    Chapter 30 | IP Interface Commands IPv6 Interface Global unicast address(es): 2001:db8:0:1:2e0:cff:fe02:fd/64, subnet is 2001:db8:0:1::/64[EUI] 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::2 ff02::1:ff19:6779 ff02::1:ff00:0 ff02::1:ff00:72 ff02::1:ff02:fd ff02::1:2 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds...
  • Page 873: Table 181: Show Ipv6 Mtu - Display Description

    Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 180: show ipv6 interface - display description Field Description ND advertised The retransmit interval is included in all router advertisements sent out of an retransmit interface so that nodes on the same link use the same time value. interval ND reachable The amount of time a remote IPv6 node is considered reachable after a...
  • Page 874: Show Ipv6 Traffic

    Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 181: show ipv6 mtu - display description Field Description Since Time since an ICMP packet-too-big message was received from this destination. Destination Address which sent an ICMP packet-too-big message. Address No information is displayed if an IPv6 address has not been assigned to the switch.
  • Page 875: Table 182: Show Ipv6 Traffic - Display Description

    Chapter 30 | IP Interface Commands IPv6 Interface group membership response messages group membership reduction messages ICMPv6 sent 4 output destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 3 router solicit messages router advertisement messages 1 neighbor solicit messages neighbor advertisement messages...
  • Page 876 Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 182: show ipv6 traffic - display description Field Description delivers The total number of datagrams successfully delivered to IPv6 user- protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams.
  • Page 877 Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 182: show ipv6 traffic - display description Field Description destination unreachable The number of ICMP Destination Unreachable messages received by messages the interface. packet too big messages The number of ICMP Packet Too Big messages received by the interface. time exceeded messages The number of ICMP Time Exceeded messages received by the interface.
  • Page 878: Clear Ipv6 Traffic

    Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 182: show ipv6 traffic - display description Field Description redirect messages The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects. group membership query The number of ICMPv6 Group Membership Query messages sent by messages...
  • Page 879 Chapter 30 | IP Interface Commands IPv6 Interface host-name - A host name string which can be resolved into an IPv6 address through a domain name server. count - Number of packets to send. (Range: 1-16) size - Number of bytes in a packet. (Range: 0-1500 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
  • Page 880: Traceroute6

    Chapter 30 | IP Interface Commands IPv6 Interface traceroute6 This command shows the route packets take to the specified destination. Syntax traceroute6 {ipv6-address | host-name} [max-failures max-failures] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,”...
  • Page 881: Neighbor Discovery

    Chapter 30 | IP Interface Commands IPv6 Interface Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination. Hop Packet 1 Packet 2 Packet 3 IPv6 Address --- -------- -------- -------- -------------------------------------------- <10 ms <10 ms <10 ms FE80::2E0:CFF:FE9C:CA10%1/64 Trace completed.
  • Page 882 Chapter 30 | IP Interface Commands IPv6 Interface processes are disabled on the interface. If a duplicate global unicast address is detected, it is not used. All configuration commands associated with a duplicate address remain configured while the address is in “duplicate” state. ◆...
  • Page 883: Ipv6 Nd Ns-Interval

    Chapter 30 | IP Interface Commands IPv6 Interface ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value. Syntax ipv6 nd ns-interval milliseconds no ipv6 nd ns-interval milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
  • Page 884: Ipv6 Nd Raguard

    Chapter 30 | IP Interface Commands IPv6 Interface ND DAD is enabled, number of DAD attempts: 5. ND retransmit interval is 30000 milliseconds ND advertised retransmit interval is 30000 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console# Related Commands...
  • Page 885: Ipv6 Nd Reachable-Time

    Chapter 30 | IP Interface Commands IPv6 Interface ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time...
  • Page 886: Clear Ipv6 Neighbors

    Chapter 30 | IP Interface Commands IPv6 Interface clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example The following deletes all dynamic entries in the IPv6 neighbor cache: Console#clear ipv6 neighbors Console# show ipv6 nd raguard This command displays the configuration setting for RA Guard.
  • Page 887: Table 183: Show Ipv6 Neighbors - Display Description

    Chapter 30 | IP Interface Commands IPv6 Interface Default Setting All IPv6 neighbor discovery cache entries are displayed. Command Mode Privileged Exec Example The following shows all known IPv6 neighbors for this switch: Console#show ipv6 neighbors State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown IPv6 Address Link-layer Addr...
  • Page 888: Table 184: Nd Snooping Commands

    Chapter 30 | IP Interface Commands ND Snooping Related Commands show mac-address-table (491) ND Snooping Neighbor Discovery (ND) Snooping maintains an IPv6 prefix table and user address binding table. These tables can be used for stateless address auto-configuration or for address filtering by IPv6 Source Guard. ND snooping maintains a binding table in the process of neighbor discovery.
  • Page 889: Ipv6 Nd Snooping

    Chapter 30 | IP Interface Commands ND Snooping (Continued) Table 184: ND Snooping Commands Command Function Mode show ipv6 nd snooping Shows configuration settings for ND snooping show ipv6 nd snooping Shows entries in the binding table binding show ipv6 nd snooping prefix Show entries in the prefix table ipv6 nd snooping This command enables ND snooping globally or on a specified VLAN or range of...
  • Page 890: Ipv6 Nd Snooping Auto-Detect

    Chapter 30 | IP Interface Commands ND Snooping ■ If an NS message is received on an untrusted interface, and the address prefix does not match any entry in the prefix table, it drops the packet. ■ If the message does match an entry in the prefix table, it adds an entry to...
  • Page 891: Ipv6 Nd Snooping Auto-Detect Retransmit Count

    Chapter 30 | IP Interface Commands ND Snooping Example Console(config)#ipv6 nd snooping auto-detect Console(config)# ipv6 nd snooping This command sets the number of times the auto-detection process sends an NS auto-detect message to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
  • Page 892: Ipv6 Nd Snooping Prefix Timeout

    Chapter 30 | IP Interface Commands ND Snooping Command Mode Global Configuration Command Usage The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count (see the ipv6 nd snooping auto-detect retransmit count command) x the retransmit interval.
  • Page 893: Ipv6 Nd Snooping Max-Binding

    Chapter 30 | IP Interface Commands ND Snooping ipv6 nd snooping max-binding This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.
  • Page 894: Clear Ipv6 Nd Snooping Binding

    Chapter 30 | IP Interface Commands ND Snooping Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 nd snooping trust Console(config-if)# clear ipv6 nd snooping binding This command clears all entries in the dynamic user address binding table. Syntax clear ipv6 nd snooping binding Command Mode Privileged Exec Example...
  • Page 895: Show Ipv6 Nd Snooping

    Chapter 30 | IP Interface Commands ND Snooping show ipv6 nd snooping This command shows the configuration settings for ND snooping. Syntax show ipv6 nd snooping Command Mode Privileged Exec Example Console#show ipv6 nd snooping Global ND Snooping status: enabled ND Snooping auto-detection: disabled ND Snooping auto-detection retransmit count: 3 ND Snooping auto-detection retransmit interval: 1 (second)
  • Page 896: Show Ipv6 Nd Snooping Prefix

    Chapter 30 | IP Interface Commands ND Snooping show ipv6 nd snooping prefix This command shows all entries in the address prefix table. Syntax show ipv6 nd snooping prefix [interface vlan vlan_id] vlan-id - VLAN ID. (Range: 1-4094) Command Mode Privileged Exec Example Console#show ipv6 nd snooping prefix...
  • Page 897: Table 203: Ip Routing Commands

    IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks. However, to forward traffic to devices on other subnetworks, either configure fixed paths with static routing commands, or enable a dynamic routing protocol that exchanges information with other routers on the network to automatically...
  • Page 898: Ipv4 Commands

    Chapter 30 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask [next-hop] | *} destination-ip –...
  • Page 899: Show Ip Route

    Chapter 30 | IP Routing Commands Global Routing Configuration show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database –...
  • Page 900: Show Ip Route Database

    Chapter 30 | IP Routing Commands Global Routing Configuration show ip route database This command displays entries in the Routing Information Base (RIB). Command Mode Privileged Exec Command Usage The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes.
  • Page 901: Section Iii Appendices

    Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 903 ◆ “License Information” on page 905 – 901 –...
  • Page 902 Section III | Appendices – 902 –...
  • Page 903: Table 205: Troubleshooting Chart

    Troubleshooting Problems Accessing the Management Interface Table 205: Troubleshooting Chart Symptom: Cannot connect using Telnet, or SNMP software Action: ◆ Be sure the switch is powered up. ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable.
  • Page 904: Using System Logs

    Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 905: B License Information

    License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 906 Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 907 Appendix B | License Information The GNU General Public License Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
  • Page 908 Appendix B | License Information The GNU General Public License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 909: Glossary

    Glossary Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 910 Glossary Domain Name Service. A system used for translating host names for network nodes into IP addresses. DSCP Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
  • Page 911 Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
  • Page 912 Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. In-Band Management Management of the network from a station attached directly to the network. IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
  • Page 913 Glossary MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group.
  • Page 914 Glossary QoS Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow.
  • Page 915 Glossary TCP/IP Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Telnet Defines a remote communication facility for interfacing to a terminal device over TCP/IP. TFTP Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads. User Datagram Protocol.
  • Page 917: Cli Commands

    CLI Commands aaa accounting dot1x 232 calendar set 166 aaa accounting exec 233 capabilities 388 aaa accounting update 234 channel-group 428 aaa authorization exec 235 class 626 aaa group server 236 class-map 622 absolute 169 clear access-list hardware counters 381 access-list arp 378 clear arp-cache 860 access-list ip 362...
  • Page 918 CLI Commands cluster member 174 ethernet cfm ais level 776 configure 91 ethernet cfm ais ma 777 control-vlan 526 ethernet cfm ais period 778 copy 122 ethernet cfm ais suppress alarm 778 ethernet cfm cc enable 794 ethernet cfm cc ma interval 793 ethernet cfm delay-measure two-way 812 databits 134 ethernet cfm domain 779...
  • Page 919 CLI Commands ip dhcp relay information option 843 ip multicast-data-drop 671 ip dhcp relay information policy 846 ip name-server 831 ip dhcp relay server 842 ip proxy-arp 858 ip dhcp restart client 839 ip route 898 ip dhcp snooping 306 ip source-guard 333 ip dhcp snooping max-number 317 ip source-guard binding 331...
  • Page 920 CLI Commands ipv6 mtu 870 lldp notification 763 ipv6 multicast-data-drop 695 lldp notification-interval 748 ipv6 nd dad attempts 881 lldp refresh-interval 749 ipv6 nd ns-interval 883 lldp reinit-delay 750 ipv6 nd raguard 884 lldp tx-delay 750 ipv6 nd reachable-time 885 logging facility 144 ipv6 nd snooping 889 logging history 145...
  • Page 921 CLI Commands mvr priority 703 periodic 170 mvr profile 701 permit, deny 666 mvr proxy-query-interval 702 permit, deny 691 mvr proxy-switching 703 permit, deny (ARP ACL) 379 mvr robustness-value 705 permit, deny (Extended IPv4 ACL) 364 mvr source-port-mode dynamic 705 permit, deny (Extended IPv6 ACL) 370 mvr type 709 permit, deny (MAC ACL) 374...
  • Page 922 CLI Commands show cluster members 176 show discard 399 radius-server acct-port 224 show dns 833 radius-server auth-port 225 show dns cache 834 radius-server host 225 show dos-protection 354 radius-server key 226 show dot1q-tunnel 579 radius-server retransmit 227 show dot1x 265 radius-server timeout 227 show efm oam counters interface 822 range 667...
  • Page 923 CLI Commands show ip igmp snooping statistics 660 show mac-address-table 491 show ip igmp throttle interface 674 show mac-address-table aging-time 492 show ip interface 853 show mac-address-table count 493 show ip multicast-data-drop 675 show mac-vlan 593 show ip route 899 show management 269 show ip route database 900 show map default-drop-precedence 615...
  • Page 924 CLI Commands show rmon history 209 snmp-server enable port-traps atc multicast-control-apply show rmon statistics 209 show rspan 455 snmp-server enable port-traps atc multicast-control- show running-config 110 release 473 show sflow 215 snmp-server enable port-traps mac-notification 186 show snmp 181 snmp-server enable traps 182 show snmp engine-id 192 snmp-server engine-id 187 show snmp group 192...
  • Page 925 CLI Commands switchport dot1q-tunnel tpid 578 username 219 switchport forbidden vlan 558 switchport gvrp 558 switchport ingress-filtering 567 version 543 switchport l2protocol-tunnel 582 vlan 563 switchport mode 568 vlan database 562 switchport mtu 397 vlan-trunking 569 switchport native vlan 569 voice vlan 594 switchport packet-rate 459 voice vlan aging 595...
  • Page 927: Index

    Index Numerics aging time 489 aging time, displaying 492 802.1Q tunnel 572 aging time, setting 489 access 574 administrative users, displaying 115 configuration, guidelines 572 configuration, limitations 573 ACL 345 CVID to SVID map 575 configuration 857 ethernet type 578 proxy 858 –...
  • Page 928 Index selecting protocol based on message format 520 continuity check messages, CFM 533 shut down port on receipt 508 CoS 614 bridge extension capabilities, displaying 559 configuring 601 broadcast packets, blocking 396 default mapping to internal values 608 broadcast storm, threshold 459 enabling 614 layer 3/4 priorities 606 priorities, mapping to internal values 608...
  • Page 929 Index remote ID 311 static entries, IPv4 830 sub-length field 309 static entries, IPv6 832 sub-option format 309 Domain Name Service See DNS sub-type and sub-length, disabling 309 domain service access point, CFM 780 subtype field 309 downloading software 122 DHCPv6 snooping 321 automatically 128 enabling 321...
  • Page 930 Index RPL owner 542 IEEE 802.1w 499 secondary ring 529 IEEE 802.1X 255 status, displaying 549 IGMP version 543 filter profiles, binding to interface 669 wait-to-restore timer 544 filter profiles, configuration 666 – WTR timer 544 filter, parameters 665 Ethernet Ring Protection Switching See ERPS filtering &...
  • Page 931 Index ingress filtering 567 host 246 IP address host, generating 252 BOOTP/DHCP 839 setting 849 IP filter, for management access 268 LACP IP Port to PHB/drop precedence 612 admin key 430 IP Precedence 614 configuration 425 enabling 614 group attributes, configuring 433 IP precedence to PHB/drop precedence 613 –...
  • Page 932 Index TLV, network policy 763 MLD snooping 676 TLV, PoE 761 configuring 676 local engine ID 187 enabling 677 logging immediate leave 683 messages, displaying 148 immediate leave, status 683 syslog traps 147 multicast static router port 683 to syslog servers 146 querier 677 logon authentication 217 querier, enabling 677...
  • Page 933 Index setting multicast domain 700 specifying servers 160 setting multicast groups 699 setting multicast priority 701 source port mode 705 specifying a domain 700 active mode 819 specifying a VLAN 699 – displaying settings and status 822 specifying priority 701 enabling on switch ports 816 static binding 701 –...
  • Page 934 Index capabilities 388 PHB to drop precedence, for untagged packets 609 configuring 385 PHB to queue 607 discard CDP/PVST 390 PHB/drop precedence to CoS/CFI 610 duplex mode 395 selecting CoS, DSCP, IP Precedence 614 flow control 391 QoS policy forced selection of media type 392 committed burst size 627 forced selection on combo ports 392 excess burst size 629...
  • Page 935 Index server, configuring 249 timeout 250 secure shell 246 STA 495 configuration 246 BPDU filter 507 security, general measures 279 BPDU flooding 516 serial port, configuring 133 BPDU shutdown 508 service instance, CFM 782 detecting loopbacks 511 sFlow edge port 510 destination for traffic 212 forward delay 497 destination, IPv6 212...
  • Page 936 Index – setting with SNTP 155 unregistered data flooding, IGMP snooping 647 – summer time 162 upgrading software 122 system logs 146 user account 218 system software, downloading from server 122 user password 218 TACACS+ VLAN trunking 569 – logon authentication 228 VLANs 555 settings 228 802.1Q tunnel mode 574...
  • Page 938 E092017-CS-R02...

This manual is also suitable for:

ECS4120-28F-I, ECS4120-28T, ECS4120-28P, ECS4120-52T
