SignaMax SC30010 Cli Reference Manual

C-300 series gigabit managed switch

C-300 Series Gigabit Managed Switch
CLI Reference Guide
Software Release V1.1.10.171
www.signamax.com

Summary of Contents for SignaMax SC30010

  • Page 1 C-300 Series Gigabit Managed Switch CLI Reference Guide Software Release 1.1.10.171 www.signamax.com...
  • Page 2 CLI Reference Guide SC30010 C-300 48 Port Gigabit Managed Switch E122017-KS-R01...
  • Page 3: How To Use This Guide

    How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
  • Page 4 How to Use This Guide Quick Start Guide Safety and Regulatory Information Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
  • Page 5: Table Of Contents

    Contents How to Use This Guide Contents Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Logging Onto the Command Line Interface Setting Passwords Remote Connections Configuring the Switch for Remote Management Using the Network Interface Setting an IP Address Enabling SNMP Management Access...
  • Page 6 Contents Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands Configuration Commands...
  • Page 7 Contents Device Designation hostname System Status show access-list tcam-utilization show license file show memory show process cpu show process cpu guard show process cpu task show running-config show startup-config show system show tech-support show users show version show watchdog watchdog software Fan Control fan-speed force-full Frame Size...
  • Page 8 Contents ip tftp timeout show ip tftp Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect terminal show line Event Logging logging command logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts...
  • Page 9 Contents SNTP Commands sntp client sntp poll sntp server show sntp NTP Commands ntp authenticate ntp authentication-key ntp client ntp server show ntp Manual Configuration Commands clock summer-time (date) clock summer-time (predefined) clock summer-time (recurring) clock timezone calendar set show calendar Time Range time-range absolute...
  • Page 10 Contents General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host snmp-server enable port-traps link-up-down snmp-server enable port-traps mac-notification show snmp-server enable port-traps SNMPv3 Commands snmp-server engine-id snmp-server group snmp-server user snmp-server view show snmp engine-id...
  • Page 11 Contents rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 7 Flow Sampling Commands sflow owner sflow polling instance sflow sampling instance show sflow 8 Authentication Commands User Accounts and Privilege Levels enable password username privilege show privilege...
  • Page 12 Contents aaa accounting commands aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization commands aaa authorization exec aaa group server server accounting dot1x accounting commands accounting exec authorization commands authorization exec show accounting show authorization Web Server ip http authentication ip http port ip http server ip http secure-port...
  • Page 13 Contents ip ssh crypto zeroize ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication General Commands dot1x default dot1x system-auth-control Authenticator Commands dot1x intrusion-action dot1x max-reauth-req dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period...
  • Page 14 Contents Network Access (MAC Address Authentication) network-access aging network-access mac-filter mac-authentication reauth-time network-access dynamic-qos network-access dynamic-vlan network-access guest-vlan network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout...
  • Page 15 Contents ip dhcp snooping vlan ip dhcp snooping information option circuit-id ip dhcp snooping trust ip dhcp snooping max-number ip dhcp snooping trust clear ip dhcp snooping binding clear ip dhcp snooping database flash ip dhcp snooping database flash show ip dhcp snooping show ip dhcp snooping binding IPv4 Source Guard ip source-guard binding...
  • Page 16 Contents dos-protection tcp-null-scan dos-protection tcp-syn-fin-scan dos-protection tcp-xmas-scan dos-protection udp-flooding dos-protection win-nuke show dos-protection Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 10 Access Control Lists IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list...
  • Page 17 Contents access-list arp permit, deny (ARP ACL) show access-list arp ACL Information clear access-list hardware counters show access-group show access-list 11 Interface Commands Interface Configuration interface capabilities description flowcontrol history media-type negotiation shutdown speed-duplex clear counters show interfaces brief show interfaces counters show interfaces history show interfaces status show interfaces switchport...
  • Page 18 Contents Cable Diagnostics test cable-diagnostics show cable-diagnostics Power Savings power-save show power-save 12 Link Aggregation Commands Manual Configuration Commands port channel load-balance channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) lacp timeout Trunk Status Display Commands show lacp show port-channel load-balance...
  • Page 19 Contents Storm Control Commands switchport packet-rate 15 Loopback Detection Commands loopback-detection loopback-detection action loopback-detection recover-time loopback-detection transmit-interval loopback detection trap loopback-detection release show loopback-detection 16 Address Table Commands mac-address-table aging-time mac-address-table static clear collision-mac-address-table clear mac-address-table dynamic show collision-mac-address-table show mac-address-table show mac-address-table aging-time show mac-address-table count 17 Spanning Tree Commands...
  • Page 20 Contents mst priority mst vlan name revision spanning-tree bpdu-filter spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection spanning-tree loopback-detection action spanning-tree loopback-detection release-mode spanning-tree loopback-detection trap spanning-tree mst cost spanning-tree mst port-priority spanning-tree port-bpdu-flooding spanning-tree port-priority spanning-tree root-guard spanning-tree spanning-disabled spanning-tree tc-prop-stop spanning-tree loopback-detection release...
  • Page 21 Contents switchport mode switchport native vlan Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode switchport dot1q-tunnel priority map switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid show dot1q-tunnel Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group...
  • Page 22 Contents show queue weight Priority Commands (Layer 3 and 4) qos map cos-queue qos map dscp-queue qos map trust-mode show qos map cos-queue show qos map dscp-queue show qos map trust-mode 20 Quality of Service Commands class-map description match rename policy-map class police rate...
  • Page 23 Contents ip igmp snooping version-exclusive ip igmp snooping vlan general-query-suppression ip igmp snooping vlan immediate-leave ip igmp snooping vlan last-memb-query-count ip igmp snooping vlan last-memb-query-intvl ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static clear ip igmp snooping groups dynamic...
  • Page 24 Contents ipv6 mld snooping proxy-reporting ipv6 mld snooping querier ipv6 mld snooping query-interval ipv6 mld snooping query-max-response-time ipv6 mld snooping robustness ipv6 mld snooping router-port-expire-time ipv6 mld snooping unknown-multicast mode ipv6 mld snooping unsolicited-report-interval ipv6 mld snooping version ipv6 mld snooping vlan immediate-leave ipv6 mld snooping vlan mrouter ipv6 mld snooping vlan static clear ipv6 mld snooping groups dynamic...
  • Page 25 Contents lldp holdtime-multiplier lldp med-fast-start-count lldp notification-interval lldp refresh-interval lldp reinit-delay lldp tx-delay lldp admin-status lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident lldp dot1-tlv proto-vid lldp dot1-tlv pvid lldp dot1-tlv vlan-name lldp dot3-tlv link-agg lldp dot3-tlv mac-phy lldp dot3-tlv max-frame...
  • Page 26 Contents ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache show hosts Multicast DNS Commands ip mdns show ip mdns 24 DHCP Commands DHCP Client DHCP for IPv4 ip dhcp dynamic-provision ip dhcp client class-id ip dhcp restart client show ip dhcp dynamic-provision...
  • Page 27 Contents show ip traffic traceroute ping ARP Configuration ip proxy-arp clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address autoconfig ipv6 address eui-64 ipv6 address link-local ipv6 enable ipv6 mtu show ipv6 default-gateway show ipv6 interface show ipv6 mtu show ipv6 traffic...
  • Page 28 Contents show ip route Section Appendices A Troubleshooting Problems Accessing the Management Interface Using System Logs B License Information The GNU General Public License Glossary Commands Index – 28 –...
  • Page 29: Tables

    Tables Table 1: Options 60, 66 and 67 Statements Table 2: Options 55 and 124 Statements Table 1: General Command Modes Table 2: Configuration Command Modes Table 3: Keystroke Commands Table 4: Command Group Index Table 5: General Commands Table 6: System Management Commands Table 7: Device Designation Commands Table 8: System Status Commands Table 9: show access-list tcam-utilization - display description...
  • Page 30 Contents Table 28: show snmp engine-id - display description Table 29: show snmp group - display description Table 30: show snmp user - display description Table 31: show snmp view - display description Table 32: RMON Commands Table 33: sFlow Commands Table 34: Authentication Commands Table 35: User Access Commands Table 36: Default Login Settings...
  • Page 31 Contents Table 63: IPv4 ACL Commands Table 64: IPv6 ACL Commands Table 65: MAC ACL Commands Table 66: ARP ACL Commands Table 67: ACL Information Commands Table 68: Interface Commands Table 69: show interfaces counters - display description Table 70: show interfaces switchport - display description Table 71: Link Aggregation Commands Table 72: show lacp counters - display description Table 73: show lacp internal - display description...
  • Page 32 Contents Table 98: Default Mapping of CoS/CFI Values to Queue/CFI Table 99: Default Mapping of DSCP/CFI Values to Queue Table 100: Quality of Service Commands Table 101: Multicast Filtering Commands Table 102: IGMP Snooping Commands Table 103: show ip igmp snooping statistics input - display description Table 104: show ip igmp snooping statistics output - display description Table 105: show ip igmp snooping statistics vlan query - display description Table 106: Static Multicast Interface Commands...
  • Page 33 Contents Table 160: IP Routing Commands Table 161: Global Routing Configuration Commands Table 162: Troubleshooting Chart – 33 –...
  • Page 34: Sectioni

    Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP. This section includes these chapters: ◆ "Initial Switch Configuration" on page 35 – 34 –...
  • Page 35: Initial Switch Configuration

    Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch This switch series includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
  • Page 36: Connecting To The Console Port

    Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration...
  • Page 37: Logging Onto The Command Line Interface

    Chapter 1 | Initial Switch Configuration Connecting to the Switch ■ When using HyperTerminal, select Terminal keys, not Windows keys. Power on the switch. After the system completes the boot cycle, the logon screen appears. Logging Onto the Command Line Interface The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
  • Page 38: Remote Connections

    Console(config)#username guest password 0 [password] Console(config)#username admin password 0 [password] Console(config)# * This manual covers the SC30010 Gigabit Ethernet switch. Other than the difference in port types, there are no significant differences. Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you...
  • Page 39: Configuring The Switch For Remote Management

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Configuring the Switch for Remote Management Using the Network Interface The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging.
  • Page 40 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Assigning an IPv4 Address Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: ◆ IP address for the switch Network mask for this network ◆...
  • Page 41 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To configure an IPv6 link local address for the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ipv6 address”...
  • Page 42 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To generate an IPv6 global unicast address for the switch, complete the following steps: From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. From the interface prompt, type “ipv6 address ipv6-address”...
  • Page 43 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Dynamic Configuration Obtaining an IPv4 Address If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received.
  • Page 44 Index: 1001, MTU: 1500 Address Mode is DHCP IP Address: 192.168.0.4 Mask: 255.255.255.0 Proxy ARP is disabled DHCP Client Vendor Class ID (text): SC30010 DHCP Relay Server: Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
  • Page 45: Enabling Snmp Management Access

    Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) 3rd-party applications. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 46 Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Console(config)#snmp-server community admin rw Console(config)#snmp-server community private Console(config)# Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
  • Page 47: Managing System Files

    Chapter 1 | Initial Switch Configuration Managing System Files For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “SNMP Commands” on page 155 or to the Web Management Guide. Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP.
  • Page 48: Upgrading The Operation Code

    Chapter 1 | Initial Switch Configuration Managing System Files the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file. Upgrading the Operation Code The following example shows how to download new firmware to the switch and activate it.
  • Page 49 Chapter 1 | Initial Switch Configuration Managing System Files loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config:<filename> command. The maximum number of saved configuration files depends on available flash memory.
  • Page 50: Automatic Installation Of Operation Code And Configuration Settings

    Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings Automatic Installation of Operation Code and Configuration Settings Downloading Operation Code Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
  • Page 51 Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings case-insensitive. Please check the documentation for your server’s operating system if you are unsure of its file system’s behavior. ◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
  • Page 52 Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://site9:billy@192.168.0.1/sm24/ Console(config)# Set the switch to automatically reboot and load the new code after the opcode...
  • Page 53: Specifying A Dhcp Client Identifier

    Press ENTER to start session Automatic Upgrade is looking for a new image No new image detected User Access Verification Username: admin Password: CLI session with the SC30010 is opened. To end the CLI session, enter [Exit]. Console#dir File Name Type Startup Modified Time...
  • Page 54: Downloading Configuration Files / Other Parameters From A Dhcp Server

    Chapter 1 | Initial Switch Configuration Downloading Configuration Files / Other Parameters from a DHCP Server DHCP client Identifier (Option 60) is used by DHCP clients to specify their unique identifier. The client identifier is optional and can be specified while configuring DHCP on the primary network interface.
  • Page 55: Table 1: Options 60, 66 And 67 Statements

    Chapter 1 | Initial Switch Configuration Downloading Configuration Files / Other Parameters from a DHCP Server ◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
  • Page 56: Setting The System Clock

    "192.168.255.101"; option bootfile-name "test"; Note: Use “sc30010.cfg” for the vendor-class-identifier in the dhcpd.conf file. Setting the System Clock Simple Network Time Protocol (SNTP) or Network Time Protocol (NTP) can be used to set the switch’s internal clock based on periodic updates from a time server.
  • Page 57: Setting The Time Manually

    Chapter 1 | Initial Switch Configuration Setting the System Clock ◆ Summer Time/Daylight Saving Time (DST) – In some regions, the time shifts by one hour in the fall and spring. The switch supports manual entry for one-time or recurring clock shifts. Setting the Time To manually set the clock to 14:11:36, April 1st, 2013, enter this command.
  • Page 58: Configuring Ntp

    Chapter 1 | Initial Switch Configuration Setting the System Clock Configuring NTP Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
  • Page 59: Command Line Interface

    Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ "Using the Command Line Interface" on page 61 ◆ "General Commands" on page 73 ◆...
  • Page 60 Section I | Command Line Interface ◆ "Spanning Tree Commands" on page 410 ◆ "VLAN Commands" on page 441 ◆ "Class of Service Commands" on page 471 ◆ "Quality of Service Commands" on page 483 ◆ "Multicast Filtering Commands" on page 494 ◆...
  • Page 61: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After connecting to the system through the console port, the login screen displays: User Access Verification Username: admin Password: CLI session with the SC30010 is opened. To end the CLI session, enter [Exit]. – 61 –...
  • Page 62: Telnet Connection

    Chapter 2 | Using the Command Line Interface Accessing the CLI Console# Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 63: Entering Commands

    Entering Commands After entering the Telnet command, the login screen displays: Username: admin Password: CLI session with the SC30010 is opened. To end the CLI session, enter [Exit]. Vty-0# Note: You can open up to eight sessions to the device via Telnet or SSH.
  • Page 64: Command Completion

    Chapter 2 | Using the Command Line Interface Entering Commands Command Completion If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing log followed by a tab will result in printing the command up to “logging.
  • Page 65 Chapter 2 | Using the Command Line Interface Entering Commands privilege Shows current privilege level process Device process protocol-vlan Protocol-VLAN information public-key Public key information Quality of Service queue Priority queue information radius-server RADIUS server information reload Shows the reload settings rmon Remote monitoring information rspan...
  • Page 66: Partial Keyword Lookup

    Chapter 2 | Using the Command Line Interface Entering Commands Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”...
  • Page 67: Exec Commands

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password] CLI session with the SC30010 is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password] CLI session with the SC30010 is opened.
  • Page 68: Configuration Commands

    Chapter 2 | Using the Command Line Interface Entering Commands Configuration Commands Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
  • Page 69: Command Line Processing

    Chapter 2 | Using the Command Line Interface Entering Commands To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 2: Configuration Command Modes Mode Command Prompt...
  • Page 70: Showing Status Information

    Chapter 2 | Using the Command Line Interface Entering Commands Table 3: Keystroke Commands (Continued) Keystroke Function Ctrl-K Deletes all characters from the cursor to the end of the line. Ctrl-L Repeats current command line on a new line. Ctrl-N Enters the next command line in the history buffer.
  • Page 71: Cli Command Groups

    Chapter 2 | Using the Command Line Interface CLI Command Groups CLI Command Groups The system commands can be broken down into the functional groups shown below Table 4: Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the system, or quitting the CLI System Management Display and setting of system information, basic modes of...
  • Page 72 Chapter 2 | Using the Command Line Interface CLI Command Groups Table 4: Command Group Index (Continued) Command Group Description Page VLANs Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling Class of Service Sets port priority for untagged frames, selects strict priority...
  • Page 73: General Commands

    General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 5: General Commands Command Function Mode prompt Customizes the CLI prompt reload (Global Configuration) Restarts the system at a specified time, after a specified delay, or at a periodic interval
  • Page 74: Reload (Global Configuration)

    Chapter 3 | General Commands Command Mode Global Configuration Command Usage This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt. Example Console(config)#prompt RD2 RD2(config)#...
  • Page 75: Enable

    Chapter 3 | General Commands Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test.
  • Page 76: Quit

    Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (78) enable password (192) This command exits the configuration program.
  • Page 77: Configure

    Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console#...
  • Page 78: Disable

    Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.
  • Page 79: Show Reload

    Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which the next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2015.
  • Page 80 Chapter 3 | General Commands Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: – 80 –...
  • Page 81: System Management Commands

    System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 6: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status Displays system configuration, active managers, and version information...
  • Page 82: Table 8: System Status Commands

    Chapter 4 | System Management Commands System Status hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode
  • Page 83: Show Access-List Tcam-Utilization

    Chapter 4 | System Management Commands System Status Table 8: System Status Commands (Continued) Command Function Mode show system Displays system information NE, PE show tech-support Displays a detailed list of system settings designed to help technical support resolve configuration or functional problems show users Shows all active console and Telnet sessions, including...
  • Page 84: Table 9: Show Access-List Tcam-Utilization - Display Description

    Chapter 4 | System Management Commands System Status 64 D6S D6E 128 D4 W 128 DM 128 MV PV VV 64 I 0 Reserved 0 C L 64 AE6S AE6E 128 AE4 128 AEM 64 DE6S DE6E 128 DE4 128 DEM QINQ Console# Table 9: show access-list tcam-utilization - display description Field...
  • Page 85: Show Memory

    Chapter 4 | System Management Commands System Status show memory This command shows memory utilization parameters, and alarm thresholds. Command Mode Normal Exec, Privileged Exec Command Usage This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, the total amount of system memory, and the alarm thresholds.
  • Page 86: Table 10: Show Process Cpu Guard - Display Description

    Chapter 4 | System Management Commands System Status Alarm Status Current Alarm Status : Off Last Alarm Start Time : Dec 31 00:00:19 2000 Last Alarm Duration Time : 15 seconds Alarm Configuration Rising Threshold : 90% Falling Threshold : 70% Console# Related Commands process cpu (177)
  • Page 87: Show Process Cpu Task

    Chapter 4 | System Management Commands System Status Table 10: show process cpu guard - display description (Continued) Field Description Minimum Threshold If packet flow has been stopped after exceeding the maximum threshold, normal flow will be restored after usage falls beneath the minimum threshold.
  • Page 88: Show Running-Config

    Chapter 4 | System Management Commands System Status NMTRDRV 1.00 1.66 4.00 NSM_GROUP 0.00 0.00 0.00 NSM_PROC 0.00 0.00 0.00 NSM_TD 0.00 0.00 0.00 OSPF6_TD 0.00 0.00 0.00 OSPF_TD 0.00 0.00 0.00 PIM_GROUP 0.00 0.00 0.00 PIM_PROC 0.00 0.00 0.00 PIM_SM_TD 0.00 0.00...
  • Page 89 Chapter 4 | System Management Commands System Status ◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. ◆ This command displays settings for key command modes. Each mode group is separated by “!”...
  • Page 90: Show Startup-Config

    Refer to the example for the running configuration file. Related Commands show running-config (88) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show system System Description : SC30010 System OID String : 1.3.6.1.4.1.50868.44.101...
  • Page 91: Table 11: Show System - Display Description

    Chapter 4 | System Management Commands System Status System Information System Up Time : 0 days, 23 hours, 49 minutes, and 30.37 seconds System Name System Location System Contact MAC Address (Unit 1) : CC-37-AB-A1-06-C0 Web Server : Enabled Web Server Port : 80 Web Secure Server : Enabled...
  • Page 92: Show Tech-Support

    Example User Access Verification Username: admin Password: CLI session with the SC30010 is opened. To end the CLI session, enter [Exit]. Vty-2#show tech-support dir: File Name Type Startup Modified Time...
  • Page 93: Show Users

    Chapter 4 | System Management Commands System Status show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 94: Table 12: Show Version - Display Description

    Chapter 4 | System Management Commands System Status Table 12: show version – display description Parameter Description Serial Number The serial number of the switch. Hardware Version Hardware version of the main board. Number of Ports Number of built-in ports. Main Power Status Displays the status of the internal power supply.
  • Page 95: Table 13: Fan Control Commands

    Chapter 4 | System Management Commands Fan Control Fan Control This section describes the command used to force fan speed. Only some of the switches in the series support this command. Table 13: Fan Control Commands Command Function Mode fan-speed force-full Forces fans to full speed show system Shows if full fan speed is enabled...
  • Page 96: File Management

    Chapter 4 | System Management Commands File Management Default Setting Disabled Command Mode Global Configuration Command Usage ◆ This switch provides more efficient throughput for large sequential data transfers by supporting layer 2 jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks up to 10240 bytes.
  • Page 97: Table 15: Flash/File Commands

    Chapter 4 | System Management Commands File Management Saving or Restoring Configuration Settings Configuration settings can be uploaded and downloaded to and from an FTP/SFTP/TFTP server. The configuration file can be later downloaded to restore switch settings. The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it.
  • Page 98: Copy

    Chapter 4 | System Management Commands File Management filename - Name of configuration file or code image. * The colon (:) is required. Default Setting None Command Mode Global Configuration Command Usage ◆ A colon (:) is required after the specified file type....
  • Page 99 Chapter 4 | System Management Commands File Management public-key - Keyword that allows you to copy a SSH key from a TFTP server. (See “Secure Shell” on page 225.) running-config - Keyword that allows you to copy to/from the current running configuration.
  • Page 100 Chapter 4 | System Management Commands File Management ◆ When logging into a remote SFTP server, the interface prompts for a user name and password configured on the remote server. If this is a first time connection, the system checks to see if the public key offered by the server matches one stored locally.
  • Page 101 Chapter 4 | System Management Commands File Management The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01...
  • Page 102: Delete

    Chapter 4 | System Management Commands File Management This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: admin Password[]: ***** Choose file type: 1. config: 2. opcode: 2 Source file name: BLANC.BIX Destination file name: BLANC.BIX Console#...
  • Page 103 Chapter 4 | System Management Commands File Management Default Setting None Command Mode Privileged Exec Command Usage ◆ If the file type is used for system startup, then this file cannot be deleted. ◆ “Factory_Default_Config.cfg” cannot be deleted. ◆ If the public key type is not specified, then both DSA and RSA keys will be...
  • Page 104: Table 16: File Directory Information

    Chapter 4 | System Management Commands File Management File information is shown below: Table 16: File Directory Information Column Heading Description File Name The name of the file. File Type File types: Operation Code, and Config file. Startup Shows if this file is used when the system is started. Modify Time The date and time the file was last modified.
  • Page 105: Automatic Code Upgrade Commands

    Chapter 4 | System Management Commands File Management Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modified Time Size (bytes)
  • Page 106: Upgrade Opcode Path

    Chapter 4 | System Management Commands File Management ◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands. Example Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup.
  • Page 107: Upgrade Opcode Reload

    Chapter 4 | System Management Commands File Management ◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/ ◆ When specifying an FTP server, the following syntax must be used, where...
  • Page 108: Show Upgrade

    Chapter 4 | System Management Commands File Management show upgrade This command shows the opcode upgrade configuration settings. Command Mode Privileged Exec Example Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path File Name : C-300-series.bix Console# TFTP Configuration Commands This command specifies the number of times the switch can retry transmitting...
  • Page 109: Ip Tftp Timeout

    Chapter 4 | System Management Commands File Management ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. Syntax ip tftp timeout seconds no ip tftp timeout...
  • Page 110: Table 17: Line Commands

    Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 17: Line Commands Command Function...
  • Page 111: Line

    Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 112: Exec-Timeout

    Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
  • Page 113: Login

    Chapter 4 | System Management Commands Line Example To set the timeout to two minutes, enter this command: Console(config-line-console)#exec-timeout 120 Console(config-line-console)# login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login...
  • Page 114: Parity

    Chapter 4 | System Management Commands Line Related Commands username (193) password (114) parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity...
  • Page 115: Password-Thresh

    Chapter 4 | System Management Commands Line Default Setting No password is specified. Command Mode Line Configuration Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt.
  • Page 116: Silent-Time

    Chapter 4 | System Management Commands Line reached for Telnet, the Telnet logon interface shuts down. Example To set the password threshold to five attempts, enter this command: Console(config-line-console)#password-thresh 5 Console(config-line-console)# Related Commands silent-time (116) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the...
  • Page 117: Speed

    Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
  • Page 118: Timeout Login Response

    Chapter 4 | System Management Commands Line Example To specify 2 stop bits, enter this command: Console(config-line-console)#stopbits 2 Console(config-line-console)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds]...
  • Page 119: Terminal

    Chapter 4 | System Management Commands Line session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
  • Page 120: Show Line

    Chapter 4 | System Management Commands Line Default Setting Escape Character: 27 (ASCII-number) History: 10 Length: 24 Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
  • Page 121: Table 18: Event Logging Commands

    Chapter 4 | System Management Commands Event Logging Stop Bits VTY Configuration: Password Threshold : 3 times EXEC Timeout : 600 seconds Login Timeout : 300 sec. Silent Time : Disabled Console# Event Logging This section describes commands used to configure event logging on the switch.
  • Page 122: Logging Facility

    Chapter 4 | System Management Commands Event Logging Command Usage The records stored include the commands executed from the CLI, command execution time and information about the CLI user including user name, user interface (console, Telnet, SSH) and user IP address. The severity level for this record type is 6 (see the logging facility command).
  • Page 123: Table 19: Logging Levels

    Chapter 4 | System Management Commands Event Logging flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). level - One of the levels listed below. Messages sent include the selected level down to level 0.
  • Page 124: Logging On

    Chapter 4 | System Management Commands Event Logging udp-port - UDP port number used by the remote server. (Range: 1-65535) Default Setting UDP Port: 514 Command Mode Global Configuration Command Usage ◆ Use this command more than once to build up a list of host IP addresses....
  • Page 125: Logging Trap

    Chapter 4 | System Management Commands Event Logging logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 126: Show Log

    Chapter 4 | System Management Commands Event Logging Example Console#clear log Console# Related Commands show log (126) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
  • Page 127: Table 20: Show Logging Flash/Ram - Display Description

    Chapter 4 | System Management Commands Event Logging show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {command | flash | ram | sendmail | trap} command - Stores CLI command execution records in syslog RAM and flash.
  • Page 128: Table 21: Show Logging Trap - Display Description

    Chapter 4 | System Management Commands SMTP Alerts The following example displays settings for the trap function. Console#show logging trap Global Configuration: Syslog Logging : Enabled Remote Logging Configuration: Status : Disabled Facility Type : Local use 7 (23) Level Type : Debugging messages (7) Console# Table 21: show logging trap - display description...
  • Page 129: Logging Sendmail

    Chapter 4 | System Management Commands SMTP Alerts logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# This command specifies the email recipients of alert messages. Use the no logging sendmail form to remove a recipient.
  • Page 130: Logging Sendmail Level

    Chapter 4 | System Management Commands SMTP Alerts ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling. Default Setting None Command Mode Global Configuration Command Usage ◆ You can specify up to three SMTP servers for event handling. However,...
  • Page 131: Logging Sendmail Source-Email

    Chapter 4 | System Management Commands SMTP Alerts Command Usage The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.) Example This example will send email alerts for system errors from level 3 through 0.
  • Page 132: Table 23: Time Commands

    Chapter 4 | System Management Commands Time SMTP Minimum Severity Level: 7 SMTP Destination E-mail Addresses ----------------------------------------------- ted@this-company.com SMTP Source E-mail Address: bill@this-company.com SMTP Status: Enabled Console# Time The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
  • Page 133: Sntp Commands

    Chapter 4 | System Management Commands Time SNTP Commands sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests. Syntax [no] sntp client Default Setting...
  • Page 134: Sntp Poll

    Chapter 4 | System Management Commands Time sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
  • Page 135: Show Sntp

    Chapter 4 | System Management Commands Time Example Console(config)#sntp server 10.1.0.19 Console# Related Commands sntp client (133) sntp poll (134) show sntp (135) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
  • Page 136: Ntp Authentication-Key

    Chapter 4 | System Management Commands Time Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
  • Page 137: Ntp Client

    Chapter 4 | System Management Commands Time ◆ Use the no form of this command without an argument to clear all authentication keys in the list. Example Console(config)#ntp authentication-key 45 md5 thisiskey45 Console(config)# Related Commands ntp authenticate (135) ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command.
  • Page 138: Ntp Server

    Chapter 4 | System Management Commands Time ntp server This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. Syntax ntp server ip-address [key key-number] no ntp server [ip-address]...
  • Page 139: Show Ntp

    Chapter 4 | System Management Commands Time show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
  • Page 140 Chapter 4 | System Management Commands Time e-date - Day of the month when summer time will end. (Range: 1-31) e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december) e-year - The year summer time will end.
  • Page 141: Table 24: Predefined Summer-Time Parameters

    Chapter 4 | System Management Commands Time clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time. Syntax clock summer-time name predefined [australia | europe | new-zealand | usa]...
  • Page 142: Clock Summer-Time (Recurring)

    Chapter 4 | System Management Commands Time Example The following example sets the Summer Time setting to use the predefined settings for the European region. Console(config)#clock summer-time MESZ predefined europe Console(config)# Related Commands show sntp (135) clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring...
  • Page 143: Clock Timezone

    Chapter 4 | System Management Commands Time offset - Summer-time offset from the regular time zone, in minutes. (Range: 1-120 minutes) Default Setting Disabled Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer...
  • Page 144: Calendar Set

    Chapter 4 | System Management Commands Time after-utc - Sets the local time zone after (west) of UTC. Default Setting None Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude.
  • Page 145: Table 25: Time Range Commands

    Chapter 4 | System Management Commands Time Range Command Usage Note that when SNTP is enabled, the system clock cannot be manually configured. Example This example shows how to set the system clock to 15:12:34, February 1st, 2015. Console#calendar set 15:12:34 1 February 2015 Console# This command displays the system clock.
  • Page 146: Time-Range

    Chapter 4 | System Management Commands Time Range time-range This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. Syntax [no] time-range name name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode...
  • Page 147: Periodic

    Chapter 4 | System Management Commands Time Range Default Setting None Command Mode Time Range Configuration Command Usage ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
  • Page 148: Show Time-Range

    Chapter 4 | System Management Commands Time Range minute - Minute. (Range: 0-59) Default Setting None Command Mode Time Range Configuration Command Usage ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
  • Page 149: Table 26: Switch Cluster Commands

    Chapter 4 | System Management Commands Switch Clustering Switch Clustering Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
  • Page 150: Cluster

    Chapter 4 | System Management Commands Switch Clustering Note: Cluster Member switches can be managed either through a Telnet connection to the Commander, or through a web management connection to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand to connect to the Member switch.
  • Page 151: Cluster Ip-Pool

    Chapter 4 | System Management Commands Switch Clustering Syntax [no] cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage ◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate”...
  • Page 152: Cluster Member

    Chapter 4 | System Management Commands Switch Clustering ◆ Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
  • Page 153: Show Cluster

    There is no need to enter the username and password for access to the Member switch CLI. Example Console#rcommand id 1 CLI session with the SC30010 is opened. To end the CLI session, enter [Exit]. Vty-0# This command shows the switch clustering configuration.
  • Page 154: Show Cluster Candidates

    show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec Example Console#show cluster candidates Cluster Candidates: Role MAC Address Description --------------- ----------------- ---------------------------------------- Candidate join 00-E0-0C-00-00-FE SC30010 Candidate 00-12-CF-0B-47-A0 SC30010 Console#...
  • Page 155: Table 27: Snmp Commands

    SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 156 Chapter 5 | SNMP Commands Table 27: SNMP Commands (Continued) Command Function Mode snmp-server view Adds an SNMP view show snmp engine-id Shows the SNMP engine ID show snmp group Shows the SNMP groups show snmp user Shows the SNMP users show snmp view Shows the SNMP views Notification Log Commands...
  • Page 157: General Snmp Commands

    Chapter 5 | SNMP Commands General SNMP Commands snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server. Syntax [no] snmp-server Default Setting Enabled Command Mode Global Configuration Example...
  • Page 158: Snmp-Server Contact

    Chapter 5 | SNMP Commands Example Console(config)#snmp-server community alpha rw Console(config)# snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None...
  • Page 159: Show Snmp

    Chapter 5 | SNMP Commands Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (158) show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counters for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps...
  • Page 160: Snmp Target Host Commands

    Chapter 5 | SNMP Commands SNMP Logging: Disabled Console# SNMP Target Host Commands snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications. Syntax [no] snmp-server enable traps [authentication | mac-notification [interval seconds]]...
  • Page 161: Snmp-Server Host

    Chapter 5 | SNMP Commands Example Console(config)#snmp-server enable traps authentication Console(config)# Related Commands snmp-server host (161) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth |...
  • Page 162 Chapter 5 | SNMP Commands SNMP Version: 1 UDP Port: 162 Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
  • Page 163: Snmp-Server Enable Port-Traps Link-Up-Down

    Chapter 5 | SNMP Commands Allow the switch to send SNMP traps; i.e., notifications (page 160). Specify the target host that will receive inform messages with the snmp-server host command as described in this section. ◆ The switch can send SNMP Version 1, 2c or 3 notifications to a host IP...
  • Page 164: Snmp-Server Enable Port-Traps Mac-Notification

    Chapter 5 | SNMP Commands snmp-server enable port-traps mac-notification This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting. Syntax [no] snmp-server enable port-traps mac-notification mac-notification - Keyword to issue trap when a dynamic MAC address is added or removed.
  • Page 165: Snmpv3 Commands

    Chapter 5 | SNMP Commands Eth 1/3 SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch.
  • Page 166: Snmp-Server Group

    Chapter 5 | SNMP Commands ◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 167).
  • Page 167: Snmp-Server User

    Chapter 5 | SNMP Commands ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. ◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption. ◆ For additional information on the notification messages supported by this...
  • Page 168 Chapter 5 | SNMP Commands If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password) 3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption. aes128 - Uses SNMPv3 with privacy with AES128 encryption. aes192 - Uses SNMPv3 with privacy with AES192 encryption.
  • Page 169: Snmp-Server View

    Chapter 5 | SNMP Commands
    Example
    Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
    Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
    Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
    Console(config)#
    snmp-server view
    This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
  • Page 170: Show Snmp Engine-Id

    Chapter 5 | SNMP Commands
    This view includes the MIB-2 interfaces table, and the mask selects all index entries.
    Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
    Console(config)#
    show snmp engine-id
    This command shows the SNMP engine ID.
    Command Mode
    Privileged Exec
    Example
    This example shows the default engine ID.
  • Page 171: Show Snmp User

    Chapter 5 | SNMP Commands
    Storage Type : Nonvolatile
    Row Status : Active
    Group Name : public
    Security Model : v1
    Read View : defaultview
    Write View : No writeview specified
    Notify View : No notifyview specified
    Storage Type : Volatile
    Row Status : Active
    Group Name...
  • Page 172: Show Snmp View

    Chapter 5 | SNMP Commands
    Example
    Console#show snmp user
    Engine ID : 800001030300e00c0000fd0000
    User Name : steve
    Group Name : rd
    Security Model : v1
    Security Level : Authentication and privacy
    Authentication Protocol : None
    Privacy Protocol : None
    Storage Type : Nonvolatile
    Row Status : Active...
  • Page 173: Notification Log Commands

    Chapter 5 | SNMP Commands
    Row Status: active
    View Name : defaultview
    Subtree OID
    View Type : included
    Storage Type : volatile
    Row Status : active
    Console#
    Table 31: show snmp view - display description
    Field         Description
    View Name     Name of an SNMP view.
    Subtree OID   A branch in the MIB tree.
  • Page 174: Snmp-Server Notify-Filter

    Chapter 5 | SNMP Commands
    snmp-server notify-filter
    This command creates an SNMP notification log. Use the no form to remove this log.
    Syntax
    [no] snmp-server notify-filter profile-name remote ip-address
    profile-name - Notification log profile name. (Range: 1-32 characters)
    ip-address - IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the snmp-server host...
  • Page 175: Show Nlm Oper-Status

    Chapter 5 | SNMP Commands by default (see the command), but will not start recording information until a logging profile specified with this command is enabled with the command. ◆ Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes.
  • Page 176: Additional Trap Commands

    Chapter 5 | SNMP Commands
    10.1.19.23
    Console#
    Additional Trap Commands
    memory
    This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting.
    Syntax
    memory {rising rising-threshold | falling falling-threshold}
    no memory {rising | falling}
    rising-threshold - Rising threshold for memory utilization alarm expressed in percentage.
  • Page 177: Process Cpu

    Chapter 5 | SNMP Commands
    process cpu
    This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting.
    Syntax
    process cpu {rising rising-threshold | falling falling-threshold}
    no process cpu {rising | falling}
    rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
  • Page 178 Chapter 5 | SNMP Commands low-watermark - If packet flow has been stopped after exceeding the high watermark, normal flow will be restored after usage falls beneath the low watermark. (Range: 40-100%) max-threshold - If the number of packets being processed per second by the CPU is higher than the maximum threshold, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until the number of packets being...
  • Page 179: Remote Monitoring Commands

    Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 180: Rmon Alarm

    Chapter 6 | Remote Monitoring Commands
    rmon alarm
    This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
    Syntax
    rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
    no rmon alarm index
    index –...
  • Page 181: Rmon Event

    Chapter 6 | Remote Monitoring Commands threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
  • Page 182: Rmon Collection History

    Chapter 6 | Remote Monitoring Commands
    Command Usage
    ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
    ◆ The specified events determine the action to take when an alarm triggers this event.
  • Page 183: Rmon Collection Rmon1

    Chapter 6 | Remote Monitoring Commands
    ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
    ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config command will display a message indicating that this...
  • Page 184: Show Rmon Alarms

    Chapter 6 | Remote Monitoring Commands
    Command Usage
    ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
    ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
  • Page 185: Show Rmon History

    Chapter 6 | Remote Monitoring Commands
    show rmon history
    This command shows the sampling parameters configured for each entry in the history group.
    Command Mode
    Privileged Exec
    Example
    Console#show rmon history
    Entry 1 is valid, and owned by
    Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
    Requested # of time intervals, ie buckets, is 8
    Granted # of time intervals, ie buckets, is 8
    Sample # 1 began measuring at 00:00:01...
  • Page 186: Flow Sampling Commands

    Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 187 Chapter 7 | Flow Sampling Commands polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 188: Sflow Polling Instance

    Chapter 7 | Flow Sampling Commands
    This example shows how to modify the sFlow port number for an already configured collector.
    Console(config)#sflow owner stat_server1 timeout 100 port 35100
    Console(config)#
    sflow polling instance
    This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval.
  • Page 189: Sflow Sampling Instance

    Chapter 7 | Flow Sampling Commands
    sflow sampling instance
    This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
  • Page 190: Show Sflow

    Chapter 7 | Flow Sampling Commands
    The following command removes a sampling data source from Ethernet interface 1/1.
    Console# no sflow sampling interface ethernet 1/1 instance 1
    Console#
    show sflow
    This command shows the global and interface settings for the sFlow process.
    Syntax
    show sflow [owner owner-name | interface interface]...
  • Page 191: Authentication Commands

    Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access...
  • Page 192: User Accounts And Privilege Levels

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 110), user authentication via a remote authentication server (page...
  • Page 193: Username

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels password - Password for this privilege level. (Maximum length: 32 characters plain text or encrypted, case sensitive) Default Setting The default is level 15. The default password is “super” Command Mode Global Configuration Command Usage You cannot set a null password.
  • Page 194: Table 36: Default Login Settings

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels Level 0, 8 and 15 are designed for users (guest), managers (network maintenance), and administrators (top-level access). The other levels can be used to configure specialized access profiles. Level 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>”...
  • Page 195: Privilege

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels
    Console(config)#username bob access-level 15
    Console(config)#username bob password 0 smith
    Console(config)#
    privilege
    This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
    Syntax
    privilege mode [all] level level command
    no privilege mode [all] command...
  • Page 196: Authentication Sequence

    Chapter 8 | Authentication Commands Authentication Sequence
    command - Displays the privilege level for all commands modified by the privilege command.
    Command Mode
    Privileged Exec
    Example
    This example shows the privilege level for any command modified by the privilege command.
    Console#show privilege command
    privilege line all level 0 accounting
    privilege exec level 15 ping...
  • Page 197: Authentication Login

    Chapter 8 | Authentication Commands Authentication Sequence
    Command Usage
    ◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
  • Page 198: Radius Client

    Chapter 8 | Authentication Commands RADIUS Client RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet. ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
  • Page 199: Radius-Server Acct-Port

    Chapter 8 | Authentication Commands RADIUS Client
    radius-server acct-port
    This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default.
    Syntax
    radius-server acct-port port-number
    no radius-server acct-port
    port-number - RADIUS server UDP port used for accounting messages.
  • Page 200: Radius-Server Key

    Chapter 8 | Authentication Commands RADIUS Client Syntax [no] radius-server index host host-ip-address [acct-port acct-port] [auth-port auth-port] [key key] [retransmit retransmit] [timeout timeout] index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
  • Page 201: Radius-Server Retransmit

    Chapter 8 | Authentication Commands RADIUS Client
    Default Setting
    None
    Command Mode
    Global Configuration
    Example
    Console(config)#radius-server key green
    Console(config)#
    radius-server retransmit
    This command sets the number of retries. Use the no form to restore the default.
    Syntax
    radius-server retransmit number-of-retries
    no radius-server retransmit
    number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 202: Show Radius-Server

    Chapter 8 | Authentication Commands TACACS+ Client
    Command Mode
    Global Configuration
    Example
    Console(config)#radius-server timeout 10
    Console(config)#
    show radius-server
    This command displays the current settings for the RADIUS server.
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#show radius-server
    Remote RADIUS Server Configuration:
    Global Settings:
    Authentication Port Number : 1812
    Accounting Port Number...
  • Page 203: Tacacs-Server Host

    Chapter 8 | Authentication Commands TACACS+ Client
    associated privilege levels for each user or group that require management access to a switch.
    Table 39: TACACS+ Client Commands
    Command              Function                                                 Mode
    tacacs-server host   Specifies the TACACS+ server and optional parameters
    tacacs-server key    Sets the TACACS+ encryption key
    tacacs-server port   Specifies the TACACS+ server network port...
  • Page 204: Tacacs-Server Key

    Chapter 8 | Authentication Commands TACACS+ Client
    Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
    Console(config)#
    tacacs-server key
    This command sets the TACACS+ encryption key. Use the no form to restore the default.
    Syntax
    tacacs-server key key-string
    no tacacs-server key
    key-string - Encryption key used to authenticate logon access for the client.
  • Page 205: Tacacs-Server Retransmit

    Chapter 8 | Authentication Commands TACACS+ Client
    Console(config)#tacacs-server port 181
    Console(config)#
    tacacs-server retransmit
    This command sets the number of retries. Use the no form to restore the default.
    Syntax
    tacacs-server retransmit number-of-retries
    no tacacs-server retransmit
    number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
  • Page 206: Show Tacacs-Server

    Chapter 8 | Authentication Commands
    show tacacs-server
    This command displays the current settings for the TACACS+ server.
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#show tacacs-server
    Remote TACACS+ Server Configuration:
    Global Settings:
    Server Port Number : 49
    Retransmit Times
    Timeout
    Server 1:
    Server IP Address...
  • Page 207: Aaa Accounting Commands

    Chapter 8 | Authentication Commands
    Table 40: AAA Commands (Continued)
    Command               Function                                                                  Mode
    server                Configures the IP address of a server in a group list
    accounting dot1x      Applies an accounting method to an interface for 802.1X service requests
    accounting commands   Applies an accounting method to CLI commands entered by a user...          Line
  • Page 208: Aaa Accounting Dot1X

    Chapter 8 | Authentication Commands
    Command Usage
    ◆ The accounting of Exec mode commands is only supported by TACACS+ servers.
    ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
  • Page 209: Aaa Accounting Exec

    Chapter 8 | Authentication Commands
    servers, and do not actually send any information to the servers about the methods to use.
    Example
    Console(config)#aaa accounting dot1x default start-stop group radius
    Console(config)#
    aaa accounting exec
    This command enables the accounting of requested Exec services for network access.
  • Page 210: Aaa Accounting Update

    Chapter 8 | Authentication Commands
    Example
    Console(config)#aaa accounting exec default start-stop group tacacs+
    Console(config)#
    aaa accounting update
    This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
    Syntax
    aaa accounting update [periodic interval]
    no aaa accounting update
    interval - Sends an interim accounting record to the server at this interval.
  • Page 211: Aaa Authorization Exec

    Chapter 8 | Authentication Commands start-stop - Records authorization from starting point and stopping point. group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 212: Aaa Group Server

    Chapter 8 | Authentication Commands group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
  • Page 213: Server

    Chapter 8 | Authentication Commands
    Example
    Console(config)#aaa group server radius tps
    Console(config-sg-radius)#
    server
    This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.
    Syntax
    [no] server {index | ip-address}
    index - Specifies the server index.
  • Page 214: Accounting Commands

    Chapter 8 | Authentication Commands
    Default Setting
    None
    Command Mode
    Interface Configuration
    Example
    Console(config)#interface ethernet 1/2
    Console(config-if)#accounting dot1x tps
    Console(config-if)#
    accounting commands
    This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands.
    Syntax
    accounting commands level {default | list-name}...
  • Page 215: Authorization Commands

    Chapter 8 | Authentication Commands
    list-name - Specifies a method list created with the aaa accounting exec command.
    Default Setting
    None
    Command Mode
    Line Configuration
    Example
    Console(config)#line console
    Console(config-line)#accounting exec tps
    Console(config-line)#exit
    Console(config)#line vty
    Console(config-line)#accounting exec default
    Console(config-line)#
    authorization commands
    This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
  • Page 216: Authorization Exec

    Chapter 8 | Authentication Commands
    authorization exec
    This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
    Syntax
    authorization exec {default | list-name}
    no authorization exec
    default - Specifies the default method list created with the authorization exec command.
  • Page 217: Show Authorization

    Chapter 8 | Authentication Commands
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: Always 1)
    port - Port number. (Range: 1-52)
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#show accounting
    Accounting Type : dot1x
    Method List : default
    Group List : radius
    Interface : Eth 1/1...
  • Page 218: Web Server

    Chapter 8 | Authentication Commands Web Server
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#show authorization
    Authorization Type : EXEC
    Method List : default
    Group List : tacacs+
    Interface : vty
    Authorization Type : Commands 0
    Method List : default
    Group List : tacacs+
    Interface...
  • Page 219: Ip Http Authentication

    Chapter 8 | Authentication Commands Web Server
    ip http authentication
    This command specifies the method list for EXEC authorization for starting an EXEC session used by the web browser interface. Use the no form to use the default port.
    Syntax
    ip http authentication aaa exec-authorization {default | list-name}
    no ip http authentication aaa exec-authorization...
  • Page 220: Ip Http Server

    Chapter 8 | Authentication Commands Web Server
    Example
    Console(config)#ip http port 769
    Console(config)#
    Related Commands
    ip http server (220)
    show system (90)
    ip http server
    This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
    Syntax
    [no] ip http server
    Default Setting...
  • Page 221: Ip Http Secure-Server

    Chapter 8 | Authentication Commands Web Server
    Command Usage
    ◆ You cannot configure the HTTP and HTTPS servers to use the same port.
    ◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
    Example
    Console(config)#ip http secure-port 1000...
  • Page 222: Telnet Server

    Chapter 8 | Authentication Commands Telnet Server The client and server establish a secure encrypted connection. ◆ A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions. The following web browsers and operating systems currently support HTTPS: Table 42: HTTPS System Support Web Browser...
  • Page 223: Ip Telnet Max-Sessions

    Chapter 8 | Authentication Commands Telnet Server
    Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.
    ip telnet max-sessions
    This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.
  • Page 224: Ip Telnet Server

    Chapter 8 | Authentication Commands Telnet Server
    Command Mode
    Global Configuration
    Example
    Console(config)#ip telnet port 123
    Console(config)#
    ip telnet server
    This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
    Syntax
    [no] ip telnet server
    Default Setting...
  • Page 225: Show Ip Telnet

    Chapter 8 | Authentication Commands Secure Shell
    show ip telnet
    This command displays the configuration settings for the Telnet server.
    Command Mode
    Normal Exec, Privileged Exec
    Example
    Console#show ip telnet
    IP Telnet Configuration:
    Telnet Status: Enabled
    Telnet Service Port: 23
    Telnet Max Session: 8
    Console#
    Secure Shell...
  • Page 226 Chapter 8 | Authentication Commands Secure Shell Table 44: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions show users Shows SSH users, including privilege level and public key type Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
  • Page 227 Chapter 8 | Authentication Commands Secure Shell Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 228: Ip Ssh Authentication-Retries

    Chapter 8 | Authentication Commands Secure Shell When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
  • Page 229: Ip Ssh Server-Key Size

    Chapter 8 | Authentication Commands Secure Shell
    Command Mode
    Global Configuration
    Command Usage
    ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
    ◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 230: Ip Ssh Timeout

    Chapter 8 | Authentication Commands Secure Shell
    Example
    Console(config)#ip ssh server-key size 512
    Console(config)#
    ip ssh timeout
    This command configures the timeout for the SSH server. Use the no form to restore the default setting.
    Syntax
    ip ssh timeout seconds
    no ip ssh timeout
    seconds –...
  • Page 231: Ip Ssh Crypto Host-Key Generate

    Chapter 8 | Authentication Commands Secure Shell
    Default Setting
    Deletes both the DSA and RSA key.
    Command Mode
    Privileged Exec
    Example
    Console#delete public-key admin dsa
    Console#
    ip ssh crypto host-key generate
    This command generates the host key pair (i.e., public and private).
    Syntax
    ip ssh crypto host-key generate [dsa | rsa]...
  • Page 232: Ip Ssh Crypto Zeroize

    Chapter 8 | Authentication Commands Secure Shell
    ip ssh crypto zeroize
    This command clears the host key from memory (i.e. RAM).
    Syntax
    ip ssh crypto zeroize [dsa | rsa]
    dsa – DSA key type.
    rsa – RSA key type.
    Default Setting
    Clears both the DSA and RSA key.
  • Page 233: Show Public-Key

    Chapter 8 | Authentication Commands Secure Shell
    Related Commands
    ip ssh crypto host-key generate (231)
    show ip ssh
    This command displays the connection settings used when authenticating client access to the SSH server.
    Command Mode
    Privileged Exec
    Example
    Console#show ip ssh
    SSH Enabled - Version 2.0
    Negotiation Timeout : 120 seconds;...
  • Page 234: Show Ssh

    Chapter 8 | Authentication Commands Secure Shell
    Console#
    show ssh
    This command displays the current SSH server connections.
    Command Mode
    Privileged Exec
    Example
    Console#show ssh
    Connection Version State Username Encryption
    Session-Started admin...
  • Page 235: X Port Authentication

    Chapter 8 | Authentication Commands 802.1X Port Authentication 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 236: General Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    General Commands
    dot1x default
    This command sets all configurable dot1x authenticator global and port settings to their default values.
    Command Mode
    Global Configuration
    Command Usage
    This command resets the following commands to their default settings:
    ◆...
  • Page 237: Authenticator Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Example
    Console(config)#dot1x system-auth-control
    Console(config)#
    Authenticator Commands
    dot1x intrusion-action
    This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
  • Page 238: Dot1X Max-Reauth-Req

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    dot1x max-reauth-req
    This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
    Syntax
    dot1x max-reauth-req count
    no dot1x max-reauth-req...
  • Page 239: Dot1X Operation-Mode

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    dot1x operation-mode
    This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
  • Page 240: Dot1X Port-Control

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    dot1x port-control
    This command sets the dot1x mode on a port interface. Use the no form to restore the default.
    Syntax
    dot1x port-control {auto | force-authorized | force-unauthorized}
    no dot1x port-control
    auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 241: Dot1X Timeout Quiet-Period

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x re-authentication
    Console(config-if)#
    Related Commands
    dot1x timeout re-authperiod (241)
    dot1x timeout quiet-period
    This command sets the time that a switch port waits after the maximum request count (see page 238) has been exceeded before attempting to acquire a new client.
  • Page 242: Dot1X Timeout Supp-Timeout

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout re-authperiod 300
    Console(config-if)#
    dot1x timeout supp-timeout
    This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
  • Page 243: Dot1X Re-Authenticate

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Default
    30 seconds
    Command Mode
    Interface Configuration
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout tx-period 300
    Console(config-if)#
    dot1x re-authenticate
    This command forces re-authentication on all ports or a specific interface.
    Syntax
    dot1x re-authenticate [interface]
    interface
    ethernet unit/port
    unit - Unit identifier.
  • Page 244: Dot1X Timeout Held-Period

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Default
    30 seconds
    Command Mode
    Interface Configuration
    Command Usage
    This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL-Start.
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x timeout auth-period 60
    Console(config-if)#
    This command sets the time that a supplicant port waits before resending its...
  • Page 245 Chapter 8 | Authentication Commands 802.1X Port Authentication interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) Command Mode Privileged Exec Command Usage This command displays the following information: ◆ Global 802.1X Parameters – Shows whether or not 802.1X port...
  • Page 246 Chapter 8 | Authentication Commands 802.1X Port Authentication ◆ Authenticator PAE State Machine ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). ■ Reauth Count – Number of times connecting state is re-entered. ■ Current Identifier – The integer (0-255) used by the Authenticator to identify...
  • Page 247: Management Ip Filter

    Chapter 8 | Authentication Commands Management IP Filter
    Reauth Count
    Current Identifier
    Backend State Machine
    State : Idle
    Request Count
    Identifier(Server)
    Reauthentication State Machine
    State : Initialize
    Console#
    Management IP Filter
    This section describes commands used to configure IP management access to the switch.
  • Page 248: Show Management

    Chapter 8 | Authentication Commands Management IP Filter
    Command Usage
    ◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
    ◆ If anyone tries to access a management interface on the switch from an...
  • Page 249 Chapter 8 | Authentication Commands Management IP Filter Example Console#show management all-client Management Ip Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 SNMP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2.
  • Page 250: General Security Measures

    General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
  • Page 251: Port Security

    Chapter 9 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 252: Port Security

    Chapter 9 | General Security Measures Port Security is enabled and mac-learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
  • Page 253 Chapter 9 | General Security Measures Port Security Command Mode Interface Configuration (Ethernet) Command Usage ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 254: Show Port Security

    Chapter 9 | General Security Measures Port Security Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands show interfaces status (357) shutdown (349) mac-address-table static (405)
  • Page 255: Table 50: Show Port Security - Display Description

    Chapter 9 | General Security Measures Port Security Table 50: show port security - display description Field Description Port Security The configured status (enabled or disabled). Port Status The operational status: ◆ Secure/Down – Port security is disabled. ◆ Secure/Up – Port security is enabled. ◆...
  • Page 256: Network Access (Mac Address Authentication)

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) MAC Filter : Disabled Last Intrusion MAC : 00-10-22-00-00-01 Last Time Detected Intrusion MAC : 2015/7/29 15:13:03 Console# Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
  • Page 257: Network-Access Aging

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) network-access aging Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. Syntax [no] network-access aging Default Setting...
  • Page 258: Mac-Authentication Reauth-Time

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Global Configuration Command Usage ◆ Specified addresses are exempt from network access authentication. ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the...
  • Page 259: Network-Access Dynamic-Qos

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console(config)#mac-authentication reauth-time 300 Console(config)# network-access dynamic-qos Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. Syntax [no] network-access dynamic-qos Default Setting Disabled...
  • Page 260: Network-Access Dynamic-Vlan

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Note: Any configuration changes for dynamic QoS are not saved to the switch configuration file. Example The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# Use this command to enable dynamic VLAN assignment for an authenticated...
  • Page 261: Network-Access Guest-Vlan

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example The following example enables dynamic VLAN assignment on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-vlan Console(config-if)# network-access guest-vlan Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected.
  • Page 262: Network-Access Mode Mac-Authentication

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) no network-access max-mac-count count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed. (Range: 0-1024; 0 for unlimited) Default Setting 1024 Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024.
  • Page 263: Network-Access Port-Mac-Filter

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server. ◆...
  • Page 264: Mac-Authentication Intrusion-Action

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access port-mac-filter 1 Console(config-if)# mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action {block traffic | pass traffic}...
  • Page 265: Clear Network-Access

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Use this command to clear entries from the secure MAC addresses table. clear network-access Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 266: Show Network-Access Mac-Address-Table

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC Address Aging : Disabled Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion Action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts...
  • Page 267: Show Network-Access Mac-Filter

    Chapter 9 | General Security Measures Web Authentication Example Console#show network-access mac-address-table Interface MAC Address RADIUS Server Time Attribute --------- ----------------- --------------- ------------------------- --------- 00-00-01-02-03-04 172.155.120.17 00d06h32m50s Static 00-00-01-02-03-05 172.155.120.17 00d06h33m20s Dynamic 00-00-01-02-03-06 172.155.120.17 00d06h35m10s Static 00-00-01-02-03-07 172.155.120.17 00d06h34m20s Dynamic Console# Use this command to display information for entries in the MAC filter tables.
  • Page 268: Web-Auth Login-Attempts

    Chapter 9 | General Security Measures Web Authentication Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 188). Note: Web authentication cannot be configured on trunk ports. Table 53: Web Authentication Command Function Mode...
  • Page 269: Web-Auth Quiet-Period

    Chapter 9 | General Security Measures Web Authentication Example Console(config)#web-auth login-attempts 2 Console(config)# web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again.
  • Page 270: Web-Auth System-Auth-Control

    Chapter 9 | General Security Measures Web Authentication Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 271: Web-Auth Re-Authenticate (Port)

    Chapter 9 | General Security Measures Web Authentication web-auth re-authenticate (Port) This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port unit - Unit identifier.
  • Page 272: Show Web-Auth

    Chapter 9 | General Security Measures Web Authentication This command displays global web authentication parameters. show web-auth Command Mode Privileged Exec Example Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# This command displays interface-specific web authentication parameters and...
  • Page 273: Show Web-Auth Summary

    Chapter 9 | General Security Measures DHCPv4 Snooping show web-auth summary This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ----...
  • Page 274: Ip Dhcp Snooping

    Chapter 9 | General Security Measures DHCPv4 Snooping Table 54: DHCP Snooping Commands (Continued) Command Function Mode ip dhcp snooping information option circuit-id Enables or disables the use of DHCP Option 82 information circuit-id suboption ip dhcp snooping trust Configures the specified interface as trusted ip dhcp snooping max-number Configures the maximum number of DHCP clients...
  • Page 275 Chapter 9 | General Security Measures DHCPv4 Snooping ◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier. ◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second.
  • Page 276: Ip Dhcp Snooping Information Option

    Chapter 9 | General Security Measures DHCPv4 Snooping the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
  • Page 277 Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting Option 82: Disabled CID/RID sub-type: Enabled Remote ID: MAC address (hexadecimal) Command Mode Global Configuration Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 278: Ip Dhcp Snooping Information Option Encode No-Subtype

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping information option encode no-subtype This command disables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID) in Option 82 information generated by the switch. Use the no form to enable the use of these fields. Syntax [no] ip dhcp snooping information option encode no-subtype...
  • Page 279: Ip Dhcp Snooping Information Option Remote-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping Example This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID). Console(config)#no ip dhcp snooping information option encode no-subtype Console(config)# ip dhcp snooping information option remote-id This command sets the remote ID to the switch’s IP address, MAC address, or arbitrary string, TR-101 compliant node identifier, or removes VLAN ID from...
  • Page 280: Ip Dhcp Snooping Information Option Tr101 Board-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage The format for TR101 option 82 is: “<IP> eth <SID>/<PORT>[:<VLAN>]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added.
  • Page 281: Ip Dhcp Snooping Verify Mac-Address

    Chapter 9 | General Security Measures DHCPv4 Snooping keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports. replace - Replaces the Option 82 information circuit-id and remote-id fields in the client’s request with information about the relay agent itself, inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports.
  • Page 282: Ip Dhcp Snooping Vlan

    Chapter 9 | General Security Measures DHCPv4 Snooping Example This example enables MAC address verification. Console(config)#ip dhcp snooping verify mac-address Console(config)# Related Commands ip dhcp snooping (274) ip dhcp snooping vlan (282) ip dhcp snooping trust (286) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
  • Page 283: Ip Dhcp Snooping Information Option Circuit-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping Related Commands ip dhcp snooping (274) ip dhcp snooping trust (286) ip dhcp snooping information option circuit-id This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings. Syntax...
  • Page 284: Ip Dhcp Snooping Trust

    Chapter 9 | General Security Measures DHCPv4 Snooping ■ sub-type - Distinguishes different types of circuit IDs. ■ sub-length - Length of the circuit ID type ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU.
  • Page 285: Ip Dhcp Snooping Max-Number

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
  • Page 286: Ip Dhcp Snooping Trust

    Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting Command Mode Interface Configuration (Ethernet, Port Channel) Example This example sets the maximum number of DHCP clients supported on port 1 to 2. Console(config)#interface ethernet 1/1 Console(config-if)#ip dhcp snooping max-number 2 Console(config-if)# This command configures the specified interface as trusted.
  • Page 287: Clear Ip Dhcp Snooping Binding

    Chapter 9 | General Security Measures DHCPv4 Snooping ◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ip dhcp snooping trust Console(config-if)#...
  • Page 288: Ip Dhcp Snooping Database Flash

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory. Command Mode Privileged Exec Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
  • Page 289: Show Ip Dhcp Snooping Binding

    Chapter 9 | General Security Measures IPv4 Source Guard This command shows the DHCP snooping binding table entries. show ip dhcp snooping binding Command Mode Privileged Exec Example Console#show ip dhcp snooping binding MAC Address IP Address Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- ------ 11-22-33-44-55-66 192.168.0.99 0 Dynamic-DHCPSNP...
  • Page 290: Ip Source-Guard Binding

    Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard binding This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry. Syntax ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list no ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id...
  • Page 291 Chapter 9 | General Security Measures IPv4 Source Guard ◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table. ◆ Static bindings are processed as follows: ■ A valid static IP source guard entry will be added to the binding table in...
  • Page 292: Ip Source-Guard

    Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard...
  • Page 293 Chapter 9 | General Security Measures IPv4 Source Guard ◆ Filtering rules are implemented as follows: ■ If DHCPv4 snooping is disabled (see page 274), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
  • Page 294: Ip Source-Guard Max-Binding

    Chapter 9 | General Security Measures IPv4 Source Guard Default Setting Mode: ACL, Maximum Binding: 5 Mode: MAC, Maximum Binding: 16 Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be...
  • Page 295: Clear Ip Source-Guard Binding Blocked

    Chapter 9 | General Security Measures IPv4 Source Guard Default Setting Command Mode Interface Configuration (Ethernet) Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the...
  • Page 296: Show Ip Source-Guard

    Chapter 9 | General Security Measures IPv4 Source Guard show ip source-guard This command shows whether source guard is enabled or disabled on each interface. Command Mode Privileged Exec Example Console#show ip source-guard ACL Table MAC Table Interface Filter-type Filter-table Max-binding Max-binding ---------...
  • Page 297: Arp Inspection

    Chapter 9 | General Security Measures ARP Inspection 00-10-b5-f4-d0-01 10.2.44.96 static-acl 1 Eth 1/1 Console# ARP Inspection ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.
  • Page 298: Ip Arp Inspection

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection This command enables ARP Inspection globally on the switch. Use the no form to disable this function. Syntax [no] ip arp inspection Default Setting Disabled Command Mode Global Configuration Command Usage ◆ When ARP Inspection is enabled globally with this command, it becomes...
  • Page 299: Ip Arp Inspection Filter

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection filter This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
  • Page 300: Ip Arp Inspection Log-Buffer Logs

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection log-buffer logs This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
  • Page 301: Ip Arp Inspection Validate

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection validate This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. Syntax ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac]] | src-mac} no ip arp inspection validate dst-mac - Checks the destination MAC address in the Ethernet...
  • Page 302: Ip Arp Inspection Limit

    Chapter 9 | General Security Measures ARP Inspection vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma. Default Setting Disabled on all VLANs Command Mode Global Configuration Command Usage...
  • Page 303: Ip Arp Inspection Trust

    Chapter 9 | General Security Measures ARP Inspection none - There is no limit on the number of ARP packets that can be processed by the CPU. Default Setting Command Mode Interface Configuration (Port, Static Aggregation) Command Usage This command applies to both trusted and untrusted ports. ◆...
  • Page 304: Show Ip Arp Inspection Configuration

    Chapter 9 | General Security Measures ARP Inspection This command displays the global configuration settings for ARP Inspection. show ip arp inspection configuration Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP Inspection Global Information: Global IP ARP Inspection Status : disabled Log Message Interval : 1 s Log Message Number...
  • Page 305: Show Ip Arp Inspection Log

    Chapter 9 | General Security Measures ARP Inspection show ip arp inspection log This command shows information about entries stored in the log, including the associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address...
  • Page 306: Denial Of Service Protection

    Chapter 9 | General Security Measures Denial of Service Protection Example Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# Denial of Service Protection A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 307: Dos-Protection Echo-Chargen

    Chapter 9 | General Security Measures Denial of Service Protection dos-protection echo-chargen This command protects against DoS echo/chargen attacks in which the echo service repeats anything sent to it, and the chargen (character generator) service generates a continuous stream of data. When used together, they create an infinite loop and result in a denial-of-service.
  • Page 308: Dos-Protection Tcp-Flooding

    Chapter 9 | General Security Measures Denial of Service Protection dos-protection tcp-flooding This command protects against DoS TCP-flooding attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed-Source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service.
  • Page 309: Dos-Protection Tcp-Syn-Fin-Scan

    Chapter 9 | General Security Measures Denial of Service Protection dos-protection tcp-syn-fin-scan This command protects against DoS TCP-SYN/FIN-scan attacks in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags.
  • Page 310: Dos-Protection Udp-Flooding

    Chapter 9 | General Security Measures Denial of Service Protection dos-protection udp-flooding This command protects against DoS UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed-Source IP) to random ports on a remote host. The target will determine that no application is listening at that port, and reply with an ICMP Destination Unreachable packet.
  • Page 311: Show Dos-Protection

    Chapter 9 | General Security Measures Port-based Traffic Segmentation Example Console(config)#dos-protection win-nuke bit-rate-in-kilo 65 Console(config)# show dos-protection This command shows the configuration settings for the DoS protection commands. Command Mode Privileged Exec Example Console#show dos-protection Global DoS Protection: Echo/Chargen Attack : Disabled, 1000 kilobits per second Smurf Attack : Enabled TCP Flooding Attack...
  • Page 312: Traffic-Segmentation

    Chapter 9 | General Security Measures Port-based Traffic Segmentation Table 60: Commands for Configuring Traffic Segmentation (Continued) Command Function Mode traffic-segmentation uplink-to-uplink Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions show traffic-segmentation Displays the configured traffic segments This command enables traffic segmentation.
  • Page 313: Traffic-Segmentation Session

    Chapter 9 | General Security Measures Port-based Traffic Segmentation The forwarding state for uplink-to-uplink ports is configured by the traffic-segmentation uplink-to-uplink command. ◆ When traffic segmentation is disabled, all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol.
  • Page 314: Traffic-Segmentation Uplink/Downlink

    Chapter 9 | General Security Measures Port-based Traffic Segmentation traffic-segmentation uplink/downlink This command configures the uplink and down-link ports for a segmented group of ports. Use the no form to remove a port from the segmented group. Syntax [no] traffic-segmentation [session session-id] {uplink interface-list [downlink interface-list] | downlink interface-list} session-id –...
  • Page 315: Traffic-Segmentation Uplink-To-Uplink

    Chapter 9 | General Security Measures Port-based Traffic Segmentation Example This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks. Console(config)#traffic-segmentation Console(config)#traffic-segmentation uplink ethernet 1/10 downlink ethernet 1/5-8 Console(config)# traffic-segmentation uplink-to-uplink This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions.
  • Page 316 Chapter 9 | General Security Measures Port-based Traffic Segmentation Uplink-to-Uplink Mode Forwarding Session Uplink Ports Downlink Ports --------- ------------------------------ ----------------------------- Ethernet Ethernet Ethernet Ethernet Console#...
  • Page 317: Access Control Lists

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 318: Access-List Ip

    Chapter 10 | Access Control Lists IPv4 ACLs Table 63: IPv4 ACL Commands Command Function Mode show ip access-group Shows port assignments for IPv4 ACLs show ip access-list Displays the rules for configured IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs.
  • Page 319 Chapter 10 | Access Control Lists IPv4 ACLs permit, deny (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
  • Page 320 Chapter 10 | Access Control Lists IPv4 ACLs permit, deny (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 321 Chapter 10 | Access Control Lists IPv4 ACLs port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
  • Page 322: Ip Access-Group

    Chapter 10 | Access Control Lists IPv4 ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
  • Page 323: Show Ip Access-Group

    Chapter 10 | Access Control Lists IPv4 ACLs Command Mode Interface Configuration (Ethernet) Command Usage If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
  • Page 324: Ipv6 Acls

    Chapter 10 | Access Control Lists IPv6 ACLs Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny (319) IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
  • Page 325: Permit, Deny (Standard Ipv6 Acl)

    Chapter 10 | Access Control Lists IPv6 ACLs Default Setting None Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
  • Page 326 Chapter 10 | Access Control Lists IPv6 ACLs time-range-name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list. Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
  • Page 327 Chapter 10 | Access Control Lists IPv6 ACLs source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 328 Chapter 10 | Access Control Lists IPv6 ACLs 51 : Authentication (RFC 2402) 50 : Encapsulating Security Payload (RFC 2406) 60 : Destination Options (RFC 2460) Example This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8. Console(config-ext-ipv6-acl)#permit any 2009:db90:2229::79/8 Console(config-ext-ipv6-acl)# This allows packets to any destination address when the DSCP value is 5.
  • Page 329: Ipv6 Access-Group

    Chapter 10 | Access Control Lists IPv6 ACLs Related Commands access-list ipv6 (324) Time Range (145) ipv6 access-group This command binds an IPv6 ACL to a port. Use the no form to remove the port. Syntax ipv6 access-group acl-name in [time-range time-range-name] [counter] no ipv6 access-group acl-name in acl-name –...
  • Page 330: Show Ipv6 Access-Group

    Chapter 10 | Access Control Lists IPv6 ACLs This command shows the ports assigned to IPv6 ACLs. show ipv6 access-group Command Mode Privileged Exec Example Console#show ipv6 access-group Interface ethernet 1/2 IPv6 standard access-list david in Console# Related Commands ipv6 access-group (329) This command displays the rules for configured IPv6 ACLs.
  • Page 331: Mac Acls

    Chapter 10 | Access Control Lists MAC ACLs MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 332: Permit, Deny (Mac Acl)

    Chapter 10 | Access Control Lists MAC ACLs Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (332) mac access-group (334) show mac access-list (335) This command adds a rule to a MAC ACL. The rule filters packets matching a permit, deny (MAC ACL) specified MAC source or destination address (i.e., physical layer address), or...
  • Page 333 Chapter 10 | Access Control Lists MAC ACLs no {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype ethertype [ethertype-bitmask]] {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask] [time-range time-range-name]...
  • Page 334: Mac Access-Group

    Chapter 10 | Access Control Lists MAC ACLs time-range-name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode MAC ACL Command Usage New rules are added to the end of the list. ◆ The ethertype option can only be used to filter Ethernet II formatted ◆...
  • Page 335: Show Mac Access-Group

    Chapter 10 | Access Control Lists MAC ACLs time-range-name - Name of the time range. (Range: 1-32 characters) counter – Enables counter for ACL statistics. Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
  • Page 336: Arp Acls

    Chapter 10 | Access Control Lists ARP ACLs Command Mode Privileged Exec Example Console#show mac access-list MAC access-list jerry: permit any 00-e0-29-94-34-de ethertype 0800 Console# Related Commands permit, deny (332) mac access-group (334) ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages.
  • Page 337: Permit, Deny (Arp Acl)

    Chapter 10 | Access Control Lists ARP ACLs Command Usage When you create a new ACL or enter configuration mode for an existing ◆ ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. To remove a rule, use the no permit or no deny command followed by the ◆...
  • Page 338: Show Access-List Arp

    Chapter 10 | Access Control Lists ARP ACLs ip-address-bitmask – IPv4 number representing the address bits to match. source-mac – Source MAC address. destination-mac – Destination MAC address range with bitmask. mac-address-bitmask – Bitmask for MAC address (in hexadecimal format). log - Logs a packet when it matches the access control entry.
  • Page 339: Acl Information

    Chapter 10 | Access Control Lists ACL Information Related Commands permit, deny (337) ACL Information This section describes commands used to display ACL information. Table 67: ACL Information Commands Command Function Mode clear access-list Clears hit counter for rules in all ACLs, or in a specified ACL PE hardware counters show access-group Shows the ACLs assigned to each port...
  • Page 340: Show Access-Group

    Chapter 10 | Access Control Lists ACL Information This command shows the port assignments of ACLs. show access-group Command Mode Privileged Executive Example Console#show access-group Interface ethernet 1/2 IP access-list david MAC access-list jerry Console# This command shows all ACLs and associated rules. show access-list Syntax show access-list...
  • Page 341 Chapter 10 | Access Control Lists ACL Information permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.0 any destination-port 80 80 permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2 MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 IP extended access-list A6: deny tcp any any control-flag 2 2 permit any any Console#...
  • Page 342: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 68: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode capabilities Advertises the capabilities of a given interface for use in...
  • Page 343: Interface Configuration

    Chapter 11 | Interface Commands Table 68: Interface Commands (Continued) Command Function Mode transceiver-threshold Sets thresholds for the transceiver power level of the rx-power received signal which can be used to trigger an alarm or warning message transceiver-threshold Sets thresholds for the transceiver temperature which temperature can be used to trigger an alarm or warning message transceiver-threshold...
  • Page 344: Capabilities

    Chapter 11 | Interface Commands Default Setting None Command Mode Global Configuration Example To specify several different ports, enter the following command: Console(config)#interface ethernet 1/17-20,23 Console(config-if)# capabilities This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
  • Page 345: Description

    Chapter 11 | Interface Commands Example The following example configures Ethernet port 5 capabilities to include 100half and 100full. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (348) speed-duplex (349) flowcontrol (346) This command adds a description to an interface. Use the no form to remove description the description.
  • Page 346: Flowcontrol

    Chapter 11 | Interface Commands flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should...
  • Page 347: History

    Chapter 11 | Interface Commands This command configures a periodic sampling of statistics, specifying the history sampling interval and number of samples. Use the no form to remove a named entry from the sampling table. Syntax history name interval buckets no history name name - A symbolic name for this entry in the sampling table.
  • Page 348: Negotiation

    Chapter 11 | Interface Commands Command Usage Available sfp-forced modes include: Ports 49-52 (1000BASE SFP) support 1000sfp Example This forces the switch to use the 1000sfp mode for SFP port 28. Console(config)#interface ethernet 1/28 Console(config-if)#media-type sfp-forced 1000sfp Console(config-if)# This command enables auto-negotiation for a given interface. Use the no form negotiation to disable auto-negotiation.
  • Page 349: Shutdown

    Chapter 11 | Interface Commands Related Commands capabilities (344) speed-duplex (349) This command disables an interface. To restart a disabled interface, use the shutdown no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been...
  • Page 350: Clear Counters

    Chapter 11 | Interface Commands ◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 351: Show Interfaces Brief

    Chapter 11 | Interface Commands Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 352: Show Interfaces Counters

    Chapter 11 | Interface Commands This command displays interface statistics. show interfaces counters Syntax show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-24) Default Setting Shows the counters for all interfaces.
  • Page 353: Table 69: Show Interfaces Counters - Display Description

    Chapter 11 | Interface Commands 0 Oversize PKTS 0 Fragments 0 Jabbers 0 CRC Align Errors 0 Collisions 5271 Packet Size <= 64 Octets 3589 Packet Size 65 to 127 Octets 222 Packet Size 128 to 255 Octets 313 Packet Size 256 to 511 Octets 190 Packet Size 512 to 1023 Octets 444 Packet Size 1024 to 1518 Octets ===== Port Utilization =====...
  • Page 354 Chapter 11 | Interface Commands Table 69: show interfaces counters - display description (Continued) Parameter Description Broadcast Output The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent. Etherlike Statistics FCS Errors A count of frames received on a particular interface that are an...
  • Page 355: Show Interfaces History

    Chapter 11 | Interface Commands Table 69: show interfaces counters - display description (Continued) Parameter Description Oversize Packets The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed. Fragments The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had...
  • Page 356 Chapter 11 | Interface Commands name - Name of sample as defined in the history command. (Range: 1-32 characters) current - Statistics recorded in current interval. previous - Statistics recorded in previous intervals. index - An index into the buckets containing previous samples. (Range: 1-96) count - The number of historical samples to display.
  • Page 357: Show Interfaces Status

    Chapter 11 | Interface Commands Start Time Octets Output Unicast Multicast Broadcast ------------ ------ --------------- ------------- ------------- ------------ 00d 00:00:03 0.00 677855 Start Time Discards ------------ ------------- 00d 00:00:03 Console# This command displays the status for an interface. show interfaces status Syntax show interfaces status [interface] interface...
  • Page 358: Show Interfaces Switchport

    Chapter 11 | Interface Commands Current Status: Link Status : Up Port Operation Status : Up Operation Speed-duplex : 100full Up Time : 0w 0d 1h 11m 2s (4262 seconds) Flow Control Type : None Max Frame Size : 1518 bytes (1522 bytes for tagged frames) MAC Learning Status : Enabled Console#...
  • Page 359: Transceiver Threshold Configuration

    Chapter 11 | Interface Commands 802.1Q Tunnel TPID : 8100 (Hex) Console# Table 70: show interfaces switchport - display description Field Description Broadcast Shows if broadcast storm suppression is enabled or disabled; if enabled it Threshold also shows the threshold level (page 397).
  • Page 360: Transceiver-Threshold-Auto

    Chapter 11 | Interface Commands Example Console(config)interface ethernet 1/1 Console(config-if)#transceiver-monitor Console# transceiver-threshold-auto This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature. Syntax transceiver-threshold-auto Default Setting...
  • Page 361: Transceiver-Threshold Rx-Power

    Chapter 11 | Interface Commands Low Warning: 7 mA Low Alarm: 6 mA Command Mode Interface Configuration (SFP+ Ports) Command Usage ◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
  • Page 362: Transceiver-Threshold Temperature

    Chapter 11 | Interface Commands low-alarm – Sets the low power threshold for an alarm message. low-warning – Sets the low power threshold for a warning message. threshold-value – The power threshold of the received signal. (Range: -4000 - 820 in units of 0.01 dBm) Default Setting High Alarm: -3.00 dBm High Warning: -3.50 dBm...
  • Page 363: Transceiver-Threshold Tx-Power

    Chapter 11 | Interface Commands low-alarm – Sets the low temperature threshold for an alarm message. low-warning – Sets the low temperature threshold for a warning message. threshold-value – The threshold of the transceiver temperature. (Range: -12800 - 12800 in units of 0.01 Celsius) Default Setting High Alarm: 75.00 ...
  • Page 364: Transceiver-Threshold Voltage

    Chapter 11 | Interface Commands threshold-value – The power threshold of the transmitted signal. (Range: -4000 - 820 in units of 0.01 dBm) Default Setting High Alarm: -9.00 dBm High Warning: -9.50 dBm Low Warning: -11.50 dBm Low Alarm: -12.00 dBm Command Mode Interface Configuration (SFP+ Ports) Command Usage...
  • Page 365: Show Interfaces Transceiver

    Chapter 11 | Interface Commands threshold-value – The threshold of the transceiver voltage. (Range: 0-655 in units of 0.01 Volt) Default Setting High Alarm: 3.50 Volts High Warning: 3.45 Volts Low Warning: 3.15 Volts Low Alarm: 3.10 Volts Command Mode Interface Configuration (SFP+ Ports) Command Usage ◆...
  • Page 366: Show Interfaces Transceiver-Threshold

    Chapter 11 | Interface Commands Command Usage The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, and received optical power, and related alarm thresholds.
  • Page 367: Cable Diagnostics

    Chapter 11 | Interface Commands Command Mode Privileged Exec Command Usage The switch can display diagnostic information for SFP modules which ◆ support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and...
  • Page 368: Show Cable-Diagnostics

    Chapter 11 | Interface Commands Command Usage Cable diagnostics are performed using Digital Signal Processing (DSP) ◆ test method when the port link-up speed is 1 Gbps. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse.
  • Page 369: Power Savings

    Chapter 11 | Interface Commands ◆ Potential conditions which may be listed by the diagnostics are shown by the legend in the following example. Additional information is provided for the following test results. ■ OK: Correctly terminated pair ■ ON: Open pair, no link partner ■ IE (Impedance mismatch): Terminating impedance is not in the reference...
  • Page 370: Show Power-Save

    Chapter 11 | Interface Commands The power-saving methods provided by this switch include: ◆ Power saving when there is no link partner: ■ Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists.
  • Page 371 Chapter 11 | Interface Commands Command Mode Privileged Exec Example Console#show power-save interface ethernet 1/24 Power Saving Status: Ethernet 1/24 : Enabled Console#...
  • Page 372: Link Aggregation Commands

    Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 373: Manual Configuration Commands

    Chapter 12 | Link Aggregation Commands The ports at both ends of a connection must be configured as trunk ports. ◆ All ports in a trunk must be configured in an identical manner, including ◆ communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
  • Page 374 Chapter 12 | Link Aggregation Commands src-mac - Load balancing based on source MAC address. Default Setting src-dst-ip Command Mode Global Configuration Command Usage ◆ This command applies to all static and dynamic trunks on the switch. ◆ To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load- balance calculation to provide the best result for trunk connections: dst-ip: All traffic with the same destination IP address is output on the...
  • Page 375: Channel-Group

    Chapter 12 | Link Aggregation Commands This command adds a port to a trunk. Use the no form to remove a port from a channel-group trunk. Syntax channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-24) Default Setting The current port will be added to this trunk. Command Mode Interface Configuration (Ethernet) Command Usage...
  • Page 376 Chapter 12 | Link Aggregation Commands Command Usage The ports on both ends of an LACP trunk must be configured for full ◆ duplex, either by forced mode or auto-negotiation. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
  • Page 377: Lacp Admin-Key (Ethernet Interface)

    Chapter 12 | Link Aggregation Commands lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link.
  • Page 378: Lacp Port-Priority

    Chapter 12 | Link Aggregation Commands lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 379: Lacp System-Priority

    Chapter 12 | Link Aggregation Commands lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
  • Page 380: Lacp Admin-Key (Port Channel)

    Chapter 12 | Link Aggregation Commands This command configures a port channel's LACP administration key string. lacp admin-key Use the no form to restore the default setting. (Port Channel) Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 381: Trunk Status Display Commands

    Chapter 12 | Link Aggregation Commands Default Setting long Command Mode Interface Configuration (Port Channel) Command Usage The timeout configured by this command is set in the LACP timeout bit of ◆ the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second.
  • Page 382: Table 72: Show Lacp Counters - Display Description

    Chapter 12 | Link Aggregation Commands Default Setting Port Channel: all Command Mode Privileged Exec Example Console#show lacp 1 counters Port Channel: 1 Member Port : Eth 1/24 LACPDU Sent LACPDU Received MarkerPDU Sent MarkerPDU Received MarkerResponsePDU Sent MarkerResponsePDU Received : 0 Unknown Packet Received Illegal Packet Received Table 72: show lacp counters - display description...
  • Page 383: Table 73: Show Lacp Internal - Display Description

    Chapter 12 | Link Aggregation Commands Table 73: show lacp internal - display description Field Description Admin Key Current administrative value of the key for the aggregation port. Oper Key Current operational value of the key for the aggregation port. Timeout Time to wait for the next LACPDU before deleting partner port information.
  • Page 384: Table 74: Show Lacp Neighbors - Display Description

    Chapter 12 | Link Aggregation Commands Table 74: show lacp neighbors - display description Field Description Partner Admin LAG partner’s system ID assigned by the user. System ID Partner Oper LAG partner’s system ID assigned by the LACP protocol. System ID Partner Admin Current administrative value of the port number for the protocol Partner.
  • Page 385: Show Port-Channel Load-Balance

    Chapter 12 | Link Aggregation Commands This command shows the load-distribution method used on aggregated links. show port-channel load-balance Command Mode Privileged Exec Example Console#show port-channel load-balance Trunk Load Balance Mode: Destination IP address Console#...
  • Page 386: Port Mirroring Commands

    Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 76: Port Mirroring Commands Command Function...
  • Page 387: Show Port Monitor

    Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands Default Setting No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and ◆ transmitted packets. Command Mode Interface Configuration (Ethernet, destination port) Command Usage You can mirror traffic from any source port to a destination port for real- ◆...
  • Page 388: Rspan Mirroring Commands

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). Example The following shows mirroring configured from port 6 to port 5: Console(config)#interface ethernet 1/5 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end...
  • Page 389 Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
  • Page 390: Rspan Source

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Use this command to specify the source port and traffic type to be mirrored rspan source remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
  • Page 391: Rspan Destination

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Example The following example configures the switch to mirror received packets from port 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# Use this command to specify the destination port to monitor the mirrored rspan destination traffic.
  • Page 392: Rspan Remote Vlan

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands The source port and destination port cannot be configured on the same ◆ switch. ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2...
  • Page 393: No Rspan Session

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Command Mode Global Configuration Command Usage Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as ◆ an RSPAN uplink port – access ports are not allowed (see switchport mode).
  • Page 394: Show Rspan

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Three sessions are allowed, including both local and remote mirroring, using different VLANs for RSPAN sessions.
  • Page 395: Congestion Control Commands

    Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 396: Storm Control Commands

    Chapter 14 | Congestion Control Commands Storm Control Commands output – Output rate for specified interface rate – Maximum value in kbps. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports; 64 - 10,000,000 kbits per second for 10 Gigabit Ethernet ports) The resolution at which the rate can be configured is 16 kbits/sec.
  • Page 397 Chapter 14 | Congestion Control Commands Storm Control Commands This command configures broadcast, multicast and unknown unicast storm switchport control. Use the no form to restore the default setting. packet-rate Syntax switchport {broadcast | multicast | unknown-unicast} packet- rate rate no switchport {broadcast | multicast | unknown-unicast} broadcast - Specifies storm control for broadcast traffic.
  • Page 398: Loopback Detection Commands

    Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back. Table 82: Loopback Detection Commands Command Function...
  • Page 399: Loopback-Detection

    Chapter 15 | Loopback Detection Commands This command enables loopback detection globally on the switch or on a loopback-detection specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Enabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
  • Page 400: Loopback-Detection Recover-Time

    Chapter 15 | Loopback Detection Commands Command Usage When a port receives a control frame sent by itself, this means that the ◆ port is in looped state, and the VLAN in the frame payload is also in looped state with the wrong VLAN tag. The looped port is therefore shut down. Use the loopback-detection recover-time command to set the time to wait...
  • Page 401: Loopback-Detection Transmit-Interval

    Chapter 15 | Loopback Detection Commands Example Console(config)#loopback-detection recover-time 120 Console(config-if)# This command specifies the interval at which to transmit loopback detection loopback-detection control frames. Use the no form to restore the default setting. transmit-interval Syntax loopback-detection transmit-interval seconds no loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
  • Page 402: Loopback-Detection Release

    Chapter 15 | Loopback Detection Commands Command Mode Global Configuration Command Usage Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery. Example Console(config)#loopback-detection trap both Console(config)# This command releases all interfaces currently shut down by the loopback loopback-detection detection feature.
  • Page 403 Chapter 15 | Loopback Detection Commands Action : Shutdown Trap : None Loopback Detection Port Information Port Admin State Oper State -------- ----------- ---------- Eth 1/ 1 Enabled Normal Eth 1/ 2 Disabled Disabled Eth 1/ 3 Disabled Disabled Console#show loopback-detection ethernet 1/1 Loopback Detection Information of Eth 1/1 Admin State : Enabled Oper State...
  • Page 404: Address Table Commands

    Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 83: Address Table Commands Command Function Mode mac-address-table Sets the aging time of the address table aging-time mac-address-table Maps a static address to a port in a VLAN...
  • Page 405: Mac-Address-Table Static

    Chapter 16 | Address Table Commands Example Console(config)#mac-address-table aging-time 100 Console(config)# This command maps a static address to a destination port in a VLAN. Use the mac-address-table no form to remove an address. static Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address.
  • Page 406: Clear Collision-Mac-Address-Table

    Chapter 16 | Address Table Commands Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# This command removes all entries from the collision MAC address table. clear collision-mac- address-table Default Setting None Command Mode Privileged Exec Example Console#clear collision-mac-address-table Console# This command removes any learned entries from the forwarding database.
  • Page 407: Show Mac-Address-Table

    Chapter 16 | Address Table Commands Example Console#show collision-mac-address-table MAC Address VLAN Collision Count ----------------- ----- ---------------- 90-e6-ba-cb-cd-d6 Total collision mac number: 1 Console# This command shows classes of entries in the bridge-forwarding database. show mac-address- table Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] mac-address - MAC address.
  • Page 408: Show Mac-Address-Table Aging-Time

    Chapter 16 | Address Table Commands ◆ The maximum number of address entries is 16K. Example Console#show mac-address-table Interface MAC Address VLAN Type Life Time --------- ----------------- ---- -------- ----------------- 00-E0-00-00-00-01 1 CPU Delete on Reset Eth 1/ 1 00-E0-0C-10-90-09 1 Learn Delete on Timeout Eth 1/ 1 00-E0-29-94-34-64...
  • Page 409 Chapter 16 | Address Table Commands Example Console#show mac-address-table count interface ethernet 1/1 MAC Entries for Eth 1/1 Total Address Count Static Address Count Dynamic Address Count Console#show mac-address-table count Compute the number of MAC Address... Maximum number of MAC Address which can be created in the system: Total Number of MAC Address : 16384 Number of Static MAC Address...
  • Page 410: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 84: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree Configures spanning tree operation to be compatible cisco-prestandard...
  • Page 411: Spanning-Tree

    Chapter 17 | Spanning Tree Commands Table 84: Spanning Tree Commands (Continued) Command Function Mode spanning-tree loopback- Configures the response for loopback detection to block detection action user traffic or shut down the interface spanning-tree loopback- Configures loopback release mode for a port detection release-mode spanning-tree Enables BPDU loopback SNMP trap notification for a...
  • Page 412: Spanning-Tree Cisco-Prestandard

    Chapter 17 | Spanning Tree Commands routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 413: Spanning-Tree Forward-Time

    Chapter 17 | Spanning Tree Commands spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
  • Page 414: Spanning-Tree Max-Age

    Chapter 17 | Spanning Tree Commands Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (413) spanning-tree max-age (414) This command configures the spanning tree bridge maximum age globally for spanning-tree this switch.
  • Page 415: Spanning-Tree Mode

    Chapter 17 | Spanning Tree Commands spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode stp - Spanning Tree Protocol (IEEE 802.1D) rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) mstp - Multiple Spanning Tree (IEEE 802.1s) Default Setting...
  • Page 416: Spanning-Tree Mst Configuration

    Chapter 17 | Spanning Tree Commands ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# This command changes to Multiple Spanning Tree (MST) configuration mode.
  • Page 417: Spanning-Tree Priority

    Chapter 17 | Spanning Tree Commands Command Mode Global Configuration Command Usage ◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 425) takes precedence over port priority...
  • Page 418: Spanning-Tree System-Bpdu-Flooding

    Chapter 17 | Spanning Tree Commands spanning-tree system-bpdu-flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
  • Page 419: Spanning-Tree Transmission-Limit

    Chapter 17 | Spanning Tree Commands Default Setting All ports and trunks belong to a common group. Command Mode Global Configuration Command Usage A port can only belong to one group. When an interface is added to a group, it is removed from the default group.
  • Page 420: Max-Hops

    Chapter 17 | Spanning Tree Commands max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode...
  • Page 421: Mst Vlan

    Chapter 17 | Spanning Tree Commands Command Usage ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 422: Name

    Chapter 17 | Spanning Tree Commands same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located.
  • Page 423: Spanning-Tree Bpdu-Filter

    Chapter 17 | Spanning Tree Commands Command Mode MST Configuration Command Usage The MST region name (page 422) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 424: Spanning-Tree Bpdu-Guard

    Chapter 17 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree bpdu-filter Console(config-if)# Related Commands spanning-tree edge-port (426) spanning-tree bpdu-guard This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
  • Page 425: Spanning-Tree Cost

    Chapter 17 | Spanning Tree Commands Related Commands spanning-tree edge-port (426) spanning-tree spanning-disabled (434) spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port.
  • Page 426: Spanning-Tree Edge-Port

    Chapter 17 | Spanning Tree Commands Command Usage ◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
  • Page 427: Spanning-Tree Link-Type

    Chapter 17 | Spanning Tree Commands ◆ When edge port is set as auto, the operational state is determined automatically by the Bridge Detection State Machine described in 802.1D-2004, where the edge port state may change dynamically based on environment changes (e.g., receiving a BPDU or not within the required interval).
  • Page 428: Spanning-Tree Loopback-Detection

    Chapter 17 | Spanning Tree Commands spanning-tree loopback-detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. Syntax [no] spanning-tree loopback-detection Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage If Port Loopback Detection is not enabled and a port receives its own...
  • Page 429: Spanning-Tree Loopback-Detection Release-Mode

    Chapter 17 | Spanning Tree Commands command, the selected interface will be automatically enabled when the shutdown interval has expired. ◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
  • Page 430: Spanning-Tree Loopback-Detection Trap

    Chapter 17 | Spanning Tree Commands ◆ When configured for manual release mode, a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual Console(config-if)#...
  • Page 431: Spanning-Tree Mst Port-Priority

    Chapter 17 | Spanning Tree Commands Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 432: Spanning-Tree Port-Bpdu-Flooding

    Chapter 17 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 433: Spanning-Tree Port-Priority

    Chapter 17 | Spanning Tree Commands spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 434: Spanning-Tree Spanning-Disabled

    Chapter 17 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time. ◆...
  • Page 435: Spanning-Tree Tc-Prop-Stop

    Chapter 17 | Spanning Tree Commands Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree tc-prop-stop This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages. Syntax [no] spanning-tree tc-prop-stop...
  • Page 436: Spanning-Tree Protocol-Migration

    Chapter 17 | Spanning Tree Commands Command Mode Privileged Exec Command Usage Use this command to release an interface from discarding state if loopback detection release mode is set to “manual” by the spanning-tree loopback-detection release-mode command and BPDU loopback occurs. Example Console#spanning-tree loopback-detection release ethernet 1/1 Console#...
  • Page 437: Show Spanning-Tree

    Chapter 17 | Spanning Tree Commands show spanning-tree This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance-id | brief | stp-enabled-only] interface...
  • Page 438 Chapter 17 | Spanning Tree Commands Example Console#show spanning-tree Spanning Tree Information --------------------------------------------------------------- Spanning Tree Mode : MSTP Spanning Tree Enabled/Disabled : Enabled Instance VLANs Configured : 1-4094 Priority : 32768 Bridge Hello Time (sec.) Bridge Max. Age (sec.) : 20 Bridge Forward Delay (sec.) : 15 Root Hello Time (sec.)
  • Page 439: Show Spanning-Tree Mst Configuration

    Chapter 17 | Spanning Tree Commands This example shows a brief summary of global and interface setting for the spanning tree. Console#show spanning-tree brief Spanning Tree Mode : RSTP Spanning Tree Enabled/Disabled : Enabled Designated Root : 32768.0000E8944000 Current Root Port (Eth) : 1/24 Current Root Cost : 10000...
  • Page 440 Chapter 17 | Spanning Tree Commands Example Console#show spanning-tree tc-prop group 1 Group 1 Eth 1/ 1, Eth 1/ 2, Eth 1/ 3, Eth 1/ 4, Eth 1/ 5 Console#
  • Page 441: Vlan Commands

    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 442: Vlan Database

    Chapter 18 | VLAN Commands Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete...
  • Page 443: Configuring Vlan Interfaces

    Chapter 18 | VLAN Commands Configuring VLAN Interfaces state - Keyword to be followed by the VLAN state. active - VLAN is operational. suspend - VLAN is suspended. Suspended VLANs do not pass packets. rspan - Keyword to create a VLAN used for mirroring traffic from remote switches.
  • Page 444: Interface Vlan

    Chapter 18 | VLAN Commands Configuring VLAN Interfaces Table 89: Commands for Configuring VLAN Interfaces (Continued) Command Function Mode switchport allowed vlan Configures the VLANs associated with an interface switchport ingress-filtering Enables ingress filtering on an interface switchport mode Configures VLAN membership mode for an interface switchport native vlan Configures the PVID (native VLAN) of an interface switchport priority default...
  • Page 445: Switchport Acceptable-Frame-Types

    Chapter 18 | VLAN Commands Configuring VLAN Interfaces switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
  • Page 446 Chapter 18 | VLAN Commands Configuring VLAN Interfaces add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained. remove vlan-list - List of VLAN identifiers to remove. Default Setting All ports are assigned to VLAN 1 by default.
  • Page 447: Switchport Ingress-Filtering

    Chapter 18 | VLAN Commands Configuring VLAN Interfaces Syntax [no] switchport ingress-filtering Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Ingress filtering only affects tagged frames. ◆ If ingress filtering is disabled and a port receives frames tagged for VLANs...
  • Page 448: Switchport Native Vlan

    Chapter 18 | VLAN Commands Configuring VLAN Interfaces Default Setting Hybrid mode, with the PVID set to VLAN 1. Command Mode Interface Configuration (Ethernet, Port Channel) Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid...
  • Page 449: Displaying Vlan Information

    Chapter 18 | VLAN Commands Displaying VLAN Information Console(config)#interface ethernet 1/1 Console(config-if)#switchport native vlan 3 Console(config-if)# Displaying VLAN Information This section describes commands used to display VLAN information. Table 90: Commands for Displaying VLAN Information Command Function Mode show interfaces status Displays status for the specified VLAN interface NE, PE vlan...
  • Page 450: Configuring Ieee 802.1Q Tunneling

    Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Eth1/26(S) Console# Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
  • Page 451: Dot1Q-Tunnel System-Tunnel-Control

    Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan). Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
  • Page 452: Switchport Dot1Q-Tunnel Mode

    Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Related Commands show dot1q-tunnel (456) show interfaces switchport (358) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode...
  • Page 453: Switchport Dot1Q-Tunnel Priority Map

    Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel priority map This command copies the inner tag priority to the outer tag priority. Use the no form to disable this feature. Syntax [no] switchport dot1q-tunnel priority map Default Setting Disabled Command Mode...
  • Page 454 Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling ◆ When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
  • Page 455: Switchport Dot1Q-Tunnel Tpid

    Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Console(config)#interface ethernet 1/2 Console(config-if)#switchport allowed vlan add 100,200,300 tagged Console(config-if)#switchport dot1q-tunnel mode uplink Configures port 1 as an untagged member of VLANs 100, 200 and 300 using access mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 100,200,300 untagged Console(config-if)#switchport dot1q-tunnel mode access Configure the following selective QinQ mapping entries.
  • Page 456: Show Dot1Q-Tunnel

    Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Default Setting 0x8100 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
  • Page 457: Configuring Protocol-Based Vlans

    Chapter 18 | VLAN Commands Configuring Protocol-based VLANs Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel 802.1Q Tunnel Status : Enabled Port Mode TPID (hex) -------- ------ ---------- Eth 1/ 1 Access 8100 Eth 1/ 2 Uplink...
  • Page 458: Protocol-Vlan Protocol-Group (Configuring Groups)

    Chapter 18 | VLAN Commands Configuring Protocol-based VLANs Table 92: Protocol-based VLAN Commands Command Function Mode protocol-vlan Create a protocol group, specifying the supported protocol-group protocols (Configuring Groups) protocol-vlan protocol- Maps a protocol group to a VLAN group (Configuring Interfaces) show protocol-vlan Shows the configuration of protocol groups protocol-group...
  • Page 459: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    Chapter 18 | VLAN Commands Configuring Protocol-based VLANs Command Mode Global Configuration Example The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types: Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp Console(config)# This command maps a protocol group to a VLAN for the current interface.
  • Page 460: Show Protocol-Vlan Protocol-Group

    Chapter 18 | VLAN Commands Configuring Protocol-based VLANs ■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. ■ If the frame is untagged and the protocol type matches, the frame is...
  • Page 461: Show Interfaces Protocol-Vlan Protocol-Group

    Chapter 18 | VLAN Commands Configuring MAC Based VLANs show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.
  • Page 462: Mac-Vlan

    Chapter 18 | VLAN Commands Configuring MAC Based VLANs Table 93: MAC Based VLAN Commands Command Function Mode mac-vlan Defines the IP Subnet VLANs show mac-vlan Displays IP Subnet VLAN settings mac-vlan This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
  • Page 463: Show Mac-Vlan

    Chapter 18 | VLAN Commands Configuring Voice VLANs 001...). A mask for the MAC address: 00-50-6e-00-5f-b1 translated into binary: MAC: 00000000-01010000-01101110-00000000-01011111-10110001 could be: 11111111-11xxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx So the mask in hexadecimal for this example could be: ff-fx-xx-xx-xx-xx/ff-c0-00-00-00-00/ff-e0-00-00-00-00 Example The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
  • Page 464: Voice Vlan

    Chapter 18 | VLAN Commands Configuring Voice VLANs Table 94: Voice VLAN Commands Command Function Mode voice vlan Defines the Voice VLAN ID voice vlan aging Configures the aging time for Voice VLAN ports voice vlan mac-address Configures VoIP device MAC addresses switchport voice vlan Sets the Voice VLAN port mode switchport voice vlan...
  • Page 465: Voice Vlan Aging

    Chapter 18 | VLAN Commands Configuring Voice VLANs ◆ The Voice VLAN ID cannot be modified when the global auto-detection status is enabled (see the switchport voice vlan command). Example The following example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234.
  • Page 466: Voice Vlan Mac-Address

    Chapter 18 | VLAN Commands Configuring Voice VLANs Example The following example configures the Voice VLAN aging time as 3000 minutes. Console(config)#voice vlan aging 3000 Console(config)# This command specifies MAC address ranges to add to the OUI Telephony voice vlan list.
  • Page 467: Switchport Voice Vlan

    Chapter 18 | VLAN Commands Configuring Voice VLANs Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone Console(config)# switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan...
  • Page 468: Switchport Voice Vlan Priority

    Chapter 18 | VLAN Commands Configuring Voice VLANs switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value.
  • Page 469: Switchport Voice Vlan Security

    Chapter 18 | VLAN Commands Configuring Voice VLANs address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. ◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on.
  • Page 470 Chapter 18 | VLAN Commands Configuring Voice VLANs Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings. Default Setting None Command Mode Privileged Exec Command Usage When the switchport voice vlan command is set to auto mode, the remaining...
  • Page 471: Class Of Service Commands

    Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 472: Queue Mode

    Chapter 19 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
  • Page 473: Queue Weight

    Chapter 19 | Class of Service Commands Priority Commands (Layer 2) which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value. ◆ Service time is shared at the egress ports by defining scheduling weights...
  • Page 474: Switchport Priority Default

    Chapter 19 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7. Console(config)#interface ethernet 1/1 Console(config-if)#queue weight 1 2 3 4 5 6 7 8 Console(config-if)# Related Commands queue mode (472)
  • Page 475: Show Queue Mode

    Chapter 19 | Class of Service Commands Priority Commands (Layer 2) output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#...
  • Page 476: Qos Map Cos-Queue

    Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 97: Priority Commands (Layer 3 and 4) Command Function Mode...
  • Page 477: Table 98: Default Mapping Of Cos/Cfi Values To Queue/Cfi

    Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Default Setting Table 98: Default Mapping of CoS/CFI Values to Queue/CFI CoS (0-7)/CFI(0-1) (2,0) (2,0) (0,0) (0,0) (1,0) (1,0) (3,0) (3,0) (4,0) (4,0) (5,0) (5,0) (6,0) (6,0) (7,0) (7,0) Command Mode...
  • Page 478: Qos Map Dscp-Queue

    Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map dscp-queue This command maps DSCP values in incoming packets to per-hop behavior for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-queue dscp-queue from dscp0 ...
  • Page 479: Qos Map Trust-Mode

    Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Example This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3. Console(config)#interface ethernet 1/2 Console(config-if)#qos map dscp-queue 3 from 1 Console(config-if)# This command sets QoS mapping to DSCP or CoS.
  • Page 480: Show Qos Map Cos-Queue

    Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Example This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section. Console(config)#interface 1/1 Console(config-if)#qos map trust-mode cos Console(config-if)# This command shows the ingress CoS to egress queue map.
  • Page 481: Show Qos Map Trust-Mode

    Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Command Usage This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4. Example The ingress DSCP is composed of ingress-dscp10 (most significant digit in the left column) and ingress-dscp1 (least significant digit in the top row (in other...
  • Page 482 Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4)
  • Page 483: Quality Of Service Commands

    Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 484: Class-Map

    Chapter 20 | Quality of Service Commands CoS value. Note that a class map can include match settings for both IP values and a VLAN. Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode.
  • Page 485: Description

    Chapter 20 | Quality of Service Commands Example This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd-class Console(config-cmap)#match cos 3 Console(config-cmap)# Related Commands show class-map (491) description This command specifies the description of a class map or policy map. Syntax description string...
  • Page 486: Rename

    Chapter 20 | Quality of Service Commands Default Setting None Command Mode Class Map Configuration Command Usage ◆ First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map.
  • Page 487: Policy-Map

    Chapter 20 | Quality of Service Commands Syntax rename map-name map-name - Name of the class map or policy map. (Range: 1-32 characters) Command Mode Class Map Configuration Policy Map Configuration Example Console(config)#class-map rd-class#1 Console(config-cmap)#rename rd-class#9 Console(config-cmap)# policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode.
  • Page 488: Class

    Chapter 20 | Quality of Service Commands Console(config-pmap-c)#set cos 0 Console(config-pmap-c)# class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map. Syntax [no] class class-map-name class-map-name - Name of the class map.
  • Page 489: Police Rate

    Chapter 20 | Quality of Service Commands police rate This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer. Syntax [no] police rate committed-rate committed-rate - Committed information rate in kilobits per second. (Range: 16-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) Default Setting...
  • Page 490 Chapter 20 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police rate command to limit the average bandwidth to 100,000 Kbps.
  • Page 491: Service-Policy

    Chapter 20 | Quality of Service Commands service-policy - This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy input policy-map-name input - Apply to the input traffic.
  • Page 492: Show Policy-Map

    Chapter 20 | Quality of Service Commands Description: Match ip dscp 10 Match access-list rd-access Match ip dscp 0 Class Map match-any rd-class#2 Match ip precedence 5 Class Map match-any rd-class#3 Match vlan 1 Console# show policy-map - This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations.
  • Page 493: Show Policy-Map Interface

    Chapter 20 | Quality of Service Commands show policy-map interface - This command displays the service policy assigned to the specified interface. Syntax show policy-map interface [interface input] interface unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) Command Mode Privileged Exec Example...
  • Page 494: Multicast Filtering Commands

    Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 495 Chapter 21 | Multicast Filtering Commands IGMP Snooping Table 102: IGMP Snooping Commands (Continued) Command Function Mode ip igmp snooping tcn-flood Floods multicast traffic when a Spanning Tree topology change occurs ip igmp snooping Sends an IGMP Query Solicitation when a Spanning tcn-query-solicit Tree topology change occurs ip igmp snooping...
  • Page 496: Ip Igmp Snooping

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping - This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it. Syntax [no] ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Disabled...
  • Page 497: Ip Igmp Snooping Proxy-Reporting

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Command Usage This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency. Example Console(config)#ip igmp snooping priority 6 Console(config)#...
  • Page 498: Ip Igmp Snooping Querier

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping querier - This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Disabled Command Mode Global Configuration Command Usage IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp...
  • Page 499: Ip Igmp Snooping Router-Port-Expire-Time

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Also, when the switch is acting in the role of a multicast host (such as when using proxy routing), it should ignore version 2 or 3 queries that do not contain the Router Alert option. Example Console(config)#ip igmp snooping router-alert-option-check Console(config)#...
  • Page 500 Chapter 21 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.
  • Page 501: Ip Igmp Snooping Tcn-Query-Solicit

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping tcn-query-solicit - This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature. Syntax [no] ip igmp snooping tcn-query-solicit Default Setting...
  • Page 502: Ip Igmp Snooping Unsolicited-Report-Interval

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Command Usage Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.
  • Page 503: Ip Igmp Snooping Version

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping version - This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4094) 1 - IGMP Version 1 2 - IGMP Version 2...
  • Page 504: Ip Igmp Snooping Vlan General-Query-Suppression

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Default Setting Global: Disabled VLAN: Disabled Command Mode Global Configuration Command Usage ◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
  • Page 505: Ip Igmp Snooping Vlan Immediate-Leave

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan immediate-leave - This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id immediate-leave [by-host-ip] no ip igmp snooping vlan vlan-id immediate-leave...
  • Page 506: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan last-memb-query-count - This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
  • Page 507: Ip Igmp Snooping Vlan Mrd

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.
  • Page 508: Ip Igmp Snooping Vlan Proxy-Address

    Chapter 21 | Multicast Filtering Commands IGMP Snooping procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message. When the multicast services provided to a VLAN are relatively stable, the use of solicitation messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
  • Page 509: Ip Igmp Snooping Vlan Query-Interval

    Chapter 21 | Multicast Filtering Commands IGMP Snooping To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command. Rules Used for Proxy Reporting When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
  • Page 510: Ip Igmp Snooping Vlan Query-Resp-Intvl

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
  • Page 511: Ip Igmp Snooping Vlan Static

    Chapter 21 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan static - This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface vlan-id - VLAN ID (Range: 1-4094) ip-address - IP address for multicast group interface...
  • Page 512: Clear Ip Igmp Snooping Statistics

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Example Console#clear ip igmp snooping groups dynamic Console# clear ip igmp snooping statistics - This command clears IGMP snooping statistics. Syntax clear ip igmp snooping statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.
  • Page 513: Show Ip Igmp Snooping Group

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Router Alert Check : Disabled Router Port Mode : Forward TCN Flood : Disabled TCN Query Solicit : Disabled Unregistered Data Flood : Disabled Unsolicited Report Interval : 400 s Version Exclusive : Disabled Version Proxy Reporting...
  • Page 514: Show Ip Igmp Snooping Mrouter

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1. Console#show ip igmp snooping group vlan 1 Bridge Multicast Forwarding Entry Count:1 Flag: R - Router port, M - Group member port H - Host counts (number of hosts join the group on this port).
  • Page 515: Show Ip Igmp Snooping Statistics

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Eth 1/4 Dynamic 0:4:28 Eth 1/10 Static Console# show ip igmp snooping statistics - This command shows IGMP snooping protocol statistics for the specified interface. Syntax show ip igmp snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id]} interface...
  • Page 516: Table 104: Show Ip Igmp Snooping Statistics Output - Display Description

    Chapter 21 | Multicast Filtering Commands IGMP Snooping Table 103: show ip igmp snooping statistics input - display description Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages received on this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
  • Page 517: Table 105: Show Ip Igmp Snooping Statistics Vlan Query - Display Description

    Chapter 21 | Multicast Filtering Commands IGMP Snooping The following shows IGMP query-related statistics for VLAN 1: Console#show ip igmp snooping statistics query vlan 1 Other Querier : None Other Querier Expire : 0(m):0(s) Other Querier Uptime : 0(h):0(m):0(s) Self Querier : 192.168.2.12 Self Querier Expire : 0(m):0(s)
  • Page 518: Static Multicast Routing

    Chapter 21 | Multicast Filtering Commands Static Multicast Routing Static Multicast Routing This section describes commands used to configure static multicast routing on the switch. Table 106: Static Multicast Interface Commands Command Function Mode ip igmp snooping vlan Adds a multicast router port mrouter show ip igmp snooping Shows multicast router ports...
  • Page 519: Igmp Filtering And Throttling

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling Example The following shows how to configure port 10 as a multicast router port within VLAN 1. Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10 Console(config)# IGMP Filtering and Throttling In certain switch applications, the administrator may want to control the multicast services that are available to end users.
  • Page 520: Ip Igmp Profile

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp filter (Global Configuration) - This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration...
  • Page 521: Permit, Deny

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling profile can be assigned to one interface. Each profile has only one access mode; either permit or deny. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)# permit, deny - This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
  • Page 522: Ip Igmp Filter (Interface Configuration)

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)#...
  • Page 523: Ip Igmp Max-Groups

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp max-groups - This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 524: Ip Igmp Query-Drop

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 525: Show Ip Igmp Filter

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).
  • Page 526: Show Ip Igmp Profile

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling show ip igmp profile - This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode...
  • Page 527: Show Ip Igmp Throttle Interface

    Chapter 21 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console#show ip igmp query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ip igmp throttle interface - This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 528: Show Ip Multicast-Data-Drop

    Chapter 21 | Multicast Filtering Commands MLD Snooping show ip multicast-data-drop - This command shows if the specified interface is configured to drop multicast data packets. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.
  • Page 529: Ipv6 Mld Snooping

    Chapter 21 | Multicast Filtering Commands MLD Snooping Table 108: MLD Snooping Commands Command Function Mode ipv6 mld snooping Enables MLD Snooping globally ipv6 mld snooping Enables MLD Snooping with Proxy Reporting proxy-reporting ipv6 mld snooping querier Allows the switch to act as the querier for MLD snooping ipv6 mld snooping Configures the interval between sending MLD general...
  • Page 530: Ipv6 Mld Snooping Proxy-Reporting

    Chapter 21 | Multicast Filtering Commands MLD Snooping Default Setting Disabled Command Mode Global Configuration Example The following example enables MLD Snooping: Console(config)#ipv6 mld snooping Console(config)# ipv6 mld snooping proxy-reporting - This command enables MLD Snooping with Proxy Reporting. Use the no form to restore the default setting.
  • Page 531: Ipv6 Mld Snooping Query-Interval

    Chapter 21 | Multicast Filtering Commands MLD Snooping Command Mode Global Configuration Command Usage ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. ◆ An IPv6 address must be configured on the VLAN interface from which the querier will act if elected.
  • Page 532: Ipv6 Mld Snooping Query-Max-Response-Time

    Chapter 21 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping query-max-response-time - This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default. Syntax ipv6 mld snooping query-max-response-time seconds no ipv6 mld snooping query-max-response-time seconds - The maximum response time allowed for MLD general queries.
  • Page 533: Ipv6 Mld Snooping Router-Port-Expire-Time

    Chapter 21 | Multicast Filtering Commands MLD Snooping Example Console(config)#ipv6 mld snooping robustness 2 Console(config)# ipv6 mld snooping router-port-expire-time - This command configures the MLD query timeout. Use the no form to restore the default. Syntax ipv6 mld snooping router-port-expire-time time no ipv6 mld snooping router-port-expire-time time - Specifies the timeout of a dynamically learned router port.
  • Page 534: Ipv6 Mld Snooping Unsolicited-Report-Interval

    Chapter 21 | Multicast Filtering Commands MLD Snooping Command Mode Global Configuration Command Usage ◆ When set to “flood,” any received IPv6 multicast packets that have not been requested by a host are flooded to all ports in the VLAN. ◆...
  • Page 535: Ipv6 Mld Snooping Version

    Chapter 21 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping version - This command configures the MLD snooping version. Use the no form to restore the default. Syntax ipv6 mld snooping version {1 | 2} 1 - MLD version 1. 2 - MLD version 2.
  • Page 536 Chapter 21 | Multicast Filtering Commands MLD Snooping Console(config)#ipv6 mld snooping immediate-leave Console(config)# ipv6 mld snooping vlan mrouter - This command statically configures an IPv6 multicast router port. Use the no form to remove the configuration. Syntax [no] ipv6 mld snooping vlan vlan-id mrouter interface vlan-id - VLAN ID (Range: 1-4094) interface ethernet unit/port...
  • Page 537: Clear Ipv6 Mld Snooping Groups Dynamic

    Chapter 21 | Multicast Filtering Commands MLD Snooping ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X) interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-24) Default Setting None Command Mode Global Configuration...
  • Page 538: Show Ipv6 Mld Snooping

    Chapter 21 | Multicast Filtering Commands MLD Snooping interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-24) vlan vlan-id - VLAN identifier (Range: 1-4094) Command Mode Privileged Exec Example Console#clear ipv6 mld snooping statistics Console# This command shows the current MLD Snooping configuration.
  • Page 539: Show Ipv6 Mld Snooping Group

    Chapter 21 | Multicast Filtering Commands MLD Snooping Console#show ipv6 mld snooping vlan VLAN 1 Immediate Leave : Disabled Unknown Flood Behavior : To Router Port Console# show ipv6 mld snooping group - This command shows known multicast groups, member ports, and the means by which each group was learned.
  • Page 540: Show Ipv6 Mld Snooping Mrouter

    Chapter 21 | Multicast Filtering Commands MLD Snooping Example The following shows MLD Snooping group mapping information: Console#show ipv6 mld snooping group source-list VLAN ID Mutlicast IPv6 Address : FF02::01:01:01:01 Member Port : Eth 1/1 MLD Snooping : Multicast Data Filter Mode : Include (if exclude filter mode)
  • Page 541: Show Ipv6 Mld Snooping Statistics

    Chapter 21 | Multicast Filtering Commands MLD Snooping show ipv6 mld snooping statistics - This command shows MLD snooping protocol statistics for the specified interface. Syntax show ipv6 mld snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id] | summary interface interface} interface ethernet unit/port...
  • Page 542: Table 110: Show Ipv6 Mld Snooping Statistics Output - Display Description

    Chapter 21 | Multicast Filtering Commands MLD Snooping Table 109: show ipv6 MLD snooping statistics input - display description Field Description Join Succ The number of times a multicast group was successfully joined. Group The number of MLD groups active on this interface. The following shows MLD snooping output-related message statistics: Console#show ipv6 mld snooping statistics output interface ethernet 1/1 Output Statistics:...
  • Page 543: Table 111: Show Ipv6 Mld Snooping Statistics Query - Display Description

    Chapter 21 | Multicast Filtering Commands MLD Snooping Table 111: show ipv6 MLD snooping statistics query - display description Field Description Other Querier Address IP address of remote querier on this interface. Other Querier Expire Time after which remote querier is assumed to have expired. Other Querier Uptime Time remote querier has been up.
  • Page 544: Table 112: Show Ipv6 Mld Snooping Statistics Summary - Display Description

    Chapter 21 | Multicast Filtering Commands MLD Snooping Table 112: show ipv6 MLD snooping statistics summary - display description Field Description Number of Groups Number of active MLD groups active on the specified interface. Physical Interface (Port/Trunk) Querier: Transmit The number of general queries sent from this interface. General The number of group specific queries sent from this interface.
  • Page 545: Mld Filtering And Throttling

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling Table 112: show ipv6 MLD snooping statistics summary - display description Field Description Report & Leave: Host Addr - The link-local or global IPv6 address that is assigned on that VLAN. Unsolicit Expire - The number of group leaves resulting from timeouts instead of explicit leave messages....
  • Page 546: Ipv6 Mld Profile

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld filter (Global Configuration) - This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ipv6 mld filter Default Setting Disabled Command Mode Global Configuration...
  • Page 547: Permit, Deny

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface.
  • Page 548: Ipv6 Mld Filter (Interface Configuration)

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling Syntax [no] range low-ipv6-address [high-ipv6-address] low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range. high-ipv6-address - A valid IPv6 address (X:X:X:X::X) for the end of a multicast group range.
  • Page 549: Ipv6 Mld Max-Groups

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld filter 19 Console(config-if)# ipv6 mld max-groups - This command configures the maximum number of MLD groups that an interface can join. Use the no form to restore the default setting. Syntax ipv6 mld max-groups number no ipv6 mld max-groups...
  • Page 550: Ipv6 Mld Max-Groups Action

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld max-groups action - This command sets the MLD throttling action for an interface on the switch. Syntax ipv6 mld max-groups action {deny | replace} deny - The new multicast group join report is dropped. replace - The new multicast group replaces an existing group.
  • Page 551: Show Ipv6 Mld Filter

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld query-drop Console(config-if)# show ipv6 mld filter - This command displays the global and interface settings for MLD filtering. Syntax show ipv6 mld filter [interface interface] interface ethernet unit/port unit - Unit identifier.
  • Page 552: Show Ipv6 Mld Query-Drop

    Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling Example Console#show ipv6 mld profile MLD Profile 19 MLD Profile 50 Console#show ipv6 mld profile 19 Profile 19 Deny Range ff01::101 ff01::faa Console# show ipv6 mld query-drop - This command shows if the specified interface is configured to drop MLD query packets.
  • Page 553 Chapter 21 | Multicast Filtering Commands MLD Filtering and Throttling interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-24) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces.
  • Page 554: Lldp Commands

    LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 555 Chapter 22 | LLDP Commands Table 114: LLDP Commands (Continued) Command Function Mode lldp basic-tlv Configures an LLDP-enabled port to advertise its system-capabilities system capabilities lldp basic-tlv Configures an LLDP-enabled port to advertise system-description the system description lldp basic-tlv Configures an LLDP-enabled port to advertise its system-name system name lldp dot1-tlv proto-ident...
  • Page 556: Lldp

    Chapter 22 | LLDP Commands This command enables LLDP globally on the switch. Use the no form to lldp disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# This command configures the time-to-live (TTL) value sent in LLDP lldp advertisements.
  • Page 557: Lldp Med-Fast-Start-Count

    Chapter 22 | LLDP Commands lldp med-fast-start-count - This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count packets - Amount of packets.
  • Page 558: Lldp Refresh-Interval

    Chapter 22 | LLDP Commands ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 559: Lldp Tx-Delay

    Chapter 22 | LLDP Commands Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay - This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 560: Lldp Admin-Status

    Chapter 22 | LLDP Commands lldp admin-status - This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs.
  • Page 561: Lldp Basic-Tlv Port-Description

    Chapter 22 | LLDP Commands ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this...
  • Page 562: Lldp Basic-Tlv System-Capabilities

    Chapter 22 | LLDP Commands lldp basic-tlv system-capabilities - This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-capabilities Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.
  • Page 563: Lldp Basic-Tlv System-Name

    Chapter 22 | LLDP Commands lldp basic-tlv system-name - This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-name Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on...
  • Page 564: Lldp Dot1-Tlv Proto-Vid

    Chapter 22 | LLDP Commands lldp dot1-tlv proto-vid - This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-vid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the port-based protocol VLANs configured on this interface (see...
  • Page 565: Lldp Dot1-Tlv Vlan-Name

    Chapter 22 | LLDP Commands lldp dot1-tlv vlan-name - This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv vlan-name Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the name of all VLANs to which this interface has been assigned.
  • Page 566: Lldp Dot3-Tlv Mac-Phy

    Chapter 22 | LLDP Commands lldp dot3-tlv mac-phy - This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv mac-phy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises MAC/PHY configuration/status which includes...
  • Page 567: Lldp Med-Location Civic-Addr

    Chapter 22 | LLDP Commands lldp med-location civic-addr - This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. Syntax lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code –...
  • Page 568: Lldp Med-Notification

    Chapter 22 | LLDP Commands Table 115: LLDP MED Location CA Types (Continued) CA Type Description CA Value Example Group of streets below the neighborhood level Exchange Street suffix or type Avenue House number House number suffix Landmark or vanity address Tech Center Unit (apartment, suite) Apt 519...
  • Page 569: Lldp Med-Tlv Inventory

    Chapter 22 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  • Page 570: Lldp Med-Tlv Location

    Chapter 22 | LLDP Commands lldp med-tlv location: This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv location Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details.
  • Page 571: Lldp Med-Tlv Network-Policy

    Chapter 22 | LLDP Commands lldp med-tlv network-policy: This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
  • Page 572: Show Lldp Config

    Chapter 22 | LLDP Commands ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 573: Show Lldp Info Local-Device

    Chapter 22 | LLDP Commands Console#show lldp config detail ethernet 1/1 LLDP Port Configuration Detail Port : Eth 1/1 Admin Status : Tx-Rx Notification Enabled : True Basic TLVs Advertised : port-description system-name system-description system-capabilities management-ip-address 802.1 specific TLVs Advertised : port-vid vlan-name proto-vlan proto-ident...
  • Page 574: Show Lldp Info Remote-Device

    Console#show lldp info local-device LLDP Local Global Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : SC30010 System Capabilities Support : Bridge System Capabilities Enabled : Bridge Management Address : 192.168.0.101 (IPv4) LLDP Port Information Port...
  • Page 575 : 70-72-CF-91-1C-B4 Time To Live : 120 seconds Port Description : Ethernet Port on unit 1, port 2 System Description : SC30010 System Capabilities : Bridge Enabled Capabilities : Bridge Management Address : 192.168.0.4 (IPv4) Port VLAN ID : 1...
  • Page 576: Show Lldp Info Statistics

    Chapter 22 | LLDP Commands The following example shows the information displayed for an end-node device that advertises LLDP-MED TLVs. LLDP-MED Capability : Device Class : Network Connectivity Supported Capabilities : LLDP-MED Capabilities Network Policy Location Identification Extended Power via MDI - PSE Inventory Current Capabilities : LLDP-MED Capabilities...
  • Page 577 Chapter 22 | LLDP Commands Example Console#show lldp info statistics LLDP Global Statistics Neighbor Entries List Last Updated : 485 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count LLDP Port Statistics Port NumFramesRecvd NumFramesSent NumFramesDiscarded -------- -------------- ------------- ------------------...
  • Page 578: Domain Name Service Commands

    Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server...
  • Page 579 Chapter 23 | Domain Name Service Commands DNS Commands formatted with dotted notation). Use the no form to remove a name from this list. Syntax [no] ip domain-list name name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
  • Page 580: Ip Domain-Lookup

    Chapter 23 | Domain Name Service Commands DNS Commands ip domain-lookup: This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting Disabled Command Mode Global Configuration Command Usage At least one name server must be specified before DNS can be enabled. ◆...
  • Page 581: Ip Domain-Name

    Chapter 23 | Domain Name Service Commands DNS Commands ip domain-name: This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 582: Ip Name-Server

    Chapter 23 | Domain Name Service Commands DNS Commands Command Mode Global Configuration Command Usage Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries. Example This example maps an IPv4 address to a host name. Console(config)#ip host rd5 192.168.1.55 Console(config)#end Console#show hosts...
  • Page 583: Ipv6 Host

    Chapter 23 | Domain Name Service Commands DNS Commands Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (581) ip domain-lookup (580) ipv6 host: This command creates a static entry in the DNS table that maps a host name to an IPv6 address.
  • Page 584: Clear Dns Cache

    Chapter 23 | Domain Name Service Commands DNS Commands clear dns cache: This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache Flag Type IP Address Host ------- ------- ------- --------------- ------- -------- Console# This command deletes dynamic entries from the DNS table.
  • Page 585: Show Dns

    Chapter 23 | Domain Name Service Commands DNS Commands show dns: This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55...
  • Page 586: Show Hosts

    Chapter 23 | Domain Name Service Commands Multicast DNS Commands show hosts: This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  • Page 587: Show Ip Mdns

    Chapter 23 | Domain Name Service Commands Multicast DNS Commands Command Mode Global Configuration Command Usage Use this command to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. For more information on this command refer to the Web Management Guide.
  • Page 588: Dhcp Commands

    DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
  • Page 589: Dhcp For Ipv4

    Chapter 24 | DHCP Commands DHCP Client DHCP for IPv4 ip dhcp dynamic-provision: This command enables dynamic provisioning via DHCP. Use the no form to disable this feature. Syntax [no] ip dhcp dynamic-provision Default Setting Disabled Command Mode Global Configuration Command Usage DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.
  • Page 590: Ip Dhcp Client Class-Id

    | DHCP Commands DHCP Client Define the conditions in class section:

    class "OPT66_67" { # for option 66/67
      # option 124
      match if option vendor-class-identifier = "SignaMax";
      # option 55
      option dhcp-parameter-request-list 1,66,67;
      # option 66
      option tftp-server-name "192.168.1.1";
      # option 67
      option bootfile-name "dhcp_config.cfg";...
  • Page 591: Table 121: Options 60, 66 And 67 Statements

    Chapter 24 | DHCP Commands DHCP Client ◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return. ◆...
  • Page 592: Ip Dhcp Restart Client

    Chapter 24 | DHCP Commands DHCP Client Related Commands ip dhcp restart client (592) ip dhcp restart client: This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the address command.
  • Page 593: Dhcp For Ipv6

    Chapter 24 | DHCP Commands DHCP Client Example Console#show ip dhcp dynamic provisioning Dynamic Provision via DHCP Status: Disabled Console# DHCP for IPv6 ipv6 dhcp client rapid-commit vlan: This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface.
  • Page 594: Ipv6 Dhcp Restart Client Vlan

    Chapter 24 | DHCP Commands DHCP Client ipv6 dhcp restart client vlan: This command submits a DHCPv6 client request. Syntax ipv6 dhcp restart client vlan vlan-id vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
  • Page 595: Show Ipv6 Dhcp Duid

    Chapter 24 | DHCP Commands DHCP Client based on their advertised preference value. If the client needs to acquire prefixes from servers, only servers that have advertised prefixes are considered. ◆ If the rapid commit option has been enabled on the switch using the ipv6 dhcp client rapid-commit vlan command, and on the DHCPv6 server,...
  • Page 596: Dhcp Relay

    Chapter 24 | DHCP Commands DHCP Relay Command Usage Each allocation in the DHCPv6 server is identified by a DUID and an IAID. IAID means Interface Association Identifier, and is a binding between the interface and one or more IP addresses. Command Mode Privileged Exec Example...
  • Page 597: Ip Dhcp Restart Relay

    Chapter 24 | DHCP Commands DHCP Relay Command Mode Interface Configuration (VLAN) Usage Guidelines ◆ DHCP relay service applies to DHCP client requests received on the specified VLAN. ◆ This command is used to configure DHCP relay for host devices attached to the switch.
  • Page 598 Address is 00-00-E8-93-82-A0 Index: 1001, MTU: 1500 Address Mode is DHCP IP Address: 10.1.0.254 Mask: 255.255.255.0 Proxy ARP is disabled DHCP Relay Server: DHCP Client Vendor Class ID (text): SC30010 Console# Related Commands ip dhcp relay server (596)...
  • Page 599: Ip Interface Commands

    IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 600: Ip Address

    Chapter 25 | IP Interface Commands IPv4 Interface Basic IPv4 This section describes commands used to configure IP addresses for VLAN Configuration interfaces on the switch. Table 126: Basic IP Configuration Commands Command Function Mode ip address Sets the IP address for the current interface ip default-gateway Defines the default gateway through which this switch can reach other subnetworks...
  • Page 601 Chapter 25 | IP Interface Commands IPv4 Interface Command Usage ◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server.
  • Page 602: Ip Default-Gateway

    Chapter 25 | IP Interface Commands IPv4 Interface Related Commands ip dhcp restart client (592) ip default-gateway (602) ipv6 address (612) ip default-gateway: This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway...
  • Page 603: Show Ip Default-Gateway

    VLAN 1 is Administrative Up - Link Up Address is 00-E0-00-00-00-01 Index: 1001, MTU: 1500 Address Mode is DHCP IP Address: 192.168.0.2 Mask: 255.255.255.0 DHCP Client Vendor Class ID (text): SC30010 Console# Related Commands ip address (600) show ipv6 interface (620)
  • Page 604: Show Ip Traffic

    Chapter 25 | IP Interface Commands IPv4 Interface show ip traffic: This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols. Command Mode Privileged Exec Example Console#show ip traffic IP Statistics: IP received 7845 total received header errors unknown protocols address errors discards...
  • Page 605: Traceroute

    Chapter 25 | IP Interface Commands IPv4 Interface input errors 9897 output Console# traceroute: This command shows the route packets take to the specified destination. Syntax traceroute host host - IP address or alias of the host. Default Setting None Command Mode Privileged Exec Command Usage...
  • Page 606: Ping

    Chapter 25 | IP Interface Commands IPv4 Interface Example Console#traceroute 192.168.0.1 Press "ESC" to abort. Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds Hop Packet 1 Packet 2 Packet 3 IP Address --- -------- -------- -------- --------------- 20 ms <10 ms <10 ms 192.168.0.99 Trace completed.
  • Page 607: Arp Configuration

    Chapter 25 | IP Interface Commands IPv4 Interface ◆ When pinging a host name, be sure the DNS server has been defined (page 582) and host name-to-address translation enabled (page 580). If necessary, local devices can also be specified in the DNS static host table (page 581).
  • Page 608: Ip Proxy-Arp

    Chapter 25 | IP Interface Commands IPv4 Interface Command Mode Global Configuration Command Usage ◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router. ◆...
  • Page 609: Clear Arp-Cache

    Chapter 25 | IP Interface Commands IPv4 Interface ◆ Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables. Example Console(config)#interface vlan 3 Console(config-if)#ip proxy-arp Console(config-if)# clear arp-cache: This command deletes all dynamic entries from the Address Resolution...
  • Page 610: Ipv6 Interface

    Chapter 25 | IP Interface Commands IPv6 Interface Example This example displays all entries in the ARP cache. Console#show arp ARP Cache Timeout: 1200 (seconds) IP Address MAC Address Type Interface --------------- ----------------- --------- ----------- 10.1.0.0 FF-FF-FF-FF-FF-FF other VLAN1 10.1.0.254 00-00-AB-CD-00-00 other VLAN1 10.1.0.255...
  • Page 611: Interface Address Configuration And Utilities

    Chapter 25 | IP Interface Commands IPv6 Interface Table 128: IPv6 Configuration Commands (Continued) Command Function Mode traceroute6 Shows the route packets take to the specified host Neighbor Discovery ipv6 nd dad attempts Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection ipv6 nd ns-interval Configures the interval between IPv6 neighbor...
  • Page 612: Ipv6 Address

    Chapter 25 | IP Interface Commands IPv6 Interface ◆ An IPv6 default gateway should be defined if the destination has been assigned an IPv6 address that is located in a different IP segment. ◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
  • Page 613: Ipv6 Address Autoconfig

    Chapter 25 | IP Interface Commands IPv6 Interface ◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.) If a duplicate address is detected, a warning message is sent to the...
  • Page 614 Chapter 25 | IP Interface Commands IPv6 Interface Default Setting No IPv6 addresses are defined Command Mode Interface Configuration (VLAN) Command Usage ◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface.
  • Page 615: Ipv6 Address Eui-64

    Chapter 25 | IP Interface Commands IPv6 Interface Related Commands ipv6 address (612) show ipv6 interface (620) ipv6 address eui-64: This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface.
  • Page 616 Chapter 25 | IP Interface Commands IPv6 Interface EUI-64 specification is designed for devices that use an extended 8-byte MAC address. For devices that still use a 6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
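The MAC-to-EUI-64 conversion described on page 616, worked through in both directions as an added example (not code from the SignaMax manual). The reverse mapping is useful when correlating IPv6 neighbor entries with MAC address tables; the MAC 00-E0-0C-00-00-FD is not on the page but is derived here from the manual's example address FE80::2E0:CFF:FE00:FD, and all function names are assumptions.

```python
import ipaddress

# fe80::/64, the link-local prefix the manual says is combined with the
# modified EUI-64 interface ID.
LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")


def mac_to_interface_id(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface ID from a 6-byte MAC.

    Steps from the manual: invert the universal/local bit (0x02 in the
    first octet) and insert FFFE between the upper and lower three bytes.
    """
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError(f"expected a 6-byte (EUI-48) MAC address, got {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Return the link-local address an EUI-64 host would derive from mac."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + mac_to_interface_id(mac))


def address_to_mac(address: str):
    """Recover the MAC embedded in an EUI-64 based IPv6 address.

    Accepts the forms the switch prints (optional %scope and /prefix).
    Returns None when the interface ID lacks the FFFE marker, i.e. it was
    not built from a 6-byte MAC. A random interface ID can contain FFFE by
    chance, so treat a hit as a strong hint, not proof.
    """
    bare = address.split("/")[0].split("%")[0]
    iid = ipaddress.IPv6Address(bare).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)


if __name__ == "__main__":
    # MAC shown in the manual's "show ip interface" output for VLAN 1.
    print(mac_to_link_local("00-E0-00-00-00-01"))
    # Link-local address quoted in the manual's "ipv6 enable" example text.
    print(address_to_mac("FE80::2E0:CFF:FE00:FD/64"))
    # Address from the manual's "show ipv6 interface" output: no FFFE marker.
    print(address_to_mac("fe80::269:3ef9:fe19:6779%1/64"))
```

Because the interface ID embeds the hardware address, an EUI-64 based address identifies the device on any network it joins, which is worth weighing when choosing between EUI-64 and manually assigned interface IDs for management interfaces.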
  • Page 617: Ipv6 Address Link-Local

    Chapter 25 | IP Interface Commands IPv6 Interface ipv6 address link-local: This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
  • Page 618: Ipv6 Enable

    Chapter 25 | IP Interface Commands IPv6 Interface ff02::1:ff00:72 ff02::1:ff83:3466 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console#...
  • Page 619: Ipv6 Mtu

    Chapter 25 | IP Interface Commands IPv6 Interface Example In this example, IPv6 is enabled on VLAN 1, and the link-local address FE80::2E0:CFF:FE00:FD/64 is automatically generated by the switch. Console(config)#interface vlan 1 Console(config-if)#ipv6 enable Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled Link-local address: fe80::269:3ef9:fe19:6779%1/64...
  • Page 620: Show Ipv6 Default-Gateway

    Chapter 25 | IP Interface Commands IPv6 Interface ◆ The maximum value set by this command cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes. ◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
  • Page 621: Table 129: Show Ipv6 Interface - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface ipv6-prefix - The IPv6 network portion of the address assigned to the interface. The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 622 Chapter 25 | IP Interface Commands IPv6 Interface Table 129: show ipv6 interface - display description (Continued) Field Description Joined group In addition to the unicast addresses assigned to an interface, a node is address(es) required to join the all-nodes multicast addresses FF01::1 and FF02::1 for all IPv6 nodes within scope 1 (interface-local) and scope 2 (link-local), respectively.
  • Page 623: Show Ipv6 Mtu

    Chapter 25 | IP Interface Commands IPv6 Interface show ipv6 mtu: This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch. Command Mode Normal Exec, Privileged Exec Example The following example shows the MTU cache for this device: Console#show ipv6 mtu...
  • Page 624 Chapter 25 | IP Interface Commands IPv6 Interface reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams 6 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages...
  • Page 625: Table 131: Show Ipv6 Traffic - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface Table 131: show ipv6 traffic - display description Field Description IPv6 Statistics IPv6 received total received The total number of input datagrams received by the interface, including those received in error. header errors The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
  • Page 626 Chapter 25 | IP Interface Commands IPv6 Interface Table 131: show ipv6 traffic - display description (Continued) Field Description IPv6 sent forwards datagrams The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
  • Page 627 Chapter 25 | IP Interface Commands IPv6 Interface Table 131: show ipv6 traffic - display description (Continued) Field Description router advertisement The number of ICMP Router Advertisement messages received by messages the interface. neighbor solicit messages The number of ICMP Neighbor Solicit messages received by the interface.
  • Page 628: Clear Ipv6 Traffic

    Chapter 25 | IP Interface Commands IPv6 Interface Table 131: show ipv6 traffic - display description (Continued) Field Description multicast listener The number of MLDv2 reports sent by the interface. discovery version 2 reports UDP Statistics input The total number of UDP datagrams delivered to UDP users. no port errors The total number of received UDP datagrams for which there was no application at the destination port.
  • Page 629: Traceroute6

    Chapter 25 | IP Interface Commands IPv6 Interface size - Number of bytes in a packet. (Range: 0-1500 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information. Default Setting count: 5 size: 32 bytes Command Mode...
  • Page 630 Chapter 25 | IP Interface Commands IPv6 Interface ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
  • Page 631: Neighbor Discovery

    Chapter 25 | IP Interface Commands IPv6 Interface Trace completed. Console# Neighbor Discovery ipv6 nd dad attempts: This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting. Syntax ipv6 nd dad attempts count no ipv6 nd dad attempts...
  • Page 632: Ipv6 Nd Ns-Interval

    Chapter 25 | IP Interface Commands IPv6 Interface commands associated with a duplicate address remain configured while the address is in “duplicate” state. ◆ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.
  • Page 633 Chapter 25 | IP Interface Commands IPv6 Interface Default Setting 1000 milliseconds is used for neighbor discovery operations 0 milliseconds is advertised in router advertisements Command Mode Interface Configuration (VLAN) Command Usage ◆ When a non-default value is configured, the specified interval is used both...
  • Page 634: Ipv6 Nd Reachable-Time

    Chapter 25 | IP Interface Commands IPv6 Interface ipv6 nd reachable-time: This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time...
  • Page 635: Clear Ipv6 Neighbors

    Chapter 25 | IP Interface Commands IPv6 Interface clear ipv6 neighbors: This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example The following deletes all dynamic entries in the IPv6 neighbor cache: Console#clear ipv6 neighbors Console# This command displays information in the IPv6 neighbor discovery cache.
  • Page 636: Table 132: Show Ipv6 Neighbors - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface Table 132: show ipv6 neighbors - display description Field Description IPv6 Address IPv6 address of neighbor The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.” Link-layer Addr Physical layer MAC address.
  • Page 637: Ip Routing Commands

    IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
  • Page 638: Show Ip Route

    Chapter 26 | IP Routing Commands Global Routing Configuration dynamic route is less than that configured for the static route. Note that the default administrative distance used by the dynamic unicast routing protocol is 120 for RIP. (Range: 1-255, Default: 1) * –...
  • Page 639 Chapter 26 | IP Routing Commands Global Routing Configuration changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or, Routing Information Base), which holds all routing information received from routing peers.
  • Page 640 Chapter 26 | IP Routing Commands Global Routing Configuration IP routing table maximum-paths is 1 Connected Total Console#...
  • Page 641: Section III Appendices

    Section III Appendices This section provides additional information and includes these items: ◆ "Troubleshooting" on page 642 ◆ "License Information" on page 644...
  • Page 642: Problems Accessing The Management Interface

    Troubleshooting Problems Accessing the Management Interface Table 162: Troubleshooting Chart Symptom Action Cannot connect using ◆ Be sure the switch is powered up. Telnet, or SNMP software ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable.
  • Page 643: Using System Logs

    Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 644: B License Information

    License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 645 Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 646 Appendix B | License Information The GNU General Public License Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
  • Page 647 Appendix B | License Information The GNU General Public License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 648: Glossary

    Glossary Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 649 Glossary information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients. A technique used to enhance network security by snooping on DHCP server DHCP Snooping messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
  • Page 650 Glossary Generic Attribute Registration Protocol. GARP is a protocol that can be used GARP by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations.
  • Page 651 Glossary Port Authentication controls access to the switch ports by requiring users to IEEE 802.1X first enter a user ID and password for authentication. Defines frame extensions for VLAN tagging. IEEE 802.3ac Defines Ethernet frame start/stop requests and timers used for flow control IEEE 802.3x on full-duplex links.
  • Page 652 Glossary Link Aggregation Control Protocol. Allows ports to automatically negotiate LACP a trunked link with LACP-configured ports on another device. Data Link layer in the ISO 7-Layer Data Communications Protocol. This is Layer 2 related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.
  • Page 653 Glossary Multicast VLAN Registration is a method of using a single network-wide multicast VLAN to transmit common services, such as television channels or video-on-demand, across a service-provider’s network. MVR simplifies the configuration of multicast services by using a common VLAN for distribution, while still preserving security and data isolation for subscribers residing in both the MVR VLAN and other standard groups.
  • Page 654 Glossary RADIUS: Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network. Routing Information Protocol seeks to find the shortest route to another device by minimizing the distance-vector, or hop count, which serves as a rough estimate of transmission cost.
  • Page 655 Glossary TCP/IP: Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Telnet: Defines a remote communication facility for interfacing to a terminal device over TCP/IP. TFTP: Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.
  • Page 656: Commands

    Commands aaa accounting commands cluster ip-pool aaa accounting dot1x cluster member aaa accounting exec configure aaa accounting update copy aaa authorization commands databits aaa authorization exec delete aaa group server delete public-key absolute description access-list arp description access-list ip access-list ipv6 disable access-list mac...
  • Page 657 List of Commands ip arp inspection filter ip igmp snooping vlan mrd ip arp inspection limit ip igmp snooping vlan mrouter ip arp inspection log-buffer logs ip igmp snooping vlan proxy-address ip arp inspection trust ip igmp snooping vlan query-interval ip arp inspection validate ip igmp snooping vlan query-resp-intvl ip arp inspection vlan...
  • Page 658 List of Commands ipv6 nd reachable-time mac-authentication reauth-time jumbo frame mac-learning lacp mac-vlan lacp admin-key (Ethernet Interface) management lacp admin-key (Port Channel) match lacp port-priority max-hops lacp system-priority media-type lacp timeout memory line mst priority lldp mst vlan lldp admin-status name lldp basic-tlv management-ip-address negotiation...
  • Page 659 List of Commands quit show ip arp inspection configuration radius-server acct-port show ip arp inspection interface radius-server auth-port show ip arp inspection log radius-server host show ip arp inspection statistics radius-server key show ip arp inspection vlan radius-server retransmit show ip default-gateway radius-server timeout show ip dhcp dynamic-provision range...
  • Page 660 List of Commands show mac-address-table aging-time show watchdog show mac-address-table count show web-auth show mac-vlan show web-auth interface show management show web-auth summary show memory shutdown show network-access silent-time show network-access mac-address-table snmp-server show network-access mac-filter snmp-server community show nlm oper-status snmp-server contact show ntp snmp-server enable port-traps link-up-down...
  • Page 661 List of Commands switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid switchport ingress-filtering switchport mode switchport native vlan switchport packet-rate switchport priority default switchport voice vlan switchport voice vlan priority switchport voice vlan rule switchport voice vlan security tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit...
  • Page 671 E122017/KS-R01...
