How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Related documentation:
◆ Quick Start Guide
◆ Safety and Regulatory Information

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.

Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Contents

Section I Getting Started

1 Initial Switch Configuration: Connecting to the Switch; Configuration Options; Connecting to the Console Port; Logging Onto the Command Line Interface; Setting Passwords; Remote Connections; Configuring the Switch for Remote Management; Using the Network Interface; Setting an IP Address; Enabling SNMP Management Access ...

Section II Command Line Interface

2 Using the Command Line Interface: Accessing the CLI; Console Connection; Telnet Connection; Entering Commands; Keywords and Arguments; Minimum Abbreviation; Command Completion; Getting Help on Commands; Partial Keyword Lookup; Negating the Effect of Commands; Using Command History; Understanding Command Modes; Exec Commands; Configuration Commands ...

Device Designation: hostname. System Status: show access-list tcam-utilization; show license file; show memory; show process cpu; show process cpu guard; show process cpu task; show running-config; show startup-config; show system; show tech-support; show users; show version; show watchdog; watchdog software. Fan Control: fan-speed force-full. Frame Size ...

ip tftp timeout; show ip tftp. Line: line; databits; exec-timeout; login; parity; password; password-thresh; silent-time; speed; stopbits; timeout login response; disconnect; terminal; show line. Event Logging: logging command; logging facility; logging history; logging host; logging on; logging trap; clear log; show log; show logging. SMTP Alerts ...

SNTP Commands: sntp client; sntp poll; sntp server; show sntp. NTP Commands: ntp authenticate; ntp authentication-key; ntp client; ntp server; show ntp. Manual Configuration Commands: clock summer-time (date); clock summer-time (predefined); clock summer-time (recurring); clock timezone; calendar set; show calendar. Time Range: time-range; absolute ...

General SNMP Commands: snmp-server; snmp-server community; snmp-server contact; snmp-server location; show snmp. SNMP Target Host Commands: snmp-server enable traps; snmp-server host; snmp-server enable port-traps link-up-down; snmp-server enable port-traps mac-notification; show snmp-server enable port-traps. SNMPv3 Commands: snmp-server engine-id; snmp-server group; snmp-server user; snmp-server view; show snmp engine-id ...

rmon collection rmon1; show rmon alarms; show rmon events; show rmon history; show rmon statistics. 7 Flow Sampling Commands: sflow owner; sflow polling instance; sflow sampling instance; show sflow. 8 Authentication Commands. User Accounts and Privilege Levels: enable password; username; privilege; show privilege ...

aaa accounting commands; aaa accounting dot1x; aaa accounting exec; aaa accounting update; aaa authorization commands; aaa authorization exec; aaa group server; server; accounting dot1x; accounting commands; accounting exec; authorization commands; authorization exec; show accounting; show authorization. Web Server: ip http authentication; ip http port; ip http server; ip http secure-port ...

ip ssh crypto zeroize; ip ssh save host-key; show ip ssh; show public-key; show ssh. 802.1X Port Authentication. General Commands: dot1x default; dot1x system-auth-control. Authenticator Commands: dot1x intrusion-action; dot1x max-reauth-req; dot1x max-req; dot1x operation-mode; dot1x port-control; dot1x re-authentication; dot1x timeout quiet-period; dot1x timeout re-authperiod; dot1x timeout supp-timeout; dot1x timeout tx-period ...

ip dhcp snooping vlan; ip dhcp snooping information option circuit-id; ip dhcp snooping trust; ip dhcp snooping max-number; ip dhcp snooping trust; clear ip dhcp snooping binding; clear ip dhcp snooping database flash; ip dhcp snooping database flash; show ip dhcp snooping; show ip dhcp snooping binding. IPv4 Source Guard: ip source-guard binding ...

dos-protection tcp-null-scan; dos-protection tcp-syn-fin-scan; dos-protection tcp-xmas-scan; dos-protection udp-flooding; dos-protection win-nuke; show dos-protection. Port-based Traffic Segmentation: traffic-segmentation; traffic-segmentation session; traffic-segmentation uplink/downlink; traffic-segmentation uplink-to-uplink; show traffic-segmentation. 10 Access Control Lists. IPv4 ACLs: access-list ip; permit, deny (Standard IP ACL); permit, deny (Extended IPv4 ACL); ip access-group; show ip access-group; show ip access-list ...

access-list arp; permit, deny (ARP ACL); show access-list arp. ACL Information: clear access-list hardware counters; show access-group; show access-list. 11 Interface Commands. Interface Configuration: interface; capabilities; description; flowcontrol; history; media-type; negotiation; shutdown; speed-duplex; clear counters; show interfaces brief; show interfaces counters; show interfaces history; show interfaces status; show interfaces switchport ...

Cable Diagnostics: test cable-diagnostics; show cable-diagnostics. Power Savings: power-save; show power-save. 12 Link Aggregation Commands. Manual Configuration Commands: port channel load-balance; channel-group. Dynamic Configuration Commands: lacp; lacp admin-key (Ethernet Interface); lacp port-priority; lacp system-priority; lacp admin-key (Port Channel); lacp timeout. Trunk Status Display Commands: show lacp; show port-channel load-balance ...

Storm Control Commands: switchport packet-rate. 15 Loopback Detection Commands: loopback-detection; loopback-detection action; loopback-detection recover-time; loopback-detection transmit-interval; loopback-detection trap; loopback-detection release; show loopback-detection. 16 Address Table Commands: mac-address-table aging-time; mac-address-table static; clear collision-mac-address-table; clear mac-address-table dynamic; show collision-mac-address-table; show mac-address-table; show mac-address-table aging-time; show mac-address-table count. 17 Spanning Tree Commands ...

switchport mode; switchport native vlan. Displaying VLAN Information: show vlan. Configuring IEEE 802.1Q Tunneling: dot1q-tunnel system-tunnel-control; switchport dot1q-tunnel mode; switchport dot1q-tunnel priority map; switchport dot1q-tunnel service match cvid; switchport dot1q-tunnel tpid; show dot1q-tunnel. Configuring Protocol-based VLANs: protocol-vlan protocol-group (Configuring Groups); protocol-vlan protocol-group (Configuring Interfaces); show protocol-vlan protocol-group; show interfaces protocol-vlan protocol-group ...

show queue weight. Priority Commands (Layer 3 and 4): qos map cos-queue; qos map dscp-queue; qos map trust-mode; show qos map cos-queue; show qos map dscp-queue; show qos map trust-mode. 20 Quality of Service Commands: class-map; description; match; rename; policy-map; class; police rate ...

ip igmp snooping version-exclusive; ip igmp snooping vlan general-query-suppression; ip igmp snooping vlan immediate-leave; ip igmp snooping vlan last-memb-query-count; ip igmp snooping vlan last-memb-query-intvl; ip igmp snooping vlan mrd; ip igmp snooping vlan proxy-address; ip igmp snooping vlan query-interval; ip igmp snooping vlan query-resp-intvl; ip igmp snooping vlan static; clear ip igmp snooping groups dynamic ...

ip domain-name; ip host; ip name-server; ipv6 host; clear dns cache; clear host; show dns; show dns cache; show hosts. Multicast DNS Commands: ip mdns; show ip mdns. 24 DHCP Commands. DHCP Client. DHCP for IPv4: ip dhcp dynamic-provision; ip dhcp client class-id; ip dhcp restart client; show ip dhcp dynamic-provision ...

show ip traffic; traceroute; ping. ARP Configuration: ip proxy-arp; clear arp-cache; show arp. IPv6 Interface. Interface Address Configuration and Utilities: ipv6 default-gateway; ipv6 address; ipv6 address autoconfig; ipv6 address eui-64; ipv6 address link-local; ipv6 enable; ipv6 mtu; show ipv6 default-gateway; show ipv6 interface; show ipv6 mtu; show ipv6 traffic ...

show ip route.

Appendices

A Troubleshooting: Problems Accessing the Management Interface; Using System Logs. B License Information: The GNU General Public License. Glossary. Commands. Index.
Section I Getting Started

This section describes how to configure the switch for management access through the web interface or SNMP.

This section includes these chapters:
◆ "Initial Switch Configuration" on page 35

Initial Switch Configuration

This chapter includes information on connecting to the switch and basic configuration procedures.

Connecting to the Switch

This switch series includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
Chapter 1 | Initial Switch Configuration

◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.1Q VLANs
◆ Enable GVRP automatic VLAN registration
...

When using HyperTerminal, select Terminal keys, not Windows keys.

■ Power on the switch. After the system completes the boot cycle, the logon screen appears.

Logging Onto the Command Line Interface

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).

Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

* This manual covers the SC30010 Gigabit Ethernet switch. Other than the difference in port types, there are no significant differences.

Remote Connections

Prior to accessing the switch's onboard agent via a network connection, you ...
Configuring the Switch for Remote Management

Using the Network Interface

The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging.

Assigning an IPv4 Address

Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
...
To configure an IPv6 link-local address for the switch, complete the following steps:

1. From the Global Configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press <Enter>.
2. Type "ipv6 address" ...

To generate an IPv6 global unicast address for the switch, complete the following steps:

1. From the global configuration mode prompt, type "interface vlan 1" to access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type "ipv6 address ipv6-address" ...

Dynamic Configuration

Obtaining an IPv4 Address

If you select the "bootp" or "dhcp" option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received.

 Index: 1001, MTU: 1500
 Address Mode is DHCP
 IP Address: 192.168.0.4 Mask: 255.255.255.0
 Proxy ARP is disabled
 DHCP Client Vendor Class ID (text): SC30010
 DHCP Relay Server:
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) 3rd-party applications. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
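The following Python script, added here as an example and not taken from this guide, audits the snmp-server community lines of a saved running-config for what the note above warns about: factory-default strings, read-write access over SNMPv1/v2c, and short guessable strings. It assumes the line format "snmp-server community <name> [ro|rw]" as saved by the switch, that "public" and "private" are the factory defaults (the guide does not name them), that a missing access keyword means read-only, and that the CLI's "no" form removes a community string. The sample configuration is constructed.

```python
"""Audit SNMPv1/v2c community strings in a saved running-config.

Added example, not part of the switch documentation. Assumes the line format
"snmp-server community <name> [ro|rw]", that "public" and "private" are the
factory-default strings (an assumption about this switch), and that a missing
access keyword means read-only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}  # assumed factory defaults
MIN_LENGTH = 8                                # local policy, not a switch limit
COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)(?:\s+(ro|rw))?\s*$")


@dataclass
class Finding:
    community: str
    access: str
    reasons: List[str] = field(default_factory=list)


def audit_snmp(running_config: str) -> Tuple[List[Finding], bool]:
    """Return (findings, v1v2c_enabled).

    One Finding per community string; its reasons list is empty when nothing
    is wrong with it. v1v2c_enabled is True while any community string exists,
    since with none configured SNMPv1/v2c access is disabled.
    """
    findings: List[Finding] = []
    for line in running_config.splitlines():
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        name, access = m.group(1), (m.group(2) or "ro")
        reasons = []
        if name.lower() in DEFAULT_COMMUNITIES:
            reasons.append("factory-default community string")
        if access == "rw":
            reasons.append("read-write access over SNMPv1/v2c, which has no "
                           "authentication and sends the string in cleartext")
        if len(name) < MIN_LENGTH:
            reasons.append(f"shorter than {MIN_LENGTH} characters")
        findings.append(Finding(name, access, reasons))
    return findings, bool(findings)


def remediation(findings: List[Finding]) -> List[str]:
    """CLI lines that remove the flagged strings, using the CLI's "no" form."""
    return [f"no snmp-server community {f.community}" for f in findings if f.reasons]


# Constructed sample, not output from a real switch.
SAMPLE_CONFIG = """\
hostname Console
snmp-server community public ro
snmp-server community private rw
snmp-server community Zk9v-Qa27-mon ro
snmp-server contact noc@example.invalid
"""

if __name__ == "__main__":
    results, enabled = audit_snmp(SAMPLE_CONFIG)
    print("SNMPv1/v2c access:", "enabled" if enabled else "disabled")
    for f in results:
        print(f"{f.community:20s} {f.access}  {'; '.join(f.reasons) or 'ok'}")
    print("\n".join(remediation(results)))
```

Run it over the text of show running-config. Removing every community string is what actually turns off v1/v2c access; SNMPv3 users and groups are not affected by this check.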
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to "SNMP Commands" on page 155 or to the Web Management Guide.

Managing System Files

The switch's flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP.

... the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

Upgrading the Operation Code

The following example shows how to download new firmware to the switch and activate it.

... loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config:<filename> command. The maximum number of saved configuration files depends on available flash memory.
Automatic Installation of Operation Code and Configuration Settings

Downloading Operation Code

Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.

... case-insensitive. Please check the documentation for your server's operating system if you are unsure of its file system's behavior.

◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.

This shows how to specify a TFTP server where new code is stored.

Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#

This shows how to specify an FTP server where new code is stored.

Console(config)#upgrade opcode path ftp://site9:billy@192.168.0.1/sm24/
Console(config)#

Set the switch to automatically reboot and load the new code after the opcode ...

Press ENTER to start session
Automatic Upgrade is looking for a new image
No new image detected

User Access Verification

Username: admin
Password:

CLI session with the SC30010 is opened.
To end the CLI session, enter [Exit].

Console#dir
File Name Type Startup Modified Time ...
Downloading Configuration Files / Other Parameters from a DHCP Server

The DHCP Vendor Class Identifier (Option 60) is used by DHCP clients to tell the server what kind of device is requesting an address, so that the server can return device-specific parameters such as a configuration file name. The identifier is optional and can be specified while configuring DHCP on the primary network interface.
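Added example, not part of this guide: a Python parser for the DHCP options involved in this provisioning step, together with the server-side class match that turns the vendor class identifier into a configuration file name. It implements the RFC 2132 option encoding generically; the sample packet, the class table, and the choice to carry the server address in option 66 are constructed for the example (the guide's dhcpd.conf matches "sc30010.cfg" and names the bootfile "test", but the page does not show which option carries the server address).

```python
"""Parse the DHCP options a provisioning server looks at (and answers with).

Added example, not part of the switch documentation. Implements the RFC 2132
option encoding; the sample packet, class table and reply contents are
constructed for this example.
"""
import struct
from typing import Dict, List, Tuple

BOOTP_FIXED_LEN = 236                 # op .. file fields of a BOOTP/DHCP message
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_VENDOR_CLASS = 60                 # vendor class identifier (e.g. "sc30010.cfg")
OPT_TFTP_SERVER = 66                  # TFTP server name (our choice for the reply)
OPT_BOOTFILE = 67                     # bootfile name
DHCPDISCOVER = 1


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Return {code: value} for the options of a DHCP message.

    PAD bytes are skipped, END stops parsing, and a repeated code is
    concatenated (RFC 3396 long options). Truncated input raises ValueError
    rather than silently returning a partial option value.
    """
    if packet[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options: Dict[int, bytes] = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError(f"option {code}: length byte missing")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: value truncated")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def build_discover(chaddr: bytes, options: List[Tuple[int, bytes]]) -> bytes:
    """Build a minimal DHCPDISCOVER (BOOTREQUEST) carrying the given options."""
    fixed = struct.pack("!BBBB", 1, 1, 6, 0)             # op=BOOTREQUEST, Ethernet, hlen 6, hops
    fixed += struct.pack("!IHH", 0x3903F326, 0, 0x8000)  # xid, secs, flags (broadcast bit)
    fixed += b"\x00" * 16                                # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr.ljust(16, b"\x00")                   # chaddr padded to 16 bytes
    fixed += b"\x00" * (64 + 128)                        # sname, file (unused by the client)
    assert len(fixed) == BOOTP_FIXED_LEN
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def provisioning_reply(options: Dict[int, bytes],
                       classes: Dict[str, Tuple[str, str]]) -> Dict[int, bytes]:
    """Options a server would add for a client whose vendor class is known.

    classes maps a vendor class identifier to (tftp server, bootfile); a client
    with an unknown or absent class gets no provisioning options at all.
    """
    vendor_class = options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    if vendor_class not in classes:
        return {}
    server, bootfile = classes[vendor_class]
    return {OPT_TFTP_SERVER: server.encode(), OPT_BOOTFILE: bootfile.encode()}


# Constructed sample: one class, using the vendor string this guide tells you to match.
CLASSES = {"sc30010.cfg": ("192.168.255.101", "test")}
SAMPLE = build_discover(bytes.fromhex("cc37aba106c0"),
                        [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
                         (OPT_VENDOR_CLASS, b"sc30010.cfg")])
```

Nothing in this exchange is authenticated: any host that answers DHCP before the real server can hand the switch a bootfile name and a server to fetch it from over TFTP. That is the reason to use this feature only on a trusted management segment and to enable DHCP snooping, marking only the uplink toward the legitimate server with ip dhcp snooping trust.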
◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.

"192.168.255.101";
option bootfile-name "test";

Note: Use "sc30010.cfg" for the vendor-class-identifier in the dhcpd.conf file.

Setting the System Clock

Simple Network Time Protocol (SNTP) or Network Time Protocol (NTP) can be used to set the switch's internal clock based on periodic updates from a time server.

◆ Summer Time/Daylight Saving Time (DST) – In some regions, the time shifts by one hour in the fall and spring. The switch supports manual entry for one-time or recurring clock shifts.

Setting the Time

To manually set the clock to 14:11:36, April 1st, 2013, enter this command.
Configuring NTP

Requesting the time from an NTP server is the most secure of the time-setting methods described here, because the updates can be authenticated. You can enable NTP authentication to ensure that updates are accepted only from authorized NTP servers. The authentication keys and their associated key numbers must be centrally managed and manually distributed to NTP servers and clients.
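As an added example (not from this guide), the following Python code shows what NTP authentication protects: both sides compute a MAC over the packet with a shared key identified by a key number, and a packet whose MAC does not verify is dropped. The guide does not name the digest; the code assumes the classic RFC 5905 symmetric-key scheme in which the MAC is the key ID followed by MD5(key || header). The key, key number and timestamp are constructed.

```python
"""Symmetric-key authentication for NTP packets (RFC 5905, section 7.3).

Added example, not part of the switch documentation. The guide does not name
the digest; this assumes the classic MD5 scheme in which the MAC appended to
a 48-byte NTP header is keyid || MD5(key || header). The key, key number and
timestamps are constructed for the example.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16                 # 32-bit key ID followed by the 128-bit digest


def ntp_client_header(transmit_ts: int) -> bytes:
    """48-byte NTPv4 client (mode 3) header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                # LI 0, version 4, mode 3
    head = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)  # stratum 0, poll 6, precision 2^-20
    head += struct.pack("!II", 0, 0)                    # root delay, root dispersion
    head += b"\x00\x00\x00\x00"                         # reference ID
    head += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)  # ref, origin, receive, transmit
    return head


def compute_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """keyid || MD5(key || header): a keyed prefix hash, not an HMAC."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """What the sender transmits: header followed by its MAC."""
    return header + compute_mac(key_id, key, header)


def verify(packet: bytes, keyring: Dict[int, bytes]) -> Optional[int]:
    """Return the key ID that authenticated the packet, or None.

    A packet without a MAC, with an unknown key number, or whose digest does
    not match is rejected. This is what "ntp authenticate" buys you: someone
    who can spoof the server's address still cannot forge a time update.
    """
    if len(packet) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keyring.get(key_id)
    if key is None:
        return None
    if not hmac.compare_digest(compute_mac(key_id, key, header), mac):
        return None
    return key_id


# Constructed key ring: key number 1 as it would be entered on server and client.
KEYRING = {1: b"Example-Shared-Key-2013"}
```

The key must be entered identically with the key number on the switch and in the server's key file. Because MD5(key || data) is a plain prefix hash rather than an HMAC, treat it as a way of accepting updates only from known servers, not as a modern integrity primitive; the exchange itself still travels in cleartext.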
Section II Command Line Interface

This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.

This section includes these chapters:
◆ "Using the Command Line Interface" on page 61
◆ "General Commands" on page 73
◆ ...
◆ "Spanning Tree Commands" on page 410
◆ "VLAN Commands" on page 441
◆ "Class of Service Commands" on page 471
◆ "Quality of Service Commands" on page 483
◆ "Multicast Filtering Commands" on page 494
◆ ...

When finished, exit the session with the "quit" or "exit" command.

After connecting to the system through the console port, the login screen displays:

User Access Verification

Username: admin
Password:

CLI session with the SC30010 is opened.
To end the CLI session, enter [Exit].

Console#

Telnet Connection

Telnet operates over TCP/IP. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.

After entering the Telnet command, the login screen displays:

Username: admin
Password:

CLI session with the SC30010 is opened.
To end the CLI session, enter [Exit].

Vty-0#

Note: You can open up to eight sessions to the device via Telnet or SSH.

Entering Commands
Command Completion

If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the "logging history" example, typing log followed by a tab will result in printing the command up to "logging."

 privilege      Shows current privilege level
 process        Device process
 protocol-vlan  Protocol-VLAN information
 public-key     Public key information
 qos            Quality of Service
 queue          Priority queue information
 radius-server  RADIUS server information
 reload         Shows the reload settings
 rmon           Remote monitoring information
 rspan          ...
Partial Keyword Lookup

If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example "s?" shows all the keywords starting with "s."
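To make the completion and lookup rules concrete, here is an added Python example (not code from the guide) implementing the three behaviours described in this chapter: Tab completion up to the point of ambiguity, "?" partial lookup, and minimum abbreviation. The keyword table is a small constructed subset of this guide's commands, kept per command mode because the candidates, and therefore what counts as ambiguous, depend on the mode you are in.

```python
"""Keyword completion, partial lookup and minimum abbreviation for a CLI.

Added example, not part of the switch documentation. The keyword table is a
small constructed subset of this guide's commands, grouped by command mode.
"""
import os
from typing import List, Tuple

# Constructed subset of keywords, one list per command mode.
KEYWORDS = {
    "global-config": ["hostname", "interface", "logging", "loopback-detection",
                      "prompt", "reload", "snmp-server", "spanning-tree", "username"],
    "line":          ["databits", "exec-timeout", "login", "parity", "password",
                      "password-thresh", "silent-time", "speed", "stopbits"],
}


class AmbiguousKeyword(ValueError):
    """Raised when an abbreviation matches more than one keyword."""


def lookup(partial: str, mode: str) -> List[str]:
    """The "s?" behaviour: every keyword in this mode that starts with the partial text."""
    return [k for k in KEYWORDS[mode] if k.startswith(partial)]


def complete(partial: str, mode: str) -> Tuple[str, List[str]]:
    """The Tab behaviour: extend the partial keyword up to the point of ambiguity.

    Returns (text after completion, remaining candidates). A unique match is
    completed fully, several matches are completed to their longest common
    prefix, and no match leaves the text unchanged.
    """
    candidates = lookup(partial, mode)
    if not candidates:
        return partial, []
    return os.path.commonprefix(candidates), candidates


def resolve(abbrev: str, mode: str) -> str:
    """Minimum abbreviation: accept any prefix that names exactly one keyword.

    An exact keyword always wins, so "password" is not ambiguous with
    "password-thresh"; any other prefix must match exactly one keyword.
    """
    candidates = lookup(abbrev, mode)
    if abbrev in candidates:
        return abbrev
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise KeyError(f"unknown keyword {abbrev!r} in {mode} mode")
    raise AmbiguousKeyword(f"{abbrev!r} could be: {', '.join(candidates)}")
```

Note that "lo" is ambiguous in Global Configuration mode (logging, loopback-detection) but completes to login in Line mode; the guide's "log" example completes only because no other keyword in that mode begins with "log".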
... "super."

To enter Privileged Exec mode, enter the following user names and passwords:

Username: admin
Password: [admin login password]

CLI session with the SC30010 is opened.
To end the CLI session, enter [Exit].

Console#

Username: guest
Password: [guest login password]

CLI session with the SC30010 is opened.

Configuration Commands

Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.

To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.

Table 2: Configuration Command Modes
Mode | Command | Prompt ...
Table 3: Keystroke Commands (Continued)
Keystroke | Function
Ctrl-K | Deletes all characters from the cursor to the end of the line.
Ctrl-L | Repeats current command line on a new line.
Ctrl-N | Enters the next command line in the history buffer.

CLI Command Groups

The system commands can be broken down into the functional groups shown below.

Table 4: Command Group Index
Command Group | Description | Page
General | Basic commands for entering privileged access mode, restarting the system, or quitting the CLI |
System Management | Display and setting of system information, basic modes of ...

Table 4: Command Group Index (Continued)
Command Group | Description | Page
VLANs | Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling |
Class of Service | Sets port priority for untagged frames, selects strict priority ...

General Commands

The general commands are used to control the command access mode, configuration mode, and other basic functions.

Table 5: General Commands
Command | Function | Mode
prompt | Customizes the CLI prompt | Global Configuration
reload | Restarts the system at a specified time, after a specified delay, or at a periodic interval | Global Configuration
Command Mode
Global Configuration

Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.

Example
Console(config)#prompt RD2
RD2(config)#

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test.

◆ The "#" character is appended to the end of the prompt to indicate that the system is in privileged access mode.

Example
Console>enable
Password: [privileged level password]
Console#

Related Commands
disable (78)
enable password (192)

This command exits the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:

Console#show history
Execution command history:
 2 config
 1 show history

Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#

disable

This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.

show reload

This command displays the current reload settings, and the time at which the next scheduled reload will take place.

Command Mode
Privileged Exec

Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2015.

Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

Console(config)#exit
Console#exit

Press ENTER to start session

User Access Verification

Username:
System Management Commands

The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.

Table 6: System Management Commands
Command Group | Function
Device Designation | Configures information that uniquely identifies this switch
System Status | Displays system configuration, active managers, and version information
hostname

This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax
hostname name
no hostname

name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
...

Table 8: System Status Commands (Continued)
Command | Function | Mode
show system | Displays system information | NE, PE
show tech-support | Displays a detailed list of system settings designed to help technical support resolve configuration or functional problems |
show users | Shows all active console and Telnet sessions, including ...

/1b+Zt4OWMZlxk3wXPSxqgCNY8J3tqK+63UzwLqsEJ6GBP9q5LC9W4jsuhnzmNG1kuC0nN1rJs2/
bN74dMfql/
fYokDbaIvmpHCndJh7aqOq9wRhCMOG5UKTlo5lflX+Io+sg6PmJX7dwK8FdfrdHdWbQUsUvi6T3y
4ycwDiIiWbySjT345sdfgsdfg5445bNBPozr6l3l5hRbZqQ3WIfH1GEE9voD4GG4vbEA/
kruBOtocFDvBhXjYVe5laTkRl+vODF02eUtgYE3cGBR/
KGYcgQ+i9IRRAIWEPCKRomM69W6SsYZfdasfewcc+d430NVyf34okaUnyQrnPmqHajkLUT1BBwMF
KBuopQq1gv0Gkmuw75gUgOlGJrZ/yf1UwW/0F2MjKRTVCy4Q4Bl7IrE3DqkouscCZBKXNA==
Console#

show memory

This command shows memory utilization parameters, and alarm thresholds.

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, the total amount of system memory, and the alarm thresholds.

Alarm Status
 Current Alarm Status : Off
 Last Alarm Start Time : Dec 31 00:00:19 2000
 Last Alarm Duration Time : 15 seconds
Alarm Configuration
 Rising Threshold : 90%
 Falling Threshold : 70%
Console#

Related Commands
process cpu (177)

Table 10: show process cpu guard - display description (Continued)
Field | Description
Minimum Threshold | If packet flow has been stopped after exceeding the maximum threshold, normal flow will be restored after usage falls beneath the minimum threshold.
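The memory alarm shown above and the CPU guard's maximum/minimum thresholds use the same two-threshold hysteresis. The following Python model, an added example rather than switch code, replays utilization samples through it and shows why the falling threshold is separate from the rising one. The sample values, the one-second spacing and the 90%/70% pair are constructed (the thresholds match the show memory output above).

```python
"""Rising/falling threshold alarm with hysteresis, as used by the switch's
memory alarm and CPU guard.

Added example, not part of the switch documentation. Sample values, sample
spacing and thresholds are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AlarmEvent:
    kind: str          # "raised" or "cleared"
    time: int          # sample index, one per second in this example
    utilization: int   # percent


class HysteresisAlarm:
    """Raise when a sample exceeds the rising threshold; clear only when a
    later sample drops below the falling threshold.

    The gap between the two thresholds stops a value hovering around a single
    limit from flapping the alarm (and, for the CPU guard, stopping and
    restarting packet processing) on every sample.
    """

    def __init__(self, rising: int, falling: int) -> None:
        if not 0 <= falling < rising <= 100:
            raise ValueError("need 0 <= falling < rising <= 100")
        self.rising, self.falling = rising, falling
        self.active = False
        self.started_at: Optional[int] = None
        self.last_duration: Optional[int] = None   # like "Last Alarm Duration Time"

    def update(self, time: int, utilization: int) -> Optional[AlarmEvent]:
        """Feed one sample; return the event it caused, if any."""
        if not self.active and utilization > self.rising:
            self.active, self.started_at = True, time
            return AlarmEvent("raised", time, utilization)
        if self.active and utilization < self.falling:
            self.active = False
            self.last_duration = time - self.started_at
            return AlarmEvent("cleared", time, utilization)
        return None


def replay(samples: List[int], rising: int = 90,
           falling: int = 70) -> Tuple[List[AlarmEvent], Optional[int]]:
    """Replay one sample per second; return (events, last alarm duration)."""
    alarm = HysteresisAlarm(rising, falling)
    events = [e for e in (alarm.update(t, u) for t, u in enumerate(samples)) if e]
    return events, alarm.last_duration


# Constructed utilization samples (percent), one per second.
SAMPLES = [50, 85, 91, 80, 75, 89, 69, 95, 60]

if __name__ == "__main__":
    for event in replay(SAMPLES)[0]:
        print(f"t={event.time:2d}s {event.utilization:3d}% alarm {event.kind}")
```

With the 90/70 pair the dip to 80% and 75% after the alarm is raised does not clear it; with the falling threshold set just below the rising one the same samples toggle the alarm twice as often.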
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
◆ This command displays settings for key command modes. Each mode group is separated by "!" ...

Refer to the example for the running configuration file.

Related Commands
show running-config (88)

show system

This command displays system information.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Example
Console#show system
System Description : SC30010
System OID String : 1.3.6.1.4.1.50868.44.101

System Information
 System Up Time : 0 days, 23 hours, 49 minutes, and 30.37 seconds
 System Name :
 System Location :
 System Contact :
 MAC Address (Unit 1) : CC-37-AB-A1-06-C0
 Web Server : Enabled
 Web Server Port : 80
 Web Secure Server : Enabled
 ...

Example
User Access Verification

Username: admin
Password:

CLI session with the SC30010 is opened.
To end the CLI session, enter [Exit].

Vty-2#show tech-support
dir:
File Name Type Startup Modified Time ...
show users

Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The session used to execute this command is indicated by a "*" symbol next to the Line (i.e., session) index number.

Table 12: show version – display description
Parameter | Description
Serial Number | The serial number of the switch.
Hardware Version | Hardware version of the main board.
Number of Ports | Number of built-in ports.
Main Power Status | Displays the status of the internal power supply.

Fan Control

This section describes the command used to force fan speed. Only some of the switches in the series support this command.

Table 13: Fan Control Commands
Command | Function | Mode
fan-speed force-full | Forces fans to full speed |
show system | Shows if full fan speed is enabled |

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ This switch provides more efficient throughput for large sequential data transfers by supporting layer 2 jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks up to 10240 bytes.
...

Saving or Restoring Configuration Settings

Configuration settings can be uploaded and downloaded to and from an FTP/SFTP/TFTP server. The configuration file can be later downloaded to restore switch settings. The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it.

filename - Name of configuration file or code image.
* The colon (:) is required.

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ A colon (:) is required after the specified file type.
...
public-key - Keyword that allows you to copy an SSH key from a TFTP server. (See "Secure Shell" on page 225.)
running-config - Keyword that allows you to copy to/from the current running configuration.

◆ When logging into a remote SFTP server, the interface prompts for a user name and password configured on the remote server. If this is a first time connection, the system checks to see if the public key offered by the server matches one stored locally.

The following example shows how to copy the running configuration to a startup file.

Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#

The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01

This example shows how to copy a file to an FTP server.

Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ If the file type is used for system startup, then this file cannot be deleted.
◆ "Factory_Default_Config.cfg" cannot be deleted.
◆ If the public key type is not specified, then both DSA and RSA keys will be ...

File information is shown below:

Table 16: File Directory Information
Column Heading | Description
File Name | The name of the file.
File Type | File types: Operation Code, and Config file.
Startup | Shows if this file is used when the system is started.
Modify Time | The date and time the file was last modified.

Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

Console#whichboot
File Name Type Startup Modified Time Size (bytes)
Chapter 4 | System Management Commands File Management Any changes made to the default setting can be displayed with the show ◆ running-config show startup-config commands. Example Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup.
Chapter 4 | System Management Commands File Management When specifying a TFTP server, the following syntax must be used, where ◆ filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/ When specifying an FTP server, the following syntax must be used, where ◆...
Chapter 4 | System Management Commands File Management This command shows the opcode upgrade configuration settings. show upgrade Command Mode Privileged Exec Example Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path File Name : C-300-series.bix Console# TFTP Configuration Commands This command specifies the number of times the switch can retry transmitting...
Chapter 4 | System Management Commands File Management This command specifies the time the switch can wait for a response from a ip tftp timeout TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting. Syntax ip tftp timeout seconds no ip tftp timeout...
Chapter 4 | System Management Commands Line
Line
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Table 17: Line Commands (Command - Function)...
line: This command identifies a specific line for configuration and processes subsequent line configuration commands.
Syntax
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting: There is no default line.
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Example
To set the timeout to two minutes, enter this command:
Console(config-line-console)#exec-timeout 120
Console(config-line-console)#
login: This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login...
Related Commands: username (193), password (114)
parity: This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity...
Default Setting: No password is specified.
Command Mode: Line Configuration
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt.
reached for Telnet, the Telnet logon interface shuts down.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line-console)#password-thresh 5
Console(config-line-console)#
Related Commands: silent-time (116)
silent-time: This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the...
speed: This command sets the terminal line’s baud rate. It sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second.
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#
timeout login response: This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]...
session-id - The session identifier for an SSH, Telnet or console connection. (Range: 0-8)
Command Mode: Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Default Setting
Escape Character: 27 (ASCII-number)
History: 10
Length: 24
Terminal Type: VT100
Width: 80
Command Mode: Privileged Exec
Example
This example sets the number of lines displayed by commands with lengthy output, such as show running-config, to 48 lines.
Chapter 4 | System Management Commands Event Logging
Command Usage
The records stored include the commands executed from the CLI, the command execution time, and information about the CLI user, including user name, user interface (console, Telnet, SSH) and user IP address. The severity level for this record type is 6 (see the logging facility command).
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below. Messages sent include the selected level down to level 0.
udp-port - UDP port number used by the remote server. (Range: 1-65535)
Default Setting: UDP Port: 514
Command Mode: Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses. ...
logging trap: This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Example
Console#clear log
Console#
Related Commands: show log (126)
show log: This command displays the log messages stored in local memory.
Syntax
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
show logging: This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {command | flash | ram | sendmail | trap}
command - Stores CLI command execution records in syslog RAM and flash.
Chapter 4 | System Management Commands SMTP Alerts
The following example displays settings for the trap function.
Console#show logging trap
Global Configuration:
 Syslog Logging : Enabled
Remote Logging Configuration:
 Status : Disabled
 Facility Type : Local use 7 (23)
 Level Type : Debugging messages (7)
Console#
Table 21: show logging trap - display description...
logging sendmail: This command enables SMTP event handling. Use the no form to disable this function.
Syntax
[no] logging sendmail
Default Setting: Enabled
Command Mode: Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling.
Default Setting: None
Command Mode: Global Configuration
Command Usage
◆ You can specify up to three SMTP servers for event handling. However, ...
Command Usage
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
Example
This example will send email alerts for system errors from level 3 through 0.
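The trap display above reports the facility as "Local use 7 (23)" and the level as "Debugging messages (7)"; on the wire these two numbers are packed into the PRI field that starts every syslog message (facility * 8 + severity), and the "logging trap level" rule means a message is forwarded when its severity number is at or below the configured level. The following Python is an added illustration for a collector-side check, not code from the manual or the switch; the three sample messages are constructed and only mimic the switch's facility setting, and the CLI-record severity of 6 is the value the manual gives for logging command records.

```python
import re
from typing import Dict, List

# Facility codes that the switch's "logging facility" command selects from: local use 0-7.
LOCAL_FACILITIES = {16 + n: f"Local use {n}" for n in range(8)}

SEVERITY_NAMES = [
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debugging",
]

# RFC 3164 messages begin with the PRI field: "<" decimal ">" where decimal is 0-191.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, e.g. local7 + Informational -> 190."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int):
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_syslog(line: str) -> Dict:
    """Parse one syslog line into its facility, severity and message text."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI field at start of line: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {
        "facility": facility,
        "facility_name": LOCAL_FACILITIES.get(facility, f"facility {facility}"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "msg": m.group(2),
    }


def forwarded_at_level(records: List[Dict], trap_level: int) -> List[Dict]:
    """Apply the switch's 'logging trap level' rule: a message is sent when its
    severity number is at the configured level or lower (more urgent), down to 0."""
    return [r for r in records if r["severity"] <= trap_level]


# Constructed sample messages as a collector might receive them from a switch whose
# facility is set to "Local use 7 (23)"; these are not real switch output.
SAMPLE_LINES = [
    "<190>Console: admin executed 'show running-config' from 10.1.0.5",  # 23*8+6: CLI command record, severity 6
    "<187>System: Port Eth 1/3 link down",                              # 23*8+3: Error
    "<191>System: SNTP poll sent to 10.1.0.19",                          # 23*8+7: Debugging
]


def demo(trap_level: int) -> List[str]:
    """Severity names of the sample messages that 'logging trap <trap_level>' would forward."""
    records = [parse_syslog(line) for line in SAMPLE_LINES]
    return [r["severity_name"] for r in forwarded_at_level(records, trap_level)]


if __name__ == "__main__":
    for level in (7, 6, 3):
        print(f"logging trap {level}: {demo(level)}")
```

A practical consequence worth checking on the collector: the CLI audit records carry severity 6, so a remote "logging trap" level below 6 silently drops them, and an attacker-visible gap in the command audit trail is a configuration choice rather than a failure.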
Chapter 4 | System Management Commands Time
SMTP Minimum Severity Level: 7
SMTP Destination E-mail Addresses
-----------------------------------------------
ted@this-company.com
SMTP Source E-mail Address: bill@this-company.com
SMTP Status: Enabled
Console#
Time
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP).
SNTP Commands
sntp client: This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
Syntax
[no] sntp client
Default Setting...
sntp poll: This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
Example
Console(config)#sntp server 10.1.0.19
Console#
Related Commands: sntp client (133), sntp poll (134), show sntp (135)
show sntp: This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Usage
You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
◆ Use the no form of this command without an argument to clear all authentication keys in the list.
Example
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#
Related Commands: ntp authenticate (135)
ntp client: This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command.
ntp server: This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list.
Syntax
ntp server ip-address [key key-number]
no ntp server [ip-address]...
show ntp: This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
Command Mode: Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-year - The year summer time will end.
clock summer-time (predefined): This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.
Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]...
Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#
Related Commands: show sntp (135)
clock summer-time (recurring): This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring
offset - Summer-time offset from the regular time zone, in minutes. (Range: 1-120 minutes)
Default Setting: Disabled
Command Mode: Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer...
after-utc - Sets the local time zone after (west) of UTC.
Default Setting: None
Command Mode: Global Configuration
Command Usage
This command sets the local time zone relative to Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude.
Chapter 4 | System Management Commands Time Range
Command Usage
Note that when SNTP is enabled, the system clock cannot be manually configured.
Example
This example shows how to set the system clock to 15:12:34, February 1st, 2015.
Console#calendar set 15:12:34 1 February 2015
Console#
This command displays the system clock.
time-range: This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range.
Syntax
[no] time-range name
name - Name of the time range. (Range: 1-32 characters)
Default Setting: None
Command Mode...
Default Setting: None
Command Mode: Time Range Configuration
Command Usage
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
minute - Minute. (Range: 0-59)
Default Setting: None
Command Mode: Time Range Configuration
Command Usage
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
Chapter 4 | System Management Commands Switch Clustering
Switch Clustering
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Note: Cluster Member switches can be managed either through a Telnet connection to the Commander, or through a web management connection to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand to connect to the Member switch.
Syntax
[no] cluster commander
Default Setting: Disabled
Command Mode: Global Configuration
Command Usage
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate”...
◆ Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
There is no need to enter the username and password for access to the Member switch CLI.
Example
Console#rcommand id 1
CLI session with the SC30010 is opened.
To end the CLI session, enter [Exit].
Vty-0#
This command shows the switch clustering configuration.
SNMP Commands
SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
Chapter 5 | SNMP Commands
Table 27: SNMP Commands (Continued) (Command - Function - Mode)
snmp-server view - Adds an SNMP view
show snmp engine-id - Shows the SNMP engine ID
show snmp group - Shows the SNMP groups
show snmp user - Shows the SNMP users
show snmp view - Shows the SNMP views
Notification Log Commands...
General SNMP Commands
snmp-server: This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting: Enabled
Command Mode: Global Configuration
Example...
Example
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact: This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information. (Maximum length: 255 characters)
Default Setting: None...
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands: snmp-server contact (158)
show snmp: This command can be used to check the status of SNMP communications.
Default Setting: None
Command Mode: Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counters for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps...
Example
Console(config)#snmp-server enable traps authentication
Console(config)#
Related Commands: snmp-server host (161)
snmp-server host: This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth |...
SNMP Version: 1
UDP Port: 162
Command Mode: Global Configuration
Command Usage
◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command.
Allow the switch to send SNMP traps; i.e., notifications (page 160). Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
◆ The switch can send SNMP Version 1, 2c or 3 notifications to a host IP...
snmp-server enable port-traps mac-notification: This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Syntax
[no] snmp-server enable port-traps mac-notification
mac-notification - Keyword to issue a trap when a dynamic MAC address is added or removed.
Eth 1/3
SNMPv3 Commands
snmp-server engine-id: This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 167).
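The reason changing or deleting the local engine ID clears every SNMPv3 user is that the switch does not store the MD5/SHA authentication and privacy passwords themselves but keys localized to the engine ID (RFC 3414 key localization); a new engine ID makes every stored key unusable, so they must be regenerated from the passwords. The following Python is an added illustration, not code from the manual or the switch firmware. It implements the RFC 3414 password-to-key expansion and localization steps with hashlib; the first engine ID and the password "greenpeace" are the values shown in this chapter's examples, and the second engine ID is a constructed sample. The switch's "sha" option corresponds to hashlib's "sha1".

```python
import hashlib

# RFC 3414 A.2: the password is repeated until 1 MiB (1048576 bytes) has been hashed.
PASSWORD_EXPANSION = 1048576


def password_to_ku(password: str, algo: str = "md5") -> bytes:
    """Derive the user's master key Ku from a plaintext auth/priv password.

    algo is a hashlib name; the switch offers md5 and sha (hashlib "sha1").
    """
    pw = password.encode()
    if not pw:
        raise ValueError("SNMPv3 password must not be empty")
    repeats = PASSWORD_EXPANSION // len(pw) + 1
    expanded = (pw * repeats)[:PASSWORD_EXPANSION]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || engineID || Ku), i.e. the key is bound to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Plaintext password + engine ID (hex string) -> localized key Kul as hex.

    MD5 gives 16 bytes (32 hex characters), SHA-1 gives 20 bytes (40 hex characters),
    which matches the 'encrypted password' lengths the manual quotes for snmp-server user.
    """
    ku = password_to_ku(password, algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


def engine_id_change_invalidates(password: str, old_engine_hex: str, new_engine_hex: str,
                                 algo: str = "md5") -> bool:
    """True when a key localized under the old engine ID cannot be reused under the new one."""
    return (localized_key_hex(password, old_engine_hex, algo)
            != localized_key_hex(password, new_engine_hex, algo))


if __name__ == "__main__":
    OLD_ENGINE = "800001030300e00c0000fd0000"  # engine ID from the manual's show snmp user output
    NEW_ENGINE = "800001030300e00c0000fd0001"  # constructed sample: one byte different
    password = "greenpeace"                     # auth password from the manual's snmp-server user example
    for algo in ("md5", "sha1"):
        old = localized_key_hex(password, OLD_ENGINE, algo)
        new = localized_key_hex(password, NEW_ENGINE, algo)
        print(f"{algo}: old engine Kul={old}")
        print(f"{algo}: new engine Kul={new} changed={old != new}")
```

Operationally this also explains why the "encrypted" form of a password in a saved configuration only works when restored to a switch with the same engine ID: it is the localized key, not a transportable secret.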
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.
◆ For additional information on the notification messages supported by this...
If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password)
3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption.
aes128 - Uses SNMPv3 with privacy with AES128 encryption.
aes192 - Uses SNMPv3 with privacy with AES192 encryption.
Example
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#
snmp-server view: This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
show snmp engine-id: This command shows the SNMP engine ID.
Command Mode: Privileged Exec
Example
This example shows the default engine ID.
 Storage Type : Nonvolatile
 Row Status : Active
Group Name : public
 Security Model : v1
 Read View : defaultview
 Write View : No writeview specified
 Notify View : No notifyview specified
 Storage Type : Volatile
 Row Status : Active
Group Name...
Example
Console#show snmp user
Engine ID : 800001030300e00c0000fd0000
User Name : steve
 Group Name : rd
 Security Model : v1
 Security Level : Authentication and privacy
 Authentication Protocol : None
 Privacy Protocol : None
 Storage Type : Nonvolatile
 Row Status : Active...
 Row Status: active
View Name : defaultview
 Subtree OID
 View Type : included
 Storage Type : volatile
 Row Status : active
Console#
Table 31: show snmp view - display description (Field - Description)
View Name - Name of an SNMP view.
Subtree OID - A branch in the MIB tree.
snmp-server notify-filter: This command creates an SNMP notification log. Use the no form to remove this log.
Syntax
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-32 characters)
ip-address - IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the snmp-server host...
by default (see the command), but will not start recording information until a logging profile specified with this command is enabled with the command.
◆ Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes.
10.1.19.23
Console#
Additional Trap Commands
memory: This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting.
Syntax
memory {rising rising-threshold | falling falling-threshold}
no memory {rising | falling}
rising-threshold - Rising threshold for memory utilization alarm expressed in percentage.
process cpu: This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting.
Syntax
process cpu {rising rising-threshold | falling falling-threshold}
no process cpu {rising | falling}
rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
low-watermark - If packet flow has been stopped after exceeding the high watermark, normal flow will be restored after usage falls beneath the low watermark. (Range: 40-100%)
max-threshold - If the number of packets being processed per second by the CPU is higher than the maximum threshold, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until the number of packets being...
Remote Monitoring Commands
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands
rmon alarm: This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index -...
threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
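The rising/falling rule described above is a hysteresis state machine: once a rising alarm has fired, a further rising alarm is suppressed until the value has come back down to the falling threshold (which fires the falling alarm and re-arms the rising side), so a variable hovering around one threshold cannot flood the event log. The following Python is an added illustration of that logic, not code from the manual or the switch; it models both the absolute and delta sample types of the rmon alarm command. Arming both sides at startup is an assumption made here (it corresponds to RMON's risingOrFallingAlarm startup behaviour, which the CLI on this page does not expose), and the sample values are constructed.

```python
from typing import List, Optional, Tuple


class RmonAlarm:
    """Rising/falling threshold alarm with the RMON hysteresis rule.

    After a rising alarm fires, no further rising alarm is generated until the
    sampled value has dropped to the falling threshold (which itself fires a
    falling alarm), and vice versa. Both sides start armed (an assumption, see
    the lead-in), so the first sample may fire either alarm.
    """

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising = rising
        self.falling = falling
        self.sample_type = sample_type
        self._armed_rising = True
        self._armed_falling = True
        self._last_raw: Optional[int] = None

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample of the monitored variable; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            # Delta alarms compare the change since the previous sample, so the
            # first sample only seeds the baseline and cannot fire.
            if self._last_raw is None:
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw

        if value >= self.rising and self._armed_rising:
            self._armed_rising = False   # quiet until the falling threshold is reached
            self._armed_falling = True
            return "rising"
        if value <= self.falling and self._armed_falling:
            self._armed_falling = False  # quiet until the rising threshold is reached
            self._armed_rising = True
            return "falling"
        return None


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample, event) pairs for every sample that triggered an alarm."""
    events = []
    for s in samples:
        ev = alarm.sample(s)
        if ev:
            events.append((s, ev))
    return events


if __name__ == "__main__":
    # Constructed utilisation samples in percent, absolute sampling:
    # 90 and 70 after the first rising alarm stay silent until 40 re-arms it.
    util = RmonAlarm(rising=80, falling=40)
    print(run_alarm(util, [50, 85, 90, 70, 40, 30, 85]))
    # Constructed error-counter readings, delta sampling: the alarm is on the
    # per-interval change, not the absolute counter value.
    errs = RmonAlarm(rising=100, falling=10, sample_type="delta")
    print(run_alarm(errs, [0, 50, 200, 205, 400]))
```

When tuning thresholds for a security-relevant counter (CRC errors, broadcast rate, CPU), set the falling threshold low enough that an attack which holds the variable just under the rising threshold after the first alarm does not also prevent the falling event, since without that event no further rising alarm is ever generated.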
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config command will display a message indicating that this...
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
show rmon history: This command shows the sampling parameters configured for each entry in the history group.
Command Mode: Privileged Exec
Example
Console#show rmon history
Entry 1 is valid, and owned by
 Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
 Requested # of time intervals, ie buckets, is 8
 Granted # of time intervals, ie buckets, is 8
 Sample # 1 began measuring at 00:00:01...
Flow Sampling Commands
Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands
polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds)
ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.
This example shows how to modify the sFlow port number for an already configured collector.
Console(config)#sflow owner stat_server1 timeout 100 port 35100
Console(config)#
sflow polling instance: This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval.
sflow sampling instance: This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
The following command removes a sampling data source from Ethernet interface 1/1.
Console# no sflow sampling interface ethernet 1/1 instance 1
Console#
show sflow: This command shows the global and interface settings for the sFlow process.
Syntax
show sflow [owner owner-name | interface interface]...
Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access ‡
Chapter 8 | Authentication Commands User Accounts and Privilege Levels
User Accounts and Privilege Levels
The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 110), user authentication via a remote authentication server (page...
password - Password for this privilege level. (Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting: The default is level 15. The default password is “super”.
Command Mode: Global Configuration
Command Usage
You cannot set a null password.
Levels 0, 8 and 15 are designed for users (guest), managers (network maintenance), and administrators (top-level access). The other levels can be used to configure specialized access profiles. Levels 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>”...
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
privilege: This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
Syntax
privilege mode [all] level level command
no privilege mode [all] command...
Chapter 8 | Authentication Commands Authentication Sequence
command - Displays the privilege level for all commands modified by the privilege command.
Command Mode: Privileged Exec
Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping...
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
Chapter 8 | Authentication Commands RADIUS Client
◆ RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
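The statement that RADIUS "encrypts only the password" refers to the User-Password hiding of RFC 2865 section 5.2: the password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator, while the User-Name and every other attribute travel in the clear. The following Python is an added illustration of that mechanism, not code from the manual or the switch. It uses the key "green" and the user name and password from this chapter's examples; the Request Authenticator used in the demonstration is a constructed fixed value (a real client draws it at random per request).

```python
import hashlib
import os
from typing import Dict, Optional


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16 octets (RFC 2865 5.2); at most 128 octets."""
    if len(data) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    return data + b"\x00" * (-len(data) % 16)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: regenerate the same keystream and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, keystream))
        prev = block
    # RFC padding is NUL bytes, so a password with a trailing NUL cannot be represented.
    return bytes(out).rstrip(b"\x00")


def access_request_fields(secret: bytes, username: str, password: str,
                          authenticator: Optional[bytes] = None) -> Dict[str, bytes]:
    """Which Access-Request fields are protected: only User-Password is hidden.

    User-Name (and every other attribute) is sent in clear text, which is the
    contrast the manual draws with TACACS+ encrypting the whole packet body.
    """
    authenticator = authenticator or os.urandom(16)
    return {
        "User-Name": username.encode(),          # clear text on the wire
        "User-Password": hide_password(secret, authenticator, password.encode()),
        "Request-Authenticator": authenticator,  # clear text; it is the keystream seed
    }


if __name__ == "__main__":
    SECRET = b"green"                 # key from the manual's radius-server key example
    RA = bytes(range(16))             # constructed fixed authenticator for a repeatable demo
    fields = access_request_fields(SECRET, "bob", "smith", RA)
    for name, value in fields.items():
        print(f"{name:22s} {value.hex()}")
    print("server recovers:", reveal_password(SECRET, RA, fields["User-Password"]))
```

Because the protection rests entirely on the shared secret and a per-request authenticator, the defensive takeaways are the ones the manual's comparison points at: keep the RADIUS secret long and unique per client, restrict the UDP path between switch and server, and prefer TACACS+ (or RADIUS over a protected transport) where the user name and attributes must not be observable.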
Chapter 8 | Authentication Commands RADIUS Client This command sets the RADIUS server network port for accounting radius-server messages. Use the no form to restore the default. acct-port Syntax radius-server acct-port port-number no radius-server acct-port port-number - RADIUS server UDP port used for accounting messages.
Syntax [no] radius-server index host host-ip-address [acct-port acct-port] [auth-port auth-port] [key key] [retransmit retransmit] [timeout timeout] index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
Default Setting None Command Mode Global Configuration Example
Console(config)#radius-server key green
Console(config)#
radius-server retransmit – This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Command Mode Global Configuration Example
Console(config)#radius-server timeout 10
Console(config)#
show radius-server – This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
Authentication Port Number : 1812
Accounting Port Number...
TACACS+ Client
...associated privilege levels for each user or group that require management access to a switch.
Table 39: TACACS+ Client Commands (Command – Function)
tacacs-server host – Specifies the TACACS+ server and optional parameters
tacacs-server key – Sets the TACACS+ encryption key
tacacs-server port – Specifies the TACACS+ server network port...
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#
tacacs-server key – This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key-string no tacacs-server key key-string - Encryption key used to authenticate logon access for the client.
Console(config)#tacacs-server port 181
Console(config)#
tacacs-server retransmit – This command sets the number of retries. Use the no form to restore the default. Syntax tacacs-server retransmit number-of-retries no tacacs-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
show tacacs-server – This command displays the current settings for the TACACS+ server. Default Setting None Command Mode Privileged Exec Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times
Timeout
Server 1:
Server IP Address...
Table 40: AAA Commands (Continued) (Command – Function; Mode)
server – Configures the IP address of a server in a group list
accounting dot1x – Applies an accounting method to an interface for 802.1X service requests
accounting commands – Applies an accounting method to CLI commands entered by a user; Line...
Command Usage ◆ The accounting of Exec mode commands is only supported by TACACS+ servers. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
...servers, and do not actually send any information to the servers about the methods to use. Example
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#
aaa accounting exec – This command enables the accounting of requested Exec services for network access.
Example
Console(config)#aaa accounting exec default start-stop group tacacs+
Console(config)#
aaa accounting update – This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
start-stop - Records authorization from starting point and stopping point. group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
group - Specifies the server group to use. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#
server – This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} index - Specifies the server index.
Default Setting None Command Mode Interface Configuration Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#
accounting commands – This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands. Syntax accounting commands level {default | list-name}...
list-name - Specifies a method list created with the aaa accounting exec command. Default Setting None Command Mode Line Configuration Example
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#
authorization – This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
authorization exec – This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec default - Specifies the default method list created with the authorization exec command.
interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) Default Setting None Command Mode Privileged Exec Example
Console#show accounting
Accounting Type : dot1x
Method List : default
Group List : radius
Interface : Eth 1/1...
Default Setting None Command Mode Privileged Exec Example
Console#show authorization
Authorization Type : EXEC
Method List : default
Group List : tacacs+
Interface : vty
Authorization Type : Commands 0
Method List : default
Group List : tacacs+
Interface...
Web Server
ip http authentication – This command specifies the method list for EXEC authorization for starting an EXEC session used by the web browser interface. Use the no form to use the default port. Syntax ip http authentication aaa exec-authorization {default | list-name} no ip http authentication aaa exec-authorization...
Example
Console(config)#ip http port 769
Console(config)#
Related Commands ip http server (220) show system (90)
ip http server – This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting...
Command Usage ◆ You cannot configure the HTTP and HTTPS servers to use the same port. ◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example
Console(config)#ip http secure-port 1000...
◆ The client and server establish a secure encrypted connection. ◆ A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions. The following web browsers and operating systems currently support HTTPS: Table 42: HTTPS System Support Web Browser...
Telnet Server
Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.
ip telnet max-sessions – This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.
Command Mode Global Configuration Example
Console(config)#ip telnet port 123
Console(config)#
ip telnet server – This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax [no] ip telnet server Default Setting...
show ip telnet – This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 8
Console#
Secure Shell...
Table 44: Secure Shell Commands (Continued) (Command – Function)
show ssh – Displays the status of current SSH sessions
show users – Shows SSH users, including privilege level and public key type
Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Command Mode Global Configuration Command Usage ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
Example
Console(config)#ip ssh server-key size 512
Console(config)#
ip ssh timeout – This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds –...
Related Commands ip ssh crypto host-key generate (231)
show ip ssh – This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds;...
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
General Commands
dot1x default – This command sets all configurable dot1x authenticator global and port settings to their default values. Command Mode Global Configuration Command Usage This command resets the following commands to their default settings: ◆...
Example
Console(config)#dot1x system-auth-control
Console(config)#
Authenticator Commands
dot1x intrusion-action – This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
dot1x max-reauth-req – This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default. Syntax dot1x max-reauth-req count no dot1x max-reauth-req...
dot1x operation-mode – This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x port-control – This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
Related Commands dot1x timeout re-authperiod (241)
dot1x timeout quiet-period – This command sets the time that a switch port waits after the maximum request count (see page 238) has been exceeded before attempting to acquire a new client.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout supp-timeout – This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
Default 30 seconds Command Mode Interface Configuration Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
dot1x re-authenticate – This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier.
Default 30 seconds Command Mode Interface Configuration Command Usage This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL-Start. Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout auth-period 60
Console(config-if)#
This command sets the time that a supplicant port waits before resending its...
interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) Command Mode Privileged Exec Command Usage This command displays the following information: ◆ Global 802.1X Parameters – Shows whether or not 802.1X port...
◆ Authenticator PAE State Machine ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized). ■ Reauth Count – Number of times connecting state is re-entered. ■ Current Identifier – The integer (0-255) used by the Authenticator to identify...
Reauth Count
Current Identifier
Backend State Machine
State : Idle
Request Count
Identifier(Server)
Reauthentication State Machine
State : Initialize
Console#
Management IP Filter
This section describes commands used to configure IP management access to the switch.
Command Usage ◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses. ◆ If anyone tries to access a management interface on the switch from an...
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2.
General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
Chapter 9 | General Security Measures
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
...is enabled and mac-learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
Command Mode Interface Configuration (Ethernet) Command Usage ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands show interfaces status (357) shutdown (349) mac-address-table static (405)
Table 50: show port security - display description (Field – Description)
Port Security – The configured status (enabled or disabled).
Port Status – The operational status: ◆ Secure/Down – Port security is disabled. ◆ Secure/Up – Port security is enabled. ◆...
MAC Filter : Disabled
Last Intrusion MAC : 00-10-22-00-00-01
Last Time Detected Intrusion MAC : 2015/7/29 15:13:03
Console#
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
network-access aging – Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging. Syntax [no] network-access aging Default Setting...
Command Mode Global Configuration Command Usage ◆ Specified addresses are exempt from network access authentication. ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the...
Example
Console(config)#mac-authentication reauth-time 300
Console(config)#
network-access dynamic-qos – Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. Syntax [no] network-access dynamic-qos Default Setting Disabled...
Note: Any configuration changes for dynamic QoS are not saved to the switch configuration file. Example The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#
Use this command to enable dynamic VLAN assignment for an authenticated...
Example The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
network-access – Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected.
no network-access max-mac-count count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed. (Range: 0-1024; 0 for unlimited) Default Setting 1024 Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server. ◆...
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
mac-authentication intrusion-action – Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action {block traffic | pass traffic}...
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC Address Aging : Disabled
Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion Action : Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts...
Example
Console#show network-access mac-address-table
Interface MAC Address RADIUS Server Time Attribute
--------- ----------------- --------------- ------------------------- ---------
00-00-01-02-03-04 172.155.120.17 00d06h32m50s Static
00-00-01-02-03-05 172.155.120.17 00d06h33m20s Dynamic
00-00-01-02-03-06 172.155.120.17 00d06h35m10s Static
00-00-01-02-03-07 172.155.120.17 00d06h34m20s Dynamic
Console#
Use this command to display information for entries in the MAC filter tables.
Web Authentication
Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 188). Note: Web authentication cannot be configured on trunk ports. Table 53: Web Authentication Command Function Mode...
Example
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth quiet-period – This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again.
Example
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth system-auth-control – This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage...
web-auth re-authenticate (Port) – This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port unit - Unit identifier.
show web-auth – This command displays global web authentication parameters. Command Mode Privileged Exec Example
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout : 3600
Quiet Period : 60
Max Login Attempts
Console#
This command displays interface-specific web authentication parameters and...
show web-auth summary – This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port Status Authenticated Host Count
----...
DHCPv4 Snooping
Table 54: DHCP Snooping Commands (Continued) (Command – Function)
ip dhcp snooping information option circuit-id – Enables or disables the use of DHCP Option 82 information circuit-id suboption
ip dhcp snooping trust – Configures the specified interface as trusted
ip dhcp snooping max-number – Configures the maximum number of DHCP clients...
◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier. ◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second.
...the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
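The snooping behaviour described above (server messages dropped on untrusted ports, a binding created on the server's ACK, the 100 packets per second limit, and optional MAC address verification) as an added Python model; it is not the switch firmware, and DhcpMsg, DhcpSnooping, the message field names and the idea of remembering the client's port from its REQUEST are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the DHCPv4 snooping rules in this chapter (added example,
# not switch code). Port names follow the manual's show output ("Eth 1/5").
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}
RATE_LIMIT_PPS = 100   # manual: 100 DHCP packets per second while snooping is enabled


@dataclass(frozen=True)
class DhcpMsg:
    kind: str                      # DISCOVER, OFFER, REQUEST, ACK, ...
    src_mac: str                   # Ethernet source address of the frame
    chaddr: str                    # client hardware address in the DHCP payload
    vlan: int
    port: str                      # ingress port, e.g. "Eth 1/5"
    yiaddr: Optional[str] = None   # address the server hands out (OFFER/ACK)
    lease: int = 0                 # lease time in seconds (ACK)
    second: int = 0                # arrival time in whole seconds, for rate limiting


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


class DhcpSnooping:
    def __init__(self, trusted_ports, verify_mac: bool = False):
        self.trusted = set(trusted_ports)      # ports given "ip dhcp snooping trust"
        self.verify_mac = verify_mac           # "ip dhcp snooping verify mac-address"
        self.bindings: List[Binding] = []
        # Assumption: the client's access port is remembered from its REQUEST so the
        # binding created on the server's ACK can point at that port.
        self._pending: Dict[str, Tuple[int, str]] = {}
        self._window = (-1, 0)                 # (second, packets counted in it)

    def _within_rate_limit(self, second: int) -> bool:
        sec, n = self._window
        if sec != second:
            sec, n = second, 0
        n += 1
        self._window = (sec, n)
        return n <= RATE_LIMIT_PPS

    def process(self, m: DhcpMsg) -> str:
        """Return the action taken for one DHCP message."""
        if not self._within_rate_limit(m.second):
            return "drop:rate-limit"
        trusted = m.port in self.trusted
        mac = m.chaddr.lower()
        if m.kind in SERVER_MSGS:
            # Server messages are only accepted from trusted (server-facing) ports.
            if not trusted:
                return "drop:server-message-on-untrusted-port"
            if m.kind == "ACK" and m.yiaddr:
                vlan, port = self._pending.pop(mac, (m.vlan, m.port))
                self.bindings.append(Binding(mac, m.yiaddr, m.lease, vlan, port))
                return "forward:binding-added"
            return "forward"
        if m.kind in CLIENT_MSGS:
            # MAC verification (assumed semantics): the frame's source address must
            # match the client hardware address inside the DHCP payload.
            if self.verify_mac and not trusted and m.src_mac.lower() != mac:
                return "drop:mac-mismatch"
            if m.kind == "REQUEST":
                self._pending[mac] = (m.vlan, m.port)
            return "forward"
        return "drop:unknown-message-type"
```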
Default Setting Option 82: Disabled CID/RID sub-type: Enabled Remote ID: MAC address (hexadecimal) Command Mode Global Configuration Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
ip dhcp snooping information option encode no-subtype – This command disables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID) in Option 82 information generated by the switch. Use the no form to enable the use of these fields. Syntax [no] ip dhcp snooping information option encode no-subtype...
Example This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID).
Console(config)#no ip dhcp snooping information option encode no-subtype
Console(config)#
ip dhcp snooping information option – This command sets the remote ID to the switch’s IP address, MAC address, or arbitrary string, TR-101 compliant node identifier, or removes VLAN ID from...
Command Usage The format for TR101 option 82 is: “<IP> eth <SID>/<PORT>[:<VLAN>]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added.
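A builder and validator for that TR-101 remote-ID string, as an added Python example rather than code from the manual; the function names, the IPv4-only assumption, and the 1-52 port check (taken from the interface ranges quoted elsewhere in this chapter) are assumptions of the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# "<IP> eth <SID>/<PORT>[:<VLAN>]" exactly as the manual states it.
TR101_RE = re.compile(
    r"^(?P<ip>[0-9.]+) eth (?P<sid>\d+)/(?P<port>\d+)(?::(?P<vlan>\d+))?$"
)
SWITCH_ID = 0     # the manual: SID is always 0 on this platform
MAX_PORT = 52     # assumption: port range 1-52 quoted for this switch's interfaces


@dataclass(frozen=True)
class Tr101RemoteId:
    ip: str
    sid: int
    port: int
    vlan: Optional[int]


def build_tr101_remote_id(switch_ip: str, port: int, pvid: int,
                          tagged_vlan: Optional[int] = None,
                          add_pvid_for_untagged: bool = True) -> str:
    """Compose the remote-ID the switch inserts (hypothetical helper).

    Tagged client packets always get their VLAN ID appended; untagged packets get
    the port PVID appended unless that default has been switched off.
    """
    ipaddress.IPv4Address(switch_ip)           # raises ValueError on a bad address
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port {port} outside 1-{MAX_PORT}")
    text = f"{switch_ip} eth {SWITCH_ID}/{port}"
    if tagged_vlan is not None:
        return f"{text}:{tagged_vlan}"
    if add_pvid_for_untagged:
        return f"{text}:{pvid}"
    return text


def parse_tr101_remote_id(text: str) -> Tr101RemoteId:
    """Validate a remote-ID seen by a DHCP server or relay and split it into fields."""
    m = TR101_RE.match(text)
    if not m:
        raise ValueError(f"not in TR-101 form: {text!r}")
    ip = str(ipaddress.IPv4Address(m["ip"]))   # rejects e.g. 300.1.1.1
    sid, port = int(m["sid"]), int(m["port"])
    if sid != SWITCH_ID:
        raise ValueError(f"unexpected switch id {sid}; this platform always uses 0")
    if not 1 <= port <= MAX_PORT:
        raise ValueError(f"port {port} outside 1-{MAX_PORT}")
    vlan = int(m["vlan"]) if m["vlan"] is not None else None
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} outside 1-4094")
    return Tr101RemoteId(ip, sid, port, vlan)


def is_well_formed(text: str) -> bool:
    """True when the string parses as a valid remote-ID for this switch."""
    try:
        parse_tr101_remote_id(text)
        return True
    except ValueError:
        return False
```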
keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports. replace - Replaces the Option 82 information circuit-id and remote-id fields in the client’s request with information about the relay agent itself, inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports.
Example This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
Related Commands ip dhcp snooping (274) ip dhcp snooping vlan (282) ip dhcp snooping trust (286)
ip dhcp snooping vlan – This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Related Commands ip dhcp snooping (274) ip dhcp snooping trust (286)
ip dhcp snooping information option circuit-id – This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings. Syntax...
■ sub-type - Distinguishes different types of circuit IDs. ■ sub-length - Length of the circuit ID type ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU.
Command Usage ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
Default Setting Command Mode Interface Configuration (Ethernet, Port Channel) Example This example sets the maximum number of DHCP clients supported on port 1 to 2.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number 2
Console(config-if)#
This command configures the specified interface as trusted.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#...
ip dhcp snooping database flash – This command writes all dynamically learned snooping entries to flash memory. Command Mode Privileged Exec Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory.
IPv4 Source Guard
ip source-guard binding – This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry. Syntax ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list no ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id...
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table. ◆ Static bindings are processed as follows: ■ A valid static IP source guard entry will be added to the binding table in...
Chapter 9 | General Security Measures IPv4 Source Guard This command configures the switch to filter inbound traffic based on source ip source-guard IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard...
Filtering rules are implemented as follows:
◆ If DHCPv4 snooping is disabled (see page 274), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
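The filtering rules above, and the binding-table constraint stated for the ip source-guard binding command (one MAC address cannot be bound in two different VLANs), can be exercised with a small model of the binding table. The following Python script is an added example written for this page, not switch firmware or vendor output; the Binding layout, the port naming ("eth1/1") and the decision that a frame with no matching binding is dropped are assumptions of the model, and the bindings and frames it checks are constructed. It shows the practical difference between the sip and sip-mac modes: a host that spoofs a neighbour's IP address from its own NIC passes in sip mode and is dropped in sip-mac mode.

```python
"""Model of IP source guard: a binding table filtered in 'sip' or 'sip-mac' mode.

Added example (not vendor code). Assumptions: entries carry the port, VLAN,
IP and MAC named in the command syntax, and a frame with no matching binding
is dropped. The bindings and frames below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str  # assumed naming, e.g. "eth1/1"


class SourceGuardTable:
    def __init__(self):
        self.entries = []

    def add_static(self, binding):
        """Add a static binding, enforcing the documented constraint that a MAC
        already bound in one VLAN cannot be bound again in a different VLAN."""
        for e in self.entries:
            if e.mac.lower() == binding.mac.lower() and e.vlan != binding.vlan:
                raise ValueError(
                    f"{binding.mac} is already bound in VLAN {e.vlan}; "
                    f"refusing binding in VLAN {binding.vlan}")
        if binding not in self.entries:
            self.entries.append(binding)
        return len(self.entries)

    def permits(self, mode, port, vlan, src_ip, src_mac):
        """Decide whether an inbound frame is forwarded.

        'sip'     : port, VLAN and source IP must match a binding.
        'sip-mac' : the source MAC must match the same binding as well.
        No matching binding means the frame is dropped (model assumption).
        """
        if mode not in ("sip", "sip-mac"):
            raise ValueError("mode must be 'sip' or 'sip-mac'")
        for e in self.entries:
            if e.port != port or e.vlan != vlan or e.ip != src_ip:
                continue
            if mode == "sip" or e.mac.lower() == src_mac.lower():
                return True
        return False


def demo():
    """Constructed scenario: one legitimate host and a neighbour spoofing its IP."""
    table = SourceGuardTable()
    table.add_static(Binding("00-10-b5-f4-d0-01", 1, "10.2.44.96", "eth1/1"))

    legit = dict(port="eth1/1", vlan=1, src_ip="10.2.44.96", src_mac="00-10-b5-f4-d0-01")
    # Same port and VLAN, correct IP, but a different source MAC (IP spoofing
    # from another NIC behind the same untrusted port).
    spoof = dict(port="eth1/1", vlan=1, src_ip="10.2.44.96", src_mac="00-10-b5-f4-d0-99")
    # An address that was never bound at all.
    unknown = dict(port="eth1/1", vlan=1, src_ip="10.2.44.200", src_mac="00-10-b5-f4-d0-01")

    results = {
        "sip_legit": table.permits("sip", **legit),
        "sip_spoof": table.permits("sip", **spoof),          # sip ignores the MAC
        "sipmac_spoof": table.permits("sip-mac", **spoof),   # sip-mac catches it
        "unknown": table.permits("sip", **unknown),
    }
    # The same MAC in a second VLAN is rejected, as the command usage states.
    try:
        table.add_static(Binding("00-10-b5-f4-d0-01", 2, "10.2.45.96", "eth1/2"))
        results["dup_mac_other_vlan"] = "accepted"
    except ValueError:
        results["dup_mac_other_vlan"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

Run the script directly to print the five decisions; the sip_spoof / sipmac_spoof pair is the reason to prefer sip-mac on ports where hosts cannot be trusted not to change their IP address.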
Default Setting
Mode: ACL, Maximum Binding: 5
Mode: MAC, Maximum Binding: 16
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be...

Default Setting
Command Mode
Interface Configuration (Ethernet)
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the...

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.
Command Mode
Privileged Exec
Example
Console#show ip source-guard
                                        ACL Table    MAC Table
Interface  Filter-type  Filter-table  Max-binding  Max-binding
---------...
00-10-b5-f4-d0-01  10.2.44.96  static-acl  1  Eth 1/1
Console#

ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.

ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to disable this function.
Syntax
[no] ip arp inspection
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with this command, it becomes...

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.

ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet...
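The checks selected by the dst-mac, src-mac, ip and allow-zeros keywords compare fields of the Ethernet header against fields of the ARP body, or reject unusable addresses in the body. The following Python script is an added example, not switch code or vendor output. It models the checks as they are conventionally defined for dynamic ARP inspection (dst-mac: Ethernet destination versus ARP target MAC, applied to replies; src-mac: Ethernet source versus ARP sender MAC, applied to requests and replies; ip: 0.0.0.0, 255.255.255.255 and multicast addresses are invalid, with allow-zeros exempting a 0.0.0.0 sender as used by ARP probes); where this page's parameter text is cut short, those definitions are an assumption. The frames it checks, including the MAC and IP addresses, are constructed.

```python
"""Model of the ARP Inspection 'validate' checks on an Ethernet II / ARP frame.

Added example (not vendor code). The check definitions are the conventional
dynamic-ARP-inspection semantics and are an assumption where this page's
parameter descriptions are truncated. All frames below are constructed.
"""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_arp_frame(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    ether = mac_bytes(eth_dst) + mac_bytes(eth_src) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return ether + arp


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet II ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4 over Ethernet ARP")
    body = frame[22:42]
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
        "sender_mac": body[0:6], "sender_ip": ipaddress.IPv4Address(body[6:10]),
        "target_mac": body[10:16], "target_ip": ipaddress.IPv4Address(body[16:20]),
    }


def invalid_ip(addr: ipaddress.IPv4Address, allow_zeros: bool) -> bool:
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return not allow_zeros
    return addr == ipaddress.IPv4Address("255.255.255.255") or addr.is_multicast


def validate(frame: bytes, dst_mac=False, ip=False, allow_zeros=False, src_mac=False) -> list:
    """Return the names of the enabled checks the frame fails (empty list = passes)."""
    p = parse_arp_frame(frame)
    failed = []
    # src-mac: Ethernet source must equal the ARP sender MAC (requests and replies).
    if src_mac and p["eth_src"] != p["sender_mac"]:
        failed.append("src-mac")
    # dst-mac: for replies, Ethernet destination must equal the ARP target MAC.
    if dst_mac and p["op"] == ARP_REPLY and p["eth_dst"] != p["target_mac"]:
        failed.append("dst-mac")
    # ip: sender IP is checked on requests and replies, target IP on replies only;
    # allow-zeros exempts only a 0.0.0.0 sender (an ARP probe).
    if ip:
        if invalid_ip(p["sender_ip"], allow_zeros):
            failed.append("ip (sender)")
        if p["op"] == ARP_REPLY and invalid_ip(p["target_ip"], allow_zeros=False):
            failed.append("ip (target)")
    return failed


# Constructed addresses for the demo scenario.
VICTIM_MAC, VICTIM_IP = "00-10-b5-f4-d0-01", "10.2.44.96"
GATEWAY_MAC, GATEWAY_IP = "00-e0-29-94-34-de", "10.2.44.1"
ATTACKER_MAC = "02-00-00-00-be-ef"


def demo():
    """Honest reply, a spoofed reply, an ARP probe and a reply with a multicast target."""
    honest = build_arp_frame(VICTIM_MAC, GATEWAY_MAC, ARP_REPLY,
                             GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    # The attacker's NIC sends the frame but claims the gateway's MAC in the ARP body.
    spoofed = build_arp_frame(VICTIM_MAC, ATTACKER_MAC, ARP_REPLY,
                              GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    probe = build_arp_frame("ff-ff-ff-ff-ff-ff", VICTIM_MAC, ARP_REQUEST,
                            VICTIM_MAC, "0.0.0.0", "00-00-00-00-00-00", VICTIM_IP)
    mcast = build_arp_frame(VICTIM_MAC, GATEWAY_MAC, ARP_REPLY,
                            GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "224.0.0.1")
    everything = dict(dst_mac=True, ip=True, src_mac=True)
    return {
        "honest": validate(honest, **everything),
        "spoofed": validate(spoofed, **everything),
        "probe_strict": validate(probe, ip=True),
        "probe_allow_zeros": validate(probe, ip=True, allow_zeros=True),
        "multicast_target": validate(mcast, **everything),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name:18} {'pass' if not failures else 'DROP ' + ', '.join(failures)}")
```

The probe_strict / probe_allow_zeros pair is the operational reason the allow-zeros keyword exists: hosts performing duplicate-address detection send requests with a 0.0.0.0 sender address, and a strict ip check drops them.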
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a set of individual VLANs with each entry separated by a comma.
Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage...

none - There is no limit on the number of ARP packets that can be processed by the CPU.
Default Setting
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ This command applies to both trusted and untrusted ports....

show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection configuration
ARP Inspection Global Information:
Global IP ARP Inspection Status : disabled
Log Message Interval            : 1 s
Log Message Number...

show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num  VLAN  Port  Src IP Address  Dst IP Address...

Example
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status       ACL Name              ACL Status
-------- --------------- -------------------- --------------------
1        disabled         sales                 static
Console#

Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
dos-protection echo-chargen
This command protects against DoS echo/chargen attacks, in which the echo service repeats anything sent to it and the chargen (character generator) service generates a continuous stream of data. When the two services are pointed at each other, they create an infinite loop and result in a denial of service.

dos-protection tcp-flooding
This command protects against DoS TCP-flooding (SYN flood) attacks, in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never completes the handshake with the final ACK. These half-open connections bind resources on the target until they time out, and no new connections can be made, resulting in a denial of service.

dos-protection tcp-syn-fin-scan
This command protects against DoS TCP SYN/FIN-scan attacks, in which TCP SYN/FIN scan messages are used to identify listening TCP ports. The scan uses a series of malformed TCP packets in which both the SYN (synchronize) and FIN (finish) flags are set, a combination that never occurs in a legitimate connection.

dos-protection udp-flooding
This command protects against DoS UDP-flooding attacks, in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. For each port on which no application is listening, the target replies with an ICMP Destination Unreachable (Port Unreachable) packet, so a high packet rate exhausts the target's resources.

Example
Console(config)#dos-protection win-nuke bit-rate-in-kilo 65
Console(config)#

show dos-protection
This command shows the configuration settings for the DoS protection commands.
Command Mode
Privileged Exec
Example
Console#show dos-protection
Global DoS Protection:
 Echo/Chargen Attack  : Disabled, 1000 kilobits per second
 Smurf Attack         : Enabled
 TCP Flooding Attack...
Port-based Traffic Segmentation

Table 60: Commands for Configuring Traffic Segmentation (Continued)
Command                                Function                                                                                      Mode
traffic-segmentation uplink-to-uplink  Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions
show traffic-segmentation              Displays the configured traffic segments

This command enables traffic segmentation.

The forwarding state for uplink-to-uplink ports is configured by the traffic-segmentation uplink-to-uplink command.
◆ When traffic segmentation is disabled, all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol.

traffic-segmentation uplink/downlink
This command configures the uplink and downlink ports for a segmented group of ports. Use the no form to remove a port from the segmented group.
Syntax
[no] traffic-segmentation [session session-id] {uplink interface-list [downlink interface-list] | downlink interface-list}
session-id –...

Example
This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks.
Console(config)#traffic-segmentation
Console(config)#traffic-segmentation uplink ethernet 1/10 downlink ethernet 1/5-8
Console(config)#

traffic-segmentation uplink-to-uplink
This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions.
Access Control Lists
Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).

Chapter 10 | Access Control Lists
IPv4 ACLs

Table 63: IPv4 ACL Commands
Command               Function                                      Mode
show ip access-group  Shows port assignments for IPv4 ACLs
show ip access-list   Displays the rules for configured IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs.

permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies the flag bits in byte 14 of the TCP header, i.e. the low six bits of the flags byte at offset 13 counting from zero: FIN (1), SYN (2), RST (4), PSH (8), ACK (16), URG (32). (Range: 0-63)
flag-bitmask –...

Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The mask selects the address bits that are compared: the rule matches when the packet's source address ANDed with the mask equals the rule address ANDed with the mask, so (10.7.1.2 & 255.255.255.0) = 10.7.1.0 = (10.7.1.0 & 255.255.255.0) and the packet passes through. Note that, unlike a wildcard mask, a set bit in this mask means the bit must match, so a mask of all ones is an exact-host match and a mask of all zeros matches anything.
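The mask semantics just described, the control-flags and flag-bitmask parameters, and the kind of rules shown in the show access-list output on this page can be exercised with a small model of the rule evaluator. The following Python script is an added example written for this page, not vendor firmware or CLI output; its top-to-bottom first-match evaluation with an implicit deny, and the Rule and Packet structures, are assumptions of the model, and the packets it classifies are constructed. It also makes visible a consequence of the documented port-bitmask semantics that is easy to miss: a rule written as "destination-port 80 80" compares only the bits of 80 (0x50), so it matches port 1104 as well as port 80; a bitmask of 65535 is needed for an exact port.

```python
"""Model of first-match IPv4 ACL evaluation with match-bit masks.

Added example (not vendor code). Assumptions: rules are tried top to bottom,
the first match decides, and a list with no match drops the packet (implicit
deny). Address and port masks follow the page's semantics: a set bit in the
mask selects a bit that must match. All packets below are constructed.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Low six bits of the TCP flags byte (offset 13 in the TCP header, "byte 14").
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP, UDP = 6, 17


def ip2int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def masked_eq(value: int, rule: int, mask: int) -> bool:
    """Compare only the bits selected by mask (the page's mask semantics)."""
    return (value & mask) == (rule & mask)


@dataclass
class Rule:
    action: str                                 # "permit" or "deny"
    src: str = "any"
    src_mask: str = "0.0.0.0"
    dst: str = "any"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None              # None = any protocol
    dport: Optional[Tuple[int, int]] = None     # (port, port-bitmask)
    control: Optional[Tuple[int, int]] = None   # (control-flags, flag-bitmask)


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tcp_flags: int = 0


def addr_match(pkt_addr: str, rule_addr: str, rule_mask: str) -> bool:
    if rule_addr == "any":
        return True
    return masked_eq(ip2int(pkt_addr), ip2int(rule_addr), ip2int(rule_mask))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not addr_match(pkt.src, rule.src, rule.src_mask):
        return False
    if not addr_match(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.dport is not None and not masked_eq(pkt.dport, *rule.dport):
        return False
    if rule.control is not None:
        # control-code only applies to TCP; a non-TCP packet cannot match it.
        if pkt.protocol != TCP or not masked_eq(pkt.tcp_flags, *rule.control):
            return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule wins; no match means 'deny'."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def tcp_flags_from_header(tcp_header: bytes) -> int:
    """Extract the six control bits that the control-code keyword compares."""
    return tcp_header[13] & 0x3F


# Constructed ACL modelled on the rules in the show access-list output, with a
# leading deny for packets carrying both SYN and FIN (the SYN/FIN-scan pattern).
DEMO_ACL = [
    Rule("deny", protocol=TCP, control=(SYN | FIN, SYN | FIN)),
    Rule("permit", "10.7.1.1", "255.255.255.0"),
    Rule("permit", "192.168.1.0", "255.255.255.0", dport=(80, 80)),
    Rule("permit", "192.168.1.0", "255.255.255.0", protocol=TCP, control=(SYN, SYN)),
]


def demo():
    # A 20-byte TCP header with only SYN set, built here to show the flag extraction.
    syn_header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, SYN, 65535, 0, 0)
    return {
        "flags_from_header": tcp_flags_from_header(syn_header),
        # 10.7.1.2 & 255.255.255.0 == 10.7.1.0 == 10.7.1.1 & 255.255.255.0
        "same_subnet": evaluate(DEMO_ACL, Packet("10.7.1.2", "10.0.0.1", UDP)),
        "other_subnet": evaluate(DEMO_ACL, Packet("10.7.2.2", "10.0.0.1", UDP)),
        # 1104 & 80 == 80, so a port bitmask of 80 matches far more than port 80.
        "port_1104_mask_80": evaluate(DEMO_ACL, Packet("192.168.1.5", "10.0.0.1", TCP, 1104, ACK)),
        "syn_fin_scan": evaluate(DEMO_ACL, Packet("10.7.1.2", "10.0.0.1", TCP, 22, SYN | FIN)),
        "syn_only": evaluate(DEMO_ACL, Packet("192.168.1.5", "10.0.0.1", TCP, 22, SYN)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

Swapping the third rule's bitmask to (80, 65535) makes the port_1104_mask_80 packet fall through to the implicit deny, which is the behaviour most administrators expect when they write a port rule.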
Command Mode
Interface Configuration (Ethernet)
Command Usage
If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in...

Example
Console#show ip access-list standard
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.0 255.255.15.0
Console#
Related Commands
permit, deny (319)

IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.

Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.

time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Standard IPv6 ACL
Command Usage
New rules are appended to the end of the list.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

51 : Authentication Header (RFC 2402)
50 : Encapsulating Security Payload (RFC 2406)
60 : Destination Options (RFC 2460)
Example
This example accepts any incoming packets if the destination address matches 2009:DB9:2229::79/8. Only the leading 8 bits are compared, so this rule admits any destination in 2000::/8, not just the single host; use /128 for a host match.
Console(config-ext-ipv6-acl)#permit any 2009:db9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Related Commands
access-list ipv6 (324)
Time Range (145)

ipv6 access-group
This command binds an IPv6 ACL to a port. Use the no form to remove the port.
Syntax
ipv6 access-group acl-name in [time-range time-range-name] [counter]
no ipv6 access-group acl-name in
acl-name –...

show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ipv6 access-group
Interface ethernet 1/2
 IPv6 standard access-list david in
Console#
Related Commands
ipv6 access-group (329)

This command displays the rules for configured IPv6 ACLs.
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.

Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands
permit, deny (332)
mac access-group (334)
show mac access-list (335)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or...

time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
MAC ACL
Command Usage
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted...

time-range-name - Name of the time range. (Range: 1-32 characters)
counter – Enables counter for ACL statistics.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.

show mac access-list
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
  permit any 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands
permit, deny (332)
mac access-group (334)

ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages.

Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the...

ip-address-bitmask – IPv4 number representing the address bits to match.
source-mac – Source MAC address.
destination-mac – Destination MAC address range with bitmask.
mac-address-bitmask – Bitmask for MAC address (in hexadecimal format).
log - Logs a packet when it matches the access control entry.

Related Commands
permit, deny (337)

ACL Information
This section describes commands used to display ACL information.

Table 67: ACL Information Commands
Command                              Function                                                          Mode
clear access-list hardware counters  Clears hit counter for rules in all ACLs, or in a specified ACL   PE
show access-group                    Shows the ACLs assigned to each port

show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/2
 IP access-list david
 MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.
Syntax
show access-list...
  permit 10.7.1.1 255.255.255.0 any
  permit 192.168.1.0 255.255.255.0 any destination-port 80 80
  permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
MAC access-list jerry:
  permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:
  deny tcp any any control-flag 2 2
  permit any any
Console#
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.

Table 68: Interface Commands
Command       Function                                                              Mode
Interface Configuration
interface     Configures an interface type and enters interface configuration mode
capabilities  Advertises the capabilities of a given interface for use in...

Chapter 11 | Interface Commands

Table 68: Interface Commands (Continued)
transceiver-threshold rx-power     Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message
transceiver-threshold temperature  Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message
transceiver-threshold...

Default Setting
None
Command Mode
Global Configuration
Example
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#

capabilities
This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.

Example
The following example configures Ethernet port 5 capabilities to include 100half, 100full and flow control.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
negotiation (348)
speed-duplex (349)
flowcontrol (346)

description
This command adds a description to an interface. Use the no form to remove the description.

flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should...

history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
Syntax
history name interval buckets
no history name
name - A symbolic name for this entry in the sampling table.

Command Usage
Available sfp-forced modes include:
Ports 49-52 (1000BASE SFP) support 1000sfp
Example
This forces the switch to use the 1000sfp mode for SFP port 28.
Console(config)#interface ethernet 1/28
Console(config-if)#media-type sfp-forced 1000sfp
Console(config-if)#

negotiation
This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.

Related Commands
capabilities (344)
speed-duplex (349)

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been...

◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.

Command Mode
Privileged Exec
Command Usage
Statistics are only initialized by a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: Always 1)
    port - Port number. (Range: 1-52)
  port-channel channel-id (Range: 1-24)
Default Setting
Shows the counters for all interfaces.
Table 69: show interfaces counters - display description (Continued)
Parameter         Description
Broadcast Output  The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.
Etherlike Statistics
FCS Errors        A count of frames received on a particular interface that are an...
Oversize Packets  The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
Fragments         The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had...
name - Name of sample as defined in the history command. (Range: 1-32 characters)
current - Statistics recorded in current interval.
previous - Statistics recorded in previous intervals.
index - An index into the buckets containing previous samples. (Range: 1-96)
count - The number of historical samples to display.

Start Time    Octets  Output  Unicast  Multicast  Broadcast
------------  ------  ------  -------  ---------  ---------
00d 00:00:03  0.00    677855
Start Time    Discards
------------  --------
00d 00:00:03
Console#

show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface...

Current Status:
 Link Status            : Up
 Port Operation Status  : Up
 Operation Speed-duplex : 100full
 Up Time                : 0w 0d 1h 11m 2s (4262 seconds)
 Flow Control Type      : None
 Max Frame Size         : 1518 bytes (1522 bytes for tagged frames)
 MAC Learning Status    : Enabled
Console#

 802.1Q Tunnel TPID     : 8100 (Hex)
Console#
Table 70: show interfaces switchport - display description
Field                Description
Broadcast Threshold  Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 397).

Example
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-monitor
Console#

transceiver-threshold-auto
This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature.
Syntax
transceiver-threshold-auto
Default Setting...
 Low Warning: 7 mA
 Low Alarm: 6 mA
Command Mode
Interface Configuration (SFP+ Ports)
Command Usage
◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent when the current value is greater than or equal to the threshold and the last sample value was less than the threshold.

low-alarm – Sets the low power threshold for an alarm message.
low-warning – Sets the low power threshold for a warning message.
threshold-value – The power threshold of the received signal. (Range: -4000 - 820 in units of 0.01 dBm)
Default Setting
High Alarm: -3.00 dBm
High Warning: -3.50 dBm...

low-alarm – Sets the low temperature threshold for an alarm message.
low-warning – Sets the low temperature threshold for a warning message.
threshold-value – The threshold of the transceiver temperature. (Range: -12800 - 12800 in units of 0.01 Celsius)
Default Setting
High Alarm: 75.00...

Command Usage
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, and received optical power, and related alarm thresholds.

Command Mode
Privileged Exec
Command Usage
◆ The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and...

Command Usage
◆ Cable diagnostics are performed using the Digital Signal Processing (DSP) test method when the port link-up speed is 1 Gbps. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse.

◆ Potential conditions which may be listed by the diagnostics are shown by the legend in the following example. Additional information is provided for the following test results.
■ OK: Correctly terminated pair
■ ON: Open pair, no link partner
■ IE (Impedance mismatch): Terminating impedance is not in the reference...

◆ The power-saving methods provided by this switch include:
■ Power saving when there is no link partner:
Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists.
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.

Chapter 12 | Link Aggregation Commands
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.

src-mac - Load balancing based on source MAC address.
Default Setting
src-dst-ip
Command Mode
Global Configuration
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
◆ To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections:
■ dst-ip: All traffic with the same destination IP address is output on the...

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Syntax
channel-group channel-id
no channel-group
channel-id - Trunk index (Range: 1-24)
Default Setting
The current port will be added to this trunk.
Command Mode
Interface Configuration (Ethernet)
Command Usage...
Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.

lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
actor - The local side of an aggregate link.

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.

lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.

Default Setting
long
Command Mode
Interface Configuration (Port Channel)
Command Usage
◆ The timeout configured by this command is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second.

Default Setting
Port Channel: all
Command Mode
Privileged Exec
Example
Console#show lacp 1 counters
Port Channel: 1
Member Port : Eth 1/24
 LACPDU Sent
 LACPDU Received
 MarkerPDU Sent
 MarkerPDU Received
 MarkerResponsePDU Sent
 MarkerResponsePDU Received : 0
 Unknown Packet Received
 Illegal Packet Received
Table 72: show lacp counters - display description...

Table 73: show lacp internal - display description
Field      Description
Admin Key  Current administrative value of the key for the aggregation port.
Oper Key   Current operational value of the key for the aggregation port.
Timeout    Time to wait for the next LACPDU before deleting partner port information.

Table 74: show lacp neighbors - display description
Field                    Description
Partner Admin System ID  LAG partner's system ID assigned by the user.
Partner Oper System ID   LAG partner's system ID assigned by the LACP protocol.
Partner Admin            Current administrative value of the port number for the protocol Partner.

show port-channel load-balance
This command shows the load-distribution method used on aggregated links.
Command Mode
Privileged Exec
Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#
Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 76: Port Mirroring Commands Command Function...
Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. Command Mode Interface Configuration (Ethernet, destination port) Command Usage ◆ You can mirror traffic from any source port to a destination port for real-...
Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). Example The following shows mirroring configured from port 6 to port 5: Console(config)#interface ethernet 1/5 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end...
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
rspan source This command specifies the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
Example The following example configures the switch to mirror received packets from ports 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination This command specifies the destination port on which the mirrored traffic is monitored.
◆ The source port and destination port cannot be configured on the same switch. ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 2 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2...
Command Mode Global Configuration Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port; access ports are not allowed (see switchport mode).
show rspan This command displays the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id - A number identifying this RSPAN session. (Range: 1) Three sessions are allowed, including both local and remote mirroring, using different VLANs for RSPAN sessions.
Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Chapter 14 | Congestion Control Commands Storm Control Commands output – Output rate for specified interface rate – Maximum value in kbps. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports; 64 - 10,000,000 kbits per second for 10 Gigabit Ethernet ports) The resolution at which the rate can be configured is 16 kbits/sec.
switchport packet-rate This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. Syntax switchport {broadcast | multicast | unknown-unicast} packet-rate rate no switchport {broadcast | multicast | unknown-unicast} broadcast - Specifies storm control for broadcast traffic.
Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back. Table 82: Loopback Detection Commands Command Function...
Chapter 15 | Loopback Detection Commands loopback-detection This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Enabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Usage ◆ When a port receives a control frame sent by itself, this means that the port is in a looped state, and the VLAN in the frame payload is also in a looped state with the wrong VLAN tag. The looped port is therefore shut down. Use the loopback-detection recover-time command to set the time to wait...
Example Console(config)#loopback-detection recover-time 120 Console(config)# loopback-detection transmit-interval This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting. Syntax loopback-detection transmit-interval seconds no loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
Command Mode Global Configuration Command Usage Refer to the loopback-detection recover-time command for information on the conditions which constitute loopback recovery. Example Console(config)#loopback-detection trap both Console(config)# loopback-detection release This command releases all interfaces currently shut down by the loopback detection feature.
Chapter 15 | Loopback Detection Commands Action : Shutdown Trap : None Loopback Detection Port Information Port Admin State Oper State -------- ----------- ---------- Eth 1/ 1 Enabled Normal Eth 1/ 2 Disabled Disabled Eth 1/ 3 Disabled Disabled Console#show loopback-detection ethernet 1/1 Loopback Detection Information of Eth 1/1 Admin State : Enabled Oper State...
Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 83: Address Table Commands Command Function Mode mac-address-table aging-time Sets the aging time of the address table mac-address-table static Maps a static address to a port in a VLAN...
Chapter 16 | Address Table Commands Example Console(config)#mac-address-table aging-time 100 Console(config)# mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address.
Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear collision-mac-address-table This command removes all entries from the collision MAC address table. Default Setting None Command Mode Privileged Exec Example Console#clear collision-mac-address-table Console# This command removes any learned entries from the forwarding database.
Chapter 16 | Address Table Commands The maximum number of address entries is 16K. ◆ Example Console#show mac-address-table Interface MAC Address VLAN Type Life Time --------- ----------------- ---- -------- ----------------- 00-E0-00-00-00-01 1 CPU Delete on Reset Eth 1/ 1 00-E0-0C-10-90-09 1 Learn Delete on Timeout Eth 1/ 1 00-E0-29-94-34-64...
Chapter 16 | Address Table Commands Example Console#show mac-address-table count interface ethernet 1/1 MAC Entries for Eth 1/1 Total Address Count Static Address Count Dynamic Address Count Console#show mac-address-table count Compute the number of MAC Address... Maximum number of MAC Address which can be created in the system: Total Number of MAC Address : 16384 Number of Static MAC Address...
Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 84: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree Configures spanning tree operation to be compatible cisco-prestandard...
Chapter 17 | Spanning Tree Commands Table 84: Spanning Tree Commands (Continued) Command Function Mode spanning-tree loopback-detection action Configures the response for loopback detection to block user traffic or shut down the interface spanning-tree loopback-detection release-mode Configures loopback release mode for a port spanning-tree Enables BPDU loopback SNMP trap notification for a...
Chapter 17 | Spanning Tree Commands routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
Command Usage This command sets the time interval (in seconds) at which the root device transmits a configuration message. Example Console(config)#spanning-tree hello-time 5 Console(config)# Related Commands spanning-tree forward-time (413) spanning-tree max-age (414) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch.
spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode stp - Spanning Tree Protocol (IEEE 802.1D) rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) mstp - Multiple Spanning Tree (IEEE 802.1s) Default Setting...
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# This command changes to Multiple Spanning Tree (MST) configuration mode.
Command Mode Global Configuration Command Usage ◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 425) takes precedence over port priority...
spanning-tree system-bpdu-flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
Chapter 17 | Spanning Tree Commands Default Setting All ports and trunks belong to a common group. Command Mode Global Configuration Command Usage A port can only belong to one group. When an interface is added to a group, it is removed from the default group.
max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode...
Command Usage ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located.
Chapter 17 | Spanning Tree Commands Command Mode MST Configuration Command Usage The MST region name (page 422) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree bpdu-filter Console(config-if)# Related Commands spanning-tree edge-port (426) spanning-tree bpdu-guard This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Related Commands spanning-tree edge-port (426) spanning-tree spanning-disabled (434) spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port.
Command Usage ◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Chapter 17 | Spanning Tree Commands When edge port is set as auto, the operational state is determined ◆ automatically by the Bridge Detection State Machine described in 802.1D- 2004, where the edge port state may change dynamically based on environment changes (e.g., receiving a BPDU or not within the required interval).
spanning-tree loopback-detection This command enables the detection of and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. Syntax [no] spanning-tree loopback-detection Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage If Port Loopback Detection is not enabled and a port receives its own...
Chapter 17 | Spanning Tree Commands command, the selected interface will be automatically enabled when the shutdown interval has expired. ◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
◆ When configured for manual release mode, a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual Console(config-if)#...
Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This command defines the priority for the use of an interface in the multiple spanning tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting Command Mode Interface Configuration (Ethernet, Port Channel)
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time. ◆...
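The root takeover described above, and the MST priority rule described under the mst priority command, both follow from how the Bridge Identifier is compared. The following is an added example written for this guide, not code from the switch or its vendor: it builds the 64-bit Bridge Identifier (16-bit priority field, whose upper 4 bits are the configured priority in steps of 4096 and whose lower 12 bits carry the MST instance ID, followed by the 48-bit bridge MAC) and elects the root the way any STP/RSTP/MSTP bridge does, by lowest identifier. The bridge names and MAC addresses are constructed for the demonstration; the "rogue" entry shows why a device with a low MAC or a lowered priority plugged into an unguarded port becomes root immediately, which is the case root guard exists to stop.

```python
"""Added example: spanning-tree root election by Bridge Identifier.

Illustrative code written for this guide; it is not the switch's
implementation. Lowest Bridge Identifier wins. Ties on the priority field
are broken by the MAC address, so a bridge with a lower MAC (or any lower
configured priority) takes over as root the moment it joins the topology.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def mac_to_int(mac: str) -> int:
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return int("".join(parts), 16)


@dataclass(frozen=True)
class Bridge:
    name: str                                   # constructed label, not a real device
    mac: str
    priority: int = 32768                       # CIST priority, multiple of 4096
    mst_priority: Optional[Dict[int, int]] = None  # per-MSTI overrides: instance -> priority

    def bridge_id(self, instance: int = 0) -> int:
        """64-bit identifier: (priority | instance_id) << 48 | MAC."""
        prio = self.priority
        if self.mst_priority and instance in self.mst_priority:
            prio = self.mst_priority[instance]
        if prio % 4096 or not 0 <= prio <= 61440:
            raise ValueError(f"{self.name}: priority {prio} must be 0..61440 in steps of 4096")
        if not 0 <= instance <= 4095:
            raise ValueError("MST instance id must fit in 12 bits")
        return ((prio | instance) << 48) | mac_to_int(self.mac)


def elect_root(bridges: List[Bridge], instance: int = 0) -> Bridge:
    """The bridge with the numerically lowest identifier becomes root."""
    return min(bridges, key=lambda b: b.bridge_id(instance))


def format_bridge_id(bridge: Bridge, instance: int = 0) -> str:
    """Render as 'show spanning-tree' does: <priority field>.<MAC>."""
    bid = bridge.bridge_id(instance)
    return f"{bid >> 48}.{bid & ((1 << 48) - 1):012X}"


# Constructed topology: intended root, a peer that should own MSTI 1,
# and a rogue device with a very low MAC on an access port.
CORE = Bridge("core", "00-00-E8-94-40-00", priority=4096, mst_priority={1: 4096})
PEER = Bridge("peer", "00-00-E8-94-40-10", priority=8192, mst_priority={1: 0})
ROGUE = Bridge("rogue", "00-00-00-00-00-01")  # default priority 32768

if __name__ == "__main__":
    print("CIST root  :", elect_root([CORE, PEER, ROGUE]).name, format_bridge_id(CORE))
    print("MSTI 1 root:", elect_root([CORE, PEER, ROGUE], instance=1).name)
    lowered = Bridge("rogue", ROGUE.mac, priority=0)
    print("rogue at priority 0 becomes root:", elect_root([CORE, PEER, lowered]).name)
```

With the default priority the rogue loses only because the core's priority is lower; set it to 0 (one command on the rogue) and it wins outright. That is why ports that should never see a root candidate get spanning-tree root-guard, and why edge ports get bpdu-guard rather than relying on priority alone.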
Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree tc-prop-stop This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages. Syntax [no] spanning-tree tc-prop-stop...
Chapter 17 | Spanning Tree Commands Command Mode Privileged Exec Command Usage Use this command to release an interface from discarding state if loopback detection release mode is set to “manual” by the spanning-tree loopback- detection release-mode command and BPDU loopback occurs. Example Console#spanning-tree loopback-detection release ethernet 1/1 Console#...
show spanning-tree This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST). Syntax show spanning-tree [interface | mst instance-id | brief | stp-enabled-only] interface...
Chapter 17 | Spanning Tree Commands Example Console#show spanning-tree Spanning Tree Information --------------------------------------------------------------- Spanning Tree Mode : MSTP Spanning Tree Enabled/Disabled : Enabled Instance VLANs Configured : 1-4094 Priority : 32768 Bridge Hello Time (sec.) Bridge Max. Age (sec.) : 20 Bridge Forward Delay (sec.) : 15 Root Hello Time (sec.)
Chapter 17 | Spanning Tree Commands This example shows a brief summary of global and interface setting for the spanning tree. Console#show spanning-tree brief Spanning Tree Mode : RSTP Spanning Tree Enabled/Disabled : Enabled Designated Root : 32768.0000E8944000 Current Root Port (Eth) : 1/24 Current Root Cost : 10000...
Example Console#show spanning-tree tc-prop group 1 Group 1 Eth 1/ 1, Eth 1/ 2, Eth 1/ 3, Eth 1/ 4, Eth 1/ 5 Console#...
VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 18 | VLAN Commands Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete...
Chapter 18 | VLAN Commands Configuring VLAN Interfaces state - Keyword to be followed by the VLAN state. active - VLAN is operational. suspend - VLAN is suspended. Suspended VLANs do not pass packets. rspan - Keyword to create a VLAN used for mirroring traffic from remote switches.
Chapter 18 | VLAN Commands Configuring VLAN Interfaces Table 89: Commands for Configuring VLAN Interfaces (Continued) Command Function Mode switchport allowed vlan Configures the VLANs associated with an interface switchport ingress-filtering Enables ingress filtering on an interface switchport mode Configures VLAN membership mode for an interface switchport native vlan Configures the PVID (native VLAN) of an interface switchport priority default...
Configuring VLAN Interfaces switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
Chapter 18 | VLAN Commands Configuring VLAN Interfaces add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained. remove vlan-list - List of VLAN identifiers to remove. Default Setting All ports are assigned to VLAN 1 by default.
Chapter 18 | VLAN Commands Configuring VLAN Interfaces Default Setting Hybrid mode, with the PVID set to VLAN 1. Command Mode Interface Configuration (Ethernet, Port Channel) Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid...
Chapter 18 | VLAN Commands Displaying VLAN Information Console(config)#interface ethernet 1/1 Console(config-if)#switchport native vlan 3 Console(config-if)# Displaying VLAN Information This section describes commands used to display VLAN information. Table 90: Commands for Displaying VLAN Information Command Function Mode show interfaces status Displays status for the specified VLAN interface NE, PE vlan...
Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Eth1/26(S) Console# Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan). Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
Configuring IEEE 802.1Q Tunneling Related Commands show dot1q-tunnel (456) show interfaces switchport (358) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode...
switchport dot1q-tunnel priority map This command copies the inner tag priority to the outer tag priority. Use the no form to disable this feature. Syntax [no] switchport dot1q-tunnel priority map Default Setting Disabled Command Mode...
◆ When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and apply appropriate methods of queue management at intermediate nodes across the tunnel.
Default Setting 0x8100 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
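The QinQ behaviour described in this section (the tunnel access port pushing an SPVLAN outer tag on ingress, the optional inner-to-outer priority copy, a non-standard TPID on the uplink, and the outer tag being stripped again toward the customer) can be seen on the wire with the following added example. It is illustrative code written for this guide, not switch firmware or vendor code; the sample customer frame, the SPVLAN 2000 and the TPID 0x9100 are constructed values. The example also shows the interoperability point the tpid command exists for: a receiver still expecting 0x8100 does not recognise a 0x9100 outer tag as a VLAN tag at all.

```python
"""Added example: IEEE 802.1Q-in-802.1Q (QinQ) tag push/pop.

Illustrative code written for this guide, not the switch's implementation.
A VLAN tag is 4 bytes inserted after the two MAC addresses: a 16-bit TPID
(0x8100 by default) followed by a 16-bit TCI whose top 3 bits are the PCP
(priority) and whose low 12 bits are the VID.
"""
import struct

DEFAULT_TPID = 0x8100  # standard 802.1Q ethertype


def parse_tag(frame: bytes, tpid: int = DEFAULT_TPID):
    """Return (pcp, vid) of the outermost tag if it uses `tpid`, else None."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != tpid:
        return None  # a receiver expecting `tpid` sees no VLAN tag here
    tci = struct.unpack("!H", frame[14:16])[0]
    return (tci >> 13) & 0x7, tci & 0x0FFF


def push_spvlan_tag(frame: bytes, spvlan: int, tpid: int = DEFAULT_TPID,
                    priority_map: bool = False) -> bytes:
    """What a dot1q-tunnel access port does on ingress: push the SPVLAN tag.

    priority_map models 'switchport dot1q-tunnel priority map': the customer
    PCP from the inner tag (if present) is copied into the outer tag,
    otherwise the outer PCP is 0.
    """
    if not 1 <= spvlan <= 4094:
        raise ValueError("SPVLAN must be 1..4094")
    pcp = 0
    inner = parse_tag(frame, DEFAULT_TPID)  # customer tags use the standard TPID
    if priority_map and inner is not None:
        pcp = inner[0]
    outer = struct.pack("!HH", tpid, (pcp << 13) | spvlan)
    return frame[:12] + outer + frame[12:]


def pop_spvlan_tag(frame: bytes, tpid: int = DEFAULT_TPID) -> bytes:
    """Egress toward the customer: strip the outer tag, leaving the original frame."""
    if parse_tag(frame, tpid) is None:
        raise ValueError("no outer tag with the expected TPID")
    return frame[:12] + frame[16:]


def describe(frame: bytes, outer_tpid: int = DEFAULT_TPID) -> dict:
    """Report outer and inner (pcp, vid) as a tunnel-aware receiver would see them."""
    outer = parse_tag(frame, outer_tpid)
    if outer is None:
        return {"outer": None, "inner": parse_tag(frame)}
    return {"outer": outer, "inner": parse_tag(frame[:12] + frame[16:])}


# Constructed sample: customer frame tagged VLAN 100 with PCP 5, IPv4 ethertype, zero payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
CUSTOMER_FRAME = (DST + SRC + struct.pack("!HH", 0x8100, (5 << 13) | 100)
                  + struct.pack("!H", 0x0800) + b"\x00" * 46)

if __name__ == "__main__":
    tunnelled = push_spvlan_tag(CUSTOMER_FRAME, spvlan=2000, tpid=0x9100, priority_map=True)
    print("on the uplink  :", describe(tunnelled, outer_tpid=0x9100))
    print("0x8100 receiver:", describe(tunnelled))  # outer tag not recognised
    print("restored       :", pop_spvlan_tag(tunnelled, tpid=0x9100) == CUSTOMER_FRAME)
```

Note that with priority map disabled the outer PCP is always 0, so any per-hop queuing on the provider side would treat all tunnelled customer traffic alike; with it enabled the customer controls the outer PCP, which is a reason to police or remark at the tunnel edge.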
Configuring Protocol-based VLANs Table 92: Protocol-based VLAN Commands Command Function Mode protocol-vlan protocol-group (Configuring Groups) Creates a protocol group, specifying the supported protocols protocol-vlan protocol-group (Configuring Interfaces) Maps a protocol group to a VLAN show protocol-vlan protocol-group Shows the configuration of protocol groups...
Chapter 18 | VLAN Commands Configuring Protocol-based VLANs Command Mode Global Configuration Example The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types: Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp Console(config)# This command maps a protocol group to a VLAN for the current interface.
■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. ■ If the frame is untagged and the protocol type matches, the frame is...
show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.
Configuring MAC Based VLANs Table 93: MAC Based VLAN Commands Command Function Mode mac-vlan Maps a source MAC address (with optional mask) to a VLAN show mac-vlan Displays MAC-based VLAN settings mac-vlan This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
001...). A mask for the MAC address 00-50-6e-00-5f-b1, translated into binary MAC: 00000000-01010000-01101110-00000000-01011111-10110001 could be: 11111111-11xxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx. So the mask in hexadecimal for this example could be: ff-fx-xx-xx-xx-xx / ff-c0-00-00-00-00 / ff-e0-00-00-00-00. Example The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
◆ The Voice VLAN ID cannot be modified when the global auto-detection status is enabled (see the switchport voice vlan command). Example The following example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234.
Example The following example configures the Voice VLAN aging time as 3000 minutes. Console(config)#voice vlan aging 3000 Console(config)# voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone Console(config)# switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan...
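Both the mac-vlan command (with the binary mask discussion in the MAC Based VLAN section above) and the voice vlan mac-address command above classify a frame by comparing its source MAC against a table entry under a mask. The following is an added example written for this guide, not switch or vendor code, that performs that comparison, validates that a mask is a contiguous run of leading 1-bits, and picks the most specific match when several entries overlap. The table is constructed from the guide's own example addresses (00-00-00-11-22-33 to VLAN 10, the 00-50-6e-00-5f-b1 / ff-c0-00-00-00-00 mask example, and the 00-12-34-56-78-90 / ff-ff-ff-00-00-00 telephony OUI); the VLAN 20 assignment and the longest-mask tie-break are assumptions for the demonstration, not documented switch behaviour. Because a source MAC is trivially spoofed, anything matched this way (a voice VLAN, a MAC-based VLAN) should be treated as a convenience, not an access control.

```python
"""Added example: MAC-address-to-VLAN classification with prefix masks.

Illustrative code written for this guide, not the switch's implementation.
A frame matches an entry when (src & mask) == (entry_mac & mask). The same
matching serves 'mac-vlan' entries and the Voice VLAN Telephony OUI list.
"""
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value: int) -> str:
    return "-".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def mask_prefix_len(mask: str) -> int:
    """Number of leading 1-bits; rejects non-contiguous masks such as ff-00-ff-00-00-00."""
    bits = f"{mac_to_int(mask):048b}"
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"mask {mask} is not a contiguous prefix")
    return len(ones)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: str
    mask: str
    vlan: int            # VLAN assigned by mac-vlan, or the Voice VLAN for an OUI entry
    description: str = ""

    def matches(self, src_mac: str) -> bool:
        m = mac_to_int(self.mask)
        return (mac_to_int(src_mac) & m) == (mac_to_int(self.mac) & m)


def classify(src_mac: str, entries: List[MacVlanEntry]) -> Optional[MacVlanEntry]:
    """Return the most specific (longest-mask) matching entry, or None (assumed tie-break)."""
    hits = [e for e in entries if e.matches(src_mac)]
    if not hits:
        return None
    return max(hits, key=lambda e: mask_prefix_len(e.mask))


# Constructed table built from the guide's example addresses.
TABLE = [
    MacVlanEntry("00-00-00-11-22-33", "ff-ff-ff-ff-ff-ff", 10, "exact host -> VLAN 10"),
    MacVlanEntry("00-50-6e-00-5f-b1", "ff-c0-00-00-00-00", 20, "10-bit prefix from the mask discussion"),
    MacVlanEntry("00-12-34-56-78-90", "ff-ff-ff-00-00-00", 1234, "A new phone (telephony OUI)"),
]

if __name__ == "__main__":
    for mac in ("00-00-00-11-22-33", "00-12-34-ab-cd-ef", "00-7f-ff-ff-ff-ff", "01-00-00-00-00-00"):
        hit = classify(mac, TABLE)
        print(mac, "->", f"VLAN {hit.vlan} ({hit.description})" if hit else "no match")
```

The 10-bit mask from the guide's example admits every address whose first ten bits are 0000000001, i.e. 00-40-xx through 00-7f-xx, which is far broader than one vendor OUI; check the prefix length before trusting a mask that was copied from an example.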
switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value.
Chapter 18 | VLAN Commands Configuring Voice VLANs address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. ◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on.
Chapter 18 | VLAN Commands Configuring Voice VLANs Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings. Default Setting None Command Mode Privileged Exec Command Usage When the switchport voice vlan command is set to auto mode, the remaining...
Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 19 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing.
Chapter 19 | Class of Service Commands Priority Commands (Layer 2) which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value. Service time is shared at the egress ports by defining scheduling weights ◆...
Chapter 19 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7. Console(config)#interface ethernet 1/1 Console(config-if)#queue weight 1 2 3 4 5 6 7 8 Console(config-if)# Related Commands queue mode (472)
Chapter 19 | Class of Service Commands Priority Commands (Layer 2) output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#...
Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 97: Priority Commands (Layer 3 and 4) Command Function Mode...
qos map dscp-queue This command maps DSCP values in incoming packets to per-hop behavior for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-queue dscp-queue from dscp0 ...
Example This example changes the priority for all packets entering port 2 which contain a DSCP value of 1 to a per-hop behavior of 3. Console(config)#interface ethernet 1/2 Console(config-if)#qos map dscp-queue 3 from 1 Console(config-if)# This command sets QoS mapping to DSCP or CoS.
Example This example sets the QoS priority mapping mode on port 1 to use CoS, under the conditions described in the Command Usage section. Console(config)#interface ethernet 1/1 Console(config-if)#qos map trust-mode cos Console(config-if)# This command shows the ingress CoS to egress queue map.
Chapter 19 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Command Usage This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4. Example The ingress DSCP is composed of ingress-dscp10 (most significant digit in the left column) and ingress-dscp1 (least significant digit in the top row (in other...
Chapter 20 | Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.

CoS value. Note that a class map can include match settings for both IP values and a VLAN. Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode.

Example This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3:
Console(config)#class-map rd-class
Console(config-cmap)#match cos 3
Console(config-cmap)#
Related Commands show class-map (491)

description
This command specifies the description of a class map or policy map. Syntax description string...

Default Setting None Command Mode Class Map Configuration Command Usage ◆ First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map.

rename
Syntax rename map-name map-name - Name of the class map or policy map. (Range: 1-32 characters) Command Mode Class Map Configuration Policy Map Configuration Example
Console(config)#class-map rd-class#1
Console(config-cmap)#rename rd-class#9
Console(config-cmap)#

policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode.

Console(config-pmap-c)#set cos 0
Console(config-pmap-c)#

class
This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map. Syntax [no] class class-map-name class-map-name - Name of the class map.

police rate
This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer. Syntax [no] police rate committed-rate committed-rate - Committed information rate in kilobits per second. (Range: 16-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) Default Setting...

Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police rate command to limit the average bandwidth to 100,000 Kbps.

service-policy
This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy input policy-map-name input - Apply to the input traffic.

Description:
Match ip dscp 10
Match access-list rd-access
Match ip dscp 0
Class Map match-any rd-class#2
Match ip precedence 5
Class Map match-any rd-class#3
Match vlan 1
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations.

show policy-map interface
This command displays the service policy assigned to the specified interface. Syntax show policy-map interface [interface input] interface unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) Command Mode Privileged Exec Example...
Chapter 21 | Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

IGMP Snooping
Table 102: IGMP Snooping Commands (Continued) Command Function Mode
ip igmp snooping tcn-flood - Floods multicast traffic when a Spanning Tree topology change occurs
ip igmp snooping tcn-query-solicit - Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs
ip igmp snooping...

ip igmp snooping
This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it. Syntax [no] ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Disabled...

Command Usage This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency. Example
Console(config)#ip igmp snooping priority 6
Console(config)#...

ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Disabled Command Mode Global Configuration Command Usage IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp...

Also, when the switch is acting in the role of a multicast host (such as when using proxy routing), it should ignore version 2 or 3 queries that do not contain the Router Alert option. Example
Console(config)#ip igmp snooping router-alert-option-check
Console(config)#...

Command Usage ◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change.

ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature. Syntax [no] ip igmp snooping tcn-query-solicit Default Setting...

Command Usage Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped; otherwise it is flooded throughout the VLAN.

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4094) 1 - IGMP Version 1 2 - IGMP Version 2...

Default Setting Global: Disabled VLAN: Disabled Command Mode Global Configuration Command Usage ◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.

ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id immediate-leave [by-host-ip] no ip igmp snooping vlan vlan-id immediate-leave...

ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.

Command Usage ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.

procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message. When the multicast services provided to a VLAN are relatively stable, the use of solicitation messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.

To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command. Rules Used for Proxy Reporting When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.

Command Usage ◆ An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface vlan-id - VLAN ID (Range: 1-4094) ip-address - IP address for multicast group interface...

Example
Console#clear ip igmp snooping groups dynamic
Console#

clear ip igmp snooping statistics
This command clears IGMP snooping statistics. Syntax clear ip igmp snooping statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.

Command Mode Privileged Exec Command Usage Member types displayed include IGMP or USER, depending on selected options. Example The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Bridge Multicast Forwarding Entry Count:1
Flag: R - Router port, M - Group member port
H - Host counts (number of hosts join the group on this port).

Table 103: show ip igmp snooping statistics input - display description
Field - Description
G(-S)-S Query - The number of group specific or group-and-source specific query messages received on this interface.
Drop - The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.

Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch. Table 106: Static Multicast Interface Commands Command Function Mode
ip igmp snooping vlan mrouter - Adds a multicast router port
show ip igmp snooping - Shows multicast router ports...

Example The following shows how to configure port 10 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users.

ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration...

profile can be assigned to one interface. Each profile has only one access mode; either permit or deny. Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#

permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.

Default Setting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#...

ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.

Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.

Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).

show ip igmp profile
This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode...

Example
Console#show ip igmp query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ip igmp throttle interface
This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier.

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.

MLD Snooping
Default Setting Disabled Command Mode Global Configuration Example The following example enables MLD Snooping:
Console(config)#ipv6 mld snooping
Console(config)#

ipv6 mld snooping
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.

Command Mode Global Configuration Command Usage ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. ◆ An IPv6 address must be configured on the VLAN interface from which the querier will act if elected.

ipv6 mld snooping query-max-response-time
This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default. Syntax ipv6 mld snooping query-max-response-time seconds no ipv6 mld snooping query-max-response-time seconds - The maximum response time allowed for MLD general queries.

Example
Console(config)#ipv6 mld snooping robustness 2
Console(config)#

ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default. Syntax ipv6 mld snooping router-port-expire-time time no ipv6 mld snooping router-port-expire-time time - Specifies the timeout of a dynamically learned router port.

Command Mode Global Configuration Command Usage ◆ When set to “flood,” any received IPv6 multicast packets that have not been requested by a host are flooded to all ports in the VLAN. ◆...

ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default. Syntax ipv6 mld snooping version {1 | 2} 1 - MLD version 1. 2 - MLD version 2.

Console(config)#ipv6 mld snooping immediate-leave
Console(config)#

ipv6 mld snooping vlan mrouter
This command statically configures an IPv6 multicast router port. Use the no form to remove the configuration. Syntax [no] ipv6 mld snooping vlan vlan-id mrouter interface vlan-id - VLAN ID (Range: 1-4094) interface ethernet unit/port...

Console#show ipv6 mld snooping vlan
VLAN 1
Immediate Leave : Disabled
Unknown Flood Behavior : To Router Port
Console#

show ipv6 mld
This command shows known multicast groups, member ports, and the means by which each group was learned.

Example The following shows MLD Snooping group mapping information:
Console#show ipv6 mld snooping group source-list
VLAN ID
Mutlicast IPv6 Address : FF02::01:01:01:01
Member Port : Eth 1/1
MLD Snooping : Multicast Data
Filter Mode : Include (if exclude filter mode)

Table 109: show ipv6 MLD snooping statistics input - display description
Field - Description
Join Succ - The number of times a multicast group was successfully joined.
Group - The number of MLD groups active on this interface.
The following shows MLD snooping output-related message statistics:
Console#show ipv6 mld snooping statistics output interface ethernet 1/1
Output Statistics:...

Table 111: show ipv6 MLD snooping statistics query - display description
Field - Description
Other Querier Address - IP address of remote querier on this interface.
Other Querier Expire - Time after which remote querier is assumed to have expired.
Other Querier Uptime - Time remote querier has been up.

Table 112: show ipv6 MLD snooping statistics summary - display description
Field - Description
Number of Groups - Number of MLD groups active on the specified interface.
Physical Interface (Port/Trunk)
Querier: Transmit
General - The number of general queries sent from this interface.
The number of group specific queries sent from this interface.
Report & Leave
Host Addr - The link-local or global IPv6 address that is assigned on that VLAN.
Unsolicit Expire - The number of group leaves resulting from timeouts instead of explicit leave messages.

MLD Filtering and Throttling

ipv6 mld filter (Global Configuration)
This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ipv6 mld filter Default Setting Disabled Command Mode Global Configuration...

Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface.

Syntax [no] range low-ipv6-address [high-ipv6-address] low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range. high-ipv6-address - A valid IPv6 address (X:X:X:X::X) for the end of a multicast group range.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld filter 19
Console(config-if)#

ipv6 mld max-groups
This command configures the maximum number of MLD groups that an interface can join. Use the no form to restore the default setting. Syntax ipv6 mld max-groups number no ipv6 mld max-groups...

ipv6 mld max-groups action
This command sets the MLD throttling action for an interface on the switch. Syntax ipv6 mld max-groups action {deny | replace} deny - The new multicast group join report is dropped. replace - The new multicast group replaces an existing group.
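The profile filtering (ip igmp profile, permit/deny, range) and max-groups throttling (ip igmp max-groups and its MLD counterpart ipv6 mld max-groups action deny | replace) described in this chapter, as an added Python model rather than the switch's own code. Group addresses go through the ipaddress module, so one implementation covers both the IPv4 (IGMP) and IPv6 (MLD) profile ranges. The manual does not say which existing group the replace action evicts; this model evicts the oldest learned group, which is an assumption. The profile number and group ranges used in the checks (profile 19, 239.1.1.1, 239.2.3.1 to 239.2.3.100, ff01::101 to ff01::faa) are taken from the manual's examples; the port state and join sequence are constructed.

```python
"""Model of IGMP/MLD profile filtering and max-groups throttling.
Added example, not the switch's own code. Group addresses go through
the ipaddress module, so one implementation covers IGMP (IPv4) and
MLD (IPv6) profiles. Assumption: the "replace" action evicts the
oldest learned group; the manual does not say which group is replaced."""
import ipaddress
from collections import OrderedDict


class Profile:
    """A filter profile: one access mode (permit or deny) and a list of
    address ranges, as built with the profile's range command."""

    def __init__(self, number, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number = number
        self.mode = mode
        self.ranges = []          # (low, high) address pairs, inclusive

    def range(self, low, high=None):
        """range low [high]: a single group or an inclusive group range."""
        lo = ipaddress.ip_address(low)
        hi = ipaddress.ip_address(high) if high is not None else lo
        if hi.version != lo.version or hi < lo:
            raise ValueError("invalid range %s %s" % (low, high))
        self.ranges.append((lo, hi))

    def allows(self, group):
        """True if a join for this group passes the profile."""
        g = ipaddress.ip_address(str(group))
        matched = any(lo.version == g.version and lo <= g <= hi
                      for lo, hi in self.ranges)
        # permit: only listed groups may be joined; deny: listed groups are blocked
        return matched if self.mode == "permit" else not matched


class Port:
    """Per-interface state: at most one profile, a max-groups limit and
    the throttling action taken once the limit is reached."""

    def __init__(self, profile=None, max_groups=None, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("action must be deny or replace")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = OrderedDict()   # insertion order: oldest group first

    def join(self, group):
        """Process one join report and return what happened to it."""
        g = ipaddress.ip_address(str(group))
        if self.profile is not None and not self.profile.allows(g):
            return "filtered"                 # blocked by the profile
        if g in self.groups:
            return "refreshed"                # already a member of this group
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"            # join report dropped
            oldest, _ = self.groups.popitem(last=False)   # replace: evict oldest
            self.groups[g] = True
            return "replaced %s" % oldest
        self.groups[g] = True
        return "joined"

    def members(self):
        """Current group membership of the port, oldest first."""
        return [str(g) for g in self.groups]
```

The profile check runs before the throttle check, so a join for a group outside a permit profile is reported as filtered rather than counted against max-groups; with action deny the port's membership never changes once the limit is hit, while with action replace a flood of joins can churn existing members out, which is the trade-off to weigh when picking the action for a subscriber-facing port.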
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld query-drop
Console(config-if)#

show ipv6 mld filter
This command displays the global and interface settings for MLD filtering. Syntax show ipv6 mld filter [interface interface] interface ethernet unit/port unit - Unit identifier.

Example
Console#show ipv6 mld profile
MLD Profile 19
MLD Profile 50
Console#show ipv6 mld profile 19
Profile 19
Deny
Range ff01::101 ff01::faa
Console#

show ipv6 mld
This command shows if the specified interface is configured to drop MLD query packets.

interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number. (Range: 1-52) port-channel channel-id (Range: 1-24) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces.
LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
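The TLV layout mentioned above, as an added example that is not the switch's or the manual's own code: a small Python parser for the IEEE 802.1AB TLV list carried in an LLDPDU. The 16-bit TLV header (7-bit type, 9-bit length), the mandatory Chassis ID, Port ID and TTL TLVs, and the basic optional TLVs that the lldp basic-tlv commands in this chapter switch on and off follow the standard. The sample frame is constructed here to mirror the show lldp info output later in the chapter (chassis ID 00-01-02-03-04-05, system description SC30010, Bridge capability, TTL 120); the port name "Eth 1/2" is made up. The length check is the part worth copying: a TLV whose length field runs past the end of the frame is rejected instead of being read past the buffer, and a PDU without its three mandatory TLVs is rejected as well. The same parser, run over captured frames, lets you audit what a port is actually advertising, since LLDP is unauthenticated and everything in it (management address included) is readable by any device on the link.

```python
"""Parser for the IEEE 802.1AB TLV list carried in an LLDPDU.
Added example, not the switch's own code. Each TLV starts with a 16-bit
header: 7-bit type, 9-bit length, followed by the value. The sample
frame built by build_sample_lldpdu() is constructed here."""
import struct

# TLV type numbers (IEEE 802.1AB, basic management TLV set)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCR, TLV_SYS_NAME, TLV_SYS_DESCR, TLV_SYS_CAP = 4, 5, 6, 7
TLV_ORG_SPECIFIC = 127

# System capability bits in the System Capabilities TLV
CAPABILITY_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge",
                   0x08: "WLAN Access Point", 0x10: "Router",
                   0x20: "Telephone", 0x40: "DOCSIS", 0x80: "Station Only"}

# Chassis ID subtype 4 and Port ID subtype 3 carry a raw MAC address
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC = 4, 3


def tlv(tlv_type, value):
    """Encode one TLV; the length field is 9 bits, so at most 511 bytes."""
    if not 0 <= len(value) <= 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def _caps(word):
    return [name for bit, name in sorted(CAPABILITY_BITS.items()) if word & bit]


def _id_field(value, mac_subtype):
    """Decode a Chassis ID / Port ID value: subtype byte, then the identifier."""
    if not value:
        raise ValueError("empty identifier TLV")
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype:
        return subtype, "-".join("%02X" % b for b in ident)
    return subtype, ident.decode("utf-8", "replace")


def parse_lldpdu(data):
    """Walk the TLV list and return a dict of the decoded fields.
    Raises ValueError for a length field that overruns the frame or for a
    PDU missing one of the three mandatory TLVs."""
    info, org, offset = {}, [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated TLV header at offset %d" % offset)
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        start, end = offset + 2, offset + 2 + length
        if end > len(data):   # never read past the buffer on a bad length
            raise ValueError("TLV type %d claims %d bytes, only %d left"
                             % (tlv_type, length, len(data) - start))
        value = data[start:end]
        if tlv_type == TLV_END:
            break
        elif tlv_type == TLV_CHASSIS_ID:
            info["chassis_id"] = _id_field(value, CHASSIS_SUBTYPE_MAC)
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = _id_field(value, PORT_SUBTYPE_MAC)
        elif tlv_type == TLV_TTL:
            if length != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_PORT_DESCR:
            info["port_description"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_DESCR:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYS_CAP:
            if length != 4:
                raise ValueError("System Capabilities TLV must be 4 bytes")
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities_supported"] = _caps(supported)
            info["capabilities_enabled"] = _caps(enabled)
        elif tlv_type == TLV_ORG_SPECIFIC and length >= 4:
            org.append((value[:3].hex(), value[3], value[4:]))   # OUI, subtype, data
        offset = end
    for name in ("chassis_id", "port_id", "ttl"):
        if name not in info:
            raise ValueError("mandatory TLV missing: " + name)
    info["org_specific"] = org
    return info


def build_sample_lldpdu():
    """Constructed LLDPDU mirroring the fields in the manual's show lldp
    info output: chassis ID 00-01-02-03-04-05, description SC30010,
    Bridge capability, TTL 120. The port name 'Eth 1/2' is made up."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("000102030405")),
        tlv(TLV_PORT_ID, b"\x05" + b"Eth 1/2"),          # subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_SYS_DESCR, b"SC30010"),
        tlv(TLV_SYS_CAP, struct.pack("!HH", 0x0004, 0x0004)),
        tlv(TLV_END, b""),
    ])
```

Organizationally specific TLVs (type 127, including the LLDP-MED and IEEE 802.1/802.3 extensions this chapter's lldp dot1-tlv, dot3-tlv and med-tlv commands control) are collected as raw (OUI, subtype, data) triples rather than decoded, which is enough to see which extensions a port is emitting.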
Chapter 22 | LLDP Commands
Table 114: LLDP Commands (Continued) Command Function Mode
lldp basic-tlv system-capabilities - Configures an LLDP-enabled port to advertise its system capabilities
lldp basic-tlv system-description - Configures an LLDP-enabled port to advertise the system description
lldp basic-tlv system-name - Configures an LLDP-enabled port to advertise its system name
lldp dot1-tlv proto-ident...

lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example
Console(config)#lldp
Console(config)#

This command configures the time-to-live (TTL) value sent in LLDP advertisements.

lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count seconds - Amount of packets.

◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.

Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.

lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs.

◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this...

lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-capabilities Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.

lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-name Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on...

lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-vid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the port-based protocol VLANs configured on this interface (see...

lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv vlan-name Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the name of all VLANs to which this interface has been assigned.

lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv mac-phy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises MAC/PHY configuration/status which includes...

lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. Syntax lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code –...

Table 115: LLDP MED Location CA Types (Continued)
CA Type - Description - CA Value Example
Group of streets below the neighborhood level - Exchange
Street suffix or type - Avenue
House number
House number suffix
Landmark or vanity address - Tech Center
Unit (apartment, suite) - Apt 519...

Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv location Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details.

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.

◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.

Console#show lldp info local-device
LLDP Local Global Information
Chassis Type : MAC Address
Chassis ID : 00-01-02-03-04-05
System Name
System Description : SC30010
System Capabilities Support : Bridge
System Capabilities Enabled : Bridge
Management Address : 192.168.0.101 (IPv4)
LLDP Port Information
Port...

: 70-72-CF-91-1C-B4
Time To Live : 120 seconds
Port Description : Ethernet Port on unit 1, port 2
System Description : SC30010
System Capabilities : Bridge
Enabled Capabilities : Bridge
Management Address : 192.168.0.4 (IPv4)
Port VLAN ID : 1...

The following example shows information which is displayed for an end-node device which advertises LLDP-MED TLVs.
LLDP-MED Capability :
Device Class : Network Connectivity
Supported Capabilities : LLDP-MED Capabilities
Network Policy
Location Identification
Extended Power via MDI - PSE
Inventory
Current Capabilities : LLDP-MED Capabilities...

Example
Console#show lldp info statistics
LLDP Global Statistics
Neighbor Entries List Last Updated : 485 seconds
New Neighbor Entries Count
Neighbor Entries Deleted Count
Neighbor Entries Dropped Count
Neighbor Entries Ageout Count
LLDP Port Statistics
Port NumFramesRecvd NumFramesSent NumFramesDiscarded
-------- -------------- ------------- ------------------...
Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server...
Chapter 23 | Domain Name Service Commands
DNS Commands
...formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.

ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ At least one name server must be specified before DNS can be enabled.
◆...

ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name...

Command Mode
Global Configuration
Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.
Example
This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts...

Default Domain Name: sample.com
Domain Name List:    sample.com.jp
                     sample.com.uk
Name Server List:    192.168.1.55
                     10.1.0.55
Console#
Related Commands
ip domain-name (581)
ip domain-lookup (580)

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address.

clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#clear dns cache
Console#show dns cache
Flag Type IP Address Host
------- ------- ------- --------------- ------- --------
Console#

This command deletes dynamic entries from the DNS table.

show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
 DNS enabled
Default Domain Name: sample.com
Domain Name List:    sample.com.jp
                     sample.com.uk
Name Server List:    192.168.1.55...

show hosts
This command displays the static host name-to-address mapping table.
Command Mode
Privileged Exec
Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
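As an added example (not code from this guide or the switch firmware), the following Python models the DNS settings described in this chapter: the static host table built by ip host, the alias rule of show hosts, the rule that ip domain-lookup has no effect until a name server exists, and the way an incomplete host name is completed from ip domain-name and ip domain-list. The class and method names, and the order in which the default domain and the domain list are tried, are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


# Constructed model of the guide's DNS configuration (not the switch's code).
class SwitchDnsConfig:
    def __init__(self) -> None:
        self.domain_lookup = False            # ip domain-lookup: default disabled
        self.default_domain: Optional[str] = None   # ip domain-name
        self.domain_list: List[str] = []            # ip domain-list
        self.name_servers: List[str] = []           # ip name-server
        self.hosts: Dict[str, Set[str]] = {}  # ip host; insertion order = config order

    def ip_host(self, name: str, address: str) -> None:
        """ip host <name> <address>: add a static entry (a name may hold several addresses)."""
        ipaddress.ip_address(address)         # reject malformed input up front
        self.hosts.setdefault(name, set()).add(address)

    def no_ip_host(self, name: str) -> None:
        """no ip host <name>: clear a static entry."""
        self.hosts.pop(name, None)

    def enable_domain_lookup(self) -> bool:
        """ip domain-lookup: DNS cannot be enabled until at least one name
        server has been specified. Returns whether the command took effect."""
        if not self.name_servers:
            return False
        self.domain_lookup = True
        return True

    def show_hosts(self) -> List[Tuple[str, List[str], Optional[str]]]:
        """Rows of (name, addresses, alias_of). A name mapped to exactly the
        same address set as an earlier entry is reported as an alias of it."""
        rows = []
        first_for: Dict[frozenset, str] = {}
        for name, addrs in self.hosts.items():
            key = frozenset(addrs)
            alias_of = first_for.get(key)
            if alias_of is None:
                first_for[key] = name
            rows.append((name, sorted(addrs), alias_of))
        return rows

    def query_names(self, host: str) -> List[str]:
        """Names a DNS query would try for <host>. A name in dotted notation is
        used as-is; an incomplete name gets the default domain and then each
        domain-list entry appended (that order is an assumption)."""
        if "." in host:
            return [host]
        suffixes = ([self.default_domain] if self.default_domain else []) + self.domain_list
        return [f"{host}.{suffix}" for suffix in suffixes] or [host]

    def resolve(self, host: str) -> dict:
        """Static table first; otherwise the query the resolver would send,
        which only happens while ip domain-lookup is in effect."""
        if host in self.hosts:
            return {"source": "static", "addresses": sorted(self.hosts[host])}
        if not self.domain_lookup:
            return {"source": "none", "reason": "ip domain-lookup is disabled"}
        return {"source": "query", "names": self.query_names(host),
                "servers": list(self.name_servers)}
```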
Chapter 23 | Domain Name Service Commands
Multicast DNS Commands
Command Mode
Global Configuration
Command Usage
Use this command to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. For more information on this command refer to the Web Management Guide.
DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 24 | DHCP Commands
DHCP Client
DHCP for IPv4
ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.
Syntax
[no] ip dhcp dynamic-provision
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆...
Related Commands
ip dhcp restart client (592)

ip dhcp restart client
This command submits a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the address command.
Example
Console#show ip dhcp dynamic provisioning
Dynamic Provision via DHCP Status: Disabled
Console#

DHCP for IPv6
ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface.

ipv6 dhcp restart client vlan
This command submits a DHCPv6 client request.
Syntax
ipv6 dhcp restart client vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
...based on their advertised preference value. If the client needs to acquire prefixes from servers, only servers that have advertised prefixes are considered.
◆ If the rapid commit option has been enabled on the switch using the ipv6 dhcp client rapid-commit vlan command, and on the DHCPv6 server,...

DHCP Relay
Command Usage
Each allocation in the DHCPv6 server is identified by a DUID and an IAID. IAID means Interface Association Identifier, and is a binding between the interface and one or more IP addresses.
Command Mode
Privileged Exec
Example...
Command Mode
Interface Configuration (VLAN)
Usage Guidelines
◆ DHCP relay service applies to DHCP client requests received on the specified VLAN.
◆ This command is used to configure DHCP relay for host devices attached to the switch.
 Address is 00-00-E8-93-82-A0
 Index: 1001, MTU: 1500
 Address Mode is DHCP
 IP Address: 10.1.0.254 Mask: 255.255.255.0
 Proxy ARP is disabled
 DHCP Relay Server:
 DHCP Client Vendor Class ID (text): SC30010
Console#
Related Commands
ip dhcp relay server (596)
IP Interface Commands
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
Chapter 25 | IP Interface Commands
IPv4 Interface
Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Table 126: Basic IP Configuration Commands
Command             Function                                                                          Mode
ip address          Sets the IP address for the current interface
ip default-gateway  Defines the default gateway through which this switch can reach other subnetworks...
Command Usage
◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server.
Related Commands
ip dhcp restart client (592)
ip default-gateway (602)
ipv6 address (612)

ip default-gateway
This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway...
VLAN 1 is Administrative Up - Link Up
 Address is 00-E0-00-00-00-01
 Index: 1001, MTU: 1500
 Address Mode is DHCP
 IP Address: 192.168.0.2 Mask: 255.255.255.0
 DHCP Client Vendor Class ID (text): SC30010
Console#
Related Commands
ip address (600)
show ipv6 interface (620)

show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
Command Mode
Privileged Exec
Example
Console#show ip traffic
IP Statistics:
 IP received
  7845 total received
       header errors
       unknown protocols
       address errors
       discards...
       input errors
  9897 output
Console#

traceroute
This command shows the route packets take to the specified destination.
Syntax
traceroute host
host - IP address or alias of the host.
Default Setting
None
Command Mode
Privileged Exec
Command Usage...
Example
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
    20 ms    <10 ms   <10 ms   192.168.0.99
Trace completed.
◆ When pinging a host name, be sure the DNS server has been defined (page 582) and host name-to-address translation enabled (page 580). If necessary, local devices can also be specified in the DNS static host table (page 581).
Command Mode
Global Configuration
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆...
◆ Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables.
Example
Console(config)#interface vlan 3
Console(config-if)#ip proxy-arp
Console(config-if)#

clear arp-cache
This command deletes all dynamic entries from the Address Resolution...
Example
This example displays all entries in the ARP cache.
Console#show arp
ARP Cache Timeout: 1200 (seconds)
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
10.1.0.255...

IPv6 Interface
Table 128: IPv6 Configuration Commands (Continued)
Command               Function                                                                                    Mode
traceroute6           Shows the route packets take to the specified host
Neighbor Discovery
ipv6 nd dad attempts  Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection
ipv6 nd ns-interval   Configures the interval between IPv6 neighbor...
◆ An IPv6 default gateway should be defined if the destination has been assigned an IPv6 address that is located in a different IP segment.
◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.) If a duplicate address is detected, a warning message is sent to the...
Default Setting
No IPv6 addresses are defined
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface.
Related Commands
ipv6 address (612)
show ipv6 interface (620)

ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface.
The EUI-64 specification is designed for devices that use an extended 8-byte MAC address. For devices that still use a 6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
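As an added example (not code from this guide or the switch), the following Python carries out the EUI-48 to modified EUI-64 conversion just described and uses the result to derive the FE80 link-local address that the ipv6 address command usage mentions, the address ipv6 address eui-64 would assign under a /64 prefix, and the solicited-node multicast group listed under Joined group address(es). Function names are assumptions; the MAC 00-E0-0C-00-00-FD is a constructed input chosen so that its link-local address is the FE80::2E0:CFF:FE00:FD quoted in the ipv6 enable example.

```python
import ipaddress
import re

# Constructed illustration of the EUI-48 -> modified EUI-64 steps in the text;
# not the switch firmware. Function names are assumptions.


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a 6-byte MAC.

    1. insert FF-FE between the upper three and the lower three bytes;
    2. invert the universal/local bit (bit 0x02 of the first byte).
    """
    octets = bytes.fromhex(re.sub(r"[-:.]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"expected a 6-byte (EUI-48) MAC address, got {mac!r}")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return bytes(eui64)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix with the modified EUI-64 ID in the low 64 bits
    (the address the switch generates when IPv6 is enabled on a VLAN)."""
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Address that 'ipv6 address <prefix>/64 eui-64' would assign for <mac>."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    addr = ipaddress.IPv6Address(int(net.network_address) | iid)
    return ipaddress.IPv6Interface(f"{addr}/64")


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group formed from the low 24 bits of a unicast
    address; the interface joins one per address, as shown under
    'Joined group address(es)'."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24)


if __name__ == "__main__":
    mac = "00-E0-0C-00-00-FD"   # constructed input, see lead-in
    ll = link_local_from_mac(mac)
    print("modified EUI-64 :", mac_to_modified_eui64(mac).hex("-"))
    print("link-local      :", ll)
    print("EUI-64 global   :", eui64_address("2001:db8:1::/64", mac))
    print("solicited-node  :", solicited_node_multicast(str(ll)))
```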
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
  ff02::1:ff00:72
  ff02::1:ff83:3466
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#...
Example
In this example, IPv6 is enabled on VLAN 1, and the link-local address FE80::2E0:CFF:FE00:FD/64 is automatically generated by the switch.
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address:
 fe80::269:3ef9:fe19:6779%1/64...
◆ The maximum value set by this command cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
ipv6-prefix - The IPv6 network portion of the address assigned to the interface. The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Table 129: show ipv6 interface - display description (Continued)
Field                     Description
Joined group address(es)  In addition to the unicast addresses assigned to an interface, a node is required to join the all-nodes multicast addresses FF01::1 and FF02::1 for all IPv6 nodes within scope 1 (interface-local) and scope 2 (link-local), respectively.

show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
Command Mode
Normal Exec, Privileged Exec
Example
The following example shows the MTU cache for this device:
Console#show ipv6 mtu...
       reassembly request datagrams
       reassembly succeeded
       reassembly failed
 IPv6 sent
       forwards datagrams
     6 requests
       discards
       no routes
       generated fragments
       fragment succeeded
       fragment failed
ICMPv6 Statistics:
 ICMPv6 received
       input errors
       destination unreachable messages
       packet too big messages
       time exceeded messages
       parameter problem message
       echo request messages...
Table 131: show ipv6 traffic - display description
Field                 Description
IPv6 Statistics
IPv6 received
 total received       The total number of input datagrams received by the interface, including those received in error.
 header errors        The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 131: show ipv6 traffic - display description (Continued)
Field                 Description
IPv6 sent
 forwards datagrams   The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 131: show ipv6 traffic - display description (Continued)
Field                           Description
 router advertisement messages  The number of ICMP Router Advertisement messages received by the interface.
 neighbor solicit messages      The number of ICMP Neighbor Solicit messages received by the interface.
Table 131: show ipv6 traffic - display description (Continued)
Field                                            Description
 multicast listener discovery version 2 reports  The number of MLDv2 reports sent by the interface.
UDP Statistics
 input                The total number of UDP datagrams delivered to UDP users.
 no port errors       The total number of received UDP datagrams for which there was no application at the destination port.
size - Number of bytes in a packet. (Range: 0-1500 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Default Setting
count: 5
size: 32 bytes
Command Mode...
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Trace completed.
Console#

Neighbor Discovery
ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.
Syntax
ipv6 nd dad attempts count
no ipv6 nd dad attempts...
...commands associated with a duplicate address remain configured while the address is in “duplicate” state.
◆ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.
Default Setting
1000 milliseconds is used for neighbor discovery operations
0 milliseconds is advertised in router advertisements
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ When a non-default value is configured, the specified interval is used both...

ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.
Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time...

clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
Command Mode
Privileged Exec
Example
The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#

This command displays information in the IPv6 neighbor discovery cache.
Table 132: show ipv6 neighbors - display description
Field            Description
IPv6 Address     IPv6 address of neighbor
                 The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.”
Link-layer Addr  Physical layer MAC address.
IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 26 | IP Routing Commands
Global Routing Configuration
...dynamic route is less than that configured for the static route. Note that the default administrative distance used by the dynamic unicast routing protocol is 120 for RIP. (Range: 1-255, Default: 1)
* –...
...changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or Routing Information Base), which holds all routing information received from routing peers.
IP routing table maximum-paths is 1
Connected
Total
Console#

Section III
Appendices
This section provides additional information and includes these items:
◆ "Troubleshooting" on page 642
◆ "License Information" on page 644

Troubleshooting
Problems Accessing the Management Interface
Table 162: Troubleshooting Chart
Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable.

Appendix A | Troubleshooting
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
Enable logging.
License Information
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.

Appendix B | License Information
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary
ACL - Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP - Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
...information can be used by DHCP servers to assign fixed IP addresses, or set other services or policies for clients.
DHCP Snooping - A technique used to enhance network security by snooping on DHCP server messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
GARP - Generic Attribute Registration Protocol. GARP is a protocol that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations.
IEEE 802.1X - Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
IEEE 802.3ac - Defines frame extensions for VLAN tagging.
IEEE 802.3x - Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
LACP - Link Aggregation Control Protocol. Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
Layer 2 - Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.
MVR - Multicast VLAN Registration is a method of using a single network-wide multicast VLAN to transmit common services, such as television channels or video-on-demand, across a service-provider’s network. MVR simplifies the configuration of multicast services by using a common VLAN for distribution, while still preserving security and data isolation for subscribers residing in both the MVR VLAN and other standard groups.
RADIUS - Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.
RIP - Routing Information Protocol seeks to find the shortest route to another device by minimizing the distance-vector, or hop count, which serves as a rough estimate of transmission cost.
TCP/IP - Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
Telnet - Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
TFTP - Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.