Edge-Core ECS2100-10T Reference Manual

10/28-port web-smart pro gigabit ethernet switch
ECS2100-10T/PE/P
ECS2100-28T/P/PP
10/28-Port Web-smart Pro Gigabit Ethernet Switch
CLI Reference Guide
Software Release v1.2.2.0
www.edge-core.com

Summary of Contents for Edge-Core ECS2100-10T

  • Page 1 ECS2100-10T/PE/P ECS2100-28T/P/PP 10/28-Port Web-smart Pro Gigabit Ethernet Switch CLI Reference Guide Software Release v1.2.2.0 www.edge-core.com...
  • Page 2 CLI Reference Guide ECS2100-10T Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) Ports and 2 Gigabit SFP Ports ECS2100-10PE Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) 802.3af/at PoE Ports...
  • Page 3: How To Use This Guide

    How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
  • Page 4 How to Use This Guide Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
  • Page 5 How to Use This Guide Revision Date Change Description Updated: • "dir" on page 107 • – SFTP "File Management" on page 100 • "Denial of Service Protection" on page 314 • "switchport packet-rate" on page 415 Removed: • “vlan-trunking” •...
  • Page 7: Table Of Contents

    Contents How to Use This Guide Contents Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Logging Onto the Command Line Interface Setting Passwords Remote Connections Configuring the Switch for Remote Management Using the Network Interface Setting an IP Address Enabling SNMP Management Access...
  • Page 8 Contents Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
  • Page 9 Contents 4 System Management Commands Device Designation hostname System Status show access-list tcam-utilization show memory show process cpu show process cpu guard show process cpu task show running-config show startup-config show system show tech-support show users show version show watchdog Frame Size jumbo frame File Management...
  • Page 10 Contents Line line databits exec-timeout login parity password password-thresh silent-time speed stopbits timeout login response disconnect terminal show line Event Logging logging command logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail destination-email logging sendmail host...
  • Page 11 Contents sntp poll sntp server show sntp NTP Commands ntp authenticate ntp authentication-key ntp client ntp server show ntp Manual Configuration Commands clock summer-time (date) clock summer-time (predefined) clock summer-time (recurring) clock timezone calendar set show calendar Time Range time-range absolute periodic show time-range...
  • Page 12 Contents snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host snmp-server enable port-traps link-up-down snmp-server enable port-traps mac-notification show snmp-server enable port-traps SNMPv3 Commands snmp-server engine-id snmp-server group snmp-server user snmp-server view show snmp engine-id show snmp group show snmp user show snmp view...
  • Page 13 Contents show rmon history show rmon statistics 7 Flow Sampling Commands sflow owner sflow polling instance sflow sampling instance show sflow 8 Authentication Commands User Accounts and Privilege Levels enable password username privilege show privilege Authentication Sequence authentication enable authentication login RADIUS Client radius-server acct-port radius-server auth-port...
  • Page 14 Contents aaa accounting exec aaa accounting update aaa authorization commands aaa authorization exec aaa group server server accounting dot1x accounting commands accounting exec authorization commands authorization exec show accounting show authorization Web Server ip http authentication ip http port ip http server ip http secure-port ip http secure-server Telnet Server...
  • Page 15 Contents show public-key show ssh 802.1X Port Authentication General Commands dot1x default dot1x system-auth-control Authenticator Commands dot1x intrusion-action dot1x max-reauth-req dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate Supplicant Commands dot1x timeout auth-period...
  • Page 16 Contents mac-authentication reauth-time network-access dynamic-qos network-access dynamic-vlan network-access guest-vlan network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP)
  • Page 17 Contents ip dhcp snooping max-number ip dhcp snooping trust clear ip dhcp snooping binding clear ip dhcp snooping database flash ip dhcp snooping database flash show ip dhcp snooping show ip dhcp snooping binding IPv4 Source Guard ip source-guard binding ip source-guard ip source-guard max-binding ip source-guard mode...
  • Page 18 Contents dos-protection udp-flooding dos-protection win-nuke show dos-protection Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 10 Access Control Lists IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs access-list ipv6...
  • Page 19 Contents ACL Information clear access-list hardware counters show access-group show access-list 11 Interface Commands Interface Configuration interface capabilities description flowcontrol history media-type negotiation shutdown speed-duplex clear counters show interfaces brief show interfaces counters show interfaces history show interfaces status show interfaces switchport Transceiver Threshold Configuration transceiver-monitor transceiver-threshold-auto...
  • Page 20 Contents Power Savings power-save show power-save 12 Link Aggregation Commands Manual Configuration Commands port channel load-balance channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) lacp timeout Trunk Status Display Commands show lacp show port-channel load-balance 13 Power over Ethernet Commands power inline compatible...
  • Page 21 Contents RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 15 Congestion Control Commands Rate Limit Commands rate-limit Storm Control Commands switchport packet-rate 16 Loopback Detection Commands loopback-detection loopback-detection action loopback-detection recover-time loopback-detection transmit-interval loopback detection trap loopback-detection release show loopback-detection...
  • Page 22 Contents spanning-tree max-age spanning-tree mode spanning-tree mst configuration spanning-tree pathcost method spanning-tree priority spanning-tree system-bpdu-flooding spanning-tree tc-prop spanning-tree transmission-limit max-hops mst priority mst vlan name revision spanning-tree bpdu-filter spanning-tree bpdu-guard spanning-tree cost spanning-tree edge-port spanning-tree link-type spanning-tree loopback-detection spanning-tree loopback-detection action spanning-tree loopback-detection release-mode spanning-tree loopback-detection trap spanning-tree mst cost...
  • Page 23 Contents 19 VLAN Commands Editing VLAN Groups vlan database vlan Configuring VLAN Interfaces interface vlan switchport acceptable-frame-types switchport allowed vlan switchport ingress-filtering switchport mode switchport native vlan Displaying VLAN Information show vlan Configuring IEEE 802.1Q Tunneling dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode switchport dot1q-tunnel priority map switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid...
  • Page 24 Contents switchport voice vlan rule switchport voice vlan security show voice vlan 20 ERPS Commands erps erps domain control-vlan enable guard-timer holdoff-timer major-domain meg-level mep-monitor node-id non-erps-dev-protect non-revertive propagate-tc raps-def-mac raps-without-vc ring-port rpl neighbor rpl owner version wtr-timer clear erps statistics erps clear erps forced-switch erps manual-switch...
  • Page 25 Contents show queue mode show queue weight Priority Commands (Layer 3 and 4) qos map cos-queue qos map dscp-queue qos map trust-mode show qos map cos-queue show qos map dscp-queue show qos map trust-mode 22 Quality of Service Commands class-map description match rename...
  • Page 26 Contents ip igmp snooping version ip igmp snooping version-exclusive ip igmp snooping vlan general-query-suppression ip igmp snooping vlan immediate-leave ip igmp snooping vlan last-memb-query-count ip igmp snooping vlan last-memb-query-intvl ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static clear ip igmp snooping groups dynamic...
  • Page 27 Contents MLD Snooping ipv6 mld snooping ipv6 mld snooping proxy-reporting ipv6 mld snooping querier ipv6 mld snooping query-interval ipv6 mld snooping query-max-response-time ipv6 mld snooping robustness ipv6 mld snooping router-port-expire-time ipv6 mld snooping unknown-multicast mode ipv6 mld snooping unsolicited-report-interval ipv6 mld snooping version ipv6 mld snooping vlan immediate-leave ipv6 mld snooping vlan mrouter ipv6 mld snooping vlan static...
  • Page 28 Contents 24 LLDP Commands lldp lldp holdtime-multiplier lldp med-fast-start-count lldp notification-interval lldp refresh-interval lldp reinit-delay lldp tx-delay lldp admin-status lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident lldp dot1-tlv proto-vid lldp dot1-tlv pvid lldp dot1-tlv vlan-name lldp dot3-tlv link-agg...
  • Page 29 Contents 25 Domain Name Service Commands DNS Commands ip domain-list ip domain-lookup ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache show hosts Multicast DNS Commands ip mdns show ip mdns 26 DHCP Commands DHCP Client DHCP for IPv4...
  • Page 30 Contents 27 IP Interface Commands IPv4 Interface Basic IPv4 Configuration ip address ip default-gateway show ip default-gateway show ip interface show ip traffic traceroute ping ARP Configuration ip proxy-arp clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address autoconfig...
  • Page 31 Contents clear ipv6 neighbors show ipv6 neighbors 28 IP Routing Commands Global Routing Configuration IPv4 Commands ip route show ip route Section III Appendices A Troubleshooting Problems Accessing the Management Interface Using System Logs B License Information The GNU General Public License Glossary Commands Index...
  • Page 33: Tables

    Tables Table 1: Options 60, 66 and 67 Statements Table 2: Options 55 and 124 Statements Table 3: General Command Modes Table 4: Configuration Command Modes Table 5: Keystroke Commands Table 6: Command Group Index Table 7: General Commands Table 8: System Management Commands Table 9: Device Designation Commands Table 10: System Status Commands Table 11: show access-list tcam-utilization - display description...
  • Page 34 Tables Table 30: show snmp group - display description Table 31: show snmp user - display description Table 32: show snmp view - display description Table 33: RMON Commands Table 34: sFlow Commands Table 35: Authentication Commands Table 36: User Access Commands Table 37: Default Login Settings Table 38: Authentication Sequence Commands Table 39: RADIUS Client Commands...
  • Page 35 Tables Table 65: IPv6 ACL Commands Table 66: MAC ACL Commands Table 67: ARP ACL Commands Table 68: ACL Information Commands Table 69: Interface Commands Table 70: show interfaces counters - display description Table 71: show interfaces switchport - display description Table 72: Link Aggregation Commands Table 73: show lacp counters - display description Table 74: show lacp internal - display description...
  • Page 36 Tables Table 100: Voice VLAN Commands Table 101: ERPS Commands Table 102: ERPS Request/State Priority Table 103: show erps - summary display description Table 104: show erps domain - detailed display description Table 105: show erps statistics - detailed display description Table 106: Priority Commands Table 107: Priority Commands (Layer 2) Table 108: Priority Commands (Layer 3 and 4)
  • Page 37 Tables Table 135: IP Interface Commands Table 136: IPv4 Interface Commands Table 137: Basic IP Configuration Commands Table 138: Address Resolution Protocol Commands Table 139: IPv6 Configuration Commands Table 140: show ipv6 interface - display description Table 141: show ipv6 mtu - display description Table 142: show ipv6 traffic - display description Table 143: show ipv6 neighbors - display description Table 160: IP Routing Commands...
  • Page 39: Section I

    Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP. This section includes these chapters: ◆ "Initial Switch Configuration" on page 41 – 39 –...
  • Page 41: Initial Switch Configuration

    Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
  • Page 42: Connecting To The Console Port

    Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration ◆ Configure IP routing for unicast traffic ◆ Configure IGMP multicast filtering ◆...
  • Page 43: Logging Onto The Command Line Interface

    Power on the switch. After the system completes the boot cycle, the logon screen appears. Logging Onto the Command Line Interface The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
  • Page 44: Remote Connections

    Console(config)#username guest password 0 [password]
    Console(config)#username admin password 0 [password]
    Console(config)#
    * This manual covers the ECS2100-10T/28T Gigabit Ethernet switches, and the ECS2100-10PE/10P/28P/28PP Gigabit Ethernet PoE switches. Other than the difference in port types, and support for PoE, there are no significant differences.
  • Page 45: Configuring The Switch For Remote Management

    Configuring the Switch for Remote Management Using the Network Interface The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports such as ACLs and VLAN tagging.
  • Page 46 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Assigning an IPv4 Address Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: ◆ IP address for the switch ◆...
  • Page 47 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To configure an IPv6 link local address for the switch, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ipv6 address”...
  • Page 48 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To generate an IPv6 global unicast address for the switch, complete the following steps: From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. From the interface prompt, type “ipv6 address ipv6-address”...
  • Page 49 Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Dynamic Configuration Obtaining an IPv4 Address If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received.
  • Page 50
    Console(config)#interface vlan 1
    Console(config-if)#ip address dhcp
    Console(config-if)#end
    Console#show ip interface
    VLAN 1 is Administrative Up - Link Up
    Address is 00-E0-0C-00-00-FD
    Index: 1001, MTU: 1500
    Address Mode is DHCP
    IP Address: 192.168.0.4 Mask: 255.255.255.0
    Proxy ARP is disabled
    DHCP Client Vendor Class ID (text): ECS4110-28...
  • Page 51: Enabling Snmp Management Access

    Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 52
    Console(config)#snmp-server community admin rw
    Console(config)#snmp-server community private
    Console(config)#
    Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
  • Page 53: Managing System Files

    Chapter 1 | Initial Switch Configuration Managing System Files For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “SNMP Commands” on page 159 or to the Web Management Guide. Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP.
  • Page 54: Upgrading The Operation Code

    config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file. Upgrading the Operation Code The following example shows how to download new firmware to the switch and activate it.
  • Page 55 Chapter 1 | Initial Switch Configuration Managing System Files the new file as the startup file. To select a previously saved configuration file, use the boot system config:<filename> command. The maximum number of saved configuration files depends on available flash memory.
  • Page 56: Automatic Installation Of Operation Code And Configuration Settings

    Automatic Installation of Operation Code and Configuration Settings Downloading Operation Code Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
  • Page 57 Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings ◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
  • Page 58 This shows how to specify an FTP server where new code is stored.
    Console(config)#upgrade opcode path ftp://site9:billy@192.168.0.1/sm24/
    Console(config)#
    Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
  • Page 59: Specifying A Dhcp Client Identifier

    Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings The following shows an example of the upgrade process. Console#dir File Name Type Startup Modify Time Size(bytes) -------------------------- -------------- ------- ------------------- ------- Unit 1: ECS2100_V1.1.1.27.bix OpCode 2015-11-30 08:40:36 8037063 Factory_Default_Config.cfg...
  • Page 60: Downloading A Configuration File And Other Parameters From A Dhcp Server

    Chapter 1 | Initial Switch Configuration Downloading a Configuration File and Other Parameters from a DHCP Server The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.
  • Page 61: Table 1: Options 60, 66 And 67 Statements

    Chapter 1 | Initial Switch Configuration Downloading a Configuration File and Other Parameters from a DHCP Server requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP. To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information:...
  • Page 62: Setting The System Clock

    option dynamicProvision.bootfile-name code 67 = text;
    subnet 192.168.255.0 netmask 255.255.255.0 {
    range 192.168.255.160 192.168.255.200;
    option routers 192.168.255.101;
    option tftp-server-name "192.168.255.100"; #Default Option 66
    option bootfile-name "bootfile"; #Default Option 67
    class "Option66,67_1" { #DHCP Option 60 Vendor class
    match if option vendor-class-identifier = "ecs2100-28t.cfg";...
  • Page 63: Configuring Sntp

    To set the time zone, enter a command similar to the following.
    Console(config)#clock timezone Japan hours 8 after-UTC
    Console(config)#
    To set the time shift for summer time, enter a command similar to the following.
    Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0
    Console(config)#
    To display the clock configuration settings, enter the following command.
  • Page 64 To configure NTP time synchronization, enter commands similar to the following.
    Console(config)#ntp client
    Console(config)#ntp authentication-key 45 md5 thisiskey45
    Console(config)#ntp authenticate
    Console(config)#ntp server 192.168.3.20
    Console(config)#ntp server 192.168.3.21
    Console(config)#ntp server 192.168.5.23 key 19
    Console(config)#exit
    Console#show ntp
    Current Time...
  • Page 65: Command Line Interface

    Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ “Using the Command Line Interface” on page 67 ◆ “General Commands” on page 79 ◆...
  • Page 66 Section II | Command Line Interface ◆ “Spanning Tree Commands” on page 429 ◆ “VLAN Commands” on page 459 ◆ “ERPS Commands” on page 489 ◆ “Class of Service Commands” on page 521 ◆ “Quality of Service Commands” on page 533 ◆...
  • Page 67: Using The Command Line Interface

    Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 68: Telnet Connection

    Chapter 2 | Using the Command Line Interface Accessing the CLI Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 69: Entering Commands

    Note: You can open up to eight sessions to the device via Telnet or SSH. Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
  • Page 70: Getting Help On Commands

    Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
  • Page 71: Partial Keyword Lookup

    Chapter 2 | Using the Command Line Interface Entering Commands rspan Display status of the current RSPAN configuration running-config Information on the running configuration sflow Shows the sflow information snmp Simple Network Management Protocol configuration and statistics snmp-server Displays SNMP server configuration sntp Simple Network Time Protocol configuration spanning-tree...
  • Page 72: Negating The Effect Of Commands

    Negating the Effect of Commands For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server.
  • Page 73: Configuration Commands

    system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: admin Password: [admin login password]...
  • Page 74: Table 4: Configuration Command Modes

    Chapter 2 | Using the Command Line Interface Entering Commands ◆ Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance. ◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces. ◆...
  • Page 75: Command Line Processing

    Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
  • Page 76: Cli Command Groups

    Chapter 2 | Using the Command Line Interface CLI Command Groups Console(config)#ip igmp snooping Console(config)#end Console#show ip igmp snooping mrouter VLAN M'cast Router Ports Type ---- ------------------- ------- Eth 1/11 Static Console# CLI Command Groups The system commands can be broken down into the functional groups shown below Table 6: Command Group Index Command Group...
  • Page 77 Chapter 2 | Using the Command Line Interface CLI Command Groups (Continued) Table 6: Command Group Index Command Group Description Page Loopback Detection Detects general loopback conditions caused by hardware problems or faulty protocol settings Address Table Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time Spanning Tree Configures Spanning Tree settings for the switch...
  • Page 78 Chapter 2 | Using the Command Line Interface CLI Command Groups PM (Policy Map Configuration) VC (VLAN Database Configuration) – 78 –...
  • Page 79: General Commands

    General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 7: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...
  • Page 80: Reload (Global Configuration)

    Chapter 3 | General Commands Command Mode Global Configuration Command Usage This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
  • Page 81: Enable

    Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆...
  • Page 82: Quit

    Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (84) enable password (200) quit This command exits the configuration program.
  • Page 83: Configure

    Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console#...
  • Page 84: Disable

    Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.
  • Page 85: Show Reload

    Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2015.
  • Page 86

    Example

    This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

    ```
    Console(config)#exit
    Console#exit
    Press ENTER to start session
    User Access Verification
    Username:
    ```
  • Page 87: System Management Commands

    System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 8: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status Displays system configuration, active managers, and version information...
  • Page 88: Hostname

    Chapter 4 | System Management Commands System Status hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
  • Page 89: Show Access-List Tcam-Utilization

    Chapter 4 | System Management Commands System Status (Continued) Table 10: System Status Commands Command Function Mode show tech-support Displays a detailed list of system settings designed to help technical support resolve configuration or functional problems show users Shows all active console and Telnet sessions, including user NE, PE name, idle time, and IP address of Telnet clients show version...
  • Page 90: Show Memory

    Chapter 4 | System Management Commands System Status 0 Reserved 0 C L 64 AE6S AE6E 128 AE4 128 AEM 64 DE6S DE6E 128 DE4 128 DEM QINQ Console# Table 11: show access-list tcam-utilization - display description Field Description Pool Capability Code Abbreviation for processes shown in the TCAM List.
  • Page 91: Show Process Cpu

    Chapter 4 | System Management Commands System Status Console# Related Commands memory (180) show process cpu This command shows the CPU utilization parameters, alarm status, and alarm thresholds. Command Mode Normal Exec, Privileged Exec Example Console#show process cpu CPU Utilization in the past 5 seconds : 24% CPU Utilization in the past 60 seconds Average Utilization : 24%...
  • Page 92: Show Process Cpu Task

    Chapter 4 | System Management Commands System Status Console# Table 12: show process cpu guard - display description Field Description CPU Guard Configuration Status Shows if CPU Guard has been enabled. High Watermark If the percentage of CPU usage time is higher than the high-watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
  • Page 93 Chapter 4 | System Management Commands System Status DOT1X_SUP_GROUP 0.00 0.00 0.00 DRIVER_GROUP 1.00 0.75 2.00 DRIVER_GROUP_FR 0.00 0.00 0.00 DRIVER_GROUP_TX 0.00 0.00 0.00 0.00 0.00 0.00 HTTP_TD 0.00 0.00 5.00 HW_WTDOG_TD 0.00 0.00 0.00 IML_TX 0.00 0.00 0.00 IP_SERVICE_GROU 0.00 0.00 0.00...
  • Page 94: Show Running-Config

    Chapter 4 | System Management Commands System Status show running-config This command displays the configuration information currently in use. Syntax show running-config [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) port-channel channel-id (Range: 1-8) vlan vlan-id (Range: 1-4094) Command Mode Privileged Exec...
  • Page 95: Show Startup-Config

    ```
    enable password 7 1b3231655cebb7a1f783eddf27d254ca
    vlan database
     VLAN 1 name DefaultVlan media ethernet
    spanning-tree mst configuration
    interface ethernet 1/1
     no negotiation
    interface ethernet 1/28
     no negotiation
    interface vlan 1
     ip address dhcp
    interface vlan 1
    line console
    line vty
    Console#...
    ```
  • Page 96: Show System

    Chapter 4 | System Management Commands System Status Example Refer to the example for the running configuration file. Related Commands show running-config (94) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show system System Description : ECS2100-28T System OID String...
  • Page 97: Show Tech-Support

    Chapter 4 | System Management Commands System Status (Continued) Table 13: show system – display description Parameter Description Jumbo Frame Shows if jumbo frames are enabled or disabled. Main Power Status Displays the status of the internal power supply. show tech-support This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems.
  • Page 98: Show Users

    Chapter 4 | System Management Commands System Status Eth 1/ 5 Dowm Auto-100full 1000BASE-T None show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*”...
  • Page 99: Show Watchdog

    Chapter 4 | System Management Commands Frame Size Console# Table 14: show version – display description Parameter Description Serial Number The serial number of the switch. Hardware Version Hardware version of the main board. Number of Ports Number of built-in ports. Main Power Status Displays the status of the internal power supply.
  • Page 100: Jumbo Frame

    Chapter 4 | System Management Commands File Management jumbo frame This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage...
  • Page 101: Table 16: Flash/File Commands

    Chapter 4 | System Management Commands File Management When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file.
  • Page 102: General Commands

    Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system {config | opcode}: filename config* - Configuration file. opcode* - Run-time operation code. filename - Name of configuration file or code image.
  • Page 103 Chapter 4 | System Management Commands File Management copy startup-config {file | running-config | tftp} copy tftp {add-to-running-config | file | https-certificate | public-key | running-config | startup-config} add-to-running-config - Keyword that adds the settings listed in the specified file to the running configuration. file - Keyword that allows you to copy to/from a file.
  • Page 104 Chapter 4 | System Management Commands File Management configuring the switch to use HTTPS for a secure connection, see the ip http secure-server command. ◆ The reload command will not be accepted during copy operations to flash memory. ◆ When logging into an FTP server, the interface prompts for a user name and password configured on the remote server.
  • Page 105 Chapter 4 | System Management Commands File Management Console# The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99...
  • Page 106: Delete

    Chapter 4 | System Management Commands File Management Write to FLASH Programming. Success. Console# This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: admin Password[]: ***** Choose file type: 1.
  • Page 107: Dir

    Chapter 4 | System Management Commands File Management public-key - Keyword that allows you to delete a SSH key on the switch. (See “Secure Shell” on page 233.) username – Name of an SSH user. (Range: 1-8 characters) dsa – DSA public key type. rsa –...
  • Page 108: Whichboot

    Chapter 4 | System Management Commands File Management Command Mode Privileged Exec Command Usage If you enter the command dir without any parameters, the system displays all files. File information is shown below: Table 17: File Directory Information Column Heading Description File Name The name of the file.
  • Page 109: Automatic Code Upgrade Commands

    Chapter 4 | System Management Commands File Management Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modified Time Size (bytes)
  • Page 110: Upgrade Opcode Path

    Chapter 4 | System Management Commands File Management ◆ Any changes made to the default setting can be displayed with the show running-config show startup-config commands. Example Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup.
  • Page 111: Upgrade Opcode Reload

    ◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:

      tftp://192.168.0.1[/filedir]/

    ◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:

      ftp://[username[:password@]]192.168.0.1[/filedir]/

      If the user name is omitted, “anonymous”...
  • Page 112: Show Upgrade

    Chapter 4 | System Management Commands File Management show upgrade This command shows the opcode upgrade configuration settings. Command Mode Privileged Exec Example Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path File Name : ECS2100-series.bix Console# TFTP Configuration Commands ip tftp retry...
  • Page 113: Ip Tftp Timeout

    Chapter 4 | System Management Commands File Management ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
  • Page 114: Line

    Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 18: Line Commands Command Function...
  • Page 115: Line

    Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 116: Exec-Timeout

    Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
  • Page 117: Login

    login

    This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.

    Syntax

      login [local]
      no login

      local - Selects local password checking. Authentication is based on the user name specified with the username command....
  • Page 118: Parity

    Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity...
  • Page 119: Password-Thresh

    Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the...
  • Page 120: Silent-Time

    Example

    To set the password threshold to five attempts, enter this command:

    ```
    Console(config-line-console)#password-thresh 5
    Console(config-line-console)#
    ```

    Related Commands: silent-time (120)

    silent-time

    This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command....
  • Page 121: Speed

    Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
  • Page 122: Timeout Login Response

    Example

    To specify 2 stop bits, enter this command:

    ```
    Console(config-line-console)#stopbits 2
    Console(config-line-console)#
    ```

    timeout login response

    This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.

    Syntax

      timeout login response [seconds]
      no timeout login response...
  • Page 123: Terminal

    Chapter 4 | System Management Commands Line Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (242)
  • Page 124: Show Line

    Chapter 4 | System Management Commands Line Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line This command displays the terminal line’s parameters.
  • Page 125: Event Logging

    Chapter 4 | System Management Commands Event Logging Login Timeout : 300 sec. Silent Time : Disabled Console# Event Logging This section describes commands used to configure event logging on the switch. Table 19: Event Logging Commands Command Function Mode logging command Stores CLI command execution records in syslog RAM and flash...
  • Page 126: Logging Facility

    Chapter 4 | System Management Commands Event Logging Example Console(config)#logging facility 19 Console(config)# logging facility This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default. Syntax logging facility type no logging facility type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
  • Page 127: Logging Host

    Chapter 4 | System Management Commands Event Logging Table 20: Logging Levels Level Severity Name Description debugging Debugging messages informational Informational messages only notifications Normal but significant condition, such as cold start warnings Warning conditions (e.g., return false, unexpected return) errors Error conditions (e.g., invalid input, default used) critical...
  • Page 128: Logging On

    Chapter 4 | System Management Commands Event Logging Command Usage ◆ Use this command more than once to build up a list of host IP addresses. ◆ The maximum number of host IP addresses allowed is five. Example Console(config)#logging host 10.1.0.3 Console(config)# logging on This command controls logging of error messages, sending debug or error...
  • Page 129: Logging Trap

    Chapter 4 | System Management Commands Event Logging logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
  • Page 130: Show Log

    Chapter 4 | System Management Commands Event Logging Example Console#clear log Console# Related Commands show log (130) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 131: Show Logging

    Chapter 4 | System Management Commands Event Logging show logging This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {command | flash | ram | sendmail | trap} command - Stores CLI command execution records in syslog RAM and flash.
  • Page 132: Smtp Alerts

    Chapter 4 | System Management Commands SMTP Alerts The following example displays settings for the trap function. Console#show logging trap Global Configuration: Syslog Logging : Enabled Remote Logging Configuration: Status : Disabled Facility Type : Local use 7 (23) Level Type : Debugging messages (7) Console# Table 22: show logging trap - display description...
  • Page 133: Logging Sendmail

    Chapter 4 | System Management Commands SMTP Alerts logging sendmail This command enables SMTP event handling. Use the no form to disable this function. Syntax [no] logging sendmail Default Setting Enabled Command Mode Global Configuration Example Console(config)#logging sendmail Console(config)# logging sendmail This command specifies the email recipients of alert messages.
  • Page 134: Logging Sendmail Host

    Chapter 4 | System Management Commands SMTP Alerts logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server. Syntax [no] logging sendmail host ip-address ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling.
  • Page 135: Logging Sendmail Source-Email

    Chapter 4 | System Management Commands SMTP Alerts Command Mode Global Configuration Command Usage The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.) Example This example will send email alerts for system errors from level 3 through 0.
  • Page 136: Show Logging Sendmail

    show logging sendmail

    This command displays the settings for the SMTP event handler.

    Command Mode: Privileged Exec

    Example

    ```
    Console#show logging sendmail
    SMTP Servers
    -----------------------------------------------
    192.168.1.19
    SMTP Minimum Severity Level: 7
    SMTP Destination E-mail Addresses
    -----------------------------------------------
    ted@this-company.com
    SMTP Source E-mail Address: bill@this-company.com...
    ```
  • Page 137: Sntp Commands

    Chapter 4 | System Management Commands Time (Continued) Table 24: Time Commands Command Function Mode Manual Configuration Commands clock summer-time (date) Configures summer time for the switch’s internal clock clock summer-time Configures summer time for the switch’s internal clock (predefined) clock summer-time Configures summer time for the switch’s internal clock...
  • Page 138: Sntp Poll

    Chapter 4 | System Management Commands Time SNTP Status : Enabled SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0 Current Server: 137.92.140.80 Console# Related Commands sntp server (138) sntp poll (138) show sntp (139) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode.
  • Page 139: Show Sntp

    Chapter 4 | System Management Commands Time Default Setting None Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received.
  • Page 140: Ntp Commands

    Chapter 4 | System Management Commands Time NTP Commands ntp authenticate This command enables authentication for NTP client-server communications. Use the no form to disable authentication. Syntax [no] ntp authenticate Default Setting Disabled Command Mode Global Configuration Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers.
  • Page 141: Ntp Client

    Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure.
  • Page 142: Ntp Server

    Chapter 4 | System Management Commands Time ◆ This command enables client time requests to time servers specified via the ntp servers command. It issues time synchronization requests based on the interval set via the ntp poll command. Example Console(config)#ntp client Console(config)# Related Commands sntp client (137)
  • Page 143: Show Ntp

    Example

    ```
    Console(config)#ntp server 192.168.3.20
    Console(config)#ntp server 192.168.3.21
    Console(config)#ntp server 192.168.5.23 key 19
    Console(config)#
    ```

    Related Commands: ntp client (141), show ntp (143)

    show ntp

    This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated....
  • Page 144 Chapter 4 | System Management Commands Time b-date - Day of the month when summer time will begin. (Range: 1-31) b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-year- The year summer time will begin.
  • Page 145: Clock Summer-Time (Predefined)

    Related Commands: show sntp (139)

    clock summer-time (predefined)

    This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.

    Syntax

      clock summer-time name predefined [australia | europe | new-zealand | usa]...
  • Page 146: Clock Summer-Time (Recurring)

    Example

    The following example sets the Summer Time setting to use the predefined settings for the European region.

    ```
    Console(config)#clock summer-time MESZ predefined europe
    Console(config)#
    ```

    Related Commands: show sntp (139)

    clock summer-time (recurring)

    This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis....
  • Page 147: Clock Timezone

    Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
  • Page 148: Calendar Set

    Chapter 4 | System Management Commands Time Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
  • Page 149: Show Calendar

    Chapter 4 | System Management Commands Time Range show calendar This command displays the system clock. Default Setting None Command Mode Normal Exec, Privileged Exec Example Console#show calendar Current Time : May 13 14:08:18 2014 Time Zone : UTC, 08:00 Summer Time : Not configured Summer Time in Effect : No...
  • Page 150: Absolute

    Chapter 4 | System Management Commands Time Range Command Usage ◆ This command sets a time range for use by other functions, such as Access Control Lists. ◆ A maximum of eight rules can be configured for a time range. Example Console(config)#time-range r&d Console(config-time-range)#...
  • Page 151: Periodic

    Chapter 4 | System Management Commands Time Range Example This example configures the time for the single occurrence of an event. Console(config)#time-range r&d Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009 Console(config-time-range)# periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
  • Page 152: Show Time-Range

    Chapter 4 | System Management Commands Switch Clustering Example This example configures a time range for the periodic occurrence of an event. Console(config)#time-range sales Console(config-time-range)#periodic daily 1 1 to 2 1 Console(config-time-range)# show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
  • Page 153: Cluster

    Chapter 4 | System Management Commands Switch Clustering (Continued) Table 27: Switch Cluster Commands Command Function Mode show cluster Displays the switch clustering status show cluster members Displays current cluster Members show cluster candidates Displays current cluster Candidates in the network Using Switch Clustering ◆...
  • Page 154: Cluster Commander

    Chapter 4 | System Management Commands Switch Clustering Default Setting Disabled Command Mode Global Configuration Command Usage ◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is disabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
  • Page 155: Cluster Ip-Pool

    Chapter 4 | System Management Commands Switch Clustering ◆ Cluster Member switches can be managed through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch. Example Console(config)#cluster commander Console(config)# cluster ip-pool This command sets the cluster IP address pool.
  • Page 156: Cluster Member

    Chapter 4 | System Management Commands Switch Clustering cluster member This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster. Syntax cluster member mac-address mac-address id member-id no cluster member id member-id mac-address - The MAC address of the Candidate switch.
  • Page 157: Show Cluster

    Chapter 4 | System Management Commands Switch Clustering Example Console#rcommand id 1 CLI session with the ECS2100-10T is opened. To end the CLI session, enter [Exit]. Vty-0# show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec...
  • Page 158: Show Cluster Candidates

    show cluster candidates

    This command shows the discovered Candidate switches in the network.

    Command Mode: Privileged Exec

    Example

    ```
    Console#show cluster candidates
    Cluster Candidates:
    Role            MAC Address       Description
    --------------- ----------------- ----------------------------------------
    Candidate join  00-E0-0C-00-00-FE ECS2100-10T
    Candidate       00-12-CF-0B-47-A0 ECS2100-10T
    Console#
    ```
  • Page 159: Snmp Commands

    SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
  • Page 160 Chapter 5 | SNMP Commands (Continued) Table 28: SNMP Commands Command Function Mode show snmp engine-id Shows the SNMP engine ID show snmp group Shows the SNMP groups show snmp user Shows the SNMP users show snmp view Shows the SNMP views Notification Log Commands Enables the specified notification log snmp-server notify-filter...
  • Page 161: General Snmp Commands

    Chapter 5 | SNMP Commands General SNMP Commands (Continued) Table 28: SNMP Commands Command Function Mode Additional Trap Commands memory Sets the rising and falling threshold for the memory utilization alarm process cpu Sets the rising and falling threshold for the CPU utilization alarm process cpu guard Sets the CPU utilization watermark and threshold...
  • Page 162: Snmp-Server Contact

    Chapter 5 | SNMP Commands General SNMP Commands ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects. rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Default Setting ◆...
  • Page 163: Snmp-Server Location

    Chapter 5 | SNMP Commands General SNMP Commands snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location. (Maximum length: 255 characters) Default Setting None...
  • Page 164: Snmp Target Host Commands

    Chapter 5 | SNMP Commands SNMP Target Host Commands 2. private, and the access level is read/write 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get-request PDUs...
  • Page 165: Snmp-Server Host

    Chapter 5 | SNMP Commands SNMP Target Host Commands notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. ◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command.
  • Page 166 Chapter 5 | SNMP Commands SNMP Target Host Commands version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy.
  • Page 167: Snmp-Server Enable Port-Traps Link-Up-Down

    Chapter 5 | SNMP Commands SNMP Target Host Commands Allow the switch to send SNMP traps; i.e., notifications (page 164). Specify the target host that will receive inform messages with the snmp-server host command as described in this section. To send an inform to a SNMPv3 host, complete these steps: Enable the SNMP agent (page 161).
  • Page 168: Snmp-Server Enable Port-Traps Mac-Notification

    Command Mode: Interface Configuration (Ethernet, Port Channel)

    Example

    ```
    Console(config)#interface ethernet 1/1
    Console(config-if)#snmp-server enable port-traps mac-notification
    Console(config)#
    ```

    snmp-server enable port-traps mac-notification

    This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed....
  • Page 169: Snmpv3 Commands

    Chapter 5 | SNMP Commands SNMPv3 Commands
    port-channel channel-id (Range: 1-8)
    Command Mode
    Privileged Exec
    Example
    Console#show snmp-server enable port-traps interface
    Interface MAC Notification Trap
    --------- ---------------------
    Eth 1/1
    Eth 1/2
    Eth 1/3
    SNMPv3 Commands
    snmp-server engine-id
    This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default....
  • Page 170: Snmp-Server Group

    Chapter 5 | SNMP Commands SNMPv3 Commands ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆...
  • Page 171: Snmp-Server User

    Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
  • Page 172 Chapter 5 | SNMP Commands SNMPv3 Commands auth - Uses SNMPv3 with authentication. md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password.
  • Page 173: Snmp-Server View

    Chapter 5 | SNMP Commands SNMPv3 Commands
    need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
    Example
    Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
    Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
    Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
    Console(config)#...
  • Page 174: Show Snmp Engine-Id

    Chapter 5 | SNMP Commands SNMPv3 Commands
    This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table.
    Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
    Console(config)#
    This view includes the MIB-2 interfaces table, and the mask selects all index entries.
    Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
    Console(config)#
    show snmp engine-id...
  • Page 175: Show Snmp Group

    Chapter 5 | SNMP Commands SNMPv3 Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access. Command Mode Privileged Exec Example Console#show snmp group Group Name : r&d Security Model : v3 Security Level : Authentication and privacy Read View...
  • Page 176: Show Snmp User

    Chapter 5 | SNMP Commands SNMPv3 Commands (Continued) Table 30: show snmp group - display description Field Description Read View The associated read view. Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry.
  • Page 177: Show Snmp View

    Chapter 5 | SNMP Commands Notification Log Commands (Continued) Table 31: show snmp user - display description Field Description Storage Type The storage type for this entry. Row Status The row status of this entry. SNMP remote user A user associated with an SNMP engine on a remote device. show snmp view This command shows information on the SNMP views.
  • Page 178: Snmp-Server Notify-Filter

    Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆...
  • Page 179 Chapter 5 | SNMP Commands Notification Log Commands RFC 3014) provides an infrastructure in which information from other MIBs may be logged. ◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
  • Page 180: Show Nlm Oper-Status

    Chapter 5 | SNMP Commands Additional Trap Commands
    show nlm oper-status
    This command shows the operational status of configured notification logs.
    Command Mode
    Privileged Exec
    Example
    Console#show nlm oper-status
    Filter Name: A1
    Oper-Status: Operational
    Console#
    show snmp notify-filter
    This command displays the configured notification logs.
    Command Mode
    Privileged Exec...
  • Page 181: Process Cpu

    Chapter 5 | SNMP Commands Additional Trap Commands Command Usage Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered. Example Console(config)#memory rising 80 Console(config)#memory falling 60...
  • Page 182: Process Cpu Guard

    Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
  • Page 183 Chapter 5 | SNMP Commands Additional Trap Commands ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered. Example Console(config)#process cpu guard high-watermark 80 Console(config)#process cpu guard low-watermark 60 Console(config)#...
  • Page 185: Remote Monitoring Commands

    Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
  • Page 186: Rmon Alarm

    Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
  • Page 187: Rmon Event

    Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
  • Page 188: Rmon Collection History

    Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event.
  • Page 189: Rmon Collection Rmon1

    Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config...
  • Page 190: Show Rmon Alarms

    Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
  • Page 191: Show Rmon History

    Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01...
  • Page 193: Flow Sampling Commands

    Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
  • Page 194 Chapter 7 | Flow Sampling Commands sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector.
  • Page 195: Sflow Polling Instance

    Chapter 7 | Flow Sampling Commands
    This example shows how to modify the sFlow port number for an already configured collector.
    Console(config)#sflow owner stat_server1 timeout 100 port 35100
    Console(config)#
    sflow polling instance
    This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval....
  • Page 196: Sflow Sampling Instance

    Chapter 7 | Flow Sampling Commands
    sflow sampling instance
    This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration....
  • Page 197: Show Sflow

    Chapter 7 | Flow Sampling Commands
    The following command removes a sampling data source from Ethernet interface 1/1.
    Console# no sflow sampling interface ethernet 1/1 instance 1
    Console#
    show sflow
    This command shows the global and interface settings for the sFlow process.
    Syntax
    show sflow [owner owner-name | interface interface]
    owner-name - The associated receiver, to which the samples are sent....
  • Page 199: Authentication Commands

    Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 200: User Accounts And Privilege Levels

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 114), user authentication via a remote authentication server...
  • Page 201: Username

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels Default Setting The default is level 15. The default password is “super” Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
  • Page 202: Table 37: Default Login Settings

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels Level 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command....
  • Page 203: Privilege

    Chapter 8 | Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command.
  • Page 204: Authentication Sequence

    Chapter 8 | Authentication Commands Authentication Sequence
    Example
    This example shows the privilege level for any command modified by the privilege command.
    Console#show privilege command
    privilege line all level 0 accounting
    privilege exec level 15 ping
    Console(config)#
    Authentication Sequence
    Three authentication methods can be specified to authenticate users logging into the system for management access....
  • Page 205: Authentication Login

    Chapter 8 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
  • Page 206: Radius Client

    Chapter 8 | Authentication Commands RADIUS Client ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first....
  • Page 207: Radius-Server Auth-Port

    Chapter 8 | Authentication Commands RADIUS Client
    Default Setting
    1813
    Command Mode
    Global Configuration
    Example
    Console(config)#radius-server acct-port 181
    Console(config)#
    radius-server auth-port
    This command sets the RADIUS server network port. Use the no form to restore the default.
    Syntax
    radius-server auth-port port-number
    no radius-server auth-port
    port-number - RADIUS server UDP port used for authentication messages....
  • Page 208: Radius-Server Key

    Chapter 8 | Authentication Commands RADIUS Client auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 209: Radius-Server Retransmit

    Chapter 8 | Authentication Commands RADIUS Client
    radius-server retransmit
    This command sets the number of retries. Use the no form to restore the default.
    Syntax
    radius-server retransmit number-of-retries
    no radius-server retransmit
    number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server....
  • Page 210: Show Radius-Server

    Chapter 8 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times...
  • Page 211: Tacacs-Server Host

    Chapter 8 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server.
  • Page 212: Tacacs-Server Port

    Chapter 8 | Authentication Commands TACACS+ Client Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
  • Page 213: Tacacs-Server Timeout

    Chapter 8 | Authentication Commands TACACS+ Client Example Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
  • Page 214: Aaa

    Chapter 8 | Authentication Commands
    TACACS+ Server Group:
    Group Name Member Index
    ------------------------- -------------
    tacacs+
    Console#
    The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
    Table 41: AAA Commands
    Command Function...
  • Page 215: Aaa Accounting Commands

    Chapter 8 | Authentication Commands
    aaa accounting commands
    This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
    Syntax
    aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group}
    no aaa accounting commands level {default | method-name}
    level - The privilege level for executing commands....
  • Page 216: Aaa Accounting Dot1X

    Chapter 8 | Authentication Commands aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} default - Specifies the default accounting method for service requests.
  • Page 217: Aaa Accounting Exec

    Chapter 8 | Authentication Commands aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} default - Specifies the default accounting method for service requests.
  • Page 218: Aaa Accounting Update

    Chapter 8 | Authentication Commands
    aaa accounting update
    This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
    Syntax
    aaa accounting update [periodic interval]
    no aaa accounting update
    interval - Sends an interim accounting record to the server at this interval. (Range: 1-2147483647 minutes)
    Default Setting
    1 minute...
  • Page 219: Aaa Authorization Exec

    Chapter 8 | Authentication Commands server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters) Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆...
  • Page 220: Aaa Group Server

    Chapter 8 | Authentication Commands Command Mode Global Configuration Command Usage ◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections. ◆ AAA authentication must be enabled before authorization is enabled. ◆...
  • Page 221: Server

    Chapter 8 | Authentication Commands server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) ip-address - Specifies the host IP address of a server.
  • Page 222: Accounting Commands

    Chapter 8 | Authentication Commands
    Example
    Console(config)#interface ethernet 1/2
    Console(config-if)#accounting dot1x tps
    Console(config-if)#
    accounting commands
    This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands.
    Syntax
    accounting commands level {default | list-name}
    no accounting commands level
    level - The privilege level for executing commands....
  • Page 223: Authorization Commands

    Chapter 8 | Authentication Commands
    Command Mode
    Line Configuration
    Example
    Console(config)#line console
    Console(config-line)#accounting exec tps
    Console(config-line)#exit
    Console(config)#line vty
    Console(config-line)#accounting exec default
    Console(config-line)#
    authorization commands
    This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
    Syntax
    authorization commands level {default | list-name}...
  • Page 224: Authorization Exec

    Chapter 8 | Authentication Commands authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec default - Specifies the default method list created with the authorization exec command.
  • Page 225: Show Authorization

    Chapter 8 | Authentication Commands
    interface
    ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-10/28)
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#show accounting
    Accounting Type : dot1x
    Method List : default
    Group List : radius
    Interface : Eth 1/1...
  • Page 226: Web Server

    Chapter 8 | Authentication Commands Web Server
    Default Setting
    None
    Command Mode
    Privileged Exec
    Example
    Console#show authorization
    Authorization Type : EXEC
    Method List : default
    Group List : tacacs+
    Interface : vty
    Authorization Type : Commands 0
    Method List : default
    Group List : tacacs+
    Interface...
  • Page 227: Ip Http Authentication

    Chapter 8 | Authentication Commands Web Server ip http authentication This command specifies the method list for EXEC authorization for starting an EXEC session used by the web browser interface. Use the no form to use the default port. Syntax ip http authentication aaa exec-authorization {default | list-name} no ip http authentication aaa exec-authorization default - Specifies the default method list used for authorization requests.
  • Page 228: Ip Http Server

    Chapter 8 | Authentication Commands Web Server Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (228) show system (96) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting...
  • Page 229: Ip Http Secure-Server

    Chapter 8 | Authentication Commands Web Server
    Command Usage
    ◆ You cannot configure the HTTP and HTTPS servers to use the same port.
    ◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
    Example
    Console(config)#ip http secure-port 1000...
  • Page 230: Telnet Server

    Chapter 8 | Authentication Commands Telnet Server ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions. The following web browsers and operating systems currently support HTTPS: Table 43: HTTPS System Support Web Browser...
  • Page 231: Ip Telnet Max-Sessions

    Chapter 8 | Authentication Commands Telnet Server Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level. ip telnet max-sessions This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system.
  • Page 232: Ip Telnet Server

    Chapter 8 | Authentication Commands Telnet Server Command Mode Global Configuration Example Console(config)#ip telnet port 123 Console(config)# ip telnet server This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax [no] ip telnet server Default Setting...
  • Page 233: Show Ip Telnet

    Chapter 8 | Authentication Commands Secure Shell
    show ip telnet
    This command displays the configuration settings for the Telnet server.
    Command Mode
    Normal Exec, Privileged Exec
    Example
    Console#show ip telnet
    IP Telnet Configuration:
    Telnet Status: Enabled
    Telnet Service Port: 23
    Telnet Max Session: 8
    Console#
    Secure Shell...
  • Page 234 Chapter 8 | Authentication Commands Secure Shell (Continued) Table 45: Secure Shell Commands Command Function Mode show ssh Displays the status of current SSH sessions show users Shows SSH users, including privilege level and public key type Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
  • Page 235 Chapter 8 | Authentication Commands Secure Shell Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
  • Page 236: Ip Ssh Authentication-Retries

    Chapter 8 | Authentication Commands Secure Shell When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
  • Page 237: Ip Ssh Server-Key Size

    Chapter 8 | Authentication Commands Secure Shell Command Mode Global Configuration Command Usage ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
  • Page 238: Ip Ssh Timeout

    Chapter 8 | Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 120 seconds...
  • Page 239: Ip Ssh Crypto Host-Key Generate

    Chapter 8 | Authentication Commands Secure Shell
    Example
    Console#delete public-key admin dsa
    Console#
    ip ssh crypto host-key generate
    This command generates the host key pair (i.e., public and private).
    Syntax
    ip ssh crypto host-key generate [dsa | rsa]
    dsa – DSA (Version 2) key type.
    rsa –...
  • Page 240: Ip Ssh Crypto Zeroize

    Chapter 8 | Authentication Commands Secure Shell ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. Default Setting Clears both the DSA and RSA key.
  • Page 241: Show Ip Ssh

    Chapter 8 | Authentication Commands Secure Shell Related Commands ip ssh crypto host-key generate (239) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds;...
  • Page 242: Show Ssh

    Chapter 8 | Authentication Commands Secure Shell
    show ssh
    This command displays the current SSH server connections.
    Command Mode
    Privileged Exec
    Example
    Console#show ssh
    Connection Version State Username Encryption
    Session-Started admin...
  • Page 243: 802.1X Port Authentication

    Chapter 8 | Authentication Commands 802.1X Port Authentication 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 244: General Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication General Commands dot1x default This command sets all configurable dot1x authenticator global and port settings to their default values. Command Mode Global Configuration Command Usage This command resets the following commands to their default settings: ◆...
  • Page 245: Authenticator Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Example
    Console(config)#dot1x system-auth-control
    Console(config)#
    Authenticator Commands
    dot1x intrusion-action
    This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default....
  • Page 246: Dot1X Max-Reauth-Req

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    dot1x max-reauth-req
    This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
    Syntax
    dot1x max-reauth-req count
    no dot1x max-reauth-req...
  • Page 247: Dot1X Operation-Mode

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    dot1x operation-mode
    This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
    Syntax
    dot1x operation-mode {single-host | multi-host [max-count count] | mac-based-auth}...
  • Page 248: Dot1X Port-Control

    Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
  • Page 249: Dot1X Timeout Quiet-Period

    Chapter 8 | Authentication Commands 802.1X Port Authentication
    Example
    Console(config)#interface eth 1/2
    Console(config-if)#dot1x re-authentication
    Console(config-if)#
    Related Commands
    dot1x timeout re-authperiod (249)
    dot1x timeout quiet-period
    This command sets the time that a switch port waits after the maximum request count (see page 246) has been exceeded before attempting to acquire a new client....
  • Page 250: Dot1X Timeout Supp-Timeout

    Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
  • Page 251: Dot1X Re-Authenticate

    Chapter 8 | Authentication Commands 802.1X Port Authentication Default 30 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 252: Supplicant Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication Supplicant Commands dot1x timeout auth-period This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. Syntax dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.
  • Page 253: Information Display Commands

    Chapter 8 | Authentication Commands 802.1X Port Authentication Information Display Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] statistics - Displays dot1x status for each port. interface ethernet unit/port unit - Unit identifier.
  • Page 254 Chapter 8 | Authentication Commands 802.1X Port Authentication ■ Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port. ■ Port Control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 248). ■ Intrusion Action–...
  • Page 255: Management Ip Filter

    Chapter 8 | Authentication Commands Management IP Filter Reauth Max Retries Max Request Operation Mode : Multi-host Port Control : Auto Intrusion Action : Block traffic Supplicant : 00-e0-29-94-34-65 Authenticator PAE State Machine State : Authenticated Reauth Count Current Identifier Backend State Machine State : Idle...
  • Page 256: Show Management

    Chapter 8 | Authentication Commands Management IP Filter Default Setting All addresses Command Mode Global Configuration Command Usage ◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
  • Page 257 Chapter 8 | Authentication Commands Management IP Filter Command Mode Privileged Exec Example Console#show management all-client Management Ip Filter HTTP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 SNMP-Client: Start IP address End IP address ----------------------------------------------- 1.
  • Page 259: General Security Measures

    General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes.
  • Page 260: Port Security

    Chapter 9 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 261: Port Security

    Chapter 9 | General Security Measures Port Security the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
  • Page 262 Chapter 9 | General Security Measures Port Security Command Usage ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
  • Page 263: Show Port Security

    Chapter 9 | General Security Measures Port Security Related Commands show interfaces status (364) shutdown (356) mac-address-table static (424) show port security This command displays port security status and the secure address count. Syntax show port security [interface interface] interface - Specifies a port interface. ethernet unit/port unit - Unit identifier.
  • Page 264 Chapter 9 | General Security Measures Port Security (Continued) Table 51: show port security - display description Field Description MaxMacCnt The maximum number of addresses which can be stored in the address table for this interface (either dynamic or static). CurrMacCnt The current number of secure entries in the address table.
  • Page 265: Network Access (Mac Address Authentication)

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Network Access (MAC Address Authentication) Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
  • Page 266 Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Default Setting Disabled Command Mode Global Configuration Command Usage ◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
  • Page 267: Mac-Authentication Reauth-Time

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access mac-filter command.
  • Page 268: Table 53: Dynamic Qos Profiles

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) network-access dynamic-qos Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default. Syntax [no] network-access dynamic-qos Default Setting Disabled Command Mode Interface Configuration...
  • Page 269 Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example The following example enables the dynamic QoS feature on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-qos Console(config-if)# network-access Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
  • Page 270: Network-Access Guest-Vlan

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) network-access guest-vlan Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
  • Page 271 Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
  • Page 272: Network-Access Port-Mac-Filter

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
  • Page 273: Mac-Authentication Intrusion-Action

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) mac-authentication intrusion-action Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. Syntax mac-authentication intrusion-action {block traffic | pass traffic} no mac-authentication intrusion-action Default Setting Block Traffic...
  • Page 274: Clear Network-Access

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] static - Specifies static address entries. dynamic - Specifies dynamic address entries.
  • Page 275: Show Network-Access Mac-Address-Table

    Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC Address Aging : Disabled Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion Action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts...
  • Page 276: Show Network-Access Mac-Filter

    Chapter 9 | General Security Measures Web Authentication Example Console#show network-access mac-address-table Interface MAC Address RADIUS Server Time Attribute --------- ----------------- --------------- ------------------------- --------- 00-00-01-02-03-04 172.155.120.17 00d06h32m50s Static 00-00-01-02-03-05 172.155.120.17 00d06h33m20s Dynamic 00-00-01-02-03-06 172.155.120.17 00d06h35m10s Static 00-00-01-02-03-07 172.155.120.17 00d06h34m20s Dynamic Console# show network-access Use this command to display information for entries in the MAC filter tables.
  • Page 277: Web-Auth Login-Attempts

    Chapter 9 | General Security Measures Web Authentication Note: Web authentication cannot be configured on trunk ports. Table 54: Web Authentication Command Function Mode web-auth login-attempts Defines the limit for failed web authentication login attempts web-auth quiet-period Defines the amount of time to wait after the limit for failed login attempts is exceeded.
  • Page 278: Web-Auth Quiet-Period

    Chapter 9 | General Security Measures Web Authentication web-auth quiet-period This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default. Syntax web-auth quiet-period time no web-auth quiet-period...
  • Page 279: Web-Auth System-Auth-Control

    Chapter 9 | General Security Measures Web Authentication web-auth system-auth-control This command globally enables web authentication for the switch. Use the no form to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for an interface...
  • Page 280: Web-Auth Re-Authenticate (Port)

    Chapter 9 | General Security Measures Web Authentication web-auth re-authenticate (Port) This command ends all web authentication sessions connected to the port and forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port unit - Unit identifier.
  • Page 281: Show Web-Auth

    Chapter 9 | General Security Measures Web Authentication show web-auth This command displays global web authentication parameters. Command Mode Privileged Exec Example Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period : 60 Max Login Attempts Console# show web-auth...
  • Page 282: Show Web-Auth Summary

    Chapter 9 | General Security Measures DHCPv4 Snooping show web-auth summary This command displays a summary of web authentication port parameters and statistics. Command Mode Privileged Exec Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ----...
  • Page 283: Ip Dhcp Snooping

    Chapter 9 | General Security Measures DHCPv4 Snooping (Continued) Table 55: DHCP Snooping Commands Command Function Mode ip dhcp snooping trust Configures the specified interface as trusted ip dhcp snooping max-number Configures the maximum number of DHCP clients which can be supported per interface ip dhcp snooping information Enables or disables the use of DHCP Option 82...
  • Page 284 Chapter 9 | General Security Measures DHCPv4 Snooping ◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆...
  • Page 285: Ip Dhcp Snooping Information Option

    Chapter 9 | General Security Measures DHCPv4 Snooping switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped. Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (291) ip dhcp snooping trust (295) ip dhcp snooping...
  • Page 286: Ip Dhcp Snooping Information Option Encode No-Subtype

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
  • Page 287: Table 56: Option 82 Information

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Mode Global Configuration Command Usage ◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below: Table 56: Option 82 information 3-69 1-67 opt82 opt-len sub-opt1 string-len R-124 string The circuit identifier used by this switch starts at sub-option1 and goes to the...
  • Page 288: Ip Dhcp Snooping Information Option Remote-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping information option remote-id This command sets the remote ID to the switch’s IP address, MAC address, or arbitrary string, TR-101 compliant node identifier, or removes VLAN ID from the end of the TR101 field.
  • Page 289: Ip Dhcp Snooping Information Option Tr101 Board-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping Example This example sets the remote ID to the switch’s IP address. Console(config)#ip dhcp snooping information option remote-id tr101 node-identifier ip Console(config)# ip dhcp snooping This command sets the board identifier used in Option 82 information based on TR-101 syntax.
  • Page 290: Ip Dhcp Snooping Verify Mac-Address

    Chapter 9 | General Security Measures DHCPv4 Snooping Command Mode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets.
  • Page 291: Ip Dhcp Snooping Vlan

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping vlan vlan-id vlan-id - ID of a configured VLAN (Range: 1-4094) Default Setting Disabled Command Mode...
  • Page 292: Ip Dhcp Snooping Information Option Circuit-Id

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping information option circuit-id This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings. Syntax ip dhcp snooping information option circuit-id string string | {tr101 {node-identifier {ip | sysname} | no-vlan-field} no dhcp snooping information option circuit-id [tr101 no-vlan-field] string - An arbitrary string inserted into the circuit identifier field.
  • Page 293: Ip Dhcp Snooping Trust

    Chapter 9 | General Security Measures DHCPv4 Snooping ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command, ■ eth - The second field is the fixed string “eth”...
  • Page 294: Ip Dhcp Snooping Max-Number

    Chapter 9 | General Security Measures DHCPv4 Snooping ◆ Set all ports connected to DHCP servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted. ◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with ip dhcp snooping vlan...
  • Page 295: Ip Dhcp Snooping Trust

    Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage...
  • Page 296: Clear Ip Dhcp Snooping Binding

    Chapter 9 | General Security Measures DHCPv4 Snooping clear ip dhcp snooping binding This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table. Syntax clear ip dhcp snooping binding mac-address ip-address mac-address - Specifies a MAC address entry.
  • Page 297: Show Ip Dhcp Snooping

    Chapter 9 | General Security Measures DHCPv4 Snooping show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping Status: disabled DHCP Snooping Information Option Status: disabled DHCP Snooping Information Option Sub-option Format: extra subtype included DHCP Snooping Information Option Remote ID: MAC Address (hex encoded) DHCP Snooping Information Option Remote ID TR101 VLAN Field: enabled...
  • Page 298: Ipv4 Source Guard

    Chapter 9 | General Security Measures IPv4 Source Guard IPv4 Source Guard IPv4 Source Guard is a security feature that filters IPv4 traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCPv4 Snooping table when enabled (see “DHCPv4 Snooping”...
  • Page 299 Chapter 9 | General Security Measures IPv4 Source Guard unit - Unit identifier. (Range: 1) port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers. (Range: 1-10/28) Default Setting No configured entries Command Mode...
  • Page 300: Ip Source-Guard

    Chapter 9 | General Security Measures IPv4 Source Guard ■ If there is a binding entry with the same IP address and MAC address, then the new entry shall replace the old one. ◆ Only unicast addresses are accepted for static bindings. Example This example configures a static source-guard binding on port 5.
  • Page 301 Chapter 9 | General Security Measures IPv4 Source Guard ◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table. ◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
  • Page 302: Ip Source-Guard Max-Binding

    Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard max-binding This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting. Syntax ip source-guard [mode {acl | mac}] max-binding number no ip source-guard [mode {acl | mac}] max-binding mode - Specifies the learning mode.
  • Page 303: Ip Source-Guard Mode

    Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard mode This command sets the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table. Use the no form to restore the default setting.
  • Page 304: Show Ip Source-Guard

    Chapter 9 | General Security Measures IPv4 Source Guard stored before the switch overwrites the oldest record with new blocked records. Use the clear ip source-guard binding blocked command to clear this table. Example This command clears the blocked record table. Console(config)#clear ip source-guard binding blocked Console(config)# show ip source-guard...
  • Page 305: Arp Inspection

    Chapter 9 | General Security Measures ARP Inspection interface - Specifies a port interface. ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) Command Mode Privileged Exec Example Console#show ip source-guard binding MAC Address IP Address Type VLAN Interface...
  • Page 306: Ip Arp Inspection

    Chapter 9 | General Security Measures ARP Inspection (Continued) Table 59: ARP Inspection Commands Command Function Mode show ip arp inspection configuration Displays the global configuration settings for ARP Inspection show ip arp inspection interface Shows the trust status and inspection rate limit for ports PE show ip arp inspection log Shows information about entries stored in the log,...
  • Page 307: Ip Arp Inspection Filter

    Chapter 9 | General Security Measures ARP Inspection ◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again. Example Console(config)#ip arp inspection Console(config)#...
  • Page 308: Ip Arp Inspection Log-Buffer Logs

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection log-buffer logs This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
  • Page 309: Ip Arp Inspection Validate

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection validate This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. Syntax ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac]] | src-mac} no ip arp inspection validate dst-mac - Checks the destination MAC address in the Ethernet header...
  • Page 310: Ip Arp Inspection Vlan

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection vlan This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. Syntax [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
  • Page 311: Ip Arp Inspection Limit

    Chapter 9 | General Security Measures ARP Inspection ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
  • Page 312: Show Ip Arp Inspection Configuration

    Chapter 9 | General Security Measures ARP Inspection Example Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection configuration This command displays the global configuration settings for ARP Inspection. Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP Inspection Global Information: Global IP ARP Inspection Status : disabled Log Message Interval...
  • Page 313: Show Ip Arp Inspection Log

    Chapter 9 | General Security Measures ARP Inspection show ip arp inspection This command shows information about entries stored in the log, including the associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address...
  • Page 314: Denial Of Service Protection

    Chapter 9 | General Security Measures Denial of Service Protection Example Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# Denial of Service Protection A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
  • Page 315: Dos-Protection Smurf

    Chapter 9 | General Security Measures Denial of Service Protection Default Setting Disabled, 1000 kbits/second Command Mode Global Configuration Example Console(config)#dos-protection echo-chargen bit-rate-in-kilo 65 Console(config)# dos-protection smurf This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
  • Page 316: Dos-Protection Tcp-Null-Scan

    Chapter 9 | General Security Measures Denial of Service Protection Command Mode Global Configuration Example Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65 Console(config)# dos-protection tcp-null-scan This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
  • Page 317: Dos-Protection Tcp-Xmas-Scan

    Chapter 9 | General Security Measures Denial of Service Protection Example Console(config)#dos-protection syn-fin-scan Console(config)# dos-protection tcp-xmas-scan This command protects against DoS TCP-xmas-scan in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
  • Page 318: Dos-Protection Win-Nuke

    Chapter 9 | General Security Measures Denial of Service Protection Example Console(config)#dos-protection udp-flooding bit-rate-in-kilo 65 Console(config)# dos-protection win-nuke This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.”
  • Page 319: Port-Based Traffic Segmentation

    Chapter 9 | General Security Measures Port-based Traffic Segmentation WinNuke Attack : Disabled, 1000 kilobits per second Console# Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
  • Page 320: Traffic-Segmentation Session

    Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs. ◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
  • Page 321 Chapter 9 | General Security Measures Port-based Traffic Segmentation Default Setting None Command Mode Global Configuration Command Usage ◆ Use this command to create a new traffic-segmentation client session. ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
  • Page 322: Traffic-Segmentation Uplink-To-Uplink

    Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
  • Page 323: Show Traffic-Segmentation

    Chapter 9 | General Security Measures Port-based Traffic Segmentation show traffic-segmentation This command displays the configured traffic segments. Command Mode Privileged Exec Example Console#show traffic-segmentation Traffic segmentation Status : Disabled Uplink-to-Uplink Mode : Forwarding Traffic segmentation Status : Disabled Uplink-to-Uplink Mode Forwarding Session Uplink Ports...
  • Page 325: Access Control Lists

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
  • Page 326: Access-List Ip

    Chapter 10 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard –...
  • Page 327: Permit, Deny (Extended Ipv4 Acl)

    Chapter 10 | Access Control Lists IPv4 ACLs bitmask – Dotted decimal number representing the address bits to match. host – Keyword followed by a specific IP address. time-range-name - Name of the time range. (Range: 1-16 characters) Default Setting None Command Mode Standard IPv4 ACL...
  • Page 328 Chapter 10 | Access Control Lists IPv4 ACLs no {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [dscp dscp] [precedence precedence] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] {permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [dscp dscp] [precedence precedence]...
  • Page 329 Chapter 10 | Access Control Lists IPv4 ACLs Command Usage ◆ All new rules are appended to the end of the list. ◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match”...
  • Page 330: Ip Access-Group

    Chapter 10 | Access Control Lists IPv4 ACLs This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)# Related Commands access-list ip (326) Time Range (149) ip access-group This command binds an IPv4 ACL to a port.
  • Page 331: Show Ip Access-Group

    Chapter 10 | Access Control Lists IPv4 ACLs show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/2 IP access-list david in Console# show ip access-list This command displays the rules for configured IPv4 ACLs. Syntax show ip access-list {standard | extended} [acl-name] standard –...
  • Page 332: Ipv6 Acls

    Chapter 10 | Access Control Lists IPv6 ACLs IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
  • Page 333: Permit, Deny (Standard Ipv6 Acl)

    Chapter 10 | Access Control Lists IPv6 ACLs ◆ An ACL can contain up to 64 rules. Example Console(config)#access-list ipv6 standard david Console(config-std-ipv6-acl)# Related Commands permit, deny (Standard IPv6 ACL) (333) permit, deny (Extended IPv6 ACL) (334) ipv6 access-group (337) show ipv6 access-list (338) permit, deny This command adds a rule to a Standard IPv6 ACL.
  • Page 334: Permit, Deny (Extended Ipv6 Acl)

    Chapter 10 | Access Control Lists IPv6 ACLs Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64. Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79 Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64 Console(config-std-ipv6-acl)# Related Commands access-list ipv6 (332) Time Range (149) permit, deny This command adds a rule to an Extended IPv6 ACL.
  • Page 335 Chapter 10 | Access Control Lists IPv6 ACLs prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 for source prefix, 0-128 for destination prefix) dscp –...
  • Page 336 Chapter 10 | Access Control Lists IPv6 ACLs This allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit any any dscp 5 Console(config-ext-ipv6-acl)# This allows any packets sent from any source to any destination when the next header is 43.
  • Page 337: Ipv6 Access-Group

    Chapter 10 | Access Control Lists IPv6 ACLs ipv6 access-group This command binds an IPv6 ACL to a port. Use the no form to remove the port. Syntax ipv6 access-group acl-name in [time-range time-range-name] [counter] no ipv6 access-group acl-name in acl-name –...
  • Page 338: Show Ipv6 Access-List

    Chapter 10 | Access Control Lists MAC ACLs show ipv6 access-list This command displays the rules for configured IPv6 ACLs. Syntax show ipv6 access-list {standard | extended} [acl-name] standard – Specifies a standard IPv6 ACL. extended – Specifies an extended IPv6 ACL. acl-name –...
  • Page 339: Access-List Mac

    Chapter 10 | Access Control Lists MAC ACLs access-list mac This command enters MAC ACL configuration mode. Rules can be added to filter packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also be used to filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types.
  • Page 340 Chapter 10 | Access Control Lists MAC ACLs no {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]] Note: The default is for Ethernet II packets. {permit | deny} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}...
  • Page 341 Chapter 10 | Access Control Lists MAC ACLs tagged-802.3 – Tagged Ethernet 802.3 packets. untagged-802.3 – Untagged Ethernet 802.3 packets. any – Any MAC, IPv4 or IPv6 source or destination address. host – A specific MAC, IPv4 or IPv6 address. source –...
  • Page 342: Mac Access-Group

    Chapter 10 | Access Control Lists MAC ACLs Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (339) Time Range (149) mac access-group This command binds a MAC ACL to a port.
  • Page 343: Show Mac Access-Group

    Chapter 10 | Access Control Lists MAC ACLs show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands mac access-group (342) show mac access-list This command displays the rules for configured MAC ACLs.
  • Page 344: Arp Acls

    Chapter 10 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
  • Page 345: Permit, Deny (Arp Acl)

    Chapter 10 | Access Control Lists ARP ACLs permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
  • Page 346: Show Access-List Arp

    Chapter 10 | Access Control Lists ACL Information Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands access-list arp (344) show access-list arp This command displays the rules for configured ARP ACLs.
  • Page 347: Clear Access-List Hardware Counters

    Chapter 10 | Access Control Lists ACL Information clear access-list hardware counters This command clears the hit counter for the rules in all ACLs, or for the rules in a specified ACL. Syntax clear access-list hardware counters [direction in [interface interface]] | [interface interface] | [name acl-name] in –...
  • Page 348: Show Access-List

    Chapter 10 | Access Control Lists ACL Information show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]] arp –...
  • Page 349: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 69: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode capabilities Advertises the capabilities of a given interface for use in...
  • Page 350: Interface Configuration

    Chapter 11 | Interface Commands Interface Configuration Table 69: Interface Commands (Continued) Command Function Mode transceiver-threshold current Sets thresholds for transceiver current which can be used to trigger an alarm or warning message transceiver-threshold rx-power Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message...
  • Page 351: Capabilities

    Chapter 11 | Interface Commands Interface Configuration Default Setting None Command Mode Global Configuration Example To specify several different ports, enter the following command: Console(config)#interface ethernet 1/17-20,23 Console(config-if)# capabilities This command advertises the port capabilities of a given interface during auto-negotiation.
  • Page 352: Description

    Chapter 11 | Interface Commands Interface Configuration Example The following example configures Ethernet port 5 capabilities to include 100half and 100full. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (355) speed-duplex (356) flowcontrol (353) description This command adds a description to an interface.
  • Page 353: Flowcontrol

    Chapter 11 | Interface Commands Interface Configuration flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 354: History

    Chapter 11 | Interface Commands Interface Configuration history This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table. Syntax history name interval buckets no history name name - A symbolic name for this entry in the sampling table.
  • Page 355: Negotiation

    Chapter 11 | Interface Commands Interface Configuration Command Mode Interface Configuration (Ethernet) Command Usage Available sfp-forced modes include: ECS2100-10T/PE/P: Ports 9-10 (1000BASE SFP) support 1000sfp ECS2100-28T/P/PP: Ports 25-28 (1000BASE SFP) support 1000sfp Example This forces the switch to use the 1000sfp mode for SFP port 28. Console(config)#interface ethernet 1/28 Console(config-if)#media-type sfp-forced 1000sfp Console(config-if)#...
  • Page 356: Shutdown

    Chapter 11 | Interface Commands Interface Configuration Related Commands capabilities (351) speed-duplex (356) shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been...
  • Page 357: Clear Counters

    Chapter 11 | Interface Commands Interface Configuration ◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
  • Page 358: Show Interfaces Brief

    Chapter 11 | Interface Commands Interface Configuration Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
  • Page 359: Show Interfaces Counters

    Chapter 11 | Interface Commands Interface Configuration show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) port-channel channel-id (Range: 1-8) Default Setting Shows the counters for all interfaces.
  • Page 360: Table 70: Show Interfaces Counters - Display Description

    Chapter 11 | Interface Commands Interface Configuration 0 Oversize PKTS 0 Fragments 0 Jabbers 0 CRC Align Errors 0 Collisions 5271 Packet Size <= 64 Octets 3589 Packet Size 65 to 127 Octets 222 Packet Size 128 to 255 Octets 313 Packet Size 256 to 511 Octets 190 Packet Size 512 to 1023 Octets 444 Packet Size 1024 to 1518 Octets...
  • Page 361 Chapter 11 | Interface Commands Interface Configuration Table 70: show interfaces counters - display description (Continued) Parameter Description Etherlike Statistics FCS Errors A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
  • Page 362: Show Interfaces History

    Chapter 11 | Interface Commands Interface Configuration Table 70: show interfaces counters - display description (Continued) Parameter Description Fragments The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
  • Page 363 Chapter 11 | Interface Commands Interface Configuration previous - Statistics recorded in previous intervals. index - An index into the buckets containing previous samples. (Range: 1-96) count - The number of historical samples to display. (Range: 1-96) input - Ingress traffic. output - Egress traffic.
  • Page 364: Show Interfaces Status

    Chapter 11 | Interface Commands Interface Configuration Start Time Discards ------------ ------------- 00d 00:00:03 Console# show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 365: Show Interfaces Switchport

    Chapter 11 | Interface Commands Interface Configuration Operation Speed-duplex : 100full Up Time : 0w 0d 1h 11m 2s (4262 seconds) Flow Control Type : None Max Frame Size : 1518 bytes (1522 bytes for tagged frames) MAC Learning Status : Enabled Console# show interfaces...
  • Page 366: Transceiver Threshold Configuration

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Table 71: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 415). Multicast Threshold Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 415).
  • Page 367: Transceiver-Threshold-Auto

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Example Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-monitor Console# transceiver-threshold-auto This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature.
  • Page 368: Transceiver-Threshold Rx-Power

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Command Mode Interface Configuration (SFP/SFP+ Ports) Command Usage ◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
  • Page 369: Transceiver-Threshold Temperature

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Default Setting High Alarm: -3.00 dBm High Warning: -3.50 dBm Low Warning: -21.00 dBm Low Alarm: -21.50 dBm Command Mode Interface Configuration (SFP/SFP+ Ports) Command Usage ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
  • Page 370: Transceiver-Threshold Tx-Power

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Low Alarm: -123.00 °C Low Warning: 0.00 °C Command Mode Interface Configuration (SFP/SFP+ Ports) Command Usage ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆...
  • Page 371: Transceiver-Threshold Voltage

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Command Usage ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
  • Page 372: Show Interfaces Transceiver

    Chapter 11 | Interface Commands Transceiver Threshold Configuration ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the transceiver voltage at port 1. Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold voltage low-alarm 4 Console(config-if)#transceiver-threshold voltage high-alarm 2...
  • Page 373: Show Interfaces Transceiver-Threshold

    Chapter 11 | Interface Commands Transceiver Threshold Configuration Vendor Rev Vendor SN : SE08T712Z00006 Date Code : 10-09-14 DDM Info Temperature : 35.64 degree C : 3.25 V Bias Current : 12.13 mA TX Power : 2.36 dBm RX Power : -24.20 dBm DDM Thresholds Low Alarm...
  • Page 374: Cable Diagnostics

    Chapter 11 | Interface Commands Cable Diagnostics DDM Thresholds Transceiver-monitor : Disabled Transceiver-threshold-auto : Enabled Low Alarm Low Warning High Warning High Alarm ----------- ------------ ------------ ------------ ------------ Temperature(Celsius) -123.00 0.00 70.00 75.00 Voltage(Volts) 3.10 3.15 3.45 3.50 Current(mA) 6.00 7.00 90.00 100.00...
  • Page 375: Show Cable-Diagnostics

    Chapter 11 | Interface Commands Cable Diagnostics Example Console#test cable-diagnostics interface ethernet 1/24 Console# show cable-diagnostics This command shows the results of a cable diagnostics test. Syntax show cable-diagnostics dsp interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 376: Power Savings

    Chapter 11 | Interface Commands Power Savings Power Savings power-save This command enables power savings mode on the specified port. Use the no form to disable this feature. Syntax [no] power-save Default Setting Enabled Command Mode Interface Configuration (Ethernet ports 1-8/24) Command Usage ◆...
  • Page 377: Show Power-Save

    Chapter 11 | Interface Commands Power Savings determine whether or not it can reduce the signal amplitude used on a particular link. Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters.
  • Page 379: Link Aggregation Commands

    Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
  • Page 380: Manual Configuration Commands

    Chapter 12 | Link Aggregation Commands Manual Configuration Commands Guidelines for Creating Trunks General Guidelines – ◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk can have up to 8 ports. ◆...
  • Page 381 Chapter 12 | Link Aggregation Commands Manual Configuration Commands src-dst-ip - Load balancing based on source and destination IP address. src-dst-mac - Load balancing based on source and destination MAC address. src-ip - Load balancing based on source IP address. src-mac - Load balancing based on source MAC address.
  • Page 382: Channel-Group

    Chapter 12 | Link Aggregation Commands Manual Configuration Commands ■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts. Example Console(config)#port channel load-balance dst-ip Console(config)#...
  • Page 383: Dynamic Configuration Commands

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage ◆...
  • Page 384: Lacp Admin-Key (Ethernet Interface)

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Multicast Storm : Disabled Multicast Storm Limit : 500 packets/second Unknown Unicast Storm : Disabled Unknown Unicast Storm Limit : 500 packets/second Storm Threshold Resolution : 1 packets/second Flow Control : Disabled MAC Learning : Enabled Link-up-down Trap...
  • Page 385: Lacp Port-Priority

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state. Note: Configuring the partner admin-key does not affect remote or local switch operation.
  • Page 386: Lacp System-Priority

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
  • Page 387: Lacp Admin-Key (Port Channel)

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
  • Page 388: Lacp Timeout

    Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp timeout This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting. Syntax lacp timeout {long | short} no lacp timeout long - Specifies a slow timeout of 90 seconds.
  • Page 389: Trunk Status Display Commands

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} port-channel - Local identifier for a link aggregation group. (Range: 1-8) counters - Statistics for LACP protocol messages.
  • Page 390: Table 74: Show Lacp Internal - Display Description

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 73: show lacp counters - display description (Continued) Field Description Unknown Packet Received Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
  • Page 391: Table 75: Show Lacp Neighbors - Display Description

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 74: show lacp internal - display description (Continued) Field Description Admin State, Oper State (continued) ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆...
  • Page 392: Show Port-Channel Load-Balance

    Chapter 12 | Link Aggregation Commands Trunk Status Display Commands 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-8F-2C-A7 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 32768 00-30-F1-D4-73-A0 Table 76: show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch.
  • Page 393: Power Over Ethernet Commands

    Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the RJ-45 ports 1-8 on the ECS2100-10PE/10P and RJ-45 ports 1-24 on the ECS2100-28P/28PP. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget.
  • Page 394: Power Inline Compatible

    Chapter 13 | Power over Ethernet Commands power inline compatible This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature. Syntax [no] power inline compatible [interface] interface...
  • Page 395: Power Inline Maximum Allocation

    Chapter 13 | Power over Ethernet Commands power inline maximum allocation This command sets the maximum power allocation mode based on PD (powered device) class or user configuration. Use the no form to restore the default setting. Syntax power inline maximum allocation mode {class | user} no power inline maximum allocation mode class - Power allocation is based on device classification.
  • Page 396: Power Mainpower Maximum Allocation

    Chapter 13 | Power over Ethernet Commands power mainpower maximum allocation This command defines a power budget for the switch (i.e., the power available to all switch ports). Use the no form to restore the default setting. Syntax power mainpower maximum allocation milliwatts milliwatts - The power budget for the switch.
  • Page 397: Power Inline

    Chapter 13 | Power over Ethernet Commands power inline This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port, or the no form with the time-range keyword to remove the time range settings.
  • Page 398: Power Inline Priority

    Chapter 13 | Power over Ethernet Commands Command Mode Interface Configuration (Ethernet ports 1-8/24) Command Usage ◆ The number of ports which can supply maximum power simultaneously to connected devices is listed in the following table. In this table, EPS refers to the optional external power supply.
  • Page 399: Power Inline Time-Range

    Chapter 13 | Power over Ethernet Commands Command Usage ◆ If the power demand from devices connected to the switch exceeds the power budget setting as determined during bootup, the switch uses port power priority settings to control the supplied power. For example: ■ A device connected to a low-priority port that causes the switch to exceed...
  • Page 400: Show Power Inline Status

    Chapter 13 | Power over Ethernet Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline time-range rd Console(config-if)# Related Commands time-range (149) show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet unit - Unit identifier.
  • Page 401: Show Power Inline Time-Range

    Chapter 13 | Power over Ethernet Commands Table 80: show power inline status - display description Field Description Compatible Mode Shows if the switch detects and provides power to powered devices that were designed prior to the IEEE 802.3af PoE standard (see power inline compatible) Maximum...
  • Page 402: Show Power Mainpower

    Chapter 13 | Power over Ethernet Commands show power mainpower Use this command to display the current power status for the switch. Command Mode Privileged Exec Example This example shows the maximum available PoE power and maximum allocated PoE power. Console#show power mainpower Unit 1 PoE Status PoE Maximum Available Power...
  • Page 403: Port Mirroring Commands

    Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 82: Port Mirroring Commands Command Function...
  • Page 404: Show Port Monitor

    Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands vlan-id - VLAN ID (Range: 1-4094) Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. Command Mode Interface Configuration (Ethernet, destination port) Command Usage ◆...
  • Page 405: Rspan Mirroring Commands

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX). Example The following shows mirroring configured from port 6 to port 5: Console(config)#interface ethernet 1/5 Console(config-if)#port monitor ethernet 1/6 Console(config-if)#end...
  • Page 406 Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 is prohibited.) Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
  • Page 407: Rspan Source

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port.
  • Page 408: Rspan Destination

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Example The following example configures the switch to mirror received packets from port 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic.
  • Page 409: Rspan Remote Vlan

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/2 Console(config)# rspan remote vlan...
  • Page 410: No Rspan Session

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
  • Page 411: Show Rspan

    Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Three sessions are allowed, including both local and remote mirroring, using different VLANs for RSPAN sessions.
  • Page 413: Congestion Control Commands

    Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
  • Page 414: Rate-Limit

    Chapter 15 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input –...
  • Page 415: Storm Control Commands

    Chapter 15 | Congestion Control Commands Storm Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
  • Page 416 Chapter 15 | Congestion Control Commands Storm Control Commands Example The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# Related Commands show interfaces switchport (365) – 416 –...
  • Page 417: Loopback Detection Commands

    Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back. Table 88: Loopback Detection Commands Command Function...
  • Page 418: Loopback-Detection

    Chapter 16 | Loopback Detection Commands loopback-detection This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Enabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
  • Page 419: Loopback-Detection Recover-Time

    Chapter 16 | Loopback Detection Commands Command Usage ◆ When a port receives a control frame sent by itself, this means that the port is in looped state, and the VLAN in the frame payload is also in looped state with the wrong VLAN tag.
  • Page 420: Loopback-Detection Transmit-Interval

    Chapter 16 | Loopback Detection Commands Example Console(config)#loopback-detection recover-time 120 Console(config-if)# loopback-detection transmit-interval This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting. Syntax loopback-detection transmit-interval seconds no loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
  • Page 421: Loopback-Detection Release

    Chapter 16 | Loopback Detection Commands Command Mode Global Configuration Command Usage Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery. Example Console(config)#loopback-detection trap both Console(config)# loopback-detection release This command releases all interfaces currently shut down by the loopback detection feature.
  • Page 422 Chapter 16 | Loopback Detection Commands Recover Time : 60 Action : Shutdown Trap : None Loopback Detection Port Information Port Admin State Oper State -------- ----------- ---------- Eth 1/ 1 Enabled Normal Eth 1/ 2 Disabled Disabled Eth 1/ 3 Disabled Disabled Console#show loopback-detection ethernet 1/1...
  • Page 423: Address Table Commands

    Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 89: Address Table Commands Command Function Mode mac-address-table Sets the aging time of the address table aging-time mac-address-table static Maps a static address to a port in a VLAN...
  • Page 424: Mac-Address-Table Static

    Chapter 17 | Address Table Commands Example Console(config)#mac-address-table aging-time 100 Console(config)# mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address.
  • Page 425: Clear Collision-Mac-Address-Table

    Chapter 17 | Address Table Commands Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear collision-mac-address-table This command removes all entries from the collision MAC address table. Default Setting None Command Mode Privileged Exec Example Console#clear collision-mac-address-table Console# clear mac-address- This command removes any learned entries from the forwarding database.
  • Page 426: Show Mac-Address-Table

    Chapter 17 | Address Table Commands Example Console#show collision-mac-address-table MAC Address VLAN Collision Count ----------------- ----- ---------------- 90-e6-ba-cb-cd-d6 Total collision mac number: 1 Console# show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] mac-address - MAC address.
  • Page 427: Show Mac-Address-Table Aging-Time

    Chapter 17 | Address Table Commands Example Console#show mac-address-table Interface MAC Address VLAN Type Life Time --------- ----------------- ---- -------- ----------------- 00-E0-00-00-00-01 1 CPU Delete on Reset Eth 1/ 1 00-E0-0C-10-90-09 1 Learn Delete on Timeout Eth 1/ 1 00-E0-29-94-34-64 1 Learn Delete on Timeout Console#...
  • Page 428 Chapter 17 | Address Table Commands Example Console#show mac-address-table count interface ethernet 1/1 MAC Entries for Eth 1/1 Total Address Count Static Address Count Dynamic Address Count Console#show mac-address-table count Compute the number of MAC Address... Maximum number of MAC Address which can be created in the system: Total Number of MAC Address : 16384 Number of Static MAC Address...
  • Page 429: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 90: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree Configures spanning tree operation to be compatible with cisco-prestandard...
  • Page 430: Spanning-Tree

    Chapter 18 | Spanning Tree Commands (Continued) Table 90: Spanning Tree Commands Command Function Mode spanning-tree loopback- Configures the response for loopback detection to block detection action user traffic or shut down the interface spanning-tree loopback- Configures loopback release mode for a port detection release-mode spanning-tree Enables BPDU loopback SNMP trap notification for a port...
  • Page 431: Spanning-Tree Cisco-Prestandard

    Chapter 18 | Spanning Tree Commands allows the switch to interact with other bridging devices (that is, an STA- compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
  • Page 432: Spanning-Tree Hello-Time

    Chapter 18 | Spanning Tree Commands Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
  • Page 433: Spanning-Tree Max-Age

    Chapter 18 | Spanning Tree Commands spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 434 Chapter 18 | Spanning Tree Commands Default Setting rstp Command Mode Global Configuration Command Usage ◆ Spanning Tree Protocol This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.
  • Page 435: Spanning-Tree Mst Configuration

    Chapter 18 | Spanning Tree Commands spanning-tree mst configuration This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting No VLANs are mapped to any MST instance. The region name is set to the switch’s MAC address. Command Mode Global Configuration Example Console(config)#spanning-tree mst configuration...
  • Page 436: Spanning-Tree Priority

    Chapter 18 | Spanning Tree Commands ◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP. Example Console(config)#spanning-tree pathcost method long Console(config)#...
  • Page 437: Spanning-Tree System-Bpdu-Flooding

    Chapter 18 | Spanning Tree Commands spanning-tree system-bpdu-flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
  • Page 438: Spanning-Tree Transmission-Limit

    Chapter 18 | Spanning Tree Commands Default Setting All ports and trunks belong to a common group. Command Mode Global Configuration Command Usage A port can only belong to one group. When an interface is added to a group, it is removed from the default group.
  • Page 439: Max-Hops

    Chapter 18 | Spanning Tree Commands max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting Command Mode...
  • Page 440: Mst Vlan

    Chapter 18 | Spanning Tree Commands Command Usage ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
  • Page 441: Name

    Chapter 18 | Spanning Tree Commands Example Console(config-mstp)#mst 1 vlan 2-5 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of multiple spanning tree region.
  • Page 442: Spanning-Tree Bpdu-Filter

    Chapter 18 | Spanning Tree Commands Command Usage The MST region name (page 441) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 443: Spanning-Tree Bpdu-Guard

    Chapter 18 | Spanning Tree Commands spanning-tree bpdu-guard This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings. Syntax spanning-tree bpdu-guard [auto-recovery [interval interval]] no spanning-tree bpdu-guard [auto-recovery [interval]]...
  • Page 444: Spanning-Tree Cost

    Chapter 18 | Spanning Tree Commands spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method) Table 91: Recommended STA Path Cost Range Port Type...
  • Page 445: Spanning-Tree Edge-Port

    Chapter 18 | Spanning Tree Commands ◆ Path cost takes precedence over port priority. ◆ When the path cost method (page 435) is set to short, the maximum value for path cost is 65,535. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree This command specifies an interface as an edge port.
  • Page 446: Spanning-Tree Link-Type

    Chapter 18 | Spanning Tree Commands spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting.
  • Page 447: Spanning-Tree Loopback-Detection Action

    Chapter 18 | Spanning Tree Commands Command Usage ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1). ◆...
  • Page 448: Spanning-Tree Loopback-Detection Release-Mode

    Chapter 18 | Spanning Tree Commands spanning-tree loopback-detection release-mode This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default. Syntax spanning-tree loopback-detection release-mode {auto | manual} no spanning-tree loopback-detection release-mode auto - Allows a port to automatically be released from the discarding state...
  • Page 449: Spanning-Tree Loopback-Detection Trap

    Chapter 18 | Spanning Tree Commands spanning-tree loopback-detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. Syntax [no] spanning-tree loopback-detection trap Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap...
  • Page 450: Spanning-Tree Mst Port-Priority

    Chapter 18 | Spanning Tree Commands interfaces attached to faster media, and higher values assigned to interfaces with slower media. ◆ Use the no spanning-tree mst cost command to specify auto-configuration mode. ◆ Path cost takes precedence over interface priority. Example Console(config)#interface Ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50...
  • Page 451: Spanning-Tree Port-Bpdu-Flooding

    Chapter 18 | Spanning Tree Commands Related Commands spanning-tree mst cost (449) spanning-tree port-bpdu-flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting. Syntax [no] spanning-tree port-bpdu-flooding Default Setting...
  • Page 452: Spanning-Tree Root-Guard

    Chapter 18 | Spanning Tree Commands Command Usage ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 453: Spanning-Tree Spanning-Disabled

    Chapter 18 | Spanning Tree Commands could also be used to form a border around part of the network where the root bridge is allowed. ◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
  • Page 454: Spanning-Tree Loopback-Detection Release

    Chapter 18 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
  • Page 455: Spanning-Tree Protocol-Migration

    Chapter 18 | Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) port-channel channel-id (Range: 1-8) Command Mode Privileged Exec...
  • Page 456 Chapter 18 | Spanning Tree Commands stp-enabled-only - Displays global settings, and settings for interfaces for which STP is enabled. Default Setting None Command Mode Privileged Exec Command Usage ◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
  • Page 457 Chapter 18 | Spanning Tree Commands State : Discarding External Admin Path Cost Internal Admin Path Cost External Oper Path Cost : 100000 Internal Oper Path Cost : 100000 Priority : 128 Designated Cost : 100000 Designated Port : 128.1 Designated Root : 32768.0.0001ECF8D8C6 Designated Bridge...
  • Page 458: Show Spanning-Tree Mst Configuration

    Chapter 18 | Spanning Tree Commands show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration Name : R&D Revision Level Instance VLANs -------------------------------------------------------------- 1-4094 Console#...
  • Page 459: Vlan Commands

    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 460: Vlan Database

    Chapter 19 | VLAN Commands Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan...
  • Page 461: Configuring Vlan Interfaces

    Chapter 19 | VLAN Commands Configuring VLAN Interfaces rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering).
  • Page 462: Interface Vlan

    Chapter 19 | VLAN Commands Configuring VLAN Interfaces (Continued) Table 95: Commands for Configuring VLAN Interfaces Command Function Mode switchport native vlan Configures the PVID (native VLAN) of an interface switchport priority default Sets a port priority for incoming untagged frames interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
  • Page 463: Switchport Acceptable-Frame-Types

    Chapter 19 | VLAN Commands Configuring VLAN Interfaces switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
  • Page 464 Chapter 19 | VLAN Commands Configuring VLAN Interfaces Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094). add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained.
  • Page 465: Switchport Ingress-Filtering

    Chapter 19 | VLAN Commands Configuring VLAN Interfaces switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default. Syntax [no] switchport ingress-filtering Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...
  • Page 466: Switchport Native Vlan

    Chapter 19 | VLAN Commands Configuring VLAN Interfaces trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
  • Page 467: Displaying Vlan Information

    Chapter 19 | VLAN Commands Displaying VLAN Information Example The following example shows how to set the PVID for port 1 to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport native vlan 3 Console(config-if)# Displaying VLAN Information This section describes commands used to display VLAN information. Table 96: Commands for Displaying VLAN Information Command Function...
  • Page 468: Configuring Ieee 802.1Q Tunneling

    Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S) Eth1/26(S) Eth1/27(S) Eth1/28(S) Console# Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs.
  • Page 469: Dot1Q-Tunnel System-Tunnel-Control

    Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan). Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
  • Page 470: Switchport Dot1Q-Tunnel Mode

    Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling Related Commands show dot1q-tunnel (474) show interfaces switchport (365) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode...
  • Page 471: Switchport Dot1Q-Tunnel Priority Map

    Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport dot1q-tunnel priority map This command copies the inner tag priority to the outer tag priority. Use the no form to disable this feature. Syntax [no] switchport dot1q-tunnel priority map Default Setting Disabled Command Mode...
  • Page 472 Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel. ◆ Rather than relying on standard service paths and priority queuing, QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
  • Page 473: Switchport Dot1Q-Tunnel Tpid

    Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configures port 1 as an untagged member of VLANs 100, 200 and 300 using access mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 100,200,300 untagged Console(config-if)#switchport dot1q-tunnel mode access Configure the following selective QinQ mapping entries. Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel service 100 match cvid 10 Console(config-if)#switchport dot1q-tunnel service 200 match cvid 20...
  • Page 474: Show Dot1Q-Tunnel

    Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
  • Page 475: Configuring Protocol-Based Vlans

    Chapter 19 | VLAN Commands Configuring Protocol-based VLANs Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel 802.1Q Tunnel Status : Enabled Port Mode TPID (hex) -------- ------ ---------- Eth 1/ 1 Access 8100 Eth 1/ 2 Uplink...
  • Page 476: Protocol-Vlan Protocol-Group (Configuring Groups)

    Chapter 19 | VLAN Commands Configuring Protocol-based VLANs Table 98: Protocol-based VLAN Commands Command Function Mode protocol-vlan Create a protocol group, specifying the supported protocol-group protocols protocol-vlan Maps a protocol group to a VLAN protocol-group show protocol-vlan Shows the configuration of protocol groups protocol-group show interfaces Shows the interfaces mapped to a protocol group and the...
  • Page 477: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    Chapter 19 | VLAN Commands Configuring Protocol-based VLANs Command Mode Global Configuration Example The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types: Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp Console(config)# protocol-vlan...
  • Page 478: Show Protocol-Vlan Protocol-Group

    Chapter 19 | VLAN Commands Configuring Protocol-based VLANs If the frame is tagged, it will be processed according to the standard rules ■ applied to tagged frames. If the frame is untagged and the protocol type matches, the frame is ■...
  • Page 479: Show Interfaces Protocol-Vlan Protocol-Group

    Chapter 19 | VLAN Commands Configuring MAC Based VLANs show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 480: Mac-Vlan

    Chapter 19 | VLAN Commands Configuring MAC Based VLANs mac-vlan This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment. Syntax mac-vlan mac-address mac-address [mask mask-address] vlan vlan-id [priority priority] no mac-vlan mac-address {mac-address [mask mask-address] | all} mac-address –...
  • Page 481: Show Mac-Vlan

    Chapter 19 | VLAN Commands Configuring Voice VLANs Example The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10. Console(config)#mac-vlan mac-address 00-00-00-11-22-33 mask FF-FF-FF-FF-00-00 vlan 10 Console(config)# show mac-vlan This command displays MAC address-to-VLAN assignments. Command Mode Privileged Exec Command Usage Use this command to display MAC address-to-VLAN mappings.
  • Page 482: Voice Vlan

    Chapter 19 | VLAN Commands Configuring Voice VLANs (Continued) Table 100: Voice VLAN Commands Command Function Mode switchport voice vlan Enables Voice VLAN security on ports security show voice vlan Displays Voice VLAN settings voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
  • Page 483: Voice Vlan Aging

    Chapter 19 | VLAN Commands Configuring Voice VLANs voice vlan aging This command sets the Voice VLAN ID time out. Use the no form to restore the default. Syntax voice vlan aging minutes no voice vlan minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting 1440 minutes...
  • Page 484: Voice Vlan Mac-Address

    Chapter 19 | VLAN Commands Configuring Voice VLANs voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list. Syntax voice vlan mac-address mac-address mask mask-address [description description] no voice vlan mac-address mac-address mask mask-address mac-address - Defines a MAC address OUI that identifies VoIP devices in the...
  • Page 485: Switchport Voice Vlan

    Chapter 19 | VLAN Commands Configuring Voice VLANs switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
  • Page 486: Switchport Voice Vlan Rule

    Chapter 19 | VLAN Commands Configuring Voice VLANs Default Setting Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
  • Page 487: Switchport Voice Vlan Security

    Chapter 19 | VLAN Commands Configuring Voice VLANs Example The following example enables the OUI method on port 1 for detecting VoIP traffic. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan rule oui Console(config-if)# switchport voice vlan This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
  • Page 488 Chapter 19 | VLAN Commands Configuring Voice VLANs Default Setting None Command Mode Privileged Exec Command Usage When the switchport voice vlan command is set to auto mode, the remaining aging time displayed by the show voice vlan command will be displayed (or “Not Start” will be displayed).
  • Page 489: Erps Commands

    ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS. Table 101: ERPS Commands Command Function Mode erps Enables ERPS globally on the switch...
  • Page 490 Chapter 20 | ERPS Commands (Continued) Table 101: ERPS Commands Command Function Mode clear erps Clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health statistics protocol messages erps clear Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command, and the node is operating under non-revertive mode;...
  • Page 491: Erps

    Chapter 20 | ERPS Commands Enable ERPS: Before enabling a ring as described in the next step, first use the erps command to globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled with the no erps command, no ERPS rings will work.
  • Page 492: Erps Domain

    Chapter 20 | ERPS Commands erps domain This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring. Syntax erps domain ring-name [id ring-id] no erps domain ring-name ring-name - Name of a specific ERPS ring.
  • Page 493: Enable

    Chapter 20 | ERPS Commands Command Usage ◆ Configure one control VLAN for each ERPS ring. First create the VLAN to be used as the control VLAN (vlan, page 460), add the ring ports for the east and west interface as tagged members to this VLAN (switchport allowed vlan, page...
  • Page 494: Guard-Timer

    Chapter 20 | ERPS Commands ring-port command, the RPL owner specified with the rpl owner command, and the control VLAN configured with the control-vlan command. ◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected. Example Console(config-erps)#enable Console(config-erps)#...
  • Page 495: Holdoff-Timer

    Chapter 20 | ERPS Commands holdoff-timer This command sets the timer to filter out intermittent link faults. Use the no form to restore the default setting. Syntax holdoff-timer milliseconds milliseconds - The hold-off timer is used to filter out intermittent link faults. Faults will only be reported to the ring protection mechanism if this timer expires.
  • Page 496: Meg-Level

    Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ This switch can support up to six rings. However, ERPS control packets can only be sent on one ring. This command is used to indicate that the current ring is a secondary ring, and to specify the major ring which will be used to send ERPS control packets.
  • Page 497: Mep-Monitor

    Chapter 20 | ERPS Commands Example Console(config-erps)#meg-level 0 Console(config-erps)# Related Commands ethernet cfm domain (697) ethernet cfm mep (702) mep-monitor This command specifies the CFM MEPs used to monitor the link on a ring node. Use the no form to restore the default setting. Syntax mep-monitor {east | west} mep mpid east - Connects to next ring node to the east.
  • Page 498: Node-Id

    Chapter 20 | ERPS Commands Related Commands ethernet cfm domain (697) ethernet cfm mep (702) node-id This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax node-id mac-address mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
  • Page 499 Chapter 20 | ERPS Commands Default Setting Disabled Command Mode ERPS Configuration Command Usage ◆ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL.
  • Page 500: Non-Revertive

    Chapter 20 | ERPS Commands non-revertive This command enables non-revertive mode, which requires the protection state on the RPL to be manually cleared. Use the no form to restore the default revertive mode. Syntax [no] non-revertive Default Setting Disabled Command Mode ERPS Configuration Command Usage ◆...
  • Page 501 Chapter 20 | ERPS Commands traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and performing a flush FDB action. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL link that does not have an SF condition.
  • Page 502 Chapter 20 | ERPS Commands The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node. When the WTB timer expires, in the absence of any other higher priority request, the RPL Owner Node initiates reversion by blocking the traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes...
  • Page 503: Propagate-Tc

    Chapter 20 | ERPS Commands Recovery with revertive mode is handled in the following way: ■ The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, starts the WTB timer and waits for it to expire.
  • Page 504: Raps-Def-Mac

    Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching.
  • Page 505: Raps-Without-Vc

    Chapter 20 | ERPS Commands raps-without-vc This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes. Use the no form to restore the default setting. Syntax [no] raps-without-vc Default Setting R-APS with Virtual Channel Command Mode ERPS Configuration Command Usage ◆...
  • Page 506 Chapter 20 | ERPS Commands Figure 3: Sub-ring with Virtual Channel Interconnection Node RPL Port Ring Node Major Ring Sub-ring with Virtual Channel Virtual Channel ◆ Sub-ring without R-APS Virtual Channel – Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub-ring over an arbitrary Ethernet network.
  • Page 507: Ring-Port

    Chapter 20 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. Syntax ring-port {east | west} interface interface east - Connects to next ring node to the east. west - Connects to next ring node to the west.
  • Page 508: Rpl Neighbor

    Chapter 20 | ERPS Commands rpl neighbor This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting. Syntax rpl neighbor no rpl Default Setting None (that is, neither owner nor neighbor) Command Mode ERPS Configuration Command Usage...
  • Page 509: Version

    Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the erps forced-switch erps manual-switch...
  • Page 510: Wtr-Timer

    Chapter 20 | ERPS Commands ◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2. ◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”.
  • Page 511: Clear Erps Statistics

    Chapter 20 | ERPS Commands clear erps statistics This command clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages. Syntax clear erps statistics [domain ring-name] ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) Command Mode Privileged Exec Example...
  • Page 512: Erps Forced-Switch

    Chapter 20 | ERPS Commands Example Console#erps clear domain r&d Console# erps forced-switch This command blocks the specified ring port. Syntax erps forced-switch [domain ring-name] {east | west} ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) east - East ring port. west - West ring port.
  • Page 513: Table 102: Erps Request/State Priority

    Chapter 20 | ERPS Commands While an existing forced switch request is present in a ring, any new forced switch request is accepted, except on a ring node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued.
  • Page 514: Erps Manual-Switch

    Chapter 20 | ERPS Commands node under maintenance in order to avoid falling into the above mentioned unrecoverable situation. Example Console#erps forced-switch domain r&d west Console# erps manual-switch This command blocks the specified ring port, in the absence of a failure or an erps forced-switch command.
  • Page 515: Show Erps

    Chapter 20 | ERPS Commands A ring node accepting an R-APS (MS) message, without any local higher priority requests stops transmitting R-APS messages. A ring node receiving an R-APS (MS) message flushes its FDB. ◆ Protection switching on a manual switch request is completed when the above actions are performed by each ring node.
  • Page 516: Table 103: Show Erps - Summary Display Description

    Chapter 20 | ERPS Commands Example This example displays a summary of all the ERPS rings configured on the switch. Console#show erps ERPS Status : Enabled Number of ERPS Domains Domain Enabled Ver MEL Ctrl VLAN State Type Revertive ------------ --- ------- --- --- --------- ---------- ------------ --------- r&d 1 Yes 1 Idle...
  • Page 517: Table 104: Show Erps Domain - Detailed Display Description

    Chapter 20 | ERPS Commands (Continued) Table 103: show erps - summary display description Field Description Port State The operational state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R-APS messages is allowed.
  • Page 518 Chapter 20 | ERPS Commands (Continued) Table 104: show erps domain - detailed display description Field Description R-APS with VC The R-APS Virtual Channel is the R-APS channel connection used to tunnel R-APS messages between two interconnection nodes of a sub-ring in another Ethernet ring or network.
  • Page 519: Table 105: Show Erps Statistics - Detailed Display Description

    Chapter 20 | ERPS Commands Table 105: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node. Local Clear SF The number of times a clear command was issued to terminate protection state entered through a forced switch or manual switch...
  • Page 521: Class Of Service Commands

    Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 522: Queue Mode

    Chapter 21 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
  • Page 523: Queue Weight

    Chapter 21 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
  • Page 524: Switchport Priority Default

    Chapter 21 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7. Console(config)#interface ethernet 1/1 Console(config-if)#queue weight 1 2 3 4 5 6 7 8 Console(config-if)# Related Commands queue mode (522)
  • Page 525: Show Queue Mode

    Chapter 21 | Class of Service Commands Priority Commands (Layer 2) port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)#...
  • Page 526: Priority Commands (Layer 3 And 4)

    Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 108: Priority Commands (Layer 3 and 4) Command Function Mode...
  • Page 527: Table 109: Default Mapping Of Cos/Cfi Values To Queue/Cfi

    Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) Default Setting Table 109: Default Mapping of CoS/CFI Values to Queue/CFI (2,0) (2,0) (0,0) (0,0) (1,0) (1,0) (3,0) (3,0) (4,0) (4,0) (5,0) (5,0) (6,0) (6,0) (7,0) (7,0) Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage...
  • Page 528: Qos Map Dscp-Queue

    Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map dscp-queue This command maps DSCP values in incoming packets to per-hop behavior for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-queue dscp-queue from dscp0 ...
  • Page 529: Qos Map Trust-Mode

    Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) Example This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3. Console(config)#interface ethernet 1/2 Console(config-if)#qos map dscp-queue 3 from 1 Console(config-if)# qos map trust-mode...
  • Page 530: Show Qos Map Cos-Queue

    Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) Example This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section. Console(config)#interface 1/1 Console(config-if)#qos map trust-mode cos Console(config-if)# show qos map cos-queue This command shows the ingress CoS to egress queue map.
  • Page 531: Show Qos Map Dscp-Queue

    Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map dscp-queue This command shows the ingress DSCP to egress queue map. Syntax show qos map dscp-queue interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 532 Chapter 21 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Example The following shows that the trust mode is set to CoS: Console#show qos map trust-mode interface ethernet 1/5 Information of Eth 1/5 CoS Map Mode: CoS mode Console#...
  • Page 533: Quality Of Service Commands

    Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 534: Class-Map

    Chapter 22 | Quality of Service Commands CoS value. Note that a class map can include match settings for both IP values and a VLAN. Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode.
  • Page 535: Description

    Chapter 22 | Quality of Service Commands Example This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd-class Console(config-cmap)#match cos 3 Console(config-cmap)# Related Commands show class-map (541) description This command specifies the description of a class map or policy map.
  • Page 536: Match

    Chapter 22 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan} acl-name - Name of the access control list.
  • Page 537: Rename

    Chapter 22 | Quality of Service Commands This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5. Console(config)#class-map rd-class#2 Console(config-cmap)#match ip precedence 5 Console(config-cmap)# This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
  • Page 538: Class

    Chapter 22 | Quality of Service Commands Command Usage ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆...
  • Page 539: Police Rate

    Chapter 22 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive. Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set cos 3...
  • Page 540: Set Cos

    Chapter 22 | Quality of Service Commands When a packet of size B bytes arrives at time t, the following happens: ■ If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else the packet is red and Tc is not decremented.
  • Page 541: Service-Policy

    Chapter 22 | Quality of Service Commands service-policy This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy input policy-map-name input - Apply to the input traffic.
  • Page 542: Show Policy-Map

    Chapter 22 | Quality of Service Commands Description: Match ip dscp 10 Match access-list rd-access Match ip dscp 0 Class Map match-any rd-class#2 Match ip precedence 5 Class Map match-any rd-class#3 Match vlan 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations.
  • Page 543: Show Policy-Map Interface

    Chapter 22 | Quality of Service Commands show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface [interface input] interface unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) Command Mode Privileged Exec Example...
  • Page 545: Multicast Filtering Commands

    Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 546 Chapter 23 | Multicast Filtering Commands IGMP Snooping (Continued) Table 113: IGMP Snooping Commands Command Function Mode ip igmp snooping Sends an IGMP Query Solicitation when a Spanning Tree tcn-query-solicit topology change occurs ip igmp snooping Floods unregistered multicast traffic into the attached unregistered-data-flood VLAN ip igmp snooping...
  • Page 547: Ip Igmp Snooping

    Chapter 23 | Multicast Filtering Commands IGMP Snooping (Continued) Table 113: IGMP Snooping Commands Command Function Mode show ip igmp snooping Shows multicast router ports mrouter show ip igmp snooping Shows IGMP snooping protocol statistics for the specified statistics interface ip igmp snooping This command enables IGMP snooping globally on the switch or on a selected VLAN interface.
  • Page 548: Ip Igmp Snooping Priority

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ip igmp snooping priority This command assigns a priority to all multicast traffic. Use the no form to restore the default setting. Syntax ip igmp snooping priority priority no ip igmp snooping priority priority - The CoS priority assigned to all multicast traffic.
  • Page 549: Ip Igmp Snooping Querier

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
  • Page 550: Ip Igmp Snooping Router-Alert-Option-Check

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ip igmp snooping router-alert-option-check This command discards any IGMPv2/v3 packets that do not include the Router Alert option. Use the no form to ignore the Router Alert Option when receiving IGMP messages. Syntax [no] ip igmp snooping router-alert-option-check...
  • Page 551: Ip Igmp Snooping Tcn-Flood

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Example The following shows how to configure the timeout to 400 seconds: Console(config)#ip igmp snooping router-port-expire-time 400 Console(config)# ip igmp snooping tcn-flood This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs.
  • Page 552: Ip Igmp Snooping Tcn-Query-Solicit

    Chapter 23 | Multicast Filtering Commands IGMP Snooping The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets. Example The following example enables TCN flooding. Console(config)#ip igmp snooping tcn-flood Console(config)# ip igmp snooping This command instructs the switch to send out an IGMP general query solicitation...
  • Page 553: Ip Igmp Snooping Unregistered-Data-Flood

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ip igmp snooping unregistered-data-flood This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration...
  • Page 554: Ip Igmp Snooping Version

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Example Console(config)#ip igmp snooping unsolicited-report-interval 5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4094) 1 - IGMP Version 1...
  • Page 555: Ip Igmp Snooping Version-Exclusive

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ip igmp snooping version-exclusive This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp snooping version command. Use the no form to disable this feature. Syntax ip igmp snooping [vlan vlan-id] version-exclusive no ip igmp snooping version-exclusive...
  • Page 556: Ip Igmp Snooping Vlan Immediate-Leave

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
  • Page 557: Ip Igmp Snooping Vlan Last-Memb-Query-Count

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ◆ This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave. Console(config)#ip igmp snooping vlan 1 immediate-leave Console(config)# ip igmp snooping vlan This command configures the number of IGMP proxy group-specific or group-and-...
  • Page 558: Ip Igmp Snooping Vlan Last-Memb-Query-Intvl

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan last-memb-query-intvl This command configures the last-member-query interval. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id last-memb-query-intvl interval no ip igmp snooping vlan vlan-id last-memb-query-intvl vlan-id - VLAN ID (Range: 1-4094) interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
  • Page 559: Ip Igmp Snooping Vlan Proxy-Address

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers.
  • Page 560 Chapter 23 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
  • Page 561: Ip Igmp Snooping Vlan Query-Interval

    Chapter 23 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan query-interval This command configures the interval between sending IGMP general queries. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id query-interval interval no ip igmp snooping vlan vlan-id query-interval vlan-id - VLAN ID (Range: 1-4094) interval - The interval between sending IGMP general queries.
  • Page 562: Ip Igmp Snooping Vlan Static

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Command Usage This command applies when the switch is serving as the querier (page 549), or as a proxy host when IGMP snooping proxy reporting is enabled (page 548). Example Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20 Console(config)# ip igmp snooping vlan This command adds a port to a multicast group.
  • Page 563: Clear Ip Igmp Snooping Groups Dynamic

    Chapter 23 | Multicast Filtering Commands IGMP Snooping clear ip igmp snooping groups dynamic This command clears multicast group information dynamically learned through IGMP snooping. Syntax clear ip igmp snooping groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned through IGMP snooping. Statically configured multicast addresses are not cleared.
  • Page 564: Show Ip Igmp Snooping

    Chapter 23 | Multicast Filtering Commands IGMP Snooping show ip igmp snooping This command shows the IGMP snooping, proxy, and query configuration settings. Syntax show ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (1-4094) Command Mode Privileged Exec Command Usage This command displays global and VLAN-specific IGMP configuration settings.
  • Page 565: Show Ip Igmp Snooping Group

    Chapter 23 | Multicast Filtering Commands IGMP Snooping show ip igmp snooping group This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified. Syntax show ip igmp snooping group [host-ip-addr ip-address interface | igmpsnp | sort-by-port | user | vlan vlan-id [user | igmpsnp]] ip-address - IP address for multicast group interface...
  • Page 566: Show Ip Igmp Snooping Mrouter

    Chapter 23 | Multicast Filtering Commands IGMP Snooping show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs.
  • Page 567: Table 114: Show Ip Igmp Snooping Statistics Input - Display Description

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Command Mode Privileged Exec Example The following shows IGMP protocol statistics input: Console#show ip igmp snooping statistics input interface ethernet 1/1 Input Statistics: Interface Report Leave G Query G(-S)-S Query Drop Join Succ Group --------- -------- -------- -------- ------------- -------- --------- ------ Eth 1/ 1 Console#...
  • Page 568: Table 116: Show Ip Igmp Snooping Statistics Vlan Query - Display Description

    Chapter 23 | Multicast Filtering Commands IGMP Snooping Table 115: show ip igmp snooping statistics output - display description Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
  • Page 569: Static Multicast Routing

    Chapter 23 | Multicast Filtering Commands Static Multicast Routing Table 116: show ip igmp snooping statistics vlan query - display description Field Description V2 Warning Count The number of times the query version received (Version 2) does not match the version configured for this interface. V3 Warning Count The number of times the query version received (Version 3) does not match the version configured for this interface.
  • Page 570: Igmp Filtering And Throttling

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling trunk) on this switch, that interface can be manually configured to join all the current multicast groups. ◆ IGMP Snooping must be enabled globally on the switch (using the ip igmp snooping command) before a multicast router port can take effect.
  • Page 571: Ip Igmp Filter (Global Configuration)

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp filter (Global Configuration) This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration...
  • Page 572: {Permit | Deny

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling be assigned to one interface. Each profile has only one access mode; either permit or deny. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)# permit, deny This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
  • Page 573: Ip Igmp Filter (Interface Configuration)

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)#...
  • Page 574: Ip Igmp Max-Groups

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
  • Page 575: Ip Igmp Query-Drop

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 576: Show Ip Igmp Filter

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).
  • Page 577: Show Ip Igmp Profile

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode...
  • Page 578: Show Ip Igmp Throttle Interface

    Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console#show ip igmp query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier.
  • Page 579: Show Ip Multicast-Data-Drop

    Chapter 23 | Multicast Filtering Commands MLD Snooping show ip multicast-data-drop This command shows if the specified interface is configured to drop multicast data packets. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
  • Page 580: Table 119: Mld Snooping Commands

    Chapter 23 | Multicast Filtering Commands MLD Snooping Table 119: MLD Snooping Commands Command Function Mode ipv6 mld snooping Enables MLD Snooping globally ipv6 mld snooping proxy-reporting Enables MLD Snooping with Proxy Reporting ipv6 mld snooping querier Allows the switch to act as the querier for MLD snooping ipv6 mld snooping query-interval Configures the interval between sending MLD general...
  • Page 581: Ipv6 Mld Snooping

    Chapter 23 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping. Syntax [no] ipv6 mld snooping Default Setting Disabled Command Mode Global Configuration Example The following example enables MLD Snooping: Console(config)#ipv6 mld snooping...
  • Page 582: Ipv6 Mld Snooping Querier

    Chapter 23 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping querier This command allows the switch to act as the querier for MLDv2 snooping. Use the no form to disable this feature. Syntax [no] ipv6 mld snooping querier Default Setting Disabled Command Mode Global Configuration...
  • Page 583: Ipv6 Mld Snooping Query-Max-Response-Time

    Chapter 23 | Multicast Filtering Commands MLD Snooping ◆ An MLD general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an MLD report for the multicast groups they have joined. Example Console(config)#ipv6 mld snooping query-interval 150 Console(config)#...
  • Page 584: Ipv6 Mld Snooping Router-Port-Expire-Time

    Chapter 23 | Multicast Filtering Commands MLD Snooping Command Mode Global Configuration Command Usage A port will be removed from the receiver list for a multicast service when no MLD reports are detected in response to a number of MLD queries. The robustness variable sets the number of queries on ports for which there is no report.
  • Page 585: Ipv6 Mld Snooping Unknown-Multicast Mode

    Chapter 23 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping unknown-multicast mode This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default. Syntax ipv6 mld snooping unknown-multicast mode {flood | to-router-port} no ipv6 mld snooping unknown-multicast mode flood - Floods the unknown multicast data packets to all ports.
  • Page 586: Ipv6 Mld Snooping Version

    Chapter 23 | Multicast Filtering Commands MLD Snooping Command Usage ◆ When a new upstream interface (that is, uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream interface. ◆ This command only applies when proxy reporting is enabled (see page 581).
  • Page 587: Ipv6 Mld Snooping Vlan Mrouter

    Chapter 23 | Multicast Filtering Commands MLD Snooping Command Usage ◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
  • Page 588: Ipv6 Mld Snooping Vlan Static

    Chapter 23 | Multicast Filtering Commands MLD Snooping Example The following shows how to configure port 1 as a multicast router port within VLAN 1: Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1 Console(config)# ipv6 mld snooping This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
  • Page 589: Clear Ipv6 Mld Snooping Statistics

    Chapter 23 | Multicast Filtering Commands MLD Snooping Command Usage This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared. Example Console#clear ipv6 mld snooping groups dynamic Console# clear ipv6 mld snooping statistics This command clears MLD snooping statistics. Syntax clear ipv6 mld snooping statistics [interface interface]...
  • Page 590: Show Ipv6 Mld Snooping Group

    Chapter 23 | Multicast Filtering Commands MLD Snooping Example The following shows MLD Snooping configuration information Console#show ipv6 mld snooping Service Status : Disabled Proxy Reporting : Disabled Querier Status : Disabled Robustness Query Interval : 125 sec Query Max Response Time : 10 sec Router Port Expiry Time : 300 sec...
  • Page 591: Show Ipv6 Mld Snooping Group Source-List

    Chapter 23 | Multicast Filtering Commands MLD Snooping show ipv6 mld snooping group source-list This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list. Syntax show ipv6 mld snooping group source-list [ipv6-address | vlan vlan-id] ipv6-address - An IPv6 address of a multicast group.
  • Page 592: Show Ipv6 Mld Snooping Statistics

    Chapter 23 | Multicast Filtering Commands MLD Snooping Example Console#show ipv6 mld snooping mrouter vlan 1 VLAN Multicast Router Port Type Expire ---- --------------------- --------- ------ 1 Eth 1/ 2 Static Console# show ipv6 mld snooping statistics This command shows MLD snooping protocol statistics for the specified interface. Syntax show ipv6 mld snooping statistics...
  • Page 593: Table 121: Show Ipv6 Mld Snooping Statistics Output - Display Description

    Chapter 23 | Multicast Filtering Commands MLD Snooping Table 120: show ipv6 MLD snooping statistics input - display description Field Description Leave The number of leave messages received on this interface. G Query The number of general query messages received on this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages received on this interface.
  • Page 594: Table 122: Show Ipv6 Mld Snooping Statistics Query - Display Description

    Chapter 23 | Multicast Filtering Commands MLD Snooping Specific Query Received Specific Query Sent Console# Table 122: show ipv6 MLD snooping statistics query - display description Field Description Other Querier Address IP address of remote querier on this interface. Other Querier Expire Time after which remote querier is assumed to have expired.
  • Page 595: Table 123: Show Ipv6 Mld Snooping Statistics Summary - Display Description

    Chapter 23 | Multicast Filtering Commands MLD Snooping Others Drop Console# Table 123: show ipv6 MLD snooping statistics summary - display description Field Description Number of Groups Number of MLD groups active on the specified interface. Physical Interface (Port/Trunk) Querier: Transmit General...
  • Page 596: Mld Filtering And Throttling

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling MLD Filtering and Throttling In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
  • Page 597: Ipv6 Mld Profile

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling can be assigned to a port. When enabled, MLD join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the MLD join report is forwarded as normal. If a requested multicast group is denied, the MLD join report is dropped.
  • Page 598: {Permit | Deny

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling permit, deny This command sets the access mode for an MLD filter profile. Use the no form to delete a profile number. Syntax {permit | deny} Default Setting deny Command Mode MLD Profile Configuration Command Usage ◆...
  • Page 599: Ipv6 Mld Filter (Interface Configuration)

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config-mld-profile)#range ff01::0101 ff01::0202 Console(config-mld-profile)# ipv6 mld filter (Interface Configuration) This command assigns an MLD filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. Syntax [no] ipv6 mld filter profile-number profile-number - An MLD filter profile number.
  • Page 600: Ipv6 Mld Max-Groups Action

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions;...
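The following is an added example, not code from the manual or from Edge-Core: a small Python model of how a filter profile and a throttling limit combine to decide the fate of each MLD join on a port, useful for checking a planned policy before applying it. It assumes that a permit profile passes only groups inside its ranges and a deny profile passes only groups outside them, that the filter is evaluated before the throttle, and that the replace action evicts one existing group (victim selection is injectable; random by default); the names `MldProfile`, `Port` and `replay` are hypothetical.

```python
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class MldProfile:
    """A filter profile: exactly one access mode plus one or more group ranges."""
    mode: str                                   # "permit" or "deny"
    ranges: list = field(default_factory=list)  # inclusive (low, high) pairs

    def __post_init__(self):
        if self.mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")

    def add_range(self, low, high=None):
        """Counterpart of the profile-mode `range low [high]` command."""
        lo = ipaddress.IPv6Address(low)
        hi = ipaddress.IPv6Address(high if high is not None else low)
        if not (lo.is_multicast and hi.is_multicast) or lo > hi:
            raise ValueError(f"invalid multicast range: {low} {high}")
        self.ranges.append((lo, hi))

    def allows(self, group):
        g = ipaddress.IPv6Address(group)
        listed = any(lo <= g <= hi for lo, hi in self.ranges)
        # Assumed semantics: permit passes listed groups only,
        # deny passes unlisted groups only.
        return listed if self.mode == "permit" else not listed


class Port:
    """Per-interface state: optional profile, group limit and limit action."""

    def __init__(self, profile=None, max_groups=None, action="deny",
                 pick_victim=random.choice):
        if action not in ("deny", "replace"):
            raise ValueError("action must be deny or replace")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.pick_victim = pick_victim   # assumption: which group gets evicted
        self.joined = []                 # groups currently joined, oldest first

    def join(self, group):
        """Return the outcome for one join report received on this port."""
        g = str(ipaddress.IPv6Address(group))   # canonical text form
        if self.profile is not None and not self.profile.allows(g):
            return "filtered"                   # dropped by the profile
        if g in self.joined:
            return "forwarded"                  # refresh of an existing group
        if self.max_groups is not None and len(self.joined) >= self.max_groups:
            if self.action == "deny" or not self.joined:
                return "throttled"              # limit reached, join dropped
            victim = self.pick_victim(self.joined)
            self.joined.remove(victim)
            self.joined.append(g)
            return "replaced " + victim
        self.joined.append(g)
        return "forwarded"


def replay(port, groups):
    """Run a sequence of join reports through a port and collect outcomes."""
    return [(g, port.join(g)) for g in groups]


if __name__ == "__main__":
    # Constructed sample: the range is the one used in the manual's example,
    # the join sequence and the limit of 2 groups are made up for illustration.
    profile = MldProfile("permit")
    profile.add_range("ff01::0101", "ff01::0202")
    port = Port(profile, max_groups=2, action="replace",
                pick_victim=lambda joined: joined[0])
    for group, outcome in replay(port, ["ff01::0101", "ff01::300",
                                        "ff01::150", "ff01::0202"]):
        print(f"{group:12} {outcome}")
```
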
  • Page 601: Ipv6 Mld Query-Drop

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld max-groups action replace Console(config-if)# ipv6 mld query-drop This command drops any received MLD query packets. Use the no form to restore the default setting. Syntax [no] ipv6 mld query-drop Default Setting...
  • Page 602: Show Ipv6 Mld Profile

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling Example Console#show ipv6 mld filter MLD filter Enabled Console#show ipv6 mld filter interface ethernet 1/3 Ethernet 1/3 information --------------------------------- Profile 19 Deny Range ff01::101 ff01::faa Console# show ipv6 mld profile This command displays MLD filtering profiles created on the switch.
  • Page 603: Show Ipv6 Mld Throttle Interface

    Chapter 23 | Multicast Filtering Commands MLD Filtering and Throttling Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ipv6 mld query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ipv6 mld throttle This command displays the interface settings for MLD throttling.
  • Page 605: Lldp Commands

    LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
  • Page 606 Chapter 24 | LLDP Commands (Continued) Table 125: LLDP Commands Command Function Mode lldp basic-tlv system-description Configures an LLDP-enabled port to advertise the system description lldp basic-tlv system-name Configures an LLDP-enabled port to advertise its system name lldp dot1-tlv proto-ident Configures an LLDP-enabled port to advertise the supported protocols Configures an LLDP-enabled port to advertise port-...
  • Page 607: Lldp

    Chapter 24 | LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
  • Page 608: Lldp Med-Fast-Start-Count

    Chapter 24 | LLDP Commands lldp med-fast-start-count This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count packets - Amount of packets.
  • Page 609: Lldp Refresh-Interval

    Chapter 24 | LLDP Commands ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
  • Page 610: Lldp Tx-Delay

    Chapter 24 | LLDP Commands Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
  • Page 611: Lldp Admin-Status

    Chapter 24 | LLDP Commands lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs.
  • Page 612: Lldp Basic-Tlv Port-Description

    Chapter 24 | LLDP Commands ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
  • Page 613: Lldp Basic-Tlv System-Description

    Chapter 24 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-capabilities...
  • Page 614: Lldp Dot1-Tlv Proto-Ident

    Chapter 24 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
  • Page 615: Lldp Dot1-Tlv Pvid

    Chapter 24 | LLDP Commands Command Usage This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 475). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-vid Console(config-if)# lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
  • Page 616: Lldp Dot3-Tlv Link-Agg

    Chapter 24 | LLDP Commands Command Usage This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 463 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 477. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv vlan-name Console(config-if)# lldp dot3-tlv link-agg...
  • Page 617: Lldp Dot3-Tlv Max-Frame

    Chapter 24 | LLDP Commands Command Usage This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv mac-phy Console(config-if)# lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size.
  • Page 618: Lldp Med-Location Civic-Addr

    Chapter 24 | LLDP Commands Command Usage ◆ This command only applies to the PoE models. ◆ This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
  • Page 619: Table 126: Lldp Med Location Ca Types

    Chapter 24 | LLDP Commands ◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776.
  • Page 620: Lldp Med-Notification

    Chapter 24 | LLDP Commands Console(config-if)#lldp med-location civic-addr what 2 Console(config-if)# lldp med-notification This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications. Syntax [no] lldp med-notification Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel)
  • Page 621: Lldp Med-Tlv Inventory

    Chapter 24 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command only applies to the PoE models. This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
  • Page 622: Lldp Med-Tlv Med-Cap

    Chapter 24 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv location Console(config-if)# lldp med-tlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities.
  • Page 623: Lldp Notification

    Chapter 24 | LLDP Commands Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv network-policy...
  • Page 624: Show Lldp Config

    Chapter 24 | LLDP Commands show lldp config This command shows LLDP configuration settings for all ports. Syntax show lldp config [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) port-channel channel-id (Range: 1-8) Command Mode Privileged Exec...
  • Page 625: Show Lldp Info Local-Device

    Chapter 24 | LLDP Commands MED Enabled TLVs Advertised : med-cap network-policy location ext-poe inventory MED Location Identification: Location Data Format : Civic Address LCI Civic Address Status : Enabled Country Name : US What CA-Type CA-Value : Alabama CA-Type CA-Value : Tuscaloosa Console#...
  • Page 626: Show Lldp Info Remote-Device

    Chapter 24 | LLDP Commands Console#show lldp info local-device detail ethernet 1/1 LLDP Local Port Information Detail Port : Eth 1/1 Port ID Type : MAC Address Port ID : 00-12-CF-DA-FC-E9 Port Description : Ethernet Port on unit 1, port 1 MED Capability : LLDP-MED Capabilities Network Policy...
  • Page 627 Chapter 24 | LLDP Commands Enabled Capabilities : Bridge Management Address : 192.168.0.4 (IPv4) Port VLAN ID : 1 Port and Protocol VLAN ID : supported, disabled VLAN Name : VLAN 1 - DefaultVlan Protocol Identity (Hex) : 88-CC MAC/PHY Configuration/Status Port Auto-neg Supported : Yes Port Auto-neg Enabled...
  • Page 628: Show Lldp Info Statistics

    Chapter 24 | LLDP Commands Software Revision : 1.2.6.0 Serial Number : S123456 Manufacture Name : Prye Model Name : VP101 Asset ID : 340937 Console# show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
  • Page 629: Domain Name Service Commands

    Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
  • Page 630: Dns Commands

    Chapter 25 | Domain Name Service Commands DNS Commands DNS Commands ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation).
  • Page 631: Ip Domain-Lookup

    Chapter 25 | Domain Name Service Commands DNS Commands ip domain-lookup This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting Disabled Command Mode Global Configuration Command Usage ◆ At least one name server must be specified before DNS can be enabled. ◆...
  • Page 632: Ip Domain-Name

    Chapter 25 | Domain Name Service Commands DNS Commands ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 633: Ip Name-Server

    Chapter 25 | Domain Name Service Commands DNS Commands Command Usage Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries. Example This example maps an IPv4 address to a host name. Console(config)#ip host rd5 192.168.1.55 Console(config)#end Console#show hosts...
  • Page 634: Ipv6 Host

    Chapter 25 | Domain Name Service Commands DNS Commands sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (632) ip domain-lookup (631) ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address.
  • Page 635: Clear Dns Cache

    Chapter 25 | Domain Name Service Commands DNS Commands clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache Flag Type IP Address Host ------- ------- ------- --------------- ------- -------- Console# clear host This command deletes dynamic entries from the DNS table.
  • Page 636: Show Dns

    Chapter 25 | Domain Name Service Commands DNS Commands show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55...
  • Page 637: Show Hosts

    Chapter 25 | Domain Name Service Commands Multicast DNS Commands show hosts This command displays the static host name-to-address mapping table. Command Mode Privileged Exec Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
  • Page 638: Show Ip Mdns

    Chapter 25 | Domain Name Service Commands Multicast DNS Commands Command Mode Global Configuration Command Usage Use this command to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. For more information on this command refer to the Web Management Guide.
  • Page 639: Dhcp Commands

    DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
  • Page 640: Dhcp For Ipv4

    Chapter 26 | DHCP Commands DHCP Client DHCP for IPv4 ip dhcp dynamic-provision This command enables dynamic provisioning via DHCP. Use the no form to disable this feature. Syntax [no] ip dhcp dynamic-provision Default Setting Disabled Command Mode Global Configuration Command Usage DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems.
  • Page 641: Ip Dhcp Client Class-Id

    | DHCP Commands DHCP Client Define the conditions in class section:
    class "OPT66_67" { # for option 66/67
        # option 124
        match if option vendor-class-identifier = "Edge-core";
        # option 55
        option dhcp-parameter-request-list 1,66,67;
        # option 66
        option tftp-server-name "192.168.1.1";
        # option 67
        option bootfile-name "dhcp_config.cfg";...
  • Page 642: Table 132: Options 60, 66 And 67 Statements

    Chapter 26 | DHCP Commands DHCP Client ◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return. ◆...
  • Page 643: Ip Dhcp Restart Client

    Chapter 26 | DHCP Commands DHCP Client ip dhcp restart client This command submits a BOOTP or DHCP client request. Default Setting None Command Mode Privileged Exec Command Usage ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
  • Page 644: Dhcp For Ipv6

    Chapter 26 | DHCP Commands DHCP Client DHCP for IPv6 ipv6 dhcp client rapid-commit vlan This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option. Syntax [no] ipv6 dhcp client rapid-commit vlan vlan-id vlan-id - VLAN ID, specified as a single number, a range of consecutive...
  • Page 645 Chapter 26 | DHCP Commands DHCP Client Default Setting None Command Mode Privileged Exec Command Usage ◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
  • Page 646: Show Ipv6 Dhcp Duid

    Chapter 26 | DHCP Commands DHCP Client Example The following command submits a client request on VLAN 1. Console#ipv6 dhcp restart client vlan 1 Console# Related Commands ipv6 address autoconfig (665) show ipv6 dhcp duid This command shows the DHCP Unique Identifier for this switch. Command Mode Privileged Exec Command Usage...
  • Page 647: Dhcp Relay

    Chapter 26 | DHCP Commands DHCP Relay List of known servers: Server address : FE80::250:FCFF:FEF9:A494 DUID : 0001-0001-48CFB0D5-F48F2A006801 Server address : FE80::250:FCFF:FEF9:A405 DUID : 0001-0001-38CF5AB0-F48F2A003917 Console# Related Commands ipv6 address (664) DHCP Relay This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
  • Page 648: Ip Dhcp Restart Relay

    Chapter 26 | DHCP Commands DHCP Relay packet to a DHCP server on another network. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client’s subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch).
  • Page 649 Chapter 26 | DHCP Commands DHCP Relay Example In the following example, the device is reassigned the same address. Console#ip dhcp restart relay Console#show ip interface VLAN 1 is Administrative Up - Link Up Address is 00-00-E8-93-82-A0 Index: 1001, MTU: 1500 Address Mode is DHCP IP Address: 10.1.0.254 Mask: 255.255.255.0 Proxy ARP is disabled...
  • Page 651: Ip Interface Commands

    IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
  • Page 652: Basic Ipv4 Configuration

    Chapter 27 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch. Table 137: Basic IP Configuration Commands Command Function Mode ip address Sets the IP address for the current interface ip default-gateway Defines the default gateway through which this switch can reach other subnetworks...
  • Page 653 Chapter 27 | IP Interface Commands IPv4 Interface Command Usage ◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server.
  • Page 654: Ip Default-Gateway

    Chapter 27 | IP Interface Commands IPv4 Interface ip default-gateway This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No default gateway is established.
  • Page 655: Show Ip Default-Gateway

    Chapter 27 | IP Interface Commands IPv4 Interface show ip default-gateway This command shows the IPv4 default gateway configured for this device. Default Setting None Command Mode Privileged Exec Example Console#show ip default-gateway IP default gateway 10.1.0.254 Console# Related Commands ip default-gateway (654) show ipv6 default-gateway (672) show ip interface...
  • Page 656: Show Ip Traffic

    Chapter 27 | IP Interface Commands IPv4 Interface show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols. Command Mode Privileged Exec Example Console#show ip traffic IP Statistics: IP received 7845 total received header errors unknown protocols address errors discards...
  • Page 657: Traceroute

    Chapter 27 | IP Interface Commands IPv4 Interface input errors 9897 output Console# traceroute This command shows the route packets take to the specified destination. Syntax traceroute host host - IP address or alias of the host. Default Setting None Command Mode Privileged Exec Command Usage...
  • Page 658: Ping

    Chapter 27 | IP Interface Commands IPv4 Interface Example Console#traceroute 192.168.0.1 Press "ESC" to abort. Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds Hop Packet 1 Packet 2 Packet 3 IP Address --- -------- -------- -------- --------------- 20 ms <10 ms <10 ms 192.168.0.99 Trace completed.
  • Page 659: Arp Configuration

    Chapter 27 | IP Interface Commands IPv4 Interface ◆ When pinging a host name, be sure the DNS server has been defined (page 633) and host name-to-address translation enabled (page 631). If necessary, local devices can also be specified in the DNS static host table (page 632).
  • Page 660: Ip Proxy-Arp

    Chapter 27 | IP Interface Commands IPv4 Interface Command Mode Global Configuration Command Usage ◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
  • Page 661: Clear Arp-Cache

    Chapter 27 | IP Interface Commands IPv4 Interface ◆ Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables. Example Console(config)#interface vlan 3 Console(config-if)#ip proxy-arp Console(config-if)# clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol...
  • Page 662: Ipv6 Interface

    Chapter 27 | IP Interface Commands IPv6 Interface Example This example displays all entries in the ARP cache. Console#show arp ARP Cache Timeout: 1200 (seconds) IP Address MAC Address Type Interface --------------- ----------------- --------- ----------- 10.1.0.0 FF-FF-FF-FF-FF-FF other VLAN1 10.1.0.254 00-00-AB-CD-00-00 other VLAN1 10.1.0.255...
  • Page 663: Interface Address Configuration And Utilities

    Chapter 27 | IP Interface Commands IPv6 Interface (Continued) Table 139: IPv6 Configuration Commands Command Function Mode traceroute6 Shows the route packets take to the specified host Neighbor Discovery ipv6 nd dad attempts Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection ipv6 nd ns-interval Configures the interval between IPv6 neighbor solicitation...
  • Page 664: Ipv6 Address

    Chapter 27 | IP Interface Commands IPv6 Interface ◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch. Example The following example defines a default gateway for this device: Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780%1 Console(config)# Related Commands...
  • Page 665: Ipv6 Address Autoconfig

    Chapter 27 | IP Interface Commands IPv6 Interface made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.) ◆ If a duplicate address is detected, a warning message is sent to the console. Example This example specifies a full IPv6 address and prefix length....
  • Page 666 Chapter 27 | IP Interface Commands IPv6 Interface Command Usage ◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.) ◆...
  • Page 667: Ipv6 Address Eui-64

    Chapter 27 | IP Interface Commands IPv6 Interface ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface.
  • Page 668 Chapter 27 | IP Interface Commands IPv6 Interface globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
  • Page 669: Ipv6 Address Link-Local

    Chapter 27 | IP Interface Commands IPv6 Interface ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
  • Page 670: Ipv6 Enable

    Chapter 27 | IP Interface Commands IPv6 Interface ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console#...
  • Page 671: Ipv6 Mtu

    Chapter 27 | IP Interface Commands IPv6 Interface IPv6 is enabled Link-local address: fe80::269:3ef9:fe19:6779%1/64 Global unicast address(es): 2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI] 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff19:6779 ff02::1:ff00:72 ff02::1:ff83:3466 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds...
  • Page 672: Show Ipv6 Default-Gateway

    Chapter 27 | IP Interface Commands IPv6 Interface ◆ All devices on the same physical medium must use the same MTU in order to operate correctly. ◆ IPv6 must be enabled on an interface before the MTU can be set. Example The following example sets the MTU for VLAN 1 to 1280 bytes: Console(config)#interface vlan 1...
  • Page 673: Table 140: Show Ipv6 Interface - Display Description

    Chapter 27 | IP Interface Commands IPv6 Interface prefix-length - A decimal value indicating how many of the contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). Command Mode Privileged Exec Example This example displays all the IPv6 addresses configured for the switch.
  • Page 674 Chapter 27 | IP Interface Commands IPv6 Interface (Continued) Table 140: show ipv6 interface - display description Field Description Joined group address(es) In addition to the unicast addresses assigned to an interface, a node is required to join the all-nodes multicast addresses FF01::1 and FF02::1 for all IPv6 nodes within scope 1 (interface-local) and scope 2 (link-local), respectively....
  • Page 675: Show Ipv6 Mtu

    Chapter 27 | IP Interface Commands IPv6 Interface show ipv6 mtu This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch. Command Mode Normal Exec, Privileged Exec Example The following example shows the MTU cache for this device: Console#show ipv6 mtu...
  • Page 676: Table 142: Show Ipv6 Traffic - Display Description

    Chapter 27 | IP Interface Commands IPv6 Interface IPv6 sent forwards datagrams 6 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages router solicit messages...
  • Page 677 Chapter 27 | IP Interface Commands IPv6 Interface (Continued) Table 142: show ipv6 traffic - display description Field Description too big errors The number of input datagrams that could not be forwarded because their size exceeded the link MTU of outgoing interface. no routes The number of input datagrams discarded because no route could be found to transmit them to their destination.
  • Page 678 Chapter 27 | IP Interface Commands IPv6 Interface (Continued) Table 142: show ipv6 traffic - display description Field Description discards The number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (e.g., for lack of buffer space).
  • Page 679 Chapter 27 | IP Interface Commands IPv6 Interface (Continued) Table 142: show ipv6 traffic - display description Field Description multicast listener discovery version 2 reports The number of MLDv2 reports received by the interface. ICMPv6 sent output The total number of ICMP messages which this interface attempted to send....
  • Page 680: Clear Ipv6 Traffic

    Chapter 27 | IP Interface Commands IPv6 Interface clear ipv6 traffic This command resets IPv6 traffic counters. Command Mode Privileged Exec Command Usage This command resets all of the counters displayed by the show ipv6 traffic command. Example Console#clear ipv6 traffic Console# ping6 This command sends (IPv6) ICMP echo request packets to another node on the...
  • Page 681: Traceroute6

    Chapter 27 | IP Interface Commands IPv6 Interface For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent. ◆ When pinging a host name, be sure the DNS server has been enabled (see page 631). If necessary, local devices can also be specified in the DNS static host table (see page 632).
  • Page 682 Chapter 27 | IP Interface Commands IPv6 Interface Command Usage ◆ Use the traceroute6 command to determine the path taken to reach a specified destination. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
  • Page 683: Neighbor Discovery

    Chapter 27 | IP Interface Commands IPv6 Interface Neighbor Discovery ipv6 nd dad attempts This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting. Syntax ipv6 nd dad attempts count no ipv6 nd dad attempts...
  • Page 684: Ipv6 Nd Ns-Interval

    Chapter 27 | IP Interface Commands IPv6 Interface Example The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going. Console(config)#interface vlan 1 Console(config-if)#ipv6 nd dad attempts 5 Console(config-if)#end Console#show ipv6 interface...
  • Page 685 Chapter 27 | IP Interface Commands IPv6 Interface Command Usage ◆ When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself. ◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor.
  • Page 686: Ipv6 Nd Reachable-Time

    Chapter 27 | IP Interface Commands IPv6 Interface ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time...
  • Page 687: Clear Ipv6 Neighbors

    Chapter 27 | IP Interface Commands IPv6 Interface clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example The following deletes all dynamic entries in the IPv6 neighbor cache: Console#clear ipv6 neighbors Console# show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache.
  • Page 688 Chapter 27 | IP Interface Commands IPv6 Interface (Continued) Table 143: show ipv6 neighbors - display description Field Description Link-layer Addr Physical layer MAC address. State The following states are used for dynamic entries: I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
  • Page 689: Ip Routing Commands

    IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
  • Page 690: Ipv4 Commands

    Chapter 28 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip –...
  • Page 691: Show Ip Route

    Chapter 28 | IP Routing Commands Global Routing Configuration show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database –...
  • Page 692 Chapter 28 | IP Routing Commands Global Routing Configuration The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
  • Page 693: Appendices

    Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 695 ◆ “License Information” on page 697...
  • Page 695: A Troubleshooting

    Troubleshooting Problems Accessing the Management Interface Table 162: Troubleshooting Chart Symptom: Cannot connect using Telnet, or SNMP software. Action: ◆ Be sure the switch is powered up. ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable....
  • Page 696: Using System Logs

    Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
  • Page 697: B License Information

    License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
  • Page 698 Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
  • Page 699 Appendix B | License Information The GNU General Public License Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
  • Page 700 Appendix B | License Information The GNU General Public License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
  • Page 701: Glossary

    Glossary Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
  • Page 702 Glossary DiffServ Differentiated Services provides quality of service on large networks by employing a well- defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
  • Page 703 Glossary ICMP Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices. IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
  • Page 704 Glossary IGMP Query On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.
  • Page 705 Glossary Management Information Base. It is a set of database objects that contains information about a specific device. Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages....
  • Page 706 Glossary Port Trunk Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links. QinQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks.
  • Page 707 Glossary Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems.
  • Page 708 Glossary XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected....
  • Page 709: Commands

    Commands clear mac-address-table dynamic clear network-access aaa accounting commands clock summer-time (date) aaa accounting dot1x clock summer-time (predefined) aaa accounting exec clock summer-time (recurring) aaa accounting update clock timezone aaa authorization commands cluster aaa authorization exec cluster commander aaa group server cluster ip-pool absolute cluster member...
  • Page 710 Commands ip dhcp snooping verify mac-address ip dhcp snooping vlan enable ip domain-list enable ip domain-lookup 631 enable password ip domain-name ip host erps ip http authentication 227 erps clear ip http port erps domain ip http secure-port 228 erps forced-switch 512 ip http secure-server erps manual-switch ip http server...
  • Page 711 Commands ip tftp retry lldp dot1-tlv vlan-name ip tftp timeout lldp dot3-tlv link-agg ipv6 access-group 337 lldp dot3-tlv mac-phy 616 ipv6 address lldp dot3-tlv max-frame ipv6 address autoconfig lldp dot3-tlv poe ipv6 address eui-64 lldp holdtime-multiplier ipv6 address link-local lldp med-fast-start-count ipv6 default-gateway lldp med-location civic-addr ipv6 dhcp client rapid-commit vlan...
  • Page 712 Commands name qos map cos-queue negotiation qos map dscp-queue network-access aging qos map trust-mode 529 network-access dynamic-qos queue mode network-access dynamic-vlan queue weight network-access guest-vlan quit network-access mac-filter network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter radius-server acct-port radius-server auth-port 207 no rspan session radius-server host node-id...
  • Page 713 Commands show dns show ipv6 mld snooping show dns cache show ipv6 mtu show dos-protection show ipv6 neighbors show dot1q-tunnel 474 show ipv6 traffic show dot1x show lacp show erps show line show history show lldp config show hosts show lldp info local-device show interfaces brief show lldp info remote-device 626 show interfaces counters...
  • Page 714 Commands show snmp notify-filter spanning-tree mst cost show snmp user spanning-tree mst port-priority show snmp view spanning-tree pathcost method show snmp-server enable port-traps spanning-tree port-bpdu-flooding 451 show sntp spanning-tree port-priority show spanning-tree 455 spanning-tree priority show spanning-tree mst configuration 458 spanning-tree protocol-migration 455 show spanning-tree tc-prop spanning-tree root-guard 452...
  • Page 715 Commands upgrade opcode auto upgrade opcode path 110 upgrade opcode reload username version 509 vlan vlan database voice vlan 482 voice vlan aging voice vlan mac-address web-auth web-auth login-attempts web-auth quiet-period web-auth re-authenticate (IP) web-auth re-authenticate (Port) web-auth session-timeout 278 web-auth system-auth-control 279 whichboot wtr-timer...
  • Page 717: Index

    Index Numerics administrative users, displaying 98 802.1Q tunnel 468 proxy 660 access 470 ARP ACL 307 CVID to SVID map 471 ARP configuration 659 ethernet type 473 ARP inspection 305 – interface configuration 470 ACL filter 307 mode selection 470 additional validation criteria 309 status, configuring 469 ARP ACL 344...
  • Page 718 Index sub-option format 286 command modes 72 sub-type and sub-length, disabling 286 showing commands 70 subtype field 286 clustering switches, management access 153 verifying MAC addresses 290 command line interface See CLI VLAN configuration 291 committed information rate, QoS policy 539 DiffServ 533 community string 51 binding policy to interface 541...
  • Page 719 Index hold-off timer 495 major domain 495 IEEE 802.1D 433 MEG level 496 IEEE 802.1s 433 node identifier 498 IEEE 802.1w 433 non-compliant device protection 498 IEEE 802.1X 243 non-ERPS device protection 498 IGMP propagate topology change 503 filter profiles, binding to interface 573 ring configuration 492 filter profiles, configuration 571 ring port, east interface 507...
  • Page 720 Index immediate leave, IGMP snooping 556 group attributes, configuring 387 immediate leave, MLD snooping 586 group members, configuring 383 importing user public keys 103 local parameters 389 ingress filtering 465 partner parameters 389 IP address, setting 651 protocol message statistics 389 IP filter, for management access 255 protocol parameters 379 IP routing 689...
  • Page 721 Index loopback detection path cost 449 non-STA 417 MTU for IPv6 671 STA 446 Multicast Domain Name Service See mDNS multicast filtering 545 enabling IGMP snooping 547 enabling IGMP snooping per interface 547 MAC address authentication 265 enabling MLD snooping 581 ports, configuring 265 router configuration 569 reauthentication 267...
  • Page 722 Index priority 398 selecting DSCP, CoS 529 showing main power 402 QoS policy, committed information rate 539 time range 399 queue weight, assigning to CoS 523 port priority configuring 521 default ingress 524 RADIUS STA 451 logon authentication 206 port security, configuring 260 settings 206 port, statistics 359 rate limit...
  • Page 723 Index timeout 193 port/trunk loopback detection 446 version 194 protocol migration 455 SMTP transmission limit 438 event handling 132 startup files sending log events 132 creating 102 SNMP 159 displaying 95 community string 161 setting 102 enabling traps 164 static addresses, setting 424 enabling traps, mac-address changes 168 static routes, configuring 690 filtering IP addresses 255...
  • Page 724 Index traffic segmentation 319 assigning ports 321 web authentication 279 enabling 319 address, re-authenticating 280 sessions, assigning ports 321 configuring 279 sessions, creating 320 configuring ports 279 transceiver thresholds port information, displaying 281 displaying 373 ports, configuring 279 trap manager 52 ports, re-authenticating 280 troubleshooting 695 trunk...
  • Page 725 E0120176/ST-R02...
