Alaxala AX3640S Software Manual

Configuration command reference vol. 1 for version 11.7

AX3640S/AX3630S Software Manual
Configuration Command Reference Vol. 1
For Version 11.7
AX36S-S004X-F0


Summary of Contents for Alaxala AX3640S

  • Page 1 AX3640S/AX3630S Software Manual Configuration Command Reference Vol. 1 For Version 11.7 AX36S-S004X-F0...
  • Page 2 Relevant products This manual applies to the models in the AX3640S and AX3630S series of switches. It also describes the functionality of version 11.7 of the software. The described functionality is that supported by the software OS-L3A-A/OS-L3A and OS-L3L-A/OS-L3L, and by optional licenses.
  • Page 3 History of Amendments [For version 11.7] Summary of amendments Location and title Changes 17 Flow Detection Modes and Flow • The parameter was added to the layer3-6 flow detection mode Operations command. 18 Access Lists • The parameter was added to the following commands: policy-list access-list permit (ip access-list extended)
  • Page 4 Item Changes MAC Address Table • The mac-address-table limit command was added. Ring Protocol • The flush-request-transmit vlan command was added. Flow Detection Modes and Flow Operations • The flow action-change cos command was added. SNMP • A parameter related to VRF was added to the following commands: snmp-server community snmp-server host snmp-server user...
  • Page 5 Item Changes Ethernet • A description related to 100BASE-FX was added to the following commands: duplex flowcontrol interface gigabitethernet mdix auto speed system mtu Ring Protocol • The preempt-delay command was added. VRRP • The <interface type> and <interface number> parameters were added to the command.
  • Page 6 [For version 10.8] Summary of amendments Item Changes Ring Protocol • The range of values for the command health-check interval parameter was changed. Access Lists • The type and code of ICMP were added to the detection conditions for the following commands: access-list deny (ip access-list extended) deny (ipv6 access-list)
  • Page 7 (ipv6 access-list) • Parameters that specify the upper-layer protocol condition for IPv6 packets were added to the following commands: qos (ipv6 qos-flow-list) • A description of AX3640S series switches was added to the 2pq+6drr parameter of the command. qos-queue-list...
  • Page 8 Item Changes Web Authentication • The following commands were added: authentication arp-relay authentication ip access-group web-authentication ip address web-authentication jump-url web-authentication logging enable web-authentication logout ping tos-windows web-authentication logout ping ttl web-authentication logout polling count web-authentication logout polling enable web-authentication logout polling interval web-authentication logout polling retry-interval web-authentication port web-authentication redirect enable...
  • Page 9 Item Changes sFlow Statistics • The range of values for the <sample count> parameter of the sflow sample command was changed. [For version 10.4] Summary of amendments Item Changes Connecting from an Operation • The descriptions about the <num> parameters of the command line vty Terminal...
  • Page 10 Item Changes GSRP • The specifiable range of values for the <GROUP ID> parameter of the vlan-group disable command was modified. • The specifiable range of values for the <GROUP ID> parameter of the vlan-group vlan command was modified. • The specifiable range of values for the <GROUP ID> parameter of the command was modified.
  • Page 11: Preface

    Preface Applicable products and software versions This manual applies to the models in the AX3640S and AX3630S series of switches. It also describes the functionality of version 11.7 of the software. The described functionality is that supported by the software OS-L3A-A/OS-L3A and OS-L3L-A/OS-L3L, and by optional licenses.
  • Page 12: Reading Sequence Of The Manuals

    Switch. Conventions: The terms "Switch" and "switch" The term Switch (upper-case "S") is an abbreviation for any or all of the following models: AX3640S series switch AX3630S series switch...
  • Page 13: Abbreviations Used In The Manual

    The term switch (lower-case "s") might refer to a Switch, another type of switch from the current vendor, or a switch from another vendor. The context decides the meaning. Abbreviations used in the manual Alternating Current ACKnowledge ADSL Asymmetric Digital Subscriber Line Application Level Gateway ANSI American National Standards Institute...
  • Page 14 IPv6 Internet Protocol version 6 IPV6CP IP Version 6 Control Protocol Internetwork Packet Exchange International Organization for Standardization Internet Service Provider Internal Spanning Tree L2LD Layer 2 Loop Detection Local Area Network Link Control Protocol Light Emitting Diode Logical Link Control LLDP Link Layer Discovery Protocol LLQ+3WFQ...
  • Page 15: Conventions: Kb, Mb, Gb, And Tb

    RIPng Routing Information Protocol next generation RMON Remote Network Monitoring MIB Reverse Path Forwarding ReQuest RSTP Rapid Spanning Tree Protocol Source Address Secure Digital Synchronous Digital Hierarchy Service Data Unit NSAP SELector Start Frame Delimiter Small Form factor Pluggable SFP+ Enhanced Small Form factor Pluggable SMTP Simple Mail Transfer Protocol...
  • Page 17: Table Of Contents

    Contents Preface Applicable products and software versions ................i Corrections to the manual .......................i Intended readers ........................i Manual URL ..........................i Reading sequence of the manuals ..................ii Conventions: The terms "Switch" and "switch" ..............ii Abbreviations used in the manual ..................iii Conventions: KB, MB, GB, and TB ..................v PART 1: Reading the Manual 1.
  • Page 18 parser view ........................... 50 radius-server host ......................... 51 radius-server key .......................... 54 radius-server retransmit ........................ 55 radius-server timeout ........................56 tacacs-server host ......................... 57 tacacs-server key .......................... 59 tacacs-server timeout ........................60 username ............................61 5. Time Settings and NTP clock timezone ..........................
  • Page 19 link up-debounce ........................122 mdix auto ............................123 media-type ..........................124 mtu ..............................125 power inline [AX3630S] ......................127 shutdown .............................129 speed ............................130 system flowcontrol off ........................132 system minimum-tagged-frame-length-68 .................133 system mtu ..........................134 10. Link Aggregation channel-group lacp system-priority ....................138 channel-group max-active-port ....................139 channel-group max-detach-port ....................141 channel-group mode ........................143 channel-group multi-speed ......................145 channel-group periodic-timer .....................146...
  • Page 20 vlan-mac-prefix .......................... 195 vlan-protocol ..........................197 13. Spanning Tree Protocol instance ............................200 name ............................202 revision ............................203 spanning-tree bpdufilter ......................204 spanning-tree bpduguard ......................205 spanning-tree cost ........................206 spanning-tree disable ........................208 spanning-tree guard ........................209 spanning-tree link-type ......................211 spanning-tree loopguard default ....................
  • Page 21 PART 5: Common to Filtering and QoS 17. Flow Detection Modes and Flow Operations flow action-change cos .......................306 flow detection mode ........................307 flow detection out mode [AX3640S] ..................310 PART 6: Filters 18. Access Lists Names and values that can be specified ..................314 access-list ............................324...
  • Page 22 mac access-list resequence ......................371 permit (ip access-list extended) ....................373 permit (ip access-list standard) ....................380 permit (ipv6 access-list) ......................382 permit (mac access-list extended) ....................388 remark ............................391 PART 7: QoS 19. QoS Names and values that can be specified ..................394 ip qos-flow-group ........................
  • Page 23 dot1x reauthentication ........................484 dot1x supplicant-detection ......................485 dot1x system-auth-control ......................487 dot1x timeout keep-unauth ......................488 dot1x timeout quiet-period ......................489 dot1x timeout reauth-period .......................490 dot1x timeout server-timeout ......................492 dot1x timeout supp-timeout ......................493 dot1x timeout tx-period ......................494 dot1x vlan dynamic enable ......................495 dot1x vlan dynamic ignore-eapol-start ..................496 dot1x vlan dynamic max-req ......................497 dot1x vlan dynamic max-supplicant ...................498 dot1x vlan dynamic radius-vlan ....................499...
  • Page 24 23. MAC-based Authentication Correspondence between configuration commands and operation modes ........ 566 aaa accounting mac-authentication default start-stop group radius ........... 567 aaa authentication mac-authentication default group radius ............568 mac-authentication auth-interval-timer ..................569 mac-authentication auto-logout ....................571 mac-authentication dot1q-vlan force-authorized ............... 572 mac-authentication dynamic-vlan max-user ................
  • Page 25 backup-lock ..........................628 flush-request-count ........................629 gsrp .............................630 gsrp-vlan .............................631 gsrp direct-link ..........................632 gsrp exception-port ........................633 gsrp limit-control ........................634 gsrp no-flush-port ........................635 gsrp reset-flush-port ........................636 layer3-redundancy ........................637 no-neighbor-to-master ........................638 port-up-delay ..........................640 reset-flush-time ...........................641 selection-pattern .........................642 vlan-group disable ........................643 vlan-group priority ........................644 vlan-group vlan ...........................645 28.
  • Page 26 31. Storm Control storm-control ..........................690 32. L2 Loop Detection loop-detection ..........................694 loop-detection auto-restore-time ....................696 loop-detection enable ......................... 697 loop-detection hold-time ......................698 loop-detection interval-time ....................... 699 loop-detection threshold ......................700 33. CFM domain name ..........................702 ethernet cfm cc alarm-priority ....................704 ethernet cfm cc alarm-reset-time ....................
  • Page 27 logging trap ..........................776 36. sFlow Statistics sflow destination .........................780 sflow extended-information-type ....................781 sflow forward egress ........................783 sflow forward ingress .........................784 sflow max-header-size ........................785 sflow max-packet-size ........................786 sflow packet-information-type ....................787 sflow polling-interval .........................788 sflow sample ..........................789 sflow source ..........................792 sflow url-port-add ........................793 sflow version ..........................794 PART 13: Management of Neighboring Device Information 37.
  • Page 28 40.1.14 Information about flow detection modes and flow operations ......824 40.1.15 Access list information ..................825 40.1.16 QoS information ....................829 40.1.17 IEEE 802.1X information ..................832 40.1.18 Web authentication information ................835 40.1.19 MAC-based authentication information .............. 836 40.1.20 Authentication VLAN information [OP-VAA] ...........
  • Page 29: Part 1: Reading The Manual

    PART 1: Reading the Manual Chapter 1. Reading the Manual Command description format Command mode list Specifiable values for parameters...
  • Page 30: Command Description Format

    1. Reading the Manual Command description format Each command is described in the following format: Function Describes the purpose of the command. Syntax Defines the input format of the command. The format is governed by the following rules: Parameters for setting values or character strings are enclosed in angle brackets ( <>...
  • Page 31: Command Mode List

    1. Reading the Manual Command mode list The following table lists the command modes. Table 1-1: Command mode list Prompt displayed Description Command for mode transition for the command mode (config) Global configuration mode # enable # configure (config-line) Configures remote login and console. (config)# line vty (config)# line console (config-if)
  • Page 32 1. Reading the Manual Prompt displayed Description Command for mode transition for the command mode (config-ether-cfm) Configures the domain name and MA. (config)# ethernet cfm domain (config-track-object) Configures the tracking functionality for (config)# track-object policy-based routing. (config-pol) Configures the policy-based routing list (config)# policy-list information.
  • Page 33: Specifiable Values For Parameters

    1. Reading the Manual Specifiable values for parameters The following table describes the values that can be specified for parameters. Table 1-2: Specifiable values for parameters Parameter type Description Input example Name Alphabetic characters can be used for the first ip access-list standard inbound1 character, and alphanumeric characters, hyphens ), underscores (...
  • Page 34 1. Reading the Manual Any character string Alphanumeric characters and special characters can be specified for parameters. Some special characters, however, cannot be used. Character codes are listed in the following table. Characters other than alphanumeric characters in the following list of character codes are special characters. Table 1-3: List of character codes Chara Code...
  • Page 35 10 remark "mail:xx@xx %tokyo" Range of <nif no.> and <port no.> values The following tables list the range of parameter <nif no.> and <port no.> values. Table 1-5: Range of <nif no.> and <port no.> values [AX3640S] Model Range of values <nif no.>...
  • Page 36 1. Reading the Manual Table 1-8: Range of <vlan id> values Range of values 1 to 4094 How to specify <vlan id list> and the range of specifiable values If <vlan id list> is written in the parameter input format, use a hyphen ( ) or comma ( ) to set multiple VLAN IDs.
  • Page 37: Part 2: Operation And Management Of Switches

    PART 2: Operation and Management of Switches Chapter 2. Connecting from an Operation Terminal ftp-server line console line vty speed transport input...
  • Page 38: Ftp-Server

    2. Connecting from an Operation Terminal ftp-server Permits access from remote operation terminals by using FTP. To permit or deny a remote operation terminal's access to the Switch, enter config-line mode, create a common access list that is used to restrict both Telnet and FTP access, and specify the IPv4 or IPv6 address of the remote operation terminal in the access list.
  • Page 39: Line Console

    2. Connecting from an Operation Terminal line console Entering this command changes the mode to config-line mode, which permits settings related to the specified CONSOLE (RS232C) port. Syntax To set information: line console 0 To delete information: no line console Input mode (config) Parameters...
  • Page 40: Line Vty

    2. Connecting from an Operation Terminal line vty Permits Telnet remote access to a switch. This command is also used to limit the number of remote users that can be simultaneously logged in to the switch. Configuration with this command enables remote access using the Telnet protocol from any remote operation terminal to be accepted.
  • Page 41: Speed

    2. Connecting from an Operation Terminal speed Sets the communication speed of the CONSOLE (RS232C) port. If a user is already logged in from CONSOLE (RS232C) when the setting is changed, the communication speed is changed after the user logs out. If the communication speed is changed from a remote operation terminal while user login authentication from CONSOLE (RS232C) is in progress, authentication might fail.
  • Page 42: Transport Input

    2. Connecting from an Operation Terminal transport input Restricts access from remote operation terminals based on protocol. Syntax To set or change information: transport input {telnet | all | none} To delete information: no transport input Input mode (config-line) Parameters {telnet | all | none} telnet Accepts remote access that uses the Telnet protocol.
  • Page 43: Editing And Working With Configurations

    Chapter 3. Editing and Working with Configurations quit (exit) save (write) show status...
  • Page 44: End

    3. Editing and Working with Configurations Ends configuration command mode and returns you to administrator mode. Syntax Input mode Configuration command mode Parameters None Default behavior None Impact on communication None When the change is applied None Response messages The following table describes the response messages for the command.
  • Page 45: Quit (Exit)

    3. Editing and Working with Configurations quit (exit) Reverts to an earlier mode. If you are in global configuration mode, this command ends configuration command mode and returns you to administrator mode. If you are editing data in a level-2 or level-3 detailed configuration command mode, you are returned one level higher. For details about operations in user mode and administrator mode, see the manual Operation Command Reference.
  • Page 46 3. Editing and Working with Configurations to be output. If this message is output, use the command to inconsistency occurred. end configuration command mode. Related commands None...
  • Page 47: Save (Write)

    3. Editing and Working with Configurations save (write) Saves the edited configuration to the startup configuration file or to a backup configuration file. Syntax save [<file name>] [debug] write [<file name>] [debug] Input mode Configuration command mode Parameters <file name> Specifies the name of the configuration file to be saved.
  • Page 48 3. Editing and Working with Configurations Table 3-3: Response messages for the save command Message Description Configuration file already exist. Configuration file save to This message notifies you that the specified file already <file name>? (y/n): exists, and asks you to confirm whether you want to execute the command and overwrite it.
  • Page 49: Show

    3. Editing and Working with Configurations show Displays the configuration being edited. Syntax show [ <command> [ <parameter> ] ] Input mode Configuration command mode Parameters <command> Specifies a configuration command. <parameter> Specifies parameters such as <vlan id> or <access list name> to limit the displayed items. Default behavior None Impact on communication...
  • Page 50: Status

    3. Editing and Working with Configurations status Displays the status of the configuration being edited. Syntax status Input mode Configuration command mode Parameters None Displayed information The table below describes the items displayed for the status command. Table 3-4: Response messages for the status command Title Displayed information File name...
  • Page 51 3. Editing and Working with Configurations Notes If the remaining capacity becomes very small, it might not be sufficient to execute some configuration commands. Before and after a switch is restarted, the last-modified time displayed on the first line might be slightly inaccurate.
  • Page 52: Top

    3. Editing and Working with Configurations Returns you from a level-2 or level-3 configuration command mode to global configuration mode (level 1). Syntax Input mode Configuration command mode Parameters None Default behavior None Impact on communication None When the change is applied None Notes None...
  • Page 53: Login Security And Radius Or Tacacs

    Chapter 4. Login Security and RADIUS or TACACS+ aaa accounting commands aaa accounting exec aaa authentication enable aaa authentication enable attribute-user-per-method aaa authentication enable end-by-reject aaa authentication login aaa authentication login console aaa authentication login end-by-reject aaa authorization commands aaa authorization commands console banner commands exec ip access-group...
  • Page 54: Aaa Accounting Commands

    4. Login Security and RADIUS or TACACS+ aaa accounting commands Logs accounting information when commands are used. Syntax To set or change information: aaa accounting commands { 15 | 0-15 } default { start-stop | stop-only } [ broadcast ] group tacacs+ To delete information: no aaa accounting commands...
  • Page 55 4. Login Security and RADIUS or TACACS+ The TACACS+ server is used as the accounting server. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands tacacs-server host...
  • Page 56: Aaa Accounting Exec

    4. Login Security and RADIUS or TACACS+ aaa accounting exec Enables accounting of login and logout. Syntax To set or change information: aaa accounting exec default { start-stop | stop-only } [ broadcast ] { group radius | group tacacs+ } To delete information: no aaa accounting exec Input mode...
  • Page 57 4. Login Security and RADIUS or TACACS+ group radius group tacacs+ Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands radius-server host tacacs-server host...
  • Page 58: Aaa Authentication Enable

    4. Login Security and RADIUS or TACACS+ aaa authentication enable Specifies the authentication method to be used when changing to administrator mode ( enable command). If the first specified authentication method fails, the second specified method is used for authentication. You can change how authentication works when the first method failed by using command.
  • Page 59 4. Login Security and RADIUS or TACACS+ tacacs-server...
  • Page 60: Aaa Authentication Enable Attribute-User-Per-Method

    4. Login Security and RADIUS or TACACS+ aaa authentication enable attribute-user-per-method Based on each authentication method, change the user name attribute to be used for authentication when changing to administrator mode (enable command) as follows: • For RADIUS authentication, is sent as the User-Name attribute.
  • Page 61: Aaa Authentication Enable End-By-Reject

    4. Login Security and RADIUS or TACACS+ aaa authentication enable end-by-reject Terminates authentication if an attempt to change to administrator mode (by the enable command) is denied. If the authentication fails due to an abnormality, such as an inability to communicate, the next authentication method specified by the aaa authentication enable command is used to...
  • Page 62: Aaa Authentication Login

    4. Login Security and RADIUS or TACACS+ aaa authentication login Specifies the authentication method to be used at login. If the first specified authentication method fails, the second specified method is used for authentication. You can change how authentication works when the first method failed by using the aaa authentication login end-by-reject command.
  • Page 63 4. Login Security and RADIUS or TACACS+ aaa authentication login end-by-reject...
  • Page 64: Aaa Authentication Login Console

    4. Login Security and RADIUS or TACACS+ aaa authentication login console Applies the authentication method specified by the aaa authentication login command when the user logs in from the console (RS232C). Syntax To set information: aaa authentication login console To delete information: no aaa authentication login console Input mode (config)
  • Page 65: Aaa Authentication Login End-By-Reject

    4. Login Security and RADIUS or TACACS+ aaa authentication login end-by-reject Terminates authentication if login authentication is denied. If the authentication fails due to an abnormality, such as an inability to communicate, the next authentication method specified by the aaa authentication login command is used to perform authentication. Syntax To set information:...
  • Page 66: Aaa Authorization Commands

    4. Login Security and RADIUS or TACACS+ aaa authorization commands This command is specified to perform command authorization by using a RADIUS server, TACACS+ server, or by using local (configuration-based) authorization. Note that, after successful login, you will not be authorized to execute any commands except , and if any of the logout...
  • Page 67 4. Login Security and RADIUS or TACACS+ this authorizes the use of command class or command list related commands. The command alone is not sufficient for command authorization commands console authorization. You also need to have used the command in aaa authentication login advance.
  • Page 68: Aaa Authorization Commands Console

    4. Login Security and RADIUS or TACACS+ aaa authorization commands console Applies the command authorization specified by the aaa authorization commands command when the user logs in from the console (RS232C). Syntax To set information: aaa authorization commands console To delete information: no aaa authorization commands console Input mode (config)
  • Page 69: Banner

    4. Login Security and RADIUS or TACACS+ banner Sets the messages to be displayed before and after a user logs in. Depending on the specified parameters, messages can be displayed before or after a user login via Telnet, console, or FTP. A separate message can be set for FTP access.
  • Page 70 4. Login Security and RADIUS or TACACS+ Default value when this parameter is omitted: No login messages are displayed. Range of values: A string consisting of a maximum of 720 alphanumeric characters Note on using this parameter: When entering login messages, check the screen settings for the client so that you do not use characters that cannot be displayed on the client.
  • Page 71 4. Login Security and RADIUS or TACACS+ Does not display a login message for FTP access even when the parameter is set. login motd Sets the message to be displayed after a user logs in through Telnet, console, or FTP access. plain-text Enter the login message as a plain-text string.
  • Page 72: Commands Exec

    4. Login Security and RADIUS or TACACS+ commands exec Adds a command string to a command list used when local command authorization is enabled. A maximum of 40 commands, including permitted and restricted commands, can be set in a command list. Syntax To set information: commands exec {include | exclude} all <command>...
  • Page 73 4. Login Security and RADIUS or TACACS+ When the change is applied The changed setting takes effect from the next login. Notes A maximum of 40 commands, including permitted and restricted commands, can be set in a command list. A string consisting of a maximum of 50 characters can be set as a command string.
  • Page 74: Ip Access-Group

    4. Login Security and RADIUS or TACACS+ ip access-group Sets an access list that specifies the IPv4 addresses of remote operation terminals for which remote login to the Switch is permitted or denied. This setting is common to all types of remote access (Telnet or FTP).
  • Page 75 4. Login Security and RADIUS or TACACS+ Related commands line vty ftp-server transport input ipv6 access-class access-list ip access-list standard...
  • Page 76: Ipv6 Access-Class

    4. Login Security and RADIUS or TACACS+ ipv6 access-class Sets an access list that specifies the IPv6 addresses of remote operation terminals for which remote login to the Switch is permitted or denied. This setting is common to all types of remote access (Telnet or FTP).
  • Page 77 4. Login Security and RADIUS or TACACS+ ip access-group ipv6 access-list...
  • Page 78: Parser View

    4. Login Security and RADIUS or TACACS+ parser view Generates a command list used when local command authorization is enabled. Entering this command switches to config-view mode in which information about the command list can be set. A maximum of 20 command lists can be generated per device. Syntax To set information: parser view <view name>...
  • Page 79: Radius-Server Host

    4. Login Security and RADIUS or TACACS+ radius-server host Configures the RADIUS server used for authentication, authorization, and accounting purposes. Syntax To set or change information: radius-server host {<ipv4 address> | <ipv6 address> [interface vlan <vlan id>] | <host name>} [auth-port <port>] [acct-port <port>] [timeout <seconds>] [retransmit <retries>] [key <string>] [{auth-only | acct-only}] To delete information: no radius-server host {<ipv4 address>...
  • Page 80 4. Login Security and RADIUS or TACACS+ character string that does not include any special characters such as a space, you do not need to enclose the character string in double quotation marks ("). For details, see Any character string in Specifiable values for parameters. auth-port <port>...
  • Page 81 4. Login Security and RADIUS or TACACS+ Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes A maximum of four RADIUS servers can be specified per device. When multiple RADIUS servers are specified, the RADIUS server that is first in the configuration file listing is the first server used for authentication.
  • Page 82: Radius-Server Key

    4. Login Security and RADIUS or TACACS+ radius-server key Sets the default RADIUS server key for authentication, authorization, and accounting purposes. Syntax To set or change information: radius-server key <string> To delete information: no radius-server key Input mode (config) Parameters <string>...
  • Page 83: Radius-Server Retransmit

    4. Login Security and RADIUS or TACACS+ radius-server retransmit Sets the default number of retransmissions to a RADIUS server used for authentication, authorization, and accounting purposes. Syntax To set or change information: radius-server retransmit <retries> To delete information: no radius-server retransmit Input mode (config) Parameters...
  • Page 84: Radius-Server Timeout

    4. Login Security and RADIUS or TACACS+ radius-server timeout Sets a response timeout value for a RADIUS server used for authentication, authorization, and accounting purposes. Syntax To set or change information: radius-server timeout <seconds> To delete information: no radius-server timeout Input mode (config) Parameters...
  • Page 85: Tacacs-Server Host

    4. Login Security and RADIUS or TACACS+ tacacs-server host Configures the TACACS+ server used for authentication or authorization. Syntax To set or change information: tacacs-server host {<host name> | <ip address>} [key <string>] [port <port>] [timeout <seconds>] [{auth-only | acct-only}] To delete information: no tacacs-server host {<host name>...
  • Page 86 4. Login Security and RADIUS or TACACS+ Sets the timeout period (in seconds) for a response from the TACACS+ server. Default value when this parameter is omitted: The period configured by using tacacs-server timeout is used. If no period is set, the initial value is 5.
  • Page 87: Tacacs-Server Key

    4. Login Security and RADIUS or TACACS+ tacacs-server key Sets the default shared private key of a TACACS+ server used for authentication or authorization purposes. Syntax To set or change information: tacacs-server key <string> To delete information: no tacacs-server key Input mode (config) Parameters...
  • Page 88: Tacacs-Server Timeout

    4. Login Security and RADIUS or TACACS+ tacacs-server timeout Sets the default response timeout value for a TACACS+ server used for authentication or authorization purposes. Syntax To set or change information: tacacs-server timeout <seconds> To delete information: no tacacs-server timeout Input mode (config) Parameters...
  • Page 89: Username

    4. Login Security and RADIUS or TACACS+ username For a specified user, sets the command list or command class permitted by local command authorization. In addition, this command also specifies the auto logout period for each user, paging, and help message display operation. A maximum of 20 users can be specified per device.
  • Page 90 4. Login Security and RADIUS or TACACS+ 0 to 60 terminal-pager {enable | disable} Specifies whether to enable paging (messaging) of the specified user. This setting is loaded when a user logs in, and has precedence over the settings configured by using the operation command before the user logs in.
  • Page 91 4. Login Security and RADIUS or TACACS+ This parameter cannot be omitted. Range of values: Specifies any one of the root, allcommand, noconfig, nomanage, and noenable command classes that have been defined in advance on the Switch. For details, see Table 8-10 Command classes in the manual Configuration Guide Vol. 1 For Version 11.7.
  • Page 93: Time Settings And Ntp

    Chapter 5. Time Settings and NTP clock timezone ntp access-group ntp authenticate ntp authentication-key ntp broadcast ntp broadcast client ntp broadcastdelay ntp master ntp peer ntp server ntp trusted-key...
  • Page 94: Clock Timezone

    5. Time Settings and NTP clock timezone Sets the time zone. The Switch maintains the date and time internally in Coordinated Universal Time (UTC). This clock timezone setting affects only time set using the set clock command, and the time displayed by using an operation command.
  • Page 95 5. Time Settings and NTP Notes None Related commands set clock show clock show logging...
  • Page 96: Ntp Access-Group

    5. Time Settings and NTP ntp access-group Creates an access group that can be permitted or denied access to NTP services by means of an IPv4 address filter. This command allows you to set a maximum of 50 filtering condition entries for an access list.
  • Page 97 5. Time Settings and NTP Default behavior All accesses to NTP services are permitted. Impact on communication None When the change is applied The change is applied immediately after setting values are changed if ntp peer ntp server , or is set and an IPv4 address filter is set.
  • Page 98: Ntp Authenticate

    5. Time Settings and NTP ntp authenticate Enables the NTP authentication functionality. Syntax To set information: ntp authenticate To delete information: no ntp authenticate Input mode (config) Parameters None Default behavior The NTP authentication functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed if...
  • Page 99: Ntp Authentication-Key

    5. Time Settings and NTP ntp authentication-key Sets an authentication key. This command can set a maximum of 10 authentication key entries. Syntax To set or change information: ntp authentication-key <key id> md5 <value> To delete information: no ntp authentication-key <key id> Input mode (config) Parameters...
  • Page 100 5. Time Settings and NTP ntp master ntp authenticate ntp trusted-key ntp broadcast client...
  • Page 101: Ntp Broadcast

    5. Time Settings and NTP ntp broadcast Broadcasts NTP packets to each interface and synchronizes other devices with the Switch. This command can be used together with the ntp peer and ntp server commands to specify a maximum of 10 entries in total. Syntax To set or change information: ntp broadcast [version <number>] [key <key id>]...
  • Page 102 5. Time Settings and NTP Do not specify 65536 or a larger value as the key number. Related commands ntp broadcast client ntp authentication-key...
  • Page 103: Ntp Broadcast Client

    5. Time Settings and NTP ntp broadcast client Specifies the setting for accepting NTP broadcast messages from devices on the connected subnet. This setting enables the Switch to receive NTP broadcast messages from other switches and synchronize its time with that of other switches. When this command is omitted, no NTP broadcast messages are accepted.
  • Page 104: Ntp Broadcastdelay

    5. Time Settings and NTP ntp broadcastdelay Specifies the estimated latency (time delay) between the NTP broadcast server sending time information and the Switch. Syntax To set or change information: ntp broadcastdelay <micro seconds> To delete information: no ntp broadcastdelay Input mode (config) Parameters...
  • Page 105: Ntp Master

    5. Time Settings and NTP ntp master Designates the switch as a local time server. Perform this setting if a reference NTP server cannot be accessed from the network to which the Switch is normally connected. Syntax To set or change information: ntp master [<stratum>] To delete information: no ntp master...
  • Page 106: Ntp Peer

    5. Time Settings and NTP ntp peer Configures NTP server symmetric active/passive mode. In symmetric active/passive mode, the time of the Switch can be synchronized with that of other switches, and vice versa. This command can be used together with the ntp broadcast and ntp server commands to specify...
  • Page 107 5. Time Settings and NTP Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If there is a 1000 second (about 16 minute) or longer difference between the time of a time reference source (server) switch and the time of this (client) Switch, the specified switch time is treated as invalid (not reconcilable) and it is not synchronized.
  • Page 108: Ntp Server

    5. Time Settings and NTP ntp server Configures client/server mode and specifies client mode for an NTP server. As a result, the time of this Switch is synchronized to that of a time server. The time of this Switch can be synchronized to that of another switch, but the time of another switch cannot be synchronized to that of this Switch.
  • Page 109 5. Time Settings and NTP Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If there is a 1000 second (about 16 minute) or longer difference between the time of a time reference source (server) switch and the time of this (client) Switch, the specified switch time is treated as invalid (not reconcilable) and it is not synchronized.
  • Page 110: Ntp Trusted-Key

    5. Time Settings and NTP ntp trusted-key Sets a security key number to perform authentication for security purposes when synchronizing with other switches. By default, the key to be used for authentication is not set. This command can be used to set a maximum of 10 key number entries. Syntax To set information: ntp trusted-key <key id>...
  • Page 111: Host Names And Dns

    Chapter 6. Host Names and DNS ip domain lookup ip domain name ip domain reverse-lookup ip host ip name-server ipv6 host...
  • Page 112: Ip Domain Lookup

    6. Host Names and DNS ip domain lookup Enables or disables the DNS resolver functionality. Syntax To set information: no ip domain lookup To delete information: ip domain lookup Input mode (config) Parameters None Default behavior The DNS resolver functionality is enabled. Impact on communication None When the change is applied...
  • Page 113: Ip Domain Name

    6. Host Names and DNS ip domain name Sets the domain name to be used by the DNS resolver. Syntax To set or change information: ip domain name <domain name> To delete information: no ip domain name Input mode (config) Parameters <domain name>...
  • Page 114: Ip Domain Reverse-Lookup

    6. Host Names and DNS ip domain reverse-lookup Disables or enables the reverse lookup functionality (functionality for using an IP address to search for a host name) of the DNS resolver functionality. Syntax To set information: no ip domain reverse-lookup To delete information: ip domain reverse-lookup Input mode...
  • Page 115: Ip Host

    6. Host Names and DNS ip host Sets host name information mapped to an IPv4 address. This command can configure a maximum of 20 entries. Syntax To set or change information: ip host <name> <ip address> To delete information: no ip host <name> Input mode (config) Parameters...
  • Page 116: Ip Name-Server

    6. Host Names and DNS ip name-server Sets the name server referenced by the DNS resolver. A maximum of three name servers can be specified. If multiple name servers are specified, inquiries to the name servers are performed in the order in which they were set.
  • Page 117 6. Host Names and DNS 127.*.*.* cannot be specified as an IP address. Class D and class E addresses cannot be set as IP addresses. AAAA query information cannot be referenced by using IPv6. AAAA query information is referenced by IPv4. Related commands ip domain name ip domain lookup...
  • Page 118: Ipv6 Host

    6. Host Names and DNS ipv6 host Sets host name information mapped to an IPv6 address. This command can configure a maximum of 20 entries. Syntax To set or change information: ipv6 host <name> <ipv6 address> To delete information: no ipv6 host <name> Input mode (config) Parameters...
  • Page 119: Device Management

    Chapter 7. Device Management swrt_multicast_table swrt_table_resource system fan mode system l2-table mode system memory-soft-error system recovery system temperature-warning-level...
  • Page 120: Swrt_Multicast_Table

    7. Device Management swrt_multicast_table This command is set when the IP multicast routing functionality and IGMP or MLD snooping are used together on the Switch. By setting this command, you can apply information learned from IGMP or MLD snooping when IP multicast forwarding is performed. You need to restart the switch to enable the command settings.
  • Page 121: Swrt_Table_Resource

    IPv6 unicast priority mode. This pattern allocates more resources to IPv6 unicast routing. The following table lists the number of table entries for each allocation pattern: Table 7-1: Number of table entries for each allocation pattern [AX3640S] Item Number of table entries for each allocation pattern...
  • Page 122 2048 Multicast route 1024 Legend n/a: Not applicable Default value when this parameter is omitted: l3switch-1 Range of values: l3switch-1, l3switch-2, or l3switch-3 [AX3640S] l3switch-1 or l3switch-2 [AX3630S] Default behavior The l3switch-1 pattern is used. Impact on communication Communications that pass through the Switch stop while the Switch is restarting.
  • Page 123: System Fan Mode

    7. Device Management system fan mode Sets the operating mode of the fan. Syntax To set or change information: system fan mode <mode> To delete information: no system fan mode Input mode (config) Parameters <mode> Specify operating mode 1 or 2 for the fan. 1: Low-noise setting 2: Low-temperature setting Default value when this parameter is omitted:...
  • Page 124: System L2-Table Mode

    7. Device Management system l2-table mode Sets the method for searching a Layer 2 hardware table (MAC address table and MAC VLAN table). Syntax To set information: system l2-table mode <mode> To delete information: no system l2-table mode Input mode (config) Parameters <mode>...
  • Page 125 7. Device Management Notes None Related commands None...
  • Page 126: System Memory-Soft-Error

    7. Device Management system memory-soft-error Configures the Switch to output a log message when a soft error occurs in memory inside the switch processor. Syntax To set information: system memory-soft-error log To delete information: no system memory-soft-error log Input mode (config) Parameters Outputs a log message when a soft error occurs in memory inside the switch processor.
  • Page 127: System Recovery

    7. Device Management system recovery When a failure occurs in a switch, no recovery is performed for the failed part, which will remain stopped after the failure occurs. This functionality covers the send control section. Syntax To set information: no system recovery To delete information: system recovery Input mode...
  • Page 128: System Temperature-Warning-Level

    7. Device Management system temperature-warning-level Outputs a warning message when the intake temperature of the switch exceeds the specified temperature. Syntax To set information: system temperature-warning-level <temperature> To delete information: no system temperature-warning-level Input mode (config) Parameters <temperature> Specify the intake air temperature (in Celsius) for the switch. You can specify the temperature in degrees Celsius.
  • Page 129: Power Saving Functionality

    Chapter 8. Power Saving Functionality schedule-power-control shutdown schedule-power-control time-range...
  • Page 130: Schedule-Power-Control Shutdown

    8. Power Saving Functionality schedule-power-control shutdown Sets a port that is disabled when scheduled power saving functionality is in use. Disabling the port turns off the power, reducing the amount of power consumption. Syntax To set information: schedule-power-control shutdown interface <interface id list> To change information: schedule-power-control shutdown interface {<interface id list>...
  • Page 131 8. Power Saving Functionality Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If you want a port to always be disabled regardless of the schedule, you must set both the command and this command.
  • Page 132: Schedule-Power-Control Time-Range

    8. Power Saving Functionality schedule-power-control time-range Specifies the execution time of scheduled power saving functionality. Syntax To set or change information: schedule-power-control time-range <entry number> {execution time} action {enable | disable} Execution time • When a date is specified: date start-time <yymmdd> <hhmm> end-time <yymmdd> <hhmm> •...
  • Page 133 8. Power Saving Functionality Range of values: date, weekly, everyday start-time <yymmdd> <hhmm> Specifies the start date and time. Specify the last two digits of the year in the range from 00 to 38. For example, 00 means the year 2000. Specify the month in the range from 01 to 12.
  • Page 134 8. Power Saving Functionality start-time {sun | mon | tue | wed | thu | fri | sat} <hhmm> Specifies the start day of the week and the time. Sets Sunday. Sets Monday. Sets Tuesday. Sets Wednesday. Sets Thursday. Sets Friday. Sets Saturday.
  • Page 135 8. Power Saving Functionality Sets Saturday. Specify the hour (00 to 23). Specify the minute (00 to 59). Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Select , or , and specify a time for <hhmm>. start-time <hhmm>...
  • Page 136 8. Power Saving Functionality • shutdown Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: enable, disable Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If there is an overlap of time of execution between different parameters, the...
  • Page 137: Part 3: Network Interfaces

    PART 3: Network Interfaces Chapter 9. Ethernet bandwidth description duplex flowcontrol frame-error-notice interface gigabitethernet interface tengigabitethernet link debounce link up-debounce mdix auto media-type power inline [AX3630S] shutdown speed system flowcontrol off system minimum-tagged-frame-length-68 system mtu...
  • Page 138: Bandwidth

    9. Ethernet bandwidth Assigns the bandwidth of a line. This setting is used for calculating the line usage rate on a network monitoring device. Syntax To set or change information: bandwidth <kbit/s> To delete information: no bandwidth Input mode (config-if) Parameters <kbit/s>...
  • Page 139: Description

    9. Ethernet description Sets supplementary information. This command can be used as a comment about the port. Note that when this command is set, information can be checked by using the show interfaces (SNMP MIB) operation command. ifDescr Syntax To set or change information: description <string>...
  • Page 140: Duplex

    1000 (when is specified) full speed 1000 100BASE-FX half [AX3640S] full half Sets the port to half duplex (fixed) mode. full Sets the port to full duplex (fixed) mode. auto Determines the duplex mode by auto-negotiation. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 141 9. Ethernet Default behavior auto is set for 10BASE-T, 100BASE-TX, 1000BASE-T, or 1000BASE-X. full is set for 100BASE-FX. [AX3640S] Impact on communication If this command is specified for a port in use, the port goes down and communication stops temporarily. Thereafter, the port restarts.
  • Page 142: Flowcontrol

    9. Ethernet flowcontrol Sets flow control. Syntax To set or change information: flowcontrol send {desired | on | off} [loose] flowcontrol receive {desired | on | off} To delete information: no flowcontrol send no flowcontrol receive Input mode (config-if) Parameters send {desired | on | off} Specifies the operation for sending flow-control pause packets.
  • Page 143 Behavior varies depending on the line type. • For 10BASE-T, 100BASE-TX, or 1000BASE-T: Receive operation is but send operation is desired • For 100BASE-FX: [AX3640S] Receive operation is but send operation is • For 1000BASE-X: Receive operation is but send operation is desired •...
  • Page 144: Frame-Error-Notice

    9. Ethernet frame-error-notice Sets the condition for sending a notification when a frame reception error or a frame sending error occurs. A frame reception error or a frame sending error indicates that a frame is discarded due to a failure in receiving or sending a frame, which is caused by a minor error. The cause of the failure is collected as statistics.
  • Page 145 9. Ethernet error-rate <rate> Specifies, as the error notification condition, the threshold for the error occurrence rate as a percentage (%). The error occurrence rate is calculated as the rate of the number of error frames against the total number of frames. The fractional portion of the rate is truncated, and then it is compared with the set value.
  • Page 146 9. Ethernet Specifies whether to display a log entry when an error occurrence is reported. If a large number of errors occur continuously, this setting can prevent the log file from being filled with this log entry. Note that this parameter has no impact on private traps. Use the snmp-server command to specify whether to issue a private trap.
  • Page 147: Interface Gigabitethernet

    9. Ethernet interface gigabitethernet Sets the items related to an Ethernet interface that has a maximum line speed of 1000 Mbit/s. Entering this command switches to config-if mode, in which information about the relevant port can be set. Syntax To set information: interface gigabitethernet <nif no.>/<port no.>...
  • Page 148: Interface Tengigabitethernet

    9. Ethernet interface tengigabitethernet Sets the items related to an Ethernet interface that has a maximum line speed of 10 Gbit/s. Entering this command switches to config-if mode, in which information about the relevant port can be set. Syntax To set information: interface tengigabitethernet <nif no.>/<port no.>...
  • Page 149: Link Debounce

    9. Ethernet link debounce Sets the link-down detection time after a link failure is detected until the actual link-down occurs. When a large value is set, temporary link-downs will not be detected, thereby preventing instability of the link. Syntax To set or change information: link debounce [time <mili seconds>] To delete information: no link debounce...
  • Page 150: Link Up-Debounce

    9. Ethernet link up-debounce Sets the link-up detection time after a link failure is detected until the actual link-up occurs. When a large value is set, a temporary link-up will not be detected, thereby preventing instability of the network status. Syntax To set or change information: link up-debounce time <mili seconds>...
  • Page 151: Mdix Auto

    The change is applied immediately after setting values are changed. Notes This command is enabled during auto-negotiation. For 1000BASE-X, this command is disabled. For 10GBASE-R, this command cannot be specified. , this command is disabled. media-type For 100BASE-FX, this command is disabled. [AX3640S] Related commands speed media-type...
  • Page 152: Media-Type

    9. Ethernet media-type Selects a port used in a selectable port that can be used either as a 10BASE-T, 100BASE-TX, 1000BASE-T, or 1000BASE-X port. Syntax To set or change information: media-type {rj45 | sfp} To delete information: no media-type Input mode (config-if) Parameters {rj45 | sfp}...
  • Page 153: Mtu

    9. Ethernet mtu Sets the MTU for ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Syntax To set or change information: mtu <length>...
  • Page 154 9. Ethernet Table 9-5: MTU and the length of frames that can be sent or received Line type mtu setting system mtu Length of a frame that Port MTU (in setting can be sent or received octets) (in octets) 10BASE-T (full and Not related Not related Tagged 1518...
  • Page 155: Power Inline [Ax3630S]

    9. Ethernet power inline [AX3630S] Sets the PoE functionality for ports. Setting the power priority for each port ensures that power is supplied to the appropriate ports. For a switch that has 24 or fewer PoE ports, priority is meaningless because power is supplied to all ports and a power shortage would not occur. Syntax To set or change information: power inline {critical | high | low | never}...
  • Page 156 9. Ethernet When the change is applied The change is applied immediately after setting values are changed. Notes This command is invalid if it is entered for a port that does not support PoE functionality. If you enter this command for a selectable port and change , the media-type specification of the command is disabled but is not deleted from the configuration.
  • Page 157: Shutdown

    9. Ethernet shutdown Places the port in the shutdown state. If a port with the PoE functionality is shut down, it is not supplied with power. Syntax To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None...
  • Page 158: Speed

    10 100 auto 10 100 1000 1000BASE-X 1000 auto auto 1000 100BASE-FX [AX3640S] Sets the line speed to 10 Mbit/s. Sets the line speed to 100 Mbit/s. 1000 Sets the line speed to 1000 Mbit/s. auto Sets the line speed to auto-negotiation.
  • Page 159 Default behavior is set for 10BASE-T, 100BASE-TX, 1000BASE-T, or 1000BASE-X. auto is set for 100BASE-FX. [AX3640S] Impact on communication If this command is specified for a port in use, the port goes down and communication stops temporarily. Thereafter, the port restarts.
  • Page 160: System Flowcontrol Off

    9. Ethernet system flowcontrol off Disables flow control for all ports on the switch. This setting has precedence over flow control settings for specific ports. Syntax To set information: system flowcontrol off To delete information: no system flowcontrol off Input mode (config) Parameters None...
  • Page 161: System Minimum-Tagged-Frame-Length-68

    9. Ethernet system minimum-tagged-frame-length-68 Sets the minimum frame length of tagged frames spontaneously sent by the switch and relayed by software to 68 octets. Even if this configuration is set, tagged 64-octet frames are not discarded. Syntax To set information: system minimum-tagged-frame-length-68 To delete information: no system minimum-tagged-frame-length-68...
  • Page 162: System Mtu

    9. Ethernet system mtu Sets the MTU of all ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Syntax To set or change information: system mtu <length>...
  • Page 163 9. Ethernet Table 9-8: MTU and the length of frames that can be sent or received Line type mtu setting system mtu Length of a frame that can Port MTU (in setting be sent or received (in octets) octets) 10BASE-T (full and Not related Not related Tagged 1518...
  • Page 165: Link Aggregation

    Chapter 10. Link Aggregation channel-group lacp system-priority channel-group max-active-port channel-group max-detach-port channel-group mode channel-group multi-speed channel-group periodic-timer description interface port-channel lacp port-priority lacp system-priority port-channel load-balance shutdown...
  • Page 166: Channel-Group Lacp System-Priority

    10. Link Aggregation channel-group lacp system-priority Sets the LACP system priority of the applicable channel group for link aggregation. Syntax To set or change information: channel-group lacp system-priority <priority> To delete information: no channel-group lacp system-priority Input mode (config-if) Parameters <priority>...
  • Page 167: Channel-Group Max-Active-Port

    10. Link Aggregation channel-group max-active-port Sets the maximum number of active ports that will be used for link aggregation in the applicable channel group. Syntax To set information: channel-group max-active-port <number> [no-link-down] To change information: channel-group max-active-port <number> channel-group max-active-port <number> no-link-down To delete information: no channel-group max-active-port Input mode...
  • Page 168 10. Link Aggregation might stop temporarily. When the change is applied The change is applied immediately after setting values are changed. Notes This command is effective only when static link aggregation is used. If you specify the command, match its settings to the settings of the max-active-port commands on the destination device.
  • Page 169: Channel-Group Max-Detach-Port

    10. Link Aggregation channel-group max-detach-port Limits the maximum number of detached ports in the applicable link aggregation channel group. Syntax To set or change information: channel-group max-detach-port <number> To delete information: no channel-group max-detach-port Input mode (config-if) Parameters <number> Specifies the maximum number of ports that can be detached from a channel group used for link aggregation for reasons such as a link down.
  • Page 170 10. Link Aggregation channel-group mode channel-group lacp system-priority lacp system-priority...
  • Page 171: Channel-Group Mode

    10. Link Aggregation channel-group mode Creates a channel group for link aggregation. Syntax To set information: channel-group <channel group number> mode { on | { active | passive } } To change information: channel-group <channel group number> mode { active | passive } To delete information: no channel-group Input mode...
  • Page 172 10. Link Aggregation When the change is applied The change is applied immediately after setting values are changed. Notes To change static link aggregation to LACP-based link aggregation, or vice versa, delete this command, change the mode, and then set the command again. When is set, the setting of the specified channel group...
  • Page 173: Channel-Group Multi-Speed

    10. Link Aggregation channel-group multi-speed Sets mixed-speed mode. If this command is set, ports with different transmission speeds can be used simultaneously in a channel group for link aggregation. Syntax To set information: channel-group multi-speed To delete information: no channel-group multi-speed Input mode (config-if) Parameters...
  • Page 174: Channel-Group Periodic-Timer

    10. Link Aggregation channel-group periodic-timer Specifies the interval for sending LACPDUs. Syntax To set or change information: channel-group periodic-timer { long | short } To delete information: no channel-group periodic-timer Input mode (config-if) Parameters { long | short } Specifies the interval at which the remote device sends LACPDUs to a Switch. : 30 seconds long : one second...
  • Page 175: Description

    10. Link Aggregation description Sets supplementary information. Syntax To set or change information: description <string> To delete information: no description Input mode (config-if) Parameters <string> Sets supplementary information for the applicable channel group used for link aggregation. Use this command to create and attach a note to the interface. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 176: Interface Port-Channel

    10. Link Aggregation interface port-channel Sets an item related to a port channel interface. Entering this command switches to config-if mode, which allows you to use configuration commands to specify the channel group number. A port channel interface is automatically generated when the command is set.
  • Page 177: Lacp Port-Priority

    10. Link Aggregation lacp port-priority Sets the port priority. Syntax To set or change information: lacp port-priority <priority> To delete information: no lacp port-priority Input mode (config-if) Parameters <priority> Specifies the port priority. The lower the value, the higher the priority. When is specified for the command...
  • Page 178 10. Link Aggregation channel-group max-active-port...
  • Page 179: Lacp System-Priority

    10. Link Aggregation lacp system-priority Sets the effective LACP system priority for a Switch. Syntax To set or change information: lacp system-priority <priority> To delete information: no lacp system-priority Input mode (config) Parameters <priority> Sets the LACP system priority. The lower the value, the higher the priority. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 180: Port-Channel Load-Balance

    10. Link Aggregation port-channel load-balance For link aggregation, sets the method of allocating frames that are to be sent. Syntax To set or change information: port-channel load-balance { dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port | src-ip | src-mac | src-port } To delete information: no port-channel load-balance...
  • Page 181 10. Link Aggregation Default behavior src-dst-port is used for operation. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If you specify dst-ip, src-dst-ip, or src-ip, TCP/UDP port numbers are not used for...
  • Page 182: Shutdown

    10. Link Aggregation shutdown Always disables the applicable channel group for link aggregation, and stops communication. Syntax To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication If a priority is specified for an active channel group, the channel group goes down. When the change is applied The change is applied immediately after setting values are changed.
  • Page 183: Part 4: Layer 2 Switching

    PART 4: Layer 2 Switching Chapter 11. MAC Address Table mac-address-table aging-time mac-address-table static...
  • Page 184: Mac-Address-Table Aging-Time

    11. MAC Address Table mac-address-table aging-time Sets the aging conditions for MAC address table entries. Syntax To set or change information: mac-address-table aging-time <seconds> To delete information: no mac-address-table aging-time Input mode (config) Parameters <seconds> Sets the aging time in seconds. If is specified, aging is not performed.
  • Page 185: Mac-Address-Table Static

    11. MAC Address Table mac-address-table static Sets static MAC address table information. Syntax To set or change information: mac-address-table static <mac> vlan <vlan id> {interface <interface type> <interface number> | drop} To delete information: no mac-address-table static <mac> vlan <vlan id> Input mode (config) Parameters...
  • Page 186 11. MAC Address Table - gigabitethernet <nif no.>/<port no.> - tengigabitethernet <nif no.>/<port no.> - port-channel <channel group number> For details about the valid setting range of <nif no.> <port no.> and <channel group number>, see Specifiable values for parameters. Default behavior No static entries are set.
  • Page 187: Vlan

    Chapter 12. VLAN down-debounce interface vlan l2protocol-tunnel eap l2protocol-tunnel stp l2-isolation mac-address mac-based-vlan static-only name protocol state switchport access switchport dot1q ethertype switchport isolation switchport mac switchport mode switchport protocol switchport trunk switchport vlan mapping switchport vlan mapping enable up-debounce vlan vlan-dot1q-ethertype vlan-mac...
  • Page 188: Down-Debounce

    12. VLAN down-debounce Sets the down-determination time of a VLAN interface when no more ports that can be used for relays exist in the VLAN. Syntax To set or change information: down-debounce <seconds> To delete information: no down-debounce Input mode (config-if) This can be set only for VLAN interfaces.
  • Page 189: Interface Vlan

    12. VLAN interface vlan Configures a VLAN interface. Entering this command switches to config-if mode in which the IP address or other settings can be set for the relevant VLAN interface. Syntax To set information: interface vlan <vlan id> To delete information: no interface vlan <vlan id>...
  • Page 190: L2Protocol-Tunnel Eap

    12. VLAN l2protocol-tunnel eap Enables the EAPOL forwarding functionality. The functionality is set for a switch. Syntax To set information: l2protocol-tunnel eap To delete information: no l2protocol-tunnel eap Input mode (config) Parameters None Default behavior The EAPOL forwarding functionality is invalid. Impact on communication None When the change is applied...
  • Page 191: L2Protocol-Tunnel Stp

    12. VLAN l2protocol-tunnel stp Enables the BPDU forwarding functionality. The functionality is set for a switch. Syntax To set information: l2protocol-tunnel stp To delete information: no l2protocol-tunnel stp Input mode (config) Parameters None Default behavior The BPDU forwarding functionality is disabled. Impact on communication None When the change is applied...
  • Page 192: L2-Isolation

    12. VLAN l2-isolation Blocks Layer 2 forwarding within a VLAN. Only Layer 3 forwarding is permitted. Syntax To set information: l2-isolation To delete information: no l2-isolation Input mode (config) Parameters None Default behavior Layer 2 forwarding is not blocked. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 193: Mac-Address

    MAC-based authentication, or an authentication VLAN, settings for those functionalities become invalid and settings for this command are enabled. The number of MAC addresses that can be set is as follows: For AX3640S series switches: - 1024 per device For AX3630S series switches:...
  • Page 194 12. VLAN Related commands mac-based-vlan static-only...
  • Page 195: Mac-Based-Vlan Static-Only

    MAC addresses for MAC VLANs, and sets the mac-address capacity limits as follows: For AX3640S series switches: The maximum number of MAC addresses that can be set by a configuration command is 1024. This value has not been changed.
  • Page 196 12. VLAN To delete information set by this command for an AX3630S series switch, the number of MAC addresses set for a MAC VLAN must be 64 or less. If there are 65 or more MAC addresses set, this command cannot be set or deleted. Related commands mac-address...
  • Page 197: Name

    12. VLAN name Sets a VLAN name. Syntax To set or change information: name <string> To delete information: no name Input mode (config-vlan) Parameters <string> Sets a VLAN name. This parameter cannot be set if <vlan id list> has been specified by using command.
  • Page 198: Protocol

    12. VLAN protocol Sets the protocol for identifying VLANs in protocol VLANs. Syntax To set information: protocol <protocol name> To delete information: no protocol <protocol name> Input mode (config-vlan) Parameters <protocol name> Specifies the name of the protocol in a protocol-based VLAN. This command can be set only when the applicable VLAN is a protocol-based VLAN.
  • Page 199: State

    12. VLAN state Sets the VLAN status. Syntax To set or change information: state {suspend | active} To delete information: no state Input mode (config-vlan) Parameters {suspend | active} suspend Disables the VLAN status and stops the sending and receiving of all frames on the VLAN.
  • Page 200: Switchport Access

    12. VLAN switchport access Sets access port information. The information you set is also applied to access VLANs of tunneling ports. Syntax To set or change information: switchport access vlan <vlan id> To delete information: no switchport access vlan Input mode (config-if) Parameters vlan <vlan id>...
  • Page 201: Switchport Dot1Q Ethertype

    The change is applied immediately after setting values are changed. Notes For ports specified by using this command, the value specified for vlan-dot1q-ethertype is not applied. A maximum of four TPID values can be specified per Switch. [AX3640S] Related commands None...
  • Page 202: Switchport Isolation

    12. VLAN switchport isolation Configures the inter-port relay isolation functionality. Syntax To set information: switchport isolation interface <interface id list> To change information: switchport isolation interface {<interface id list> | add <interface id list> | remove <interface id list>} To delete information: no switchport isolation Input mode (config-if)
  • Page 203 12. VLAN Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The functionality for suppressing inter-port forwarding is entered from the line specified by interface of the switchport isolation command, and discards frames output from the port on which the command is set.
  • Page 204: Switchport Mac

    12. VLAN switchport mac Sets MAC VLAN port information. Syntax To set information: switchport mac vlan <vlan id list> switchport mac native vlan <vlan id> switchport mac dot1q vlan <vlan id list> To change information: switchport mac {vlan <vlan id list> | vlan add <vlan id list> | vlan remove <vlan id list> | native vlan <vlan id>...
  • Page 205 12. VLAN This parameter cannot be omitted. Range of values: For details about how to set <vlan id list> and the specifiable values, see Specifiable values for parameters. vlan add <vlan id list> Adds the currently-valid MAC VLANs for this port to the VLAN list. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 206 12. VLAN When the change is applied The change is applied immediately after setting values are changed. Notes The MAC VLAN specified as a post-authentication VLAN by the authentication functionality is available for communication only when a valid MAC-VLAN has not been set. If valid MAC VLANs have been set, a MAC VLAN specified as a post-authentication VLAN by the authentication functionality is available for communication only when it matches a MAC VLAN that has been set.
  • Page 207: Switchport Mode

    12. VLAN switchport mode Sets Layer 2 interface attributes. Syntax To set or change information: switchport mode {access | trunk | protocol-vlan | mac-vlan | dot1q-tunnel } To delete information: no switchport mode {access | trunk | protocol-vlan | mac-vlan | dot1q-tunnel } Input mode (config-if) Parameters...
  • Page 208 12. VLAN Default behavior access (access mode) is set. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If an interface is set to trunking mode, set allowed vlan by using the switchport trunk command.
  • Page 209: Switchport Protocol

    12. VLAN switchport protocol Sets protocol VLAN port information. Syntax To set information: switchport protocol vlan <vlan id list> switchport protocol native vlan <vlan id> To change information: switchport protocol {vlan <vlan id list> | vlan add <vlan id list> | vlan remove <vlan id list> | native vlan <vlan id>} To delete information: no switchport protocol vlan...
  • Page 210 12. VLAN Removes a currently-valid protocol VLAN on the port from the VLAN list. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For details about how to set <vlan id list> and the specifiable values, see Specifiable values for parameters.
  • Page 211: Switchport Trunk

    12. VLAN switchport trunk Sets trunk port information. Syntax To set information: switchport trunk allowed vlan <vlan id list> switchport trunk native vlan <vlan id> To change information: switchport trunk native vlan <vlan id> switchport trunk allowed vlan {<vlan id list> | add <vlan id list> | remove <vlan id list>} To delete information: no switchport trunk allowed vlan no switchport trunk native vlan...
  • Page 212 12. VLAN For details about how to set <vlan id list> and the specifiable values, see Specifiable values for parameters. remove <vlan id list> Removes a VLAN from the specified VLAN list. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For details about how to set <vlan id list>...
  • Page 213: Switchport Vlan Mapping

    12. VLAN switchport vlan mapping Sets tag translation information entries. Syntax To set or change information: switchport vlan mapping <vlan tag> <vlan id> To delete information: no switchport vlan mapping <vlan tag> <vlan id> Input mode (config-if) Parameters <vlan tag> Specifies the VLAN tag value used in a LAN.
  • Page 214 12. VLAN If a frame subject to tag translation is received on a port that uses tag translation, the user priority in the VLAN tag is set to (default). If you want to change the default user priority when using tag translation, use the marking functionality for QoS control. Related commands switchport mode trunk switchport trunk...
  • Page 215: Switchport Vlan Mapping Enable

    12. VLAN switchport vlan mapping enable Enables tag translation. Syntax To set information: switchport vlan mapping enable To delete information: no switchport vlan mapping enable Input mode (config-if) Parameters None Default behavior Tag translation is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 216: Up-Debounce

    12. VLAN up-debounce Sets the up-determination time for a VLAN interface after the VLAN interface goes down until another port in the VLAN comes up again as a port that can be used for communication. Syntax To set or change information: up-debounce <seconds>...
  • Page 217 12. VLAN Related commands None...
  • Page 218: Vlan

    12. VLAN vlan Sets VLAN-related items. Syntax To set information: vlan <vlan id> vlan <vlan id list> vlan <vlan id> protocol-based vlan <vlan id list> protocol-based vlan <vlan id> mac-based vlan <vlan id list> mac-based To delete information: no vlan <vlan id> no vlan <vlan id list>...
  • Page 219 12. VLAN Note on using this parameter: - To specify protocol VLANs, you must specify protocol-based - This parameter cannot be specified for any VLAN which has already been created as a port-based VLAN or a MAC VLAN. - This parameter and the VLAN tunneling functionality cannot be used at the same time. mac-based Specifies this parameter for MAC VLANs.
  • Page 220 12. VLAN The following table applies to the vlan command. Table 12-2: Handling default VLAN parameters. Columns: Parameter; Whether specifiable by the user; Behavior specific to the default VLAN. <vlan id>: F (fixed value); Set when the Switch is started. Fixed at .
  • Page 221: Vlan-Dot1Q-Ethertype

    12. VLAN vlan-dot1q-ethertype Sets the TPID for a VLAN tag. Syntax To set or change information: vlan-dot1q-ethertype <hex> To delete information: no vlan-dot1q-ethertype Input mode (config) Parameters <hex> Sets the TPID value of a VLAN tag which is assigned by a Switch. This command sets the default value of the entire Switch.
  • Page 222: Vlan-Mac

    12. VLAN vlan-mac Sets MAC addresses to be used for each VLAN. When L3 forwarding is performed, if you change the MAC used by a Switch on a per-VLAN basis, this makes operation easier when you connect to a Switch that does not perform MAC learning on a per-VLAN basis. You do not have to set this command for VLANs for which L3 forwarding is not performed.
  • Page 223: Vlan-Mac-Prefix

    12. VLAN vlan-mac-prefix Sets an individual MAC address prefix for each VLAN. Syntax To set or change information: vlan-mac-prefix <mac> <mask> To delete information: no vlan-mac-prefix Input mode (config) Parameters <mac> <mask> Sets an individual MAC address to be used for each VLAN. Uses <mac> <mask> specified by using this command as the template, and automatically generates an MAC address for each VLAN by setting numbers corresponding to the VLAN in the lower order bits.
  • Page 224 12. VLAN Related commands vlan-mac...
  • Page 225: Vlan-Protocol

    12. VLAN vlan-protocol Sets the protocol name and protocol value for a protocol VLAN. Syntax To set or change information: vlan-protocol <protocol name> [ethertype <hex>...] [llc <hex>...] [snap-ethertype <hex>...] To delete information: no vlan-protocol <protocol name> Input mode (config) Parameters <protocol name>...
  • Page 226 12. VLAN Range of values: Four-digit hexadecimal Note on using this parameter: EtherType values which have already been set by users cannot be specified. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Note, however, that for protocols that have not been specified by the command for the protocol VLAN, the protocol...
  • Page 227: Spanning Tree Protocol

    Chapter 13. Spanning Tree Protocol instance name revision spanning-tree bpdufilter spanning-tree bpduguard spanning-tree cost spanning-tree disable spanning-tree guard spanning-tree link-type spanning-tree loopguard default spanning-tree mode spanning-tree mst configuration spanning-tree mst cost spanning-tree mst forward-time spanning-tree mst hello-time spanning-tree mst max-age spanning-tree mst max-hops spanning-tree mst port-priority spanning-tree mst root priority...
  • Page 228: Instance

    13. Spanning Tree Protocol instance Sets VLANs belonging to Multiple Spanning Tree MST instances. Syntax To set or change information: instance <mst instance id> vlans <vlan range> To delete information: no instance <mst instance id> Input mode (config-mst) Parameters <mst instance id> Sets an MST instance ID.
  • Page 229 13. Spanning Tree Protocol When the Ring Protocol and Multiple Spanning Tree are used together, the VLAN IDs of VLANs specified by this command and the VLAN IDs specified by VLAN mapping for the Ring Protocol must match. Unmatched VLANs are put in the Blocking status. Related commands spanning-tree mst configuration...
  • Page 230: Name

    13. Spanning Tree Protocol name Sets a string to identify a Multiple Spanning Tree region. Syntax To set or change information: name <name> To delete information: no name Input mode (config-mst) Parameters <name> Sets the character string used to identify a region. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 231: Revision

    13. Spanning Tree Protocol revision Sets revision numbers to identify Multiple Spanning Tree regions. Syntax To set or change information: revision <version> To delete information: no revision Input mode (config-mst) Parameters <version> Sets the revision number to identify a region. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 232: Spanning-Tree Bpdufilter

    13. Spanning Tree Protocol spanning-tree bpdufilter Sets the BPDU filter functionality for the applicable ports. This command is applied to the applicable ports of all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set information: spanning-tree bpdufilter enable To delete information: no spanning-tree bpdufilter...
  • Page 233: Spanning-Tree Bpduguard

    13. Spanning Tree Protocol spanning-tree bpduguard Sets the BPDU guard functionality for the applicable ports. This command is applied to the applicable ports of all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree), and operates on a port for which the PortFast functionality has been set. Syntax To set or change information: spanning-tree bpduguard { enable | disable }...
  • Page 234: Spanning-Tree Cost

    13. Spanning Tree Protocol spanning-tree cost Sets the path cost of the applicable port. This command is applied to all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set or change information: spanning-tree cost <cost> To delete information: no spanning-tree cost Input mode...
  • Page 235 13. Spanning Tree Protocol This command is not applied to a virtual link set when both Spanning Tree Protocols and the Ring Protocol are used together. Related commands spanning-tree pathcost method spanning-tree vlan pathcost method spanning-tree vlan cost spanning-tree single pathcost method spanning-tree single cost spanning-tree mst cost...
  • Page 236: Spanning-Tree Disable

    13. Spanning Tree Protocol spanning-tree disable Stops operation of the Spanning Tree functionality for all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set information: spanning-tree disable To delete information: no spanning-tree disable Input mode (config) Parameters None...
  • Page 237: Spanning-Tree Guard

    13. Spanning Tree Protocol spanning-tree guard Sets the guard functionality for the applicable ports. This command is applied to the applicable ports of all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set or change information: spanning-tree guard { loop | none | root } To delete information: no spanning-tree guard...
  • Page 238 13. Spanning Tree Protocol occurs. This command is not applied to a virtual link set when both Spanning Tree Protocols and the Ring Protocol are used together. Related commands spanning-tree loopguard default...
  • Page 239: Spanning-Tree Link-Type

    13. Spanning Tree Protocol spanning-tree link-type Sets the link type of the applicable port. This command is applied to the applicable ports of all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). If you want to change the high-speed topology when rapid-pvst is set by the spanning-tree mode...
  • Page 240 13. Spanning Tree Protocol spanning-tree single mode...
  • Page 241: Spanning-Tree Loopguard Default

    13. Spanning Tree Protocol spanning-tree loopguard default Sets the loop guard functionality that is used by default. This command is valid for ports of all Spanning Tree Protocols (PVST+ and Single Spanning Tree). Syntax To set information: spanning-tree loopguard default To delete information: no spanning-tree loopguard default Input mode...
  • Page 242: Spanning-Tree Mode

    13. Spanning Tree Protocol spanning-tree mode The following explains settings for the Spanning Tree operating mode. This command applies to all Spanning Tree Protocols (PVST+ and Multiple Spanning Tree) other than Single Spanning Tree. If the spanning-tree vlan mode command is set in a PVST+ operating mode, the settings for that command are used.
  • Page 243: Spanning-Tree Mst Configuration

    13. Spanning Tree Protocol spanning-tree mst configuration Switches to config-mst mode in which you can set the information necessary for defining Multiple Spanning Tree regions. If this setting is deleted, all previously-set information for defining regions is deleted. Syntax To set information: spanning-tree mst configuration To delete information: no spanning-tree mst configuration...
  • Page 244: Spanning-Tree Mst Cost

    13. Spanning Tree Protocol spanning-tree mst cost Sets the path cost for the applicable Multiple Spanning Tree ports. Syntax To set or change information: spanning-tree mst <mst instance id list> cost <cost> To delete information: no spanning-tree mst <mst instance id list> cost Input mode (config-if) Parameters...
  • Page 245 13. Spanning Tree Protocol This command is not applied to a virtual link set when both Spanning Tree Protocols and the Ring Protocol are used together. Related commands spanning-tree cost...
  • Page 246: Spanning-Tree Mst Forward-Time

    13. Spanning Tree Protocol spanning-tree mst forward-time Sets the time required for Multiple Spanning Tree state transitions. Syntax To set or change information: spanning-tree mst forward-time <seconds> To delete information: no spanning-tree mst forward-time Input mode (config) Parameters <seconds> Specifies the time in seconds required for the state of a port to change. For ports in stp-compatible mode, only listening and learning states can be maintained for the specified period of time.
  • Page 247: Spanning-Tree Mst Hello-Time

    13. Spanning Tree Protocol spanning-tree mst hello-time Sets the interval for sending BPDUs in Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst hello-time <hello time> To delete information: no spanning-tree mst hello-time Input mode (config) Parameters <hello time> Specifies the interval in seconds for sending BPDUs that are sent regularly from the Switch.
  • Page 248: Spanning-Tree Mst Max-Age

    13. Spanning Tree Protocol spanning-tree mst max-age Sets the maximum valid time of BPDUs that are sent via Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst max-age <seconds> To delete information: no spanning-tree mst max-age Input mode (config) Parameters <seconds>...
  • Page 249: Spanning-Tree Mst Max-Hops

    13. Spanning Tree Protocol spanning-tree mst max-hops Sets the maximum-number-of-hops count for BPDUs in Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst max-hops <hop number> spanning-tree mst <mst instance id list> max-hops <hop number> To delete information: no spanning-tree mst max-hops no spanning-tree mst <mst instance id list>...
  • Page 250: Spanning-Tree Mst Port-Priority

    13. Spanning Tree Protocol spanning-tree mst port-priority Sets the priority of the applicable Multiple Spanning Tree ports for each MST instance. Syntax To set or change information: spanning-tree mst <mst instance id list> port-priority <priority> To delete information: no spanning-tree mst <mst instance id list> port-priority Input mode (config-if) Parameters...
  • Page 251 13. Spanning Tree Protocol This command is not applied to a virtual link set when both Spanning Tree Protocols and the Ring Protocol are used together. Related commands spanning-tree port-priority...
  • Page 252: Spanning-Tree Mst Root Priority

    13. Spanning Tree Protocol spanning-tree mst root priority Sets the bridge priority for each MST instance in Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst <mst instance id list> root priority <priority> To delete information: no spanning-tree mst <mst instance id list> root priority Input mode (config) Parameters...
  • Page 253: Spanning-Tree Mst Transmission-Limit

    13. Spanning Tree Protocol spanning-tree mst transmission-limit Sets the maximum number of BPDUs that can be sent during each hello-time interval for Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst transmission-limit <count> To delete information: no spanning-tree mst transmission-limit Input mode (config) Parameters...
  • Page 254: Spanning-Tree Pathcost Method

    13. Spanning Tree Protocol spanning-tree pathcost method Sets whether to use 16-bit values or 32-bit values as the path cost of ports. This command does not apply to Multiple Spanning Tree but does apply to all other Spanning Tree Protocols (PVST+ and Single Spanning Tree).
  • Page 255 13. Spanning Tree Protocol Default behavior short is set by path cost mode. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When is set by the spanning-tree mode command, Multiple Spanning Tree operates using a 32-bit value.
  • Page 256: Spanning-Tree Port-Priority

    13. Spanning Tree Protocol spanning-tree port-priority Sets the port priority of the applicable ports. This command is applied to all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set or change information: spanning-tree port-priority <priority> To delete information: no spanning-tree port-priority Input mode...
  • Page 257: Spanning-Tree Portfast

    13. Spanning Tree Protocol spanning-tree portfast Sets the PortFast functionality for the applicable ports. This command is applied to the applicable ports of all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set or change information: spanning-tree portfast [{ trunk | disable }] To delete information: no spanning-tree portfast...
  • Page 258: Spanning-Tree Portfast Bpduguard Default

    13. Spanning Tree Protocol spanning-tree portfast bpduguard default Sets the BPDU guard functionality to be used by default. This command is valid for all ports (PVST+, Single Spanning Tree, and Multiple Spanning Tree) on which the PortFast functionality is set. Syntax To set information: spanning-tree portfast bpduguard default...
  • Page 259: Spanning-Tree Portfast Default

    13. Spanning Tree Protocol spanning-tree portfast default Sets the PortFast functionality to be used by default. This command is valid on the access, protocol, and MAC ports of all Spanning Tree Protocols (PVST+, Single Spanning Tree, and Multiple Spanning Tree). Syntax To set information: spanning-tree portfast default...
  • Page 260: Spanning-Tree Single

    13. Spanning Tree Protocol spanning-tree single Starts calculation of the topology for Single Spanning Tree. If the Spanning Tree operating mode is PVST+, VLAN 1 is treated as Single Spanning Tree after this command is executed. Syntax To set information: spanning-tree single To delete information: no spanning-tree single...
  • Page 261: Spanning-Tree Single Cost

    13. Spanning Tree Protocol spanning-tree single cost Sets the path cost for the applicable Single Spanning Tree ports. Syntax To set or change information: spanning-tree single cost <cost> To delete information: no spanning-tree single cost Input mode (config-if) Parameters <cost> Specifies the path cost value.
  • Page 262 13. Spanning Tree Protocol spanning-tree pathcost method spanning-tree single pathcost method...
  • Page 263: Spanning-Tree Single Forward-Time

    13. Spanning Tree Protocol spanning-tree single forward-time Sets the time required for the state of Single Spanning Tree to change. Syntax To set or change information: spanning-tree single forward-time <seconds> To delete information: no spanning-tree single forward-time Input mode (config) Parameters <seconds>...
  • Page 264: Spanning-Tree Single Hello-Time

    13. Spanning Tree Protocol spanning-tree single hello-time Sets the interval for sending Single Spanning Tree BPDUs. Syntax To set or change information: spanning-tree single hello-time <hello time> To delete information: no spanning-tree single hello-time Input mode (config) Parameters <hello time> Specifies the interval in seconds for sending BPDUs that are sent regularly from the Switch.
  • Page 265: Spanning-Tree Single Max-Age

    13. Spanning Tree Protocol spanning-tree single max-age Sets the maximum valid time of BPDUs that are sent via Single Spanning Tree. Syntax To set or change information: spanning-tree single max-age <seconds> To delete information: no spanning-tree single max-age Input mode (config) Parameters <seconds>...
  • Page 266: Spanning-Tree Single Mode

    13. Spanning Tree Protocol spanning-tree single mode Sets the operating mode of Single Spanning Tree. Syntax To set or change information: spanning-tree single mode { stp | rapid-stp } To delete information: no spanning-tree single mode Input mode (config) Parameters { stp | rapid-stp } Sets the protocol to be used.
  • Page 267: Spanning-Tree Single Pathcost Method

    13. Spanning Tree Protocol spanning-tree single pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for Single Spanning Tree ports. If the spanning-tree single cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the setting of the spanning-tree single command.
  • Page 268 13. Spanning Tree Protocol Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands None...
  • Page 269: Spanning-Tree Single Port-Priority

    13. Spanning Tree Protocol spanning-tree single port-priority Sets the priority for applicable Single Spanning Tree ports. Syntax To set or change information: spanning-tree single port-priority <priority> To delete information: no spanning-tree single port-priority Input mode (config-if) Parameters <priority> Sets the port priority. Use a multiple of 16 as the port priority. The lower the value, the higher the priority.
  • Page 270: Spanning-Tree Single Priority

    13. Spanning Tree Protocol spanning-tree single priority Sets the bridge priority for Single Spanning Tree. Syntax To set or change information: spanning-tree single priority <priority> To delete information: no spanning-tree single priority Input mode (config) Parameters <priority> Sets the bridge priority. The lower the value, the higher the priority. Use a multiple of 4096 as the bridge priority.
  • Page 271: Spanning-Tree Single Transmission-Limit

    13. Spanning Tree Protocol spanning-tree single transmission-limit Sets the maximum number of BPDUs that can be sent during the hello-time interval for Single Spanning Tree. Syntax To set or change information: spanning-tree single transmission-limit <count> To delete information: no spanning-tree single transmission-limit Input mode (config) Parameters...
  • Page 272: Spanning-Tree Vlan

    13. Spanning Tree Protocol spanning-tree vlan Configures PVST+. If the no spanning-tree vlan command is set after the spanning-tree single command has been set, the applicable VLAN operates with Single Spanning Tree. Syntax To set information: no spanning-tree vlan <vlan id list> To delete information: spanning-tree vlan <vlan id list>...
  • Page 273: Spanning-Tree Vlan Cost

    13. Spanning Tree Protocol spanning-tree vlan cost Sets the path cost for the applicable PVST+ ports. Syntax To set or change information: spanning-tree vlan <vlan id list> cost <cost> To delete information: no spanning-tree vlan <vlan id list> cost Input mode (config-if) Parameters <vlan id list>...
  • Page 274 13. Spanning Tree Protocol When the change is applied The change is applied immediately after setting values are changed. Notes <vlan id list> cannot be specified if the interface range command is used to set information. This command is not applied to a virtual link set when both Spanning Tree Protocols and the Ring Protocol are used together.
  • Page 275: Spanning-Tree Vlan Forward-Time

    13. Spanning Tree Protocol spanning-tree vlan forward-time Sets the time required for PVST+ state transition. Syntax To set or change information: spanning-tree vlan <vlan id list> forward-time <seconds> To delete information: no spanning-tree vlan <vlan id list> forward-time Input mode (config) Parameters <vlan id list>...
  • Page 276 13. Spanning Tree Protocol Related commands None...
  • Page 277: Spanning-Tree Vlan Hello-Time

    13. Spanning Tree Protocol spanning-tree vlan hello-time Sets the interval for sending PVST+ BPDUs. Syntax To set or change information: spanning-tree vlan <vlan id list> hello-time <hello time> To delete information: no spanning-tree vlan <vlan id list> hello-time Input mode (config) Parameters <vlan id list>...
  • Page 278: Spanning-Tree Vlan Max-Age

    13. Spanning Tree Protocol spanning-tree vlan max-age Sets the maximum valid time of BPDUs that are sent via PVST+. Syntax To set or change information: spanning-tree vlan <vlan id list> max-age <seconds> To delete information: no spanning-tree vlan <vlan id list> max-age Input mode (config) Parameters...
  • Page 279: Spanning-Tree Vlan Mode

    13. Spanning Tree Protocol spanning-tree vlan mode Sets the PVST+ operating mode. Syntax To set or change information: spanning-tree vlan <vlan id list> mode { pvst | rapid-pvst } To delete information: no spanning-tree vlan <vlan id list> mode Input mode (config) Parameters <vlan id list>...
  • Page 280: Spanning-Tree Vlan Pathcost Method

    13. Spanning Tree Protocol spanning-tree vlan pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for a PVST+ port. If the spanning-tree vlan cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the spanning-tree vlan pathcost method command settings:...
  • Page 281 13. Spanning Tree Protocol - The default value of the path cost changes. - Changing the path cost value might change the topology. - When 65536 or a larger value is set for the path cost, you cannot change the parameter short Default behavior The setting of the...
  • Page 282: Spanning-Tree Vlan Port-Priority

    13. Spanning Tree Protocol spanning-tree vlan port-priority Sets the priority for the applicable PVST+ ports. Syntax To set or change information: spanning-tree vlan <vlan id list> port-priority <priority> To delete information: no spanning-tree vlan <vlan id list> port-priority Input mode (config-if) Parameters <vlan id list>...
  • Page 283 13. Spanning Tree Protocol This command is not applied to a virtual link set when both Spanning Tree Protocols and the Ring Protocol are used together. Related commands spanning-tree port-priority...
  • Page 284: Spanning-Tree Vlan Priority

    13. Spanning Tree Protocol spanning-tree vlan priority Sets the PVST+ bridge priority. Syntax To set or change information: spanning-tree vlan <vlan id list> priority <priority> To delete information: no spanning-tree vlan <vlan id list> priority Input mode (config) Parameters <vlan id list> Starts configuration of PVST+ for the set VLAN.
  • Page 285 13. Spanning Tree Protocol Related commands None...
  • Page 286: Spanning-Tree Vlan Transmission-Limit

    13. Spanning Tree Protocol spanning-tree vlan transmission-limit Sets the maximum number of BPDUs that can be sent within the PVST+ hello-time interval. Syntax To set or change information: spanning-tree vlan <vlan id list> transmission-limit <count> To delete information: no spanning-tree vlan <vlan id list> transmission-limit Input mode (config) Parameters...
  • Page 287 13. Spanning Tree Protocol spanning-tree vlan mode...
  • Page 289: Ring Protocol

    Chapter 14. Ring Protocol axrp axrp virtual-link axrp vlan-mapping axrp-primary-port axrp-ring-port control-vlan disable flush-request-count flush-request-transmit vlan forwarding-shift-time health-check holdtime health-check interval mode multi-fault-detection holdtime multi-fault-detection interval multi-fault-detection mode multi-fault-detection vlan name preempt-delay vlan-group...
  • Page 290: Axrp

    14. Ring Protocol axrp Sets the ring ID. In addition, to collect information necessary for the Ring Protocol functionality, switches to config-axrp mode. A maximum of 24 ring IDs can be set for a Switch. If this setting is removed, the ring information that is already set for ring IDs is deleted. Syntax To set information: axrp <ring id>...
  • Page 291: Axrp Virtual-Link

    14. Ring Protocol axrp virtual-link Sets a virtual link ID used to identify the root bridge shared by a Spanning Tree Protocol and GSRP. Only one virtual link ID can be set for a Switch. Syntax To set or change information: axrp virtual-link <link id>...
  • Page 292 14. Ring Protocol Related commands vlan...
  • Page 293: Axrp Vlan-Mapping

    14. Ring Protocol axrp vlan-mapping Sets the VLAN mapping to be applied to a VLAN group and also the VLANs that participate in VLAN mapping. Syntax To set or change information: axrp vlan-mapping <mapping id> vlan <vlan id list> To change information: axrp vlan-mapping <mapping id>...
  • Page 294 14. Ring Protocol This parameter cannot be omitted. Range of values: For details about how to set <vlan id list> and the specifiable values, see Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 295: Axrp-Primary-Port

    14. Ring Protocol axrp-primary-port Sets the primary port on the master node. If this command is set, the primary port is not assigned automatically on the master node, and the interface set by using this command operates as the primary port. The interfaces that can be specified are Ethernet interfaces and port channel interfaces.
  • Page 296 14. Ring Protocol state. When a Switch is on the following nodes, entering this command has no effect: • Transit node • Master node, which is an edge node for a shared link non-monitoring ring You cannot specify an Ethernet interface that is part of a channel group as the primary port. Conversely, an Ethernet interface that is set as the primary port cannot be assigned to a channel group.
  • Page 297: Axrp-Ring-Port

    14. Ring Protocol axrp-ring-port Sets an interface that operates as the ring port for the Ring Protocol. The interfaces that can be set are Ethernet interfaces and port channel interfaces. Syntax To set or change information: axrp-ring-port <ring id> [{shared-edge | shared}] To delete information: no axrp-ring-port <ring id>...
  • Page 298 14. Ring Protocol Notes Two ring ports can be specified as corresponding to one ring ID. In a multi-ring configuration with shared links, when a Switch is already operating as a master node in the neighboring ring, if a ring port with a shared-edge specified is set or deleted on a port which is used as the primary port, this functionality is disabled temporarily.
  • Page 299: Control-Vlan

    14. Ring Protocol control-vlan Sets the VLAN to be used as a control VLAN. You can use the VLAN specified by using this command to send and receive control frames that monitor the ring status. Setting the forwarding-delay-time parameter for a transit node allows you to set the time required to transfer the status of the control VLAN to during initial operation.
  • Page 300 14. Ring Protocol When the change is applied The change is applied immediately after setting values are changed. Notes You cannot specify a VLAN that is used as a control VLAN by another ring ID. You cannot specify a VLAN that is used in a VLAN group. For the control VLAN, you cannot specify a VLAN that is being used by the multi-fault monitoring VLAN.
  • Page 301: Disable

    14. Ring Protocol disable Disables the Ring Protocol functionality. Syntax To set information: disable To delete information: no disable Input mode (config-axrp) Parameters None Default behavior The Ring Protocol functionality is enabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 302: Flush-Request-Count

    14. Ring Protocol flush-request-count Specifies the number of times the master node sends flush control frames, which clear the MAC address table, to the transit node in the ring if a ring failure occurs or when recovering from a failure. Syntax To set or change information: flush-request-count <count>...
  • Page 303: Flush-Request-Transmit Vlan

    14. Ring Protocol flush-request-transmit vlan Sets sending of neighboring-ring flush control frames to the devices in the neighboring ring configuration to clear the MAC address table when a ring failure occurs or the failure is corrected. For details about how to specify these settings, see 22.1.11 Configuring flush control frames for neighboring rings in the manual Configuration Guide Vol.
  • Page 304: Forwarding-Shift-Time

    14. Ring Protocol forwarding-shift-time Sets the reception hold time for flush control frames in a transit node. When the reception hold time passes, if no flush control frames are received, the status of a ring port changes from Blocking to Forwarding. Syntax To set or change information: forwarding-shift-time {<seconds>...
  • Page 305: Health-Check Holdtime

    14. Ring Protocol health-check holdtime If the master node does not receive a periodic health-check frame sent by the master node itself or by link non-monitoring ring shared edge nodes, this specifies how long to wait before determining that a failure has occurred. Syntax To set or change information: health-check holdtime <milli seconds>...
  • Page 306: Health-Check Interval

    14. Ring Protocol health-check interval Sets the interval for sending health-check frames from a master node or from shared edge nodes in a shared link non-monitoring ring. Syntax To set or change information: health-check interval <milli seconds> To delete information: no health-check interval Input mode (config-axrp)
  • Page 307: Mode

    14. Ring Protocol mode Sets the operating mode of the Switch used for the ring. In addition, if the ring configuration is a multi-ring configuration with shared links, sets the attributes of a ring configured by Switches, and the positioning of the Switches in the ring. Syntax To set or change information: mode {master | transit} [ring-attribute {rift-ring | rift-ring-edge <edge node id>}]...
  • Page 308 14. Ring Protocol of a shared link non-monitoring ring. Range of values: rift-ring, rift-ring-edge1, or rift-ring-edge 2 Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Set only one master node Switch in a ring.
  • Page 309: Multi-Fault-Detection Holdtime

    14. Ring Protocol multi-fault-detection holdtime This is used in a multi-ring configuration with shared links. This command sets the hold time before the shared nodes at both ends of a shared link determine that multiple faults occurred when the shared link monitoring rings did not receive any sent multi-fault monitoring frames. Syntax To set or change information: multi-fault-detection holdtime <milli seconds>...
  • Page 310: Multi-Fault-Detection Interval

    14. Ring Protocol multi-fault-detection interval This applies to a multi-ring configuration with shared links. This command sets the sending interval for multi-fault monitoring frames sent to the shared link monitoring rings from the shared nodes placed at both ends of a shared link. Syntax To set or change information: multi-fault-detection interval <milli seconds>...
  • Page 311: Multi-Fault-Detection Mode

    14. Ring Protocol multi-fault-detection mode Sets the multi-fault monitoring mode for shared link monitoring rings. Also sets the ring ID of the shared link non-monitoring ring used as the backup ring for switching the path in the route when multiple faults are detected. Set this command for shared link monitoring rings in a multi-ring configuration with shared links.
  • Page 312 14. Ring Protocol link. If you enable the monitoring function (monitor-enable parameter) for a device other than a shared node, multi-fault monitoring cannot be performed correctly. Related commands None...
  • Page 313: Multi-Fault-Detection Vlan

    14. Ring Protocol multi-fault-detection vlan Sets the VLAN for multi-fault monitoring. The VLAN specified for this command is used to send and receive control frames used for monitoring multiple faults. Set this command for shared link monitoring rings in a multi-ring configuration with shared links. Syntax To set or change information: multi-fault-detection vlan <vlan id>...
  • Page 314: Name

    14. Ring Protocol name Sets the name for identifying a ring. Syntax To set or change information: name <name> To delete information: no name Input mode (config-axrp) Parameters <name> Sets the name for identifying a ring. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 315: Preempt-Delay

    14. Ring Protocol preempt-delay Sets the delay time between detection of fault recovery by the master node and path switchback operation. When this command is set, if the master node detects fault recovery, recovery operations are not performed until the path switchback suppression time elapses. Syntax To set or change information: preempt-delay { <seconds>...
  • Page 316: Vlan-Group

    14. Ring Protocol vlan-group Sets the VLAN group that will be used for the Ring Protocol and the mapping IDs of the VLANs participating in the VLAN groups. A maximum of two VLAN groups can be set for a ring. In addition, by creating two VLAN groups, loads can be balanced (shared) between the two VLANs.
  • Page 317 14. Ring Protocol the specified interface has precedence and set as the primary port. Related commands axrp vlan-mapping...
  • Page 319: Igmp Snooping

    Chapter 15. IGMP Snooping ip igmp snooping (global) ip igmp snooping (interface) ip igmp snooping fast-leave ip igmp snooping mrouter ip igmp snooping querier...
  • Page 320: Ip Igmp Snooping (Global)

    15. IGMP Snooping ip igmp snooping (global) Suppresses the IGMP snooping functionality on a Switch. Syntax To set information: no ip igmp snooping To delete information: ip igmp snooping Input mode (config) Parameters None Default behavior The IGMP snooping functionality is enabled on a Switch. Impact on communication The IGMP snooping functionality stops.
  • Page 321: Ip Igmp Snooping (Interface)

    15. IGMP Snooping ip igmp snooping (interface) Enables the IGMP snooping functionality on a VLAN interface. Syntax To set information: ip igmp snooping To delete information: no ip igmp snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after the setting value is changed.
  • Page 322: Ip Igmp Snooping Fast-Leave

    15. IGMP Snooping ip igmp snooping fast-leave Immediately stops multicast communication to the applicable port if IGMP Leave and IGMPv3 Report (detachment request) messages are received on a VLAN interface. Syntax To set information: ip igmp snooping fast-leave To delete information: no ip igmp snooping fast-leave Input mode (config-if)
  • Page 323: Ip Igmp Snooping Mrouter

    15. IGMP Snooping ip igmp snooping mrouter Specifies a multicast router port on a VLAN interface. Syntax To set information: ip igmp snooping mrouter interface <interface type> <interface number> To delete information: no ip igmp snooping mrouter interface <interface type> <interface number> Input mode (config-if) Parameters...
  • Page 324 15. IGMP Snooping Related commands ip igmp snooping...
  • Page 325: Ip Igmp Snooping Querier

    15. IGMP Snooping ip igmp snooping querier Enables the IGMP querier functionality on a VLAN interface. Syntax To set information: ip igmp snooping querier To delete information: no ip igmp snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
  • Page 327: Mld Snooping

    Chapter 16. MLD Snooping ipv6 mld snooping (global) ipv6 mld snooping (interface) ipv6 mld snooping mrouter ipv6 mld snooping querier...
  • Page 328: Ipv6 Mld Snooping (Global)

    16. MLD Snooping ipv6 mld snooping (global) Suppresses the MLD snooping functionality on a Switch. Syntax To set information: no ipv6 mld snooping To delete information: ipv6 mld snooping Input mode (config) Parameters None Default behavior Enables the MLD snooping functionality on a Switch. Impact on communication The MLD snooping functionality stops.
  • Page 329: Ipv6 Mld Snooping (Interface)

    16. MLD Snooping ipv6 mld snooping (interface) Enables the MLD snooping functionality on a VLAN interface. Syntax To set information: ipv6 mld snooping To delete information: no ipv6 mld snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after the setting value is changed.
  • Page 330: Ipv6 Mld Snooping Mrouter

    16. MLD Snooping ipv6 mld snooping mrouter Specifies a multicast router port on a VLAN interface. Syntax To set information: ipv6 mld snooping mrouter interface <interface type> <interface number> To delete information: no ipv6 mld snooping mrouter interface <interface type> <interface number> Input mode (config-if) Parameters...
  • Page 331 16. MLD Snooping Related commands ipv6 mld snooping...
  • Page 332: Ipv6 Mld Snooping Querier

    16. MLD Snooping ipv6 mld snooping querier Enables the MLD querier functionality on a VLAN interface. Syntax To set information: ipv6 mld snooping querier To delete information: no ipv6 mld snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
  • Page 333: Part 5: Common To Filtering And Qos

    PART 5: Common to Filtering and QoS Chapter 17. Flow Detection Modes and Flow Operations flow action-change cos flow detection mode flow detection out mode [AX3640S]...
  • Page 334: Flow Action-Change Cos

    17. Flow Detection Modes and Flow Operations flow action-change cos Changes the QoS priority determination operation for the switch. Because this command is used to change the priority determination operation, make sure you set this command during the first stage of actual operation. We recommend that you do not make any changes during operation.
  • Page 335: Flow Detection Mode

    Input mode (config) Parameters {layer3-1 | layer3-2 | layer3-3 | layer3-4 | layer3-5 | layer3-6 | layer3-dhcp-1} [AX3640S] {layer3-1 | layer3-2 | layer3-3 | layer3-4 | layer3-dhcp-1} [AX3630S] Specifies the flow detection mode. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 336 17. Flow Detection Modes and Flow Operations Flow detection mode Applicable command ipv6 access-group access-group traffic-filter qos-flow-group qos-flow-group qos-flow-group layer3-2 layer3-3 layer3-4 layer3-5 layer3-6 layer3-dhcp-1 Legend Y: Can be set; N: Cannot be set #1: Flow detection is performed based on only the IPv6 source addresses. #2: Flow detection is performed based on only the IPv6 destination addresses.
  • Page 337 17. Flow Detection Modes and Flow Operations Notes None Related commands ip access-group ipv6 traffic-filter mac access-group ip qos-flow-group ipv6 qos-flow-group mac qos-flow-group...
  • Page 338: Flow Detection Out Mode [Ax3640S]

    17. Flow Detection Modes and Flow Operations flow detection out mode [AX3640S] Sets the flow detection mode for filtering functionality for the sending-side interface. This command changes the allocation pattern for the maximum number of entries in a hardware table.
  • Page 339 VLAN interface. For details about the sending-side flow detection modes, see 1.1.4 Sending-side flow detection mode [AX3640S] in the manual Configuration Guide Vol. 2 For Version 11.7. Default behavior Sending-side flow detection operates as Layer 3-1-out flow detection.
  • Page 341: Part 6: Filters

    PART 6: Filters Chapter 18. Access Lists Names and values that can be specified access-list deny (ip access-list extended) deny (ip access-list standard) deny (ipv6 access-list) deny (mac access-list extended) ip access-group ip access-list extended ip access-list resequence ip access-list standard ipv6 access-list ipv6 access-list resequence ipv6 traffic-filter...
  • Page 342: Names And Values That Can Be Specified

    All IP protocols ipinip ospf sctp tunnel vrrp Protocol names (IPv6) [AX3640S] The following table lists the names that can be specified as IPv6 protocol names. Table 18-2: Protocol names that can be specified (IPv6) Protocol name Applicable protocol number icmp...
  • Page 343 18. Access Lists Protocol name Applicable protocol number vrrp Port names (TCP) The following table lists the port names that can be specified for TCP. Table 18-3: Port names that can be specified for TCP Port name Applicable port name and number Border Gateway Protocol version 4 (179) chargen Character generator (19)
  • Page 344 18. Access Lists Port name Applicable port name and number smtps SMTP over TLS/SSL (465) Secure Shell Remote Login Protocol (22) sunrpc Sun Remote Procedure Call (111) tacacs+ Terminal Access Controller Access Control System Plus (49) tacacs-ds TACACS-Database Service (65) talk like tenex link (517) telnet...
  • Page 345 Trivial File Transfer Protocol (69) time Time server protocol (37) Who service (513) xdmcp X Display Manager Control Protocol (177) Table 18-5: Port names that can be specified for UDP (IPv6) [AX3640S] Port name Applicable port name and number biff Biff (512) dhcpv6-client...
  • Page 346 18. Access Lists Table 18-6: tos names that can be specified tos name tos value max-reliability max-throughput min-delay min-monetary-cost normal precedence name The following table lists the precedence names that can be specified. Table 18-7: precedence names that can be specified precedence name precedence value critical...
  • Page 347 The following table lists the Ethernet type names that can be specified. Table 18-9: Ethernet type names that can be specified Ethernet type name Ethernet value Remarks appletalk 0x809b 0x0806 0x88f3 Alaxala Protocol eapol 0x888e gsrp Filters GSRP control packets. ipv4 0x0800 ipv6 0x86dd...
  • Page 348 18. Access Lists Destination address Destination address Destination address mask specification slow-protocol 0180.C200.0002 0000.0000.0000 Message name (ICMP) The following table lists the message names that can be specified for ICMP. Table 18-11: Message names that can be specified for ICMP (IPv4) Message name Message Type...
  • Page 349 Not specified traceroute Traceroute Not specified ttl-exceeded TTL exceeded unreachable All unreachable Not specified Table 18-12: Message names that can be specified for ICMP (IPv6) [AX3640S] Message name Message Type Code beyond-scope Destination beyond scope destination-unreachable Destination address is unreachable...
  • Page 350 18. Access Lists Message name Message Type Code parameter-option Parameter option problems parameter-problem All parameter problems Not specified port-unreachable Port unreachable reassembly-timeout Reassembly timeout renum-command Router renumbering command renum-result Router renumbering result renum-seq-number Router renumbering sequence number reset router-advertisement Neighbor discovery router advertisements Not specified router-renumbering All router renumbering...
  • Page 351 18. Access Lists Sample code Number of Number of access lists specifications created set for the interface In this example, access list is created and applied to inbound on Ethernet 1 list 2 lists interfaces 0/1 and 0/2. interface gigabitethernet 0/1 ip access-group AAA in interface gigabitethernet 0/2 ip access-group AAA in...
  • Page 352: Access-List

    If permit you use access group commands to apply the target access list to an interface, specify the inbound side of the VLAN interface. [AX3640S] [OS-L3A] Syntax To set or change information: Configuring supplementary information access-list <access list number>...
  • Page 353 | any} {<destination ipv4> <destination ipv4 wildcard> | host <destination ipv4> | any} [{[tos <tos>] [precedence <precedence>] | dscp <dscp>}] [vlan <vlan id>] [user-priority <priority>] <action-specification> [AX3640S] [OS-L3A] action policy-list <policy list no.> To delete information: no access-list <access list number>...
  • Page 354 18. Access Lists Range of values: Enclose a character string of no more than 64 characters in double quotation marks ("). Specifiable characters are alphanumeric characters and special characters. To enter a character string that does not include any special characters such as a space, you do not need to enclose the character string in double quotation marks (").
  • Page 355 18. Access Lists Specifies the upper-layer protocol condition for IPv4 packets. Note that if all protocols are applicable, specify Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Set 0 to 255 (in decimal) or a protocol name. For details about the protocol names that can be specified, see Table 18-1: Protocol names that can be specified (IPv4).
  • Page 356 18. Access Lists This parameter cannot be omitted. Range of values: Specify <destination ipv4> <destination ipv4 wildcard>, <destination ipv4>, or host Specify the destination IPv4 address for <destination ipv4>. For <destination ipv4 wildcard>, specify a wildcard mask in IPv4 address format that specifies bits in an IPv4 address whose permitted value is arbitrary.
  • Page 357 18. Access Lists Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 7 (in decimal) or the precedence name. For details about the precedence names that can be specified, see Table 18-7: precedence names that can be specified.
  • Page 358 18. Access Lists Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Specifies the detection of packets whose RST flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. Default value when this parameter is omitted: None.
  • Page 359 Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 7 in decimal. Action parameters [AX3640S] [OS-L3A] action To set or change an action parameter, you must set the parameter keyword at the action beginning of the action parameter.
  • Page 360 If policy-based routing is specified for the action parameter, the following addresses cannot be specified for the source IPv4 address and destination IPv4 address that are set for filtering conditions: [AX3640S] [OS-L3A] • Source IPv4 address Multicast address and internal loopback address •...
  • Page 361: Deny (Ip Access-List Extended)

    18. Access Lists deny (ip access-list extended) Specifies the conditions by which the IPv4 packet filter denies access. Syntax To set or change information: • When the upper-layer protocol is other than TCP, UDP, ICMP, and IGMP [<sequence>] deny {ip | <protocol>} {<source ipv4> <source ipv4 wildcard> | host <source ipv4>...
  • Page 362 18. Access Lists Note, however, that if the maximum value for the application sequence is greater than 4294967284, the value cannot be omitted. Range of values: Specify 1 to 4294967294 in decimal. {ip | <protocol> | icmp | igmp | tcp | udp} Specifies the upper-layer protocol condition for IPv4 packets.
  • Page 363 18. Access Lists Specify port numbers so that <source port end> is larger than <source port start>. {<destination ipv4> <destination ipv4 wildcard> | host <destination ipv4> | any} Specifies the destination IPv4 address. To specify all destination IPv4 addresses, specify Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 364 18. Access Lists Specify 0 to 15 (in decimal) or a tos name. For details about the tos names that can be specified, see Table 18-6: tos names that can be specified. precedence <precedence> Specifies the precedence value, which is the first 3 bits in the ToS field. Its value is compared with the first 3 bits in the ToS field of the received packet.
  • Page 365 18. Access Lists Range of values: None Specifies the detection of packets whose PSH flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Specifies the detection of packets whose RST flag in the TCP header is 1.
  • Page 366 18. Access Lists Specifies the ICMP code. This parameter option is available only when the protocol is ICMP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 255 in decimal. <icmp message>...
  • Page 367 18. Access Lists If nnn is entered as the source address and the destination address, 0.0.0.0 nnn is displayed. host Related commands access-list ip access-group ip access-list resequence permit (ip access-list extended) remark...
  • Page 368: Deny (Ip Access-List Standard)

    18. Access Lists deny (ip access-list standard) Specifies the conditions by which the IPv4 address filter denies access. Syntax To set or change information: [<sequence>] deny {<ipv4> [<ipv4 wildcard>] | host <ipv4> | any} To delete information: no <sequence> Input mode (config-std-nacl) Parameters <sequence>...
  • Page 369 18. Access Lists the interface might be discarded temporarily until the entry is applied to the interface. When the change is applied The change is applied immediately after setting values are changed. Notes When is entered as the address wildcard mask, is displayed.
  • Page 370: Deny (Ipv6 Access-List)

    Specifies the conditions by which the IPv6 filter denies access. Syntax To set or change information: [AX3640S] • When the upper-layer protocol is other than TCP, UDP, and ICMP [<sequence>] deny {ipv6 | <protocol>} {<source ipv6>/<length> | host <source ipv6>...
  • Page 371 <source ipv6> (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn): 0:0:0:0:0:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff <length>: 0 to 128 {eq <source port> | range <source port start> <source port end>} [AX3640S] Specifies a source port number. This parameter option is available only when the protocol is TCP or UDP.
  • Page 372 <destination ipv6> (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn): 0:0:0:0:0:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff <length>: 0 to 128 {eq <destination port> | range <destination port start> <destination port end>} [AX3640S] Specifies the destination port number. This parameter option is available only when the protocol is TCP or UDP.
  • Page 373 Range of values: Specify 0 to 255 in decimal. dscp <dscp> [AX3640S] Specifies the DSCP value, which is the first 6 bits in the traffic class field. Its value is compared with the first 6 bits in the traffic class field of the received packet.
  • Page 374 Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None <icmp type> [AX3640S] Specifies the ICMP type. This parameter option is available only when the protocol is ICMP. Default value when this parameter is omitted: None.
  • Page 375 18. Access Lists names that can be specified for ICMP (IPv6) [AX3640S]. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None vlan <vlan id> Specifies a VLAN ID.
  • Page 376: Deny (Mac Access-List Extended)

    18. Access Lists deny (mac access-list extended) Specifies the conditions by which the MAC filter denies access. Syntax To set or change information: [<sequence>] deny {<source mac> <source mac mask> | host <source mac> | any} {<destination mac> <destination mac mask> | host <destination mac> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu | slow-protocol } [<ethernet type>] [vlan <vlan id>] [user-priority <priority>] To delete information:...
  • Page 377 18. Access Lists Specifies the destination MAC address. To specify all destination MAC addresses, specify Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify <destination mac> <destination mac mask>, <destination mac>, host , or bpdu lacp lldp...
  • Page 378 18. Access Lists Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 7 in decimal. Default behavior None Impact on communication If an entry is added or changed when an access list is applied to an interface, packets received at the interface might be discarded temporarily until the entry is applied to the interface.
  • Page 379: Ip Access-Group

    {<access list number> | <access list name>} in [AX3630S] To delete information: no ip access-group {<access list number> | <access list name>} {in | out} [AX3640S] no ip access-group {<access list number> | <access list name>} in [AX3630S]...
  • Page 380 You can set one IPv4 access list each for the inbound and outbound sides of an interface. If a filter has already been set, first remove it and then set it again. [AX3640S] You can set one IPv4 access list on the inbound side of an interface. If a filter has already been set, first remove it and then set it again.
  • Page 381 An access list that contains a VLAN parameter as a flow detection condition can be set on the outbound side if tag translation has not been set for the target interface. [AX3640S] 10. You can set an access list on the outbound side of a VLAN interface if tag translation has not been set for the Ethernet interface contained in the VLAN interface.
  • Page 382: Ip Access-List Extended

    If permit you use access group commands to apply the target access list to an interface, specify the inbound side of the VLAN interface. [AX3640S] [OS-L3A] Syntax To set information: ip access-list extended {<access list number>...
  • Page 383 18. Access Lists You cannot specify IPv4 address filter names, IPv6 access list names, and MAC access list names that have already been created. Related commands access-list ip access-group ip access-list resequence deny (ip access-list extended) permit (ip access-list extended) remark...
  • Page 384: Ip Access-List Resequence

    18. Access Lists ip access-list resequence Re-sequences the sequence numbers that determine the order in which the IPv4 address filter and IPv4 packet filter apply filter conditions. Syntax To set or change information: ip access-list resequence {<access list number> | <access list name>} [<starting sequence> [<increment sequence>]] Input mode (config)
  • Page 385 18. Access Lists Notes None Related commands access-list ip access-list standard ip access-list extended...
  • Page 386: Ip Access-List Standard

    18. Access Lists ip access-list standard Configures an access list to serve as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter. This command sets an IPv4 address filter.
  • Page 387 18. Access Lists Related commands access-list ip access-group ip access-list resequence deny (ip access-list standard) permit (ip access-list standard) remark...
  • Page 388: Ipv6 Access-List

    IPv6 address, destination IPv6 address, VLAN ID, and user priority. For an AX3640S series switch, the access list filters packets based on the above conditions and the traffic class field value, port number, TCP flag, ICMP type, and ICMP code.
  • Page 389 18. Access Lists remark...
  • Page 390: Ipv6 Access-List Resequence

    18. Access Lists ipv6 access-list resequence Re-sequences the sequence numbers that determine the order in which the IPv6 filter applies filter conditions. Syntax To set or change information: ipv6 access-list resequence <access list name> [<starting sequence> [<increment sequence>]] Input mode (config) Parameters <access list name>...
  • Page 391 18. Access Lists Related commands ipv6 access-list...
  • Page 392: Ipv6 Traffic-Filter

    18. Access Lists ipv6 traffic-filter For AX3640S series switches, this command applies an IPv6 access list to an Ethernet interface or VLAN interface and enables IPv6 filtering. For AX3630S series switches, this command applies an IPv6 access list to an Ethernet interface and enables IPv6 filtering.
  • Page 393 You can set one IPv6 access list each for the inbound and outbound sides of an interface. If a filter has already been set, first remove it and then set it again. [AX3640S] You can set one IPv6 access list on the inbound side of an interface. If a filter has already been set, first remove it and then set it again.
  • Page 394 12. An access list that contains a VLAN parameter as a flow detection condition can be set on the outbound side if tag translation has not been set for the target interface. [AX3640S] 13. You can set an access list on the outbound side of a VLAN interface if tag translation has not been set for the Ethernet interface contained in the VLAN interface.
  • Page 395: Mac Access-Group

    <access list name> {in | out} [AX3640S] mac access-group <access list name> in [AX3630S] To delete information: no mac access-group <access list name> {in | out} [AX3640S] no mac access-group <access list name> in [AX3630S] Input mode (config-if) Parameters <access list name>...
  • Page 396 You can set one MAC access list each for the inbound and outbound sides of an interface. If a filter has already been set, first remove it and then set it again. [AX3640S] You can set one MAC access list on the inbound side of an interface. If a filter has already been set, first remove it and then set it again.
  • Page 397 An access list that contains a VLAN parameter as a flow detection condition can be set on the outbound side if tag translation has not been set for the target interface. [AX3640S] 10. You can set an access list on the outbound side of a VLAN interface if tag translation has not been set for the Ethernet interface contained in the VLAN interface.
  • Page 398: Mac Access-List Extended

    18. Access Lists mac access-list extended Sets an access list to be used in a MAC filter. An access list used for a MAC filter filters packets based on source MAC address, destination MAC address, Ethernet type number, VLAN ID, and user priority.
  • Page 399: Mac Access-List Resequence

    18. Access Lists mac access-list resequence Resets the sequence number for the order in which the filter conditions in a MAC filter are applied. Syntax To set or change information: mac access-list resequence <access list name> [<starting sequence> [<increment sequence>]] Input mode (config) Parameters...
  • Page 400 18. Access Lists Related commands mac access-list extended...
  • Page 401: Permit (Ip Access-List Extended)

    18. Access Lists permit (ip access-list extended) Specifies the conditions by which the IPv4 packet filter permits access. Syntax To set or change information: For AX3640S series switches: <sequence> <filter-condition> <action-specification> ] permit { For AX3630S series switches: <sequence> <filter-condition>...
  • Page 402 18. Access Lists Parameters <sequence> Specifies the sequence in which filter conditions are applied. Default value when this parameter is omitted: 10 is set as the initial value if there are no conditions in the access list. If conditions have been set, the initial value is the maximum value for the application sequence that has been set plus 10.
  • Page 403 18. Access Lists None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 65535 (in decimal) or a port name. For details about the port names that can be specified, see Table 18-3: Port names that can be specified for TCP and Table 18-4: Port names that can be specified for UDP (IPv4).
  • Page 404 18. Access Lists Specifies 4 bits (bits 3 to 6) in the ToS field as the tos value. The tos value is compared with 4 bits (bits 3 to 6) in the ToS field of the received packet. Default value when this parameter is omitted: None.
  • Page 405 18. Access Lists None. (The parameter is not set as a detection condition.) Range of values: None Specifies the detection of packets whose FIN flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. Default value when this parameter is omitted: None.
  • Page 406 See Specifiable values for parameters. user-priority <priority> Specifies the user priority. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 7 in decimal. Action parameters [AX3640S] [OS-L3A] action...
  • Page 407 If policy-based routing is specified for the action parameter, the following addresses cannot be specified for the source IPv4 address and destination IPv4 address that are set for filtering conditions: [AX3640S] [OS-L3A] • Source IPv4 address Multicast address and internal loopback address •...
  • Page 408: Permit (Ip Access-List Standard)

    18. Access Lists permit (ip access-list standard) Specifies the conditions by which the IPv4 address filter permits access. Syntax To set or change information: [<sequence>] permit {<ipv4> [<ipv4 wildcard>] | host <ipv4> | any} To delete information: no <sequence> Input mode (config-std-nacl) Parameters <sequence>...
  • Page 409 18. Access Lists the interface might be discarded temporarily until the entry is applied to the interface. When the change is applied The change is applied immediately after setting values are changed. Notes When is entered as the address wildcard mask, is displayed.
  • Page 410: Permit (Ipv6 Access-List)

    (ipv6 access-list) Specifies the conditions by which the IPv6 filter permits access. Syntax To set or change information: [AX3640S] • When the upper-layer protocol is other than TCP, UDP, and ICMP [<sequence>] permit {ipv6 | <protocol>} {<source ipv6>/<length> | host <source ipv6>...
  • Page 411 <source ipv6> (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn): 0:0:0:0:0:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff <length>: 0 to 128 {eq <source port> | range <source port start> <source port end>} [AX3640S] Specifies a source port number. This parameter option is available only when the protocol is TCP or UDP.
  • Page 412 <destination ipv6> (nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn): 0:0:0:0:0:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff <length>: 0 to 128 {eq <destination port> | range <destination port start> <destination port end>} [AX3640S] Specifies the destination port number. This parameter option is available only when the protocol is TCP or UDP.
  • Page 413 Range of values: Specify 0 to 255 in decimal. dscp <dscp> [AX3640S] Specifies the DSCP value, which is the first 6 bits in the traffic class field. Its value is compared with the first 6 bits in the traffic class field of the received packet.
  • Page 414 Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None <icmp type> [AX3640S] Specifies the ICMP type. This parameter option is available only when the protocol is ICMP. Default value when this parameter is omitted: None.
  • Page 415 18. Access Lists For details about the ICMP message names that can be specified, see Table 18-12: Message names that can be specified for ICMP (IPv6) [AX3640S]. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.)
  • Page 416: Permit (Mac Access-List Extended)

    18. Access Lists permit (mac access-list extended) Specifies the conditions by which the MAC filter permits access. Syntax To set or change information: [<sequence>] permit {<source mac> <source mac mask> | host <source mac> | any} {<destination mac> <destination mac mask> | host <destination mac> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu | slow-protocol } [<ethernet type>] [vlan <vlan id>] [user-priority <priority>] To delete information:...
  • Page 417 18. Access Lists Specifies the destination MAC address. To specify all destination MAC addresses, specify Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify <destination mac> <destination mac mask>, <destination mac>, host , or bpdu lacp lldp...
  • Page 418 18. Access Lists None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 7 in decimal. Default behavior None Impact on communication If an entry is added or changed when an access list is applied to an interface, packets received at the interface might be discarded temporarily until the entry is applied to the interface.
  • Page 419: Remark

    18. Access Lists remark Specifies supplementary information for the access list. Access lists are available for IPv4 address filtering, IPv4 packet filtering, IPv6 filtering, and MAC filtering. A maximum of 1024 information items can be specified for access lists and QoS flow lists. Syntax To set or change information: remark <remark>...
  • Page 421: Part 7: Qos

    PART 7: QoS Chapter 19. QoS Names and values that can be specified ip qos-flow-group ip qos-flow-list ip qos-flow-list resequence ipv6 qos-flow-group ipv6 qos-flow-list ipv6 qos-flow-list resequence limit-queue-length mac qos-flow-group mac qos-flow-list mac qos-flow-list resequence qos (ip qos-flow-list) qos (ipv6 qos-flow-list) qos (mac qos-flow-list) qos-queue-group qos-queue-list...
  • Page 422: Names And Values That Can Be Specified

    Protocol names (IPv6) [AX3640S] The following table lists the names that can be specified as IPv6 protocol names. Table 19-2: Protocol names that can be specified (IPv6) [AX3640S] Protocol name Applicable protocol number icmp ipv6 All IP protocols...
  • Page 423 19. QoS Protocol name Applicable protocol number vrrp Port names (TCP) The following table lists the port names that can be specified for TCP. Table 19-3: Port names that can be specified for TCP Port name Applicable port name and number Border Gateway Protocol version 4 (179) chargen Character generator (19)
  • Page 424 19. QoS Port name Applicable port name and number smtps SMTP over TLS/SSL (465) Secure Shell Remote Login Protocol (22) sunrpc Sun Remote Procedure Call (111) tacacs+ Terminal Access Controller Access Control System Plus (49) tacacs-ds TACACS-Database Service (65) talk like tenex link (517) telnet Telnet (23)
  • Page 425 Trivial File Transfer Protocol (69) time Time server protocol (37) Who service (513) xdmcp X Display Manager Control Protocol (177) Table 19-5: Port names that can be specified for UDP (IPv6) [AX3640S] Port name Applicable port name and number biff Biff (512) dhcpv6-client...
  • Page 426 19. QoS Table 19-6: tos names that can be specified tos name tos value max-reliability max-throughput min-delay min-monetary-cost normal precedence name The following table lists the precedence names that can be specified. Table 19-7: precedence names that can be specified precedence name precedence value critical...
  • Page 427 The following table lists the Ethernet type names that can be specified. Table 19-9: Ethernet type names that can be specified Ethernet type name Ethernet value Remarks appletalk 0x809b 0x0806 0x88f3 Alaxala Protocol eapol 0x888e gsrp Performs flow detection for GSRP control packets. ipv4 0x0800 ipv6 0x86dd...
  • Page 428 19. QoS Destination address Destination address Destination address mask specification slow-protocol 0180.C200.0002 0000.0000.0000 Message name (ICMP) The following table lists the message names that can be specified for ICMP. Table 19-11: Message names that can be specified for ICMP (IPv4) Message name Message Type...
  • Page 429 Not specified traceroute Traceroute Not specified ttl-exceeded TTL exceeded unreachable All unreachable Not specified Table 19-12: Message names that can be specified for ICMP (IPv6) [AX3640S] Message name Message Type Code beyond-scope Destination beyond scope destination-unreachable Destination address is unreachable...
  • Page 430 19. QoS Message name Message Type Code parameter-problem All parameter problems Not specified port-unreachable Port unreachable reassembly-timeout Reassembly timeout renum-command Router renumbering command renum-result Router renumbering result renum-seq-number Router renumbering sequence number reset router-advertisement Neighbor discovery router advertisements Not specified router-renumbering All router renumbering Not specified...
  • Page 431 19. QoS Table 19-14: Examples for calculating the number of QoS flow lists that can be created and the number of specifications that can be set for an interface Sample code | Number of QoS flow lists created | Number of specifications set for the interface In this example, QoS flow list...
  • Page 432: Ip Qos-Flow-Group

    19. QoS ip qos-flow-group Enables the QoS functionality by applying an IPv4 QoS flow list to an Ethernet interface or a VLAN interface. A maximum of 540 lists of ip qos-flow-group, ipv6 qos-flow-group, and mac qos-flow-group can be set for interfaces per device. For details about the number of specifications that can be set for an interface, see Number of specifications that can be set for an interface.
  • Page 433 The following table shows the receiving-side flow detection modes that can be set for each interface. Table 19-15: Specifiable interfaces for each receiving-side flow detection mode (IPv4) [AX3640S] Receiving-side flow detection mode | Whether the mode can be set...
  • Page 434: Ip Qos-Flow-List

    19. QoS ip qos-flow-list Creates an IPv4 QoS flow list to be used to set QoS flow detection and action specifications. A maximum of 1024 QoS flow lists (for IPv4, IPv6, and MAC) can be created per device. A maximum of 1024 flow detection and action specification entries can be created. For details about QoS flow lists, see Number of QoS flow lists that can be created.
  • Page 435: Ip Qos-Flow-List Resequence

    19. QoS ip qos-flow-list resequence Resets the sequence numbers of the application sequence in the IPv4 QoS flow list. Syntax To set or change information: ip qos-flow-list resequence <qos flow list name> [<starting sequence> [<increment sequence>] ] Input mode (config) Parameters <qos flow list name>...
  • Page 436 19. QoS Related commands ip qos-flow-list...
  • Page 437: Ipv6 Qos-Flow-Group

    19. QoS ipv6 qos-flow-group For AX3640S series switches, this command enables the QoS functionality by applying an IPv6 QoS flow list to an Ethernet interface or a VLAN interface. For AX3630S series switches, this command enables the QoS functionality by applying an IPv6 QoS flow list to an Ethernet interface.
  • Page 438 The following table shows the receiving-side flow detection modes that can be set for each interface. Table 19-17: Specifiable interfaces for each receiving-side flow detection mode (IPv6) [AX3640S] Receiving-side flow detection mode | Whether the mode can be set...
  • Page 439 If you apply a list to a VLAN interface, you can set the list if no VLAN parameters are set in the flow detection conditions and the copy-user-priority parameter is not set in the action specifications. [AX3640S] 10. You cannot apply a list to a VLAN interface. [AX3630S] Related commands ipv6 qos-flow-list...
  • Page 440: Ipv6 Qos-Flow-List

    19. QoS ipv6 qos-flow-list Creates an IPv6 QoS flow list to be used to set QoS flow detection and action specifications. A maximum of 1024 QoS flow lists (for IPv4, IPv6, and MAC) can be created per device. A maximum of 1024 flow detection and action specification entries can be created. For details about QoS flow lists, see Number of QoS flow lists that can be created.
  • Page 441: Ipv6 Qos-Flow-List Resequence

    19. QoS ipv6 qos-flow-list resequence Resets the sequence numbers of the application sequence in the IPv6 QoS flow list. Syntax To set or change information: ipv6 qos-flow-list resequence <qos flow list name> [<starting sequence> [<increment sequence>] ] Input mode (config) Parameters <qos flow list name>...
  • Page 442 19. QoS Related commands ipv6 qos-flow-list...
  • Page 443: Limit-Queue-Length

    19. QoS limit-queue-length Sets the queue length of a physical port for the Switch. This command changes the maximum queue length of a physical port. This command is used to set basic operating conditions for the hardware. You must restart the Switch after you change the settings.
  • Page 444 19. QoS set the sending of pause packets. When you set a send queue length of 1976 by using this command, the queue length is allocated to only queue 1 and queue 2, resulting in the following scheduling operations: PQ, RR, and WRR: Queues 1 and 2 operate with PQ, RR, or WRR specified. 2PQ+6DRR: Queues 1 and 2 operate with DRR specified.
  • Page 445: Mac Qos-Flow-Group

    19. QoS mac qos-flow-group Enables the QoS functionality by applying a MAC QoS flow list to an Ethernet interface or a VLAN interface. A maximum of 540 lists of ip qos-flow-group, ipv6 qos-flow-group, and mac qos-flow-group can be set for interfaces per device. For details about the number of specifications that can be set for an interface, see Number of specifications that can be set for an interface.
  • Page 446 The following table shows the receiving-side flow detection modes that can be set for each interface. Table 19-19: Specifiable interfaces for each receiving-side flow detection mode (MAC) [AX3640S] Receiving-side flow detection mode | Whether the mode can be set...
  • Page 447: Mac Qos-Flow-List

    19. QoS mac qos-flow-list Creates a MAC QoS flow list used to set QoS flow detection and action specifications. A maximum of 1024 QoS flow lists (for IPv4, IPv6, and MAC) can be created per device. A maximum of 1024 flow detection and action specification entries can be created. For details about QoS flow lists, see Number of QoS flow lists that can be created.
  • Page 448: Mac Qos-Flow-List Resequence

    19. QoS mac qos-flow-list resequence Resets the sequence numbers of the application sequence in the MAC QoS flow list. Syntax To set or change information: mac qos-flow-list resequence <qos flow list name> [<starting sequence> [<increment sequence>] ] Input mode (config) Parameters <qos flow list name>...
  • Page 449 19. QoS Related commands mac qos-flow-list...
  • Page 450: Qos (Ip Qos-Flow-List)

    19. QoS qos (ip qos-flow-list) Specifies flow detection conditions and action specifications in the IPv4 QoS flow list. Syntax To set or change information: <sequence> flow detection condition action specification ] qos { • Flow detection conditions When the upper-layer protocol is other than TCP, UDP, ICMP, and IGMP {ip | <protocol>...
  • Page 451 19. QoS Parameters <sequence> Sets the application sequence in the QoS flow list to be created or changed. Default value when this parameter is omitted: 10 is set as the initial value if there are no conditions in the QoS flow list. If conditions have been set, the initial value is the maximum value for the application sequence that has been set plus 10.
  • Page 452 19. QoS Range of values: Specify 0 to 65535 (in decimal) or a port name. For details about the port names that can be specified, see Table 19-3: Port names that can be specified for TCP and Table 19-4: Port names that can be specified for UDP (IPv4).
  • Page 453 19. QoS Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 15 (in decimal) or a tos name. For details about the tos names that can be specified, see Table 19-6: tos names that can be specified.
  • Page 454 19. QoS None Specifies the detection of packets whose FIN flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: None Specifies the detection of packets whose PSH flag in the TCP header is 1.
  • Page 455 19. QoS This parameter option is available only when the protocol is ICMP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 255 in decimal. <icmp code> Specifies the ICMP code.
  • Page 456 19. QoS Default value when this parameter is omitted: None. (This parameter keyword cannot be omitted if an action is set.) action Range of values: None cos <cos> Specifies an index (CoS) indicating the priority on a Switch. Default value when this parameter is omitted: The default CoS values are set.
  • Page 457 Default value when this parameter is omitted: 32 [AX3640S] 16 [AX3630S] Range of values: [AX3640S] <kbyte>: 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M Range of values: [AX3630S] <kbyte>: 16, 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000...
  • Page 458 Default value when this parameter is omitted: 32 [AX3640S] 16 [AX3630S] Range of values: [AX3640S] <kbyte>: 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M Range of values: [AX3630S] <kbyte>: 16, 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000...
  • Page 459 19. QoS Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When is entered for the source address wildcard mask and the destination 255.255.255.255 address wildcard mask, is displayed.
  • Page 460: Qos (Ipv6 Qos-Flow-List)

    ] qos { • Flow detection conditions [AX3640S] When the upper-layer protocol is other than TCP, UDP, and ICMP {ipv6 | <protocol>} {<source ipv6>/<length> | host <source ipv6> | any} {<destination ipv6>/<length> | host <destination ipv6> | any} [{traffic-class <traffic class>...
  • Page 461 4294967284, the value cannot be omitted. Range of values: Specify 1 to 4294967294 in decimal. {ipv6 | <protocol> | icmp | tcp | udp} [AX3640S] Specifies the upper-layer protocol condition for IPv6 packets. Note that if all protocols are applicable, specify...
  • Page 462 19. QoS 0:0:0:0:0:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff <length>: 0 to 128 {eq <source port> | range <source port start> <source port end>} [AX3640S] Specifies a source port number. This parameter option is available only when the protocol is TCP or UDP. Default value when this parameter is omitted: None.
  • Page 463 <destination port end>. Specify port numbers so that <destination port end> is larger than <destination port start>. traffic-class <traffic class> [AX3640S] Specifies the traffic class field value. Its value is compared with the traffic class field of the received packet.
  • Page 464 19. QoS None psh [AX3640S] Specifies the detection of packets whose PSH flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.)
  • Page 465 This parameter option is available only when the protocol is ICMP. For details about the ICMP message names that can be specified, see Table 19-12: Message names that can be specified for ICMP (IPv6) [AX3640S]. Default value when this parameter is omitted: None.
  • Page 466 19. QoS The default CoS values are set. For details about the default CoS values, see 3.10.2 CoS values and queuing priority in the manual Configuration Guide Vol. 2 For Version 11.7. Range of values: Specify 0 to 7 in decimal. discard-class <class>...
  • Page 467 Default value when this parameter is omitted: 32 [AX3640S] 16 [AX3630S] Range of values: [AX3640S] <kbyte>: 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M Range of values: [AX3630S] <kbyte>: 16, 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000...
  • Page 468 19. QoS 32 [AX3640S] 16 [AX3630S] Range of values: [AX3640S] <kbyte>: 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M Range of values: [AX3630S] <kbyte>: 16, 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M...
  • Page 469 19. QoS If nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn/128 is entered as the source address and the destination address, host nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn is displayed. Related commands ipv6 qos-flow-list ipv6 qos-flow-group ipv6 qos-flow-list resequence remark...
  • Page 470: Qos (Mac Qos-Flow-List)

    19. QoS qos (mac qos-flow-list) Specifies flow detection conditions and action specifications in the MAC QoS flow list. Syntax To set or change information: <sequence> flow detection condition action specification ] qos { • Flow detection conditions {<source mac> <source mac mask> | host <source mac> | any}{<destination mac> <destination mac mask>...
  • Page 471 19. QoS MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) {<destination mac> <destination mac mask> | host <destination mac> | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu | slow-protocol} Specifies the destination MAC address. To specify all destination MAC addresses, specify Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 472 19. QoS user-priority <priority> Specifies the user priority. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) Range of values: Specify 0 to 7 in decimal. Action parameters action To set or change an action parameter, you must set the action parameter keyword at the beginning of the action parameter.
  • Page 473 Default value when this parameter is omitted: 32 [AX3640S] 16 [AX3630S] Range of values: [AX3640S] <kbyte>: 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M Range of values: [AX3630S] <kbyte>: 16, 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000...
  • Page 474 Default value when this parameter is omitted: 32 [AX3640S] 16 [AX3630S] Range of values: [AX3640S] <kbyte>: 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000 <Mbyte>M: 1M, 2M, 4M, 8M, 16M Range of values: [AX3630S] <kbyte>: 16, 32, 64, 128, 256, 512, 1000, 2000, 4000, 8000, 16000...
  • Page 475 19. QoS Related commands mac qos-flow-list mac qos-flow-group mac qos-flow-list resequence remark...
  • Page 476: Qos-Queue-Group

    19. QoS qos-queue-group Sets QoS queue list information for an interface (physical port). Syntax To set information: qos-queue-group <qos queue list name> To delete information: no qos-queue-group Input mode (config-if) Parameters <qos queue list name> Specifies the QoS queue list name. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 477: Qos-Queue-List

    19. QoS qos-queue-list Sets the scheduling mode in QoS queue list information. You can create no more than 52 lists per device. Syntax To set or change information: qos-queue-list <qos queue list name> { pq | wrr [ <packet1> <packet2> <packet3> <packet4>...
  • Page 478 19. QoS packets is controlled so that packets are distributed evenly. When <packet> is specified, weighted (number of packets) round robin is used. If there are packets in multiple queues, packets are sent according to the number of packets set for <packet> as the queues are looked at in order.
  • Page 479 <rate>: This parameter cannot be omitted. Range of values: For AX3640S series switches: You can set the value from the following two groups. You do not have to enter a group name. However, make sure that the values set for <byte> for queues 6 to 1 belong to the same group.
  • Page 480 19. QoS Impact on communication If the scheduling mode is changed by specifying the QoS queue list name for the qos-queue-group command, the applicable line restarts, causing communication on the line to stop temporarily. When the change is applied The change is applied immediately after setting values are changed. Notes If the scheduling mode is changed by specifying the QoS queue list name for the command, the new interface (physical port) restarts.
  • Page 481: Remark

    19. QoS remark Specifies supplementary information for a QoS flow list. The available QoS flow list types are IPv4 QoS flow lists, IPv6 QoS flow lists, and MAC QoS flow lists. For a Switch, a maximum of 1024 information items can be specified for access lists and QoS flow lists.
  • Page 482: Traffic-Shape Rate

    19. QoS traffic-shape rate Sets the bandwidth by setting port bandwidth control for an interface (physical port) to limit the send bandwidth. Syntax To set or change information: traffic-shape rate { <kbit/s> | <Mbit/s>M | <Gbit/s>G } [ <kbyte> ] To delete information: no traffic-shape rate Input mode...
  • Page 483 19. QoS Default behavior The send bandwidth is not limited. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Port bandwidth control does not work when the line status is half duplex. When the set bandwidth for port bandwidth control exceeds the line speed, the port bandwidth is not controlled.
  • Page 485: Layer 2 Authentication

    PART 8: Layer 2 Authentication Chapter 20. Layer 2 Authentication Configuration command and applicable Layer 2 authentication types authentication arp-relay authentication force-authorized enable authentication force-authorized vlan authentication ip access-group authentication max-user (global) authentication max-user (interface) authentication radius-server dead-interval...
  • Page 486: Configuration Command And Applicable Layer 2 Authentication Types

    20. Layer 2 Authentication Configuration command and applicable Layer 2 authentication types The following table shows the configuration command used in common for Layer 2 authentication and the applicable Layer 2 authentication types. Table 20-1: Configuration command and applicable Layer 2 authentication types Command name Applicable Layer 2 authentication types MAC-based...
  • Page 487: Authentication Arp-Relay

    20. Layer 2 Authentication authentication arp-relay Outputs ARP packets sent from unauthenticated terminals to other devices to a non-authenticating port. Syntax To set information: authentication arp-relay To delete information: no authentication arp-relay Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
  • Page 488: Authentication Force-Authorized Enable

    20. Layer 2 Authentication authentication force-authorized enable When either of the following states exists for Web authentication and MAC-based authentication, this command forcibly changes the status of a terminal subject to authentication that requested authentication to the authenticated state: RADIUS authentication is specified but there is no response from the designated RADIUS server Local authentication is specified, but no authentication data exists on the device: •...
  • Page 489 20. Layer 2 Authentication mac-authentication system-auth-control radius-server web-authentication port web-authentication system-auth-control...
  • Page 490: Authentication Force-Authorized Vlan

    20. Layer 2 Authentication authentication force-authorized vlan Assigns a post-authentication VLAN when forced authentication is performed on the applicable port in Web authentication dynamic VLAN mode and MAC-based authentication VLAN mode. Syntax To set or change information: authentication force-authorized vlan <vlan id> To delete information: no authentication force-authorized vlan Input mode...
  • Page 491: Authentication Ip Access-Group

    20. Layer 2 Authentication authentication ip access-group For IP packets sent from an unauthenticated terminal to other terminals, only the packet types enabled by the specified IPv4 access list are forwarded to unauthenticated ports. Note that the Web authentication IP address is not treated as a destination IP address even when it is specified by using this command as a filtering condition.
  • Page 492 20. Layer 2 Authentication Notes None Related commands dot1x system-auth-control mac-authentication system-auth-control web-authentication system-auth-control...
  • Page 493: Authentication Max-User (Global)

    20. Layer 2 Authentication authentication max-user (global) Sets the maximum number of terminals that can be authenticated on a Switch for IEEE 802.1X authentication, Web authentication, and MAC-based authentication. Syntax To set or change information: authentication max-user <count> To delete information: no authentication max-user Input mode (config)
  • Page 494: Authentication Max-User (Interface)

    20. Layer 2 Authentication authentication max-user (interface) Sets the maximum number of terminals that can be authenticated on the applicable port for IEEE 802.1X authentication, Web authentication, and MAC-based authentication. Syntax To set or change information: authentication max-user <count> To delete information: no authentication max-user Input mode (config-if)
  • Page 495 20. Layer 2 Authentication IEEE 802.1X VLAN-based authentication (dynamic) mode, which are set concurrently, is restricted to 256. This is due to a restriction on MAC VLANs. [AX3630S] Related commands dot1x port-control dot1x vlan dot1x vlan dynamic mac-authentication port web-authentication port...
  • Page 496: Authentication Radius-Server Dead-Interval

    20. Layer 2 Authentication authentication radius-server dead-interval Specifies how long to wait before operation is resumed on the highest-priority RADIUS server after another server was used for authentication and accounting due to a communication failure with the highest-priority RADIUS server. The highest-priority RADIUS server resumes authentication and accounting after a specified time has elapsed.
  • Page 497: Ieee802.1X

    Chapter 21. IEEE802.1X aaa accounting dot1x default aaa authentication dot1x default aaa authorization network default dot1x force-authorized-port dot1x ignore-eapol-start dot1x logging enable dot1x loglevel dot1x max-req dot1x max-supplicant dot1x multiple-authentication dot1x multiple-hosts dot1x port-control dot1x reauthentication dot1x supplicant-detection dot1x system-auth-control dot1x timeout keep-unauth dot1x timeout quiet-period dot1x timeout reauth-period...
  • Page 498: Aaa Accounting Dot1X Default

    21. IEEE802.1X aaa accounting dot1x default Enables the collection of accounting information on the use of the specified authentication method. Only accounting information for IEEE 802.1X authentication is collected. Syntax To set information: aaa accounting dot1x default start-stop group radius To delete information: no aaa accounting dot1x default Input mode...
  • Page 499: Aaa Authentication Dot1X Default

    21. IEEE802.1X aaa authentication dot1x default Specifies IEEE 802.1X user authentication. Syntax To set information: aaa authentication dot1x default group radius To delete information: no aaa authentication dot1x default Input mode (config) Parameters group radius IEEE 802.1X authentication is performed by a RADIUS server. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 500: Aaa Authorization Network Default

    21. IEEE802.1X aaa authorization network default Specify this command to perform per-VLAN VLAN-based authentication (dynamic) using the specified authentication method. Syntax To set information: aaa authorization network default group radius To delete information: no aaa authorization network default Input mode (config) Parameters group radius...
  • Page 501: Dot1X Force-Authorized-Port

    21. IEEE802.1X dot1x force-authorized-port In a VLAN configured for per-VLAN VLAN-based authentication (static), sets a specific port or channel group for which communication is allowed without the need for authentication. Syntax To set information: dot1x force-authorized-port To delete information: no dot1x force-authorized-port Input mode (config-if) Parameters...
  • Page 502: Dot1X Ignore-Eapol-Start

    21. IEEE802.1X dot1x ignore-eapol-start Sets the Switch not to issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Syntax To set information: dot1x ignore-eapol-start To delete information: no dot1x ignore-eapol-start Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 503: Dot1X Logging Enable

    21. IEEE802.1X dot1x logging enable For IEEE 802.1X authentication, enables operation log information to be output to a syslog server. Syntax To set information: dot1x logging enable To delete information: no dot1x logging enable Input mode (config) Parameters None Default behavior Operation log information is not output to a syslog server.
  • Page 504: Dot1X Loglevel

    21. IEEE802.1X dot1x loglevel Specifies the level of messages to be logged in an IEEE 802.1X operation log. Use the show dot1x logging operation command to display the logged messages. Syntax To set or change information: dot1x loglevel {error | warning | notice | info} To delete information: no dot1x loglevel Input mode...
  • Page 505: Dot1X Max-Req

    21. IEEE802.1X dot1x max-req Specifies the maximum number of EAP-Request retransmissions if the supp-timeout value is exceeded. If the number of retransmissions exceeds this value, authentication is determined to have failed. Syntax To set or change information: dot1x max-req <count> To delete information: no dot1x max-req Input mode...
  • Page 506: Dot1X Max-Supplicant

    21. IEEE802.1X dot1x max-supplicant Specifies the maximum number of terminals that can be connected to the specified interface when terminal authentication submode is set. If more terminals than this value attempt to connect, the number of terminals that can connect is restricted without attempting authentication. Syntax To set or change information: dot1x max-supplicant <clients>...
  • Page 507: Dot1X Multiple-Authentication

    21. IEEE802.1X dot1x multiple-authentication Sets the IEEE 802.1X authentication submode to terminal authentication mode. The command performs authentication for each terminal and the authentication result determines whether communication is possible. Accordingly, multiple terminals can be connected. For a terminal configured by the mac-address-table static command, communication is always possible regardless of the authentication status if...
  • Page 508: Dot1X Multiple-Hosts

    21. IEEE802.1X dot1x multiple-hosts Sets IEEE 802.1X authentication with a multi-terminal submode. Initially, only the terminal that starts authentication first is subject to authentication. After this authentication is successful, other terminals can communicate without needing to authenticate. Accordingly, multiple terminals can be connected.
  • Page 509 21. IEEE802.1X dot1x multiple-authentication...
  • Page 510: Dot1X Port-Control

    21. IEEE802.1X dot1x port-control Sets the port-control status for a specified interface. Entering this command also enables the IEEE 802.1X port-based authentication functionality. Syntax To set or change information: dot1x port-control {auto | force-authorized | force-unauthorized} To delete information: no dot1x port-control Input mode (config-if) Parameters...
  • Page 511 21. IEEE802.1X Do not set the dot1x port-control force-authorized or dot1x port-control force-unauthorized command for an authentication port for Web authentication or MAC-based authentication. If you set this command for an authentication port for Web authentication or MAC-based authentication, set the authentication submode to terminal authentication. Related commands dot1x system-auth-control dot1x multiple-hosts...
  • Page 512: Dot1X Reauthentication

    21. IEEE802.1X dot1x reauthentication After successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, packets for EAP-Request/Identity re-authentication are sent at the interval set by using the dot1x timeout reauth-period command to a supplicant as a prompt for supplicant re-authentication.
  • Page 513: Dot1X Supplicant-Detection

    21. IEEE802.1X dot1x supplicant-detection Specifies the behavior when a new terminal is detected after terminal authentication submode has been specified for authentication. Syntax To set or change information: dot1x supplicant-detection {disable | full | shortcut | auto} To delete information: no dot1x supplicant-detection Input mode (config-if)
  • Page 514 21. IEEE802.1X Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: disable, full, shortcut, or auto Default behavior shortcut is used as the operation when a new terminal is detected. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 515: Dot1X System-Auth-Control

    21. IEEE802.1X dot1x system-auth-control Enables IEEE 802.1X. Syntax To set information: dot1x system-auth-control To delete information: no dot1x system-auth-control Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the command is set.
  • Page 516: Dot1X Timeout Keep-Unauth

    21. IEEE802.1X dot1x timeout keep-unauth Specifies the period of time (in seconds) for maintaining the communication-disabled state of the interface if two or more terminals are connected to an interface on which the single-mode authentication submode is set. After the time set by using this command elapses, an authenticated terminal must be re-authenticated.
  • Page 517: Dot1X Timeout Quiet-Period

    21. IEEE802.1X dot1x timeout quiet-period Specifies the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication is performed. Syntax To set or change information: dot1x timeout quiet-period <seconds>...
  • Page 518: Dot1X Timeout Reauth-Period

    21. IEEE802.1X dot1x timeout reauth-period Specifies the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to the supplicant at the interval set by using this command as a prompt for supplicant re-authentication. Syntax To set or change information: dot1x timeout reauth-period <seconds>...
  • Page 519 21. IEEE802.1X dot1x system-auth-control dot1x port-control...
  • Page 520: Dot1X Timeout Server-Timeout

    21. IEEE802.1X dot1x timeout server-timeout Specifies the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server. Syntax To set or change information: dot1x timeout server-timeout <seconds> To delete information: no dot1x timeout server-timeout Input mode (config-if)
  • Page 521: Dot1X Timeout Supp-Timeout

    21. IEEE802.1X dot1x timeout supp-timeout Specifies the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received during the specified period, the EAP-Request packet is retransmitted. Syntax To set or change information: dot1x timeout supp-timeout <seconds>...
  • Page 522: Dot1X Timeout Tx-Period

    21. IEEE802.1X dot1x timeout tx-period Specifies the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X is valid. Syntax To set or change information: dot1x timeout tx-period <seconds> To delete information: no dot1x timeout tx-period Input mode (config-if) Parameters <seconds>...
  • Page 523: Dot1X Vlan Dynamic Enable

    21. IEEE802.1X dot1x vlan dynamic enable Enables IEEE 802.1X VLAN-based authentication (dynamic). Syntax To set information: dot1x vlan dynamic enable To delete information: no dot1x vlan dynamic enable Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 524: Dot1X Vlan Dynamic Ignore-Eapol-Start

    21. IEEE802.1X dot1x vlan dynamic ignore-eapol-start Sets the Switch not to issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Syntax To set information: dot1x vlan dynamic ignore-eapol-start To delete information: no dot1x vlan dynamic ignore-eapol-start Input mode (config) Parameters None Default behavior...
  • Page 525: Dot1X Vlan Dynamic Max-Req

    21. IEEE802.1X dot1x vlan dynamic max-req Specifies the maximum number of EAP-Request retransmissions if the supp-timeout value is exceeded. If the number of retransmissions exceeds this value, authentication is determined to have failed. Syntax To set or change information: dot1x vlan dynamic max-req <count> To delete information: no dot1x vlan dynamic max-req Input mode...
  • Page 526: Dot1X Vlan Dynamic Max-Supplicant

    1 to 1024 [AX3640S] 1 to 256 [AX3630S] Default behavior The maximum number of terminals is 1024 for an AX3640S series switch, and 256 for an AX3630S series switch. Impact on communication If the specified value is smaller than the number of terminals that are currently authenticated on the specified interface, the authentication status of all supplicants that are currently authenticated on the specified interface is canceled.
  • Page 527: Dot1X Vlan Dynamic Radius-Vlan

    21. IEEE802.1X dot1x vlan dynamic radius-vlan Specifies VLANs to allow dynamic VLAN allocation according to VLAN information sent from the RADIUS server during IEEE 802.1X authentication. Syntax To set information: dot1x vlan dynamic radius-vlan <vlan id list> To change information: dot1x vlan dynamic radius-vlan {<vlan id list>...
  • Page 528 21. IEEE802.1X for this command. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. This command takes effect only if the command has been set.
  • Page 529: Dot1X Vlan Dynamic Reauthentication

    21. IEEE802.1X dot1x vlan dynamic reauthentication After successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using the dot1x vlan dynamic command as a prompt for supplicant re-authentication.
  • Page 530: Dot1X Vlan Dynamic Supplicant-Detection

    21. IEEE802.1X dot1x vlan dynamic supplicant-detection Specifies the behavior when a new terminal is detected. Syntax To set or change information: dot1x vlan dynamic supplicant-detection {disable | full | shortcut | auto} To delete information: no dot1x vlan dynamic supplicant-detection Input mode (config) Parameters...
  • Page 531 21. IEEE802.1X Default behavior shortcut is used as the operation when a new terminal is detected. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes All IEEE 802.1X settings take effect when the command is set.
  • Page 532: Dot1X Vlan Dynamic Timeout Quiet-Period

    21. IEEE802.1X dot1x vlan dynamic timeout quiet-period Specifies the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication is performed. Syntax To set or change information: dot1x vlan dynamic timeout quiet-period <seconds>...
  • Page 533: Dot1X Vlan Dynamic Timeout Reauth-Period

    21. IEEE802.1X dot1x vlan dynamic timeout reauth-period Specifies the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to the supplicant at the interval set by using this command as a prompt for supplicant re-authentication. Syntax To set or change information: dot1x vlan dynamic timeout reauth-period <seconds>...
  • Page 534 21. IEEE802.1X dot1x system-auth-control dot1x vlan dynamic enable...
  • Page 535: Dot1X Vlan Dynamic Timeout Server-Timeout

    21. IEEE802.1X dot1x vlan dynamic timeout server-timeout Specifies the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server. Syntax To set or change information: dot1x vlan dynamic timeout server-timeout <seconds> To delete information: no dot1x vlan dynamic timeout server-timeout Input mode...
  • Page 536: Dot1X Vlan Dynamic Timeout Supp-Timeout

    21. IEEE802.1X dot1x vlan dynamic timeout supp-timeout Specifies the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received during the specified period, the EAP-Request packet is retransmitted.
  • Page 537: Dot1X Vlan Dynamic Timeout Tx-Period

    21. IEEE802.1X dot1x vlan dynamic timeout tx-period Specifies the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X authentication is valid. Syntax To set or change information: dot1x vlan dynamic timeout tx-period <seconds> To delete information: no dot1x vlan dynamic timeout tx-period Input mode (config) Parameters...
  • Page 538: Dot1X Vlan Enable

    21. IEEE802.1X dot1x vlan enable Enables IEEE 802.1X VLAN-based authentication (static). Syntax To set information: dot1x vlan <vlan id list> enable To delete information: no dot1x vlan <vlan id list> enable Input mode (config) Parameters <vlan id list> Specifies the IDs of VLANs to which the IEEE 802.1X authentication settings are applied. VLANs that have not been set for the Switch cannot be specified.
  • Page 539 21. IEEE802.1X Related commands vlan dot1x system-auth-control dot1x port-control dot1x vlan dynamic radius-vlan switchport access...
  • Page 540: Dot1X Vlan Ignore-Eapol-Start

    21. IEEE802.1X dot1x vlan ignore-eapol-start Sets the Switch not to issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant. Syntax To set information: dot1x vlan <vlan id list> ignore-eapol-start To delete information: no dot1x vlan <vlan id list> ignore-eapol-start Input mode (config) Parameters...
  • Page 541 21. IEEE802.1X Related commands dot1x vlan reauthentication dot1x vlan supplicant-detection dot1x system-auth-control dot1x vlan enable...
  • Page 542: Dot1X Vlan Max-Req

    21. IEEE802.1X dot1x vlan max-req Specifies the maximum number of EAP-Request retransmissions if the supp-timeout value is exceeded. If the number of retransmissions exceeds this value, authentication is determined to have failed. Syntax To set or change information: dot1x vlan <vlan id list> max-req <count> To delete information: no dot1x vlan <vlan id list>...
  • Page 543 21. IEEE802.1X Related commands dot1x system-auth-control dot1x vlan timeout supp-timeout dot1x vlan enable...
  • Page 544: Dot1X Vlan Max-Supplicant

    21. IEEE802.1X dot1x vlan max-supplicant Specifies the maximum number of terminals that can be connected to the specified VLAN interface. If more terminals than this value attempt to connect, the number of terminals that can connect is restricted without attempting authentication. Syntax To set or change information: dot1x vlan <vlan id list>...
  • Page 545 21. IEEE802.1X This command takes effect only if the dot1x vlan <vlan id list> enable command has been set. If the specified value is smaller than the number of terminals that are currently authenticated by VLAN-based authentication (static), authentication status of all supplicants that are authenticated by VLAN-based authentication (static) is canceled.
  • Page 546: Dot1X Vlan Reauthentication

    21. IEEE802.1X dot1x vlan reauthentication After successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using the <vlan id list>...
  • Page 547 21. IEEE802.1X dot1x vlan enable...
  • Page 548: Dot1X Vlan Supplicant-Detection

    21. IEEE802.1X dot1x vlan supplicant-detection Specifies the behavior when a new terminal is detected. Syntax To set or change information: dot1x vlan <vlan id list> supplicant-detection {disable | full | shortcut | auto} To delete information: no dot1x vlan <vlan id list> supplicant-detection Input mode (config) Parameters...
  • Page 549 21. IEEE802.1X communication is temporarily stopped. auto Suppresses EAP-Request/Identity transmission processing for detecting a new terminal, and separately sends EAP-Request/Identity packets and performs authentication when a frame is received from a terminal. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: , or disable...
  • Page 550: Dot1X Vlan Timeout Quiet-Period

    21. IEEE802.1X dot1x vlan timeout quiet-period Specifies the period of time (in seconds) for maintaining the unauthenticated state on the applicable VLAN interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication is performed. Syntax To set or change information: dot1x vlan <vlan id list>...
  • Page 551 21. IEEE802.1X Related commands dot1x system-auth-control dot1x vlan enable...
  • Page 552: Dot1X Vlan Timeout Reauth-Period

    21. IEEE802.1X dot1x vlan timeout reauth-period Specifies the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to the supplicant at the interval set by using this command as a prompt for supplicant re-authentication. Syntax To set or change information: dot1x vlan <vlan id list>...
  • Page 553 21. IEEE802.1X Notes All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set. This command takes effect only if the dot1x vlan <vlan id list> enable command has been set. This command takes effect only if re-authentication has been set by using the dot1x vlan <vlan id list>...
  • Page 554: Dot1X Vlan Timeout Server-Timeout

    21. IEEE802.1X dot1x vlan timeout server-timeout Specifies the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server. Syntax To set or change information: dot1x vlan <vlan id list> timeout server-timeout <seconds> To delete information: no dot1x vlan <vlan id list>...
  • Page 555 21. IEEE802.1X Related commands dot1x system-auth-control dot1x vlan enable...
  • Page 556: Dot1X Vlan Timeout Supp-Timeout

    21. IEEE802.1X dot1x vlan timeout supp-timeout Specifies the time (in seconds) to wait for a response from a supplicant for an EAP-Request packet sent to a supplicant. If no response is received during the specified period, the EAP-Request packet is retransmitted. Syntax To set or change information: dot1x vlan <vlan id list>...
  • Page 557 21. IEEE802.1X Related commands dot1x system-auth-control dot1x vlan max-req dot1x vlan enable...
  • Page 558: Dot1X Vlan Timeout Tx-Period

    21. IEEE802.1X dot1x vlan timeout tx-period Specifies the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X is valid. Syntax To set or change information: dot1x vlan <vlan id list> timeout tx-period <seconds> To delete information: no dot1x vlan <vlan id list> timeout tx-period Input mode (config) Parameters...
  • Page 559 21. IEEE802.1X For the parameter, set a value smaller than the value set by using the dot1x vlan <vlan id list> timeout reauth-period command. Related commands dot1x vlan timeout reauth-period dot1x system-auth-control dot1x vlan enable...
  • Page 561: Web Authentication

    Chapter 22. Web Authentication Correspondence between configuration commands and operation modes aaa accounting web-authentication default start-stop group radius aaa authentication web-authentication default group radius web-authentication auto-logout web-authentication ip address web-authentication jump-url web-authentication logging enable web-authentication logout ping tos-windows web-authentication logout ping ttl web-authentication logout polling count web-authentication logout polling enable web-authentication logout polling interval...
  • Page 562: Correspondence Between Configuration Commands And Operation Modes

    22. Web Authentication Correspondence between configuration commands and operation modes The following table describes the Web authentication operation modes in which Web authentication configuration commands can be set. Table 22-1: Configuration commands and Web authentication operation modes Command name Web authentication operation modes Fixed VLAN mode Dynamic VLAN Legacy mode...
  • Page 563 22. Web Authentication Command name Web authentication operation modes Fixed VLAN mode Dynamic VLAN Legacy mode mode web-authentication static-vlan max-user web-authentication system-auth-control web-authentication vlan web-authentication web-port Legend: Y: The command can be set, and the setting is applied. --: The command can be set, but the setting is not applied. N: The command cannot be set.
  • Page 564: Aaa Accounting Web-Authentication Default Start-Stop Group Radius

    22. Web Authentication aaa accounting web-authentication default start-stop group radius Notifies the accounting server of the results of Web authentication. Syntax To set information: aaa accounting web-authentication default start-stop group radius To delete information: no aaa accounting web-authentication default Input mode (config) Parameters None...
  • Page 565: Aaa Authentication Web-Authentication Default Group Radius

    22. Web Authentication aaa authentication web-authentication default group radius Sets whether to use the RADIUS server for Web authentication. Syntax To set information: aaa authentication web-authentication default group radius To delete information: no aaa authentication web-authentication default Input mode (config) Parameters None Default behavior...
  • Page 566: Web-Authentication Auto-Logout

    22. Web Authentication web-authentication auto-logout The no web-authentication auto-logout command configures the Switch to detect terminals that have been authenticated by Web authentication but have not been used for a certain period of time, and cancels authentication for these terminals. Syntax To set information: no web-authentication auto-logout To delete information:...
  • Page 567: Web-Authentication Ip Address

    22. Web Authentication web-authentication ip address Sets the Web authentication IP address. When the Web authentication IP address has been set by using this command, you can log in from an unauthenticated terminal or log out from an authenticated terminal by using the same IP address on the switch.
  • Page 568 22. Web Authentication Impact on communication None When the change is applied The change is applied after the operation command restart web-authentication web-server is used to restart the Web server. Notes Because the IP address set by using this command is used exclusively for Web authentication access on a switch, the IP address is not sent outside the switch.
  • Page 569: Web-Authentication Jump-Url

    22. Web Authentication web-authentication jump-url Specifies the URL of a page to be automatically displayed after displaying the page indicating successful authentication. Syntax To set or change information: web-authentication jump-url <url> To delete information: no web-authentication jump-url Input mode (config) Parameters <url>...
  • Page 570: Web-Authentication Logging Enable

    22. Web Authentication web-authentication logging enable Enables the output of Web authentication operation log information to a syslog server. Syntax To set information: web-authentication logging enable To delete information: no web-authentication logging enable Input mode (config) Parameters None Default behavior Operation log information is not output to a syslog server.
  • Page 571: Web-Authentication Logout Ping Tos-Windows

    22. Web Authentication web-authentication logout ping tos-windows When Web authentication in fixed VLAN mode is used, this command sets the TOS value of special packets to cancel the authentication status of the corresponding MAC address when the special packets (ping) are received from authenticated terminals. Syntax To set or change information: web-authentication logout ping tos-windows <tos>...
  • Page 572: Web-Authentication Logout Ping Ttl

    22. Web Authentication web-authentication logout ping ttl When Web authentication in fixed VLAN mode is used, this command sets the TTL value of special packets to cancel the authentication status of the corresponding MAC address when the special packets (ping) are received from authenticated terminals. Syntax To set or change information: web-authentication logout ping ttl <ttl>...
  • Page 573: Web-Authentication Logout Polling Count

    22. Web Authentication web-authentication logout polling count When Web authentication in fixed VLAN mode is used, this command sets the number of times a Switch retransmits the monitoring packet that is sent periodically to check the connection status of authentication terminals when there is no response to the monitoring packet. Syntax To set or change information: web-authentication logout polling count <count>...
  • Page 574 22. Web Authentication exceed the polling interval, so that the retransmission can complete during one polling interval. (1): web-authentication logout polling interval (2): web-authentication logout polling retry-interval (3): web-authentication logout polling count • To set the monitoring packet sending interval to be shorter than 300 seconds, use the default values for the resending interval and the resending count.
  • Page 575: Web-Authentication Logout Polling Enable

    22. Web Authentication web-authentication logout polling enable Set this command to periodically check whether authenticated terminals are connected, and forcibly log out inactive or disconnected terminals when Web authentication is used in fixed VLAN mode. Periodic monitoring is not performed if the setting of forcible logout based on periodic check is disabled by using the command.
  • Page 576 22. Web Authentication If the number of retransmissions when a no-response state is detected is set to the maximum (it is set by using the web-authentication logout polling count command) and the resending interval time is set to the minimum (it is set by using the web-authentication command), this also might be a heavy load on the switch.
  • Page 577: Web-Authentication Logout Polling Interval

    22. Web Authentication web-authentication logout polling interval Sets the sending interval of monitoring packets that periodically check whether authenticated terminals are connected when Web authentication in fixed VLAN mode is used. Syntax To set or change information: web-authentication logout polling interval <seconds> To delete information: no web-authentication logout polling interval Input mode...
  • Page 578 22. Web Authentication Set each value so that retransmission when a no-response state is detected does not exceed the polling interval, so that the retransmission can complete during one polling interval. (1): web-authentication logout polling interval (2): web-authentication logout polling retry-interval (3): web-authentication logout polling count •...
  • Page 579: Web-Authentication Logout Polling Retry-Interval

    22. Web Authentication web-authentication logout polling retry-interval When Web authentication in fixed VLAN mode is used, this command sets the sending interval for retransmitting the monitoring packet when there is no response to a monitoring packet that periodically checks the connection status of authenticated terminals. Syntax To set or change information: web-authentication logout polling retry-interval <seconds>...
  • Page 580 22. Web Authentication Set each value so that retransmission when a no-response state is detected does not exceed the polling interval, so that the retransmission can complete during one polling interval. (1): web-authentication logout polling interval (2): web-authentication logout polling retry-interval (3): web-authentication logout polling count •...
  • Page 581: Web-Authentication Max-Timer

    22. Web Authentication web-authentication max-timer Specifies the maximum connection time for Web-authenticated users. Syntax To set or change information: web-authentication max-timer <minutes> To delete information: no web-authentication max-timer Input mode (config) Parameters <minutes> Sets the maximum time (in minutes) a user is allowed for connection for authentication in the Web authentication system.
  • Page 582 22. Web Authentication Related commands web-authentication system-auth-control web-authentication max-user web-authentication vlan web-authentication auto-logout aaa authentication web-authentication default group radius aaa accounting web-authentication default start-stop group radius...
  • Page 583: Web-Authentication Max-User

    Range of values: 1 to 1024 [AX3640S] 1 to 256 [AX3630S] Default behavior The maximum number of users who can be authenticated is 1024 for an AX3640S series switch, and 256 for an AX3630S series switch. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 584: Web-Authentication Port

    22. Web Authentication web-authentication port Sets Web authentication for the specified port. If this command is set for an access port or a trunk port, fixed VLAN mode is set. If this command is set to a MAC VLAN, dynamic VLAN mode is set. Syntax To set information: web-authentication port...
  • Page 585: Web-Authentication Redirect Enable

    22. Web Authentication web-authentication redirect enable Sets URL redirection for Web authentication. If the no web-authentication redirect enable command is set, URL redirection is disabled. Syntax To set information: no web-authentication redirect enable To delete information: web-authentication redirect enable Input mode (config) Parameters None...
  • Page 586: Web-Authentication Redirect-Mode

    22. Web Authentication web-authentication redirect-mode Sets a protocol to display the Login page when URL redirect functionality is enabled in Web authentication. Syntax To set or change information: web-authentication redirect-mode {http | https} To delete information: no web-authentication redirect-mode Input mode (config) Parameters {http | https}...
  • Page 587: Web-Authentication Static-Vlan Max-User

    22. Web Authentication web-authentication static-vlan max-user Sets the maximum number of Web-authenticated users allowed in fixed VLAN mode. Syntax To set or change information: web-authentication static-vlan max-user <count> To delete information: no web-authentication static-vlan max-user Input mode (config) Parameters <count> Sets the maximum number of Web-authenticated users allowed in fixed VLAN mode.
  • Page 588: Web-Authentication System-Auth-Control

    22. Web Authentication web-authentication system-auth-control Starts the Web authentication daemon, and enables Web authentication. Note that if the no web-authentication system-auth-control command is executed, the Web authentication daemon stops. Syntax To set information: web-authentication system-auth-control To delete information: no web-authentication system-auth-control Input mode (config) Parameters...
  • Page 589: Web-Authentication Vlan

    22. Web Authentication web-authentication vlan Specifies the ID of the VLAN that is allowed to be switched in legacy mode of Web authentication. Unless a VLAN ID is set by using this command, no VLANs can be switched after authentication.
  • Page 590: Web-Authentication Web-Port

    22. Web Authentication web-authentication web-port Adds a TCP port number for Web authentication to any port number. Usually, any port numbers can be added to the standard port numbers assigned for http (80) and https (443). This command can be used in any of the following modes: legacy mode, dynamic VLAN mode, or fixed VLAN mode.
  • Page 591 22. Web Authentication When the change is applied The change is applied after the operation command restart web-authentication web-server is used to restart the Web server. Notes After this command is set or deleted, a user who is in the process of being authenticated must log in again.
  • Page 593: Mac-Based Authentication

    Chapter 23. MAC-based Authentication Correspondence between configuration commands and operation modes aaa accounting mac-authentication default start-stop group radius aaa authentication mac-authentication default group radius mac-authentication auth-interval-timer mac-authentication auto-logout mac-authentication dot1q-vlan force-authorized mac-authentication dynamic-vlan max-user mac-authentication logging enable mac-authentication max-timer mac-authentication password mac-authentication port mac-authentication radius-server host mac-authentication static-vlan max-user...
  • Page 594: Correspondence Between Configuration Commands And Operation Modes

    23. MAC-based Authentication Correspondence between configuration commands and operation modes The following table describes MAC-based authentication operation modes in which MAC-based authentication configuration commands can be set. Table 23-1: Configuration commands and MAC-based authentication operation modes Command name MAC-based authentication operation modes Fixed VLAN mode Dynamic VLAN mode aaa accounting mac-authentication default...
  • Page 595: Aaa Accounting Mac-Authentication Default Start-Stop Group Radius

    23. MAC-based Authentication aaa accounting mac-authentication default start-stop group radius Notifies the accounting server of the results of MAC-based authentication. Syntax To set information: aaa accounting mac-authentication default start-stop group radius To delete information: no aaa accounting mac-authentication default Input mode (config) Parameters None...
  • Page 596: Aaa Authentication Mac-Authentication Default Group Radius

    23. MAC-based Authentication aaa authentication mac-authentication default group radius Sets whether to use the RADIUS server for MAC-based authentication. Syntax To set information: aaa authentication mac-authentication default group radius To delete information: no aaa authentication mac-authentication default Input mode (config) Parameters None Default behavior...
  • Page 597: Mac-Authentication Auth-Interval-Timer

    23. MAC-based Authentication mac-authentication auth-interval-timer Sets the time interval until the next authentication is performed for a MAC address that has failed MAC-based authentication. Syntax To set or change information: mac-authentication auth-interval-timer <minutes> To delete information: no mac-authentication auth-interval-timer Input mode (config) Parameters <minutes>...
  • Page 598 23. MAC-based Authentication mac-authentication port...
  • Page 599: Mac-Authentication Auto-Logout

    23. MAC-based Authentication mac-authentication auto-logout command configures a Switch so that the Switch no mac-authentication auto-logout detects MAC addresses being authenticated by MAC-based authentication but have not been used for a certain period of time, and cancels the authentication for these MAC addresses. If automatic cancellation is disabled, authentication is not automatically canceled even when the Switch detects, on the MAC address table, that a MAC address being authenticated by MAC-based authentication is not being used.
  • Page 600: Mac-Authentication Dot1Q-Vlan Force-Authorized

    23. MAC-based Authentication mac-authentication dot1q-vlan force-authorized Permits terminals that send and receive tagged frames on a MAC VLAN port to communicate without being authenticated. Syntax To set information: mac-authentication dot1q-vlan force-authorized To delete information: no mac-authentication dot1q-vlan force-authorized Input mode (config-if) Parameters None...
  • Page 601: Mac-Authentication Dynamic-Vlan Max-User

    MAC-based authentication. More MAC addresses than the set number cannot be authenticated. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: 1 to 1024 [AX3640S] 1 to 256 [AX3630S] Default behavior The maximum number of MAC addresses that can be authenticated: 1024 [AX3640S]...
  • Page 602: Mac-Authentication Logging Enable

    23. MAC-based Authentication mac-authentication logging enable Enables the output of operation log information for MAC-based authentication to a syslog server. Syntax To set information: mac-authentication logging enable To delete information: no mac-authentication logging enable Input mode (config) Parameters None Default behavior Operation log information is not output to a syslog server.
  • Page 603: Mac-Authentication Max-Timer

    23. MAC-based Authentication mac-authentication max-timer Sets the maximum connection time used for MAC-based authentication. Syntax To set or change information: mac-authentication max-timer {<minutes> | infinity} To delete information: no mac-authentication max-timer Input mode (config) Parameters {<minutes> | infinity} Sets the maximum connection time (in minutes) used for MAC-based authentication. After a successful authentication, if the period of time set by using this command elapses, the authentication is canceled automatically.
  • Page 604 23. MAC-based Authentication Related commands mac-authentication system-auth-control mac-authentication port...
  • Page 605: Mac-Authentication Password

    23. MAC-based Authentication mac-authentication password Sets the password used by the terminal user when the user issues a MAC-based authentication request to the RADIUS server. Syntax To set or change information: mac-authentication password <password> To delete information: no mac-authentication password Input mode (config) Parameters...
  • Page 606: Mac-Authentication Port

    23. MAC-based Authentication mac-authentication port Specifies a port for which MAC-based authentication is to be performed. MAC-based authentication does not work on any ports for which this command is not set. If this command is set for an access port or a trunk port, fixed VLAN mode is set. If this command is set to a MAC VLAN, dynamic VLAN mode is set.
  • Page 607: Mac-Authentication Radius-Server Host

    23. MAC-based Authentication mac-authentication radius-server host Configures the RADIUS server used for MAC-based authentication. Syntax To set information: mac-authentication radius-server host {<ipv4 address> | <ipv6 address> [interface vlan <vlan id>] | <host name>} [auth-port <port>][acct-port <port>][timeout <seconds>][retransmit <retries>][key <string>] To delete information: no mac-authentication radius-server host {<ipv4 address>...
  • Page 608 23. MAC-based Authentication Default value when this parameter is omitted: Port number 1813 is used. Range of values: 1 to 65535 timeout <seconds> Specifies the timeout period (in seconds) for a response from the RADIUS server. Default value when this parameter is omitted: Range of values: 1 to 30 (seconds) retransmit <retries>...
  • Page 609 23. MAC-based Authentication If multiple RADIUS servers are set by using this command, the RADIUS server listed at the top of the display resulting from this configuration command is used for the first authentication. Related commands mac-authentication system-auth-control mac-authentication port aaa authentication mac-authentication default group radius aaa accounting mac-authentication default start-stop group radius radius-server host...
  • Page 610: Mac-Authentication Static-Vlan Max-User

    23. MAC-based Authentication mac-authentication static-vlan max-user Sets the maximum number of MAC addresses that can be authenticated in fixed VLAN mode of MAC-based authentication. Syntax To set or change information: mac-authentication static-vlan max-user <count> To delete information: no mac-authentication static-vlan max-user Input mode (config) Parameters...
  • Page 611: Mac-Authentication System-Auth-Control

    23. MAC-based Authentication mac-authentication system-auth-control Starts the MAC-based authentication daemon, and enables MAC-based authentication. Note that if the no mac-authentication system-auth-control command is executed, the MAC-based authentication daemon stops. Syntax To set information: mac-authentication system-auth-control To delete information: no mac-authentication system-auth-control Input mode (config) Parameters...
  • Page 612: Mac-Authentication Vlan-Check

    23. MAC-based Authentication mac-authentication vlan-check When a MAC address is checked in fixed VLAN mode of MAC-based authentication, the VLAN ID is also checked. Syntax To set or change information: mac-authentication vlan-check [key <string>] To delete information: no mac-authentication vlan-check Input mode (config) Parameters...
  • Page 613: Authentication Vlans [Op-Vaa]

    Chapter 24. Authentication VLANs [OP-VAA] fense alive-timer [OP-VAA] fense retry-count [OP-VAA] fense retry-timer [OP-VAA] fense server [OP-VAA] fense vaa-name [OP-VAA] fense vaa-sync [OP-VAA] fense vlan [OP-VAA]...
  • Page 614: Fense Alive-Timer [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense alive-timer [OP-VAA] If a KeepAlive packet does not arrive from the VLANaccessController within the time period (in seconds) specified by this command, the switch will attempt to re-establish the connection to the authentication server. Syntax To set or change information: fense <vaa id>...
  • Page 615 24. Authentication VLANs [OP-VAA] fense vlan...
  • Page 616: Fense Retry-Count [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense retry-count [OP-VAA] If a VLANaccessAgent fails to connect to the VLANaccessController, the VLANaccessAgent retries connection at the interval specified by the fense retry-timer command. The retries continue unless the no fense server command is executed. However, if the total number of failed retries performed by all VLANaccessAgents running on the Switch exceeds the allowed number of failed retries set by this command, dynamic MAC addresses for all authentication VLANs in the...
  • Page 617 24. Authentication VLANs [OP-VAA] be set. Related commands fense vaa-name fense server fense vlan...
  • Page 618: Fense Retry-Timer [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense retry-timer [OP-VAA] If communication with the VLANaccessController fails, the Switch retries connection at the interval (in seconds) set by this command. Syntax To set or change information: fense <vaa id> retry-timer <seconds> To delete information: no fense <vaa id>...
  • Page 619: Fense Server [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense server [OP-VAA] Specifies the IP address and TCP port number of the authentication server (VLANaccessController). Syntax To set or change information: fense <vaa id> server <server address> [<port>] To delete information: no fense <vaa id> server Input mode (config) Parameters...
  • Page 620 24. Authentication VLANs [OP-VAA] When the change is applied The change is applied immediately after setting values are changed. If any of the following conditions are satisfied, the VLANaccessAgent is started, and connection to the authentication server is started: • The device name has been set by the command.
  • Page 621: Fense Vaa-Name [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense vaa-name [OP-VAA] Sets the name of the VLANaccessAgent that sends packets to the VLANaccessController. Only one name can be set per switch. If multiple switches on which the VLANaccessAgent runs are connected under the authentication server, set different names for the switches. Syntax To set or change information: fense vaa-name <name>...
  • Page 622 24. Authentication VLANs [OP-VAA] • One or more entries have been set by the fense vlan command. Notes If the dot1x system-auth-control command is set for IEEE 802.1X, this command cannot be set. When you have modified the network configuration of an authentication VLAN system by using this command, be sure to restart the functions of the authentication server, and then restart the authentication VLANs on the Switch.
  • Page 623: Fense Vaa-Sync [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense vaa-sync [OP-VAA] The Switch operates in normal mode for a MAC address registration request for MAC VLANs from the authentication server. If no fense vaa-sync is set, the Switch operates in selective registration mode. Syntax To set information: no fense vaa-sync To delete information:...
  • Page 624: Fense Vlan [Op-Vaa]

    24. Authentication VLANs [OP-VAA] fense vlan [OP-VAA] Specifies the VLAN ID and subnet of the authorized VLAN. Syntax To set or change information: fense <vaa id> vlan <vlan id> <subnet address> <subnet mask> To delete information: no fense <vaa id> vlan <vlan id> <subnet address> <subnet mask> Input mode (config) Parameters...
  • Page 625 24. Authentication VLANs [OP-VAA] Impact on communication If an authenticated VLAN is changed or deleted by this command, communication between the VLANaccessAgent and the authentication server is temporarily disconnected and then reconnected, which does not affect communication for authenticated clients. When the change is applied The change is applied immediately after setting values are changed.
  • Page 627: Part 9: Security

    PART 9: Security Chapter 25. DHCP Snooping ip arp inspection limit rate ip arp inspection trust ip arp inspection validate ip arp inspection vlan ip dhcp snooping ip dhcp snooping database url ip dhcp snooping database write-delay ip dhcp snooping information option allow-untrusted ip dhcp snooping limit rate ip dhcp snooping logging enable ip dhcp snooping loglevel...
  • Page 628: Ip Arp Inspection Limit Rate

    25. DHCP Snooping ip arp inspection limit rate Sets the maximum ARP packet reception rate (the number of ARP packets that can be received per second) per Switch when DHCP snooping is enabled on the Switch. ARP packets in excess of this reception rate are discarded.
  • Page 629: Ip Arp Inspection Trust

    25. DHCP Snooping ip arp inspection trust Sets the applicable interface as a trusted port where no dynamic ARP inspection is performed when DHCP snooping is enabled on a Switch. Syntax To set information: ip arp inspection trust To delete information: no ip arp inspection trust Input mode (config-if)
  • Page 630: Ip Arp Inspection Validate

    25. DHCP Snooping ip arp inspection validate Sets inspection items to be added to improve the accuracy of a dynamic ARP inspection when dynamic ARP inspections are enabled on a Switch. Syntax To set or change information: ip arp inspection validate [src-mac] [dst-mac] [ip] To delete information: no ip arp inspection validate Input mode...
  • Page 631 25. DHCP Snooping None Default behavior Additional dynamic ARP inspections are not performed. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ip arp inspection vlan ip dhcp snooping ip dhcp snooping vlan...
  • Page 632: Ip Arp Inspection Vlan

    25. DHCP Snooping ip arp inspection vlan Sets the VLAN used for dynamic ARP inspections when DHCP snooping is enabled on a Switch. Syntax To set information: ip arp inspection vlan <vlan id list> To change information: ip arp inspection vlan {<vlan id list> | add <vlan id list> | remove <vlan id list>} To delete information: no ip arp inspection vlan Input mode...
  • Page 633 25. DHCP Snooping When the change is applied The change is applied immediately after setting values are changed. Notes A VLAN ID for which DHCP snooping is enabled must be set for this command. Related commands ip dhcp snooping ip dhcp snooping vlan...
  • Page 634: Ip Dhcp Snooping

    25. DHCP Snooping ip dhcp snooping Enables DHCP snooping on a Switch. Syntax To set information: ip dhcp snooping To delete information: no ip dhcp snooping Input mode (config) Parameters None Default behavior DHCP snooping is not used. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 635: Ip Dhcp Snooping Database Url

    25. DHCP Snooping ip dhcp snooping database url Specifies where a binding database is to be saved. Syntax To set or change information: ip dhcp snooping database url {flash | mc <file name>} To delete information: no ip dhcp snooping database url Input mode (config) Parameters...
  • Page 636 25. DHCP Snooping • When terminal information is dynamically registered, updated, or deleted in a binding database • The ip dhcp snooping database url command is set (this includes changes to the save destination). • When the operation command clear ip dhcp snooping binding is executed If the Switch power is turned off before the timer expires, the binding database cannot be saved.
  • Page 637: Ip Dhcp Snooping Database Write-Delay

    25. DHCP Snooping ip dhcp snooping database write-delay Sets the maximum save delay time to be applied when a binding database is saved. Syntax To set or change information: ip dhcp snooping database write-delay <seconds> To delete information: no ip dhcp snooping database write-delay Input mode (config) Parameters...
  • Page 638 25. DHCP Snooping ip dhcp snooping vlan...
  • Page 639: Ip Dhcp Snooping Information Option Allow-Untrusted

    25. DHCP Snooping ip dhcp snooping information option allow-untrusted Allows untrusted ports to receive DHCP packets that have the relay agent information option (Option 82). Syntax To set information: ip dhcp snooping information option allow-untrusted To delete information: no ip dhcp snooping information option allow-untrusted Input mode (config) Parameters...
  • Page 640: Ip Dhcp Snooping Limit Rate

    25. DHCP Snooping ip dhcp snooping limit rate Sets the maximum DHCP packet reception rate (the number of DHCP packets that can be received per second) per Switch. DHCP packets exceeding the reception rate are discarded. The actual maximum reception rate is the sum of that set by this command and that set by the ip arp command.
  • Page 641: Ip Dhcp Snooping Logging Enable

    25. DHCP Snooping ip dhcp snooping logging enable Enables the output of DHCP snooping operation log information to a syslog server. Syntax To set information: ip dhcp snooping logging enable To delete information: no ip dhcp snooping logging enable Input mode (config) Parameters None...
  • Page 642: Ip Dhcp Snooping Loglevel

    25. DHCP Snooping ip dhcp snooping loglevel Specifies the level of messages to be logged in a DHCP snooping operation log. Use the show ip dhcp snooping logging operation command to display the logged messages. Syntax To set or change information: ip dhcp snooping loglevel {error | warning | notice | info} To delete information: no ip dhcp snooping loglevel...
  • Page 643: Ip Dhcp Snooping Trust

    25. DHCP Snooping ip dhcp snooping trust Sets whether the interface is a trusted port or an untrusted port. Syntax To set information: ip dhcp snooping trust To delete information: no ip dhcp snooping trust Input mode (config-if) Parameters None Default behavior The applicable interface operates as an untrusted port.
  • Page 644: Ip Dhcp Snooping Verify Mac-Address

    25. DHCP Snooping ip dhcp snooping verify mac-address Sets whether to check if the source MAC address of DHCP packets received from an untrusted port matches the client hardware addresses in the DHCP packet. Syntax To set information: no ip dhcp snooping verify mac-address To delete information: ip dhcp snooping verify mac-address Input mode...
  • Page 645: Ip Dhcp Snooping Vlan

    25. DHCP Snooping ip dhcp snooping vlan Enables DHCP snooping in a VLAN. DHCP snooping is disabled if it is not set by using this command. Syntax To set information: ip dhcp snooping vlan <vlan id list> To change information: ip dhcp snooping vlan {<vlan id list>...
  • Page 646 25. DHCP Snooping When the change is applied The change is applied immediately after setting values are changed. Notes DHCP snooping is not valid in a VLAN in which this command has not been set. Related commands ip dhcp snooping...
  • Page 647: Ip Source Binding

    25. DHCP Snooping ip source binding Sets a static entry to the binding database. Syntax To set information: ip source binding <mac address> vlan <vlan id> <ip address> interface <interface type> <interface number> To delete information: no ip source binding <mac address> vlan <vlan id> <ip address> interface <interface type> <interface number>...
  • Page 648 25. DHCP Snooping - tengigabitethernet <nif no.>/<port no.> - port-channel <channel group number> For details about the valid setting range of <nif no.> <port no.> and <channel group number>, see Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 649: Ip Verify Source

    25. DHCP Snooping ip verify source Set this command to use the terminal filter based on the DHCP snooping binding database. The terminal filter is functionality used to filter the packets of unregistered source IP and MAC addresses. Syntax To set or change information: ip verify source [{port-security | mac-only}] To delete information: no ip verify source...
  • Page 650 25. DHCP Snooping ip dhcp snooping ip dhcp snooping trust ip dhcp snooping vlan ip source binding...
  • Page 651: Part 10: High Reliability Based On Redundant Configurations

    PART 10: High Reliability Based on Redundant Configurations Chapter 26. Power Supply Redundancy power redundancy-mode...
  • Page 652: Power Redundancy-Mode

    26. Power Supply Redundancy power redundancy-mode Sets whether to display a message notifying that the redundant power supply has not been implemented. Syntax To set information: power redundancy-mode redundancy-check To delete information: no power redundancy-mode Input mode (config) Parameters redundancy-check Checks whether the redundant power supply has been implemented.
  • Page 653: Gsrp

    Chapter 27. GSRP advertise-holdtime advertise-interval backup-lock flush-request-count gsrp gsrp-vlan gsrp direct-link gsrp exception-port gsrp limit-control gsrp no-flush-port gsrp reset-flush-port layer3-redundancy no-neighbor-to-master port-up-delay reset-flush-time selection-pattern vlan-group disable vlan-group priority vlan-group vlan...
  • Page 654: Advertise-Holdtime

    27. GSRP advertise-holdtime Specifies the retention time of received GSRP Advertise frames in seconds. If the retention time elapses before any GSRP Advertise frames are received, the Switch operates as follows: In master status: Maintains master status. In backup status: Changes to backup status (neighbor unknown) because the partner switch in master status cannot be recognized.
  • Page 655: Advertise-Interval

    27. GSRP advertise-interval Sets the sending interval for GSRP Advertise frames. Syntax To set or change information: advertise-interval <seconds> To delete information: no advertise-interval Input mode (config-gsrp) Parameters <seconds> Specifies the sending interval for GSRP Advertise frames in seconds. This interval can be specified in 0.5 second increments.
  • Page 656: Backup-Lock

    27. GSRP backup-lock Fixes the GSRP status of the Switch to backup status. Syntax To set information: backup-lock To delete information: no backup-lock Input mode (config-gsrp) Parameters None Default behavior None Impact on communication Communications are interrupted. When the change is applied The change is applied immediately after setting values are changed.
  • Page 657: Flush-Request-Count

    27. GSRP flush-request-count Specifies the number of times GSRP Flush request frames are sent to adjacent switches to request the clearing of MAC address tables. Syntax To set or change information: flush-request-count <count> To delete information: no flush-request-count Input mode (config-gsrp) Parameters <count>...
  • Page 658: Gsrp

    27. GSRP gsrp Sets GSRP-related items. Syntax To set information: gsrp <gsrp group id> To delete information: no gsrp <gsrp group id> Input mode (config) Parameters <gsrp group id> Sets a GSRP group ID. For GSRP switches that belong to the same GSRP group, specify the same GSRP group ID.
  • Page 659: Gsrp-Vlan

    27. GSRP gsrp-vlan Specifies a VLAN to be used as the GSRP-managed VLAN. Syntax To set or change information: gsrp-vlan <vlan id> To delete information: no gsrp-vlan Input mode (config-gsrp) Parameters <vlan id> Specifies the ID of the VLAN to be used as the GSRP-managed VLAN. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 660: Gsrp Direct-Link

    27. GSRP gsrp direct-link Configures the ports used for a direct link between switches. Syntax To set information: gsrp <gsrp group id> direct-link To delete information: no gsrp <gsrp group id> direct-link Input mode (config-if) Parameters <gsrp group id> Sets a GSRP group ID. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 661: Gsrp Exception-Port

    27. GSRP gsrp exception-port Configures a port not under GSRP control. The set port is always able to forward frames. Syntax To set information: gsrp exception-port To delete information: no gsrp exception-port Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied...
  • Page 662: Gsrp Limit-Control

    27. GSRP gsrp limit-control Enables the functionality limiting GSRP control to VLAN-group VLANs. If the functionality limiting GSRP control to VLAN-group VLANs is set by this command, only the VLANs that belong to any VLAN group are under GSRP control. The VLAN ports that do not belong to any VLAN group are able to forward frames.
  • Page 663: Gsrp No-Flush-Port

    27. GSRP gsrp no-flush-port Specifies a port that does not send GSRP Flush request frames. Syntax To set information: gsrp <gsrp group id> no-flush-port To delete information: no gsrp <gsrp group id> no-flush-port Input mode (config-if) Parameters <gsrp group id> Sets a GSRP group ID.
  • Page 664: Gsrp Reset-Flush-Port

    27. GSRP gsrp reset-flush-port Specifies a port on which port resetting is used. Syntax To set information: gsrp <gsrp group id> reset-flush-port To delete information: no gsrp <gsrp group id> reset-flush-port Input mode (config-if) Parameters <gsrp group id> Sets a GSRP group ID. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 665: Layer3-Redundancy

    27. GSRP layer3-redundancy Enables the Layer 3 redundancy switching functionality for the target GSRP group. Syntax To set information: layer3-redundancy To delete information: no layer3-redundancy Input mode (config-gsrp) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 666: No-Neighbor-To-Master

    27. GSRP no-neighbor-to-master To allow a GSRP switch in backup (neighbor unknown) status to take over the master, you can choose whether to perform manual switchover (by entering a command that changes the Switch status to master status) or automatic switchover (when a direct-link port failure is detected). Syntax To set or change information: no-neighbor-to-master { manual | direct-down [forced-shift-time <seconds>] }...
  • Page 667 27. GSRP When the change is applied The change is applied immediately after setting values are changed. Notes If direct-down is set for the operation mode in which a GSRP switch changes from backup (neighbor unknown) status to master status, the Switch starts operating as the master when all ports specified for a direct link are in a fault state.
  • Page 668: Port-Up-Delay

    27. GSRP port-up-delay Specifies a time for delaying the inclusion of ports that have come up in the number of active ports. GSRP uses the number of active ports as the condition for selecting the master and backup switches. If ports become unstable (for example, ports are frequently enabled and disabled), the number of active ports changes frequently, leading to repeated switchovers between the master and backup switches.
  • Page 669: Reset-Flush-Time

    27. GSRP reset-flush-time Sets the port-down time to be applied when port resetting is used. Syntax To set or change information: reset-flush-time <seconds> To delete information: no reset-flush-time Input mode (config-gsrp) Parameters <seconds> Specifies the port-down time (in seconds) to be applied when port resetting is used. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 670: Selection-Pattern

    27. GSRP selection-pattern Specifies the precedence of the conditions for selecting the master and backup GSRP switches (number of active ports, priority, and switch MAC address). Syntax To set or change information: selection-pattern { ports-priority-mac | priority-ports-mac } To delete information: no selection-pattern Input mode (config-gsrp)
  • Page 671: Vlan-Group Disable

    27. GSRP vlan-group disable Disables the GSRP functionality for the specified VLAN group. Syntax To set information: vlan-group <vlan group id> disable To delete information: no vlan-group <vlan group id> disable Input mode (config-gsrp) Parameters <vlan group id> Specifies the ID of a VLAN group that operates under GSRP control. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 672: Vlan-Group Priority

    27. GSRP vlan-group priority Sets the priority of a VLAN group that operates under GSRP control. Syntax To set or change information: vlan-group <vlan group id> priority <priority> To delete information: no vlan-group <vlan group id> priority Input mode (config-gsrp) Parameters <vlan group id>...
  • Page 673: Vlan-Group Vlan

    27. GSRP vlan-group vlan Sets the VLANs participating in a VLAN group that operates under GSRP control. Syntax To set information: vlan-group <vlan group id> vlan <vlan id list> To change information: vlan-group <vlan group id> vlan { <vlan id list> | add <vlan id list> | remove <vlan id list> } To delete information: no vlan-group <vlan group id>...
  • Page 674 27. GSRP Range of values: For details about how to set <vlan id list> and the specifiable values, see Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The same VLAN cannot be designated in more than one VLAN group.
  • Page 675: Vrrp

    Chapter 28. VRRP track check-reply-interface track check-status-interval track check-trial-times track failure-detection-interval track failure-detection-times track interface track ip route track recovery-detection-interval track recovery-detection-times vrrp accept vrrp authentication vrrp ietf-ipv6-spec-07-mode vrrp ip vrrp ipv6 vrrp preempt vrrp preempt delay vrrp priority vrrp timers advertise vrrp timers non-preempt-swap vrrp track...
  • Page 676: Track Check-Reply-Interface

    28. VRRP track check-reply-interface Sets whether to check if the interface that received a reply to a VRRP polling request matches the interface that sent the VRRP polling request. Syntax To set information: track <track number> check-reply-interface To delete information: no track <track number>...
  • Page 677: Track Check-Status-Interval

    28. VRRP track check-status-interval Sets the interval for VRRP polling operations. Syntax To set or change information: track <track number> check-status-interval <seconds> To delete information: no track <track number> check-status-interval Input mode (config) Parameters <track number> Specifies the number of the track to which the setting is to be saved. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 678 28. VRRP track interface track ip route vrrp ip vrrp track...
  • Page 679: Track Check-Trial-Times

    28. VRRP track check-trial-times Sets the number of retries for VRRP polling to be attempted while checking whether an interface fault has occurred or whether the interface has recovered from a fault. Syntax To set or change information: track <track number> check-trial-times <count> To delete information: no track <track number>...
  • Page 680 28. VRRP ip address track interface track ip route vrrp ip vrrp track...
  • Page 681: Track Failure-Detection-Interval

    28. VRRP track failure-detection-interval Sets the interval for VRRP polling attempts to be performed during failure verification related to a failure monitoring interface. Syntax To set or change information: track <track number> failure-detection-interval <seconds> To delete information: no track <track number> failure-detection-interval Input mode (config) Parameters...
  • Page 682 28. VRRP track ip route vrrp ip vrrp track...
  • Page 683: Track Failure-Detection-Times

    28. VRRP track failure-detection-times Sets the maximum number of retries for VRRP polling to be successful during failure verification related to a failure monitoring interface. Syntax To set or change information: track <track number> failure-detection-times <count> To delete information: no track <track number> failure-detection-times Input mode (config) Parameters...
  • Page 684 28. VRRP track interface track ip route vrrp ip vrrp track...
  • Page 685: Track Interface

    28. VRRP track interface Specifies the interface used for failure monitoring. When you set VLAN failure monitoring, use this command to set whether to monitor only the interface status or to perform VRRP polling. Syntax To set information: track <track number> interface { vlan <vlan id> { line-protocol | ip routing } | <interface type>...
  • Page 686 28. VRRP <interface type> <interface number> Specifies the interface for failure monitoring. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: For <interface type> <interface number>, the following values can be set: - gigabitethernet <nif no.>/<port no.> - tengigabitethernet <nif no.>/<port no.>...
  • Page 687: Track Ip Route

    28. VRRP track ip route Sets the destination address for VRRP polling when VRRP polling is performed with a failure monitoring interface. Syntax To set or change information: track <track number> ip route {<ip address> | <ipv6 address>} reachability To delete information: no track <track number>...
  • Page 688 28. VRRP the configuration, and then set the configuration again. Related commands ip address track interface vrrp ip vrrp track...
  • Page 689: Track Recovery-Detection-Interval

    28. VRRP track recovery-detection-interval Sets the interval for VRRP polling attempts to be performed during failure recovery verification related to a failure monitoring interface. Syntax To set or change information: track <track number> recovery-detection-interval <seconds> To delete information: no track <track number> recovery-detection-interval [<seconds>] Input mode (config) Parameters...
  • Page 690 28. VRRP track ip route vrrp ip vrrp track...
  • Page 691: Track Recovery-Detection-Times

    28. VRRP track recovery-detection-times Sets the maximum number of retries for VRRP polling to be successful during failure recovery verification related to a failure monitoring interface. Syntax To set or change information: track <track number> recovery-detection-times <count> To delete information: no track <track number>...
  • Page 692 28. VRRP track interface track ip route vrrp ip vrrp track...
  • Page 693: Vrrp Accept

    28. VRRP vrrp accept Configures a virtual router in accept mode. If accept mode is enabled by this command, a virtual router in the master state can receive IP packets even if the router is not the owner of the IP address. Syntax To set information: vrrp <vrid>...
  • Page 694: Vrrp Authentication

    28. VRRP vrrp authentication Sets the password used for advertisement packet authentication on a virtual router. Syntax To set or change information: vrrp <vrid> authentication <text> To delete information: no vrrp <vrid> authentication Input mode (config-if) Parameters <vrid> Specifies the virtual router ID. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 695: Vrrp Ietf-Ipv6-Spec-07-Mode

    28. VRRP vrrp ietf-ipv6-spec-07-mode Sets an IPv6 virtual router to operate in the mode according to draft-ietf-vrrp-ipv6-spec-07. This command is valid when an IPv6 virtual router has been set. Syntax To set information: vrrp <vrid> ietf-ipv6-spec-07-mode To delete information: no vrrp <vrid> ietf-ipv6-spec-07-mode Input mode (config-if) Parameters...
  • Page 696: Vrrp Ip

    28. VRRP vrrp ip Assigns an IPv4 address to a virtual router. Syntax To set or change information: vrrp <vrid> ip <ip address> To delete information: no vrrp <vrid> ip Input mode (config-if) Parameters <vrid> Specifies the virtual router ID. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 697: Vrrp Ipv6

    28. VRRP vrrp ipv6 Assigns an IPv6 address to a virtual router. Syntax To set or change information: vrrp <vrid> ipv6 <ipv6 address> To delete information: no vrrp <vrid> ipv6 Input mode (config-if) Parameters <vrid> Specifies the virtual router ID. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 698: Vrrp Preempt

    28. VRRP vrrp preempt Sets automatic switchbacks for a virtual router. When automatic switchbacks are enabled, if a virtual router detects a master router that has a lower priority than itself, the virtual router automatically takes over the master router. Syntax To set information: no vrrp <vrid>...
  • Page 699: Vrrp Preempt Delay

    28. VRRP vrrp preempt delay Sets a period of time for suppressing automatic switchbacks. If automatic switchbacks are enabled, switchback processing is suppressed for the specified period of time before it is processed. Syntax To set or change information: vrrp <vrid> preempt delay <seconds> To delete information: no vrrp <vrid>...
  • Page 700: Vrrp Priority

    28. VRRP vrrp priority Sets the priority of a virtual router. Syntax To set or change information: vrrp <vrid> priority <priority> To delete information: no vrrp <vrid> priority Input mode (config-if) Parameters <vrid> Specifies the virtual router ID. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 701: Vrrp Timers Advertise

    28. VRRP vrrp timers advertise Sets the sending interval of advertisement packets to be sent by a virtual router. Syntax To set or change information: vrrp <vrid> timers advertise <seconds> To delete information: no vrrp <vrid> timers advertise Input mode (config-if) Parameters <vrid>...
  • Page 702: Vrrp Timers Non-Preempt-Swap

    28. VRRP vrrp timers non-preempt-swap Sets the switchback suppression time to be applied when switchback processing is performed while automatic switchbacks are suppressed. Syntax To set or change information: vrrp <vrid> timers non-preempt-swap <seconds> To delete information: no vrrp <vrid> timers non-preempt-swap Input mode (config-if) Parameters...
  • Page 703: Vrrp Track

    28. VRRP vrrp track Allocates a failure monitoring interface (track) to a virtual router. Syntax To set or change information: vrrp <vrid> track <track number> [{ priority | decrement } <priority>] To delete information: no vrrp <vrid> track <track number> Input mode (config-if) Parameters...
  • Page 704 28. VRRP When decrement <priority> is specified, the specifiable range for the value to be subtracted from the priority value is from 1 to 255. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes The vrrp track priority command can allocate one failure monitoring interface per virtual...
  • Page 705: Uplink Redundancy

    Chapter 29. Uplink Redundancy switchport backup flush-request transmit switchport backup interface switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update transmit switchport-backup startup-active-port-selection...
  • Page 706: Switchport Backup Flush-Request Transmit

    29. Uplink Redundancy switchport backup flush-request transmit Enables the sending of flush control frames to upstream switches at switchover or switchback to request that the upstream switches clear their MAC address tables. This command takes effect when it is set for the primary port. Syntax To set or change information: switchport backup flush-request transmit [vlan <vlan id>]...
  • Page 707: Switchport Backup Interface

    29. Uplink Redundancy switchport backup interface Sets a primary port and a secondary port for uplink redundancy and the automatic switchback time. Syntax To set or change information: switchport backup interface <interface type> <interface number> [preemption-delay <seconds>] To delete information: no switchport backup interface Input mode (config-if)
  • Page 708 29. Uplink Redundancy Notes If this function is disabled, the ports in the standby state are also enabled for communication. This might cause loops. Shut down the primary port or the secondary port to prevent loops, and then disable this function. You cannot specify an Ethernet interface that is part of a channel group as the primary port or the secondary port.
  • Page 709: Switchport Backup Mac-Address-Table Update Exclude-Vlan

    29. Uplink Redundancy switchport backup mac-address-table update exclude-vlan Sets the VLAN to be excluded when sending MAC address update frames. Syntax To set information: switchport backup mac-address-table update exclude-vlan <vlan id list> To change information: switchport backup mac-address-table update exclude-vlan {<vlan id list> | add <vlan id list> | remove <vlan id list>} To delete information: no switchport backup mac-address-table update exclude-vlan...
  • Page 710 29. Uplink Redundancy Impact on communication None When the change is applied The change is applied immediately after setting values are changed. However, a change in the <vlan id list> value is applied the next time a switch or switchback is performed. Notes Setting the command enables...
  • Page 711: Switchport Backup Mac-Address-Table Update Transmit

    29. Uplink Redundancy switchport backup mac-address-table update transmit Enables the sending of MAC address update frames and sets the number of times the frames are sent to request that the upstream switches update their MAC address tables. Syntax To set or change information: switchport backup mac-address-table update transmit [count <count>] To delete information: no switchport backup mac-address-table update transmit...
  • Page 712: Switchport-Backup Startup-Active-Port-Selection

    29. Uplink Redundancy switchport-backup startup-active-port-selection Enables active port locking at Switch startup. Syntax To set information: switchport-backup startup-active-port-selection primary-only To delete information: no switchport-backup startup-active-port-selection Input mode (config) Parameters primary-only Sets only the primary port as the active port at Switch startup. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 713: Part 11: High Reliability Based On Network Failure Detection

    PART 11: High Reliability Based on Network Failure Detection Chapter 30. IEEE 802.3ah/UDLD efmoam active efmoam disable efmoam udld-detection-count...
  • Page 714: Efmoam Active

    30. IEEE 802.3ah/UDLD efmoam active Sets the port to be monitored by the IEEE 802.3ah/OAM functionality to active mode. Syntax To set or change information: efmoam active [udld] To delete information: no efmoam active Input mode (config-if) Parameters udld Specifies that the port be monitored using the IEEE 802.3ah/UDLD functionality and enables the unidirectional link failure detection functionality.
  • Page 715: Efmoam Disable

    30. IEEE 802.3ah/UDLD efmoam disable Enables or disables the IEEE 802.3ah/OAM functionality on a switch. To disable the IEEE 802.3ah/OAM functionality, set the efmoam disable command. To enable the IEEE 802.3ah/OAM functionality again, set the no efmoam disable command. In passive mode, the send process starts when an OAMPDU from the active mode is received. Syntax To set information: efmoam disable...
  • Page 716: Efmoam Udld-Detection-Count

    30. IEEE 802.3ah/UDLD efmoam udld-detection-count Sets the number of OAMPDU response timeouts that must occur to recognize a failure. (The OAMPDU is a monitoring packet of the IEEE 802.3ah/UDLD functionality.) Syntax To set or change information: efmoam udld-detection-count <count> To delete information: no efmoam udld-detection-count Input mode (config)
  • Page 717: Storm Control

    Chapter 31. Storm Control storm-control...
  • Page 718: Storm-Control

    31. Storm Control storm-control Configures the storm control functionality. This functionality sets the threshold of frames to be flooded and received by a Switch. When a broadcast storm or another problem occurs, the flooded frames exceeding the threshold are discarded. As a result, network load and Switch load decrease. When the received frame rate exceeds the threshold and the Switch detects a storm, the Switch can deactivate the port, issue an SNMP trap, and display a log message.
  • Page 719 31. Storm Control The storm control functionality is not set. level pps <packet/s> Specifies the threshold value for the number of received frames subject to storm control. Frames exceeding the threshold are discarded. If 0 is set, all applicable frames are discarded. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 720 31. Storm Control is deactivated, use the activate operation command to activate the port. If a storm is detected and a port is deactivated, no frames are received. In this state, the end of the storm cannot be detected. When using SNMP traps, you must use the snmp-server host command to set the destination for the traps.
  • Page 721: L2 Loop Detection

    Chapter 32. L2 Loop Detection loop-detection loop-detection auto-restore-time loop-detection enable loop-detection hold-time loop-detection interval-time loop-detection threshold...
  • Page 722: Loop-Detection

    32. L2 Loop Detection loop-detection Sets the port type for the L2 loop detection functionality. Syntax To set or change information: loop-detection {send-inact-port | send-port | uplink-port | exception-port} To delete information: no loop-detection Input mode (config-if) Parameters {send-inact-port | send-port | uplink-port | exception-port} send-inact-port Sets a port as a detecting and blocking port.
  • Page 723 32. L2 Loop Detection • The number of L2 loop detection frames received until the port is deactivated • Time before automatic-restoration is performed Even if the port type is changed, the statistics for sending and receiving L2 loop detection frames for each port are not cleared.
  • Page 724: Loop-Detection Auto-Restore-Time

    32. L2 Loop Detection loop-detection auto-restore-time Sets the time (in seconds) until a deactivated port is activated automatically. Syntax To set or change information: loop-detection auto-restore-time <seconds> To delete information: no loop-detection auto-restore-time Input mode (config) Parameters <seconds> Sets the time (in seconds) until a deactivated port is activated automatically. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 725: Loop-Detection Enable

    32. L2 Loop Detection loop-detection enable Enables the L2 loop detection functionality. Syntax To set information: loop-detection enable To delete information: no loop-detection enable Input mode (config) Parameters None Default behavior The L2 loop detection functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 726: Loop-Detection Hold-Time

    32. L2 Loop Detection loop-detection hold-time Specifies the time (in seconds) that the number of received L2 loop detection frames is held before a port is changed to the inactive status. After an L2 loop detection frame is received, if the L2 loop detection hold time elapses without another L2 loop detection frame being received, the L2 loop detection frame count associated with the port is cleared.
  • Page 727: Loop-Detection Interval-Time

    32. L2 Loop Detection loop-detection interval-time Sets the interval for sending L2 loop detection frames. Syntax To set or change information: loop-detection interval-time <seconds> To delete information: no loop-detection interval-time Input mode (config) Parameters <seconds> Specifies the interval (in seconds) for sending L2 loop detection frames. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 728: Loop-Detection Threshold

    32. L2 Loop Detection loop-detection threshold Sets the number of received L2 loop detection frames before a port is deactivated. Syntax To set or change information: loop-detection threshold <count> To delete information: no loop-detection threshold Input mode (config) Parameters <count> Specifies the number of L2 loop detection frames that must be received before a port is deactivated.
  • Page 729: Cfm

    Chapter 33. CFM domain name ethernet cfm cc alarm-priority ethernet cfm cc alarm-reset-time ethernet cfm cc alarm-start-time ethernet cfm cc enable ethernet cfm cc interval ethernet cfm domain ethernet cfm enable (global) ethernet cfm enable (interface) ethernet cfm mep ethernet cfm mip ma name ma vlan-group...
  • Page 730: Domain Name

    33. CFM domain name Sets the name used for a domain. Syntax To set or change information: domain name {no-present | str <strings> | dns <name> | mac <mac> <id>} To delete information: no domain name Input mode (config-ether-cfm) Parameters {no-present | str <strings>...
  • Page 731 33. CFM When the change is applied The change is applied immediately after setting values are changed. Notes When a parameter other than no-present has been specified, if a character string with more than 43 characters is specified for the <strings>...
  • Page 732: Ethernet Cfm Cc Alarm-Priority

    33. CFM ethernet cfm cc alarm-priority Sets the failure level detected by the CC functionality. A failure that exceeds the set failure level is to be detected. Syntax To set or change information: ethernet cfm cc level <level> ma <no.> alarm-priority <priority> To delete information: no ethernet cfm cc level <level>...
  • Page 733 33. CFM Value set Failure type Display in a command Failure description DefMACstatus PortState A received CCM has information about whether a port or interface is in the down state. DefRemoteCCM Timeout A CCM from a remote MEP has timed out. DefErrorCCM ErrorCCM A MEP configuration error has...
  • Page 734: Ethernet Cfm Cc Alarm-Reset-Time

    33. CFM ethernet cfm cc alarm-reset-time If CC detects repeated failures, this sets the time interval within which the CC functionality recognizes that this is a redetected failure. After detecting a failure, if another failure is detected within the time interval set by using this command, the failure is treated as a redetected failure and no trap is sent.
  • Page 735 33. CFM set to 10000 milliseconds. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm cc enable ethernet cfm domain ma name ma vlan-group...
  • Page 736: Ethernet Cfm Cc Alarm-Start-Time

    33. CFM ethernet cfm cc alarm-start-time Sets the time from the point at which CC detects a failure until it sends a trap. Syntax To set or change information: ethernet cfm cc level <level> ma <no.> alarm-start-time <time> To delete information: no ethernet cfm cc level <level>...
  • Page 737 33. CFM When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm cc enable ethernet cfm domain ma name ma vlan-group...
  • Page 738: Ethernet Cfm Cc Enable

    33. CFM ethernet cfm cc enable Sets, in a domain, an MA in which the CC functionality is used. If the ethernet cfm mep command has already been set, sending of CCMs from the applicable port starts. Syntax To set information: ethernet cfm cc level <level>...
  • Page 739 33. CFM ma vlan-group...
  • Page 740: Ethernet Cfm Cc Interval

    33. CFM ethernet cfm cc interval Sets the CCM transmission interval for a target MA. Syntax To set or change information: ethernet cfm cc level <level> ma <no.> interval {1s | 10s | 1min | 10min} To delete information: no ethernet cfm cc level <level> ma <no.> interval Input mode (config) Parameters...
  • Page 741 33. CFM 1min, or 10min Default behavior 1min is used as the interval for sending CCMs. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes If the interval for sending CCMs is set to a shorter value than the initial value, the CPU usage of the device becomes higher, which might affect communication.
  • Page 742: Ethernet Cfm Domain

    33. CFM ethernet cfm domain Sets a domain. Executing this command switches to config-ether-cfm mode, in which the domain name and MA can be set. Syntax To set information: ethernet cfm domain level <level> [direction-up] To delete information: no ethernet cfm domain level <level> Input mode (config) Parameters...
  • Page 743 33. CFM Related commands domain name ethernet cfm cc enable ma name ma vlan-group...
  • Page 744: Ethernet Cfm Enable (Global)

    33. CFM ethernet cfm enable (global) Starts CFM. Syntax To set information: ethernet cfm enable To delete information: no ethernet cfm enable Input mode (config) Parameters None Default behavior CFM does not operate even if another CFM command has been set. Impact on communication None When the change is applied...
  • Page 745: Ethernet Cfm Enable (Interface)

    33. CFM ethernet cfm enable (interface) When no ethernet cfm enable is set, CFM PDU transmission processing on the applicable port or the applicable port channel stops. Syntax To set information: no ethernet cfm enable To delete information: ethernet cfm enable Input mode (config-if) Parameters...
  • Page 746: Ethernet Cfm Mep

    33. CFM ethernet cfm mep Sets an MEP used by the CFM functionality. Syntax To set information: ethernet cfm mep level <level> ma <no.> mep-id <mepid> [{down | up}] To delete information: no ethernet cfm mep level <level> ma <no.> mep-id <mepid> Input mode (config-if) Parameters...
  • Page 747 33. CFM Default value when this parameter is omitted: When direction-up has been set by using the ethernet cfm domain command, Up MEP is used. If it has not been set, Down MEP is used. Range of values: down Default behavior None Impact on communication None...
  • Page 748: Ethernet Cfm Mip

    33. CFM ethernet cfm mip Sets an MIP used by the CFM functionality. Syntax To set information: ethernet cfm mip level <level> To delete information: no ethernet cfm mip level <level> Input mode (config-if) Parameters level <level> Specifies the domain level that has been set by using the command.
  • Page 749: Ma Name

    33. CFM ma name Sets the name of an MA to be used in the applicable domain. Syntax To set or change information: ma <no.> name {str <strings> | vlan <vlan id>} To delete information: no ma <no.> name Input mode (config-ether-cfm) Parameters <no.>...
  • Page 750 33. CFM Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
  • Page 751: Ma Vlan-Group

    33. CFM ma vlan-group Sets the VLAN belonging to the MA used in a domain. Syntax To set or change information: ma <no.> vlan-group <vlan id list> [primary-vlan <vlan id>] To delete information: no ma <no.> vlan-group Input mode (config-ether-cfm) Parameters <no.>...
  • Page 752 33. CFM When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands ethernet cfm domain...
  • Page 753: Part 12: Remote Network Management

    PART 12: Remote Network Management Chapter 34. SNMP hostname rmon alarm rmon collection history rmon event snmp-server community snmp-server contact snmp-server engineID local snmp-server group snmp-server host snmp-server informs snmp-server location snmp-server traps snmp-server user snmp-server view snmp trap link-status...
  • Page 754: Hostname

    34. SNMP hostname Sets the identification name of a Switch. Syntax To set or change information: hostname <name> To delete information: no hostname Input mode (config) Parameters <name> The identification name of a Switch. Set a name that is unique in the network that will be used. This information can be referenced by using the name set in [sysName] in the system group...
  • Page 755: Rmon Alarm

    34. SNMP rmon alarm Sets the control information for the RMON (RFC 1757) alarm group. This command can configure a maximum of 128 entries. Syntax To set or change information: rmon alarm <number> <variable> <interval> {delta | absolute} rising-threshold <value> rising-event-index <event no.>...
  • Page 756 34. SNMP the current value and the value of the last sampling is compared with the threshold. If absolute is specified, the current value is compared directly with the threshold. This parameter is equivalent to alarmSampleType defined in RFC 1757. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 757 34. SNMP Specifies the identification information of the person who specified this setting. This information is used to identify the person who specified this setting. This parameter is equivalent to alarmOwner defined in RFC 1757. Default value when this parameter is omitted: NULL Range of values: Enclose a character string of no more than 24 characters in double quotation marks (").
  • Page 758 34. SNMP If the set interval value is too large, is returned for the time being until alarmStatus valid(1) changes from (as a guide, it takes time of about half of the interval valid(1) invalid(4) value). Related commands snmp-server host rmon event...
  • Page 759: Rmon Collection History

    34. SNMP rmon collection history Configures the control information for the RMON (RFC 1757) Ethernet statistics history. Syntax To set or change information: rmon collection history controlEntry <integer> [owner <owner name>] [buckets <bucket number>] [interval <seconds>] To delete information: no rmon collection history controlEntry <integer> Input mode (config-if) Parameters...
  • Page 760 34. SNMP Specifies the time interval (in seconds) for collecting statistics information. This parameter is equivalent to historyControlInterval defined in RFC 1757. Default value when this parameter is omitted: 1800 Range of values: 1 to 3600 Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 761: Rmon Event

    34. SNMP rmon event Sets the control information for an RMON (RFC 1757) event group. This command can configure a maximum of 16 entries. Syntax To set or change information: rmon event <event no.> [log] [trap <community>] [description <string>] [owner <string>] To delete information: no rmon event <event no.>...
  • Page 762 34. SNMP Uses a character string to specify the description of an event. Use this parameter as a note regarding the event. This parameter is equivalent to eventDescription defined in RFC 1757. Default value when this parameter is omitted: Blank Range of values: Enclose a character string of no more than 79 characters in double quotation marks (").
  • Page 763 34. SNMP of the operation will not be applied to the configuration. Related commands snmp-server host rmon alarm...
  • Page 764: Snmp-Server Community

    34. SNMP snmp-server community Sets the access list for the SNMP community. A maximum of 50 addresses can be registered by this command. Syntax To set or change information: snmp-server community <community> [{ ro | rw }] [{<access list number> | <access list name>}] To delete information: no snmp-server community <community>...
  • Page 765 34. SNMP decimal). For <access list name>, specify a name that is no more than 31 characters. For details, see Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands...
  • Page 766: Snmp-Server Contact

    34. SNMP snmp-server contact Sets the contact information of the Switch. Syntax To set or change information: snmp-server contact <contact> To delete information: no snmp-server contact Input mode (config) Parameters <contact> Sets the contact information for the Switch used when a failure occurs on the Switch. This information can be referenced by using the name set in [sysContact] of the system group for...
  • Page 767: Snmp-Server Engineid Local

    34. SNMP snmp-server engineID local Sets SNMP engine ID information. Syntax To set or change information: snmp-server engineID local <engineid string> To delete information: no snmp-server engineID local Input mode (config) Parameters <engineid string> Sets an SNMP engine ID. The SNMP engine ID value set for a Switch is as follows: 1st to 4th octets: A value obtained by the OR bit of an enterprise code and 0x80000000 5th octet: Fixed value of...
  • Page 768 34. SNMP When the change is applied The change is applied immediately after setting values are changed. Notes If many users (a maximum of 50 users) are set by using the snmp-server user command, setting, changing, or deleting the snmp-server engineID local command takes a maximum of 20 seconds.
  • Page 769: Snmp-Server Group

    34. SNMP snmp-server group Sets SNMP security group information. Security level information and access control information consisting of the SNMP view information set by the snmp-server view command are grouped. A maximum of 50 group names can be set by this command. Syntax To set or change information: snmp-server group <group name>...
  • Page 770 34. SNMP - GetNextRequest-PDU - GetBulkRequest-PDU Default value when this parameter is omitted: The read access permission is not granted. Range of values: Enclose a character string of no more than 32 characters in double quotation marks ("). Specifiable characters are alphanumeric characters and special characters. To enter a character string that does not include any special characters such as a space, you do not need to enclose the character string in double quotation marks (").
  • Page 771 34. SNMP information set by this command is invalid. Related commands snmp-server engineID local snmp-server view snmp-server user snmp-server host...
  • Page 772: Snmp-Server Host

    34. SNMP snmp-server host Registers the network management switch (SNMP manager) to which traps or informs are sent. This command can configure a maximum of 50 entries. Syntax To set or change information: snmp-server host <manager address> { traps | informs } <string> [version { 1 | 2c | 3 { noauth | auth | priv } }] [snmp] [{ospf_state | ospf_state_private }] [{ ospf_error | ospf_error_private }] [bgp] [vrrp] [rmon] [oadp] [air-fan] [power] [login] [memory] [system-msg] [temperature] [gsrp] [axrp] [frame_error_snd] [frame_error_rcv] [poe]...
  • Page 773 34. SNMP Specifiable characters are alphanumeric characters and special characters. To enter a character string that does not include any special characters such as a space, you do not need to enclose the character string in double quotation marks ("). For details, see Any character string in Specifiable values for parameters.
  • Page 774 [AX3640S] ax3630sAirFanStopTrap [AX3630S] power ax3640sPowerSupplyFailureTrap [AX3640S] ax3630sPowerSupplyFailureTrap [AX3630S] login ax3640sLoginSuccessTrap [AX3640S] ax3630sLoginSuccessTrap [AX3630S] ax3640sLoginFailureTrap [AX3640S] ax3630sLoginFailureTrap [AX3630S] ax3640sLogoutTrap [AX3640S] ax3630sLogoutTrap [AX3630S] memory ax3640sMemoryUsageTrap [AX3640S] ax3630sMemoryUsageTrap [AX3630S]...
  • Page 775 34. SNMP Parameter Traps and informs frame_error_rcv ax3640sFrameErrorReceiveTrap [AX3640S] ax3630sFrameErrorReceiveTrap [AX3630S] poe [AX3630S] pethPsePortOnOffNotification pethMainPowerUsageOnNotification pethMainPowerUsageOffNotification storm-control ax3640sBroadcastStormDetectTrap [AX3640S] ax3630sBroadcastStormDetectTrap [AX3630S] ax3640sMulticastStormDetectTrap [AX3640S] ax3630sMulticastStormDetectTrap [AX3630S] ax3640sUnicastStormDetectTrap [AX3640S] ax3630sUnicastStormDetectTrap [AX3630S] ax3640sBroadcastStormPortInactivateTrap [AX3640S] ax3630sBroadcastStormPortInactivateTrap [AX3630S] ax3640sMulticastStormPortInactivateTrap [AX3640S] ax3630sMulticastStormPortInactivateTrap [AX3630S] ax3640sUnicastStormPortInactivateTrap [AX3640S] ax3630sUnicastStormPortInactivateTrap [AX3630S]...
  • Page 776 34. SNMP Parameter Traps and informs policy-base axsPolicyBaseRoutingRouteChange [AX3640S] [OS-L3A] track-object axsTrackObjectStateChange [AX3640S] [OS-L3A] snmp coldStart, warmStart, linkDown, linkUp, and authenticationFailure traps or informs are sent. { ospf_state | ospf_state_private } Sends a trap or an inform for notifying a change in the OSPF status. If ospf_state is specified, a standard trap or inform that complies with the RFC is issued.
  • Page 777 34. SNMP Table 34-3: Traps and informs to be issued for each parameter (Notifying reception of an OSPF error packet) Parameter Traps and informs to be issued ospf_error Domain with the smallest domain number: • ospfIfConfigError • ospfVirtIfConfigError • ospfIfAuthFailure •...
  • Page 778 A trap or an inform is issued when the status of a gateway that uses dynamic monitoring for static routing changes. policy-base [AX3640S] [OS-L3A] A trap is sent when the routing information for policy-based routing has changed. track-object [AX3640S] [OS-L3A] A private MIB trap is sent when the track status of the tracking function for policy-based routing has changed.
  • Page 779 34. SNMP Notes For the list of supported MIBs and supported traps, see the manual MIB Reference For Version 11.7. When has been set for the version, if a security user name that has not been set in the snmp-server user command is set by this command, the security user information set in this command is invalid.
  • Page 780: Snmp-Server Informs

    34. SNMP snmp-server informs Sets the conditions for sending informs. This setting is valid for SNMP managers for which the informs parameter of the snmp-server host command is set. Syntax To set or change information: snmp-server informs [retries <retries>] [timeout <seconds>] [pending <pending>] To delete information: no snmp-server informs Input mode...
  • Page 781 34. SNMP When the change is applied The change is applied immediately after setting values are changed. Notes None Related commands snmp-server host...
  • Page 782: Snmp-Server Location

    34. SNMP snmp-server location Sets the name of the location where the Switch is installed. Syntax To set or change information: snmp-server location <location> To delete information: no snmp-server location Input mode (config) Parameters <location> Sets the name of the location where the Switch is installed. This information can be referenced by using the name set in [sysLocation] of the system group for inquiries from the SNMP...
  • Page 783: Snmp-Server Traps

    34. SNMP snmp-server traps Sets the timing for issuing a trap or an inform. Syntax To set or change information: snmp-server traps [{ limited_coldstart_trap | unlimited_coldstart_trap }] [link_trap_bind_info { private | standard }] [system_msg_trap_level <level>] [agent-address <agent address>] To delete information: no snmp-server traps Input mode (config)
  • Page 784 34. SNMP private standard system_msg_trap_level <level> Specifies the level of sending system message traps among private traps or informs (in decimal). Traps are issued when an event whose level is equal to or higher than the specified level occurs. The following table describes the overview of the system message traps to be issued for each level specified by this command.
  • Page 785: Snmp-Server User

    34. SNMP snmp-server user Sets SNMP security user information. The user information created by this command is to be used in the snmp-server group command and the snmp-server host command. This command can configure a maximum of 50 entries. This command configures the authentication protocol and the encryption protocol. You can configure the encryption protocol after the authentication protocol has been configured.
  • Page 786 34. SNMP character string in Specifiable values for parameters. v3 [auth { md5 | sha } <authentication password> [priv des <privacy password>]] auth { md5 | sha } <authentication password> Specifies the authentication protocol and the authentication password. md5: HMAC-MD5 is used for the authentication protocol. sha: HMAC-SHA1 is used for the authentication protocol.
  • Page 787: Snmp-Server View

    34. SNMP snmp-server view Sets MIB view information. The MIB view information is used to check the object ID for Variable Bindings contained in SNMP PDUs. The MIB view consists of one subtree or multiple subtrees. A subtree is set by the combination of the object ID and view type. The MIB view created by this command is to be used in the command.
  • Page 788 34. SNMP Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify either included excluded Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes When you change or delete information, if a wildcard ( ) is specified for a sub-ID for <oid...
  • Page 789: Snmp Trap Link-Status

    34. SNMP snmp trap link-status Prevents a trap or an inform (linkDown linkUp traps) from being sent when a link-up failure or a link-down failure occurs on a line. Syntax To set information: no snmp trap link-status To delete information: snmp trap link-status Input mode (config-if)
  • Page 791: Log Data Output Functionality

    Chapter 35. Log Data Output Functionality logging email logging email-event-kind logging email-from logging email-interval logging email-server logging event-kind logging facility logging host logging syslog-dump logging trap...
  • Page 792: Logging Email

    35. Log Data Output Functionality logging email Sets the email address to which log information is output as an email. This command can configure a maximum of 64 entries. Syntax To set information: logging email <e-mail address> To delete information: no logging email <e-mail address>...
  • Page 793 35. Log Data Output Functionality ip domain name ip name-server ip domain lookup...
  • Page 794: Logging Email-Event-Kind

    Specifies the event type of the log information to be output. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify , or . [AX3640S] [OS-L3A] Default behavior is set as the event type. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 795: Logging Email-From

    35. Log Data Output Functionality logging email-from Sets the sender of the log information output as an email. Syntax To set or change information: logging email-from <e-mail address> To delete information: no logging email-from Input mode (config) Parameters <e-mail address> Specifies the source email address.
  • Page 796: Logging Email-Interval

    35. Log Data Output Functionality logging email-interval Sets the interval for sending output log information as an email. Syntax To set or change information: logging email-interval <seconds> To delete information: no logging email-interval Input mode (config) Parameters <seconds> Specifies the interval for sending emails. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 797: Logging Email-Server

    35. Log Data Output Functionality logging email-server Sets the SMTP server information for outputting log information as an email. This command can configure a maximum of 16 entries. Syntax To set information: logging email-server {<host name> | <ip address>} [port <port number>] To delete information: no logging email-server {<host name>...
  • Page 798 35. Log Data Output Functionality This functionality can use IPv4 only. Therefore, if you specify as the SMTP server the name of a host that has only an IPv6 address set by using the ipv6 host command, emails sent to the server will be discarded.
  • Page 799: Logging Event-Kind

    Specifies the event type of the log information to be output. Default value when this parameter is omitted: This parameter cannot be omitted. Range of values: Specify , or . [AX3640S] [OS-L3A] Default behavior is set as the event type. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 800: Logging Facility

    35. Log Data Output Functionality logging facility Sets a facility to which log information is output via the syslog interface. Syntax To set or change information: logging facility <facility> To delete information: no logging facility Input mode (config) Parameters <facility> Specifies the facility for syslog.
  • Page 801: Logging Host

    35. Log Data Output Functionality logging host Sets the output destination for log information. The command can configure up to 20 entries. Syntax To set information: logging host { <host name> | <ip address> | <ipv6 address> } [no-date-info] To delete information: no logging host { <host name>...
  • Page 802 35. Log Data Output Functionality When the change is applied The change is applied immediately after setting values are changed. Notes To use the syslog functionality, a syslog daemon program must be running on the destination host and the host must be configured so that it can receive the syslog information from the Switch.
  • Page 803: Logging Syslog-Dump

    35. Log Data Output Functionality logging syslog-dump Configures the settings so that log data generated on a switch is not stored in the internal flash memory. Syntax To set information: no logging syslog-dump To delete information: logging syslog-dump Input mode (config) Parameters None...
  • Page 804: Logging Trap

    35. Log Data Output Functionality logging trap Sets the level of importance for log information to be sent to the syslog server. Syntax To set or change information: logging trap { <level> | <keyword> } To delete information: no logging trap Input mode (config) Parameters...
  • Page 805 35. Log Data Output Functionality Related commands logging host...
  • Page 807: Sflow Statistics

    Chapter 36. sFlow Statistics sflow destination sflow extended-information-type sflow forward egress sflow forward ingress sflow max-header-size sflow max-packet-size sflow packet-information-type sflow polling-interval sflow sample sflow source sflow url-port-add sflow version...
  • Page 808: Sflow Destination

    36. sFlow Statistics sflow destination Specifies the IP address of the collector, which is the destination for sFlow packets. Syntax To set information: sflow destination { <ip address> | <ipv6 address> } [<udp port>] To delete information: no sflow destination { <ip address> | <ipv6 address> } [<udp port>] Input mode (config) Parameters...
  • Page 809: Sflow Extended-Information-Type

    36. sFlow Statistics sflow extended-information-type Sets whether to send flow samples in an extended data format. Syntax To set or change information: sflow extended-information-type { [switch] [router] [gateway] [user] [url] | none } To delete information: no sflow extended-information-type Input mode (config) Parameters { [switch] [router] [gateway] [user] [url] | none }...
  • Page 810 36. sFlow Statistics Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes Any new setting of this command overwrites the old setting. If you want to change a parameter, enter all the necessary parameter values at the same time when you set this command.
  • Page 811: Sflow Forward Egress

    You cannot set this command for the following models: • AX3640S-48TW and AX3640S-48T2XW • AX3630S-48TW and AX3630S-48T2XW Related commands sflow forward ingress...
  • Page 812: Sflow Forward Ingress

    36. sFlow Statistics sflow forward ingress Causes the received traffic of the specified port to be monitored by the sFlow statistics functionality. Syntax To set information: sflow forward ingress To delete information: no sflow forward ingress Input mode (config-if) Parameters None Default behavior None...
  • Page 813: Sflow Max-Header-Size

    36. sFlow Statistics sflow max-header-size If the header type is used for the basic data format (see the sflow packet-information-type command), sets the maximum size from the beginning of the sample packet to be copied. Syntax To set or change information: sflow max-header-size <bytes>...
  • Page 814: Sflow Max-Packet-Size

    36. sFlow Statistics sflow max-packet-size Specifies the maximum size of an sFlow packet. Syntax To set or change information: sflow max-packet-size <bytes> To delete information: no sflow max-packet-size Input mode (config) Parameters <bytes> Specifies the maximum size of an sFlow packet (in bytes). Specify a value equal to or smaller than the MTU length value (in bytes) assigned to the interface from which the sFlow packet is to be sent to the collector.
  • Page 815: Sflow Packet-Information-Type

    36. sFlow Statistics sflow packet-information-type Sets the basic data format of the flow sample. Syntax To set information: sflow packet-information-type ip To delete information: no sflow packet-information-type Input mode (config) Parameters Sets the basic data format of the flow sample. When has been specified, flow samples are sent to the collector in IPv4 format if the applicable packet is an IPv4 packet, or in IPv6 format if the applicable packet is an IPv6...
  • Page 816: Sflow Polling-Interval

    36. sFlow Statistics sflow polling-interval Specifies the interval for sending counter samples to the collector. Syntax To set or change information: sflow polling-interval <seconds> To delete information: no sflow polling-interval Input mode (config) Parameters <seconds> Specifies the interval for sending counter samples to the collector (in seconds). If 0 second is specified, counter samples are not sent to the collector.
  • Page 817: Sflow Sample

    36. sFlow Statistics sflow sample Specifies the sampling interval applying to the Switch. Syntax To set or change information: sflow sample <sample count> To delete information: no sflow sample Input mode (config) Parameters <sample count> Specifies the sampling interval (in the unit of packets) that applies to the Switch. The sampling probability is one packet (sampled) per sampling interval.
  • Page 818 36. sFlow Statistics Total PPS Sampling interval to be used as a guideline Example implementation to be used as a guideline Up to 3.2 Mpps 32768 Up to 6.4 Mpps 65536 10-Gbit/s Ethernet x 1 Up to 13 Mpps 131072 Up to 26 Mpps 262144 1-Gbit/s Ethernet x 48...
  • Page 819 36. sFlow Statistics Notes None Related commands None...
  • Page 820: Sflow Source

    36. sFlow Statistics sflow source Specifies the IP address to be configured as the sFlow packet source (agent). Syntax To set or change information: sflow source { <ip address> | <ipv6 address> } To delete information: no sflow source { <ip address> | <ipv6 address> } Input mode (config) Parameters...
  • Page 821: Sflow Url-Port-Add

    36. sFlow Statistics sflow url-port-add When URL information is used in the extended data format, sets the port number used for HTTP packets to a port number other than 80. Syntax To set or change information: sflow url-port-add <url port> To delete information: no sflow url-port-add Input mode...
  • Page 822: Sflow Version

    36. sFlow Statistics sflow version Sets the version of the sFlow packet to be sent. Syntax To set information: sflow version <version no.> To delete information: no sflow version Input mode (config) Parameters <version no.> Sets the version of the sFlow packet to be sent. The sFlow packet of the specified version is sent to the collector.
  • Page 823: Part 13: Management Of Neighboring Device Information

    PART 13: Management of Neighboring Device Information Chapter 37. LLDP lldp enable lldp hold-count lldp interval-time lldp run...
  • Page 824: Lldp Enable

    37. LLDP lldp enable Enables operation of LLDP for a port. Syntax To set information: lldp enable To delete information: no lldp enable Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 825: Lldp Hold-Count

    37. LLDP lldp hold-count Specifies how long the LLDP frames sent from the Switch to neighboring devices will be retained on the neighboring devices. Syntax To set or change information: lldp hold-count <count> To delete information: no lldp hold-count Input mode (config) Parameters <count>...
  • Page 826: Lldp Interval-Time

    37. LLDP lldp interval-time Specifies the interval at which the Switch sends LLDP frames. Syntax To set or change information: lldp interval-time <seconds> To delete information: no lldp interval-time Input mode (config) Parameters <seconds> Specifies the transmission interval (in seconds) between LLDP frames sent from the Switch. Default value when this parameter is omitted: This parameter cannot be omitted.
  • Page 827: Lldp Run

    37. LLDP lldp run Enables the LLDP functionality. Syntax To set information: lldp run To delete information: no lldp run Input mode (config) Parameters None Default behavior The LLDP functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 829: Oadp

    Chapter 38. OADP oadp cdp-listener oadp enable oadp hold-time oadp ignore-vlan oadp interval-time oadp run...
  • Page 830: Oadp Cdp-Listener

    38. OADP oadp cdp-listener Specifies whether the CDP reception functionality is enabled on the Switch. Syntax To set information: oadp cdp-listener To delete information: no oadp cdp-listener Input mode (config) Parameters None Default behavior The CDP reception functionality is disabled. Impact on communication None When the change is applied...
  • Page 831: Oadp Enable

    38. OADP oadp enable Enables OADP for a port or link aggregation. Syntax To set information: oadp enable To delete information: no oadp enable Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 832: Oadp Hold-Time

    38. OADP oadp hold-time Specifies how long the OADP frames sent from the Switch to neighboring devices will be retained on the neighboring devices. Syntax To set or change information: oadp hold-time <seconds> To delete information: no oadp hold-time Input mode (config) Parameters <seconds>...
  • Page 833: Oadp Ignore-Vlan

    38. OADP oadp ignore-vlan Specifies that any OADP frames received from the VLAN specified by the VLAN ID are to be ignored. Syntax To set or change information: oadp ignore-vlan <vlan id list> To delete information: no oadp ignore-vlan Input mode (config) Parameters <vlan id list>...
  • Page 834: Oadp Interval-Time

    38. OADP oadp interval-time Specifies the interval at which the Switch sends OADP frames. Syntax To set or change information: oadp interval-time <seconds> To delete information: no oadp interval-time Input mode (config) Parameters <seconds> Specifies the sending interval (in seconds) between OADP frames sent from the Switch. OADP frames are actually sent at the interval that changes randomly from 2/3 to 3/2 of the specified value.
  • Page 835: Oadp Run

    38. OADP oadp run Enables the OADP functionality. Syntax To set information: oadp run To delete information: no oadp run Input mode (config) Parameters None Default behavior The OADP functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
  • Page 837: Port Mirroring

    PART 14: Port Mirroring Chapter 39. Port Mirroring monitor session...
  • Page 838: Monitor Session

    39. Port Mirroring monitor session Configures the port mirroring functionality. Syntax To set or change information: monitor session <session no.> source interface <interface id list> [{rx | tx | both}] destination interface {gigabitethernet | tengigabitethernet } <nif no.>/<port no.> To change information: monitor session <session no.>...
  • Page 839 39. Port Mirroring See Specifiable values for parameters. {rx | tx | both} Specifies the direction of the traffic subject to port mirroring. rx Received frames are mirrored. tx Sent frames are mirrored. both Both sent and received frames are mirrored. Default value when this parameter is omitted: both Range of values: See the following table.
  • Page 840 39. Port Mirroring When the change is applied The change is applied immediately after setting values are changed. Notes A port that has already been set as a monitor port cannot be set as a monitor port or a mirror port.
  • Page 841: Part 15: Configuration Error Messages

    PART 15: Configuration Error Messages Chapter 40. Error Messages Displayed When Editing the Configuration 40.1 Error messages displayed when editing the configuration...
  • Page 842: Error Messages Displayed When Editing The Configuration

    40. Error Messages Displayed When Editing the Configuration 40.1 Error messages displayed when editing the configuration 40.1.1 Common Table 40-1: Common error messages Message Description <value1> has already been set -- <value2>. <value1> information has already been set. <value2> could not be set. Delete <value1>...
  • Page 843 40. Error Messages Displayed When Editing the Configuration Message Description Invalid nif number. -- <value1> <value1> is outside the valid NIF number range. Set a value within the range. <value1>: Invalid value Invalid port number. -- <value1> <value1> is outside the valid port number range. Set a value within the range.
  • Page 844: Editing Configurations And Operation Information

    40. Error Messages Displayed When Editing the Configuration Message Description <value1>: Number of digits that can be entered 40.1.2 Editing configurations and operation information Table 40-2: Error messages displayed while editing and using configurations Message Description <process> is starting. Please try again. A program is being started.
  • Page 845: Login Security And Radius Or Tacacs+ Information

    40. Error Messages Displayed When Editing the Configuration Message Description Not enough memory, configuration file is too There is not enough memory to save the configuration because it is too big. large. Not enough space on device. Capacity at the write destination is insufficient. Delete files that are no longer needed.
  • Page 846: Ethernet Information

    40. Error Messages Displayed When Editing the Configuration 40.1.6 Ethernet information Table 40-6: Ethernet error messages Message Description Can not change media-type. The applicable port cannot be changed from 10BASE-T, 100BASE-TX, or 1000BASE-T to 1000BASE-X, and vice versa. Cannot attach the interface specified as a The interface set as a ring port cannot participate in the port channel.
  • Page 847: Mac Address Table Information

    40.1.8 MAC address table information Table 40-8: MAC address table error messages Message Description Relations between vlan in mac-address-table VLAN specification and the mac-address-table static static configuration and switchport configuration do not match. A VLAN set by using switchport configuration are inconsistent.
  • Page 848
    Message | Description
    Maximum number of entries are already defined. <mac> | If the mac-based-vlan static-only command has not been entered, 65 or more MAC addresses cannot be entered for the mac-address command. <mac>: MAC address
    Maximum number of TPID value which can... | Too many TPID values are specified.
  • Page 849: Spanning Tree Information

    Message Description Relations between vlan in dot1q cannot be switchport mac dot1q vlan switchport mac vlan configuration and mac vlan configuration are set because they use the same VLAN. inconsistent. Relations between vlan in dot1q switchport mac dot1q vlan switchport mac native vlan configuration and native configuration are...
  • Page 850: Ring Protocol Information

    40.1.11 Ring Protocol information
    Table 40-11: Ring Protocol error messages
    Message | Description
    axrp-<ring id>-<group id>: vlan-mapping <mapping id> is already configured in... | The specified VLAN mapping has already been set for a VLAN group in the same ring.
  • Page 851
    Message | Description
    axrp-<ring id>: vlan <vlan id> is already configured in multi-fault-detection-vlan of other ring. | The specified VLAN has already been set in the multi-fault monitoring VLAN of another ring. Either delete the applicable VLAN from the other ring's multi-fault monitoring VLAN or use another VLAN.
  • Page 852: Igmp Snooping Information

    40.1.12 IGMP snooping information
    Table 40-12: IGMP snooping error messages
    Message | Description
    Maximum number of VLAN are already defined. | The number of VLANs that can be specified by using the IGMP snooping functionality is 32.
  • Page 853: Access List Information

    The flow detection mode cannot be changed because an access list or a QoS flow list is applied to the interface. • For AX3640S series switches: To change the flow detection mode, delete all the lists that are applied to the receiving-side interface and the sending-side interface.
  • Page 854
    ... mode layer3-3. | If the receiving-side flow detection mode is layer3-3, the access list cannot be applied. • For AX3640S series switches: If the receiving-side flow detection mode is layer3-3, IPv4 and IPv6 access lists can be applied to the Ethernet interface.
  • Page 855
    Message | Description
    Cannot attach this list because flow detection mode layer3-6. | If the receiving-side flow detection mode is layer3-6, the access list cannot be applied. If the flow detection mode is layer3-6, IPv4 and IPv6 access lists can be applied to the VLAN interface.
  • Page 856
    Message | Description
    Relations between access-list and dot1q-tunnel are inconsistent. | An access list that contains a VLAN ID as a detection condition cannot be set on the outbound side because a tunneling port is set on the Switch. A tunneling port cannot be set if an access list that contains a VLAN ID as a detection condition is applied to the outbound side.
  • Page 857: Qos Information

    ... mode layer3-3. | If the receiving-side flow detection mode is layer3-3, the QoS flow list cannot be applied. • For AX3640S series switches: If the receiving-side flow detection mode is layer3-3, IPv4 QoS and IPv6 QoS flow lists can be applied to the Ethernet interface.
  • Page 858
    ... mode layer3-4. | If the receiving-side flow detection mode is layer3-4, the QoS flow list cannot be applied. • For AX3640S series switches: If the receiving-side flow detection mode is layer3-4, IPv4 QoS and IPv6 QoS flow lists can be applied to the Ethernet interface.
  • Page 859
    Message | Description
    Minrate must be less than maxrate. | The minimum bandwidth rate is not smaller than the maximum bandwidth rate. For the minimum bandwidth rate, set a value smaller than the maximum bandwidth rate.
  • Page 860: Ieee 802.1X Information

    40.1.17 IEEE 802.1X information Table 40-17: IEEE 802.1X error messages Message Description ChGr <channel group number>: Per-VLAN VLAN-based static authentication is inconsistent with Inconsistency is found between the dot1x port-based authentication of channel groups. port-control and the dot1x vlan <vlan id>...
  • Page 861 Message Description Inconsistency is found between the dot1x The IEEE 802.1X configuration is inconsistent with the authentication and the fense configuration. VLAN configuration. command cannot be set together with dot1x system-auth-control any of the following commands: •...
  • Page 862
    Message | Description
    The total count of dot1x vlan definitions is beyond the maximum value (1024). | The number of VLANs for which VLAN-based authentication (static or dynamic) is set exceeds the maximum. Make sure that the number does not exceed the maximum (1024).
    The total count of dot1x vlan ports and port-channel combined is beyond the... | The total number of ports and channel groups belonging to a VLAN that has...
  • Page 863: Web Authentication Information

    Message Description vlan dynamic: Inconsistency is found For a VLAN that uses VLAN-based authentication (dynamic), the between the supplicant-detection and the settings must be ignore-eapol-start supplicant-detection ignore-eapol-start configuration. consistent. is set, then cannot be ignore-eapol-start supplicant-detection...
  • Page 864: Mac-Based Authentication Information

    Message | Description
    Relations between IGMP snooping and authentication ip access-list configuration are inconsistent. | An authentication access list command and IGMP snooping cannot be used concurrently on the same device.
    Relations between IGMP snooping and web-authentication configuration are... | Web authentication and IGMP snooping cannot be used concurrently on the same device.
  • Page 865: Dhcp Snooping Information

    Message | Description
    | <server address>: Indicates the IP address of an authentication server.
    fense: duplicate vlan subnet address <subnet address> and subnet mask <subnet mask>. | That subnet address and mask have already been set elsewhere.
  • Page 866: Vrrp Information

    Message Description gsrp-<gsrp group id>: can not specify both You cannot specify for a channel reset-flush-port no-flush-port any flush methods and direct-link on the group that has been specified in the direct link settings. channel-group <channel group number>.
  • Page 867: Uplink Redundancy Information

    Message | Description
    Network prefix of VRRP virtual router ipv6 address and IPv6 address is different on accept mode. | The network prefixes of the VRRP virtual and real IPv6 addresses are different. When specifying accept mode or if accept mode has already been specified, the network prefixes of the virtual and real IPv6 addresses must match.
  • Page 868: Cfm Information

    40.1.25 CFM information
    Table 40-25: CFM error messages
    Message | Description
    Cannot change cfm domain direction. | The MEP direction that is set in a domain cannot be changed.
    Cannot change cfm mep direction. | The MEP direction cannot be changed.
  • Page 869: Sflow Statistics

    Message | Description
    | <group name>: Indicates the group name.
    Informs is supported by only SNMPv2C. | The inform function is supported by SNMPv2C. Select SNMPv2C to use the inform function.
    Invalid oid-tree. <oid tree> | The value for <oid tree>...
  • Page 870: Port Mirroring Information

    40.1.29 Port mirroring information
    Table 40-29: Port mirroring error messages
    Message | Description
    Mirror port and monitor port are inconsistent. | Both mirror port and monitor port settings cannot be specified simultaneously.
    Mirror port and switchport are inconsistent. | Both mirror port and switchport settings cannot be specified simultaneously.
  • Page 871: Index

    Index clock timezone 66 command description format 2 aaa accounting commands 26 commands exec 44 aaa accounting dot1x default 470 control-vlan 271 aaa accounting exec 28 aaa accounting mac-authentication default start-stop group radius 567 aaa accounting web-authentication default start-stop group deny (ip access-list extended) 333 radius 536 deny (ip access-list standard) 340...
  • Page 872 Index dot1x vlan timeout reauth-period 524 dot1x vlan timeout server-timeout 526 instance 200 dot1x vlan timeout supp-timeout 528 interface gigabitethernet 119 dot1x vlan timeout tx-period 530 interface port-channel 148 down-debounce 160 interface tengigabitethernet 120 duplex 112 interface vlan 161 ip access-group [access list] 351 ip access-group [login security and RADIUS or TACACS+] efmoam active 686 efmoam disable 687...
  • Page 873 Index l2protocol-tunnel eap 162 mdix auto 123 l2protocol-tunnel stp 163 media-type 124 lacp port-priority 149 mode 279 lacp system-priority 151 monitor session 810 layer3-redundancy 637 mtu 125 limit-queue-length 415 multi-fault-detection holdtime 281 line console 11 multi-fault-detection interval 282 line vty 12 multi-fault-detection mode 283 link debounce 121 multi-fault-detection vlan 285...
  • Page 874 Index spanning-tree mst max-age 220 spanning-tree mst max-hops 221 radius-server host 51 spanning-tree mst port-priority 222 radius-server key 54 spanning-tree mst root priority 224 radius-server retransmit 55 spanning-tree mst transmission-limit 225 radius-server timeout 56 spanning-tree pathcost method 226 remark [access list] 391 spanning-tree port-priority 228 remark [QoS] 453 spanning-tree portfast 229...
  • Page 875 Index system minimum-tagged-frame-length-68 133 web-authentication logout polling count 545 system mtu 134 web-authentication logout polling enable 547 system recovery 99 web-authentication logout polling interval 549 system temperature-warning-level 100 web-authentication logout polling retry-interval 551 web-authentication max-timer 553 web-authentication max-user 555 web-authentication port 556 tacacs-server host 57 web-authentication redirect enable 557 tacacs-server key 59...

This manual is also suitable for:

Ax3630s
