Motorola EX-3524 CLI Reference Manual

Layer 2 Gigabit Ethernet PoE/PoE+ switch.
Motorola Solutions
EX-3524/EX-3548
Layer 2 Gigabit Ethernet PoE/PoE+ Switch
CLI Reference Guide
www.edge-core.com


   Summary of Contents for Motorola EX-3524

  • Page 1

    Motorola Solutions EX-3524/EX-3548 Layer 2 Gigabit Ethernet PoE/PoE+ Switch CLI Reference Guide www.edge-core.com...

  • Page 3: How To Use This Guide

    How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

  • Page 4: How To Use This Guide

    How to Use This Guide Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.

  • Page 5: Table Of Contents

    Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Logging Onto the Command Line Interface Setting Passwords Remote Connections Configuring the Switch for Remote Management Setting an IP Address Enabling SNMP Management Access Managing System Files...

  • Page 6: Table Of Contents

    Contents Configuring NTP Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...

  • Page 7: Table Of Contents

    Contents 4 System Management Commands Device Designation hostname System Status show access-list tcam-utilization show memory show process cpu show running-config show startup-config show system show users show version Frame Size jumbo frame File Management General Commands boot system copy delete whichboot Automatic Code Upgrade Commands upgrade opcode auto...

  • Page 8: Table Of Contents

    Contents stopbits timeout login response disconnect show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands...

  • Page 9: Table Of Contents

    Contents periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 5 SNMP Commands General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host SNMPv3 Commands...

  • Page 10: Table Of Contents

    Contents show snmp notify-filter 6 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 7 Authentication Commands User Accounts enable password username Authentication Sequence authentication enable authentication login RADIUS Client...

  • Page 11: Table Of Contents

    Contents aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-port ip http secure-server Telnet Server ip telnet max-sessions ip telnet port ip telnet server show ip telnet Secure Shell ip ssh authentication-retries...

  • Page 12: Table Of Contents

    Contents Authenticator Commands dot1x intrusion-action dot1x max-req dot1x operation-mode dot1x port-control dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate Supplicant Commands dot1x identity profile dot1x max-start dot1x pae supplicant dot1x timeout auth-period dot1x timeout held-period dot1x timeout start-period Information Display Commands...

  • Page 13: Table Of Contents

    Contents network-access link-detection link-down network-access link-detection link-up network-access link-detection link-up-down network-access max-mac-count network-access mode mac-authentication network-access port-mac-filter mac-authentication intrusion-action mac-authentication max-mac-count clear network-access show network-access show network-access mac-address-table show network-access mac-filter Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP)

  • Page 14: Table Of Contents

    Contents IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding show ip source-guard show ip source-guard binding ARP Inspection ip arp inspection ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate ip arp inspection vlan ip arp inspection limit ip arp inspection trust show ip arp inspection configuration...

  • Page 15: Table Of Contents

    Contents IPv6 ACLs access-list ipv6 permit, deny, redirect-to (Standard IPv6 ACL) permit, deny, redirect-to (Extended IPv6 ACL) show ipv6 access-list ipv6 access-group show ipv6 access-group MAC ACLs access-list mac permit, deny, redirect-to (MAC ACL) mac access-group show mac access-group show mac access-list ARP ACLs access-list arp permit, deny (ARP ACL)

  • Page 16: Table Of Contents

    Contents show interfaces counters show interfaces status show interfaces switchport show interfaces transceiver Cable Diagnostics test cable-diagnostics show cable-diagnostics Power Savings power-save show power-save 11 Link Aggregation Commands Manual Configuration Commands channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel)

  • Page 17: Table Of Contents

    Contents show port monitor RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 14 Congestion Control Commands Rate Limit Commands rate-limit Storm Control Commands switchport packet-rate Automatic Traffic Control Commands Threshold Commands auto-traffic-control apply-timer auto-traffic-control release-timer auto-traffic-control auto-traffic-control action...

  • Page 18: Table Of Contents

    Contents 15 Address Table Commands mac-address-table aging-time mac-address-table static clear mac-address-table dynamic show mac-address-table show mac-address-table aging-time show mac-address-table count 16 Spanning Tree Commands spanning-tree spanning-tree cisco-prestandard spanning-tree forward-time spanning-tree hello-time spanning-tree max-age spanning-tree mode spanning-tree pathcost method spanning-tree priority spanning-tree mst configuration spanning-tree transmission-limit max-hops...

  • Page 19: Table Of Contents

    Contents spanning-tree port-priority spanning-tree root-guard spanning-tree spanning-disabled spanning-tree loopback-detection release spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration 17 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer switchport forbidden vlan switchport gvrp show bridge-ext show garp timer show gvrp configuration Editing VLAN Groups vlan database...

  • Page 20: Table Of Contents

    Contents Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Configuring IP Subnet VLANs subnet-vlan show subnet-vlan Configuring MAC Based VLANs mac-vlan show mac-vlan Configuring Voice VLANs voice vlan voice vlan aging voice vlan mac-address switchport voice vlan switchport voice vlan priority...

  • Page 21: Table Of Contents

    Contents show qos map phb-queue show qos map trust-mode 19 Quality of Service Commands class-map description match rename policy-map class police flow police srtcm-color police trtcm-color set cos set ip dscp set phb service-policy show class-map show policy-map show policy-map interface 20 Multicast Filtering Commands IGMP Snooping ip igmp snooping...

  • Page 22: Table Of Contents

    Contents ip igmp snooping vlan last-memb-query-count ip igmp snooping vlan last-memb-query-intvl ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static show ip igmp snooping show ip igmp snooping group show ip igmp snooping mrouter Static Multicast Routing...

  • Page 23: Table Of Contents

    Contents lldp refresh-interval lldp reinit-delay lldp tx-delay lldp admin-status lldp basic-tlv management-ip-address lldp basic-tlv port-description lldp basic-tlv system-capabilities lldp basic-tlv system-description lldp basic-tlv system-name lldp dot1-tlv proto-ident lldp dot1-tlv proto-vid lldp dot1-tlv pvid lldp dot1-tlv vlan-name lldp dot3-tlv link-agg lldp dot3-tlv max-frame lldp dot3-tlv poe lldp med-location civic-addr lldp med-notification...

  • Page 24: Table Of Contents

    Contents clear cdp table show cdp show cdp interface show cdp neighbors 23 Domain Name Service Commands ip domain-list ip domain-lookup ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache show hosts 24 DHCP Commands DHCP Client DHCP for IPv4...

  • Page 25: Table Of Contents

    Contents show ip traffic traceroute ping ARP Configuration ip proxy-arp clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address autoconfig ipv6 address eui-64 ipv6 address link-local ipv6 enable ipv6 mtu show ipv6 default-gateway show ipv6 interface show ipv6 mtu show ipv6 traffic...

  • Page 26: Table Of Contents

    The GNU General Public License GNU Lesser General Public License, version 3.0 The BSD License Open Source Software Used ISC License C Customer Support Motorola Solutions Enterprise Mobility Support Center Customer Support Web Site Manuals Glossary Index of CLI Commands Index...

  • Page 27

    Figures Figure 1: Storm Control by Limiting the Traffic Rate Figure 2: Storm Control by Shutting Down a Port Figure 3: Configuring VLAN Trunking – 27 –...

  • Page 28: Figures

    Figures – 28 –...

  • Page 29: Table Of Contents

    Tables Table 1: Options 60, 66 and 67 Statements Table 2: Options 55 and 124 Statements Table 3: General Command Modes Table 4: Configuration Command Modes Table 5: Keystroke Commands Table 6: Command Group Index Table 7: General Commands Table 8: System Management Commands Table 9: Device Designation Commands Table 10: System Status Commands Table 11: show system –...

  • Page 30: Tables

    Tables Table 30: RMON Commands Table 31: Authentication Commands Table 32: User Access Commands Table 33: Default Login Settings Table 34: Authentication Sequence Commands Table 35: RADIUS Client Commands Table 36: TACACS+ Client Commands Table 37: AAA Commands Table 38: Web Server Commands Table 39: HTTPS System Support Table 40: Telnet Server Commands Table 41: Secure Shell Commands...

  • Page 31

    Tables Table 65: show lacp internal - display description Table 66: show lacp neighbors - display description Table 67: show lacp sysid - display description Table 68: PoE Commands Table 69: show power inline status - display description Table 70: show power mainpower - display description Table 71: Port Mirroring Commands Table 72: Mirror Port Commands Table 73: RSPAN Commands...

  • Page 32: Table Of Contents

    Tables Table 100: Multicast Filtering Commands Table 101: IGMP Snooping Commands Table 102: Static Multicast Interface Commands Table 103: IGMP Filtering and Throttling Commands Table 104: Multicast VLAN Registration Commands Table 105: show mvr - display description Table 106: show mvr interface - display description Table 107: show mvr members - display description Table 108: LLDP Commands Table 109: LLDP MED Location CA Types...

  • Page 33: Getting Started

    Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP. This section includes these chapters: ◆ "Initial Switch Configuration" on page 35 – 33 –...

  • Page 34: Section I Getting Started

    Section I | Getting Started – 34 –...

  • Page 35: Initial Switch Configuration, Connecting To The Switch

    Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

  • Page 36: Initial Switch Configuration

    Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 256 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration ◆ Configure IP routing for unicast traffic ◆ Configure IGMP multicast filtering ◆...

  • Page 37

    Passwords can consist of up to 32 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: Open the console interface with the default user name “motorola” and password “admin” to access the Privileged Exec level.

  • Page 38

    Console(config)#username motorola password 0 [password] Console(config)# * This manual covers both the EX-3524 and EX-3548 Gigabit Ethernet PoE/PoE+ switches. Other than the difference in the number of ports, there are no other significant differences. Therefore nearly all of the screen display examples are based on the EX-3524.

  • Page 39

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Configuring the Switch for Remote Management Setting an IP Address You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: ◆...

  • Page 40: Configuring The Switch For Remote Management

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,”...

  • Page 41

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Joined Group Address(es): FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console# Address for Multi-segment Network —...

  • Page 42: Dynamic Configuration

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Link-Local Address: FE80::260:3EFF:FE11:6700/64 Global Unicast Address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined Group Address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console#show ipv6 default-gateway...

  • Page 43

    Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config.

  • Page 44: Enabling Snmp Management Access

    Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages.

  • Page 45: Enabling Snmp Management Access

    “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.) To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>. Console(config)#snmp-server community motorola rw Console(config)#snmp-server community private Console(config)# Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings.

  • Page 46

    Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...

  • Page 47: Managing System Files

    Chapter 1 | Initial Switch Configuration Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.

  • Page 48: Managing System Files

    Chapter 1 | Initial Switch Configuration Managing System Files Upgrading the Operation Code The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server.

  • Page 49

    Chapter 1 | Initial Switch Configuration Managing System Files The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config”...

  • Page 50

    Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings Configuring Automatic Installation of Operation Code and Configuration Settings Downloading Automatic Operation Code Upgrade can automatically download an operation Operation Code code file when a file newer than the currently installed one is discovered on the file server.

  • Page 51: Configuring Automatic Installation Of Operation Code And Configuration Settings

    (“”) will be used for the connection. This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://motorola:billy@192.168.0.1/sm24/ Console(config)# – 51 –...

  • Page 52: Specifying A Dhcp Client Identifier

    Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings Set the switch to automatically reboot and load the new code after the opcode upgrade is completed. Console(config)#upgrade opcode reload Console(config)# Set the switch to automatically upgrade the current operational code when a new version is detected on the server.

  • Page 53

    Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.

  • Page 54

    Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings To successfully transmit a bootup configuration file to the switch the DHCP daemon (using a Linux based system for this example) must be configured with the following information: ◆...

  • Page 55: Setting The System Clock

    Chapter 1 | Initial Switch Configuration Setting the System Clock subnet 192.168.255.0 netmask 255.255.255.0 { range 192.168.255.160 192.168.255.200; option routers 192.168.255.101; option tftp-server-name "192.168.255.100"; #Default Option 66 option bootfile-name "bootfile"; #Default Option 67 class "Option66,67_1" { #DHCP Option 60 Vendor class two match if option vendor-class-identifier = "EX3524_Op.cfg";...

  • Page 56: Setting The System Clock

    Chapter 1 | Initial Switch Configuration Setting the System Clock To set the time shift for summer time, enter a command similar to the following. Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 Console(config)# To display the clock configuration settings, enter the following command. Console#show calendar Current Time : Apr...

  • Page 57

    Chapter 1 | Initial Switch Configuration Setting the System Clock Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.5.23 key 19 Console(config)#exit Console#show ntp Current Time : Apr 29 13:57:32 2011 Polling : 1024 seconds Current Mode : unicast NTP Status : Enabled NTP Authenticate Status : Enabled Last Update NTP Server...

  • Page 58

    Chapter 1 | Initial Switch Configuration Setting the System Clock – 58 –...

  • Page 59: Command Line Interface

    Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ “General Commands” on page 73 ◆ “System Management Commands” on page 81 ◆...

  • Page 60: Command Line Interface

    Section II | Command Line Interface ◆ “Quality of Service Commands” on page 441 ◆ “Multicast Filtering Commands” on page 459 ◆ “LLDP Commands” on page 493 ◆ “CDP Commands” on page 517 ◆ “Domain Name Service Commands” on page 523 ◆...

  • Page 61: Using The Command Line, Accessing The Cli

    To access the switch through the console port, perform these steps: At the console prompt, enter the user name and password. (The default user names are “motorola” and “guest” with corresponding passwords of “admin” and “guest.”) When the administrator user name and password is entered, the CLI displays the “Console#”...

  • Page 62: Using The Command Line Interface

    When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: motorola Password: CLI session with the EX-3524 is opened. To end the CLI session, enter [Exit]. Vty-0# – 62 –...

  • Page 63: Entering Commands

    To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter: Console(config)#username motorola password 0 smith Minimum Abbreviation The CLI will accept a minimum number of characters that uniquely identify a command.

  • Page 64: Showing Commands, System Commands

    Chapter 2 | Using the Command Line Interface Entering Commands Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

  • Page 65

    Chapter 2 | Using the Command Line Interface Entering Commands running-config Information on the running configuration snmp Simple Network Management Protocol configuration and statistics sntp Simple Network Time Protocol configuration spanning-tree Spanning-tree configuration Secure shell server connections startup-config Startup system configuration subnet-vlan IP subnet-based VLAN information system...

  • Page 66

    You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privilege Exec mode, open a new console session with the user name “motorola” and password “admin.” The system will now display the “Console#” command prompt. You can...

  • Page 67

    “super.” To enter Privileged Exec mode, enter the following user names and passwords: Username: motorola Password: [admin login password] CLI session with the EX-3524 is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password] CLI session with the EX-3524 is opened.

  • Page 68: Configuration Commands

    Chapter 2 | Using the Command Line Interface Entering Commands ◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces. ◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists. ◆...

  • Page 69

    Chapter 2 | Using the Command Line Interface Entering Commands Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...

  • Page 70: Cli Command Groups, Table 6: Command Group Index

    Chapter 2 | Using the Command Line Interface CLI Command Groups Note that the output modifier begin can only be used as the first modifier if more than one modifier is used in a command. CLI Command Groups The system commands can be broken down into the functional groups shown below Table 6: Command Group Index Command Group...

  • Page 71: Cli Command Groups

    Chapter 2 | Using the Command Line Interface CLI Command Groups Table 6: Command Group Index (Continued) Command Group Description Page VLANs Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling Class of Service Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue,...

  • Page 72

    Chapter 2 | Using the Command Line Interface CLI Command Groups – 72 –...

  • Page 73: General Commands

    General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 7: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...

  • Page 74: General Commands

    Chapter 3 | General Commands Command Mode Global Configuration Command Usage This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.

  • Page 75: Understanding Command Modes

    Chapter 3 | General Commands Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆...

  • Page 76: Enable

    Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (78) enable password (166) quit This command exits the configuration program.

  • Page 77: Show History

    Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console#...

  • Page 78: Disable

    Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.

  • Page 79: Show Reload

    Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.

  • Page 80: Exit

    Chapter 3 | General Commands Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: – 80 –...

  • Page 81: System Management, Device Designation

    System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 8: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status Displays system configuration, active managers, and version information...

  • Page 82: System Status

    Chapter 4 | System Management Commands System Status hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...

  • Page 83: System Status

    Chapter 4 | System Management Commands System Status Table 10: System Status Commands (Continued) Command Function Mode show users Shows all active console and Telnet sessions, including user NE, PE name, idle time, and IP address of Telnet clients show version Displays version information for the system NE, PE show access-list...

  • Page 84: Show Process Cpu

    Chapter 4 | System Management Commands System Status Console# show process cpu This command shows the CPU utilization parameters. Command Mode Normal Exec, Privileged Exec Example Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-config This command displays the configuration information currently in use.

  • Page 85: Command Mode

    | System Management Commands System Status snmp-server community private rw snmp-server enable traps authentication username motorola access-level 15 username motorola password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database...

  • Page 86

    The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance. ◆ The number of fans provided: EX-3524 - 2, EX-3548 - 3 Example Console#show system System Description : EX-3524 Managed POE/POE+ Switch System OID String : 1.3.6.1.4.1.388.19.101...

  • Page 87: Show System, Table 11: Show System – Display Description

    User Name Accounts: User Name Privilege Public-Key --------- --------- ---------- motorola 15 None guest 0 None steve Online Users: Line Username Idle time (h:m:s) Remote IP addr. ----------- -------- ----------------- --------------- console motorola 0:14:14 VTY 0 motorola 0:00:00 192.168.1.19...

  • Page 88: Show Version, Table 12: Show Version – Display Description

    Web Online Users: Line Remote IP Addr User Name Idle time (h:m:s) ----------- --------------- --------- ------------------ HTTP 192.168.1.19 motorola 0:00:0 Console# show version This command displays hardware and software version information for the system. Command Mode Normal Exec, Privileged Exec...

  • Page 89: Frame Size

    Chapter 4 | System Management Commands Frame Size Frame Size This section describes commands used to configure the Ethernet frame size on the switch. Table 13: Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames jumbo frame This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports.

  • Page 90: File Management

    Chapter 4 | System Management Commands File Management File Management Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation.

  • Page 91: File Management

    Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.

  • Page 92

    Chapter 4 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.

  • Page 93: Copy

    Chapter 4 | System Management Commands File Management ◆ To replace the startup configuration, you must use startup-config as the destination. ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.

  • Page 94

    Chapter 4 | System Management Commands File Management The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01...

  • Page 95: Delete

    | System Management Commands File Management This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: motorola Password[]: ***** Choose file type: 1. config: 2. opcode: 2 Source file name: BLANC.BIX Destination file name: BLANC.BIX...

  • Page 96: Table 15: File Directory Information

    Chapter 4 | System Management Commands File Management This command displays a list of files in flash memory. Syntax dir {boot-rom: | config: | opcode:} [filename] boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file. opcode - Run-time operation code image file. filename - Name of configuration file or code image.

  • Page 97: Whichboot

    Chapter 4 | System Management Commands File Management whichboot This command displays which files were booted when the system powered up. Syntax whichboot Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

  • Page 98: Upgrade Opcode Auto

    Chapter 4 | System Management Commands File Management version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.

  • Page 99: Upgrade Opcode Path

    This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://motorola:billy@192.168.0.1/sm24/ Console(config)# show upgrade This command shows the opcode upgrade configuration settings.

  • Page 100: Table 16: Line Commands

    Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 16: Line Commands Command Function...

  • Page 101: Line

    Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and processes subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.

  • Page 102

    Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.

  • Page 103: Login

    Chapter 4 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.

  • Page 104: Parity

    Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity...

  • Page 105: Password

    Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the...

  • Page 106: Password-thresh

    Chapter 4 | System Management Commands Line Example To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# Related Commands silent-time (106) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.

  • Page 107: Speed

    Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.

  • Page 108: Stopbits

    Chapter 4 | System Management Commands Line Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.

  • Page 109: Console Connection

    Chapter 4 | System Management Commands Line disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0”...

  • Page 110: Event Logging, Logging Facility

    Chapter 4 | System Management Commands Event Logging Baud Rate : 115200 Data Bits Parity : None Stop Bits VTY Configuration: Password Threshold : 3 times Inactive Timeout : 600 sec. Login Timeout : 300 sec. Silent Time : 30 sec. Console# Event Logging This section describes commands used to configure event logging on the switch.

  • Page 111: Event Logging

    Chapter 4 | System Management Commands Event Logging Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.

  • Page 112: Logging History

    Chapter 4 | System Management Commands Event Logging Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages.

  • Page 113: Logging On

    Chapter 4 | System Management Commands Event Logging Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.

  • Page 114

    Chapter 4 | System Management Commands Event Logging clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).

  • Page 115: Show Log

    Chapter 4 | System Management Commands Event Logging Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."...

  • Page 116: Smtp Alerts, Table 19: Show Logging Flash/ram - Display Description

    Chapter 4 | System Management Commands SMTP Alerts Table 19: show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command. History logging in FLASH The message level(s) reported based on the logging history command.

  • Page 117: Smtp Alerts

    Chapter 4 | System Management Commands SMTP Alerts Table 21: Event Logging Commands (Continued) Command Function Mode logging sendmail level Severity threshold used to trigger alert messages logging sendmail Email recipients of alert messages destination-email logging sendmail Email address used for “From” field of alert messages source-email show logging sendmail Displays SMTP event handler settings...

  • Page 118: Logging Sendmail

    Chapter 4 | System Management Commands SMTP Alerts Command Mode Global Configuration Command Usage ◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server. ◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.

  • Page 119: Logging Sendmail Level

    Chapter 4 | System Management Commands SMTP Alerts Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient.

  • Page 120: Logging Sendmail Source-email, Table 22: Time Commands

    Chapter 4 | System Management Commands Time Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec...

  • Page 121: Time

    Chapter 4 | System Management Commands Time Table 22: Time Commands (Continued) Command Function Mode Manual Configuration Commands clock summer-time Configures summer time for the switch’s internal clock clock timezone Sets the time zone for the switch’s internal clock clock timezone-predefined Sets the time zone for the switch’s internal clock using predefined time zone configurations calendar set...

  • Page 122: Sntp Client

    Chapter 4 | System Management Commands Time Current Server: 137.92.140.80 Console# Related Commands sntp server (122) sntp poll (122) show sntp (123) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll...

  • Page 123: Sntp Poll

    Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received.

  • Page 124: Manual Configuration Commands

    Chapter 4 | System Management Commands Time Manual Configuration Commands clock summer-time This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.

  • Page 125: Clock Summer-time

    Chapter 4 | System Management Commands Time time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone. Example Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console(config)# Related Commands...

  • Page 126: Clock Timezone

    Chapter 4 | System Management Commands Time clock timezone-predefined This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default. Syntax clock timezone-predefined offset-city no clock timezone-predefined offset - Select the offset from GMT.

  • Page 127: Calendar Set

    Chapter 4 | System Management Commands Time month - january | february | march | april | may | june | july | august | september | october | november | december year - Year (4-digit). (Range: 1970-2037) Default Setting None Command Mode Privileged Exec...

  • Page 128: Time Range

    Chapter 4 | System Management Commands Time Range Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists. Table 23: Time Range Commands Command Function Mode time-range Specifies the name of a time range, and enters time range configuration mode absolute...

  • Page 129: Time Range

    Chapter 4 | System Management Commands Time Range absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format.

  • Page 130: Absolute

    Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend | hour minute}...

  • Page 131: Switch Clustering

    Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range. (Range: 1-30 characters) Default Setting None Command Mode Privileged Exec Example Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic...

  • Page 132: Switch Clustering

    Chapter 4 | System Management Commands Switch Clustering Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.

  • Page 133: Cluster

    Chapter 4 | System Management Commands Switch Clustering ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes.

  • Page 134: Cluster Ip-pool

    Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.

  • Page 135: Cluster Member

    ◆ There is no need to enter the username and password for access to the Member switch CLI. Example Console#rcommand id 1 CLI session with the EX-3524 is opened. To end the CLI session, enter [Exit]. Vty-0##...

  • Page 136: Show Cluster, Show Cluster Members, Show Cluster Candidates

    Console#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-E0-0C-00-00-FE Description : EX-3524 Managed POE/POE+ Switch Console# show cluster candidates This command shows the discovered Candidate switches in the network. Command Mode Privileged Exec...

  • Page 137: Snmp Commands

    SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...

  • Page 138: General Snmp Commands

    Chapter 5 | SNMP Commands General SNMP Commands Table 25: SNMP Commands (Continued) Command Function Mode Notification Log Commands Enables the specified notification log snmp-server notify-filter Creates a notification log and specifies the target host show nlm oper-status Shows operation status of configured notification logs show snmp notify-filter Displays the configured notification logs ATC Trap Commands...

  • Page 139: General Snmp Commands

    Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server Console(config)# snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. Syntax snmp-server community string [ro | rw] no snmp-server community string...

  • Page 140: Snmp-server Contact

    Chapter 5 | SNMP Commands General SNMP Commands Default Setting None Command Mode Global Configuration Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (140) snmp-server location This command sets the system location string. Use the no form to remove the location string.

  • Page 141: Snmp Target Host Commands, Default Setting

    Chapter 5 | SNMP Commands SNMP Target Host Commands Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp SNMP Agent : Enabled...

  • Page 142: Snmp Target Host Commands

    Chapter 5 | SNMP Commands SNMP Target Host Commands Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.

  • Page 143: Snmp-server Host

    Chapter 5 | SNMP Commands SNMP Target Host Commands community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the...

  • Page 144

    Chapter 5 | SNMP Commands SNMP Target Host Commands To send an inform to a SNMPv2c host, complete these steps: Enable the SNMP agent (page 138). Create a view with the required notification messages (page 148). Create a group that includes the required notify view (page 146).

  • Page 145

    Chapter 5 | SNMP Commands SNMPv3 Commands SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch.

  • Page 146: Snmpv3 Commands

    Chapter 5 | SNMP Commands SNMPv3 Commands Example Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engineID remote 9876543210 192.168.1.19 Console(config)# Related Commands snmp-server host (142) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}...

  • Page 147: Snmp-server Group

    Chapter 5 | SNMP Commands SNMPv3 Commands ◆ For additional information on the notification messages supported by this switch, see the table for “Supported Notification Messages” in the System Reference Guide. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.

  • Page 148: Snmp-server User

    Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. ◆...

  • Page 149: Snmp-server View

    Chapter 5 | SNMP Commands SNMPv3 Commands excluded - Defines an excluded view. Default Setting defaultview (includes access to the entire MIB tree) Command Mode Global Configuration Command Usage ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.

  • Page 150: Privileged Exec, Table 26: Show Snmp Engine-id - Display Description

    Chapter 5 | SNMP Commands SNMPv3 Commands 80000000030004e2b316c54321 192.168.1.19 Console# Table 26: show snmp engine-id - display description Field Description Local SNMP engineID String identifying the engine ID. Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.

  • Page 151: Show Snmp Group, Table 27: Show Snmp Group - Display Description

    Chapter 5 | SNMP Commands SNMPv3 Commands Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Console# Table 27: show snmp group - display description Field Description Group Name Name of an SNMP group. Security Model The SNMP version.

  • Page 152: Show Snmp User, Table 29: Show Snmp View - Display Description

    Chapter 5 | SNMP Commands SNMPv3 Commands Table 28: show snmp user - display description (Continued) Field Description Authentication Protocol The authentication protocol used with SNMPv3. Privacy Protocol The privacy protocol used with SNMPv3. Storage Type The storage type for this entry. Row Status The row status of this entry.

  • Page 153

    Chapter 5 | SNMP Commands Notification Log Commands Notification Log Commands This command enables or disables the specified notification log. Syntax [no] nlm filter-name filter-name - Notification log name. (Range: 1-64 characters) Default Setting Enabled Command Mode Global Configuration Command Usage ◆...

  • Page 154: Notification Log Commands

    Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether those are Traps or Informs that exceed retransmission limits.

  • Page 155: Show Nlm Oper-status

    Chapter 5 | SNMP Commands Notification Log Commands show nlm oper-status This command shows the operational status of configured notification logs. Command Mode Privileged Exec Example Console#show nlm oper-status Filter Name: A1 Oper-Status: Operational Filter Name: A2 Oper-Status: Operational Console# show snmp This command displays the configured notification logs.

  • Page 156

    Chapter 5 | SNMP Commands Notification Log Commands – 156 –...

  • Page 157: Remote Monitoring Commands

    Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.

  • Page 158: Remote Monitoring Commands

    Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...

  • Page 159: Rmon Alarm

    Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.

  • Page 160: Rmon Event

    Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event.

  • Page 161: Rmon Collection History

    Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config...

  • Page 162: Show Rmon Alarms, Show Rmon Events, Show Rmon History

    Chapter 6 | Remote Monitoring Commands ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command. ◆ The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and packets of specified lengths Example...

  • Page 163: Statistics Group

    Chapter 6 | Remote Monitoring Commands Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01 Received 77671 octets, 1077 packets, 61 broadcast and 978 multicast packets,...

  • Page 164

    Chapter 6 | Remote Monitoring Commands – 164 –...

  • Page 165: Authentication Commands, User Accounts

    Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

  • Page 166: Authentication Commands

    (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config)#enable password level 15 0 motorola Console(config)# Related Commands enable (75) authentication enable (168)...

  • Page 167

    Table 33: Default Login Settings username access-level password guest guest motorola admin Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server.

  • Page 168: Authentication Sequence

    Chapter 7 | Authentication Commands Authentication Sequence Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 34: Authentication Sequence Commands Command Function...

  • Page 169: Authentication Sequence

    Chapter 7 | Authentication Commands Authentication Sequence is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked. Example Console(config)#authentication enable radius Console(config)# Related Commands enable password - sets the password for changing command modes (166) authentication login This command defines the login authentication method and precedence.

  • Page 170: Radius Client

    Chapter 7 | Authentication Commands RADIUS Client Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (167) RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.

  • Page 171: Radius Client

    Chapter 7 | Authentication Commands RADIUS Client Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812...

  • Page 172: Radius-server Key

    Chapter 7 | Authentication Commands RADIUS Client retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting auth-port - 1812 acct-port - 1813...

  • Page 173: Radius-server Retransmit

    Chapter 7 | Authentication Commands RADIUS Client radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.

  • Page 174: Show Radius-server

    Chapter 7 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times...

  • Page 175: Tacacs+ Client

    Chapter 7 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [port port-number] [timeout timeout] [key key] no tacacs-server index index - The index for this server.

  • Page 176: Tacacs-server Key

    Chapter 7 | Authentication Commands TACACS+ Client Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.

  • Page 177

    Chapter 7 | Authentication Commands Server Port Number : 181 Server Time Out : 4 Console# The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 37: AAA Commands Command Function...

  • Page 178: Aaa Accounting Dot1x

    Chapter 7 | Authentication Commands group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.

  • Page 179: Aaa Accounting Exec

    Chapter 7 | Authentication Commands Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.

  • Page 180: Aaa Accounting Update

    Chapter 7 | Authentication Commands Example Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.

  • Page 181

    Chapter 7 | Authentication Commands aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.

  • Page 182: Aaa Group Server

    Chapter 7 | Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the...

  • Page 183: Accounting Dot1x

    Chapter 7 | Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec...

  • Page 184: Web Server

    Chapter 7 | Authentication Commands Web Server exec - Displays Exec accounting records. statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) Default Setting None Command Mode...

  • Page 185: Web Server

    Chapter 7 | Authentication Commands Web Server Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.

  • Page 186: Ip Http Port

    Chapter 7 | Authentication Commands Web Server Related Commands ip http port (185) show system (86) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port...

  • Page 187: Ip Http Secure-port

    Chapter 7 | Authentication Commands Web Server Command Usage ◆ HTTP and HTTPS are implemented as mutually exclusive services on the switch. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆...

  • Page 188: Telnet Server

    Chapter 7 | Authentication Commands Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch. Table 40: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...

  • Page 189: Telnet Server

    Chapter 7 | Authentication Commands Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface. (Range: 1-65535) Default Setting Command Mode...

  • Page 190: Show Ip Telnet, Secure Shell

    Chapter 7 | Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# Secure Shell...

  • Page 191: Secure Shell

    Chapter 7 | Authentication Commands Secure Shell Table 41: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions show users Shows SSH users, including privilege level and public key type Configuration Guidelines The SSH server on this switch supports both password and public key authentication.

  • Page 192

    Chapter 7 | Authentication Commands Secure Shell Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.

  • Page 193: Ip Ssh Authentication-retries

    Chapter 7 | Authentication Commands Secure Shell When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.

  • Page 194: Ip Ssh Server

    Chapter 7 | Authentication Commands Secure Shell Command Mode Global Configuration Command Usage ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.

  • Page 195: Ip Ssh Timeout

    Chapter 7 | Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds...

  • Page 196: Delete Public-key

    Chapter 7 | Authentication Commands Secure Shell Example Console#delete public-key motorola dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type.

  • Page 197: Ip Ssh Crypto Host-key Generate

    Chapter 7 | Authentication Commands Secure Shell ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. Default Setting Clears both the DSA and RSA key.

  • Page 198: Show Public-key

    Chapter 7 | Authentication Commands Secure Shell Related Commands ip ssh crypto host-key generate (196) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds;...

  • Page 199: Show Ssh

    This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username Encryption Session-Started motorola ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# Table 42: show ssh - display description Field Description Connection The session number. (Range: 0-3) Version The Secure Shell version number.

  • Page 200: 802.1X Port Authentication

    Chapter 7 | Authentication Commands 802.1X Port Authentication 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

  • Page 201: 802.1X Port Authentication

    Chapter 7 | Authentication Commands 802.1X Port Authentication Table 43: 802.1X Port Authentication Commands (Continued) Command Function Mode dot1x timeout start-period Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator Information Display Commands show dot1x Shows all dot1x related information General Commands...

  • Page 202

    Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default. Syntax [no] dot1x eapol-pass-through Default Setting Discards all EAPOL frames when dot1x is globally disabled Command Mode...

  • Page 203: Authenticator Commands

    Chapter 7 | Authentication Commands 802.1X Port Authentication Authenticator Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.

  • Page 204: Dot1x Max-req

    Chapter 7 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x operation-mode This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

  • Page 205: Dot1x Operation-mode

    Chapter 7 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto –...

  • Page 206: Dot1x Re-authentication

    Chapter 7 | Authentication Commands 802.1X Port Authentication connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked. ◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command.

  • Page 207: Dot1x Timeout Re-authperiod

    Chapter 7 | Authentication Commands 802.1X Port Authentication Default 3600 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.

  • Page 208: Dot1x Timeout Tx-period

    Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period...

  • Page 209

    Chapter 7 | Authentication Commands 802.1X Port Authentication Supplicant Commands dot1x identity profile This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings. Syntax dot1x identity profile {username username | password password} no dot1x identity profile {username | password} username - Specifies the supplicant user name.

  • Page 210: Supplicant Commands

    Chapter 7 | Authentication Commands 802.1X Port Authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port. Syntax [no] dot1x pae supplicant Default...

  • Page 211: Dot1x Timeout Auth-period

    Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout auth-period This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. Syntax dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.

  • Page 212: Dot1x Timeout Start-period

    Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout start-period This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting. Syntax dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds.

  • Page 213

    Chapter 7 | Authentication Commands 802.1X Port Authentication ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 202). ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 209).

  • Page 214

    Chapter 7 | Authentication Commands 802.1X Port Authentication ◆ Backend State Machine ■ State – Current state (including request, response, success, fail, timeout, idle, initialize). ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. ■ Identifier (Server) –...

  • Page 215: Management Ip Filter

    Chapter 7 | Authentication Commands Management IP Filter Backend State Machine State : Idle Request Count Identifier(Server) Reauthentication State Machine State : Initialize 802.1X Supplicant is disabled on port 1/50 Console# Management IP Filter This section describes commands used to configure IP management access to the switch.

  • Page 216: Management Ip Filter

    Chapter 7 | Authentication Commands Management IP Filter Command Usage ◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. ◆...

  • Page 217

    Chapter 7 | Authentication Commands Management IP Filter 2. 192.168.1.25 192.168.1.30 SNMP-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 TELNET-Client: Start IP address End IP address ----------------------------------------------- 1. 192.168.1.19 192.168.1.19 2. 192.168.1.25 192.168.1.30 Console# –...

  • Page 218

    Chapter 7 | Authentication Commands Management IP Filter – 218 –...

  • Page 219: General Security Measures

    General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes.

  • Page 220: Port Security

    Chapter 8 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.

  • Page 221: Port Security

    Chapter 8 | General Security Measures Port Security Command Mode Interface Configuration (Ethernet) Command Usage ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.

  • Page 222

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands show interfaces status (304) shutdown (300)

  • Page 223: Network Access (mac Address Authentication)

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Table 47: Network Access Commands (Continued) Command Function Mode mac-authentication intrusion-action Determines the port response when a connected host fails MAC authentication. mac-authentication max-mac-count Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication clear network-access...

  • Page 224

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) network-access mac-filter Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address. Syntax [no] network-access mac-filter filter-id mac-address mac-address [mask mask-address] filter-id - Specifies a MAC address filter table.

  • Page 225: Mac-authentication Reauth-time

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Command Mode Global Configuration Command Usage ◆ The reauthentication time is a global setting and applies to all ports. ◆ When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server.

  • Page 226: Network-access Dynamic-qos

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) ◆ When the last user logs off of a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port. ◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.

  • Page 227: Network-access Dynamic-vlan

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) ◆ When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table. Example The following example enables dynamic VLAN assignment on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#network-access dynamic-vlan Console(config-if)#...

  • Page 228

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) network-access link-detection Use this command to enable link detection for the selected port. Use the no form of this command to restore the default. Syntax [no] network-access link-detection Default Setting Disabled Command Mode Interface Configuration...

  • Page 229: Network-access Link-detection

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) network-access link-detection link-up Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

  • Page 230: Network-access Link-detection Link-up

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up-down action trap Console(config-if)# network-access max-mac-count Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.

  • Page 231: Network-access Mode Mac-authentication

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated. ◆...

  • Page 232: Network-access Port-mac-filter

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Command Usage ◆ Entries in the MAC address filter table can be configured with the network-access mac-filter command. ◆ Only one filter table can be assigned to a port. Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access port-mac-filter 1...

  • Page 233: Mac-authentication Max-mac-count

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] static - Specifies static address entries.

  • Page 234: Show Network-access

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Default Setting Displays the settings for all interfaces. Command Mode Privileged Exec Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC address Aging : Disabled Port : 1/1 MAC Authentication...

  • Page 235: Show Network-access Mac-address-table

    Chapter 8 | General Security Measures Network Access (MAC Address Authentication) Command Mode Privileged Exec Command Usage When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed.

  • Page 236: Web Authentication

    Chapter 8 | General Security Measures Web Authentication Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.

  • Page 237: Web Authentication

    Chapter 8 | General Security Measures Web Authentication web-auth login-attempts This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default. Syntax web-auth login-attempts count no web-auth login-attempts...

  • Page 238: Web-auth Session-timeout

    Chapter 8 | General Security Measures Web Authentication web-auth session-timeout This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.

  • Page 239: Web-auth System-auth-control

    Chapter 8 | General Security Measures Web Authentication web-auth This command enables web authentication for an interface. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.

  • Page 240: Web-auth

    Chapter 8 | General Security Measures Web Authentication web-auth re-authenticate (IP) This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate. Syntax web-auth re-authenticate interface interface ip interface - Specifies a port interface. ethernet unit/port unit - This is unit 1.

  • Page 241: Show Web-auth

    Chapter 8 | General Security Measures Web Authentication show web-auth interface This command displays interface-specific web authentication parameters and statistics. Syntax show web-auth interface interface interface - Specifies a port interface. ethernet unit/port unit - This is unit 1. port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example...

  • Page 242: Dhcp Snooping, Ip Dhcp Snooping

    Chapter 8 | General Security Measures DHCP Snooping DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.

  • Page 243: Dhcp Snooping

    Chapter 8 | General Security Measures DHCP Snooping an untrusted interface (as specified by the no ip dhcp snooping trust command) from a device not listed in the DHCP snooping table will be dropped. ◆ When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.

  • Page 244

    Chapter 8 | General Security Measures DHCP Snooping ◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (using the ip dhcp snooping trust command).

  • Page 245: Ip Dhcp Snooping Information Option

    Chapter 8 | General Security Measures DHCP Snooping ◆ Use the ip dhcp snooping information option command to specify how to handle DHCP client request packets which already contain Option 82 information. Example This example enables the DHCP Snooping Information Option. Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping...

  • Page 246: Ip Dhcp Snooping Verify Mac-address

    Chapter 8 | General Security Measures DHCP Snooping ip dhcp snooping verify mac-address This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.

  • Page 247: Ip Dhcp Snooping Vlan

    Chapter 8 | General Security Measures DHCP Snooping will be performed on any untrusted ports within the VLAN as specified by the dhcp snooping trust command. ◆ When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.

  • Page 248: Ip Dhcp Snooping Trust

    Chapter 8 | General Security Measures DHCP Snooping ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed. ◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.

  • Page 249: Show Ip Dhcp Snooping

    Chapter 8 | General Security Measures DHCP Snooping show ip dhcp snooping This command shows the DHCP snooping configuration settings. Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping status: disable DHCP Snooping Information Option Status: disable DHCP Snooping Information Policy: replace DHCP Snooping is configured on the following VLANs: Verify Source Mac-Address: enable...

  • Page 250: Ip Source Guard

    Chapter 8 | General Security Measures IP Source Guard IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping”...

  • Page 251: Ip Source Guard

    Chapter 8 | General Security Measures IP Source Guard Command Usage ◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP- SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier. ◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command...

  • Page 252

    Chapter 8 | General Security Measures IP Source Guard ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard...

  • Page 253: Ip Source-guard

    Chapter 8 | General Security Measures IP Source Guard sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. If the DHCP snooping is enabled, IP source guard will check the VLAN ID, ■...

  • Page 254: Ip Source-guard Max-binding

    Chapter 8 | General Security Measures IP Source Guard Command Usage This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.

  • Page 255: Arp Inspection

    Chapter 8 | General Security Measures ARP Inspection Example Console#show ip source-guard binding MacAddress IpAddress Lease(sec) Type VLAN Interface ----------------- --------------- ---------- -------------------- ---- -------- 11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5 Console# ARP Inspection ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.

  • Page 256: Arp Inspection

    Chapter 8 | General Security Measures ARP Inspection Table 52: ARP Inspection Commands (Continued) Command Function Mode show ip arp inspection statistics Shows statistics about the number of ARP packets processed, or dropped for various reasons show ip arp inspection vlan Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is...

  • Page 257: Ip Arp Inspection

    Chapter 8 | General Security Measures ARP Inspection Example Console(config)#ip arp inspection Console(config)# ip arp inspection filter This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. Syntax ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static] no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} arp-acl-name - Name of an ARP ACL.

  • Page 258: Ip Arp Inspection Log-buffer Logs

    Chapter 8 | General Security Measures ARP Inspection ip arp inspection log-buffer logs This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.

  • Page 259: Ip Arp Inspection Validate

    Chapter 8 | General Security Measures ARP Inspection ip arp inspection validate This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. Syntax ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac} no ip arp inspection validate dst-mac - Checks the destination MAC address in the Ethernet header...

  • Page 260: Ip Arp Inspection Vlan

    Chapter 8 | General Security Measures ARP Inspection Default Setting Disabled on all VLANs Command Mode Global Configuration Command Usage ◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.

  • Page 261: Ip Arp Inspection Limit

    Chapter 8 | General Security Measures ARP Inspection Default Setting Command Mode Interface Configuration (Port) Command Usage ◆ This command only applies to trusted or untrusted ports. ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.

  • Page 262: Show Ip Arp Inspection Configuration

    Chapter 8 | General Security Measures ARP Inspection show ip arp inspection configuration This command displays the global configuration settings for ARP Inspection. Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP inspection global information: Global IP ARP Inspection status : disabled Log Message Interval : 10 s Log Message Number...

  • Page 263: Show Ip Arp Inspection

    Chapter 8 | General Security Measures ARP Inspection show ip arp inspection This command shows information about entries stored in the log, including the associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address...

  • Page 264: Denial Of Service Protection

    Chapter 8 | General Security Measures Denial of Service Protection Example Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# Denial of Service Protection A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.

  • Page 265: Flow Tcp-udp-port-zero

    Chapter 8 | General Security Measures Port-based Traffic Segmentation Command Mode Global Configuration Note: This switch cannot trap packets where both the source port and destination port are set to zero. Example Console(config)#flow tcp-udp-port-zero forward Console(config)# show flow This command shows the action taken against attacks which set the Layer 4 source or destination port to zero.

  • Page 266: Port-based Traffic Segmentation

    Chapter 8 | General Security Measures Port-based Traffic Segmentation traffic-segmentation This command enables traffic segmentation globally, or configures the uplink and down-link ports for a segmented group of ports. Use the no form to disable traffic segmentation globally. Syntax [no] traffic-segmentation [uplink interface-list downlink interface-list] uplink –...

  • Page 267: Traffic-segmentation

    Chapter 8 | General Security Measures Port-based Traffic Segmentation show traffic-segmentation This command displays the configured traffic segments. Command Mode Privileged Exec Example Console#show traffic-segmentation Private VLAN status: Disabled Up-link Port: Ethernet 1/12 Down-link Port: Ethernet 1/5 Ethernet 1/6 Ethernet 1/7 Ethernet 1/8 Console# –...

  • Page 268

    Chapter 8 | General Security Measures Port-based Traffic Segmentation – 268 –...

  • Page 269: Access Control Lists, Ipv4 Acls

    Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type), or any frames (based on MAC address or Ethernet type).

  • Page 270: Access Control Lists

    Chapter 9 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard –...

  • Page 271

    Chapter 9 | Access Control Lists IPv4 ACLs permit, deny, redirect-to (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax...

  • Page 272

    Chapter 9 | Access Control Lists IPv4 ACLs Related Commands access-list ip (270) Time Range (128) permit, deny, redirect-to This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes.

  • Page 273

    Chapter 9 | Access Control Lists IPv4 ACLs destination – Destination IP address. address-bitmask – Decimal number representing the address bits to match. host – Keyword followed by a specific IP address. precedence – IP precedence level. (Range: 0-7) tos – Type of Service level. (Range: 0-15) dscp –...

  • Page 274

    Chapter 9 | Access Control Lists IPv4 ACLs 32 (urg) – Urgent pointer ■ For example, use the code value and mask below to catch packets with the following flags set: SYN flag valid, use “control-code 2 2” ■ Both SYN and ACK valid, use “control-code 18 18” ■...

  • Page 275: Ip Access-group

    Chapter 9 | Access Control Lists IPv4 ACLs Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.

  • Page 276: Show Ip Access-list

    Chapter 9 | Access Control Lists IPv4 ACLs Command Mode Privileged Exec Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny, redirect-to (271) ip access-group (274) – 276 –...

  • Page 277: Ipv6 Acls

    Chapter 9 | Access Control Lists IPv6 ACLs IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.

  • Page 278: Ipv6 Acls

    Chapter 9 | Access Control Lists IPv6 ACLs ◆ An ACL can contain up to 64 rules. Example Console(config)#access-list ipv6 standard david Console(config-std-ipv6-acl)# Related Commands permit, deny, redirect-to (Standard IPv6 ACL) (278) permit, deny, redirect-to (Extended IPv6 ACL) (279) ipv6 access-group (282) show ipv6 access-list (281) permit, deny, This command adds a rule to a Standard IPv6 ACL.

  • Page 279

    Chapter 9 | Access Control Lists IPv6 ACLs Command Usage New rules are appended to the end of the list. Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64. Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79 Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64 Console(config-std-ipv6-acl)#...

  • Page 280

    Chapter 9 | Access Control Lists IPv6 ACLs Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (The switch only checks the first 64 bits of the destination address.) prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix;...

  • Page 281

    Chapter 9 | Access Control Lists IPv6 ACLs This allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit any dscp 5 Console(config-ext-ipv6-acl)# This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43 Console(config-ext-ipv6-acl)# Related Commands...

  • Page 282: Show Ipv6 Access-list

    Chapter 9 | Access Control Lists IPv6 ACLs ipv6 access-group This command binds a port to an IPv6 ACL. Use the no form to remove the port. Syntax ipv6 access-group acl-name in [time-range time-range-name] no ipv6 access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in –...

  • Page 283: Mac Acls

    Chapter 9 | Access Control Lists MAC ACLs Related Commands ipv6 access-group (282) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.

  • Page 284: Mac Acls

    Chapter 9 | Access Control Lists MAC ACLs Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny, redirect-to (284) mac access-group (286) show mac access-list (287) permit, deny, redirect-to This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.

  • Page 285

    Chapter 9 | Access Control Lists MAC ACLs {permit | deny | redirect-to interface} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name] no {permit | deny | redirect-to interface} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask]...

  • Page 286

    Chapter 9 | Access Control Lists MAC ACLs Command Usage ◆ New rules are added to the end of the list. ◆ The ethertype option can only be used to filter Ethernet II formatted packets. ◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: 0800 - IP ■...

  • Page 287: Mac Access-group

    Chapter 9 | Access Control Lists MAC ACLs Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands show mac access-list (287) Time Range (128) show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group...

  • Page 288

    Chapter 9 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command...

  • Page 289: Arp Acls

    Chapter 9 | Access Control Lists ARP ACLs permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.

  • Page 290: Acl Information

    Chapter 9 | Access Control Lists ACL Information Related Commands access-list arp (288) show arp access-list This command displays the rules for configured ARP ACLs. Syntax show arp access-list [acl-name] acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example...

  • Page 291: Acl Information

    Chapter 9 | Access Control Lists ACL Information show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization]] arp –...

  • Page 292

    Chapter 9 | Access Control Lists ACL Information – 292 –...

  • Page 293: Interface Commands

    Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 61: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode alias Configures an alias name for the interface...

  • Page 294: Interface Commands

    Chapter 10 | Interface Commands Interface Configuration Table 61: Interface Commands (Continued) Command Function Mode Power Savings power-save Enables power savings mode on the specified port show power-save Shows the configuration settings for power savings Interface Configuration interface This command configures an interface type and enters interface configuration mode.

  • Page 295: Interface Configuration

    Chapter 10 | Interface Commands Interface Configuration alias This command configures an alias name for the interface. Use the no form to remove the alias name. Syntax alias string no alias string - A mnemonic name to help you remember what is attached to this interface.

  • Page 296: Capabilities

    Chapter 10 | Interface Commands Interface Configuration Default Setting 100BASE-FX: 100full (SFP) 1000BASE-T: 10half, 10full, 100half, 100full, 1000full 1000BASE-SX/LX/LH (SFP): 1000full Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.

  • Page 297: Description

    Chapter 10 | Interface Commands Interface Configuration Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.

  • Page 298: Flowcontrol

    Chapter 10 | Interface Commands Interface Configuration Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (299) capabilities (flowcontrol, symmetric) (295) giga-phy-mode This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports.

  • Page 299: Giga-phy-mode

    Chapter 10 | Interface Commands Interface Configuration ◆ If auto-negotiation is enabled at the far end of a link, and disabled on the local end, a link should eventually be established regardless of the selected giga-phy mode. Example This forces the switch port to master mode on port 24. Console(config)#interface ethernet 1/50 Console(config-if)#no negotiation Console(config-if)#speed-duplex 1000full...

  • Page 300: Negotiation

    Chapter 10 | Interface Commands Interface Configuration Related Commands capabilities (295) speed-duplex (300) shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been...

  • Page 301: Speed-duplex

    Chapter 10 | Interface Commands Interface Configuration ◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.

  • Page 302: Clear Counters

    Chapter 10 | Interface Commands Interface Configuration Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

  • Page 303: Show Interfaces Counters

    Chapter 10 | Interface Commands Interface Configuration port-channel channel-id (Range: 1-12) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics”...

  • Page 304: Show Interfaces Status

    Chapter 10 | Interface Commands Interface Configuration 3805 Packet Size 65 to 127 Octets 2448 Packet Size 128 to 255 Octets 797 Packet Size 256 to 511 Octets 2941 Packet Size 512 to 1023 Octets 9187 Packet Size 1024 to 1518 Octets ===== Port Utilization (recent 300 seconds) ===== 0 Octets input per second 0 Packets input per second...

  • Page 305

    Chapter 10 | Interface Commands Interface Configuration Media Type (Combo Forced Mode) : None Giga PHY Mode : Master Current Status: Link Status : Up Port Operational Status : Up Operational Speed-Duplex : 100full Flow Control Type : None Console# show interfaces switchport This command displays the administrative and operational status of the specified...

  • Page 306: Show Interfaces Switchport

    Chapter 10 | Interface Commands Interface Configuration 802.1Q-tunnel TPID : 8100(Hex) Console# Table 62: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 345).

  • Page 307: Show Interfaces Transceiver

    Chapter 10 | Interface Commands Interface Configuration show interfaces This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the transceiver temperature, voltage, bias current, transmit power, and receive power. Syntax show interfaces transceiver [interface] interface ethernet unit/port unit - Unit identifier.

  • Page 308

    Chapter 10 | Interface Commands Cable Diagnostics Options Console# Cable Diagnostics test cable-diagnostics This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length. Syntax test cable-diagnostics interface interface interface ethernet unit/port unit - Unit identifier.

  • Page 309: Cable Diagnostics

    Chapter 10 | Interface Commands Cable Diagnostics Example Console#test cable-diagnostics interface ethernet 1/23 Console#show cable-diagnostics interface ethernet 1/23 Port Type Link Status Pair A (meters) Pair B (meters) Last Update -------- ---- ----------- ---------------- ---------------- ----------------- Eth 1/23 OK (21) OK (21) 2009-11-13 09:44:19 Console#...

  • Page 310

    Chapter 10 | Interface Commands Power Savings Power Savings power-save This command enables power savings mode on the specified port. Syntax [no] power-save Command Mode Interface Configuration (Ethernet, Ports 1-24) Command Usage ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.

  • Page 311: Power Savings

    Chapter 10 | Interface Commands Power Savings Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters. Example Console(config)#interface ethernet 1/1 Console(config-if)#power-save...

  • Page 312

    Chapter 10 | Interface Commands Power Savings – 312 –...

  • Page 313: Link Aggregation Commands

    Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.

  • Page 314: Link Aggregation Commands

    Chapter 11 | Link Aggregation Commands Manual Configuration Commands ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. ◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.

  • Page 315: Channel-group

    Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.

  • Page 316: Dynamic Configuration Commands

    Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands Console#show interfaces status port-channel 1 Information of Trunk 1 Port Type : 1000T MAC Address : B4-0E-DC-39-F4-4D Configuration: Name Port Admin : Up Speed-Duplex : Auto Capabilities : 10half, 10full, 100half, 100full, 1000full Flow Control : Disabled VLAN Trunking...

  • Page 317: Lacp Port-priority

    Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state. ◆...

  • Page 318

    Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor port-priority 128 lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link.

  • Page 319: Lacp System-priority

    Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.

  • Page 320: Show Lacp

    Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} port-channel - Local identifier for a link aggregation group. (Range: 1-12) counters - Statistics for LACP protocol messages.

  • Page 321: Trunk Status Display Commands

    Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Console#show lacp 1 internal Port Channel : 1 ------------------------------------------------------------------------- Oper Key Admin Key : 0 Eth 1/ 1 ------------------------------------------------------------------------- LACPDUs Internal : 30 seconds LACP System Priority : 32768 LACP Port Priority : 32768 Admin Key Oper Key...

  • Page 322

    Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Partner Oper System ID : 32768, 00-12-CF-61-24-2F Partner Admin Port Number : 1 Partner Oper Port Number Port Admin Priority : 32768 Port Oper Priority : 32768 Admin Key Oper Key Admin State: defaulted, distributing, collecting, synchronization, long timeout,...

  • Page 323

    Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Table 67: show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. System Priority LACP system priority for this channel group. System MAC System MAC address.

  • Page 324

    Chapter 11 | Link Aggregation Commands Trunk Status Display Commands – 324 –...

  • Page 325: Power Over Ethernet Commands

    Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.

  • Page 326: Power Over Ethernet Commands

    Chapter 12 | Power over Ethernet Commands Command Usage ◆ The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device.

  • Page 327: Power Inline

    Watts power budget. This means that up to 11/22 ports can supply a maximum 34.2W of power simultaneously to connected devices (802.3at), up to 24/48 ports can supply up to 15.4W (802.3af). Values for EX-3524 and EX-3548. – 327 –...

  • Page 328: Power Inline Maximum Allocation

    Chapter 12 | Power over Ethernet Commands ◆ If a device is connected to a switch port and the switch detects that it requires more than the maximum power allocated to the port or to the overall switch, no power is supplied to the device (i.e., port power remains off). Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline maximum allocation 8000...

  • Page 329: Power Inline Priority

    | Power over Ethernet Commands Note (EX-3524): If power priority is not set for any ports, and there is not sufficient power to supply all of the ports during bootup, available power is provided to the ports based on the PSE chips in the following order:...

  • Page 330: Show Power Inline Status

    Chapter 12 | Power over Ethernet Commands show power inline status This command displays the current power status for all ports or for specific ports. Syntax show power inline status [interface] interface ethernet unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-24/48) Command Mode Privileged Exec Example...

  • Page 331: Show Power Inline, Show Power Poe

    Chapter 12 | Power over Ethernet Commands show power inline time-range This command displays the time-range and current status for specific ports or for all ports. Syntax show power inline time-range time-range-name [interface] time-range-name - Name of the time range. (Range: 1-30 characters) interface ethernet...

  • Page 332

    Chapter 12 | Power over Ethernet Commands Table 70: show power mainpower - display description Field Description PoE Maximum Available Power The available power budget for the switch System Operation Status The current operating power status (displays on or off) PoE Power The current power consumption on the switch in watts...

  • Page 333: Port Mirroring Commands, Local Port Mirroring Commands

    Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 71: Port Mirroring Commands Command Function...

  • Page 334: Port Mirroring Commands

    Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands both - Mirror both received and transmitted packets. vlan-id - VLAN ID (Range: 1-4093) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. Default Setting ◆ No mirror session is defined. ◆...

  • Page 335

    Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands ◆ The destination port cannot be a trunk or trunk member port. ◆ RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source ports and destination ports can still be configured.

  • Page 336: Rspan Mirroring Commands

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Console#show port monitor Port Mirroring ------------------------------------- Destination Port (listen port): Eth1/11 Source Port (monitored port) : Eth1/ 6 Mode :RX/TX Console# RSPAN Mirroring Commands Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.

  • Page 337: Rspan Mirroring Commands

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands RSPAN Limitations The following limitations apply to the use of RSPAN on this switch: ◆ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface –...

  • Page 338

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands rspan source Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.

  • Page 339: Rspan Destination

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port. Syntax rspan session session-id destination interface interface [tagged | untagged] no rspan session session-id destination interface interface session-id –...

  • Page 340: Rspan Remote Vlan

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.

  • Page 341: No Rspan Session

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers. Example The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3: Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3 Console(config)# no rspan session...

  • Page 342: Show Rspan

    Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Example Console#show rspan session RSPAN Session ID Source Ports (mirrored ports) : None RX Only : None TX Only : None BOTH : None Destination Port (monitor port) : Eth 1/2 Destination Tagged Mode : Untagged Switch Role...

  • Page 343: Congestion Control Commands, Rate Limit Commands

    Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

  • Page 344: Congestion Control Commands

    Chapter 14 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled. Syntax rate-limit {input | output} [rate] no rate-limit {input | output}...

  • Page 345: Storm Control Commands

    Chapter 14 | Congestion Control Commands Storm Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.

  • Page 346: Automatic Traffic Control Commands

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆...

  • Page 347: Automatic Traffic Control Commands

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Table 77: ATC Commands (Continued) Command Function Mode auto-traffic-control alarm-fire-threshold Sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires IC (Port) auto-traffic-control auto- Automatically releases a control response IC (Port)

  • Page 348

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams. Figure 1: Storm Control by Limiting the Traffic Rate...

  • Page 349: Threshold Commands

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Figure 2: Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

  • Page 350: Auto-traffic-control Release-timer

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...

  • Page 351

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.

  • Page 352: Auto-traffic-control

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled. Default Setting rate-control Command Mode Interface Configuration (Ethernet) Command Usage ◆...

  • Page 353

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage ◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or...

  • Page 354: Auto-traffic-control Action

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.

  • Page 355: Auto-traffic-control Alarm-clear-threshold

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control control-release This command manually releases a control response. Syntax auto-traffic-control {broadcast | multicast} control-release broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. Command Mode Interface Configuration (Ethernet) Command Usage...

  • Page 356: Auto-traffic-control Alarm-fire-threshold

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server enable port-traps atc broadcast-alarm-fire This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc broadcast-alarm-fire Default Setting Disabled...

  • Page 357

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server enable port-traps atc broadcast-control-release This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap. Syntax...

  • Page 358

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server enable port-traps atc multicast-alarm-fire This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap. Syntax [no] snmp-server enable port-traps atc multicast-alarm-fire Default Setting Disabled...

  • Page 359

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. enable port-traps atc Use the no form to disable this trap.

  • Page 360: Show Auto-traffic-control

    Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands show auto-traffic-control interface This command shows interface configuration settings and storm control status for the specified port. Syntax show auto-traffic-control interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.

  • Page 361: Address Table Commands

    - Aging time. (Range: 10-844/672 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information. Values for EX-3524 and EX-3548. – 361 –...

  • Page 362: Address Table Commands

    Chapter 15 | Address Table Commands Example Console(config)#mac-address-table aging-time 100 Console(config)# mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address.

  • Page 363: Mac-address-table Static

    Chapter 15 | Address Table Commands Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address-table dynamic This command removes any learned entries from the forwarding database. Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show This command shows classes of entries in the bridge-forwarding database.

  • Page 364: Show Mac-address-table

    Chapter 15 | Address Table Commands Command Usage ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: Learn - Dynamic address entries ■ Config - Static entry ■...

  • Page 365: Show Mac-address-table Count

    Chapter 15 | Address Table Commands show mac-address-table count This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. Syntax show mac-address-table count interface interface interface ethernet unit/port unit - Unit identifier.

  • Page 366

    Chapter 15 | Address Table Commands – 366 –...

  • Page 367: Spanning Tree Commands

    Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 79: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree Configures spanning tree operation to be compatible with cisco-prestandard...

  • Page 368: Spanning Tree Commands

    Chapter 16 | Spanning Tree Commands Table 79: Spanning Tree Commands (Continued) Command Function Mode spanning-tree Configures loopback release mode for a port loopback-detection release-mode spanning-tree Enables BPDU loopback SNMP trap notification for a port loopback-detection trap spanning-tree mst cost Configures the path cost of an interface in the MST instance IC spanning-tree Configures the priority of an interface in the MST instance...

  • Page 369: Spanning-tree

    Chapter 16 | Spanning Tree Commands Example This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree cisco-prestandard This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting. [no] spanning-tree cisco-prestandard Default Setting Disabled...

  • Page 370: Spanning-tree Forward-time

    Chapter 16 | Spanning Tree Commands Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.

  • Page 371: Spanning-tree Hello-time

    Chapter 16 | Spanning Tree Commands spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].

  • Page 372: Spanning-tree Mode

    Chapter 16 | Spanning Tree Commands Default Setting rstp Command Mode Global Configuration Command Usage ◆ Spanning Tree Protocol This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.

  • Page 373: Spanning-tree Pathcost Method

    Chapter 16 | Spanning Tree Commands spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method long - Specifies 32-bit based values that range from 1-200,000,000.

  • Page 374: Spanning-tree Priority

    Chapter 16 | Spanning Tree Commands Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.

  • Page 375: Spanning-tree Transmission-limit

    Chapter 16 | Spanning Tree Commands Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# max-hops This command configures the maximum number of hops in the region before a BPDU is discarded.

  • Page 376: Mst Priority

    Chapter 16 | Spanning Tree Commands mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance-id priority priority no mst instance-id priority instance-id - Instance identifier of the spanning tree. (Range: 0-4094) priority - Priority of the spanning tree instance.

  • Page 377

    Chapter 16 | Spanning Tree Commands Command Mode MST Configuration Command Usage ◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.

  • Page 378: Name

    Chapter 16 | Spanning Tree Commands Related Commands revision (378) revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree. (Range: 0-65535) Default Setting Command Mode MST Configuration...

  • Page 379: Spanning-tree Bpdu-filter

    Chapter 16 | Spanning Tree Commands conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs. However, note that if a trunking port connected to another switch or bridging device is mistakenly configured as an edge port, and BPDU filtering is enabled on this port, this might cause a loop in the spanning tree.

  • Page 380: Spanning-tree Bpdu-guard

    Chapter 16 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree bpdu-guard Console(config-if)# Related Commands spanning-tree edge-port (381) spanning-tree spanning-disabled (389) spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost...

  • Page 381: Spanning-tree Cost

    Chapter 16 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.

  • Page 382: Spanning-tree Edge-port

    Chapter 16 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)# spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting.

  • Page 383: Spanning-tree Loopback-detection

    Chapter 16 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).

  • Page 384: Spanning-tree Loopback-detection Action

    Chapter 16 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection action shutdown 600 Console(config-if)# spanning-tree This command configures the release mode for a port that was placed in the loopback-detection discarding state because a loopback BPDU was received. Use the no form to restore the default.

  • Page 385: Spanning-tree Loopback-detection Release-mode

    Chapter 16 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection release-mode manual Console(config-if)# spanning-tree loopback-detection trap This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. Syntax [no] spanning-tree loopback-detection trap Default Setting Disabled Command Mode...

  • Page 386: Spanning-tree Mst Cost

    Chapter 16 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Each spanning-tree instance is associated with a unique set of VLAN IDs. ◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices.

  • Page 387: Spanning-tree Port-priority

    Chapter 16 | Spanning Tree Commands ◆ Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled. Example Console(config)#interface Ethernet 1/5 Console(config-if)#spanning-tree mst 1 port-priority 0 Console(config-if)# Related Commands spanning-tree mst cost (385) spanning-tree This command configures the priority for the specified interface.

  • Page 388: Spanning-tree Root-guard

    Chapter 16 | Spanning Tree Commands spanning-tree root-guard This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature. Syntax [no] spanning-tree root-guard Default Setting Disabled Command Mode...

  • Page 389: Spanning-tree Spanning-disabled

    Chapter 16 | Spanning Tree Commands spanning-tree spanning-disabled This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface. Syntax [no] spanning-tree spanning-disabled Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Example...

  • Page 390: Spanning-tree Protocol-migration

    Chapter 16 | Spanning Tree Commands spanning-tree protocol-migration This command re-checks the appropriate BPDU format to send on the selected interface. Syntax spanning-tree protocol-migration interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-12) Command Mode Privileged Exec...

  • Page 391: Show Spanning-tree

    Chapter 16 | Spanning Tree Commands Command Mode Privileged Exec Command Usage ◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. ◆...

  • Page 392: Show Spanning-tree Mst Configuration

    Chapter 16 | Spanning Tree Commands Designated Bridge : 32768.0.123412341234 Fast Forwarding : Disabled Forward Transitions Admin Edge Port : Disabled Oper Edge Port : Disabled Admin Link Type : Auto Oper Link Type : Point-to-point Spanning-Tree Status : Enabled Loopback Detection Status : Enabled Loopback Detection Release Mode : Auto...

  • Page 393: Vlan Commands

    VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

  • Page 394: Gvrp And Bridge Extension Commands

    Chapter 17 | VLAN Commands GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

  • Page 395: Gvrp And Bridge Extension Commands

    Chapter 17 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set.

  • Page 396: Garp Timer

    Chapter 17 | VLAN Commands GVRP and Bridge Extension Commands Related Commands show garp timer (398) switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add.

  • Page 397: Switchport Gvrp

    Chapter 17 | VLAN Commands GVRP and Bridge Extension Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode...

  • Page 398: Bridge-ext Gvrp

    Chapter 17 | VLAN Commands GVRP and Bridge Extension Commands Table 84: show bridge-ext - display description Field Description Maximum The maximum number of VLANs supported on this switch. Supported VLAN Numbers Maximum The maximum configurable VLAN identifier supported on this switch. Supported VLAN ID Extended Multicast This switch does not support the filtering of individual multicast addresses...

  • Page 399: Editing Vlan Groups

    Chapter 17 | VLAN Commands Editing VLAN Groups Example Console#show garp timer ethernet 1/1 Eth 1/ 1 GARP timer status: Join Timer: 20 centiseconds Leave Timer: 60 centiseconds Leaveall Timer: 1000 centiseconds Console# Related Commands garp timer (395) show gvrp This command shows if GVRP is enabled.

  • Page 400: Editing Vlan Groups

    Chapter 17 | VLAN Commands Editing VLAN Groups vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan...

  • Page 401: Configuring Vlan Interfaces

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands”...

  • Page 402: Configuring Vlan Interfaces

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces Table 86: Commands for Configuring VLAN Interfaces (Continued) Command Function Mode switchport ingress-filtering Enables ingress filtering on an interface switchport mode Configures VLAN membership mode for an interface switchport native vlan Configures the PVID (native VLAN) of an interface switchport priority default Sets a port priority for incoming untagged frames vlan-trunking...

  • Page 403: Switchport Acceptable-frame-types

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.

  • Page 404: Switchport Allowed Vlan

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces Default Setting All ports are assigned to VLAN 1 by default. The default frame type is untagged. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ If a port or trunk has switchport mode set to access, then only one VLAN can be added with this command.

  • Page 405: Switchport Ingress-filtering

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Ingress filtering only affects tagged frames. ◆ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).

  • Page 406: Switchport Mode

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces Command Usage Access mode is mutually exclusive with VLAN trunking (see the vlan-trunking command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa. Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:...

  • Page 407

    Chapter 17 | VLAN Commands Configuring VLAN Interfaces vlan-trunking This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature. Syntax [no] vlan-trunking Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...

  • Page 408: Displaying Vlan Information, Show Vlan

    Chapter 17 | VLAN Commands Displaying VLAN Information flooded to all other ports where VLAN trunking is enabled. (In other words, VLAN trunking will still be effectively enabled for the unknown VLAN). Example The following example enables VLAN trunking on ports 27 and 28 to establish a path across the switch for unknown VLAN groups: Console(config)#interface ethernet 1/27 Console(config-if)#vlan-trunking...

  • Page 409: Show Vlan

    Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Example The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN ID: Type: Static Name: DefaultVlan Status: Active Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)

  • Page 410: Configuring Ieee 802.1q Tunneling

    Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See dot1q-tunnel tpid.) Configure the QinQ tunnel access port to join the SPVLAN as an untagged...

  • Page 411: Dot1q-tunnel System-tunnel-control

    Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)# Related Commands show dot1q-tunnel (413) show interfaces switchport (305) dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value for all ports. Use the no form to restore the default setting. Syntax dot1q-tunnel tpid tpid no dot1q-tunnel tpid...

  • Page 412: Dot1q-tunnel Tpid

    Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Example Console(config)#dot1q-tunnel tpid 9100 Console(config)# Related Commands show interfaces switchport (305) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode...

  • Page 413: Switchport Dot1q-tunnel Mode

    Chapter 17 | VLAN Commands Configuring Protocol-based VLANs show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.

  • Page 414: Configuring Protocol-based Vlans

    Chapter 17 | VLAN Commands Configuring Protocol-based VLANs To configure protocol-based VLANs, follow these steps: First configure VLAN groups for the protocols you want to use (page 400). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.

  • Page 415: Protocol-vlan Protocol-group (configuring Interfaces)

    Chapter 17 | VLAN Commands Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan group-id - Group identifier of this protocol group.

  • Page 416: Show Protocol-vlan Protocol-group

    Chapter 17 | VLAN Commands Configuring Protocol-based VLANs show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups. Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group. (Range: 1-2147483647) Default Setting All protocol groups are displayed.

  • Page 417: Configuring Ip Subnet Vlans

    Chapter 17 | VLAN Commands Configuring IP Subnet VLANs Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port ProtocolGroup ID VLAN ID ---------- ------------------ ----------- Eth 1/1 vlan2...

  • Page 418: Configuring Ip Subnet Vlans

    Chapter 17 | VLAN Commands Configuring IP Subnet VLANs Default Setting Priority: 0 Command Mode Global Configuration Command Usage ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a subnet mask. The specified VLAN need not be an existing VLAN.

  • Page 419: Configuring Mac Based Vlans

    Chapter 17 | VLAN Commands Configuring MAC Based VLANs 192.168.12.224 255.255.255.240 192.168.12.240 255.255.255.248 192.168.12.248 255.255.255.252 192.168.12.252 255.255.255.254 192.168.12.254 255.255.255.255 192.168.12.255 255.255.255.255 Console# Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.

  • Page 420: Configuring Mac Based Vlans

    Chapter 17 | VLAN Commands Configuring MAC Based VLANs Command Mode Global Configuration Command Usage ◆ The MAC-to-VLAN mapping applies to all ports on the switch. ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆...

  • Page 421: Configuring Voice Vlans

    Chapter 17 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.

  • Page 422: Configuring Voice Vlans

    Chapter 17 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.

  • Page 423: Voice Vlan Aging

    Chapter 17 | VLAN Commands Configuring Voice VLANs Example The following example configures the Voice VLAN aging time as 3000 minutes. Console(config)#voice vlan aging 3000 Console(config)# voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.

  • Page 424: Voice Vlan Mac-address

    Chapter 17 | VLAN Commands Configuring Voice VLANs switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.

  • Page 425: Switchport Voice Vlan

    Chapter 17 | VLAN Commands Configuring Voice VLANs Default Setting Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.

  • Page 426: Switchport Voice Vlan Rule

    Chapter 17 | VLAN Commands Configuring Voice VLANs Example The following example enables the OUI method on port 1 for detecting VoIP traffic. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan rule oui Console(config-if)# switchport voice vlan This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.

  • Page 427: Show Voice Vlan

    Chapter 17 | VLAN Commands Configuring Voice VLANs Default Setting None Command Mode Privileged Exec Example Console#show voice vlan status Global Voice VLAN Status Voice VLAN Status : Enabled Voice VLAN ID : 1234 Voice VLAN aging time : 1440 minutes Voice VLAN Port Summary Port Mode...

  • Page 429: Class Of Service Commands

    Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.

  • Page 430: Class Of Service Commands

    Chapter 18 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.

  • Page 431: Queue Mode

    Chapter 18 | Class of Service Commands Priority Commands (Layer 2) queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value. ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing.

  • Page 432: Queue Weight

    Chapter 18 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3. Console(config)#queue weight 1 2 3 4 Console(config)# Related Commands queue mode (430) show queue weight (433)

  • Page 433: Switchport Priority Default

    Chapter 18 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (305) show queue mode This command shows the current queue mode.

  • Page 434

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 95: Priority Commands (Layer 3 and 4) Command Function Mode...

  • Page 435: Qos Map Cos-dscp

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) Default Setting Table 96: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence (0,0) (0,0) (1,0) (1,0) (2,0) (2,0) (3,0) (3,0) (4,0) (4,0) (5,0) (5,0) (6,0) (6,0) (7,0) (7,0) Command Mode Global Configuration...

  • Page 436

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map dscp-mutation This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.

  • Page 437: Qos Map Dscp-mutation

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) ◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.

  • Page 438: Qos Map Phb-queue

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) Example Console(config)#qos map phb-queue 0 from 1 2 3 Console(config)# qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.

  • Page 439: Show Qos Map Cos-dscp

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map cos-dscp This command shows ingress CoS/CFI to internal DSCP map. Syntax show qos map cos-dscp Command Mode Privileged Exec Example Console#show qos map cos-dscp CoS-DSCP Map.

  • Page 440: Show Qos Map Phb-queue

    Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) (6,0) (6,3) (6,0) (6,1) (6,0) (6,3) (7,0) (7,1) (7,0) (7,3) (7,0) (7,1) (7,0) (7,3) Console# show qos map phb-queue This command shows internal per-hop behavior to hardware queue map. Syntax show qos map phb-queue...

  • Page 441: Quality Of Service Commands

    Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.

  • Page 442: Quality Of Service Commands

    Chapter 19 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an access...

  • Page 443: Class-map

    Chapter 19 | Quality of Service Commands ◆ One or more class maps can be assigned to a policy map (page 445). The policy map is then bound by a service policy to an interface (page 456). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the...

  • Page 444

    Chapter 19 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan-id} acl-name - Name of the access control list.

  • Page 445: Match

    Chapter 19 | Quality of Service Commands This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5. Console(config)#class-map rd-class#2 match-any Console(config-cmap)#match ip precedence 5 Console(config-cmap)# This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.

  • Page 446: Policy-map

    Chapter 19 | Quality of Service Commands Command Usage ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆...

  • Page 447: Class

    Chapter 19 | Quality of Service Commands ■ set cos command sets the class of service value in matching packets. (This modifies packet priority in the VLAN tag.) ■ set ip dscp command sets the IP DSCP value in matching packets...

  • Page 448: Police Flow

    Chapter 19 | Quality of Service Commands Default Setting None Command Mode Policy Map Class Configuration Command Usage ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.

  • Page 449

    Chapter 19 | Quality of Service Commands police srtcm-color This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. Syntax [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp}...

  • Page 450: Police Srtcm-color

    Chapter 19 | Quality of Service Commands ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green if it doesn't exceed the CIR and BC, yellow if it does exceed the CIR and BC, but not the BE, and red otherwise.

  • Page 451: Police Trtcm-color

    Chapter 19 | Quality of Service Commands command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the excess burst size.

  • Page 452

    Chapter 19 | Quality of Service Commands new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63) Default Setting None Command Mode Policy Map Class Configuration Command Usage ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆...

  • Page 453

    Chapter 19 | Quality of Service Commands When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode: If the packet has been precolored as red or if Tp(t)-B < 0, the packet is red, ■...

  • Page 454

    Chapter 19 | Quality of Service Commands ◆ The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command. Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,”...

  • Page 455

    Chapter 19 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and...

  • Page 456: Service-policy

    Chapter 19 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure...

  • Page 457: Show Class-map

    Chapter 19 | Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all class maps.

  • Page 458: Show Policy-map

    Chapter 19 | Quality of Service Commands Example Console#show policy-map Policy Map rd-policy Description: class rd-class set phb 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 Console# show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input...

  • Page 459: Multicast Filtering Commands, Igmp Snooping

    Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

  • Page 460: Multicast Filtering Commands

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Table 101: IGMP Snooping Commands (Continued) Command Function Mode ip igmp snooping unregistered-data-flood: Floods unregistered multicast traffic into the attached VLAN; ip igmp snooping unsolicited-report-interval: Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled); ip igmp snooping version...

  • Page 461

    Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it. Syntax [no] ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4093) Default Setting Disabled...

  • Page 462: Ip Igmp Snooping

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.

  • Page 463: Ip Igmp Snooping Router-alert-option-check

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Default Setting Disabled Command Mode Global Configuration Command Usage As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DOS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with the Maximum Response Time set to a large value.

  • Page 464

    Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping tcn-flood This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding. Syntax [no] ip igmp snooping tcn-flood Default Setting Disabled Command Mode...

  • Page 465: Ip Igmp Snooping Tcn-flood

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following example enables TCN flooding. Console(config)#ip igmp snooping tcn-flood Console(config)# ip igmp snooping tcn-query-solicit This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.

  • Page 466: Ip Igmp Snooping Unregistered-data-flood

    Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping unregistered-data-flood This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration...

  • Page 467: Ip Igmp Snooping Unsolicited-report-interval

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Example Console(config)#ip igmp snooping unsolicited-report-interval 5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4093) 1 - IGMP Version 1...

  • Page 468: Ip Igmp Snooping Version

    Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping version-exclusive This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp snooping version command. Use the no form to disable this feature. Syntax ip igmp snooping [vlan vlan-id] version-exclusive no ip igmp snooping version-exclusive...

  • Page 469: Ip Igmp Snooping Vlan Immediate-leave

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.

  • Page 470

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following shows how to enable immediate leave. Console(config)#ip igmp snooping vlan 1 immediate-leave Console(config)# ip igmp snooping vlan last-memb-query- This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members.

  • Page 471

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Default Setting 10 (1 second) Command Mode Global Configuration Command Usage ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific query message, and starts a timer.

  • Page 472: Ip Igmp Snooping Vlan Mrd

    Chapter 20 | Multicast Filtering Commands IGMP Snooping ◆ Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the expiration of a periodic timer, as a part of a router's start up procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message.

  • Page 473: Ip Igmp Snooping Vlan Query-interval

    Chapter 20 | Multicast Filtering Commands IGMP Snooping To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command. Rules Used for Proxy Reporting When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.

  • Page 474: Ip Igmp Snooping Vlan Query-resp-intvl

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined. ◆...

  • Page 475: Ip Igmp Snooping Vlan Static

    Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface vlan-id - VLAN ID (Range: 1-4093) ip-address - IP address for multicast group interface...

  • Page 476: Show Ip Igmp Snooping

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping IGMP snooping : Disabled Router port expire time : 300 s Router alert check : Disabled Tcn flood : Disabled Tcn query solicit : Disabled Unregistered data flood...

  • Page 477: Show Ip Igmp Snooping Group

    Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following shows the multicast entries learned through IGMP snooping for VLAN 1. Console#show ip igmp snooping group vlan 1 Bridge Multicast Forwarding Entry Count:0 VLAN Group Source Port List -------- ---------------- ---------------- --------------------------------- 224.1.1.12 Eth 1/12(S) 224.1.1.12...

  • Page 478: Static Multicast Routing

    Chapter 20 | Multicast Filtering Commands Static Multicast Routing Static Multicast Routing This section describes commands used to configure static multicast routing on the switch. Table 102: Static Multicast Interface Commands Command Function Mode ip igmp snooping vlan mrouter: Adds a multicast router port; show ip igmp snooping Shows multicast router ports...

  • Page 479: Igmp Filtering And Throttling

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Example The following shows how to configure port 11 as a multicast router port within VLAN Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 Console(config)# IGMP Filtering and Throttling In certain switch applications, the administrator may want to control the multicast services that are available to end users.

  • Page 480: Igmp Filtering And Throttling

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage ◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses;...

  • Page 481: Ip Igmp Profile

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling permit, deny This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number. Syntax {permit | deny} Default Setting Deny Command Mode IGMP Profile Configuration Command Usage ◆...

  • Page 482: Ip Igmp Filter

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. Syntax [no] ip igmp filter profile-number...

  • Page 483: Ip Igmp Max-groups

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Default Setting Command Mode Interface Configuration (Ethernet) Command Usage ◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions;...

  • Page 484: Show Ip Igmp Filter, Show Ip Igmp Profile

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ip igmp max-groups action replace Console(config-if)# show ip igmp filter This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port unit - Unit identifier.

  • Page 485: Show Ip Igmp Profile

    Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Privileged Exec Example Console#show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console#show ip igmp profile 19 IGMP Profile 19 Deny Range 239.1.1.1 239.1.1.1 Range 239.2.3.1 239.2.3.100 Console# show ip igmp throttle This command displays the interface settings for IGMP throttling.

  • Page 486: Multicast Vlan Registration

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Multicast VLAN Registration This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.

  • Page 487: Multicast Vlan Registration

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Default Setting MVR is disabled. No MVR group address is defined. MVR VLAN ID is 1. Command Mode Global Configuration Command Usage ◆ Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.

  • Page 488

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.

  • Page 489: Mvr Type

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration ◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN.

  • Page 490: Mvr Vlan Group

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Command Usage ◆ Multicast groups can be statically assigned to a receiver port using this command. ◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.

  • Page 491: Show Mvr, Table 105: Show Mvr - Display Description

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN. Example The following shows the global MVR settings: Console#show mvr MVR Config Status : Enabled MVR Running Status : Active...

  • Page 492: Table 107: Show Mvr Members - Display Description

    Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Table 106: show mvr interface - display description (Continued) Field Description Immediate Leave Shows if immediate leave is enabled or disabled. Static Group Address Shows any static MVR group assigned to an interface, and the receiver VLAN.

  • Page 493: Lldp Commands

    LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.

  • Page 494: Lldp Commands

    Chapter 21 | LLDP Commands Table 108: LLDP Commands (Continued) Command Function Mode lldp basic-tlv system-description: Configures an LLDP-enabled port to advertise the system description; lldp basic-tlv system-name: Configures an LLDP-enabled port to advertise its system name; lldp dot1-tlv proto-ident: Configures an LLDP-enabled port to advertise the supported protocols; Configures an LLDP-enabled port to advertise port...

  • Page 495

    Chapter 21 | LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.

  • Page 496: Lldp

    Chapter 21 | LLDP Commands lldp med-fast-start-count This command specifies the amount of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count seconds - Amount of packets.

  • Page 497: Lldp Notification-interval

    Chapter 21 | LLDP Commands ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.

  • Page 498: Lldp Reinit-delay

    Chapter 21 | LLDP Commands Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.

  • Page 499: Lldp Admin-status

    Chapter 21 | LLDP Commands lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs.

  • Page 500: Lldp Basic-tlv Management-ip-address

    Chapter 21 | LLDP Commands ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.

  • Page 501: Lldp Basic-tlv System-capabilities

    Chapter 21 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-capabilities...

  • Page 502: Lldp Basic-tlv System-name

    Chapter 21 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.

  • Page 503: Lldp Dot1-tlv Proto-vid

    Chapter 21 | LLDP Commands Command Usage This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 413). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-vid Console(config-if)# lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.

  • Page 504: Lldp Dot1-tlv Vlan-name

    Chapter 21 | LLDP Commands Command Usage This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 403 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 415. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv vlan-name Console(config-if)# lldp dot3-tlv link-agg...

  • Page 505: Lldp Dot3-tlv Max-frame

    Chapter 21 | LLDP Commands Command Usage Refer to “Frame Size” on page 89 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.

  • Page 506

    Chapter 21 | LLDP Commands lldp med-location civic-addr This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. Syntax lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code –...

  • Page 507: Lldp Med-location Civic-addr

    Chapter 21 | LLDP Commands Table 109: LLDP MED Location CA Types (Continued) CA Type Description CA Value Example Group of streets below the neighborhood level Exchange Street suffix or type Avenue House number House number suffix Landmark or vanity address Tech Center Unit (apartment, suite) Apt 519...

  • Page 508: Lldp Med-notification

    Chapter 21 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.

  • Page 509: Lldp Med-tlv Ext-poe

    Chapter 21 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp med-tlv ext-poe Console(config-if)# lldp med-tlv inventory This command configures an LLDP-MED-enabled port to advertise its inventory identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv inventory Default Setting Enabled Command Mode...

  • Page 510: Lldp Med-tlv Location

    Chapter 21 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv location Console(config-if)# lldp med-tlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature. Syntax [no] lldp med-tlv med-cap Default Setting Enabled Command Mode...

  • Page 511: Lldp Med-tlv Network-policy

    Chapter 21 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv network-policy Console(config-if)# lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes. Use the no form to disable LLDP notifications. Syntax [no] lldp notification Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel)

  • Page 512: Lldp Notification

    Chapter 21 | LLDP Commands show lldp config This command shows LLDP configuration settings for all ports. Syntax show lldp config [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-12) Command Mode Privileged Exec...

  • Page 513

    LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : EX-3524 Managed POE/POE+ Switch System Capabilities Support : Bridge System Capabilities Enabled : Bridge Management Address : 192.168.0.101 (IPv4)...

  • Page 514: Show Lldp Info Local-device

    Chapter 21 | LLDP Commands LLDP Port Information Port PortID Type PortID Port Description -------- ---------------- ----------------- -------------------------------- Eth 1/1 MAC Address 00-1A-7E-AC-2B-13 Ethernet Port on unit 1, port 1 Eth 1/2 MAC Address 00-1A-7E-AC-2B-14 Ethernet Port on unit 1, port 2 Eth 1/3 MAC Address 00-1A-7E-AC-2B-15 Ethernet Port on unit 1, port 3...

  • Page 515: Show Lldp Info Remote-device

    Port ID Type : MAC Address Port ID : 70-72-CF-95-DC-48 System Name System Description : EX-3524 Managed POE/POE+ Switch Port Description : Ethernet Port on unit 1, port 2 System Capabilities Supported : Bridge System Capabilities Enabled : Bridge Remote Management Address: 192.168.0.2 (IPv4)

  • Page 516: Show Lldp Info Statistics

    Chapter 21 | LLDP Commands show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.

  • Page 517

    CDP Commands Cisco Discovery Protocol (CDP) is a proprietary protocol that discovers information about neighboring devices by passing messages across the Data Link Layer. It is used to share information about nearby network equipment. Participating devices send CDP announcements from each connected network interface to the multicast address 01-00-0C-CC-CC-CC.

  • Page 518: Cdp Commands

    Chapter 22 | CDP Commands cdp (Global Configuration) This command enables CDP globally on the switch. Use the no form to disable CDP. Syntax [no] cdp Default Setting Disabled Command Mode Global Configuration Example Console(config)#cdp Console(config)# cdp hold-time This command specifies the amount of time the receiving device should hold a CDP packet sent from this switch.

  • Page 519: Cdp Transmit-interval

    Chapter 22 | CDP Commands cdp transmit-interval This command specifies the periodic transmission interval for CDP advertisements. Use the no form to restore the default setting. Syntax cdp transmit-interval seconds no cdp transmit-interval seconds - The interval at which the switch sends CDP updates. (Range: 5-254 seconds) Default Setting 60 seconds...

  • Page 520: Cdp (interface Configuration)

    Chapter 22 | CDP Commands cdp (Interface Configuration) This command enables CDP on the selected interface. Use the no form to disable CDP on the selected interface. Syntax [no] cdp Default Setting Disabled Command Mode Interface Configuration Example Console(config)#interface ethernet 1/1 Console(config-if)#cdp Console(config-if)# clear cdp table...

  • Page 521: Show Cdp

    Chapter 22 | CDP Commands show cdp interface This command shows whether or not CDP is enabled on an interface. Syntax show cdp interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example...

  • Page 522: Show Cdp Neighbors, Table 111: Show Cdp Neighbors - Display Description

    Chapter 22 | CDP Commands Example Console#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater Interface Version Device ID Hold Remain Capability Platform Port ID Time Time...

  • Page 523: Domain Name Service

    Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.

  • Page 524: Domain Name Service Commands

    Chapter 23 | Domain Name Service Commands Command Mode Global Configuration Command Usage ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.

  • Page 525: Ip Domain-lookup

    Chapter 23 | Domain Name Service Commands Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS Enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands...

  • Page 526

    Chapter 23 | Domain Name Service Commands Related Commands ip domain-list (523) ip name-server (526) ip domain-lookup (524) ip host This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry. Syntax [no] ip host name address name - Name of an IPv4 host.

  • Page 527: Ip Name-server

    Chapter 23 | Domain Name Service Commands Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response. Example This example adds two domain-name servers to the list and then displays the list.

  • Page 528: Clear Host

    Chapter 23 | Domain Name Service Commands Command Mode Global Configuration Example This example maps an IPv6 address to a host name. Console(config)#ipv6 host rd6 2001:0db8:1::12 Console(config)#end Console#show hosts Flag Type IP Address Domain ---- ---- ------- -------------------- ----- ------------------------------- 2 Address 192.168.1.55 2 Address 2001:DB8:1::12 Console#...

  • Page 529: Show Dns Cache, Table 113: Show Dns Cache - Display Description

    Chapter 23 | Domain Name Service Commands Example This example clears all dynamic entries from the DNS table. Console(config)#clear host * Console(config)# show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name:...

  • Page 530: Show Dns, Table 114: Show Hosts - Display Description

    Chapter 23 | Domain Name Service Commands Table 113: show dns cache - display description (Continued) Field Description IP Address The IP address associated with this record. The time to live reported by the name server. Domain The host name associated with this record. show hosts This command displays the static host name-to-address mapping table.

  • Page 531: Dhcp Commands, Dhcp Client

    DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions. Table 115: DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IP address information DHCP Client Use the commands in this section to allow the switch’s VLAN interfaces to dynamically acquire IP address information.

  • Page 532: Dhcp Commands

    - A text string. (Range: 1-32 characters) hex - A hexadecimal value. (Range: 1-64 characters) Default Setting Class identifier option enabled, with the name Motorola Solutions Inc. Command Mode Interface Configuration (VLAN) Command Usage ◆...

  • Page 533: Dhcp For Ipv4

    Chapter 24 | DHCP Commands DHCP for IPv4 Command Mode Privileged Exec Command Usage ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.

  • Page 534

    Chapter 24 | DHCP Commands DHCP for IPv6 DHCP for IPv6 ipv6 dhcp client rapid-commit vlan This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.

  • Page 535: Dhcp For Ipv6

    Chapter 24 | DHCP Commands DHCP for IPv6 Command Mode Privileged Exec Command Usage ◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.

  • Page 536: Show Ipv6 Dhcp Duid, Show Ipv6 Dhcp Vlan

    Chapter 24 | DHCP Commands DHCP for IPv6 Related Commands ipv6 address (550) show ipv6 dhcp duid This command shows the DHCP Unique Identifier for this switch. Command Mode Privileged Exec Command Usage ◆ DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.

  • Page 537: Ip Interface Commands, Ipv4 Interface

    IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.

  • Page 538: Ip Interface Commands

    Chapter 25 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch. Table 119: Basic IP Configuration Commands Command Function Mode ip address Sets the IP address for the current interface ip default-gateway Defines the default gateway through which this router can reach other subnetworks...

  • Page 539: Ip Address

    Chapter 25 | IP Interface Commands IPv4 Interface attached and the router’s host number on that network. In other words, a router interface address defines the network and subnetwork numbers of the segment that is connected to that interface, and allows you to send IP packets to or from the router.

  • Page 540: Ip Default-gateway

    Chapter 25 | IP Interface Commands IPv4 Interface Related Commands ip dhcp restart client (532) ip default-gateway (540) ipv6 address (550) ip default-gateway This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway...

  • Page 541: Related Commands, Show Ip Interface

    Chapter 25 | IP Interface Commands IPv4 Interface Related Commands ip address (538) ip route (574) ipv6 default-gateway (549) show ip interface This command displays the settings of an IPv4 interface. Command Mode Privileged Exec Example Console#show ip interface Vlan 1 is Administrative Up - Link Up Address is 00-E0-0C-00-00-FD Index: 1001, MTU: 1500, Bandwidth: 1g Address Mode is DHCP...

  • Page 542

    Chapter 25 | IP Interface Commands IPv4 Interface ICMP Statistics: ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages ICMP sent...

  • Page 543: Traceroute

    Chapter 25 | IP Interface Commands IPv4 Interface ◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded. ◆ The traceroute command first sends probe datagrams with the TTL value set at one.

  • Page 544: Ping

    Chapter 25 | IP Interface Commands IPv4 Interface Default Setting count: 5 size: 32 bytes Command Mode Normal Exec, Privileged Exec Command Usage ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: Normal response - The normal response occurs in one to ten seconds, ■...

  • Page 545: Arp Configuration

    Chapter 25 | IP Interface Commands IPv4 Interface ARP Configuration This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch. Table 120: Address Resolution Protocol Commands Command Function Mode Adds a static entry in the ARP cache ip proxy-arp Enables proxy ARP service clear arp-cache...

  • Page 546: Ip Proxy-arp

    Chapter 25 | IP Interface Commands IPv4 Interface Example Console(config)#arp 10.1.0.19 01-02-03-04-05-06 Console(config)# Related Commands clear arp-cache (547) show arp (547) ip proxy-arp This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP. Syntax [no] ip proxy-arp Default Setting Disabled...

  • Page 547

    Chapter 25 | IP Interface Commands IPv4 Interface clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache.

  • Page 548: Ipv6 Interface, Table 121: Ipv6 Configuration Commands

    Chapter 25 | IP Interface Commands IPv6 Interface IPv6 Interface This switch supports the following IPv6 interface commands. Table 121: IPv6 Configuration Commands Command Function Mode Interface Address Configuration and Utilities ipv6 default-gateway Sets an IPv6 default gateway for traffic with no known next ipv6 address Configures an IPv6 global unicast address, and enables IPv6 on an interface...

  • Page 549: Ipv6 Interface

    Chapter 25 | IP Interface Commands IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway. Syntax ipv6 default-gateway ipv6-address no ipv6 address...

  • Page 550

    Chapter 25 | IP Interface Commands IPv6 Interface ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.

  • Page 551: Ipv6 Address

    Chapter 25 | IP Interface Commands IPv6 Interface Global Unicast Address(es): 2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96 Joined Group Address(es): FF02::1:FF00:72 FF02::1:FF34:E63C FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console# Related Commands...

  • Page 552: Ipv6 Address Autoconfig

    Chapter 25 | IP Interface Commands IPv6 Interface Example This example assigns a dynamic global unicast address to the switch. Console(config)#interface vlan 1 Console(config-if)#ipv6 address autoconfig Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is stale, AUTOCONFIG is enabled Link-Local Address: FE80::2E0:CFF:FE00:FD/64 Global Unicast Address(es):...

  • Page 553

    Chapter 25 | IP Interface Commands IPv6 Interface Command Usage ◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

  • Page 554: Ipv6 Address Link-local

    Chapter 25 | IP Interface Commands IPv6 Interface Joined Group Address(es): FF02::1:FF00:72 FF02::1:FF34:E63C FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console# Related Commands ipv6 address autoconfig (551)

  • Page 555

    Chapter 25 | IP Interface Commands IPv6 Interface Example This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269. Console(config)#interface vlan 1 Console(config-if)#ipv6 address FE80::269:3EF9:FE19:6779 link-local Console(config-if)#end...

  • Page 556: Ipv6 Enable

    Chapter 25 | IP Interface Commands IPv6 Interface ◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console. ◆ The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.

  • Page 557: Ipv6 Mtu

    Chapter 25 | IP Interface Commands IPv6 Interface Command Usage ◆ The maximum value set by this command cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes. ◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.

  • Page 558: Table 122: Show Ipv6 Interface - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface show ipv6 interface This command displays the usability and configured settings for IPv6 interfaces. Syntax show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]] brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.

  • Page 559: Show Ipv6 Interface

    Chapter 25 | IP Interface Commands IPv6 Interface Table 122: show ipv6 interface - display description (Continued) Field Description Link-local Shows the link-local address assigned to this interface address Global unicast Shows the global unicast address(es) assigned to this interface address(es) Joined group In addition to the unicast addresses assigned to an interface, a host is also...

  • Page 560: Show Ipv6 Mtu, Table 123: Show Ipv6 Mtu - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface Example The following example shows the MTU cache for this device: Console#show ipv6 mtu Since Destination Address 1400 00:04:21 5000:1::3 1280 00:04:50 FE80::203:A0FF:FED6:141D Console# Table 123: show ipv6 mtu - display description Field Description Adjusted MTU contained in the ICMP packet-too-big message returned from this...

  • Page 561: Show Ipv6 Traffic, Table 124: Show Ipv6 Traffic - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface ICMPv6 Statistics: ICMPv6 received 0 input 0 errors 0 destination unreachable messages 0 packet too big messages 0 time exceeded messages 0 parameter problem message 0 echo request messages 0 echo reply messages 0 redirect messages 0 group membership query messages 0 group membership response messages...

  • Page 562

    Chapter 25 | IP Interface Commands IPv6 Interface Table 124: show ipv6 traffic - display description (Continued) Field Description address errors The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.

  • Page 563

    Chapter 25 | IP Interface Commands IPv6 Interface Table 124: show ipv6 traffic - display description (Continued) Field Description generated fragments The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. fragment succeeded The number of IPv6 datagrams that have been successfully fragmented at this output interface.

  • Page 564: Clear Ipv6 Traffic

    Chapter 25 | IP Interface Commands IPv6 Interface Table 124: show ipv6 traffic - display description (Continued) Field Description destination unreachable The number of ICMP Destination Unreachable messages sent by the messages interface. packet too big messages The number of ICMP Packet Too Big messages sent by the interface. time exceeded messages The number of ICMP Time Exceeded messages sent by the interface.

  • Page 565

    Chapter 25 | IP Interface Commands IPv6 Interface ping6 This command sends (IPv6) ICMP echo request packets to another node on the network. Syntax ping6 {ipv6-address | host-name} [count count] [size size] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,”...

  • Page 566: Ipv6 Nd Dad Attempts

    Chapter 25 | IP Interface Commands IPv6 Interface response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 3 response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4 response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5 Ping statistics for FE80::2E0:CFF:FE00:FC%1/64: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times: Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms Console#...

  • Page 567: Ipv6 Nd Dad Attempts

    Chapter 25 | IP Interface Commands IPv6 Interface Default Setting Command Mode Interface Configuration (VLAN) Command Usage ◆ Configuring a value of 0 disables duplicate address detection. ◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface. ◆...

  • Page 568: Ipv6 Nd Ns-interval

    Chapter 25 | IP Interface Commands IPv6 Interface FF02::1:FF00:79/104 FF02::1:FF90:0/104 MTU is 1500 bytes. ND DAD is enabled, number of DAD attempts: 5. ND retransmit interval is 1000 milliseconds Console# Related Commands ipv6 nd ns-interval (568) show ipv6 neighbors (570) ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface.

  • Page 569: Ipv6 Nd Reachable-time

    Chapter 25 | IP Interface Commands IPv6 Interface IPv6 is enabled. Link-local address: FE80::200:E8FF:FE90:0/64 Global unicast address(es): 2009:DB9:2229::79, subnet is 2009:DB9:2229:0::/64 Joined group address(es): FF01::1/16 FF02::1/16 FF02::1:FF00:79/104 FF02::1:FF90:0/104 MTU is 1500 bytes. ND DAD is enabled, number of DAD attempts: 5. ND retransmit interval is 30000 milliseconds ND router advertisements are sent every 30 seconds Console#...

  • Page 570: Clear Ipv6 Neighbors

    Chapter 25 | IP Interface Commands IPv6 Interface Example The following sets the reachable time for a remote node to 1000 milliseconds: Console(config)#interface vlan 1 Console(config)#ipv6 nd reachable-time 1000 Console(config)# clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example...

  • Page 571: Show Ipv6 Neighbors, Table 125: Show Ipv6 Neighbors - Display Description

    Chapter 25 | IP Interface Commands IPv6 Interface Table 125: show ipv6 neighbors - display description Field Description IPv6 Address IPv6 address of neighbor The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.” Link-layer Addr Physical layer MAC address.

  • Page 572

    Chapter 25 | IP Interface Commands IPv6 Interface

  • Page 573: Ip Routing Commands, Global Routing Configuration

    IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks. However, to forward traffic to devices on other subnetworks, either configure fixed paths with static routing commands, or enable a dynamic routing protocol that exchanges information with other routers on the network to automatically...

  • Page 574: Ip Routing Commands

    Chapter 26 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip –...

  • Page 575: Ip Route

    Chapter 26 | IP Routing Commands Global Routing Configuration show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database –...

  • Page 576: Show Ip Route

    Chapter 26 | IP Routing Commands Global Routing Configuration show ip route database This command displays entries in the Routing Information Base (RIB). Command Mode Privileged Exec Command Usage The RIB contains all available routes learned through dynamic routing protocols, directly attached networks, and any additionally configured routes such as static routes.

  • Page 577

    Section I Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 579 ◆ “License Information” on page 581 ◆ “Customer Support” on page 593

  • Page 578: Appendices

    Section I | Appendices

  • Page 579: Troubleshooting, Problems Accessing The Management Interface, Table 205: Troubleshooting Chart

    Troubleshooting Problems Accessing the Management Interface Table 205: Troubleshooting Chart Symptom Action ◆ Cannot connect using Be sure the switch is powered up. Telnet, web browser, or ◆ Check network cabling between the management station and the SNMP software switch. ◆...

  • Page 580: Using System Logs

    Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.

  • Page 581: License Information, The Gnu General Public License

    License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.

  • Page 582: B License Information

    Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...

  • Page 583

    Appendix B | License Information The GNU General Public License Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...

  • Page 584

    Appendix B | License Information GNU Lesser General Public License, version 3.0 If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.

  • Page 585: Gnu Lesser General Public License, Version 3.0

    Appendix B | License Information GNU Lesser General Public License, version 3.0 Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library"...

  • Page 586: The Bsd License

    Appendix B | License Information The BSD License Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.

  • Page 587: Open Source Software Used, Isc License

    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Open Source Software Used Motorola's Support Central Web site, located at http://supportcentral.motorolasolutions.com/ provides information and online assistance including developer tools, software downloads, product manuals, support contact information and online repair requests.

  • Page 588: Isc License

    Appendix B | License Information ISC License WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. SNMP License (netsnmp5.1) Various copyrights apply to this package, listed in various separate parts below.

  • Page 589

    Appendix B | License Information ISC License ---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ----- Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and...

  • Page 590

    Appendix B | License Information ISC License ---- Part 5: Sparta, Inc copyright notice (BSD) ----- Copyright (c) 2003-2009, Sparta, Inc All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Page 591

    Appendix B | License Information ISC License ---- Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD) ----- Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003 oss@fabasoft.com Author: Bernhard Penz Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and...

  • Page 592

    Appendix B | License Information ISC License ---- Part 9: ScienceLogic, LLC copyright notice (BSD) ----- Copyright (c) 2009, ScienceLogic, LLC All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Page 593: Customer Support

    ◆ Software type and version number Motorola Solutions responds to calls by e-mail, telephone or fax within the time limits set forth in support agreements. If you purchased your product from a Motorola Solutions business partner, contact that business partner for support.

  • Page 594: C Customer Support

    Appendix C | Customer Support Manuals – 594 –...

  • Page 595: Configuration Options

    Glossary Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.

  • Page 596: Glossary

    Glossary DiffServ Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.

  • Page 597

    Glossary GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. GVRP GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.

  • Page 598

    Glossary IGMP Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.

  • Page 599

    Glossary MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.

  • Page 600

    Glossary Port Authentication See IEEE 802.1X. Port Mirroring A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.

  • Page 601

    Glossary SNTP Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers. Secure Shell is a secure replacement for remote access functions, including Telnet.

  • Page 602

    Glossary XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected. – 602 –...

  • Page 603: Auto-traffic-control Auto-control-release

    Index of CLI Commands clear ipv6 neighbors clear ipv6 traffic aaa accounting dot1x clear log aaa accounting exec clear mac-address-table dynamic aaa accounting update clear network-access aaa authorization exec clock summer-time aaa group server clock timezone absolute clock timezone-predefined access-list arp cluster access-list ip cluster commander...

  • Page 604: Ip Http Server

    Index of CLI Commands enable password ip igmp snooping router-port-expire-time ip igmp snooping tcn-flood exec-timeout 102 ip igmp snooping tcn-query-solicit exit ip igmp snooping unregistered-data-flood ip igmp snooping unsolicited-report-interval 466 ip igmp snooping version ip igmp snooping version-exclusive 468 ip igmp snooping vlan general-query-suppression flow tcp-udp-port-zero flowcontrol ip igmp snooping vlan immediate-leave...

  • Page 605: Network-access Link-detection Link-down

    Index of CLI Commands lacp port-priority mvr type lacp system-priority mvr vlan group line lldp lldp admin-status lldp basic-tlv management-ip-address name lldp basic-tlv port-description negotiation 299 lldp basic-tlv system-capabilities network-access aging lldp basic-tlv system-description 501 network-access dynamic-qos lldp basic-tlv system-name network-access dynamic-vlan lldp dot1-tlv proto-ident 502 network-access guest-vlan 227...

  • Page 606: Show Ip Telnet

    Index of CLI Commands qos map dscp-mutation 436 show flow 265 qos map phb-queue show garp timer qos map trust-mode 438 show gvrp configuration 399 queue mode show history queue weight show hosts quit show interfaces brief show interfaces counters show interfaces protocol-vlan protocol-group show interfaces status show interfaces switchport 305...

  • Page 607

    Index of CLI Commands show mac-vlan snmp-server community 139 show management 216 snmp-server contact show memory snmp-server enable port-traps atc broadcast-alarm- show mvr clear show network-access snmp-server enable port-traps atc broadcast-alarm- show network-access mac-address-table 234 fire 356 show network-access mac-filter snmp-server enable port-traps atc broadcast-control- show nlm oper-status apply...

  • Page 608: Web-auth Re-authenticate (port)

    Index of CLI Commands switchport acceptable-frame-types switchport allowed vlan 403 upgrade opcode auto switchport dot1q-tunnel mode 412 upgrade opcode path 98 switchport forbidden vlan username switchport gvrp switchport ingress-filtering switchport mode 405 switchport native vlan vlan 400 switchport packet-rate vlan database switchport priority default vlan-trunking 407 switchport voice vlan...

  • Page 609

    Index Numerics aging time, displaying 364 aging time, setting 361 802.1Q tunnel 409 administrative users, displaying 87 access 412 configuration, guidelines 409 ACL 257 configuration, limitations 410 configuration 545 ethernet type 411 proxy 546 mode selection 412 ARP inspection 255 status, configuring 410 ACL filter 257 TPID 411...

  • Page 610: Index

    Index broadcast storm, threshold 345 DHCP snooping 242 enabling 242 global configuration 242 information option 244 cable diagnostics 308 information option policy 245 CDP 517 information option, enabling 244 enabling for interfaces 520 policy selection 245 enabling globally 518 specifying trusted interfaces 247 hold time 518 verifying MAC addresses 246 message attributes 517...

  • Page 611

    Index DoS protection 264 downloading software 92 hardware version, displaying 88 automatically 97 HTTP, web server 185 using FTP or TFTP 92 HTTPS 186 drop precedence configuring 186 CoS priority mapping 434 replacing SSL certificate 92 DSCP ingress map 436 secure-site certificate 92 DSA encryption 196 UDP port, configuring 186...

  • Page 612

    Index static host interface 475 static multicast routing 478 static port assignment 475 private 190 static router interface 478 public 190 static router port, configuring 478 user public, importing 92 TCN flood 464 key pair unregistered data flooding 466 host 190 version exclusive 468 host, generating 196 version for interface, setting 467...

  • Page 613

    Index logging multicast static router port 478 messages, displaying 114 configuring 478 syslog traps 113 multicast storm, threshold 345 to syslog servers 112 multicast, filtering and throttling 479 logon authentication 165 encryption keys 172 assigning static multicast groups 489 RADIUS client 170 configuring 486 RADIUS server 170 interface status, configuring 487...

  • Page 614

    Index ports srTCM police meter 449 autonegotiation 299 trTCM 451 broadcast storm threshold 345 trTCM police meter 451 capabilities 295 QoS policy, committed information rate 447 configuring 293 QoS policy, peak information rate 451 duplex mode 300 queue mode, setting 430 flow control 297 queue weight, assigning to CoS 431 Gigabit PHY Mode 298...

  • Page 615

    Index filtering IP addresses 215 displaying 85 global settings, configuring 138 setting 91 trap manager 142 static addresses, setting 362 – SNMPv3 145 static routes, configuring 574 engine ID 145 statistics engine identifier, local 145 ARP 541 engine identifier, remote 145 ICMP 541 groups 146 IP 541...

  • Page 616

    Index LACP 313 MAC-based 419 static 314 mirroring 333 trunks port members, displaying 408 mirroring 333 protocol 413 mirroring local traffic 333 protocol, configuring 413 tunneling unknown VLANs, VLAN trunking 407 protocol, configuring groups 414 protocol, configuring interfaces 415 protocol, group configuration 414 protocol, interface configuration 415 unicast routing 573 PVID 406...

  • Page 617

    Schaumburg, IL 60196-1078, U.S.A. http://www.motorolasolutions.com MOTOROLA, MOTO, MOTOROLA SOLUTIONS and the Stylized M Logo are trademarks or registered trademarks of Motorola Trademark Holdings, LLC and are used under license. All other trademarks are the property of their respective owners. © 2014 Motorola Solutions, Inc. All Rights Reserved.

This manual also for:

EX-3548
