AX2200S / AX1250S / AX1240S Software Manual Configuration Command Reference For Version 2.
Relevant products
This manual applies to the AX2200S, AX1250S, and AX1240S models of switches, and describes the functionality in software version 2.4 of the AX2200S, AX1250S, and AX1240S series switches that is supported by the OS-LT4, OS-LT3, and OS-LT2 software and optional licenses.

Location and title / Changes

Ring Protocol
The following commands were added.
  multi-fault-detection mode
  multi-fault-detection vlan

Access Lists
The explanations of the following commands were changed.
  deny (ip access-list extended)
  ip access-group
  mac access-group
  permit (ip access-list extended)

QoS
The explanations of the following commands were changed.
MAC-based Authentication
The following command was added.
  aaa authentication mac-authentication end-by-reject

In addition to the above changes, minor editorial corrections were made.

Ver. 2.2 (Edition 4)
Table Summary of amendments
Location and title / Changes

Addition of series
A description of AX1250S was added.

Reading the Manual
A description of AX1250S was added.

Device Management
The explanation of the following command was changed.
Device Management
The following command was added.
  system recovery

Power Saving Functionality
The timing when the settings of the following command are applied was changed.
  system fan-control

Ethernet
The following command was added.
  linkscan-mode

VLAN
The explanation about the parameters of the following command was changed.
  switchport mode

Ring Protocol
This chapter was added.

IEEE802.1X
The following commands were added.

MAC-based Authentication
The following commands were added.
  aaa accounting mac-authentication
  mac-authentication authentication
The parameter was added to the following command.
  mac-authentication radius-server host
Notes on the following commands were changed.
  mac-authentication interface
  mac-authentication force-authorized vlan
  mac-authentication vlan
  mac-authentication static-vlan force-authorized
The following command name was changed.

Login Security and RADIUS
The explanations of the following commands were changed.
  radius-server dead-interval
  radius-server host
  radius-server key
  radius-server retransmit
  radius-server timeout

Time Settings and NTP
Notes on the following commands were changed.
  clock timezone

Power Saving Functionality
The following commands were added.

IEEE802.1X
The following commands were added.
  dot1x auto-logout
  dot1x radius-server dead-interval
  dot1x radius-server host
The parameter was added to the following command.
  dot1x supplicant-detection
Notes on the following commands were changed.
  dot1x force-authorized
  dot1x force-authorized eapol
  dot1x force-authorized vlan
  dot1x port-control
  dot1x vlan dynamic enable
  dot1x vlan dynamic radius-vlan

Web Authentication
The following commands were added.

Error messages displayed when editing the configuration
The following information was added.
  Information about the power saving functionality
  Multistep authentication information
  Storm control information
The error messages for the following information were changed.
  Link aggregation information
  MAC address table information
  VLAN information
  IGMP snooping information
  MLD snooping information
  Layer 2 authentication common information
  IEEE 802.

Preface
Applicable products and software versions
This manual applies to the AX2200S, AX1250S, and AX1240S models of switches, and describes the functionality in software version 2.4 of the AX2200S, AX1250S, and AX1240S series switches that is supported by the OS-LT4, OS-LT3, OS-LT3-A, OS-LT2, and OS-LT2-A software and optional licenses. Before you operate the equipment, carefully read the manual and make sure that you understand all instructions and cautionary notes.
Abbreviations used in the manual

AC      Alternating Current
ACK     ACKnowledge
ADSL    Asymmetric Digital Subscriber Line
ALG     Application Level Gateway
ANSI    American National Standards Institute
ARP     Address Resolution Protocol
AS      Autonomous System
AUX     Auxiliary
BGP     Border Gateway Protocol
BGP4    Border Gateway Protocol - version 4
BGP4+   Multiprotocol Extensions for Border Gateway Protocol - version 4
bit/s   bits per second (can also appear as bps)
BPDU    Bridge Protocol Data Unit
BRI     Basic Rate Interface
CC

CDP     Cisco Discovery Protocol
CFM     Connectivity Fault Management
CIDR    Classless Inter-Domain Routing
CIR     Committed Information Rate
CIST    Common and Internal Spanning Tree
CLNP    ConnectionLess Network Protocol
CLNS    ConnectionLess Network System
CONS    Co
CRC CSMA/CD CSNP CST DA DC DCE DHCP DIS DNS DR DSAP DSCP DTE DVMRP E-Mail EAP EAPOL EFM ES FAN FCS FDB FQDN FTTH GBIC GSRP HMAC IANA ICMP ICMPv6 ID IEC IEEE IETF IGMP IP IPCP IPv4 IPv6 IPV6CP IPX ISO ISP IST L2LD LAN LCP LED LLC LLDP LLQ+3WFQ LSP LSP LSR

MA      Maintenance Association
MAC     Media Access Control
MC      Memory Card
MD5     Message Digest 5
MDI     Medium Dependent Interface
MDI-X   Medium Dependent Interface crossover
MEP     Maintenance association End Point
MIB     Management Information Base
MIP     Maintenance domain
MRU MSTI MSTP MTU NAK NAS NAT NCP NDP NET NLA ID NPDU NSAP NSSA NTP OADP OAM OSPF OUI packet/s PAD PAE PC PCI PDU PICS PID PIM PIM-DM PIM-SM PIM-SSM PoE PRI PS PSNP QoS RA RADIUS RDI REJ RFC RIP RIPng RMON RPF RQ RSTP SA SD SDH SDU SEL SFD SFP

SMTP    Simple Mail Transfer Protocol
SNAP    Sub-Network Access Protocol
SNMP    Simple Network Management Protocol
SNP     Sequence Numbers PDU
SNPA    Subnetwork Point of Attachment
SPF     Shortest Path First
SSAP    Source Service Access Point
STP     Spanning Tree Protocol
TA      Terminal Adapter
TACACS+ Terminal Access Controller Access Control System Plus
TCP/IP  Transmission Control Protocol/Internet Protocol
TLA ID  Top-Level Aggregation
TLV TOS TPID TTL UDLD UDP ULR UPC UPC-RED VAA VLAN VRRP WAN WDM WFQ WRED WS WWW XFP
Contents

Preface
Part 1: Reading the Manual
1. Reading the Manual
Command description format

schedule-power-control system-sleep [AX1250S] [AX1240S]
schedule-power-control time-range
system fan-control [AX1240S]
system port-led

switchport trunk
vlan
vlan-protocol
12. Spanning Tree Protocols

mode
multi-fault-detection mode
multi-fault-detection vlan
name

permit (ip access-list extended)
permit (ip access-list standard)
permit (mac access-list extended)
remark

dot1x vlan dynamic radius-vlan
dot1x vlan dynamic reauthentication
dot1x vlan dynamic supplicant-detection
dot1x vlan dynamic timeout quiet-period

aaa authentication mac-authentication end-by-reject
mac-authentication access-group
mac-authentication authentication
mac-authentication auto-logout

ethernet cfm cc alarm-priority
ethernet cfm cc alarm-reset-time
ethernet cfm cc alarm-start-time
ethernet cfm cc enable

36.1.11 Ring Protocol information
36.1.12 DHCP snooping information
36.1.13 IGMP snooping information
36.1.14 MLD snooping information
36.1.
Part 1: Reading the Manual 1.
1 Reading the Manual

Command description format
Each command is described in the following format.
Function
Describes the purpose of the command.
Syntax
Defines the input format of the command. The format is governed by the following rules:
1. Parameters for setting values or character strings are enclosed in angle brackets (<>).
2. Characters that are not enclosed in angle brackets (<>) are keywords that must be typed exactly as they appear.
3. {A|B} indicates that either A or B must be selected.

Command mode list
The following table lists the command modes.
Table 1-1 Command mode list
# | Command mode name | Description | Command for mode transition
1 | (config) | Global configuration mode. | > enable # configure
2 | (config-line) | Configures remote login. | (config)# line vty
3 | (config-group) | Configures a RADIUS server group. | (config)# aaa group server radius
4 | (config-if) | Configures an interface. | (config)# interface
5 | (config-if-range) | Configures multiple interfaces.
Specifiable values for parameters
The following table describes the values that can be specified for parameters. If there are no limitations on parameter names, see Any character string.
Table 1-2 Specifiable values for parameters
Parameter type | Description | Input example
Any character string See List of character codes. name Access list name QoS flow list name See List of character codes. The first character must be an alphabetical character.

Parameter type | Description | Input example
Specification of multiple interfaces | Set the information about multiple interfaces. You can specify fastethernet, gigabitethernet, vlan, and port-channel interfaces. However, you cannot specify both fastethernet and gigabitethernet.

Table 1-4 Range of values for AX1250S series switches
# | Model | Ethernet type | Range of values
1 | AX1250S-24T2C | fastethernet | 0/1 to 0/24
  |  | gigabitethernet | 0/25 to 0/26

Table 1-5 Range of values for AX1240S series switches
# | Model | Ethernet type | Range of values
1 | AX1240S-24T2C/AX1240S-24P2C | fastethernet | 0/1 to 0/24
  |  | gigabitethernet | 0/25 to 0/26
2 | AX1240S-48T2C | fastethernet | 0/1 to 0/48
  |  | gigabitethernet | 0/49 to 0/50

How to specify and the range of va

Table 1-7 Range of values
# | Model | Range of values
1 | All models | 1 to 8

How to specify and the range of values that can be set
If is written in parameter input format, use hyphens (-) or commas (,) to specify multiple channel group numbers. You can also specify one channel group number, as when is written. The range of specifiable values is the same as the range of values above.

List of character codes
Character codes are listed in the following table. Characters other than alphanumeric characters in the following list of character codes are special characters.
Part 2: Operation and Management of Switches 2.
ftp-server
Permits access from remote operation terminals by using FTP. To set the IPv4 address of a remote operation terminal to permit or deny logging in to a Switch, set a common access list that is shared by Telnet access in config-line mode.
Syntax
To set information: ftp-server
To delete information: no ftp-server
Input mode
(config)
Parameters
None
Default behavior
Does not allow remote FTP access.

line vty
Permits Telnet remote access to a switch. This command is also used to limit the number of remote users that can be simultaneously logged in to the switch. Once this command is configured, remote access using the Telnet protocol is accepted from any remote operation terminal. To limit access, set ip access-group and transport input.

transport input
Restricts access from remote operation terminals based on protocol.
Syntax
To set or change information: transport input {telnet | all | none}
To delete information: no transport input
Input mode
(config-line)
Parameters
{telnet | all | none}
  telnet: Accepts remote access that uses the Telnet protocol.
  all: Accepts remote access using any protocol (currently only Telnet is supported).
  none: Does not accept remote access using any protocol.
1.
3.
end
Ends configuration command mode and returns you to administrator mode.
Syntax
end
Parameters
None
Response messages
The following table describes the response messages for the end command.

exit
Returns to the previous mode. If you are editing data in config mode, configuration command mode ends and administrator mode resumes. If you are editing data in subcommand mode, you are returned to the next higher level.
Syntax
exit
Parameters
None
Response messages
The following table describes the response messages for the exit command.

save (write)
Saves the edited configuration to the startup configuration file.
Syntax
save
write
Parameters
None
Response messages
None
Notes
1. Saving the configuration file does not end configuration command mode. To finish editing and exit configuration command mode, use the exit command or end command.

show
Displays the configuration being edited.
Syntax
show [ [ ] ]
Parameters
Specifies a configuration command. Use this parameter to limit the number of items to be displayed.
Notes
1. If there are many items in the configuration, the command might take time to execute.
2. In global configuration mode, [] can be specified for a command that switches to level-2 configuration mode.

top
After a switch to configuration command mode, entering this command restores level-1 global configuration mode.
4.
aaa group server radius
Configures a RADIUS server group. Entering this command switches to config-group mode in which the RADIUS server group information can be set.
Syntax
To set or change information: aaa group server radius
To delete information: no aaa group server radius
Input mode
(config)
Parameters
Configures the RADIUS server group name.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.

aaa authentication login
Sets one or more authentication methods to be used for remote login. If the first specified method fails, the second specified method is used. You can change how authentication works when the first method failed by using the aaa authentication login end-by-reject command.

aaa authentication login
2. You cannot simultaneously specify both group radius (general-purpose RADIUS server authentication) and group group-name (RADIUS server group authentication), because both methods are treated as RADIUS authentication service. Use either of them in combination with local password authentication.

aaa authentication login end-by-reject
Terminates authentication if login authentication is denied. If authentication fails due to communication not being possible, such as an unresponsive RADIUS server, the next authentication method specified by the aaa authentication login command is used to perform authentication.
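
The fall-through behaviour described for aaa authentication login and aaa authentication login end-by-reject, modelled as an added Python example (not code from the manual or the switch software). The method labels and the Outcome names are assumptions of the model, and it takes "fails" in the default case to cover both a denial and no response.

```python
from enum import Enum
from itertools import product


class Outcome(Enum):
    ACCEPT = "accept"            # the method verified the credentials
    REJECT = "reject"            # the method answered and denied the login
    NO_RESPONSE = "no-response"  # the method could not be reached (e.g. RADIUS timeout)


def login_decision(methods, outcomes, end_by_reject):
    """Walk the configured methods in order.

    methods       -- ordered list of method labels (assumed labels, e.g.
                     "group radius" followed by "local")
    outcomes      -- dict mapping each label to the Outcome it would return
    end_by_reject -- True models 'aaa authentication login end-by-reject'

    Returns (granted, trail), where trail lists the (method, outcome) pairs
    that were actually consulted.
    """
    trail = []
    for method in methods:
        outcome = outcomes[method]
        trail.append((method, outcome))
        if outcome is Outcome.ACCEPT:
            return True, trail
        if outcome is Outcome.REJECT and end_by_reject:
            # A denial ends authentication; later methods are never tried.
            return False, trail
        # A denial without end-by-reject, or no response in either mode,
        # moves on to the next configured method.
    return False, trail


def reject_fallthrough_cases(methods):
    """Return every outcome combination whose final result depends on
    whether end-by-reject is configured."""
    differing = []
    for combo in product(Outcome, repeat=len(methods)):
        outcomes = dict(zip(methods, combo))
        granted_default, _ = login_decision(methods, outcomes, False)
        granted_strict, _ = login_decision(methods, outcomes, True)
        if granted_default != granted_strict:
            differing.append(outcomes)
    return differing


if __name__ == "__main__":
    # Constructed scenario: RADIUS first, local password second.
    methods = ["group radius", "local"]
    for case in reject_fallthrough_cases(methods):
        readable = {m: o.value for m, o in case.items()}
        print("result differs when:", readable)
```

With RADIUS first and local password second, the only combination that changes is a RADIUS denial followed by a successful local password check, which is the case to review when deciding whether to configure end-by-reject.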
ip access-group
Sets the access list that specifies the IPv4 addresses of the remote operation terminals for which remote login to the Switch is to be permitted or denied. This setting is common to all types of remote access (Telnet or FTP). Multiple lines for no more than 16 entries can be set.

ip access-group
ftp-server
transport input
radius-server attribute station-id capitalize
Sends the MAC address that is used for sending data to a RADIUS server with the RADIUS attribute in upper case.

radius-server dead-interval
Configures a monitoring timer that operates for automatically restoring the primary general RADIUS server as the current general RADIUS server. The monitoring timer starts when either of the following occurs: The currently operating server (the destination for RADIUS authentication requests) switches to a valid secondary general RADIUS server, or all servers are disabled.

radius-server dead-interval
monitoring timer is not reset and continues to run.
2. 3. In general, when the monitoring timer has started, it does not reset until it expires. However, as exceptions, it resets in the following cases: When radius-server dead-interval 0 is configured by using this command.

radius-server host
Configures the general RADIUS server used for authentication.
Syntax
To set or change information: radius-server host [auth-port ] [acct-port ] [timeout ] [retransmit ] [key ]
To delete information: no radius-server host
Input mode
(config)
Parameters
Specifies the IPv4 address of the RADIUS server.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.

radius-server host
retransmit
Specifies the number of times an authentication request is resent to the RADIUS server.
1. Default value when this parameter is omitted: The number of times configured by using radius-server retransmit is used. If no value is set, the initial value is 3.
2. Range of values: 0 to 15 (times)
timeout
Specifies the timeout period (in seconds) for a response from the RADIUS server.
1.

radius-server host
radius-server key
radius-server retransmit
radius-server timeout

radius-server key
Configures the default RADIUS server key used for authentication on a general RADIUS server or an authentication-specific RADIUS server.
Syntax
To set or change information: radius-server key
To delete information: no radius-server key
Input mode
(config)
Parameters
Specifies the RADIUS key used for encryption or for authentication of communication with the RADIUS server. The same RADIUS key must be set for the client and the RADIUS server.
1.

radius-server retransmit
Configures the default number of times an authentication request is resent to the general RADIUS server used for authentication or to an authentication-specific RADIUS server.
Syntax
To set or change information: radius-server retransmit
To delete information: no radius-server retransmit
Input mode
(config)
Parameters
Specifies the number of times an authentication request is resent to the RADIUS server.
1.

radius-server timeout
Configures the default response timeout value for the general RADIUS server used for authentication or for an authentication-specific RADIUS server.
Syntax
To set or change information: radius-server timeout
To delete information: no radius-server timeout
Input mode
(config)
Parameters
Specifies the timeout period for a response from the RADIUS server.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.

server
Configures a RADIUS server host in the RADIUS server group.
Syntax
To set or change information: server [auth-port ] [acct-port ]
To delete information: no server
Input mode
(config-group)
Parameters
Specifies the IPv4 address of the RADIUS server.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2. Range of values: Specify the IPv4 address (dot notation). 1.0.0.0 to 126.255.255.255, 128.0.0.0 to 223.

server
Notes
1. A maximum of four RADIUS servers can be specified for each group.
2. 127.*.*.* cannot be set as an IPv4 address.
3. The configuration of this command must meet both of the following conditions:
4. The value in this command is the same as the value in the radius-server host command (the values of auth-port and acct-port are also the same).
5.
clock timezone
Sets the time zone. The Switch maintains the date and time internally in Coordinated Universal Time (UTC). This clock timezone setting affects only time set using the set clock command, and the time displayed by using an operation command.
Syntax
To set or change information: clock timezone []
To delete information: no clock timezone
Input mode
(config)
Parameters
Sets the name used to identify a time zone.
1.

clock timezone
When the change is applied
The change is applied immediately after setting values are changed.
Notes
If you change the Switch's time zone, statistics on CPU usage collected by the Switch will be cleared to zero.

ntp client server
Sets the address of the NTP server from which time information can be obtained. A maximum of two entries can be set. The address that is set first is called primary, and the address that is set later is called secondary. If a request to acquire the time from the primary NTP server address fails, a request to acquire time information is sent to the secondary NTP server address.

ntp client broadcast
Sets acceptance of time information broadcast from an NTP server.
Syntax
To set information: ntp client broadcast
To delete information: no ntp client broadcast
Input mode
(config)
Parameters
None
Default behavior
The time information broadcast from the NTP server is not accepted.
Impact on communication
None
When the change is applied
The change is applied immediately after setting values are changed.

ntp client multicast
Sets acceptance of time information multicast from an NTP server.
Syntax
To set information: ntp client multicast
To delete information: no ntp client multicast
Input mode
(config)
Parameters
None
Default behavior
The time information multicast from the NTP server is not accepted.
Impact on communication
None
When the change is applied
The change is applied immediately after setting values are changed.

ntp interval
Sets the interval for regularly obtaining time information from an NTP server.
Syntax
To set or change information: ntp interval
To delete information: no ntp interval
Input mode
(config)
Parameters
Sets the interval for obtaining time information from the NTP server. The interval is set in seconds in decimal.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
6.
system fan mode
Sets the operating mode of the Switch fan.
Syntax
To set information: system fan mode
To delete information: no system fan mode
Input mode
(config)
Parameters
Specifies operating mode 1 or 2 for the fan.
  1: Low-noise setting
  2: Low-temperature setting
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2. Range of values: 1 and 2
Default behavior
Operating mode 1 (Low-noise setting) is set.

system fan mode
Model | Fan operation type | Behavior when the command is set
AX2230S-24P AX1240S-24P2C | Fixed fan speed | Behavior for the low-temperature setting is performed if the command is omitted or the low-noise setting is specified.

system function [AX1250S] [AX1240S]
All functionality of the AX1250S and AX1240S can be used even if the system function command is not set. To maintain configuration compatibility with the AX1230S, the system function command can be entered for the AX1250S and AX1240S.

system l2-table mode
Sets the search method for the Layer 2 hardware table.
Syntax
To set or change information: system l2-table mode
To delete information: no system l2-table mode
Input mode
(config)
Parameters
Selects the method for searching a table used for registration in the hardware table.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.

system l2-table mode
Please execute the reload command after save, because this command becomes effective after reboot.

system recovery
When the no system recovery form of the command is set and a failure is detected, the Switch is not restarted and remains in the failure state. For details about the entities subject to failure and restoration, see 10 Switch Management in the Configuration Guide Vol. 1.
Syntax
To set information: no system recovery
To delete information: system recovery
Input mode
(config)
Parameters
None
Default behavior
Restarts the Switch when a failure is detected.

system temperature-warning-level
Outputs a warning message when the intake temperature of the switch exceeds the specified temperature.
Syntax
To set information: system temperature-warning-level
To delete information: no system temperature-warning-level
Input mode
(config)
Parameters
Sets the temperature (in Celsius). The temperature can be set in units of one degree Celsius.
1.

system temperature-warning-level
Related commands
None

system temperature-warning-level average
Outputs an operation message when the average temperature during the specified period exceeds the specified temperature.
Syntax
To set information: system temperature-warning-level average [] [ period ]
To delete information: no system temperature-warning-level average
Input mode
(config)
Parameters
Sets the average temperature (in Celsius).

system temperature-warning-level average
When the change is applied
The change is applied immediately after setting values are changed. The threshold of the average temperature is checked at noon or when the Switch is started.
Notes
1. 2. If the following operating environment conditions are not met, the log might be output at a temperature lower than the specified average temperature: Provide sufficient ventilation to efficiently remove the heat from around the Switches. Do not stack Switches.
7.
power-control port cool-standby power-control port cool-standby Enables power saving operation of the link-down port. Syntax To set information: power-control port cool-standby To delete information: no power-control port cool-standby Input mode (config) Parameters None Default behavior Operation is at normal power consumption. Impact on communication Yes When the change is applied The change is applied immediately after setting values are changed. Notes 1.
schedule-power-control port cool-standby schedule-power-control port cool-standby Configures power saving operation for link-down ports during scheduled power saving operation. Syntax To set information: schedule-power-control port cool-standby To delete information: no schedule-power-control port cool-standby Input mode (config) Parameters None Default behavior Operation is at normal power consumption when the port is in the link-down state.
schedule-power-control port-led schedule-power-control port-led Configures LED operation during scheduled power saving. Syntax To set or change information: schedule-power-control port-led { enable | disable } [AX2200S] schedule-power-control port-led { enable | economy | disable } [AX1250S] [AX1240S] To delete information: no schedule-power-control port-led Input mode (config) Parameters enable Turns on the Switch LED according to the operating status.
schedule-power-control port-led enable, disable [AX2200S] enable, economy, disable [AX1250S] and [AX1240S] Default behavior Regardless of operation status, the Switch turns on and blinks with normal brightness. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. When the LED has been disabled (turned off), ST1 and ACC (the memory card access LED) turn on with power saving brightness. 2.
schedule-power-control shutdown interface schedule-power-control shutdown interface Sets the port that shuts down while the scheduled power saving functionality is used. Shutting down the port turns off the power, reducing the amount of power consumed.
schedule-power-control shutdown interface Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. If you want a port to be always shut down regardless of a schedule, you must set both the shutdown command and this command.
schedule-power-control system-sleep [AX1250S] [AX1240S] schedule-power-control system-sleep [AX1250S] [AX1240S] Puts a Switch in the sleep state during the scheduled time range. Putting the Switch in the sleep state reduces the amount of power consumed. Syntax To set information: schedule-power-control system-sleep To delete information: no schedule-power-control system-sleep Input mode (config) Parameters None Default behavior The Switch does not switch to the sleep state.
schedule-power-control time-range schedule-power-control time-range Specifies the execution time of scheduled power saving functionality.
schedule-power-control time-range Parameters for specifying a date start-time Specifies the start date and time. YY Specify the last two digits of the year in the range from 00 to 38. For example, 00 means the year 2000. MM Specify the month in the range from 01 to 12. DD Specify the day of the month in the range from 01 to 31. HH Specify the hour (00 to 23). MM Specify the minute (00 to 59). 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
schedule-power-control time-range mon Sets Monday. tue Sets Tuesday. wed Sets Wednesday. thu Sets Thursday. fri Sets Friday. sat Sets Saturday. HH Specify the hour (00 to 23). MM Specify the minute (00 to 59). 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Select sun, mon, tue, wed, thu, fri, or sat, and specify a time for . end-time {sun | mon | tue | wed | thu | fri | sat} Specifies the end day of the week and the time.
schedule-power-control time-range Select sun, mon, tue, wed, thu, fri, or sat, and specify a time for . Parameters for specifying everyday start-time Specifies the start time. HH Specify the hour (00 to 23). MM Specify the minute (00 to 59). 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify a time for . end-time Specifies the end time. HH Specify the hour (00 to 23). MM Specify the minute (00 to 59). 1.
schedule-power-control time-range Impact on communication If sleep mode is set, all communications stop when the scheduled time range starts. When the change is applied The change is applied immediately after setting values are changed. Notes 1. If there is an overlap of time of execution between different action parameters, the action disable setting has precedence. 2.
system fan-control [AX1240S] Enables the cooling fan control functionality, which operates by monitoring the internal temperature. Syntax To set information: system fan-control To delete information: no system fan-control Input mode (config) Parameters None Default behavior The fan operates continuously. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
system fan-control [AX1240S] Related commands system fan mode
system port-led system port-led Configures a Switch's LED operation. Syntax To set or change information: system port-led { enable | disable } [AX2200S] system port-led { enable | economy | disable } [AX1250S] and [AX1240S] To delete information: no system port-led Input mode (config) Parameters enable Turns on the Switch LED according to the operating status. When the system port-led trigger command is not set: Regardless of the operating status, the LED turns on and blinks with normal brightness.
system port-led enable, economy, disable [AX1250S] and [AX1240S] Default behavior Regardless of operation status, the Switch turns on and blinks with normal brightness. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. When the LED has been disabled (turned off), ST1 and ACC (the memory card access LED) turn on with power saving brightness. 2. The PWR LED is always on with normal brightness. 3.
system port-led trigger console Adds login to and logout from a Switch via a console (RS-232C) connection as a trigger for automatic LED operation. Syntax To set information: system port-led trigger console To delete information: no system port-led trigger console Input mode (config) Parameters None Default behavior Login to and logout from a Switch via a console (RS-232C) connection are not regarded as conditions for automatic operation.
system port-led trigger interface system port-led trigger interface Adds link-up and link-down of the specified physical port as a trigger for automatic LED operation. Syntax To set or change information: system port-led trigger interface To delete information: no system port-led trigger interface Input mode (config) Parameters Specify the relevant port. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
system port-led trigger mc Adds insertion and removal of a memory card as a trigger for automatic LED operation. Syntax To set information: system port-led trigger mc To delete information: no system port-led trigger mc Input mode (config) Parameters None Default behavior Insertion and removal of a memory card are not regarded as conditions for automatic operation.
Part 3: Network Interfaces 8.
bandwidth bandwidth Assigns the bandwidth of a line. This setting is used for calculating the line usage rate on a network monitoring device. Syntax To set or change information: bandwidth To delete information: no bandwidth Input mode (config-if) Parameters Assigns the line bandwidth in kbit/s. This setting is used for the ifSpeed/ifHighSpeed (SNMP MIB) value of the applicable line, and has no impact on communication. 1.
description description Sets supplementary information. This command can be used as a comment about the line. Note that when this command is set, information can be checked by using the show interfaces or ifDescr (SNMP MIB) operation command. Syntax To set or change information: description To delete information: no description Input mode (config-if) Parameters Sets supplementary information for an Ethernet interface. 1.
duplex Sets the duplex mode of a port. Syntax To set or change information: duplex {half | full | auto} To delete information: no duplex Input mode (config-if) Parameters {half | full | auto} Sets the connection mode of a port to half-duplex (fixed), full-duplex (fixed), or auto-negotiation. The following table shows the combinations of line type and parameters that can be set. auto is selected if a non-specifiable parameter is specified.
duplex Default behavior auto is set. Impact on communication If this command is set for the port in use, the port goes down and communication stops temporarily. Thereafter, the port restarts. When the change is applied The change is applied immediately after setting values are changed. Notes 1. If auto or a parameter containing auto is set for speed or duplex, auto-negotiation is performed. 2. For 1000BASE-X, if you do not want to use auto-negotiation, set 1000 for speed and full for duplex.
flowcontrol flowcontrol Sets flow control. Syntax To set or change information: flowcontrol send {desired | on | off} flowcontrol receive {desired | on | off} To delete information: no flowcontrol send no flowcontrol receive Input mode (config-if) Parameters send {desired | on | off} Sets send operation for the pause packets of the flow control functionality. Specify the same settings as those for the receive operation for the pause packets of the flow control functionality at the destination.
flowcontrol 2. Range of values: receive desired, receive on, receive off Default behavior Behavior varies depending on the line type. For 10BASE-T, 100BASE-TX, or 1000BASE-T: Receive operation is off but send operation is desired. For 1000BASE-X: Receive operation is off but send operation is desired. For 100BASE-FX [AX1250S]: Receive operation is off but send operation is on. Impact on communication If this command is set for the port in use, the port goes down and communication stops temporarily.
interface fastethernet [AX1250S] [AX1240S] interface fastethernet [AX1250S] [AX1240S] Sets items related to 10BASE-T or 100BASE-TX. Entering this command switches to config-if mode, in which information about the relevant port can be set. Syntax To set or change information: interface fastethernet Input mode (config) Parameters IF# Sets the interface port number. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
interface gigabitethernet interface gigabitethernet Sets items related to 10BASE-T/100BASE-TX/1000BASE-T, 100BASE-FX, and 1000BASE-X. Entering this command switches to config-if mode, in which information about the relevant port can be set. Syntax To set or change information: interface gigabitethernet Input mode (config) Parameters IF# Sets the interface port number. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
link debounce Sets the link-down detection time, that is, the time from when a link failure is detected until the actual link-down occurs. When a large value is set for this command, temporary link-downs are not detected, which prevents the link from becoming unstable. Syntax To set or change information: link debounce [time ] To delete information: no link debounce Input mode (config-if) Parameters time Sets the debounce timer value in milliseconds. 1.
linkscan-mode [AX1250S] [AX1240S] linkscan-mode [AX1250S] [AX1240S] Sets the operating mode for monitoring the link status of a Switch. Syntax To set information: linkscan-mode To delete information: no linkscan-mode Input mode (config) Parameters Sets the operating mode for monitoring the link status. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 1 (The link status is monitored by hardware.
mdix auto mdix auto Sets the MDI functionality of the port to be used. When no mdix auto is specified, the automatic MDIX functionality is disabled and the port is fixed to MDI-X. Syntax To set information: no mdix auto To delete information: mdix auto Input mode (config-if) Parameters None Default behavior During auto-negotiation, MDI and MDI-X are switched automatically. Impact on communication If this command is set for the port in use, the port goes down and communication stops temporarily.
media-type [AX1250S] [AX1240S] Selects the type of port to be used as a port on which 10BASE-T/100BASE-TX/1000BASE-T (RJ45) and 100BASE-FX/1000BASE-X (SFP) can be switched.
media-type [AX1250S] [AX1240S] 3. If media-type auto is set, the following commands cannot be set. Use the default value. duplex, mdix auto, and speed 4. 5. When media-type auto is set and RJ45 is used with a 1000BASE-SX2 SFP transceiver inserted, ports are not switched automatically because 1000BASE-X link-up does not occur. Therefore, for 1000BASE-SX2, use either of the following methods: Use the fixed media setting.
mtu mtu Sets the MTU for ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Syntax To set or change information: mtu To delete information: no mtu Input mode (config-if) Parameters # Sets the MTU of ports in octets. The MTU is the maximum length of the data section for frames in Ethernet V2 format. #: For details about the frame format, see 13.1.
mtu sublayers in the Configuration Guide Vol. 1.
power inline [AX2200S] [AX1240S] power inline [AX2200S] [AX1240S] Sets the port priority. Setting the power priority for each port ensures that power is supplied to the appropriate ports. Syntax To set or change information: power inline {critical | high | low | never} To delete information: no power inline Input mode (config-if) Parameters critical Power is allocated to the most important port. Set this value for a port for which power must always be supplied.
power inline [AX2200S] [AX1240S] set, power is not supplied. 6. If more than one port has the same setting, the port with the lower port number has priority. 7. The priority is controlled separately for system 1 and system 2 according to their respective ranges.
power inline allocation [AX2200S] [AX1240S] power inline allocation [AX2200S] [AX1240S] Sets power allocation for each port either based on its class or manually. Syntax To set or change information: power inline allocation {auto | limit } To delete information: no power inline allocation Input mode (config-if) Parameters auto Detects a power-receiving device and automatically categorizes power classes, and sets the amount of power allocated to the applicable port based on its class.
power inline allocation [AX2200S] [AX1240S] Port Setting range (in mW) Increment (in mW) 0/5 to 0/24 4000 to 30000 200 [AX1240S] Sets the amount of power for a port and the amount of power consumption to be used for priority control in steps of 200 mW. This parameter becomes valid when limit is specified. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 4000 to 30000 (mW) Default behavior auto is set.
power inline priority-control disable [AX2200S] [AX1240S] power inline priority-control disable [AX2200S] [AX1240S] Assigns priority to a powered port. Syntax To set information: power inline priority-control disable To delete information: no power inline priority-control disable Input mode (config) Parameters None Default behavior The priority setting for ports is enabled. Impact on communication Power to all ports is temporarily stopped.
power inline system-allocation [AX2200S] Manually sets the maximum amount of power that can be supplied to system 1. The maximum amount of power for system 2 is calculated by subtracting the value set by this command from the maximum amount of power that can be supplied to this Switch.
shutdown shutdown Places the port in the shutdown state. If a port with the PoE functionality is shut down, power is no longer supplied. Syntax To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1.
speed speed Sets the port speed. Syntax To set or change information: speed { 10 | 100 | 1000 | auto | auto {10 | 100 | 1000 | 10 100 | 10 100 1000} } To delete information: no speed Input mode (config-if) Parameters { 10 | 100 | 1000 | auto | auto {10 | 100 | 1000 | 10 100 | 10 100 1000} } Sets the line speed. The following table shows the combinations of line type and parameters that can be set. auto is selected if a non-specifiable parameter is specified.
speed auto Sets the line speed to auto-negotiation. auto {10 | 100 | 1000 | 10 100 | 10 100 1000} Auto-negotiation is performed at the specified line speed. This setting prevents the line speed from operating at an unexpected speed, so the line usage rate is prevented from increasing. If negotiation cannot be performed at the specified line speed, the status of the link does not switch to the link-up state. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
system mtu Sets the MTU of all ports. With this configuration, jumbo frames can be used to improve the throughput of data transfers. As a result, the usability of a network and devices connected to the network improves. Syntax To set or change information: system mtu To delete information: no system mtu Input mode (config) Parameters Sets the MTU of all ports in octets. The MTU is the maximum length of the data section for frames in Ethernet V2 format. #
Table 8-5 MTU and the length of frames that can be sent or received

| Line type | mtu setting | system mtu setting | Length of a frame that can be sent or received (in octets) | Line MTU (in octets) |
| 10BASE-T (full and half-duplex), 100BASE-TX (half-duplex) | Not related | Not related | Tagged: 1518; Untagged: 1514 | 1500 |
| All other cases | Set | Not related | Tagged: M1 + 18 #1; Untagged: M1 + 14 #1 | M1 #1 |
| All other cases | Not set | Set | Tagged: M2 + 18 #2; Untagged: M2 + 14 #2 | M2 #2 |
| All other cases | Not set | Not set | Tagged: 1518; Untagged: 1514 | 1500 |

#1: Th
9.
channel-group lacp system-priority channel-group lacp system-priority Sets the LACP system priority of a channel group for link aggregation. Syntax To set or change information: channel-group lacp system-priority To delete information: no channel-group lacp system-priority Input mode (config-if) Parameters Sets the LACP system priority. The lower the value, the higher the priority. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
channel-group max-active-port channel-group max-active-port Sets the maximum number of ports actually used in a channel group for link aggregation. Syntax To set or change information: channel-group max-active-port [no-link-down] To delete information: no channel-group max-active-port Input mode (config-if) Parameters [no-link-down] Sets the maximum number of ports actually used in a channel group for link aggregation.
channel-group max-active-port Related commands interface port-channel channel-group lacp system-priority lacp system-priority lacp port-priority
channel-group mode channel-group mode Creates a channel group for link aggregation. Syntax To set information: channel-group mode { on | { active | passive } } To change information: channel-group mode { active | passive } To delete information: no channel-group Input mode (config-if) Parameters Sets the channel group number for link aggregation. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
channel-group mode Notes 1. To change static link aggregation to LACP-based link aggregation, or vice versa, delete this command, change the mode, and then set the command again. 2. When channel-group mode is set, the port-channel setting of the specified channel group is automatically generated. If port-channel has already been set, no specific operation is required. 3.
channel-group periodic-timer channel-group periodic-timer Sets the LACPDU sending interval. Syntax To set or change information: channel-group periodic-timer { long | short } To delete information: no channel-group periodic-timer Input mode (config-if) Parameters { long | short } Sets the interval at which the remote device sends LACPDUs to a Switch. long: 30 seconds short: one second 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
description description Sets supplementary information. Syntax To set or change information: description To delete information: no description Input mode (config-if) Parameters Sets supplementary information for the applicable channel group for link aggregation. Use this command to create and attach a note to the interface. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
interface port-channel Sets an item related to a port channel interface. Entering this command switches to config-if mode, which allows you to use configuration commands to specify the channel group number. A port channel interface is automatically generated when the channel-group mode command is set.
lacp port-priority lacp port-priority Sets the port priority. Syntax To set or change information: lacp port-priority To delete information: no lacp port-priority Input mode (config-if) Parameters Sets the port priority. The lower the value, the higher the priority. When on is set for the channel-group mode command This parameter is used with the max-active-port command to select the standby links.
lacp port-priority channel-group mode channel-group max-active-port
lacp system-priority lacp system-priority Sets the effective LACP system priority for a Switch. Syntax To set or change information: lacp system-priority To delete information: no lacp system-priority Input mode (config) Parameters Sets the LACP system priority. The lower the value, the higher the priority. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
shutdown shutdown Always disables the applicable channel group for link aggregation, and stops communication. Syntax To set information: shutdown To delete information: no shutdown Input mode (config-if) Parameters None Default behavior None Impact on communication If the priority is set for an operating channel group, the channel group goes down. When the change is applied The change is applied immediately after setting values are changed.
Part 4: Layer 2 Switching 10.
mac-address-table aging-time mac-address-table aging-time Sets the aging conditions for MAC address table entries. Syntax To set or change information: mac-address-table aging-time To delete information: no mac-address-table aging-time Input mode (config) Parameters Sets the aging time in seconds. If 0 is set, aging is not performed. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
mac-address-table static Sets static MAC address table information.
mac-address-table static Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. If you set a static entry for the default VLAN (VLAN ID = 1), explicitly set vlan 1 for the output destination interface. 2. If interface has been set, a frame is output to the interface specified for frames matching the destination MAC address.
11.
interface vlan interface vlan Configures a VLAN interface. Setting the VLAN interface allows you to set IP addresses for VLANs. Syntax To set or change information: interface vlan To delete information: no interface vlan Input mode (config) Parameters Sets the VLAN ID. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: See Specifiable values for parameters.
l2protocol-tunnel eap Enables the EAPOL forwarding functionality. The functionality is set for a switch. Syntax To set information: l2protocol-tunnel eap To delete information: no l2protocol-tunnel eap Input mode (config) Parameters None Default behavior The EAPOL forwarding functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
l2protocol-tunnel stp Enables the BPDU forwarding functionality. The functionality is set for a switch. Syntax To set information: l2protocol-tunnel stp To delete information: no l2protocol-tunnel stp Input mode (config) Parameters None Default behavior The BPDU forwarding functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
mac-address mac-address Sets the MAC address used to identify a MAC VLAN. Syntax To set or change information: mac-address To delete information: no mac-address Input mode (config-vlan) (MAC VLAN only) Parameters Sets the MAC address that will be set for the MAC VLAN. This command can be set only when the applicable VLAN is a MAC VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 0000.0000.0000 to feff.ffff.
name name Sets a VLAN name. Syntax To set or change information: name To delete information: no name Input mode (config-vlan) Parameters Sets a VLAN name. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify a character string that is no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters.
protocol protocol Sets the protocol for identifying VLANs in protocol VLANs. Syntax To set or change information: protocol To delete information: no protocol Input mode (config-vlan) Parameters Sets the protocol name of a protocol VLAN. This command can be set only when the applicable VLAN is a protocol VLAN. If you want to use multiple protocol names for a single VLAN, set the command separately for each protocol name used. 1.
state state Sets the VLAN status. Syntax To set or change information: state {suspend | active} To delete information: no state Input mode (config-vlan) Parameters {suspend | active} suspend Disables the VLAN status and stops the sending and receiving of all frames on the VLAN. active Sets the VLAN status to enable and starts the sending and receiving of all frames. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
switchport access switchport access Sets access port information. Syntax To set or change information: switchport access vlan To delete information: no switchport access vlan Input mode (config-if) Parameters vlan Sets the access port VLAN. Specifiable VLANs are port VLANs or MAC VLANs. A protocol VLAN cannot be set. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: See Specifiable values for parameters.
switchport isolation Configures the inter-port relay isolation functionality.
switchport isolation 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: For details about how to specify and the specifiable range of values, see Specifiable values for parameters. Default behavior Forwarding between ports is not isolated. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1.
switchport mac Sets the MAC port information.
switchport mac switchport mac vlan command cannot be set. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: For details about how to specify and the specifiable values, see Specifiable values for parameters. vlan add Adds the currently-valid MAC VLANs for this port to the VLAN list. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
switchport mac When the change is applied The change is applied immediately after setting values are changed. Notes 1. If no valid MAC VLANs have been set, the port operates as an access port. 2. The switchport mac dot1q vlan setting takes effect when switchport mode mac is set. 3.
switchport mode Configures the Layer 2 interface attribute (port type). Syntax To set or change information: switchport mode {access | trunk | protocol-vlan | mac-vlan } To delete information: no switchport mode Input mode (config-if) Parameters {access | trunk | protocol-vlan | mac-vlan} Configures the Layer 2 interface attribute (port type). access Sets the applicable interface as an access port. An access port sends untagged frames. An access port can be used by only one VLAN.
switchport mode switchport trunk command. If an interface is set as a trunk port and allowed vlan is not set, all frames on the applicable interface are discarded. 2. If the applicable interface is set as a protocol port, set the protocol VLAN by using the switchport protocol command. If the protocol VLAN is not set, the applicable interface operates as an access port. 3.
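Added example (not part of the manual and not vendor code): a small offline check of a saved configuration for the fallback behaviours described in the switchport mode and switchport mac notes, where a port silently discards all frames or operates as an access port. The sample configuration is constructed; the indented block layout with "!" separators and the exact argument forms of the sub-commands are assumptions, and the check tests only for the presence of a sub-command, not whether the VLANs it names are valid.

```python
"""Flag ports whose switchport mode lacks the sub-command the notes call for."""
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
interface fastethernet 0/1
  switchport mode access
  switchport access vlan 10
!
interface fastethernet 0/2
  switchport mode trunk
!
interface fastethernet 0/3
  switchport mode trunk
  switchport trunk allowed vlan 10,20
!
interface fastethernet 0/4
  switchport mode protocol-vlan
!
interface fastethernet 0/5
  switchport mode mac-vlan
  switchport mac vlan 100
!
interface gigabitethernet 0/25
  switchport mode mac-vlan
!
"""

# mode -> (sub-command prefix expected in the block, documented effect if absent)
REQUIRED = {
    "trunk": ("switchport trunk allowed vlan",
              "all frames on the interface are discarded"),
    "protocol-vlan": ("switchport protocol",
                      "the interface operates as an access port"),
    "mac-vlan": ("switchport mac vlan",
                 "the port operates as an access port"),
}

IFACE_RE = re.compile(r"^interface\s+(fastethernet|gigabitethernet)\s+(\S+)$")
MODE_RE = re.compile(r"^switchport\s+mode\s+(\S+)$")


def parse_interfaces(text):
    """Return {interface name: [sub-commands]} for Ethernet interface blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise internal whitespace
        if not line or line == "!":
            current = None                    # separator ends the current block
            continue
        if not raw[0].isspace():              # top-level command
            m = IFACE_RE.match(line)
            current = f"{m.group(1)} {m.group(2)}" if m else None
            if current is not None:
                blocks.setdefault(current, [])
            continue
        if current is not None:               # indented sub-command
            blocks[current].append(line)
    return blocks


def audit(text):
    """Return [(interface, mode, documented effect)] for incomplete port types."""
    findings = []
    for name, cmds in parse_interfaces(text).items():
        mode = None
        for cmd in cmds:                      # the last 'switchport mode' wins
            m = MODE_RE.match(cmd)
            if m:
                mode = m.group(1)
        rule = REQUIRED.get(mode)
        if rule is None:
            continue                          # access port or no explicit mode
        prefix, effect = rule
        if not any(c == prefix or c.startswith(prefix + " ") for c in cmds):
            findings.append((name, mode, effect))
    return findings


if __name__ == "__main__":
    for name, mode, effect in audit(SAMPLE_CONFIG):
        print(f"{name}: mode {mode} without its VLAN sub-command: {effect}")
```
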
switchport protocol Sets the protocol port information.
switchport protocol This parameter cannot be omitted. 2. Range of values: For details about how to specify and the specifiable range of values, see Specifiable values for parameters. Default behavior None. If a protocol port has been set by using the switchport mode protocol command and the switchport protocol command is omitted, the default VLAN is set. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1.
switchport trunk Sets trunk port information.
switchport trunk values, see Specifiable values for parameters. remove Removes a VLAN from the VLAN list that is set. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: For details about how to specify and the specifiable range of values, see Specifiable values for parameters. Default behavior None.
vlan vlan Sets VLAN-related items. Syntax To set or change information: vlan vlan vlan protocol-based vlan protocol-based vlan mac-based vlan mac-based To delete information: no vlan no vlan Input mode (config) Parameters Sets the VLAN ID. When this command is entered, the mode switches to config-vlan mode. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
vlan - You cannot specify this parameter for VLANs you have already created as port VLANs and MAC VLANs. mac-based Set this parameter for MAC VLANs. 1. Default value when this parameter is omitted: The VLANs become port-based VLANs. 2. Note on using this parameter: - When configuring MAC VLANs, you must set mac-based. - You cannot specify this parameter for VLANs you have already created as port VLANs and protocol VLANs. Default behavior No VLANs are configured.
vlan vlan command: The following table applies to the vlan command. # Parameter Whether specifiable by the user Behavior specific to the default VLAN 1 F (fixed value) Set when the Switch is started. Fixed at 1. Cannot be changed or deleted.
vlan-protocol vlan-protocol Sets the protocol name and protocol value for a protocol VLAN. Syntax To set or change information: vlan-protocol [ethertype ] [llc ] [snap-ethertype ] To delete information: no vlan-protocol Input mode (config) Parameters Sets the protocol name used for configuring the protocol VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
vlan-protocol Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Note, however, that for protocols that have not been set by the protocol command for the protocol VLAN, the change is applied when the protocol name is set by the protocol command. Notes 1. If a value smaller than 05ff is set for the ethertype value (four-digit hexadecimal), 0000 is set. 2.
12.
vlan-protocol spanning-tree vlan mode spanning-tree vlan pathcost method spanning-tree vlan port-priority spanning-tree vlan priority spanning-tree vlan transmission-limit
instance Sets the VLANs belonging to Multiple Spanning Tree (MST) instances. Syntax To set or change information: instance vlans To delete information: no instance Input mode (config-mst) Parameters Sets an MST instance ID. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 0 to 4095 vlans Sets VLANs belonging to MST instances.
instance Notes 1. The show command does not display information about MST instance ID 0.
name name Sets a string to identify a Multiple Spanning Tree region. Syntax To set or change information: name To delete information: no name Input mode (config-mst) Parameters Sets the character string used to identify a region. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify a character string that is no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters.
revision revision Sets revision numbers to identify Multiple Spanning Tree regions. Syntax To set or change information: revision To delete information: no revision Input mode (config-mst) Parameters Sets the revision number to identify a region. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 0 to 65535 3.
spanning-tree bpdufilter Sets the BPDU filter functionality for the applicable ports. This command is applied to the applicable ports of PVST+, Single Spanning Tree, and Multiple Spanning Tree.
spanning-tree bpduguard Sets the BPDU guard functionality for the applicable ports. This command is applied to the applicable ports of PVST+, Single Spanning Tree, and Multiple Spanning Tree, and operates on ports on which the PortFast functionality has been set.
spanning-tree cost spanning-tree cost Sets the path cost of the applicable port. This command is applied to PVST+, Single Spanning Tree, and Multiple Spanning Tree. Syntax To set or change information: spanning-tree cost To delete information: no spanning-tree cost Input mode (config-if) Parameters Specifies the path cost value. The lower the value, the higher the possibility that the port will be used for forwarding the applicable frames. 1.
spanning-tree cost spanning-tree vlan pathcost method spanning-tree vlan cost spanning-tree single pathcost method spanning-tree single cost spanning-tree mst cost
spanning-tree disable Stops operation of the Spanning Tree functionality for PVST+, Single Spanning Tree, and Multiple Spanning Tree. Syntax To set information: spanning-tree disable To delete information: no spanning-tree disable Input mode (config) Parameters None Default behavior The Spanning Tree Protocols are enabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
spanning-tree guard spanning-tree guard Sets the guard functionality for the applicable ports. This command is applied to the applicable PVST+, Single Spanning Tree, and Multiple Spanning Tree. Syntax To set or change information: spanning-tree guard { loop | none | root } To delete information: no spanning-tree guard Input mode (config-if) Parameters { loop | none | root } loop: The loop guard functionality is applied to the applicable ports.
spanning-tree guard guard setting is applied.
spanning-tree link-type Sets the link type of the applicable port. This command is applied to the applicable ports of PVST+, Single Spanning Tree, and Multiple Spanning Tree. If you want to change the high-speed topology when rapid-pvst or mst is set by the spanning-tree mode command, and rapid-pvst is set by the spanning-tree vlan mode command, the connection between bridges must be a point-to-point connection.
spanning-tree loopguard default spanning-tree loopguard default Sets the loop guard functionality that is used by default. This command is valid for PVST+ and Single Spanning Tree ports. Syntax To set information: spanning-tree loopguard default To delete information: no spanning-tree loopguard default Input mode (config) Parameters None Default behavior If the spanning-tree guard command has been set, that setting is used.
spanning-tree mode spanning-tree mode The following explains settings for the Spanning Tree operating mode. This command is applied to PVST+ other than Single Spanning Tree, and to Multiple Spanning Tree. If the spanning-tree vlan mode command is set in a PVST+ operating mode, the settings for that command are used.
spanning-tree mst configuration spanning-tree mst configuration Switches to config-mst mode in which you can set the information necessary for defining Multiple Spanning Tree regions. If this setting is deleted, all previously-set information for defining regions is deleted.
spanning-tree mst cost spanning-tree mst cost Sets the path cost for the applicable Multiple Spanning Tree ports. Syntax To set or change information: spanning-tree mst cost To delete information: no spanning-tree mst cost Input mode (config-if) Parameters Sets an MST instance ID. One MST instance ID can be set. You can use a hyphen (-) or a comma (,) to set multiple MST instance IDs at one time. 1.
spanning-tree mst forward-time spanning-tree mst forward-time Sets the time required for Multiple Spanning Tree state transitions. Syntax To set or change information: spanning-tree mst forward-time To delete information: no spanning-tree mst forward-time Input mode (config) Parameters Specifies the time in seconds required for the state of a port to change. For ports in stp-compatible mode, listening and learning states can be maintained for the specified period of time.
spanning-tree mst hello-time spanning-tree mst hello-time Sets the interval for sending BPDUs in Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst hello-time To delete information: no spanning-tree mst hello-time Input mode (config) Parameters Specifies the interval in seconds for sending BPDUs that are sent regularly from the Switch. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree mst max-age spanning-tree mst max-age Sets the maximum valid time of BPDUs that are sent via Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst max-age To delete information: no spanning-tree mst max-age Input mode (config) Parameters Sets the maximum valid time in seconds for BPDUs that are sent from the Switch. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 6 to 40 (seconds) 3.
spanning-tree mst max-hops spanning-tree mst max-hops Sets the maximum-number-of-hops count for BPDUs in Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst max-hops spanning-tree mst max-hops To delete information: no spanning-tree mst max-hops no spanning-tree mst max-hops Input mode (config) Parameters Sets an MST instance ID. One MST instance ID can be set.
spanning-tree mst port-priority spanning-tree mst port-priority Sets the priority of the applicable Multiple Spanning Tree ports for each MST instance. Syntax To set or change information: spanning-tree mst port-priority To delete information: no spanning-tree mst port-priority Input mode (config-if) Parameters Sets an MST instance ID. One MST instance ID can be set.
spanning-tree mst root priority spanning-tree mst root priority Sets the bridge priority for each MST instance in Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst root priority To delete information: no spanning-tree mst root priority Input mode (config) Parameters Sets an MST instance ID. One MST instance ID can be set. You can use a hyphen (-) or a comma (,) to set multiple MST instance IDs at one time. 1.
spanning-tree mst transmission-limit spanning-tree mst transmission-limit Sets the maximum number of BPDUs that can be sent during each hello-time interval for Multiple Spanning Tree. Syntax To set or change information: spanning-tree mst transmission-limit To delete information: no spanning-tree mst transmission-limit Input mode (config) Parameters Sets the maximum number of BPDUs that can be sent per hello-time interval. 1.
spanning-tree pathcost method spanning-tree pathcost method Sets whether to use 16-bit values or 32-bit values as the path cost of ports. This command is applied to PVST+ and Single Spanning Tree, but not to Multiple Spanning Tree. When the spanning-tree vlan pathcost method command or the spanning-tree single pathcost method command is set, the value of the spanning-tree pathcost method command is not applied.
spanning-tree pathcost method Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. When mst is set by the spanning-tree mode command, Multiple Spanning Tree operates using a 32-bit value. To set a value of 65536 or larger for the path cost using the spanning-tree cost command, you must set long for this command. You do not need to set this command before setting a path cost value using the spanning-tree mst cost command.
spanning-tree port-priority spanning-tree port-priority Sets the port priority of the applicable ports. This command is applied to PVST+, Single Spanning Tree, and Multiple Spanning Tree. Syntax To set or change information: spanning-tree port-priority To delete information: no spanning-tree port-priority Input mode (config-if) Parameters Sets the port priority. Use a multiple of 16 as the port priority. The lower the value, the higher the priority. 1.
spanning-tree portfast spanning-tree portfast Sets the PortFast functionality for the applicable ports. This command is applied to the applicable ports of PVST+, Single Spanning Tree, and Multiple Spanning Tree. Syntax To set or change information: spanning-tree portfast [{ trunk | disable }] To delete information: no spanning-tree portfast Input mode (config-if) Parameters { trunk | disable } If trunk is set, the PortFast functionality is applied to access, trunk, protocol, and MAC ports.
spanning-tree portfast bpduguard default spanning-tree portfast bpduguard default Sets the BPDU guard functionality to be used by default. This command is valid for all ports on which the PortFast functionality of PVST+, Single Spanning Tree, and Multiple Spanning Tree is set.
spanning-tree portfast default spanning-tree portfast default Sets the PortFast functionality to be used by default. This command is valid on the access, protocol, and MAC ports of PVST+, Single Spanning Tree, and Multiple Spanning Tree. Syntax To set information: spanning-tree portfast default To delete information: no spanning-tree portfast default Input mode (config) Parameters None Default behavior If the spanning-tree portfast command has been set, that setting is used.
spanning-tree single spanning-tree single Starts calculation of the topology for Single Spanning Tree. If the Spanning Tree operating mode is PVST+, VLAN 1 is treated as Single Spanning Tree after this command is executed. Syntax To set information: spanning-tree single To delete information: no spanning-tree single Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
spanning-tree single cost spanning-tree single cost Sets the path cost for the applicable Single Spanning Tree ports. Syntax To set or change information: spanning-tree single cost To delete information: no spanning-tree single cost Input mode (config-if) Parameters Specifies the path cost value. The lower the value, the higher the possibility that the port will be used for forwarding the applicable frames. 1.
spanning-tree single forward-time spanning-tree single forward-time Sets the time required for the state of Single Spanning Tree to change. Syntax To set or change information: spanning-tree single forward-time To delete information: no spanning-tree single forward-time Input mode (config) Parameters Specifies the time in seconds required for the state of a port to change. If stp (802.
spanning-tree single hello-time spanning-tree single hello-time Sets the interval for sending Single Spanning Tree BPDUs. Syntax To set or change information: spanning-tree single hello-time To delete information: no spanning-tree single hello-time Input mode (config) Parameters Specifies the interval in seconds for sending BPDUs that are sent regularly from the Switch. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree single max-age spanning-tree single max-age Sets the maximum valid time of BPDUs that are sent via Single Spanning Tree. Syntax To set or change information: spanning-tree single max-age To delete information: no spanning-tree single max-age Input mode (config) Parameters Sets the maximum valid time in seconds for BPDUs that are sent from the Switch. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree single mode spanning-tree single mode Sets the operating mode of Single Spanning Tree. Syntax To set or change information: spanning-tree single mode { stp | rapid-stp } To delete information: no spanning-tree single mode Input mode (config) Parameters { stp | rapid-stp } Sets the protocol to be used. If the protocol is changed during Spanning Tree operation, the Spanning Tree Protocol is re-initialized. If stp is set, Spanning Tree mode is used.
spanning-tree single pathcost method spanning-tree single pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for Single Spanning Tree ports. If the spanning-tree single cost command setting is omitted, the following values are applied to the path cost according to the interface speed and the setting of the spanning-tree single pathcost method command.
spanning-tree single pathcost method When the change is applied The change is applied immediately after setting values are changed.
spanning-tree single port-priority spanning-tree single port-priority Sets the priority for applicable Single Spanning Tree ports. Syntax To set or change information: spanning-tree single port-priority To delete information: no spanning-tree single port-priority Input mode (config-if) Parameters Sets the port priority. Use a multiple of 16 as the port priority. The lower the value, the higher the priority. 1.
spanning-tree single priority spanning-tree single priority Sets the bridge priority for Single Spanning Tree. Syntax To set or change information: spanning-tree single priority To delete information: no spanning-tree single priority Input mode (config) Parameters Sets the bridge priority. The lower the value, the higher the priority. Use a multiple of 4096 as the bridge priority. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree single transmission-limit spanning-tree single transmission-limit Sets the maximum number of BPDUs that can be sent during the hello-time interval for Single Spanning Tree. Syntax To set or change information: spanning-tree single transmission-limit To delete information: no spanning-tree single transmission-limit Input mode (config) Parameters Sets the maximum number of BPDUs that can be sent per hello-time interval. This parameter is valid only when rapid-stp (802.
spanning-tree vlan spanning-tree vlan Configures PVST+. If the no spanning-tree vlan command is set after the spanning-tree single command has been set, the applicable VLAN operates with Single Spanning Tree. Syntax To set or change information: no spanning-tree vlan To delete information: spanning-tree vlan Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1.
spanning-tree vlan cost spanning-tree vlan cost Sets the path cost for the applicable PVST+ ports. Syntax To set or change information: spanning-tree vlan cost To delete information: no spanning-tree vlan cost Input mode (config-if) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan cost Notes None Related commands spanning-tree cost spanning-tree pathcost method spanning-tree vlan pathcost method
spanning-tree vlan forward-time spanning-tree vlan forward-time Sets the time required for PVST+ state transition. Syntax To set or change information: spanning-tree vlan forward-time To delete information: no spanning-tree vlan forward-time Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan forward-time Related commands spanning-tree mode spanning-tree vlan mode
spanning-tree vlan hello-time spanning-tree vlan hello-time Sets the interval for sending PVST+ BPDUs. Syntax To set or change information: spanning-tree vlan hello-time To delete information: no spanning-tree vlan hello-time Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan max-age spanning-tree vlan max-age Sets the maximum valid time of BPDUs that are sent via PVST+. Syntax To set or change information: spanning-tree vlan max-age To delete information: no spanning-tree vlan max-age Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan mode spanning-tree vlan mode Sets the PVST+ operating mode. Syntax To set or change information: spanning-tree vlan mode { pvst | rapid-pvst } To delete information: no spanning-tree vlan mode Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan pathcost method spanning-tree vlan pathcost method Sets whether to use a 16-bit value or a 32-bit value as the path cost for a PVST+ port.
spanning-tree vlan pathcost method Default behavior The setting of the spanning-tree pathcost method command is used. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
spanning-tree vlan port-priority spanning-tree vlan port-priority Sets the priority for the applicable PVST+ ports. Syntax To set or change information: spanning-tree vlan port-priority To delete information: no spanning-tree vlan port-priority Input mode (config-if) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan priority spanning-tree vlan priority Sets the PVST+ bridge priority. Syntax To set or change information: spanning-tree vlan priority To delete information: no spanning-tree vlan priority Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
spanning-tree vlan transmission-limit spanning-tree vlan transmission-limit Sets the maximum number of BPDUs that can be sent within the PVST+ hello-time interval. Syntax To set or change information: spanning-tree vlan transmission-limit To delete information: no spanning-tree vlan transmission-limit Input mode (config) Parameters Starts configuration of PVST+ for the set VLAN. 1.
spanning-tree vlan transmission-limit Related commands spanning-tree mode spanning-tree vlan mode spanning-tree vlan hello-time
13.
axrp axrp Sets the ring ID and switches to config-axrp mode, in which the information necessary for the Ring Protocol functionality is set. A maximum of 4 ring IDs can be set for a Switch. If this setting is removed, the ring information that is already set for ring IDs is deleted. Syntax To set information: axrp To delete information: no axrp Input mode (config) Parameters Sets the ring ID. The same ring ID must be specified for all switches belonging to the same ring.
axrp vlan-mapping axrp vlan-mapping Sets the VLAN mapping to be applied to a VLAN group and also the VLANs that participate in VLAN mapping. Syntax To set information: axrp vlan-mapping vlan To change information: axrp vlan-mapping {vlan | vlan add | vlan remove } To delete information: no axrp vlan-mapping Input mode (config) Parameters Specifies the VLAN mapping ID. 1.
axrp vlan-mapping vlan remove Specifies the VLANs to be removed from the VLAN list you have configured. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: For details about how to specify and the specifiable range of values, see Specifiable values for parameters. 3.
axrp-ring-port axrp-ring-port Sets an interface that operates as the ring port for the Ring Protocol. The interfaces that can be set are Ethernet interfaces and port channel interfaces. Syntax To set information: axrp-ring-port [shared] To delete information: no axrp-ring-port Input mode (config-if) Parameters Sets the ring ID. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
axrp-ring-port Related commands axrp
control-vlan control-vlan Sets the VLAN to be used as a control VLAN. You can use the VLANs set by using this command to send and receive control frames that monitor the ring status. Specifying the forwarding-delay-time parameter allows you to set the time required to change the status of the control VLAN to Forwarding during initial operation.
control-vlan When the change is applied The change is applied immediately after setting values are changed. Notes 1. You cannot specify a VLAN that is used as a control VLAN by another ring ID. 2. You cannot specify a VLAN that is used in a VLAN group. 3. For the control VLAN, you cannot specify a VLAN that is being used by the multi-fault monitoring VLAN. 4. While the Ring Protocol is operating, if you change or delete the control VLAN, this functionality is temporarily disabled.
disable disable Disables the Ring Protocol functionality. Syntax To set information: disable To delete information: no disable Input mode (config-axrp) Parameters None Default behavior The Ring Protocol functionality is enabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. If this command is entered while the Ring Protocol is operating, the Ring Protocol functionality is disabled.
forwarding-shift-time forwarding-shift-time Sets the reception hold time for flush control frames on a transit node. When the reception hold time passes, if no flush control frames are received, the status of a ring port changes from Blocking to Forwarding.
mode mode Sets the operating mode of the Switch used for the ring. Syntax To set information: mode transit To delete information: no mode Input mode (config-axrp) Parameters transit Operates as a transit node. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1.
multi-fault-detection mode multi-fault-detection mode Sets the multi-fault monitoring mode for shared link monitoring rings. Syntax To set information: multi-fault-detection mode transport-only To delete information: no multi-fault-detection mode Input mode (config-axrp) Parameters transport-only Transfers multi-fault monitoring frames. Multi-fault monitoring is not performed. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
multi-fault-detection vlan multi-fault-detection vlan Sets the VLAN for multi-fault monitoring. The VLAN specified by this command forwards control frames used for monitoring multiple faults. Set this command for shared link monitoring rings in a multi-ring configuration with shared links. Syntax To set information: multi-fault-detection vlan To delete information: no multi-fault-detection vlan Input mode (config-axrp) Parameters Transfers multi-fault monitoring frames.
name name Sets the name for identifying a ring. Syntax To set information: name To delete information: no name Input mode (config-axrp) Parameters Sets the name for identifying a ring. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify a character string that has no more than 32 characters. For details about the characters that can be specified, see Any character string in Specifiable values for parameters.
vlan-group vlan-group Sets the VLAN group that will be used for the Ring Protocol and the mapping IDs of the VLANs participating in the VLAN group. A maximum of two VLAN groups can be set for the ring. Syntax To set or change information: vlan-group vlan-mapping To delete information: no vlan-group Input mode (config-axrp) Parameters Specifies the VLAN group ID that will be used for the Ring Protocol. 1.
14.
ip arp inspection limit rate ip arp inspection limit rate Sets the ARP packet reception rate (the number of ARP packets that can be received per second) on the applicable port when the DHCP snooping functionality is enabled on a Switch. ARP packets in excess of this reception rate are discarded.
ip arp inspection trust ip arp inspection trust Sets the applicable interface as a trusted port where no dynamic ARP inspection is performed when the DHCP snooping functionality is enabled on a Switch. Syntax To set information: ip arp inspection trust To delete information: no ip arp inspection trust Input mode (config-if) Parameters None Default behavior Dynamic ARP inspection is performed.
ip arp inspection validate ip arp inspection validate Sets inspection items to be added to improve the accuracy of the dynamic ARP inspection when the dynamic ARP inspection functionality is enabled on a Switch.
ip arp inspection validate Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. You cannot omit all of the parameters in this command. You must set at least one.
ip arp inspection vlan ip arp inspection vlan Sets the VLAN used for dynamic ARP inspection when the DHCP snooping functionality is enabled on a Switch. Syntax To set or change information: ip arp inspection vlan { | add | remove } To delete information: no ip arp inspection vlan Input mode (config) Parameters Sets the IDs of the VLANs used for dynamic ARP inspection. 1.
ip arp inspection vlan When the change is applied The change is applied immediately after setting values are changed. Notes 1. Set a VLAN ID set by using the ip dhcp snooping vlan command. 2. If this command is set, the binding database entries registered by using the ip source binding command are also subject to dynamic ARP inspection. 3. If a VLAN set by this command is accommodated on a port set by using the ip arp inspection trust command, dynamic ARP inspection is not performed.
ip dhcp snooping ip dhcp snooping Enables the DHCP snooping functionality on a Switch. Syntax To set information: ip dhcp snooping To delete information: no ip dhcp snooping Input mode (config) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes This command cannot be set if dhcp-snooping was not set when the system function command was set.
ip dhcp snooping database url ip dhcp snooping database url Specifies where a binding database is to be saved. Syntax To set or change information: ip dhcp snooping database url { flash | mc } To delete information: no ip dhcp snooping database url Input mode (config) Parameters flash The database is saved to internal flash memory. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ip dhcp snooping database url to the save destination). The clear ip dhcp snooping binding operation command is executed If the Switch power is turned off before the timer expires, the binding database cannot be saved. 2. If the no ip dhcp snooping database url command is entered after the timer set by using the ip dhcp snooping database write-delay command has started, the binding database is not saved.
ip dhcp snooping database write-delay ip dhcp snooping database write-delay Sets the wait-to-write time used when a binding database is saved. Syntax To set or change information: ip dhcp snooping database write-delay To delete information: no ip dhcp snooping database write-delay Input mode (config) Parameters Sets the wait-to-write time used when a binding database is saved. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ip dhcp snooping database write-delay ip dhcp snooping vlan
ip dhcp snooping information option allow-untrusted ip dhcp snooping information option allow-untrusted Set this command to allow DHCP packets that have option [82] information to be received on an untrusted port. If this setting is omitted, DHCP packets that have option [82] information are discarded.
ip dhcp snooping limit rate ip dhcp snooping limit rate Sets the DHCP packet reception rate (the number of DHCP packets that can be received per second) on the applicable port. DHCP packets exceeding the reception rate are discarded. Syntax To set or change information: ip dhcp snooping limit rate To delete information: no ip dhcp snooping limit rate Input mode (config-if) Parameters Specify the number of DHCP packets that can be received per second. 1.
ip dhcp snooping trust ip dhcp snooping trust Sets whether the interface is a trusted port or an untrusted port. Syntax To set information: ip dhcp snooping trust To delete information: no ip dhcp snooping trust Input mode (config-if) Parameters None Default behavior The applicable interface operates as an untrusted port. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
ip dhcp snooping verify mac-address ip dhcp snooping verify mac-address Sets whether to check if the source MAC address of DHCP packets received from an untrusted port matches the client hardware addresses in the DHCP packet. Syntax To set information: no ip dhcp snooping verify mac-address To delete information: ip dhcp snooping verify mac-address Input mode (config) Parameters None Default behavior The source MAC address and the client hardware address are checked to see if they match.
ip dhcp snooping vlan ip dhcp snooping vlan Enables DHCP snooping in a VLAN. DHCP snooping is disabled if it is not set by using this command. A maximum of 32 VLANs can be set with this command. Syntax To set or change information: ip dhcp snooping vlan To delete information: no ip dhcp snooping vlan Input mode (config) Parameters Specify the IDs of VLANs on which DHCP snooping is to be enabled. 1.
ip source binding ip source binding Sets a static entry in the binding database.
ip source binding This parameter cannot be omitted. 2. Range of values: See Specifiable values for parameters. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes A maximum of 64 entries can be set. Note, however, that no entries can be set if, when entries are set, the number of binding database entries, including dynamic entries, exceeds the maximum number of entries.
ip verify source ip verify source Set this command to use the terminal filter based on the DHCP snooping binding database. (The terminal filter is functionality used to filter the packets of unregistered source IP and MAC addresses.) Syntax To set or change information: ip verify source [{port-security | mac-only}] To delete information: no ip verify source Input mode (config-if) Parameters {port-security | mac-only} Sets a terminal filter condition.
ip verify source ip dhcp snooping trust ip source binding
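The dependencies stated in the DHCP snooping and dynamic ARP inspection entries above can be checked against a saved configuration. The following is an added example, not part of the manual or of the vendor's tooling: it audits a configuration text for the conditions those entries describe. The sample configuration, the interface names, the indented interface blocks and the comma/hyphen VLAN list notation are assumptions made for the example.

```python
import re

# Constructed sample configuration (not taken from the manual). Interface names,
# VLAN IDs and the block indentation are assumptions made for this example.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-22
ip arp inspection vlan 10,30
ip dhcp snooping information option allow-untrusted
no ip dhcp snooping verify mac-address
!
interface fastethernet 0/1
  ip verify source
!
interface fastethernet 0/2
!
interface fastethernet 0/3
  ip arp inspection trust
  ip verify source port-security
!
interface gigabitethernet 0/25
  ip dhcp snooping trust
  ip arp inspection trust
!
"""

MAX_SNOOPING_VLANS = 32  # "A maximum of 32 VLANs can be set with this command."


def parse_vlan_list(text):
    """Expand a list such as '10,20-22' into {10, 20, 21, 22} (assumed notation)."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        low, _, high = part.partition("-")
        first, last = int(low), int(high) if high else int(low)
        if first > last:
            raise ValueError("descending VLAN range: " + part)
        vlans.update(range(first, last + 1))
    return vlans


def parse_config(text):
    """Return (global command lines, {interface name: [command lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (finding code, subject) tuples for the given configuration."""
    global_lines, interfaces = parse_config(text)
    findings, snoop_vlans, dai_vlans = [], set(), set()
    for line in global_lines:
        match = re.fullmatch(r"ip dhcp snooping vlan (.+)", line)
        if match:
            snoop_vlans |= parse_vlan_list(match.group(1))
        match = re.fullmatch(r"ip arp inspection vlan (.+)", line)
        if match:
            dai_vlans |= parse_vlan_list(match.group(1))
    if "ip dhcp snooping" not in global_lines:
        findings.append(("SNOOPING_OFF", "global"))
    if len(snoop_vlans) > MAX_SNOOPING_VLANS:
        findings.append(("SNOOPING_VLAN_LIMIT", str(len(snoop_vlans))))
    # The ip arp inspection vlan notes require a VLAN set by ip dhcp snooping vlan.
    missing = sorted(dai_vlans - snoop_vlans)
    if missing:
        findings.append(("DAI_VLAN_NOT_SNOOPED", ",".join(map(str, missing))))
    # Setting the "no" form turns off the source MAC / client hardware address check.
    if "no ip dhcp snooping verify mac-address" in global_lines:
        findings.append(("MAC_VERIFY_OFF", "global"))
    # Option 82 packets are discarded on untrusted ports unless this is set.
    if "ip dhcp snooping information option allow-untrusted" in global_lines:
        findings.append(("OPTION82_UNTRUSTED_ALLOWED", "global"))
    for name, lines in interfaces.items():
        dhcp_trusted = "ip dhcp snooping trust" in lines
        arp_trusted = "ip arp inspection trust" in lines
        filtered = any(l.startswith("ip verify source") for l in lines)
        # Heuristic of this example: ARP inspection skipped on a DHCP-untrusted port.
        if arp_trusted and not dhcp_trusted:
            findings.append(("ARP_TRUST_ONLY", name))
        # Informational: untrusted port without the terminal filter.
        if not dhcp_trusted and not filtered:
            findings.append(("NO_TERMINAL_FILTER", name))
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(code, subject)
```

The ARP_TRUST_ONLY and NO_TERMINAL_FILTER findings are review prompts rather than rule violations, since the manual allows both settings.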
15.
ip igmp snooping (global) ip igmp snooping (global) When no ip igmp snooping is set, the Switch suppresses the IGMP snooping functionality. Syntax To set information: no ip igmp snooping To delete information: ip igmp snooping Input mode (config) Parameters None Default behavior The IGMP snooping functionality is enabled on a Switch. Impact on communication The IGMP snooping functionality stops. When the change is applied The change is applied immediately after the setting value is changed.
ip igmp snooping (interface) ip igmp snooping (interface) Enables the IGMP snooping functionality on a VLAN interface. Syntax To set information: ip igmp snooping To delete information: no ip igmp snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after the setting value is changed. Notes This command cannot be set if igmp-snooping is not set when the system function command has been set.
ip igmp snooping mrouter ip igmp snooping mrouter Sets a multicast router port for the VLAN interface.
ip igmp snooping mrouter operation is performed.
ip igmp snooping querier ip igmp snooping querier Enables the IGMP querier functionality on a VLAN interface. Syntax To set information: ip igmp snooping querier To delete information: no ip igmp snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after the setting value is changed. Notes 1.
16.
ipv6 mld snooping (global) ipv6 mld snooping (global) When no ipv6 mld snooping is set, the Switch suppresses the MLD snooping functionality. Syntax To set information: no ipv6 mld snooping To delete information: ipv6 mld snooping Input mode (config) Parameters None Default behavior Enables the MLD snooping functionality on a Switch. Impact on communication The MLD snooping functionality stops. When the change is applied The change is applied immediately after the setting value is changed.
ipv6 mld snooping (interface) ipv6 mld snooping (interface) Enables the MLD snooping functionality on a VLAN interface. Syntax To set information: ipv6 mld snooping To delete information: no ipv6 mld snooping Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after the setting value is changed. Notes This command cannot be set if mld-snooping was not set when the system function command was set.
ipv6 mld snooping source ipv6 mld snooping source Sets the source IPv6 address of the MLD snooping functionality to be used on a VLAN interface. Syntax To set or change information: ipv6 mld snooping source To delete information: no ipv6 mld snooping source Input mode (config-if) Parameters Sets the source IPv6 address for the MLD snooping functionality. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ipv6 mld snooping mrouter ipv6 mld snooping mrouter Sets a multicast router port for the VLAN interface.
ipv6 mld snooping mrouter 3. If you specify a port number belonging to a port channel for a multicast router port, no operation is performed.
ipv6 mld snooping querier ipv6 mld snooping querier Enables the MLD querier functionality on a VLAN interface. Syntax To set information: ipv6 mld snooping querier To delete information: no ipv6 mld snooping querier Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after the setting value is changed. Notes 1.
Part 5: Forwarding IPv4 Packets 17.
ip address ip address Sets the local IPv4 address. Syntax To set or change information: ip address To delete information: no ip address Input mode (config-if) Parameters Sets the local IPv4 address. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 1.0.0.0 to 126.255.255.255, 128.0.0.0 to 223.255.255.255 Sets the subnet mask. 1.
ip route ip route Sets a static route IPv4 address. Syntax To set or change information: ip route To delete information: no ip route Input mode (config) Parameters Sets the destination IPv4 address for a static route. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 0.0.0.0 to 255.255.255.
ip route Related commands None
ip mtu ip mtu Sets the send IP MTU length for an interface. Syntax To set or change information: ip mtu To delete information: no ip mtu Input mode (config-if) Parameters Sets the send IP MTU length for an interface. In actuality, the frame length set in port MTU information and this parameter value are compared, and the smaller value is used as the IP MTU length of the interface. For the frame length set in the port MTU information, see mtu .
Part 6: Common to Filtering and QoS 18.
flow detection mode flow detection mode Sets the flow detection mode for the filtering and QoS functionality. This command changes the allocation pattern for the maximum number of entries in a hardware table. By changing the allocation pattern according to the operating mode, you can concentrate hardware resources on the necessary tables for use. This command is used to set the basic operating conditions for hardware.
flow detection mode For details about the flow detection modes, see 1.1.3 Flow detection modes in the Configuration Guide Vol.2 and 3.1.1 Flow detection modes in the Configuration Guide Vol.2. Default behavior Flow detection operates as Layer 2-2 flow detection. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
Part 7: Filters 19.
Names that can be specified
Protocol names (IPv4)
The following table lists the names that can be specified as IPv4 protocol names.
Table 19-1 Protocol names that can be specified (IPv4)
Protocol name    Applicable protocol number
ah               51
esp              50
gre              47
icmp             1
igmp             2
ip               All IP protocols
ipinip           4
ospf             89
pcp              108
pim              103
sctp             132
tcp              6
tunnel           41
udp              17
vrrp             112
Port names (TCP)
The following table lists the port names that can be specified for TCP.
Names that can be specified Port name Applicable port name and number echo Echo (7) exec Remote process execution (512) finger Finger (79) ftp File Transfer Protocol (21) ftp-data FTP data connections (20) gopher Gopher (70) hostname NIC Host Name Server (101) http HyperText Transfer Protocol (80) https HTTP over TLS/SSL (443) ident Ident Protocol (113) imap3 Interactive Mail Access Protocol version 3 (220) irc Internet Relay Chat (194) klogin Kerberos login (543) kshell Kerber
Names that can be specified Port name Applicable port name and number tacacs-ds TACACS-Database Service (65) talk like tenex link (517) telnet Telnet (23) time Time (37) uucp Unix-to-Unix Copy Program (540) whois Nicname (43) Port names (UDP) The following table lists the port names that can be specified for UDP.
Names that can be specified Port name Applicable port name and number tacacs-ds TACACS-Database Service (65) talk like tenex link (517) tftp Trivial File Transfer Protocol (69) time Time server protocol (37) who Who service (513) xdmcp X Display Manager Control Protocol (177) TOS name The following table lists the TOS names that can be specified.
DSCP name
The following table lists the DSCP names that can be specified.
Table 19-6 DSCP names that can be specified
DSCP name    DSCP value
af11         10
af12         12
af13         14
af21         18
af22         20
af23         22
af31         26
af32         28
af33         30
af41         34
af42         36
af43         38
cs1          8
cs2          16
cs3          24
cs4          32
cs5          40
cs6          48
cs7          56
default      0
ef           46
Ethernet type name
The following table lists the Ethernet type names that can be specified.
Table 19-7 Ethernet type names that can be specified
Ethernet type name    Ethernet value    Remarks
appletalk             0x809b
arp                   0x0806
eapol                 0x888e
gsrp                  -- #              Filters GSRP control packets.
ipv4                  0x0800
ipv6                  0x86dd
ipx                   0x8137
xns                   0x0600
#: The value is not made public.
Destination MAC address names
The following table lists the destination MAC address names that can be specified.
deny (ip access-list extended)
Specifies the conditions by which the IPv4 packet filter denies access.
deny (ip access-list extended) Set 0 to 255 (in decimal) or a protocol name. See Table 19-1 Protocol names that can be specified (IPv4). { | host | any} Specifies the source IPv4 address. To specify all source IPv4 addresses, specify any. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify , host , or any.
deny (ip access-list extended) The destination IPv4 address is not included as a filter condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 eq Specifies the destination port number. This parameter option is available only when the protocol is TCP or UDP. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 65535 (in decimal) or a port name.
deny (ip access-list extended) 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 63 (in decimal) or the DSCP name. For details about the DSCP names that can be specified, see Table 19-6 DSCP names that can be specified. ack Specifies the detection of packets whose ACK flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. 1.
deny (ip access-list extended) None. (The parameter is not set as a detection condition.) 2. Range of values: None urg Specifies the detection of packets whose URG flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: None vlan Specifies a VLAN ID.
deny (ip access-list extended) permit (ip access-list extended) remark
deny (ip access-list standard) deny (ip access-list standard) Specifies the conditions by which the IPv4 address filter denies access. Syntax To set or change information: [] deny { [] | host | any} To delete information: no Input mode (config-std-nacl) Parameters Specifies the sequence in which filter conditions are applied. 1.
deny (ip access-list standard) Impact on communication If any entry is added when an access list with no entries set is being applied to an interface, the IP packets received on the applicable interface are discarded temporarily until the entry is applied to the interface. When the change is applied The change is applied immediately after setting values are changed. Notes 1. When 255.255.255.255 is entered as the address wildcard, any is displayed. 2. When nnn.nnn.nnn.nnn 0.0.0.
deny (mac access-list extended)
Specifies the conditions by which the MAC filter denies access.
deny (mac access-list extended) { | host | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu} Specifies the destination MAC address. To specify all destination MAC addresses, specify any. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify , host , any, bpdu, cdp, lacp, lldp, oadp, or pvst-plus-bpdu.
deny (mac access-list extended) None. (The parameter is not set as a detection condition.) 2. Range of values: See Specifiable values for parameters. user-priority Specifies the user priority. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 7 in decimal.
ip access-group ip access-group Applies an IPv4 access list to an Ethernet interface or a VLAN interface, and enables the IPv4 filtering functionality. Syntax To set information: ip access-group in To delete information: no ip access-group in Input mode (config-if) Parameters Specifies the identifier of the IPv4 address filter or the IPv4 packet filter that is to be set. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ip access-group remove it and then set it again.
3. If you specify a non-existent IPv4 filter, this will be ignored. The identifier of the IPv4 filter is registered.
4. The following table shows receiving-side flow detection mode that can be set for each interface.
Table 19-9 Specifiable interfaces for each receiving-side flow detection mode (IPv4)
Flow detection mode    Whether the mode can be set
                       Ethernet    VLAN
Layer 2-1              N           N
Layer 2-2              Y           Y
Legend Y: Can be set; N: Cannot be set
5.
ip access-list extended ip access-list extended Configures an access list to serve as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter. This command sets an IPv4 packet filter. An IPv4 packet filter filters based on source IPv4 address, destination IPv4 address, VLAN ID, user priority, TOS field value, port number, and TCP flag.
ip access-list extended ip access-list resequence deny (ip access-list extended) permit (ip access-list extended) remark
ip access-list resequence ip access-list resequence Re-sequences the sequence numbers that determine the order in which the IPv4 address filter and IPv4 packet filter apply filter conditions. Syntax To set or change information: ip access-list resequence [ []] Input mode (config) Parameters Specifies the identifier of the IPv4 address filter or the IPv4 packet filter that is to be set. 1.
ip access-list resequence Related commands ip access-list standard ip access-list extended
ip access-list standard ip access-list standard Configures an access list to serve as an IPv4 filter. There are two types of access lists that operate as IPv4 filters. One type is an IPv4 address filter and the other type is an IPv4 packet filter. This command sets an IPv4 address filter. An IPv4 address filter filters packets based on IPv4 address. Multiple filter conditions can be set by using a single access list ID. For Ethernet and VLAN interfaces, a maximum of 127 filter conditions can be set.
ip access-list standard deny (ip access-list standard) permit (ip access-list standard) remark
mac access-group mac access-group Applies a MAC access list to an Ethernet interface or a VLAN interface and enables the MAC filtering functionality. Syntax To set information: mac access-group in To delete information: no mac access-group in Input mode (config-if) Parameters Specifies the identifier of the MAC filter that is to be set. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
mac access-group 3. If you specify a non-existent MAC filter, this will be ignored. The identifier of a MAC access list is registered.
4. The following table shows the flow detection mode that can be set for each interface.
Table 19-10 Specifiable interfaces for each flow detection mode (MAC)
Flow detection mode    Whether the mode can be set
                       Ethernet    VLAN
Layer 2-1              Y           Y
Layer 2-2              N           N
Legend Y: Can be set; N: Cannot be set
5.
mac access-list extended mac access-list extended Sets an access list to be used in a MAC filter. An access list used for a MAC filter filters packets based on source MAC address, destination MAC address, Ethernet type number, VLAN ID, and user priority. Multiple filter conditions can be set by using a single access list ID. For Ethernet and VLAN interfaces, a maximum of 127 filter conditions can be set. For a Switch, a maximum of 512 access lists (for IPv4 and MAC) can be created.
mac access-list extended remark
mac access-list resequence mac access-list resequence Re-sequences the sequence numbers that determine the order in which the MAC filter applies filter conditions. Syntax To set or change information: mac access-list resequence [ []] Input mode (config) Parameters Specifies the identifier of the MAC filter that is to be set. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
mac access-list resequence Related commands mac access-list extended
permit (ip access-list extended)
Specifies the conditions by which the IPv4 packet filter permits access.
permit (ip access-list extended) Set 0 to 255 (in decimal) or a protocol name. See Table 19-1 Protocol names that can be specified (IPv4). { | host | any} Specifies the source IPv4 address. To specify all source IPv4 addresses, specify any. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify , host , or any.
permit (ip access-list extended) The destination IPv4 address is not included as a filter condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 eq Specifies the destination port number. This parameter option is available only when the protocol is TCP or UDP. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 65535 (in decimal) or a port name.
permit (ip access-list extended) 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 63 (in decimal) or the DSCP name. For details about the DSCP names that can be specified, see Table 19-6 DSCP names that can be specified. ack Specifies the detection of packets whose ACK flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. 1.
permit (ip access-list extended) None. (The parameter is not set as a detection condition.) 2. Range of values: None urg Specifies the detection of packets whose URG flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: None vlan Specifies a VLAN ID.
permit (ip access-list extended) deny (ip access-list extended) remark
permit (ip access-list standard) permit (ip access-list standard) Specifies the conditions by which the IPv4 address filter permits access. Syntax To set or change information: [] permit { [] | host | any} To delete information: no Input mode (config-std-nacl) Parameters Specifies the sequence in which filter conditions are applied. 1.
permit (ip access-list standard) Impact on communication If any entry is added when an access list with no entries set is being applied to an interface, the IP packets received on the applicable interface are discarded temporarily until the entry is applied to the interface. When the change is applied The change is applied immediately after setting values are changed. Notes 1. When 255.255.255.255 is entered as the address wildcard, any is displayed. 2. When nnn.nnn.nnn.nnn 0.0.0.
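The deny and permit entries of an IPv4 address filter (ip access-list standard) can be checked offline before they are applied. The following Python sketch is an added example, not code from the manual or from the switch software: it evaluates entries in sequence-number order, stopping at the first match, and reports entries that can never match because an earlier entry already covers them. The placeholder names, the auto-numbering step of 10 and the treatment of an omitted wildcard as an exact match are assumptions, and the sample list is constructed.

```python
import ipaddress

FULL = 0xFFFFFFFF  # all 32 bits set


def _ip(text):
    """Dotted-quad string -> 32-bit integer (ValueError if malformed)."""
    return int(ipaddress.IPv4Address(text))


def parse_acl(lines):
    """Parse '[seq] {permit|deny} {addr [wildcard] | host addr | any}' lines.

    Returns entries sorted by sequence number. In 'wild', a 1 bit means
    "any value is accepted in this bit position".
    """
    entries, last_seq = [], 0
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        if tok[0].isdigit():
            seq = int(tok.pop(0))
        else:
            seq = last_seq + 10  # assumption: unnumbered entries step by 10
        if not tok or tok[0] not in ("permit", "deny"):
            raise ValueError(f"expected permit or deny: {line!r}")
        action, cond = tok[0], tok[1:]
        if cond == ["any"]:
            addr, wild = 0, FULL
        elif len(cond) == 2 and cond[0] == "host":
            addr, wild = _ip(cond[1]), 0
        elif len(cond) == 1:
            addr, wild = _ip(cond[0]), 0  # assumption: no wildcard = exact match
        elif len(cond) == 2:
            addr, wild = _ip(cond[0]), _ip(cond[1])
        else:
            raise ValueError(f"unrecognised condition: {line!r}")
        entries.append({"seq": seq, "action": action, "addr": addr, "wild": wild})
        last_seq = max(last_seq, seq)
    return sorted(entries, key=lambda e: e["seq"])


def evaluate(entries, src):
    """Return (seq, action) of the first entry matching src, or None."""
    pkt = _ip(src)
    for e in entries:
        # Compare only the bits the wildcard does not release.
        if (pkt ^ e["addr"]) & (FULL ^ e["wild"]) == 0:
            return e["seq"], e["action"]
    return None  # no entry matched; what the device then does is not modelled


def shadowed(entries):
    """Return (seq, covering_seq) for entries fully covered by an earlier one."""
    found = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            care = FULL ^ earlier["wild"]
            same_bits = (later["addr"] ^ earlier["addr"]) & care == 0
            # The later entry must fix every bit the earlier entry compares.
            if later["wild"] & care == 0 and same_bits:
                found.append((later["seq"], earlier["seq"]))
                break
    return found


# Constructed sample list (documentation address ranges).
SAMPLE_ACL = [
    "10 permit host 192.0.2.10",
    "20 deny 192.0.2.0 0.0.0.255",
    "30 permit 192.0.2.128 0.0.0.127",  # never reached: covered by entry 20
    "permit any",                       # auto-numbered as 40
]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for source in ("192.0.2.10", "192.0.2.200", "198.51.100.1"):
        print(source, evaluate(acl, source))
    print("shadowed:", shadowed(acl))
```

A shadowed permit behind a broader deny, as in entry 30 of the sample, is the case worth catching in review: the list reads as if the range were allowed, but those packets are denied by entry 20.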
permit (mac access-list extended)
Specifies the conditions by which the MAC filter permits access.
permit (mac access-list extended) { | host | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu } Specifies the destination MAC address. To specify all destination MAC addresses, specify any. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify , host , any, bpdu, cdp, lacp, lldp, oadp, or pvst-plus-bpdu.
permit (mac access-list extended) None. (The parameter is not set as a detection condition.) 2. Range of values: See Specifiable values for parameters. user-priority Specifies the user priority. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 7 in decimal.
remark remark Sets supplementary information for an access list. Access lists are available for IPv4 address filtering, IPv4 packet filtering, and MAC filtering. Syntax To set or change information: remark To delete information: no remark Input mode (config-ext-nacl) (config-std-nacl) (config-ext-macl) Parameters Sets supplementary information according to input mode. One line can be set for each access list. Entering new information overwrites the existing information. 1.
Part 8: QoS 20.
Names and values that can be specified Names and values that can be specified Protocol names (IPv4) The following table lists the names that can be specified as IPv4 protocol names.
Names and values that can be specified Port name Applicable port name and number echo Echo (7) exec Remote process execution (512) finger Finger (79) ftp File Transfer Protocol (21) ftp-data FTP data connections (20) gopher Gopher (70) hostname NIC Host Name Server (101) http HyperText Transfer Protocol (80) https HTTP over TLS/SSL (443) ident Ident Protocol (113) imap3 Interactive Mail Access Protocol version 3 (220) irc Internet Relay Chat (194) klogin Kerberos login (543) ksh
Names and values that can be specified Port name Applicable port name and number tacacs-ds TACACS-Database Service (65) talk like tenex link (517) telnet Telnet (23) time Time (37) uucp Unix-to-Unix Copy Program (540) whois Nicname (43) Port names (UDP) The following table lists the port names that can be specified for UDP.
Names and values that can be specified Port name Applicable port name and number tacacs-ds TACACS-Database Service (65) talk like tenex link (517) tftp Trivial File Transfer Protocol (69) time Time server protocol (37) who Who service (513) xdmcp X Display Manager Control Protocol (177) TOS name The following table lists the TOS names that can be specified.
DSCP name
The following table lists the DSCP names that can be specified.
Table 20-6 DSCP names that can be specified
DSCP name    DSCP value
af11         10
af12         12
af13         14
af21         18
af22         20
af23         22
af31         26
af32         28
af33         30
af41         34
af42         36
af43         38
cs1          8
cs2          16
cs3          24
cs4          32
cs5          40
cs6          48
cs7          56
default      0
ef           46
Ethernet type name
The following table lists the Ethernet type names that can be specified.
Table 20-7 Ethernet type names that can be specified
Ethernet type name    Ethernet value    Remarks
appletalk             0x809b
arp                   0x0806
eapol                 0x888e
gsrp                  -- #              Performs flow detection for GSRP control packets.
ipv4                  0x0800
ipv6                  0x86dd
ipx                   0x8137
xns                   0x0600
#: The value is not made public.
Destination MAC address names
The following table lists the destination MAC address names that can be specified.
ip qos-flow-group ip qos-flow-group Enables the QoS functionality by applying an IPv4 QoS flow list to an Ethernet interface or a VLAN interface. Syntax To set information: ip qos-flow-group in To delete information: no ip qos-flow-group in Input mode (config-if) Parameters Specifies the IPv4 QoS flow list name. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ip qos-flow-group QoS flow list name is registered.
4. The following table shows flow detection mode that can be set for each interface.
Table 20-9 Specifiable interfaces for each flow detection mode (IPv4)
Flow detection mode    Whether the mode can be set
                       Ethernet    VLAN
Layer 2-1              N           N
Layer 2-2              Y           Y
Legend Y: Can be set; N: Cannot be set
5. If another list has been set for an interface by using this command, no more lists can be set. Remove the existing list first, and then set another list.
6.
ip qos-flow-list ip qos-flow-list Creates an IPv4 QoS flow list to be used to set QoS flow detection and action specifications. A maximum of 512 IPv4 and MAC QoS flow lists can be created for a Switch. A maximum of 1024 flow detection and action specification entries can be created.
ip qos-flow-list resequence ip qos-flow-list resequence Resets the sequence numbers of the application sequence in the IPv4 QoS flow list. Syntax To set or change information: ip qos-flow-list resequence [ [] ] Input mode (config-ip-qos) Parameters Specifies the name of the IPv4 QoS flow list to be changed. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ip qos-flow-list resequence Related commands ip qos-flow-list
limit-queue-length limit-queue-length Sets for a Switch the maximum send queue length of a physical port. If this command is omitted or if setting information is deleted, the send queue length is set to 32. This command is used to set basic operating conditions for the hardware. You must restart the Switch after you change the settings.
limit-queue-length command, the send queue length is as follows: Queues 1 to 8: 32 5. When 128 has been set as the send queue length by using the limit-queue-length command, the send queue length is as follows: Queues 1 to 4: 128 Queues 5 to 8: 0 6. When 728 has been set as the send queue length by using the limit-queue-length command, the send queue length is as follows: Queue 1: 728 Queue 2: 32 Queues 3 to 8: 0 At this time, use the flowcontrol command to configure the sending of pause packets.
mac qos-flow-group mac qos-flow-group Enables the QoS functionality by applying a MAC QoS flow list to an Ethernet interface or a VLAN interface. Syntax To set information: mac qos-flow-group in To delete information: no mac qos-flow-group in Input mode (config-if) Parameters Specifies the MAC QoS flow list name. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
mac qos-flow-group QoS flow list name is registered.
4. The following table shows flow detection mode that can be set for each interface.
Table 20-10 Specifiable interfaces for each flow detection mode (MAC)
Receiving-side flow detection mode    Whether the mode can be set
                                      Ethernet    VLAN
Layer 2-1                             Y           Y
Layer 2-2                             N           N
Legend Y: Can be set; N: Cannot be set
5. If another list has been set for an interface by using this command, no more lists can be set.
mac qos-flow-list mac qos-flow-list Creates a MAC QoS flow list used to set QoS flow detection and action specifications. A maximum of 512 IPv4 and MAC QoS flow lists can be created for a Switch. A maximum of 1024 flow detection and action specification entries can be created. Syntax To set or change information: mac qos-flow-list To delete information: no mac qos-flow-list Input mode (config) Parameters Specifies the MAC QoS flow list name.
mac qos-flow-list resequence mac qos-flow-list resequence Resets the sequence numbers of the application sequence in the MAC QoS flow list. Syntax To set or change information: mac qos-flow-list resequence [ [] ] Input mode (config-mac-qos) Parameters Specifies the MAC QoS flow list name to be changed. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
mac qos-flow-list resequence Related commands mac qos-flow-list
qos (ip qos-flow-list)
Specifies flow detection conditions and action specifications in the IPv4 QoS flow list.
qos (ip qos-flow-list) 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: - : Set 0 to 255 (in decimal) or a protocol name. See Table 20-1 Protocol names that can be specified (IPv4). { | host | any } Specifies the source IPv4 address. To specify all source IPv4 addresses, specify any. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
qos (ip qos-flow-list) For , specify a wildcard in IPv4 address format that sets bits that permit an arbitrary value in an IPv4 address. - host specification: The flow detection condition is a perfect match of . - any specification: The destination IPv4 address is not included as a flow detection condition. IPv4 address (nnn.nnn.nnn.nnn): 0.0.0.0 to 255.255.255.255 eq Specifies the destination port number.
qos (ip qos-flow-list) dscp Specifies the DSCP value, which is the first six bits in the TOS field. The value is compared with the first six bits in the TOS field of the received packet. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: Specify 0 to 63 (in decimal) or the DSCP name. For details about the DSCP names that can be set, see Table 20-6 DSCP names that can be specified.
qos (ip qos-flow-list) syn Specifies the detection of packets whose SYN flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: None urg Specifies the detection of packets whose URG flag in the TCP header is 1. This parameter option is available only when the protocol is TCP. 1. Default value when this parameter is omitted: None.
qos (ip qos-flow-list) Specify 0 to 7 in decimal. replace-user-priority Specifies the value for rewriting the user priority. The user priority of the received packet is replaced with the specified value. 1. Default value when this parameter is omitted: None. (The user priority is not replaced.) 2. Range of values: Specify 0 to 7 in decimal. replace-dscp Specifies the value for rewriting DSCP.
qos (mac qos-flow-list)
Specifies flow detection conditions and action specifications in the MAC QoS flow list.
qos (mac qos-flow-list) - any specification: The source MAC address is not included as a flow detection condition. MAC address (nnnn.nnnn.nnnn): 0000.0000.0000 to ffff.ffff.ffff (hexadecimal) { | host | any | bpdu | cdp | lacp | lldp | oadp | pvst-plus-bpdu } Specifies the destination MAC address. To specify all destination MAC addresses, specify any. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
qos (mac qos-flow-list) vlan Specifies a VLAN ID. This parameter has an effect only when it is applied to an Ethernet interface. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2. Range of values: See Specifiable values for parameters. user-priority Specifies the user priority. 1. Default value when this parameter is omitted: None. (The parameter is not set as a detection condition.) 2.
qos (mac qos-flow-list) When the change is applied The change is applied immediately after setting values are changed. Notes 1. If nnnn.nnnn.nnnn ffff.ffff.ffff is entered as the source address and the destination address, any is displayed. 2. If a protocol name is set for the destination address or if the address of a protocol name that can be set is set, the protocol name is displayed.
qos-queue-group qos-queue-group Sets QoS queue list information for an interface (physical port). Syntax To set information: qos-queue-group To delete information: no qos-queue-group Input mode (config-if) Parameters Specifies the QoS queue list name. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: This name can be 3 to 31 characters.
qos-queue-list qos-queue-list Sets the scheduling mode in QoS queue list information. A maximum of 52 lists can be created for a Switch.
qos-queue-list queues are looked at in order. A number from 1 to 8 suffixed to indicates the queue number. 1. Default value when this parameter is omitted: : This parameter cannot be omitted. Note, however, that all values can be omitted. If they are omitted, round robin is used. 2.
qos-queue-list 2. Range of values: : 1 to 15 Default behavior None Impact on communication If the scheduling mode is changed by specifying a QoS queue list name for the qos-queue-group command and queued packets remain in the send queue of the applicable line, all packets are cleared. When the change is applied The change is applied immediately after setting values are changed. Notes 1.
remark
Sets supplementary information for a QoS flow list. Two kinds of QoS flow list are available: IPv4 QoS flow lists and MAC QoS flow lists. Syntax To set or change information: remark To delete information: no remark Input mode (config-ip-qos) (config-mac-qos) Parameters Sets supplementary information about the applicable QoS flow list depending on input mode. Only one line can be set for one QoS flow list. Entering new information overwrites the existing information. 1.
traffic-shape rate traffic-shape rate Sets the bandwidth by setting port bandwidth control for an interface (physical port) to limit the send bandwidth. Syntax To set or change information: traffic-shape rate { | M } To delete information: no traffic-shape rate Input mode (config-if) Parameters rate { | M } Sets port bandwidth control. Using this functionality limits the total-line send bandwidth to the specified bandwidth. 1.
traffic-shape rate When the change is applied The change is applied immediately after setting values are changed. Notes 1. There might be a maximum error of 10% between the set port bandwidth value and the actual value. 2. When the line status is half duplex, port bandwidth control is not supported. 3. To use port bandwidth control and scheduling of QoS queue list information at the same time, set PQ as the scheduling mode. 4.
control-packet user-priority control-packet user-priority Specifies the user priority in the VLAN tags of frames spontaneously sent by a Switch. If this command is not set or if information is deleted, 7 is used as the user priority of frames spontaneously sent.
Part 9: Layer 2 Authentication 21.
authentication arp-relay authentication arp-relay Relays ARP packets received from unauthenticated terminals to other ports. When the Layer 2 authentication functionality is used, set this command to output ARP packets destined for another device sent from an unauthenticated terminal to a non-authenticating port. This command can be used in the following authentication modes: IEEE 802.
authentication arp-relay interfaces and port channel interfaces. IEEE 802.1X port-based authentication (dynamic), Web authentication, and MAC-based authentication can be set only for Ethernet interfaces.
authentication force-authorized enable authentication force-authorized enable When the following state exists for all Layer 2 authentications, a terminal subject to authentication that requested authentication is forcibly changed to the authenticated state.
authentication force-authorized enable 6. Private Trap with forced authentication is sent regardless of the snmp-server traps command setting. 7. This functionality is not subject to legacy mode.
authentication force-authorized vlan authentication force-authorized vlan In dynamic VLAN mode of Web authentication and MAC-based authentication, and port-based authentication (dynamic) for IEEE 802.1X authentication, set this command to allocate a post-authentication VLAN when forced authentication is performed on the applicable port.
authentication ip access-group authentication ip access-group Applies the IPv4 access list specified by using this command to IP packets received from unauthenticated terminals, and relays only the matched (permitted) packets to other ports. IP packets that match (permitted) the IPv4 access list specified by using this command are not subject to URL redirection. This command can be used in the following authentication modes: IEEE 802.
authentication ip access-group 3. When you use authentication IPv4 access list for IEEE 802.1X port-based authentication (static), note the following: 4. mac-authentication port This command cannot be set if the system function command is set and extended-authentication has not been set. (This command can be set if the system function command has not been set.) [AX1250S] [AX1240S] Interfaces that can be set for this command vary depending on the authentication functionality. IEEE 802.
22. IEEE802.
Correspondence between configuration commands and authentication modes

The following table describes IEEE 802.1X authentication modes in which IEEE 802.1X configuration commands can be set.

Table 22-1 Configuration commands and IEEE 802.1X authentication modes

IEEE 802.
aaa accounting dot1x

Sends IEEE 802.1X accounting information to the accounting server.

Syntax
To set information: aaa accounting dot1x default start-stop group radius
To delete information: no aaa accounting dot1x default

Input mode
(config)

Parameters
default
Sets the default accounting method of a Switch.
start-stop
If authentication is successful, the accounting start notification is sent to the accounting server.
aaa authentication dot1x

Sets an IEEE 802.1X authentication method group. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set.
Default behavior
None

Impact on communication
If the setting of this command is changed, the Switch clears the authentication status of the affected terminals. When the Switch default is added, authentication is not canceled. When the Switch default is changed or deleted, authentication of the terminals authenticated by using the Switch default is canceled.
aaa authorization network default

Set this command to perform VLAN-based authentication (dynamic) according to the VLAN information set by using an authentication method.

Syntax
To set information: aaa authorization network default group radius
To delete information: no aaa authorization network default

Input mode
(config)

Parameters
group radius
IEEE 802.1X authentication is performed by a RADIUS server.
dot1x authentication

Sets the name of an authentication method list for the port-based authentication method.

Syntax
To set or change information: dot1x authentication
To delete information: no dot1x authentication

Input mode
(config-if)

Parameters
Sets the authentication method list name set by using the aaa authentication dot1x command.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
mac-authentication vlan
4. If the authentication method list name set by using this command does not match the authentication method list name set by using the aaa authentication dot1x command, the default settings of the Switch are used.
5. This command can be set only for Ethernet interfaces.
dot1x auto-logout

The no dot1x auto-logout command disables the setting to automatically cancel authentication when no frame is received from a terminal authenticated by IEEE 802.1X for a certain period of time.

Syntax
To set information: no dot1x auto-logout
To delete information: dot1x auto-logout

Input mode
(config)

Parameters
None

Default behavior
Authentication is automatically canceled if no frames are received from a terminal authenticated by IEEE 802.
dot1x force-authorized

When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
request is sent to the RADIUS server:
No.=82 WARNING:SYSTEM: () Failed to connect to RADIUS server. :IP
You can use the show dot1x logging command to check the accounting log.
#2 When forced authentication is used as the Switch default, set default group radius.
#3 When forced authentication is used as the authentication method by port, set aaa authentication dot1x .
5.
dot1x force-authorized eapol

According to the IEEE 802.1X forced authentication settings, sends the EAPOL-Success response packet from the Switch to a terminal to be authenticated when the terminal's status has been forcibly changed to authentication authorized.
dot1x force-authorized vlan

When the RADIUS authentication method is used, if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized and assigns a post-authentication VLAN.
#1, #4 - dot1x port-control auto - aaa authorized network default - dot1x vlan dynamic enable - dot1x vlan dynamic radius-vlan - vlan mac-based - switchport mac vlan - switchport mode mac-vlan - dot1x force-authorized vlan - aaa authentication dot1x - dot1x authentication #2 #2 #2, #3 #3 #2, #3, #4 #4 #3, #4 #5 #6
#1 Set this command when using port-based authentication (dynamic).
dot1x vlan dynamic enable dot1x vlan dynamic radius-vlan switchport mac switchport mode vlan radius-server host or dot1x radius-server host
dot1x ignore-eapol-start

Sets the Switch not to issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant.

Syntax
To set information: dot1x ignore-eapol-start
To delete information: no dot1x ignore-eapol-start

Input mode
(config-if)

Parameters
None

Default behavior
None

Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1. All IEEE 802.
dot1x max-req

Specifies the maximum number of EAP-Request retransmissions if the supp-timeout value is exceeded. If the number of retransmissions exceeds this value, authentication is determined to have failed.

Syntax
To set or change information: dot1x max-req
To delete information: no dot1x max-req

Input mode
(config-if)

Parameters
Specifies the maximum number of EAP-Request retransmissions.
1.
dot1x multiple-authentication

Sets the IEEE 802.1X authentication submode to terminal authentication mode. The command performs authentication for each terminal and the authentication result determines whether communication is possible. Accordingly, multiple terminals can be connected. If terminal authentication mode is not set as the authentication submode, single mode is used as the submode. Single mode authentication permits connection of only one terminal.
When this command has been set (terminal authentication mode) Regardless of the authentication status, if auto is set for the dot1x port-control command, communication is always possible.
dot1x port-control

Sets the port-control status for an interface that has been set. Entering this command also enables the IEEE 802.1X port-based authentication functionality.

Syntax
To set or change information: dot1x port-control {auto | force-authorized | force-unauthorized}
To delete information: no dot1x port-control

Input mode
(config-if)

Parameters
{auto | force-authorized | force-unauthorized}
auto
IEEE 802.1X authentication processing is performed.
the authentication mode in which the command's settings are operable. 3. 4.
dot1x radius-server dead-interval

Configures the timer for monitoring automatic restoration to the primary IEEE 802.1X authentication RADIUS server from the IEEE 802.1X authentication RADIUS server. The primary IEEE 802.1X authentication RADIUS server is restored when either of the following occurs:
The current server (the destination for RADIUS authentication requests in operation) switches to a valid secondary IEEE 802.
Notes
1. All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set.
2. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable.
3. If three or more IEEE 802.1X authentication RADIUS servers are configured and the current server switches to another IEEE 802.
dot1x radius-server host

Configures the general-use RADIUS server used for IEEE 802.1X.

Syntax
To set or change information: dot1x radius-server host [auth-port ] [acct-port ] [timeout ] [retransmit ] [key ]
To delete information: no dot1x radius-server host

Input mode
(config)

Parameters
Specifies the IPv4 address of the RADIUS server.
1.
server.
1. Default value when this parameter is omitted: The number of times set by using the radius-server retransmit command is used. If no value is set, the initial value is 3.
2. Range of values: 0 to 15 (times)
key
Specifies the RADIUS key used for encryption or for authentication of communication with the RADIUS server. The same RADIUS key must be set for the client and the RADIUS server.
1.
server is used as the initial current server (the destination for RADIUS authentication requests during operation). If a failure occurs on the primary IEEE 802.1X authentication RADIUS server, the current server switches to the next effective IEEE 802.1X authentication RADIUS server (the secondary RADIUS server). For details about automatic restoration of the primary IEEE 802.1X authentication RADIUS server, see the description of the dot1x radius-server dead-interval command. 8.
dot1x reauthentication

After successful IEEE 802.1X authentication, this command sets whether a supplicant is to be re-authenticated. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent at the interval set by using the dot1x timeout reauth-period command to a supplicant as a prompt for supplicant re-authentication.
dot1x supplicant-detection

Sets the behavior when a new terminal is detected after terminal authentication mode has been set as the authentication submode.
Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1. All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set.
2. See Table 22-1 Configuration commands and IEEE 802.1X authentication modes for the authentication mode in which the command's settings are operable.
3. This command takes effect only if the dot1x port-control command has been set.
4.
dot1x system-auth-control

Enables IEEE 802.1X.

Syntax
To set information: dot1x system-auth-control
To delete information: no dot1x system-auth-control

Input mode
(config)

Parameters
None

Default behavior
None

Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1. See Table 22-1 Configuration commands and IEEE 802.
dot1x timeout keep-unauth

Sets the period of time (in seconds) for maintaining the communication-disabled state of the interface if two or more terminals are connected to an interface on which the single-mode authentication submode is set. After the time set by using this command elapses, an authenticated terminal must be re-authenticated.
dot1x multiple-authentication
dot1x timeout quiet-period

Specifies the time (in seconds) to maintain the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication is performed.
dot1x timeout reauth-period

Specifies the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to the supplicant at the interval set by using this command as a prompt for supplicant re-authentication.
Related commands
dot1x timeout tx-period
dot1x reauthentication
dot1x system-auth-control
dot1x port-control
dot1x timeout server-timeout

Specifies the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server.

Syntax
To set or change information: dot1x timeout server-timeout
To delete information: no dot1x timeout server-timeout

Input mode
(config-if)

Parameters
Specifies the time (in seconds) to wait for a response.
1.
dot1x timeout supp-timeout

Specifies the time (in seconds) to wait for a response from a supplicant to an EAP-Request packet sent to that supplicant. If no response is received during the specified period, the EAP-Request packet is retransmitted.
dot1x timeout tx-period

Specifies the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X is valid.

Syntax
To set or change information: dot1x timeout tx-period
To delete information: no dot1x timeout tx-period

Input mode
(config-if)

Parameters
Specifies the interval (in seconds) for sending EAP-Request/Identity packets.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
dot1x vlan dynamic enable

Enables IEEE 802.1X VLAN-based authentication (dynamic).

Syntax
To set information: dot1x vlan dynamic enable
To delete information: no dot1x vlan dynamic enable

Input mode
(config)

Parameters
None

Default behavior
None

Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1. All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set.
2.
dot1x vlan dynamic ignore-eapol-start

Sets the Switch not to issue EAP-Request/Identity packets in response to EAPOL-Start from a supplicant.

Syntax
To set information: dot1x vlan dynamic ignore-eapol-start
To delete information: no dot1x vlan dynamic ignore-eapol-start

Input mode
(config)

Parameters
None

Default behavior
None

Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1.
dot1x vlan dynamic max-req

Specifies the maximum number of EAP-Request retransmissions if the supp-timeout value is exceeded. If the number of retransmissions exceeds this value, authentication is determined to have failed.

Syntax
To set or change information: dot1x vlan dynamic max-req
To delete information: no dot1x vlan dynamic max-req

Input mode
(config)

Parameters
Specifies the maximum number of EAP-Request retransmissions.
1.
dot1x vlan dynamic radius-vlan

Specifies VLANs to allow dynamic VLAN allocation according to VLAN information sent from the RADIUS server during IEEE 802.1X authentication.
values, see Specifiable values for parameters. Note that the default VLAN (VLAN ID = 1) cannot be specified for this command.

Default behavior
None

Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1. All IEEE 802.1X settings take effect when the dot1x system-auth-control command is set.
2. See Table 22-1 Configuration commands and IEEE 802.
dot1x vlan dynamic reauthentication

Sets whether a supplicant is to be re-authenticated after successful IEEE 802.1X authentication. When this command is in effect, EAP-Request/Identity packets for re-authentication are sent to a supplicant at the interval set by using the dot1x vlan dynamic timeout reauth-period command as a prompt for supplicant re-authentication.
dot1x vlan dynamic supplicant-detection

Specifies the behavior when a new terminal is detected.

Syntax
To set or change information: dot1x vlan dynamic supplicant-detection {disable | shortcut}
To delete information: no dot1x vlan dynamic supplicant-detection

Input mode
(config)

Parameters
{disable | shortcut}
Specifies the behavior when a new terminal is detected.
the authentication mode in which the command's settings are operable.
3. This command takes effect only if the dot1x vlan dynamic enable command has been set.
4. On the interface on which the dot1x vlan dynamic ignore-eapol-start command is set, disable cannot be set for the dot1x vlan dynamic supplicant-detection command.
dot1x vlan dynamic timeout quiet-period

Specifies the period of time (in seconds) for maintaining the unauthenticated state on the applicable interface after an IEEE 802.1X authentication failure. During this period, no EAPOL packets are sent and received EAPOL packets are ignored. Also, no authentication is performed.
dot1x vlan dynamic timeout reauth-period

Specifies the interval (in seconds) for re-authenticating a supplicant after a successful IEEE 802.1X authentication. EAP-Request/Identity packets for re-authentication are sent to the supplicant at the interval set by using this command as a prompt for supplicant re-authentication.
dynamic timeout tx-period command.
dot1x vlan dynamic timeout server-timeout

Specifies the time (in seconds) to wait for a response, including the time required for retransmitting a response to an authentication server.

Syntax
To set or change information: dot1x vlan dynamic timeout server-timeout
To delete information: no dot1x vlan dynamic timeout server-timeout

Input mode
(config)

Parameters
Specifies the time (in seconds) to wait for a response.
1.
dot1x vlan dynamic timeout supp-timeout

Specifies the time (in seconds) to wait for a response from a supplicant to an EAP-Request packet sent to that supplicant. If no response is received during the specified period, the EAP-Request packet is retransmitted.
dot1x vlan dynamic timeout tx-period

Specifies the interval (in seconds) for sending EAP-Request/Identity packets when IEEE 802.1X authentication is valid.

Syntax
To set or change information: dot1x vlan dynamic timeout tx-period
To delete information: no dot1x vlan dynamic timeout tx-period

Input mode
(config)

Parameters
Specifies the interval (in seconds) for sending EAP-Request/Identity packets.
1.
23.
max-lease network service dhcp
Correspondence between configuration commands and authentication modes

The following table describes Web authentication modes in which Web authentication configuration commands can be set.
Web authentication modes

Command name                                      F    D    L
web-authentication radius-server dead-interval    Y    Y    Y
web-authentication radius-server host             Y    Y    Y
web-authentication redirect-mode                  Y    Y    --
web-authentication redirect enable                Y    Y    --
web-authentication redirect tcp-port              Y    Y    --
web-authentication roaming                        --   Y    --
web-authentication static-vlan force-authorized   Y    --   --
web-authentication static-vlan max-user           Y    --   -
: The command can be entered, but it will have no effect.
N: The command cannot be entered.
#1 For details about command input formats, see 21. Common to Layer 2 Authentication.
#2 The specification of this command affects the switching of authentication modes.
#3 For details such as a description of the authentication modes, see the Configuration Guide Vol. 2.
aaa accounting web-authentication

Sends accounting information for Web authentication to the accounting server.

Syntax
To set information: aaa accounting web-authentication default start-stop group radius
To delete information: no aaa accounting web-authentication default

Input mode
(config)

Parameters
default
Sets the default accounting method of a Switch.
start-stop
If a user logs in, an accounting start notification is sent to the accounting server.
aaa authentication web-authentication

Sets an authentication method group for Web authentication. If the first specified method fails, the second specified method is used. You can change how authentication works when the first method fails by using the aaa authentication web-authentication end-by-reject command. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set.
group
Web authentication is performed by a RADIUS server. The RADIUS server to use is a RADIUS server group. Specify the group name set by the aaa group server radius command.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2. Range of values: Specify a character string that has no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters.
aaa authentication web-authentication end-by-reject

Terminates authentication if login authentication is denied. If authentication fails because communication is not possible, for example because the RADIUS server does not respond, the next authentication method specified by the aaa authentication web-authentication command is used to perform authentication.
web-authentication authentication

Sets the name of an authentication method list for the port-based authentication method.

Syntax
To set or change information: web-authentication authentication
To delete information: no web-authentication authentication

Input mode
(config-if)

Parameters
Specify the authentication method list name set by using the aaa authentication web-authentication command.
1.
mac-authentication vlan
4. If the name of the authentication method list set by using this command does not match the name of the authentication method list set by using the aaa authentication web-authentication command, the Switch default is used.
5. This command can be set only for Ethernet interfaces.
web-authentication auto-logout

The no web-authentication auto-logout command disables automatic authentication logout, which is performed when no frames have been received from a terminal authenticated via Web authentication for a certain period of time.
web-authentication force-authorized vlan

When the RADIUS authentication method is used, if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized and assigns a post-authentication VLAN.
3. Set a VLAN ID for which mac-based (MAC VLAN) has been set in the vlan command.
4. Be especially careful when using this functionality, as it can pose a security problem.
5.
Related commands aaa authentication web-authentication radius-server host or web-authentication radius-server host switchport mac switchport mode vlan web-authentication port web-authentication system-auth-control web-authentication vlan
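The forced-authentication commands in this reference admit a terminal when the RADIUS server cannot be reached, which is why the notes warn that the functionality can pose a security problem. The Python script below is an added example, not part of the manual: it scans a configuration text for those commands and for the logout, timer, and redirect settings documented here. The sample configuration, its interface names and VLAN ID, the stanza layout, and the severity labels are assumptions made for illustration.

```python
"""Flag Layer 2 authentication settings that fail open or never expire."""
from collections import namedtuple

Finding = namedtuple("Finding", "line_no context command severity reason")

# (command prefix, severity, reason). The prefixes are command names from this
# reference; parameters after the prefix are ignored. The severity labels are
# this example's own assumption, not something the manual defines.
RULES = [
    ("authentication force-authorized enable", "high",
     "terminals requesting authentication are forced to the authenticated state"),
    ("authentication force-authorized vlan", "high",
     "forced authentication allocates a post-authentication VLAN"),
    ("dot1x force-authorized", "high",
     "802.1X terminals are authorized when the RADIUS server cannot be reached"),
    ("dot1x force-authorized vlan", "high",
     "forced 802.1X authorization also assigns a post-authentication VLAN"),
    ("dot1x force-authorized eapol", "info",
     "EAPOL-Success is sent to forcibly authorized terminals"),
    ("dot1x port-control force-authorized", "high",
     "port is treated as authorized without IEEE 802.1X authentication"),
    ("web-authentication force-authorized vlan", "high",
     "Web authentication terminals are authorized when RADIUS is unreachable"),
    ("web-authentication static-vlan force-authorized", "high",
     "forced authentication is enabled for Web authentication"),
    ("no dot1x auto-logout", "medium",
     "idle 802.1X terminals are not logged out automatically"),
    ("no web-authentication auto-logout", "medium",
     "idle Web authentication terminals are not logged out automatically"),
    ("web-authentication max-timer infinity", "medium",
     "no maximum connection time for authenticated users"),
    ("web-authentication redirect-mode http", "medium",
     "the Login page is displayed over HTTP"),
]

# Constructed sample, not taken from a real switch.
SAMPLE_CONFIG = """\
dot1x system-auth-control
no web-authentication auto-logout
web-authentication max-timer infinity
web-authentication redirect-mode http
!
interface fastethernet 0/1
  dot1x port-control auto
  dot1x force-authorized
!
interface fastethernet 0/2
  dot1x port-control auto
  dot1x force-authorized vlan 100
  web-authentication port
  web-authentication force-authorized vlan 100
!
interface fastethernet 0/3
  dot1x port-control force-authorized
!
interface fastethernet 0/4
  dot1x port-control auto
  dot1x reauthentication
"""


def match_rule(tokens):
    """Return the rule whose prefix is the longest match for the tokens."""
    best = None
    for rule in RULES:
        want = rule[0].split()
        if tokens[:len(want)] == want:
            if best is None or len(want) > len(best[0].split()):
                best = rule
    return best


def audit(config_text):
    """Return a Finding for every configuration line that matches a rule."""
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("!"):
            context = "global"  # "!" closes the current stanza
            continue
        tokens = stripped.split()
        if not raw[0].isspace():
            # Unindented line: opens an interface stanza or is a global command.
            if tokens[0] == "interface":
                context = stripped
                continue
            context = "global"
        rule = match_rule(tokens)
        if rule:
            findings.append(Finding(line_no, context, *rule))
    return findings


def fail_open_contexts(findings):
    """Contexts (ports or global) carrying at least one high-severity finding."""
    return sorted({f.context for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.line_no:>3} [{f.severity}] {f.context}: {f.command} ({f.reason})")
```

Longest-prefix matching keeps dot1x force-authorized vlan and dot1x force-authorized eapol from being reported as the plain dot1x force-authorized command.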
web-authentication html-fileset

Sets a custom file name for the Web authentication page displayed for each port.

Syntax
To set or change information: web-authentication html-fileset
To delete information: no web-authentication html-fileset

Input mode
(config-if)

Parameters
Specify the custom file set name registered on the Switch by using the set web-authentication html-files operation command.
1.
web-authentication ip address

Configures an IP address and a domain name to be used exclusively for Web authentication. When the Web authentication IP address has been set by using this command, you can log in from an unauthenticated terminal or log out from an authenticated terminal by using the same IP address on the switch.
2. See Table 23-1 Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable.
3. This command cannot be set if the system function command is set and extended-authentication has not been set. (This command can be set if the system function command has not been set.) [AX1250S] [AX1240S]
4.
web-authentication jump-url

Configures a URL to be automatically displayed after the Authentication Success page is displayed and the time required before jumping to the URL.

Syntax
To set or change information: web-authentication jump-url [ delay ]
To delete information: no web-authentication jump-url

Input mode
(config)

Parameters
Displays the page of the specified URL after the page indicating successful authentication is displayed.
When the change is applied
The change is applied immediately after setting values are changed.

Notes
1. All Web authentication settings take effect when the web-authentication system-auth-control command is set.
2. See Table 23-1 Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable.
3.
web-authentication logout ping tos-windows

Sets the TOS value of a special frame used to log out from an authenticated terminal.

Syntax
To set or change information: web-authentication logout ping tos-windows
To delete information: no web-authentication logout ping tos-windows

Input mode
(config)

Parameters
Sets the TOS value for the special frame used for logout.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
web-authentication logout ping ttl

Sets the TTL value of a special frame used to log out from an authenticated terminal.

Syntax
To set or change information: web-authentication logout ping ttl
To delete information: no web-authentication logout ping ttl

Input mode
(config)

Parameters
Sets the TTL value of the special frame used for logout.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
web-authentication logout polling count

Specifies the number of times a Switch retransmits the monitoring frame when there is no response to a monitoring frame that periodically checks the connection status of authenticated terminals.
Polling condition: (1) Polling interval > (2) Retransmission interval × (3) Number of retransmissions
(1) web-authentication logout polling interval
(2) web-authentication logout polling retry-interval
(3) web-authentication logout polling count
We recommend you use the default value for the number of retransmissions.
web-authentication logout polling enable

The no web-authentication logout polling enable command disables the auto logout functionality executed when periodic connection monitoring detects that an authenticated terminal is not connected.
web-authentication max-timer command) expires, the Switch stops monitoring the applicable terminal and logs it out.
5. The polling interval (set by using the web-authentication logout polling interval command) is the time between the receipt of ARP Reply from an authenticated terminal and the next polling monitoring.
6.
web-authentication logout polling interval

Specifies the polling interval of a monitoring frame that periodically monitors the connection status of an authenticated terminal.

Syntax
To set or change information: web-authentication logout polling interval
To delete information: no web-authentication logout polling interval

Input mode
(config)

Parameters
Sets the polling interval of monitoring frames.
number of authenticated users, overloading the Switch. Set the polling interval by using the following formula as a guide:
Polling condition: (1) Polling interval > (2) Retransmission interval × (3) Number of retransmissions
(1) web-authentication logout polling interval
(2) web-authentication logout polling retry-interval
(3) web-authentication logout polling count
We recommend you use the default value for the number of retransmissions.
web-authentication logout polling retry-interval

Sets the interval between retransmissions of monitoring frames that periodically monitor the connection status of authenticated terminals when a no-response state is detected.
(1) Polling interval > (2) Retransmission interval × (3) Number of retransmissions
(1) web-authentication logout polling interval
(2) web-authentication logout polling retry-interval
(3) web-authentication logout polling count
We recommend you use the default value for the number of retransmissions.
web-authentication max-timer

Sets the maximum connection time.

Syntax
To set or change information: web-authentication max-timer { | infinity }
To delete information: no web-authentication max-timer

Input mode
(config)

Parameters
{ | infinity }
Sets the maximum time (in minutes) that an authenticated user is allowed to be connected. After a user has logged in, if the time set by using this command elapses, the user is automatically logged out.
web-authentication vlan
web-authentication auto-logout
web-authentication port
web-authentication max-user

Sets the maximum number of users that can be authenticated on a Switch.

Syntax
To set or change information: web-authentication max-user
To delete information: no web-authentication max-user

Input mode
(config)

Parameters
Sets the maximum number of users that can be authenticated on a Switch on which user authentication is performed.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
6. If the DHCP snooping functionality is also used, the maximum number of users is limited to 246.
web-authentication max-user (interface)

Sets the maximum number of users that can be authenticated on the applicable port.

Syntax
To set or change information: web-authentication max-user
To delete information: no web-authentication max-user

Input mode
(config-if)

Parameters
Specify the maximum number of users that can be authenticated on the applicable port when the port requires authentication.
1.
6. If the DHCP snooping functionality is also used, the maximum number of users is limited to 246.
web-authentication port

Sets the authentication mode for ports.

Syntax
To set information: web-authentication port
To delete information: no web-authentication port

Input mode
(config-if)

Parameters
None

Default behavior
When Web authentication is valid, the port operates in legacy mode.

Impact on communication
None

When the change is applied
The change is applied immediately after setting values are changed.

Notes
1.
web-authentication radius-server dead-interval

Configures the timer for monitoring automatic restoration to the primary Web authentication RADIUS server from the Web authentication RADIUS server.
web-authentication radius-server dead-interval 2. See Table 23-1 Configuration commands and Web authentication modes for the authentication mode in which the command's settings are operable. 3. If three or more Web authentication RADIUS servers are configured and another Web authentication RADIUS server becomes the current server after the monitoring timer starts, the monitoring timer is not reset and continues to run. 4.
web-authentication radius-server host
Configures the RADIUS server used for Web authentication.
Syntax
To set or change information: web-authentication radius-server host [auth-port ] [acct-port ] [timeout ] [retransmit ] [key ]
To delete information: no web-authentication radius-server host
Input mode (config)
Parameters
Specifies the IPv4 address of the RADIUS server.
1.
retransmit
Specifies the number of times an authentication request is resent to the RADIUS server.
1. Default value when this parameter is omitted: The number of times set by using the radius-server retransmit command is used. If no value is set, the initial value is 3.
2. Range of values: 0 to 15 (times)
key
Specifies the RADIUS key used for encryption or for authentication of communication with the RADIUS server.
displayed first by using the show radius-server operation command is the address of the primary Web authentication RADIUS server. The primary Web authentication RADIUS server is used as the first current server (the destination for RADIUS authentication requests during operation). If a failure occurs on the primary Web authentication RADIUS server, the current server switches to the next effective Web authentication RADIUS server (secondary RADIUS server).
web-authentication redirect-mode
Sets a protocol to display the Web authentication Login page when the URL redirect functionality is enabled.
Syntax
To set or change information: web-authentication redirect-mode {http | https}
To delete information: no web-authentication redirect-mode
Input mode (config)
Parameters
{http | https}
Sets a protocol to display the Web authentication Login page when the URL redirect functionality is enabled.
web-authentication redirect enable
The no web-authentication redirect enable command disables the URL redirect functionality.
Syntax
To set information: no web-authentication redirect enable
To delete information: web-authentication redirect enable
Input mode (config)
Parameters
None
Default behavior
The URL redirect functionality is enabled.
web-authentication redirect tcp-port
When the URL redirect functionality is enabled, this command sets an additional TCP destination port number for a frame subject to URL redirect on a Switch. Usually, a port number can be added to the standard port number assigned for http (80).
If different port numbers are specified for these two commands, each specification becomes valid. How the commands are handled if the same port number is specified is described in the following table.
web-authentication redirect tcp-port web-authentication redirect tcp-port web-authentication web-port http Redirect as HTTP https Redirect as HTTP (The port number specified by https is ignored.
web-authentication roaming
Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring.
Syntax
To set or change information: web-authentication roaming [action trap]
To delete information: no web-authentication roaming
Input mode (config)
Parameters
[action trap]
When a change to another port due to roaming is detected, a private trap is issued.
Related commands
web-authentication system-auth-control web-authentication port snmp-server host
web-authentication static-vlan force-authorized
When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
- #3 web-authentication authentication #1 Specify the same Ethernet port.
- The following accounting log data is collected when an authentication request is sent to the RADIUS server:
No=21: NOTICE:LOGIN:(additional information) Login failed ; Failed to connection to RADIUS server.
Additional information:MAC, USER, IP, PORT, VLAN
Check the account log with the show web-authentication logging operation command.
web-authentication static-vlan max-user
Sets the maximum number of users that can be authenticated on a Switch.
Syntax
To set or change information: web-authentication static-vlan max-user
To delete information: no web-authentication static-vlan max-user
Input mode (config)
Parameters
Sets the maximum number of users that can be authenticated on a Switch on which user authentication is performed.
1.
6. If the DHCP snooping functionality is also used, the maximum number of users is limited to 246.
web-authentication static-vlan max-user (interface)
Sets the maximum number of users that can be authenticated on the applicable port.
Syntax
To set or change information: web-authentication static-vlan max-user
To delete information: no web-authentication static-vlan max-user
Input mode (config-if)
Parameters
Specify the maximum number of users that can be authenticated on the applicable port when the port requires authentication.
1.
6. If the DHCP snooping functionality is also used, the maximum number of users is limited to 246.
web-authentication static-vlan roaming
Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring.
Related commands
web-authentication system-auth-control web-authentication port snmp-server host
web-authentication system-auth-control
Enables Web authentication. Note that if the no web-authentication system-auth-control command is executed, Web authentication stops.
Syntax
To set information: web-authentication system-auth-control
To delete information: no web-authentication system-auth-control
Input mode (config)
Parameters
None
Default behavior
Web authentication is not performed.
web-authentication user-group
Enables the user ID-based authentication method. To handle IDs in the forms [] and [], use the at mark (@) to separate the entered user IDs.
Syntax
To set information: web-authentication user-group
To delete information: no web-authentication user-group
Input mode (config)
Parameters
None
Default behavior
Entered user IDs are not separated by an at mark (@).
Related commands
aaa authentication web-authentication web-authentication system-auth-control web-authentication port
web-authentication user replacement
Enables the switch-user option. Enables authentication with a different user ID after successful authentication with the first user ID when several user IDs are used for a terminal.
web-authentication vlan
Sets the VLAN ID to dynamically switch after user authentication. Unless this command is set, no VLANs can be switched after authentication.
Syntax
To set or change information: web-authentication vlan
To delete information: no web-authentication vlan
Input mode (config)
Parameters
Sets the VLAN ID list of MAC VLANs that can be switched after user authentication.
1.
web-authentication user-group
Related commands
switchport mac vlan web-authentication system-auth-control
web-authentication web-port
When the URL redirect functionality is enabled, this command sets an additional TCP destination port number for a frame subject to URL redirect on a Switch. Usually, one port number each can be added to the port number assigned for http (80) and for https (443).
If different port numbers are specified for these two commands, each specification becomes valid. How the commands are handled if the same port number is specified is described in the following table.
web-authentication redirect tcp-port web-authentication redirect tcp-port web-authentication web-port http Redirect as HTTP https Redirect as HTTP (The port number specified by https is ignored.
default-router
Sets the router option that is distributed to clients. A router option is an IP address the client can use as a router IP address over the subnet (default router).
Syntax
To set or change information: default-router
To delete information: no default-router
Input mode (dhcp-config)
Parameters
Sets a router IP address for the subnet of a client (default router).
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
dns-server
Sets the domain name server option that is distributed to clients. The domain name server option is the IP address of a DNS server that a client can use.
Syntax
To set or change information: dns-server []
To delete information: no dns-server
Input mode (dhcp-config)
Parameters
Sets the IP address of the DNS server that a client can use. Specify the address of the server with the highest priority first.
1.
ip dhcp excluded-address
Sets a range of IP addresses that are to be excluded from distribution in the IP address pool specified by using the network command.
ip dhcp pool
Sets DHCP address pool information.
Syntax
To set or change information: ip dhcp pool
To delete information: no ip dhcp pool
Input mode (config)
Parameters
Specify the name of the DHCP address pool.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2. Range of values: Specify a character string that is no more than 14 characters.
lease
Sets the default lease time of the IP addresses distributed to clients.
Syntax
To set or change information: lease {
When the change is applied
The change is applied immediately after setting values are changed.
Notes
1. If a value exceeding the maximum lease time (max-lease) is set as the lease time, the maximum lease time has precedence.
2. The shorter the lease time set, the more frequently a client updates the lease. Therefore, do not specify an extremely short lease time except for a very limited usage such as a temporary IP address.
max-lease
Sets the maximum allowable lease time when a client specifies the lease time and requests an IP address.
Syntax
To set or change information: max-lease { [ [ []]] | infinite}
To delete information: no max-lease
Input mode (dhcp-config)
Parameters
{ [ [ []]] | infinite}
By specifying the time in days, hours, minutes, and seconds, the maximum lease time when a client specifies a time can be set.
When the change is applied
The change is applied immediately after setting values are changed.
Notes
1. The shorter the lease time set, the more frequently a client updates the lease. Therefore, do not specify an extremely short lease time except for a very limited usage such as a temporary IP address. Also, make sure the client can operate reliably if a short lease time is set.
2. Enter the lease time in the order indicated by the input format.
network
Sets the subnet of the network in which IP addresses are dynamically distributed via DHCP. All subnets excluding those in which the host bits in the IP address host part are all 0s or 1s are actually registered in the DHCP address pool.
Syntax
To set or change information: network [ / ]
To delete information: no network
Input mode (dhcp-config)
Parameters
[ / ]
Sets the network address of the DHCP address pool.
Default behavior
None
Impact on communication
None
When the change is applied
The change is applied immediately after setting values are changed.
Notes
1. When this command is set, all IP addresses excluding those in which the bits in the host part of the target subnet are all 1s or all 0s are secured as the IP address pool. Therefore, designate IP addresses that should not be distributed in advance by using the ip dhcp excluded-address command.
2.
service dhcp
Sets the interface on which a DHCP server is enabled. Only the interface specified by using this command receives DHCP packets.
Syntax
To set or change information: service dhcp vlan
To delete information: no service dhcp vlan
Input mode (config)
Parameters
vlan
Sets the VLAN ID of a VLAN for which an IPv4 address is set.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
24.
Correspondence between configuration commands and authentication modes
The following table describes MAC-based authentication modes in which MAC-based authentication configuration commands can be set.
MAC-based authentication modes
Command name                                           F    D    L
mac-authentication static-vlan max-user (interface)    Y    --   --
mac-authentication static-vlan roaming                 Y    --   --
mac-authentication system-auth-control                 Y    Y    Y
mac-authentication timeout quiet-period                Y    Y    Y
mac-authentication timeout reauth-period               Y    Y    Y
mac-authentication vlan                                --   --   Y
mac-authentication vlan-check                          Y    --   --   #3
Legend F: Fixed VLAN mode D: Dynamic V
aaa accounting mac-authentication
Sends accounting information for MAC-based authentication to an accounting server.
Syntax
To set information: aaa accounting mac-authentication default start-stop group radius
To delete information: no aaa accounting mac-authentication default
Input mode (config)
Parameters
default
Sets the default accounting method of a Switch.
aaa authentication mac-authentication
Sets an authentication method group for MAC-based authentication. If the first specified method fails, the second specified method is used. If authentication fails, you can change the authentication method by using the aaa authentication mac-authentication end-by-reject command. If default is set, one entry can be set. If an authentication method list name is specified, a maximum of four entries can be set.
group
MAC-based authentication is performed by a RADIUS server. The RADIUS server to use is a RADIUS server group. Specify the group name set by the aaa group server radius command.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2. Range of values: Specify a character string that has no more than 32 characters. For details about the characters that can be specified, see Specifiable values for parameters.
aaa authentication mac-authentication end-by-reject
Terminates authentication if authentication is denied. If authentication fails due to a communication abnormality, such as an unresponsive RADIUS server, the next authentication method specified by the aaa authentication mac-authentication command is used to perform authentication.
mac-authentication access-group
By applying the MAC access list to MAC-based authentication ports, sets whether terminals are to be authenticated or not by using MAC addresses.
Syntax
To set or change information: mac-authentication access-group
To delete information: no mac-authentication access-group
Input mode (config)
Parameters
Specifies the identifier of the MAC access list that is to be set.
1.
mac-authentication authentication
Sets the name of an authentication method list for the port-based authentication method.
Syntax
To set or change information: mac-authentication authentication
To delete information: no mac-authentication authentication
Input mode (config-if)
Parameters
Sets the authentication method list name set by using the aaa authentication mac-authentication command.
1.
mac-authentication vlan
4. If the authentication method list name set by using this command does not match the authentication method list name set by using the aaa authentication mac-authentication command, the default settings of the Switch are used.
5. This command can be set only for Ethernet interfaces.
mac-authentication auto-logout
The no mac-authentication auto-logout command disables automatic cancellation of authentication if no frames are received from a terminal authenticated by MAC-based authentication for a certain period of time. Setting delay-time changes the time, but the actual operation varies according to the authentication mode.
2. Range of values: 0, 60 to 86400
Default behavior
Fixed VLAN mode, dynamic VLAN mode
After authentication in either of these authentication modes, if no frames are received from a terminal for the applicable MAC-based authentication entry when 3600 seconds has passed, the applicable MAC-based authentication entry is deleted from the MAC table automatically and authentication is canceled.
mac-authentication force-authorized vlan
When the RADIUS authentication method is used, if the RADIUS server does not respond or a request to a RADIUS server fails due to route failure, this command forcibly changes the status of a terminal requesting authentication on the applicable port to authenticated and assigns the terminal to a post-authentication VLAN.
3. Set a VLAN ID for which mac-based (MAC VLAN) has been set in the vlan command.
4. Be especially careful when using this functionality, as it can pose a security problem.
5.
authentication force-authorized enable authentication force-authorized vlan
Related commands
aaa authentication mac-authentication mac-authentication interface mac-authentication port mac-authentication system-auth-control mac-authentication vlan radius-server host or mac-authentication radius-server host switchport mac switchport mode vlan
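The following added example, which is not part of the manual or of any vendor tool, audits a saved configuration for settings described in these chapters that weaken authentication: the force-authorized commands, max-timer infinity, redirect-mode http, and no mac-authentication auto-logout. The sample configuration (interface names, argument values, use of indentation for interface sub-commands) and the rule identifiers are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (not from the manual). Interface names,
# argument values and the indentation of interface sub-commands are assumptions.
SAMPLE_CONFIG = """\
web-authentication system-auth-control
web-authentication redirect-mode http
web-authentication max-timer infinity
mac-authentication system-auth-control
mac-authentication max-timer 60
no mac-authentication auto-logout
!
interface fastethernet 0/1
  web-authentication port
  web-authentication static-vlan force-authorized
!
interface fastethernet 0/2
  mac-authentication port
  mac-authentication force-authorized vlan 100
!
interface fastethernet 0/3
  mac-authentication port
  no mac-authentication static-vlan force-authorized
"""

# Rule identifiers are hypothetical labels chosen for this example.
# Each pattern is anchored, so the "no ..." (delete) form of a command
# never matches a rule written for the positive form.
RULES = [
    ("FAIL_OPEN",
     re.compile(r"^(?:mac-authentication force-authorized vlan"
                r"|(?:web|mac)-authentication static-vlan force-authorized)\b"),
     "terminals are treated as authenticated when the RADIUS server "
     "does not respond"),
    ("NO_MAX_TIMER",
     re.compile(r"^(?:web|mac)-authentication max-timer infinity$"),
     "no maximum connection time is enforced"),
    ("HTTP_LOGIN",
     re.compile(r"^web-authentication redirect-mode http$"),
     "the Login page is displayed over HTTP, so submitted credentials "
     "are not encrypted in transit"),
    ("NO_IDLE_LOGOUT",
     re.compile(r"^no mac-authentication auto-logout$"),
     "authentication is not canceled automatically for idle terminals"),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    context: str   # "global" or the enclosing "interface ..." line
    rule: str
    command: str
    reason: str


def audit(config_text):
    """Return a Finding for every configuration line that matches a rule."""
    findings = []
    context = "global"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())          # normalise whitespace
        if line.startswith("interface "):
            context = line                    # enter interface context
            continue
        if not raw[:1].isspace():
            context = "global"                # unindented line ends the block
        if not line or line.startswith("!"):
            continue                          # blank line or separator
        for rule, pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, context, rule, line, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no} [{f.context}] {f.rule}: {f.command} ({f.reason})")
```
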
mac-authentication id-format
When using RADIUS authentication, specifies MAC address format for authentication requests to the RADIUS server.
Syntax
To set or change information: mac-authentication id-format [capitals]
To delete information: no mac-authentication id-format
Input mode (config)
Parameters
Sets MAC address format used when an authentication request is sent to the RADIUS server.
1.
system-auth-control command is set.
2. See Table 24-1 Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
mac-authentication interface
Sets the applicable interface ports in MAC-based authentication legacy mode.
Related commands
mac-authentication system-auth-control
mac-authentication max-timer
Sets the maximum connection time.
Syntax
To set or change information: mac-authentication max-timer { | infinity }
To delete information: no mac-authentication max-timer
Input mode (config)
Parameters
{ | infinity }
Sets the maximum time (in minutes) an authenticated terminal is allowed to be connected.
mac-authentication max-user
Sets the maximum number of terminals that can be authenticated on a Switch.
Syntax
To set or change information: mac-authentication max-user
To delete information: no mac-authentication max-user
Input mode (config)
Parameters
Sets the maximum number of terminals that can be authenticated on a Switch.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
2.
6. If the port to which an authenticated terminal is connected is moved, the number of actually connected terminals might be different from the number of authenticated terminals.
7. If the DHCP snooping functionality is also used, the maximum number of terminals is limited to 246.
mac-authentication max-user (interface)
Sets the maximum number of authentication terminals that can be authenticated on the applicable port.
Syntax
To set or change information: mac-authentication max-user
To delete information: no mac-authentication max-user
Input mode (config-if)
Parameters
Sets the maximum number of authentication terminals that can be authenticated on the applicable port.
1.
5. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated.
6. If the port to which an authenticated terminal is connected is moved, the number of actually connected terminals might be different from the number of authenticated terminals.
7.
mac-authentication password
When the RADIUS authentication method is used, this command sets the password used for sending authentication requests to the RADIUS server.
Syntax
To set or change information: mac-authentication password
To delete information: no mac-authentication password
Input mode (config)
Parameters
Sets the password used when sending authentication requests to the RADIUS server.
1.
mac-authentication id-format aaa authentication mac-authentication
mac-authentication port
Sets the authentication mode for ports.
Syntax
To set information: mac-authentication port
To delete information: no mac-authentication port
Input mode (config-if)
Parameters
None
Default behavior
When MAC-based authentication is valid, the port operates in legacy mode.
Impact on communication
If a port subject to authentication is deleted by using this command, authentication is canceled on all applicable ports.
mac-authentication radius-server dead-interval
Configures the timer for monitoring automatic restoration to the primary MAC-based authentication RADIUS server from the MAC-based authentication RADIUS server.
Notes
1. All MAC-based authentication settings take effect when the mac-authentication system-auth-control command is set.
2. See Table 24-1 Configuration commands and MAC-based authentication modes for the authentication mode in which the command's settings are operable.
3.
mac-authentication radius-server host
Configures the RADIUS server used for MAC-based authentication.
Syntax
To set or change information: mac-authentication radius-server host [auth-port ] [acct-port ] [timeout ] [retransmit ] [key ]
To delete information: no mac-authentication radius-server host
Input mode (config)
Parameters
Specifies the IPv4 address of the RADIUS server.
1.
retransmit
Specifies the number of times an authentication request is resent to the RADIUS server.
1. Default value when this parameter is omitted: The number of times set by using the radius-server retransmit command is used. If no value is set, the initial value is 3.
2. Range of values: 0 to 15 (times)
key
Specifies the RADIUS key used for encryption or for authentication of communication with the RADIUS server.
displayed first by using the show radius-server operation command is the primary MAC-based authentication RADIUS server. The primary MAC-based authentication RADIUS server is used as the first current server (the destination for RADIUS authentication requests during operation). If a failure occurs on the primary MAC-based authentication RADIUS server, the current server switches to the next effective MAC-based authentication RADIUS server (secondary RADIUS server).
mac-authentication roaming
Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring.
Syntax
To set or change information: mac-authentication roaming [action trap]
To delete information: no mac-authentication roaming
Input mode (config)
Parameters
[action trap]
When a change to another port due to roaming is detected, a private trap is issued.
Related commands
mac-authentication system-auth-control mac-authentication port snmp-server host
mac-authentication static-vlan force-authorized
When the RADIUS authentication method is used, this command forcibly changes the status of a terminal that requests authentication on the applicable port to authentication authorized if the RADIUS server does not respond or a request to the RADIUS server fails because of a route failure or other problem.
- #3 mac-authentication authentication #1 Specify the same Ethernet port.
- The following accounting log data is collected when an authentication request is sent to the RADIUS server:
No=21: NOTICE:LOGIN: () Login failed ; Failed to connection to RADIUS server.
:MAC, PORT, VLAN
The accounting log data can be confirmed by using the show mac-authentication logging operation command.
mac-authentication static-vlan max-user
Sets the maximum number of terminals that can be authenticated on a Switch.
Syntax
To set or change information: mac-authentication static-vlan max-user
To delete information: no mac-authentication static-vlan max-user
Input mode (config)
Parameters
Sets the maximum number of terminals that can be authenticated on a Switch.
1. Default value when this parameter is omitted: This parameter cannot be omitted.
6. If the DHCP snooping functionality is also used, the maximum number of terminals is limited to 246.
mac-authentication static-vlan max-user (interface)
Sets the maximum number of authentication terminals that can be authenticated on the applicable port.
Syntax
To set or change information: mac-authentication static-vlan max-user
To delete information: no mac-authentication static-vlan max-user
Input mode (config-if)
Parameters
Sets the maximum number of authentication terminals that can be authenticated on the applicable port.
1.
5. If the maximum number of terminals that can be authenticated is changed to a value smaller than the number of terminals currently authenticated, the authenticated terminals can continue communication, but no more terminals can be authenticated.
6. If the DHCP snooping functionality is also used, the maximum number of terminals is limited to 246.
mac-authentication static-vlan roaming
Sets communication permissions (roaming) when the port for an authenticated terminal changes to another port connected via a hub or similar means without a link-down event occurring.
Related commands
mac-authentication system-auth-control mac-authentication port snmp-server host
mac-authentication system-auth-control
Enables MAC-based authentication. Note that if the no mac-authentication system-auth-control command is executed, MAC-based authentication stops.
Syntax
To set information: mac-authentication system-auth-control
To delete information: no mac-authentication system-auth-control
Input mode (config)
Parameters
None
Default behavior
MAC-based authentication is not performed.
mac-authentication timeout quiet-period
Sets the time during which re-authentication will not be attempted (re-authentication delay timer) for the same terminal (MAC address) when authentication fails. No authentication processing is performed during this period.
Related commands
mac-authentication system-auth-control
mac-authentication timeout reauth-period
Sets the interval for re-authenticating terminals after an authentication has been successful.
Syntax
To set or change information: mac-authentication timeout reauth-period
To delete information: no mac-authentication timeout reauth-period
Input mode (config)
Parameters
Specifies the interval (in seconds) for re-authenticating a terminal.
mac-authentication vlan
Sets the VLAN IDs of VLANs to be switched dynamically after legacy mode authentication. If this command is not set, no VLANs are switched after legacy-mode authentication.
Syntax
To set or change information: mac-authentication vlan
To delete information: no mac-authentication vlan
Input mode (config)
Parameters
Sets the VLAN ID list of MAC VLANs to be switched after authentication.
1.
web-authentication user-group
Related commands
mac-authentication system-auth-control switchport mac
mac-authentication vlan-check
Checks the VLAN ID when checking a MAC address during authentication processing. For the RADIUS authentication method, the MAC address string, the string set by using this command (%VLAN is set by default), and the VLAN ID are combined and used as the user ID for sending an authentication request to the RADIUS server.
Related commands
mac-authentication system-auth-control mac-authentication port aaa authentication mac-authentication
25.
authentication multi-step
Configure a multistep authentication port.
Syntax
To set or change information: authentication multi-step [{permissive | dot1x}]
To delete information: no authentication multi-step
Input mode (config-if)
Parameters
{permissive | dot1x}
permissive
Permits both Web authentication and IEEE 802.1X authentication for a terminal on which the first step (MAC-based authentication) has failed.
1.
2. mac-authentication interface mac-authentication vlan web-authentication vlan This command can be set only for Ethernet interfaces.
26.
http-server [OP-WOL] http-server [OP-WOL] Enables the HTTP server functionality. Syntax To set information: http-server To delete information: no http-server Input mode (config) Parameters None Default behavior When the web-authentication system-auth-control command is set: Enabled When the web-authentication system-auth-control command is not set: Disabled Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 542 1.
http-server [OP-WOL] Configuration settings Secure Wake-on-LAN Web Authentication http-server User authenticatio n screen Login page web-authenticati on system-auth-co ntrol Functionality operate. MethodSet Functionality operate. MethodSet Can be displayed. Operates. Can be displayed. Operates. Not set Can be displayed. Operates. Can be displayed. Does not operate. MethodSet Can be displayed. Operates. Can be displayed. Operates.
Part 10: High Reliability Based on Redundant Configurations 27.
switchport backup interface switchport backup interface Specifies the primary or secondary port, and an automatic switch-back time or a timer-based switch-back time.
switchport backup interface When the change is applied The change is applied immediately after setting values are changed. Notes 1. When the Spanning Tree Protocol is used at the upstream switch, the status will be listening or learning after recovering from the link-down state. Communication cannot be restored immediately. In this case, we recommend that you set the timer-based switch-back time to 30 seconds or longer.
switchport backup flush request transmit switchport backup flush request transmit Enables the sending of flush control frames to request that the upstream switches clear their MAC address tables. Syntax To set or change information: switchport backup flush request transmit [vlan ] To delete information: no switchport backup flush request transmit Input mode (config-if) Parameters vlan Sets the VLAN Tag value to be added to flush control frames. 1.
switchport backup mac-address-table update exclude-vlan switchport backup mac-address-table update exclude-vlan Sets the VLAN to be excluded when sending MAC address update frames. Syntax To set or change information: switchport backup mac-address-table update exclude-vlan To delete information: no switchport backup mac-address-table update exclude-vlan Input mode (config-if) Parameters Sets the list of VLANs to be excluded when MAC address update frames are sent.
switchport backup mac-address-table update retransmit switchport backup mac-address-table update retransmit Specifies the number of re-transmissions of MAC address update frames.
switchport backup mac-address-table update transmit switchport backup mac-address-table update transmit Enables the sending of MAC address update frames to request that the upstream switches update their MAC address tables. Syntax To set information: switchport backup mac-address-table update transmit To delete information: no switchport backup mac-address-table update transmit Input mode (config-if) Parameters None Default behavior MAC address update frames are not sent.
switchport-backup startup-active-port-selection switchport-backup startup-active-port-selection Enables active port locking at Switch startup. Syntax To set information: switchport-backup startup-active-port-selection primary-only To delete information: no switchport-backup startup-active-port-selection Input mode (config) Parameters primary-only Sets only the primary port as the active port at Switch startup. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
Part 11: High Reliability Based on Network Failure Detection 28. IEEE 802.
efmoam active efmoam active Sets the port to be monitored by the IEEE 802.3ah/OAM functionality to active mode. Syntax To set or change information: efmoam active [udld] To delete information: no efmoam active Input mode (config-if) Parameters udld Sets the applicable port as the port to be monitored by the IEEE 802.3ah/UDLD functionality and enables the unidirectional link failure detection functionality. 1.
efmoam disable efmoam disable Enables or disables the IEEE 802.3ah/OAM functionality on a switch. To disable the IEEE 802.3ah/OAM functionality, set the efmoam disable command. To enable the IEEE 802.3ah/OAM functionality again, set the no efmoam disable command. In passive mode, the send process starts when an OAMPDU from the active mode is received. Syntax To set information: efmoam disable To delete information: no efmoam disable Input mode (config) Parameters None Default behavior The IEEE 802.
efmoam udld-detection-count efmoam udld-detection-count Sets the number of OAMPDU response timeouts that must occur to recognize a failure. (The OAMPDU is a monitoring packet of the IEEE 802.3ah/UDLD functionality.
29.
storm-control storm-control Configures the storm control functionality. This functionality sets the threshold of frames to be flooded and received by a Switch. When a broadcast storm or another problem occurs, the flooded frames exceeding the threshold are discarded. As a result, network load and Switch load decrease.
storm-control 1. Default value when this parameter is omitted: The storm control functionality is not set. multicast Sets multicast frames as subject to storm control. 1. Default value when this parameter is omitted: The storm control functionality is not set. unicast Sets unicast frames as subject to storm control. 1. Default value when this parameter is omitted: The storm control functionality is not set.
storm-control 1. Default value when this parameter is omitted: Operation log data is not output when a storm is detected. filter-broadcast When the flow rate of broadcast frames has a limit, this parameter sets the limit value (lower threshold) as the number of broadcast frames that can be forwarded. The frames exceeding the flow rate limit value are discarded. If 0 is set, all applicable frames are discarded. 1.
storm-control When the change is applied The change is applied immediately after setting values are changed. Notes 1. Storm control is controlled by the number of received frames. Frame length is irrelevant. 2. When received frames exceed the storm detection threshold, control frames are also discarded. To prevent necessary control frames from being discarded, do not specify too small a value. 3.
30.
loop-detection loop-detection Sets the port type for the L2 loop detection functionality. Syntax To set or change information: loop-detection {send-inact-port | send-port | uplink-port | exception-port} To delete information: no loop-detection Input mode (config-if) Parameters {send-inact-port | send-port | uplink-port | exception-port} send-inact-port Sets a port as a detecting and blocking port.
loop-detection Notes 1. 2. Changing the port type clears the following information: - The number of L2 loop detections until the port is blocked - The time from blocking of the port until automatic recovery occurs. If the port type is changed, the statistics for sending and receiving L2 loop detection frames for each port are not cleared.
loop-detection auto-restore-time loop-detection auto-restore-time Sets the time required for automatic activation of a blocked port. Syntax To set or change information: loop-detection auto-restore-time To delete information: no loop-detection auto-restore-time Input mode (config) Parameters Sets the time (in seconds) required for automatic activation of a blocked port. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
loop-detection enable loop-detection enable Enables L2 loop detection. Syntax To set information: loop-detection enable To delete information: no loop-detection enable Input mode (config) Parameters None Default behavior L2 loop detection is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
loop-detection hold-time loop-detection hold-time Sets the time for holding the number of L2 loop detections before a port is blocked. If the period of time for holding the number of L2 loop detections elapses without an L2 loop detection frame being received since the last L2 loop detection frame was received, the number of L2 loop detections held on the port is cleared.
loop-detection interval-time loop-detection interval-time Sets the interval for sending L2 loop detection frames. Syntax To set or change information: loop-detection interval-time To delete information: no loop-detection interval-time Input mode (config) Parameters Sets the interval (in seconds) for sending L2 loop detection frames. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
loop-detection threshold loop-detection threshold Sets the number of L2 loop detections before a port is blocked. If the number of detections becomes equal to or greater than the specified number, the port is blocked. Syntax To set or change information: loop-detection threshold To delete information: no loop-detection threshold Input mode (config) Parameters Sets the number of L2 loop detections before a port is blocked. 1.
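The interaction of loop-detection threshold, loop-detection hold-time and loop-detection auto-restore-time described above can be checked with a small model. This is an added example, not code from the manual or the Switch software: the class and function names, the port name and the timer values are constructed, and two behaviours are assumptions (an unset hold-time or auto-restore-time means the timer never expires, and the held count is cleared when a port is restored).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PortCounters:
    detections: int = 0                     # L2 loop detections currently held
    last_detection: Optional[float] = None  # time of the last loop detection frame
    blocked_at: Optional[float] = None      # set while the port is blocked


class LoopDetectionModel:
    """Toy model of threshold / hold-time / auto-restore-time (hypothetical names)."""

    def __init__(self, threshold: int, hold_time: Optional[float] = None,
                 auto_restore_time: Optional[float] = None) -> None:
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self.hold_time = hold_time                  # None: count is held forever (assumption)
        self.auto_restore_time = auto_restore_time  # None: no automatic recovery (assumption)
        self.ports: Dict[str, PortCounters] = {}

    def _expire(self, port: str, now: float) -> PortCounters:
        st = self.ports.setdefault(port, PortCounters())
        # auto-restore-time: a blocked port is activated again after this time.
        if (st.blocked_at is not None and self.auto_restore_time is not None
                and now - st.blocked_at >= self.auto_restore_time):
            st.blocked_at = None
            st.detections = 0          # assumption: count restarts after recovery
            st.last_detection = None
        # hold-time: no loop detection frame since the last one for this long
        # clears the held count before the port reaches the threshold.
        if (st.blocked_at is None and st.last_detection is not None
                and self.hold_time is not None
                and now - st.last_detection >= self.hold_time):
            st.detections = 0
            st.last_detection = None
        return st

    def is_blocked(self, port: str, now: float) -> bool:
        return self._expire(port, now).blocked_at is not None

    def on_loop_frame(self, port: str, now: float) -> bool:
        """Record one received L2 loop detection frame; return True if blocked."""
        st = self._expire(port, now)
        if st.blocked_at is not None:
            return True                # already blocked, count is not increased
        st.detections += 1
        st.last_detection = now
        # threshold: block when detections become equal to or greater than it.
        if st.detections >= self.threshold:
            st.blocked_at = now
        return st.blocked_at is not None


def replay(model: LoopDetectionModel,
           events: List[Tuple[float, str]]) -> List[Tuple[float, str, int, bool]]:
    """Feed (time, port) detections to the model; return the state after each."""
    out = []
    for t, port in events:
        blocked = model.on_loop_frame(port, t)
        out.append((t, port, model.ports[port].detections, blocked))
    return out


# Constructed sample: five loop detections on one port, with a 16-second gap.
EVENTS = [(0.0, "0/1"), (4.0, "0/1"), (20.0, "0/1"), (22.0, "0/1"), (25.0, "0/1")]

if __name__ == "__main__":
    with_hold = LoopDetectionModel(threshold=3, hold_time=10, auto_restore_time=60)
    for row in replay(with_hold, EVENTS):
        print("hold-time 10s:", row)
    no_hold = LoopDetectionModel(threshold=3)
    for row in replay(no_hold, EVENTS):
        print("no hold-time :", row)
```

With a hold-time shorter than the gap between detections, a slow intermittent loop keeps resetting the count and the port is blocked later than the threshold alone suggests, which is worth checking against the expected detection frame interval when tuning these values.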
31.
domain name domain name Sets the name used for the applicable domain. Syntax To set or change information: domain name {no-present | str | dns | mac } To delete information: no domain name Input mode (config-ether-cfm) Parameters {no-present | str | dns | mac } Sets the parameter to be used as the domain name. no-present If this parameter is set, the Maintenance Domain Name field in CCM is not used.
domain name When the change is applied The change is applied immediately after setting values are changed.
ethernet cfm cc alarm-priority ethernet cfm cc alarm-priority Sets the failure level to be detected by CC. Failure levels equal to or higher than the parameter you set are detected. Syntax To set or change information: ethernet cfm cc level ma alarm-priority To delete information: no ethernet cfm cc level ma alarm-priority Input mode (config) Parameters level Specifies the domain level that has been set by using the ethernet cfm domain command. 1.
ethernet cfm cc alarm-priority
Setting level | Failure type | Command display | Failure description
4 | DefErrorCCM | ErrorCCM | A CCM with an incorrect MEP ID or transmission interval was received.
3 | DefRemoteCCM | Timeout | CCMs are no longer being received.
2 | DefMACstatus | PortState | The port on the target Switch cannot communicate.
1 | DefRDICCM | RDI | A CCM that reported the detection of a failure was received. (RDI: Remote Defect Indication)
0 | none | - | No failure was detected.
ethernet cfm cc alarm-reset-time ethernet cfm cc alarm-reset-time Sets the time interval for identifying re-detection when CC repeatedly detects failures. If a failure is detected within the time set by using this command after a failure has been detected, the failure is treated as a re-detection and no trap is sent. Note, however, that if a failure with a failure level higher than the currently detected failure level is detected, a trap is sent.
ethernet cfm cc alarm-reset-time When the change is applied The change is applied immediately after setting values are changed. Notes 1. If higher level MAs are not included as lower level MAs, a communication overload might occur.
ethernet cfm cc alarm-start-time ethernet cfm cc alarm-start-time Sets the time after CC detects a failure until a trap is sent. Syntax To set or change information: ethernet cfm cc level ma alarm-start-time To delete information: no ethernet cfm cc level ma alarm-start-time Input mode (config) Parameters level Specifies the domain level that has been set by using the ethernet cfm domain command. 1.
ethernet cfm cc alarm-start-time Notes: None. Related commands: ethernet cfm domain, ma name, ma vlan-group
ethernet cfm cc enable ethernet cfm cc enable Sets in a domain an MA in which the CC functionality is used. If the ethernet cfm mep command has already been set, the applicable port starts to send CCMs. Syntax To set information: ethernet cfm cc level ma enable To delete information: no ethernet cfm cc level ma enable Input mode (config) Parameters level Specifies the domain level that has been set by using the ethernet cfm domain command. 1.
ethernet cfm cc enable ma name ma vlan-group
ethernet cfm cc interval ethernet cfm cc interval Sets the CCM transmission interval for a target MA. Syntax To set or change information: ethernet cfm cc level ma interval {1s | 10s | 1min | 10min} To delete information: no ethernet cfm cc level ma interval Input mode (config) Parameters level Specifies the domain level that has been set by using the ethernet cfm domain command. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ethernet cfm cc interval 3. Note on using this parameter: If a value smaller than the default value is set for this parameter, the Switch CPU becomes overloaded with possible adverse effects on communication. Default behavior 1min is used as the interval for sending CCMs. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
ethernet cfm domain ethernet cfm domain Sets a domain. Executing this command switches to config-ether-cfm mode in which the domain name and MA can be set. Syntax To set information: ethernet cfm domain level [direction-up] To delete information: no ethernet cfm domain level Input mode (config) Parameters level Sets the domain level. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ethernet cfm domain ethernet cfm mip Related commands None
ethernet cfm enable (global) ethernet cfm enable (global) Starts CFM. Syntax To set information: ethernet cfm enable To delete information: no ethernet cfm enable Input mode (config) Parameters None Default behavior CFM does not operate even if another CFM command has been set. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
ethernet cfm enable (interface) ethernet cfm enable (interface) When no ethernet cfm enable is set, CFM PDU transmission processing on the applicable port or the applicable port channel stops. Syntax To set information: no ethernet cfm enable To delete information: ethernet cfm enable Input mode (config-if) Parameters None Default behavior CFM PDUs can be received. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1.
ethernet cfm mep ethernet cfm mep Sets a MEP used by the CFM functionality. Syntax To set information: ethernet cfm mep level ma mep-id [{down | up}] To delete information: no ethernet cfm mep level ma mep-id Input mode (config-if) Parameters level Specifies the domain level that has been set by using the ethernet cfm domain command. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ethernet cfm mep When direction-up has been set by using the ethernet cfm domain command, Up MEP is used. If it has not been set, Down MEP is used. 2. Range of values: down or up 3. Note on using this parameter: This parameter cannot be changed. If you want to change this parameter, delete this configuration first, and then reset it. Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1.
ethernet cfm mip ethernet cfm mip Sets a MIP used by the CFM functionality. Syntax To set information: ethernet cfm mip level To delete information: no ethernet cfm mip level Input mode (config-if) Parameters level Specifies the domain level that has been set by using the ethernet cfm domain command. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
ma name ma name Sets the name of an MA to be used in the applicable domain. Syntax To set or change information: ma name {str | vlan } To delete information: no ma name Input mode (config-ether-cfm) Parameters Sets the MA ID number. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 0 to 65535 {str | vlan } Specifies the name of an MA by using a character string or a VLAN ID.
ma name Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
ma vlan-group ma vlan-group Sets the VLAN belonging to the MA used in the applicable domain. Syntax To set or change information: ma vlan-group [primary-vlan ] To delete information: no ma vlan-group Input mode (config-ether-cfm) Parameters Sets the MA ID number. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: 0 to 65535 Sets the VLANs to be used in the applicable MA. 1.
ma vlan-group When the change is applied The change is applied immediately after setting values are changed.
Part 12: Remote Network Management 32.
hostname hostname Sets the identification name of a Switch. Syntax To set or change information: hostname To delete information: no hostname Input mode (config) Parameters The identification name of a Switch. Set a name that is unique in the network that will be used. This information can be referenced by using the name set in [sysName] in the system group for enquiries from the SNMP manager. This parameter is equivalent to sysName defined in RFC 1213. 1.
rmon alarm rmon alarm Sets the control information for the RMON (RFC 1757) alarm group. This command can configure a maximum of 128 entries.
rmon alarm
Table 32-1 The setting range of object identifiers subject to alarm monitoring
Object name (setting range from the console) | Object ID (setting value from the SNMP manager)
ifInOctets.x | 1.3.6.1.2.1.2.2.1.10.x
ifInUcastPkts.x | 1.3.6.1.2.1.2.2.1.11.x
ifInNUcastPkts.x | 1.3.6.1.2.1.2.2.1.12.x
ifInDiscards.x | 1.3.6.1.2.1.2.2.1.13.x
ifInErrors.x | 1.3.6.1.2.1.2.2.1.14.x
ifInUnknownProtos.x | 1.3.6.1.2.1.2.2.1.15.x
ifOutOctets.x | 1.3.6.1.2.1.2.2.1.16.x
ifOutUcastPkts.x | 1.3.6.1.2.1.2.2.1.17.
rmon alarm
Object name (setting range from the console) | Object ID (setting value from the SNMP manager)
etherStatsPkts1024to1518Octets.x | 1.3.6.1.2.1.16.1.1.1.19.x
ifInMulticastPkts.x | 1.3.6.1.2.1.31.1.1.1.2.x
ifInBroadcastPkts.x | 1.3.6.1.2.1.31.1.1.1.3.x
ifOutMulticastPkts.x | 1.3.6.1.2.1.31.1.1.1.4.x
ifOutBroadcastPkts.x | 1.3.6.1.2.1.31.1.1.1.5.x
x: instance number
Sets the time interval (in seconds) for checking the threshold.
rmon alarm falling-threshold Sets the lower threshold value. This parameter is equivalent to alarmFallingThreshold defined in RFC 1757. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: -2147483648 to 2147483647 falling-event-index Sets the identification number of the method for generating an event if a value drops below the lower threshold.
rmon alarm Notes 1. To access an alarm group from the SNMP manager, you must register the SNMP manager by using the snmp-server community command. 2. As the value for rising-event-index or falling-event-index of an alarm group, set the information identification number that has been set for the corresponding event group. 3. When setting this command from a console, you must use an object name.
rmon collection history rmon collection history Configures the control information for the RMON (RFC 1757) Ethernet statistics history. This command can configure a maximum of 32 entries.
rmon collection history 1800 (seconds) 2. Range of values: 1 to 3600 (seconds) Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. To access an Ethernet history group from the SNMP manager, you must register the SNMP manager by using the snmp-server community command.
rmon event rmon event Sets the control information for an RMON (RFC 1757) event group. This command can configure a maximum of 16 entries. Syntax To set or change information: rmon event [log] [trap ] [description ] [owner ] To delete information: no rmon event Input mode (config) Parameters Sets the control information for an RMON event group. This parameter is equivalent to eventIndex defined in RFC 1757. 1.
rmon event Blank 2. Range of values: Specify a character string that is no more than 79 characters. For details about the characters that can be specified, see Specifiable values for parameters. owner Sets the identification information of the person who specified this setting. This information is used to identify the person who specified this setting. This parameter is equivalent to eventOwner defined in RFC 1757. 1. Default value when this parameter is omitted: Blank 2.
snmp-server community snmp-server community Sets the access list for the SNMP community. The command can configure up to 4 entries. Syntax To set or change information: snmp-server community [ {ro|rw} ] [] To delete information: no snmp-server community Input mode (config) Parameters Sets the community name for the SNMP manager. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
snmp-server community Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
snmp-server contact snmp-server contact Sets the contact information of the Switch. Syntax To set or change information: snmp-server contact To delete information: no snmp-server contact Input mode (config) Parameters Sets the contact information for the Switch used when a failure occurs on the Switch. This information can be referenced by using the name set in [sysContact] of the system group for inquiries from the SNMP manager. 1.
snmp-server host snmp-server host Registers the network management switch (SNMP manager) to which traps are sent. This command can configure a maximum of 4 entries.
snmp-server host
Table 32-2 Correspondence between parameters and traps
Parameter | Traps
snmp | coldStart, warmStart, linkUp, linkDown, authenticationFailure
rmon | risingAlarm, fallingAlarm
temperature | ax2230sTemperatureTrap [AX2200S], ax1250sTemperatureTrap [AX1250S], ax1240sTemperatureTrap [AX1240S]
air-fan | ax2230sAirFanStopTrap [AX2200S], ax1240sAirFanStopTrap [AX1240S]
login | ax2230sLoginSuccessTrap [AX2200S], ax1250sLoginSuccessTrap [AX1250S], ax1240sLoginSuccessTrap [AX1240S], ax2230sLoginFailureTrap [AX22
snmp-server host
Parameter | Traps
 | ax1240sMulticastStormDetectTrap [AX1240S], ax2230sUnicastStormDetectTrap [AX2200S], ax1250sUnicastStormDetectTrap [AX1250S], ax1240sUnicastStormDetectTrap [AX1240S], ax2230sBroadcastStormPortInactivateTrap [AX2200S], ax1250sBroadcastStormPortInactivateTrap [AX1250S], ax1240sBroadcastStormPortInactivateTrap [AX1240S], ax2230sMulticastStormPortInactivateTrap [AX2200S], ax1250sMulticastStormPortInactivateTrap [AX1250S], ax1240sMulticastStormPortInactivateTrap [AX1240S], ax2230sUnicastS
snmp-server host
Parameter | Traps
 | pethMainPowerUsageOnNotification [AX2200S] [AX1240S], pethMainPowerUsageOffNotification [AX2200S] [AX1240S]
dot1x | ax2230sDot1xFailureTrap [AX2200S], ax1250sDot1xFailureTrap [AX1250S], ax1240sDot1xFailureTrap [AX1240S], ax2230sDot1xEventTrap [AX2200S], ax1250sDot1xEventTrap [AX1250S], ax1240sDot1xEventTrap [AX1240S]
web-authentication | ax2230sWauthFailureTrap [AX2200S], ax1250sWauthFailureTrap [AX1250S], ax1240sWauthFailureTrap [AX1240S], ax2230sWauthEventTrap [AX2200S], ax1250sWa
snmp-server host
Parameter | Traps
loop-detection | ax2230sL2ldLinkDown [AX2200S], ax1250sL2ldLinkDown [AX1250S], ax1240sL2ldLinkDown [AX1240S], ax2230sL2ldLinkUp [AX2200S], ax1250sL2ldLinkUp [AX1250S], ax1240sL2ldLinkUp [AX1240S], ax2230sL2ldLoopDetection [AX2200S], ax1250sL2ldLoopDetection [AX1250S], ax1240sL2ldLoopDetection [AX1240S]
switchport-backup | ax2230sUlrChangeSecondary [AX2200S], ax1250sUlrChangeSecondary [AX1250S], ax1240sUlrChangeSecondary [AX1240S], ax2230sUlrChangePrimary [AX2200S], ax1250sUlrChangePri
snmp-server host
poe [AX2200S] [AX1240S]: A trap is sent when the power status changes or the total power consumption of a Switch exceeds the threshold.
dot1x: A trap is sent for specific types of authentication accounting log data during IEEE 802.1X authentication.
web-authentication: A trap is sent for specific types of authentication accounting log data during Web authentication.
mac-authentication: A trap is sent for specific types of authentication accounting log data during MAC-based authentication.
snmp-server location snmp-server location Sets the name of the location where the Switch is installed. Syntax To set or change information: snmp-server location To delete information: no snmp-server location Input mode (config) Parameters Sets the name of the location where the Switch is installed. This information can be referenced by using the name set in [sysLocation] of the system group for inquiries from the SNMP manager. 1.
snmp-server traps snmp-server traps Sets the timing for issuing a trap.
snmp-server traps 1. Default value when this parameter is omitted: standard 2. Range of values: private or standard agent-address Sets the IPv4 address to be used in a trap notification frame in SNMPv1 format. Because only the SNMPv1 frame format can have the field in its Trap-PDUs, the address set by using this command is applied to SNMPv1 traps. 1.
snmp-server traps failure or all Default behavior The initial values for all parameters of this command are used. Impact on communication None When the change is applied The change is applied immediately after setting values are changed. Notes 1. For the list of supported MIBs and supported traps, see the manual MIB Reference. 2. You cannot omit all of the parameters in this command. You must set at least one.
snmp trap link-status snmp trap link-status When no snmp trap link-status is set, linkDown and linkUp traps are not transmitted whenever a link-up failure or a link-down failure occurs on a line. Syntax To set information: no snmp trap link-status To delete information: snmp trap link-status Input mode (config-if) Parameters None Default behavior Sending linkDown and linkUp traps is not suppressed.
33.
logging event-kind logging event-kind Sets the event type of the log information to be sent to the syslog server. Multiple event types can be set. Syntax To set or change information: logging event-kind To delete information: no logging event-kind Input mode (config) Parameters Specifies the event type of the log information to be output. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
logging facility logging facility Sets a facility to which log information is output via the syslog interface. Syntax To set or change information: logging facility To delete information: no logging facility Input mode (config) Parameters Specifies the facility for syslog. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specify local0, local1, local2, local3, local4, local5, local6, or local7.
logging host logging host Sets the output destination for log information. The command can configure up to 4 entries. Syntax To set or change information: logging host To delete information: no logging host Input mode (config) Parameters Specifies the IPv4 address of the log output destination. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: Specifies the IPv4 address in dot notation. 1.0.0.
logging syslog-header logging syslog-header Adds HOSTNAME, TIMESTAMP, or a functionality number to the message to be sent to the syslog server. Output from the following commands is not affected: show dot1x logging show logging show web-authentication logging show mac-authentication logging Syntax To set information: logging syslog-header To delete information: no logging syslog-header Input mode (config) Parameters None Default behavior Operation is the same as in the previous version.
logging trap logging trap Sets the level of importance for log information to be sent to the syslog server. Syntax To set or change information: logging trap { | } To delete information: no logging trap Input mode (config) Parameters { | } Select either a level or a keyword as the priority of syslog messages. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
logging trap Related commands logging host
Part 13: Management of Neighboring Device Information 34.
lldp enable lldp enable Enables operation of LLDP for a port. Syntax To set information: lldp enable To delete information: no lldp enable Input mode (config-if) Parameters None Default behavior None Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
lldp hold-count lldp hold-count Sets the time that a neighboring device retains an LLDP frame sent from a Switch. Syntax To set or change information: lldp hold-count To delete information: no lldp hold-count Input mode (config) Parameters Sets the scaling for the value set by the lldp interval-time command as the time that a neighboring device retains the LLDP frame sent from a Switch. If the time exceeds 65535, which is the maximum value, 65535 is used. 1.
lldp interval-time lldp interval-time Sets the transmission interval between LLDP frames sent from a Switch. Syntax To set or change information: lldp interval-time To delete information: no lldp interval-time Input mode (config) Parameters Sets the transmission interval between LLDP frames sent from a Switch. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2.
lldp run lldp run Enables the LLDP functionality. Syntax To set information: lldp run To delete information: no lldp run Input mode (config) Parameters None Default behavior The LLDP functionality is disabled. Impact on communication None When the change is applied The change is applied immediately after setting values are changed.
Part 14: Port Mirroring 35.
monitor session monitor session Configures the port mirroring functionality.
monitor session [AX1240S] Specifies a mirror port for port mirroring. A port for which Layer 2 information has been set cannot be specified. 1. Default value when this parameter is omitted: This parameter cannot be omitted. 2. Range of values: See Specifiable values for parameters. Default behavior None Impact on communication If a line in use is set as the mirror port, communication is no longer possible on the line. If a line is set as the monitor port, communication is not affected.
Part 15: Configuration Error Messages 36. Error Messages Displayed When Editing the Configuration 36.
36.1 Error messages displayed when editing the configuration
36.1.1 Common
Table 36-1 Common error messages
Message | Description
Access denied. | Access was denied.
Ambiguous command. | The command can be interpreted in two or more ways and therefore cannot be identified uniquely.
Ambiguous data. | The data cannot be identified uniquely because it can be interpreted in various ways.
Ambiguous parameter.
Message | Description
Log out by the system. | You have been logged out by the system.
Login incorrect. | You are not permitted to log in to the specified host.
Missing parameter. | A parameter is missing.
Missing parameter data. | Parameter data is missing.
No Access. | Access is not provided.
No help available. | The Help file is invalid.
'no' is not applicable. | "no" cannot be entered.
No such name. | No such name was found.
Message | Description
Wrong type. | The type is incorrect.
Wrong value. | The value is incorrect.
Invalid parameter 'xxx'. | The xxx parameter is invalid.
Some parameters are insufficient. | Some parameters are missing.
Cannot set TOS/Precedence and DSCP at the same time. | Both TOS/Precedence and DSCP cannot be set at the same time. Set one or the other.
36.1.
Message | Description
extended-authentication is in use. | This setting cannot be changed because at least one of the following is enabled: Authentication IPv4 access list IEEE 802.
Message | Description
port:Relations between media type and configuration are inconsistent. | The information cannot be changed because media-type auto is set. : duplex, mdix auto, and speed
this command is different from this one in channel-group port. | The configured command and the port channel configuration do not match. Match the configuration of the port channel to the configuration of the command.
36.1.
Message | Description
interface : Relations between the mac-authentication configuration and the channel-group configuration within same port. | Participation in the port channel is not possible because the specified port is being used by the MAC-based authentication setting.
interface : Relations between the web-authentication configuration and the channel-group configuration within same port.
36.1.8 MAC address table information

Table 36-8 MAC address table error messages

Message: Can't set mac-address-table because of port-channel nothing.
Description: mac-address-table cannot be set because no port channels exist.

Message: Relations between vlan in mac-address-table static configuration and switchport configuration are inconsistent.
Description: The mac-address-table static VLAN specification and the switchport configuration do not match.
Message: Relations between vlan in dot1q configuration and native configuration are inconsistent.
Description: switchport mac dot1q vlan and switchport mac native vlan cannot be set because they are set for the same VLAN.

Message: Relations between vlan in ip source binding configuration and switchport configuration are inconsistent.
Description: The configurations cannot be changed because ip source binding is using it.
Message: vlan[] : Can't delete vlan configuration referred by other configuration.
Description: The VLAN cannot be deleted because it is being used by another configuration. : VLAN ID

Message: vlan[] : Can't set access-vlan which is not configured to use vlan.
Description: The access VLAN cannot be set because the VLAN does not exist.
36.1.10 Spanning Tree information

Table 36-10 Spanning Tree error messages

Message: Can not configure spanning-tree when Ring Protocol is configured.
Description: The Spanning Tree Protocol cannot be set because the Ring Protocol functionality is set.

Message: Cost is over 65535, please set up in 1 to 65535 or set pathcost method to long.
Description: The value for cost is equal to or greater than 65535.
Message: axrp-: maximum number of ring-port are already defined.
Description: Set two ring ports for each ring ID. To set another port as a ring port, first delete a ring port that has already been set. : Ring ID

Message: axrp-: Relations between uplink redundant and ring protocol are inconsistent.
Description: The uplink redundancy functionality has already been set for the specified interface.
: Ring ID : VLAN ID

Message: axrp-: vlan-mapping is already configured in vlan-group of other ring.
Description: The specified VLAN mapping has already been set for a VLAN group in another ring. Either delete the VLAN mapping from the other VLAN group or use other VLAN groups.
Message: Can't delete it vlan configuration referred by other configuration.
Description: Deletion is not possible because the ip source binding setting uses the VLAN. First, delete the ip source binding setting that specifies the VLAN you want to delete.

Message: Can't set it because snooping is disable.
Description: The specified VLAN cannot be set because DHCP snooping for the VLAN is not enabled. Specify a VLAN for which DHCP snooping is enabled.
36.1.13 IGMP snooping information

Table 36-13 IGMP snooping error messages

Message: Maximum number of VLAN are already defined, igmp snooping can not enable.
Description: A maximum of 32 VLANs can be set for IGMP snooping and MLD snooping. No more than 32 VLANs can be set. : VLAN ID

Message: system function isn't set.
Description: The setting is not possible because the system function command has not been set.
Message: ip[] : Duplicate network address.
Description: An IP address of the same network address is defined for another VLAN. Set the IP address so that all network addresses are unique. : VLAN ID
An IP address for the same network address is set for the Web authentication IP address. Set the IP address so that it does not duplicate the network address for the Web authentication IP address.
Message: system function isn't set.
Description: The setting is not possible because the system function command has not been set. Use the system function command to specify filter.

Message: The sequence number exceeded the maximum value. Try "resequence" Command.
Description: The automatic sequence number exceeds the maximum value. Execute the resequence command.

Message: This list cannot be set to this port.
Description: This access list cannot be applied to this Ethernet interface.
Message: Cannot attach this list because flow detection mode Layer2-1.
Description: If the flow detection mode is Layer 2-1, this QoS flow list cannot be applied. If the flow detection mode is Layer 2-1, a MAC QoS flow list can be applied. To do so, you can use the following command: mac qos-flow-group command

Message: Cannot attach this list because flow detection mode Layer2-2.
Message: This list cannot be set to VLAN.
Description: This QoS flow list cannot be applied to VLAN interfaces. If the VLAN ID is set as a flow detection condition in a QoS flow list, the QoS flow list cannot be applied to the VLAN interface. Apply it to an Ethernet interface or delete the VLAN ID from the detection condition.

Message: This list name is being used as other protocol type by other definition.
Message: Relations between individual force-authorized and common force-authorized are inconsistent.
Description: The authentication force-authorized enable command cannot be set because force authentication is set for each type of authentication functionality.
Message: dot1x(vlan dynamic): Cannot set "dot1x vlan dynamic supplicant-detection disable" because ignore-eapol-start is set now.
Description: The terminal detection mode cannot be disabled because the functionality for suppressing the re-authentication of requests from a terminal for VLAN-based authentication (dynamic) is set.

Message: dot1x(vlan dynamic): Cannot set "no dot1x vlan dynamic reauthentication" because ignore-eapol-start is set now.
port-channel : Port channel number

Message: dot1x(xxxxx): Cannot set "dot1x port-control force" command because sub-mode is multiple-authentication.
Description: force-unauthorized or force-authorized mode cannot be set because the xxxxx interface is in terminal authentication mode.
Message: dot1x(vlan dynamic): Cannot set "dot1x vlan dynamic radius-vlan" because authentication list or user-group is set.
Description: The dot1x vlan dynamic radius-vlan command cannot be set because the authentication method for each user ID or the port-based authentication method is set.
Message: interface : Invalid web-authentication html-fileset configuration.
Description: The web-authentication html-fileset command cannot be set because the web-authentication port command is not set on the applicable port.

Message: interface : Invalid web-authentication port configuration.
Message: system function isn't set.
Description: The following commands cannot be set because the system function command is not set:
web-authentication ip address
web-authentication port
Use the system function command to set extended-authentication.

Message: web-auth : Cannot set the command because the specified vlan is not found.
Description: The specified VLAN cannot be set because it is not a MAC VLAN.
Message: ip []: Can't delete IP configuration with dhcp configuration.
Description: The IP cannot be deleted or changed because it is being used by the DHCP server configuration. : VLAN ID

Message: It exceeded maximum number of IP-address pool.
Description: The maximum number of IP address pools has been exceeded. Revise the network configuration and excluded address settings.

Message: Maximum number of entries are already defined.
Message: interface : Relations between individual force-authorized and common force-authorized are inconsistent.
Message: system function isn't set.
Description: The mac-authentication port command cannot be set because the system function command is not set. Set system function extended-authentication.

36.1.23 Multistep authentication information

Table 36-24 Multistep authentication error messages

Message: interface : Relations between multi-step configuration and legacy mode configuration(s) are inconsistent.
Message: this command is different from this one in channel-group port.
Description: Participation in the port channel is not possible because the configuration is different.

Message: Too many parameters (exclude-VLAN ).
Description: The number of input parameters exceeds the maximum number (200). Set a value equal to or smaller than the maximum number.

36.1.
Message: ethernet : Maximum number of entries are already defined.
Description: An attempt is being made to set a configuration that is larger than the capacity limit or to change a configuration in an environment already at the maximum capacity limit. Delete configurations that are no longer used, and then set the configuration again.

Message: ethernet : Not found .
Description: The specified domain level cannot be found.
Message: interface : Maximum number of entries are already defined.
Description: An attempt is being made to set a configuration that is larger than the capacity limit or to change a configuration in an environment already at the maximum capacity limit. Delete configurations that are no longer used, and then set the configuration again.

Message: interface : MEP ID is already configured in cfm mep.
Message: rmon : Not supported .
Description: An object that is not supported or an instance number that is not in the specifiable range is set for variable. Check the object and the instance number again.

Message: rmon : RMON alarm rising threshold is less than falling threshold.
Description: The lower threshold is greater than the upper threshold. Set a value smaller than the upper threshold as the lower threshold.