ECS2110-26T 26-Port Web-smart Pro 10G Ethernet Switch ECS2100-52T 52-Port Web-smart Pro Gigabit Ethernet Switch CLI Reference Guide Software Release v1.2.71.204 www.edge-core.
CLI Reference Guide ECS2110-26T Gigabit Ethernet Switch Web-smart Pro 10G Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports and 2 10G SFP Ports ECS2100-52T Gigabit Ethernet Switch Web-smart Pro Gigabit Ethernet Switch with 48 10/100/1000BASE-T (RJ-45) Ports and 4 Gigabit SFP Ports E012021-CS-R05
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Documentation: This documentation is provided for general information purposes only.
Contents Section I How to Use This Guide 3 Contents 5 Tables 31 Getting Started 37 1 Initial Switch Configuration Connecting to the Switch 39 39 Configuration Options 39 Connecting to the Console Port 40 Logging Onto the Command Line Interface 41 Setting Passwords 41 Remote Connections 42 Configuring the Switch for Remote Management 42 Using the Network Interface 42 Setting an IP Address 42 Configuring the Switch for Cloud Management 48 Enabling SNMP Management Access 48 Mana
Contents Section II Configuring SNTP 63 Configuring NTP 63 Command Line Interface 2 Using the Command Line Interface Accessing the CLI 65 67 67 Console Connection 67 Telnet Connection 68 Entering Commands 69 Keywords and Arguments 69 Minimum Abbreviation 69 Command Completion 69 Getting Help on Commands 70 Partial Keyword Lookup 71 Negating the Effect of Commands 72 Using Command History 72 Understanding Command Modes 72 Exec Commands 72 Configuration Commands 73 Command Li
Contents exit 85 4 System Management Commands Cloud Management 87 87 mgmt 88 mgmt loglevel 88 mgmt setoption 89 mgmt property 91 mgmt upgrade 91 show mgmt status 92 show mgmt version 92 show mgmt log 92 show mgmt option 93 Device Designation 93 hostname 93 System Status 94 show access-list tcam-utilization 95 show memory 96 show process cpu 97 show process cpu guard 97 show process cpu task 98 show running-config 100 show startup-config 101 show system 102 show t
Contents General Commands 109 boot system 109 copy 110 delete 114 dir 115 whichboot 116 Automatic Code Upgrade Commands 116 upgrade opcode auto 116 upgrade opcode path 117 upgrade opcode reload 118 show upgrade 119 TFTP Configuration Commands 119 ip tftp retry 119 ip tftp timeout 120 show ip tftp 120 Line 121 line 122 databits 122 exec-timeout 123 login 124 parity 125 password 125 password-thresh 126 silent-time 127 speed 128 stopbits 128 timeout login res
Contents logging on 135 logging trap 136 clear log 136 show log 137 show logging 138 SMTP Alerts 139 logging sendmail 140 logging sendmail destination-email 140 logging sendmail host 141 logging sendmail level 141 logging sendmail source-email 142 show logging sendmail 143 Time 143 SNTP Commands 144 sntp client 144 sntp poll 145 sntp server 145 show sntp 146 NTP Commands 147 ntp authenticate 147 ntp authentication-key 147 ntp client 148 ntp server 149 show ntp
Contents time-range 158 absolute 159 periodic 160 show time-range 161 Switch Clustering 161 cluster 162 cluster commander 163 cluster ip-pool 164 cluster member 164 rcommand 165 show cluster 166 show cluster members 166 show cluster candidates 166 5 SNMP Commands 169 General SNMP Commands 171 snmp-server 171 snmp-server community 171 snmp-server contact 172 snmp-server location 173 show snmp 173 SNMP Target Host Commands 174 snmp-server enable traps 174 snmp-serv
Contents show snmp view 187 Notification Log Commands 187 nlm 187 snmp-server notify-filter 188 show nlm oper-status 190 show snmp notify-filter 190 Additional Trap Commands 190 memory 190 process cpu 191 process cpu guard 192 6 Remote Monitoring Commands 195 rmon alarm 196 rmon event 197 rmon collection history 198 rmon collection rmon1 199 show rmon alarms 200 show rmon events 200 show rmon history 201 show rmon statistics 201 7 Flow Sampling Commands 203 sflow own
Contents RADIUS Client 216 radius-server acct-port 216 radius-server auth-port 217 radius-server host 217 radius-server key 218 radius-server retransmit 219 radius-server timeout 219 show radius-server 220 TACACS+ Client 220 tacacs-server host 221 tacacs-server key 221 tacacs-server port 222 tacacs-server retransmit 222 tacacs-server timeout 223 show tacacs-server 223 AAA 224 aaa accounting commands 225 aaa accounting dot1x 226 aaa accounting exec 227 aaa accounting upd
Contents ip http secure-port 238 ip http secure-server 239 Telnet Server 240 ip telnet max-sessions 241 ip telnet port 241 ip telnet server 242 telnet (client) 242 show ip telnet 243 Secure Shell 243 ip ssh authentication-retries 245 ip ssh server 246 ip ssh timeout 247 delete public-key 247 ip ssh crypto host-key generate 248 ip ssh crypto zeroize 248 ip ssh save host-key 249 show ip ssh 249 show public-key 250 show ssh 250 802.
Contents Supplicant Commands 260 dot1x timeout auth-period 260 dot1x timeout held-period 260 Information Display Commands show dot1x 261 261 Management IP Filter 263 management 263 show management 264 9 General Security Measures Port Security 267 268 mac-learning 268 port security 269 show port security 271 Network Access (MAC Address Authentication) 273 network-access aging 273 network-access mac-filter 274 mac-authentication reauth-time 275 network-access dynamic-qos 276
Contents web-auth 287 web-auth re-authenticate (Port) 288 web-auth re-authenticate (IP) 288 show web-auth 289 show web-auth interface 289 show web-auth summary 290 DHCPv4 Snooping 290 ip dhcp snooping 291 ip dhcp snooping information option 293 ip dhcp snooping information option encode no-subtype 294 ip dhcp snooping information option remote-id 296 ip dhcp snooping information option tr101 board-id 297 ip dhcp snooping information policy 297 ip dhcp snooping verify mac-address
Contents ip arp inspection validate 317 ip arp inspection vlan 318 ip arp inspection limit 319 ip arp inspection trust 319 show ip arp inspection configuration 320 show ip arp inspection interface 320 show ip arp inspection log 321 show ip arp inspection statistics 321 show ip arp inspection vlan 321 Denial of Service Protection 322 dos-protection echo-chargen 322 dos-protection smurf 323 dos-protection tcp-flooding 323 dos-protection tcp-null-scan 324 dos-protection tcp-syn-fin
Contents access-list ipv6 340 permit, deny (Standard IPv6 ACL) 341 permit, deny (Extended IPv6 ACL) 342 ipv6 access-group 345 show ipv6 access-group 345 show ipv6 access-list 346 MAC ACLs 346 access-list mac 347 permit, deny (MAC ACL) 347 mac access-group 350 show mac access-group 351 show mac access-list 351 ARP ACLs 352 access-list arp 352 permit, deny (ARP ACL) 353 show access-list arp 354 ACL Information 354 clear access-list hardware counters 355 show access-group
Contents show interfaces history 370 show interfaces status 372 show interfaces switchport 373 Transceiver Threshold Configuration 374 transceiver-monitor 374 transceiver-threshold-auto 375 transceiver-threshold current 375 transceiver-threshold rx-power 376 transceiver-threshold temperature 377 transceiver-threshold tx-power 378 transceiver-threshold voltage 379 show interfaces transceiver 380 show interfaces transceiver-threshold 381 Cable Diagnostics 382 test cable-diagnostic
Contents Local Port Mirroring Commands 401 port monitor 401 show port monitor 402 RSPAN Mirroring Commands 403 rspan source 405 rspan destination 406 rspan remote vlan 407 no rspan session 408 show rspan 409 14 Congestion Control Commands Rate Limit Commands 411 411 rate-limit 412 Storm Control Commands 413 switchport packet-rate 15 Loopback Detection Commands 413 415 loopback-detection 416 loopback-detection action 416 loopback-detection recover-time 417 loopback-detectio
Contents smart-pair 427 smart-pair restore 428 primary-port 429 backup-port 430 wtr-delay 431 show smart-pair 431 18 Spanning Tree Commands 433 spanning-tree 434 spanning-tree cisco-prestandard 435 spanning-tree forward-time 435 spanning-tree hello-time 436 spanning-tree max-age 437 spanning-tree mode 437 spanning-tree mst configuration 439 spanning-tree pathcost method 439 spanning-tree priority 440 spanning-tree system-bpdu-flooding 441 spanning-tree tc-prop 441 spanni
Contents spanning-tree mst port-priority 454 spanning-tree port-bpdu-flooding 455 spanning-tree port-priority 455 spanning-tree root-guard 456 spanning-tree spanning-disabled 457 spanning-tree tc-prop-stop 457 spanning-tree loopback-detection release 458 spanning-tree protocol-migration 459 show spanning-tree 459 show spanning-tree mst configuration 462 show spanning-tree tc-prop 462 19 VLAN Commands 463 Editing VLAN Groups 463 vlan database 464 vlan 464 Configuring VLAN Inter
Contents show protocol-vlan protocol-group 482 show interfaces protocol-vlan protocol-group 483 Configuring MAC Based VLANs 483 mac-vlan 484 show mac-vlan 485 Configuring Voice VLANs 485 voice vlan 486 voice vlan aging 487 voice vlan mac-address 488 switchport voice vlan 489 switchport voice vlan priority 489 switchport voice vlan rule 490 switchport voice vlan security 491 show voice vlan 491 20 Class of Service Commands 493 Priority Commands (Layer 2) 493 queue mode 494
Contents class 510 police rate 511 set cos 512 service-policy 513 show class-map 513 show policy-map 514 show policy-map interface 515 22 Multicast Filtering Commands 517 IGMP Snooping 517 ip igmp snooping 519 ip igmp snooping priority 520 ip igmp snooping proxy-reporting 520 ip igmp snooping querier 521 ip igmp snooping router-alert-option-check 522 ip igmp snooping router-port-expire-time 522 ip igmp snooping tcn-flood 523 ip igmp snooping tcn-query-solicit 524 ip igmp s
Contents show ip igmp snooping mrouter 538 show ip igmp snooping statistics 538 Static Multicast Routing 541 ip igmp snooping vlan mrouter IGMP Filtering and Throttling 541 542 ip igmp filter (Global Configuration) 543 ip igmp profile 543 permit, deny 544 range 544 ip igmp filter (Interface Configuration) 545 ip igmp max-groups 546 ip igmp max-groups action 546 ip igmp query-drop 547 ip multicast-data-drop 547 show ip igmp filter 548 show ip igmp profile 549 show ip igmp query
Contents show ipv6 mld snooping 561 show ipv6 mld snooping group 562 show ipv6 mld snooping group source-list 563 show ipv6 mld snooping mrouter 563 show ipv6 mld snooping statistics 564 MLD Filtering and Throttling 568 ipv6 mld filter (Global Configuration) 568 ipv6 mld profile 569 permit, deny 570 range 570 ipv6 mld filter (Interface Configuration) 571 ipv6 mld max-groups 571 ipv6 mld max-groups action 572 ipv6 mld query-drop 573 show ipv6 mld filter 573 show ipv6 mld profil
Contents lldp dot1-tlv pvid 587 lldp dot1-tlv vlan-name 587 lldp dot3-tlv link-agg 588 lldp dot3-tlv mac-phy 588 lldp dot3-tlv max-frame 589 lldp med-location civic-addr 590 lldp med-notification 591 lldp med-tlv inventory 592 lldp med-tlv location 593 lldp med-tlv med-cap 593 lldp med-tlv network-policy 594 lldp notification 594 show lldp config 595 show lldp info local-device 596 show lldp info remote-device 597 show lldp info statistics 599 24 Domain Name Service Commands
Contents DHCP for IPv4 612 ip dhcp dynamic-provision 612 ip dhcp client class-id 613 ip dhcp restart client 615 show ip dhcp dynamic-provision 615 DHCP for IPv6 616 ipv6 dhcp client rapid-commit vlan 616 ipv6 dhcp restart client vlan 616 show ipv6 dhcp duid 618 show ipv6 dhcp vlan 618 DHCP Relay 619 ip dhcp relay server 619 ip dhcp restart relay 620 26 IP Interface Commands IPv4 Interface 623 623 Basic IPv4 Configuration 624 ip address 624 ip default-gateway 626 show ip de
Contents ipv6 address link-local 641 ipv6 enable 642 ipv6 mtu 643 show ipv6 default-gateway 644 show ipv6 interface 644 show ipv6 mtu 647 show ipv6 traffic 647 clear ipv6 traffic 652 ping6 652 traceroute6 653 Neighbor Discovery 655 ipv6 nd dad attempts 655 ipv6 nd ns-interval 656 ipv6 nd reachable-time 658 clear ipv6 neighbors 659 show ipv6 neighbors 659 28 IP Routing Commands Global Routing Configuration 661 661 IPv4 Commands 662 ip route 662 show ip route 663 show
Contents Section III version 674 ip rip authentication mode 675 ip rip authentication string 676 ip rip receive version 676 ip rip receive-packet 677 ip rip send version 678 ip rip send-packet 679 ip rip split-horizon 679 clear ip rip route 680 show ip protocols rip 681 show ip rip 681 Appendices 683 A Troubleshooting 685 Problems Accessing the Management Interface 685 Using System Logs 686 B License Information 687 The GNU General Public License 687 Glossary 691 Comman
Tables Table 1: Options 60, 66 and 67 Statements 60 Table 2: Options 55 and 124 Statements 61 Table 3: General Command Modes 72 Table 4: Configuration Command Modes 74 Table 5: Keystroke Commands 75 Table 6: Command Group Index 76 Table 7: General Commands 79 Table 8: System Management Commands 87 Table 9: Cloud Management Commands 87 Table 10: Cloud Management Agent Options 89 Table 11: Device Designation Commands 93 Table 12: System Status Commands 94 Table 13: show access-list tc
Tables Table 30: Switch Cluster Commands 161 Table 31: SNMP Commands 169 Table 32: show snmp engine-id - display description 184 Table 33: show snmp group - display description 185 Table 34: show snmp user - display description 186 Table 35: show snmp view - display description 187 Table 36: RMON Commands 195 Table 37: sFlow Commands 203 Table 38: Authentication Commands 209 Table 39: User Access Commands 210 Table 40: Default Login Settings 212 Table 41: Authentication Sequence Comma
Tables Table 65: Traffic Segmentation Forwarding 328 Table 66: Access Control List Commands 333 Table 67: IPv4 ACL Commands 333 Table 68: IPv6 ACL Commands 340 Table 69: MAC ACL Commands 346 Table 70: ARP ACL Commands 352 Table 71: ACL Information Commands 354 Table 72: Interface Commands 357 Table 73: show interfaces counters - display description 368 Table 74: show interfaces switchport - display description 374 Table 75: Link Aggregation Commands 387 Table 76: show lacp counters -
Tables Table 100: Priority Commands 493 Table 101: Priority Commands (Layer 2) 493 Table 102: Priority Commands (Layer 3 and 4) 498 Table 103: Default Mapping of CoS/CFI Values to Queue/CFI 499 Table 104: Default Mapping of DSCP/CFI Values to Queue 500 Table 105: Quality of Service Commands 505 Table 106: Multicast Filtering Commands 517 Table 107: IGMP Snooping Commands 517 Table 108: show ip igmp snooping statistics input - display description 539 Table 109: show ip igmp snooping statis
Table 135: show ipv6 mtu - display description 647 Table 136: show ipv6 traffic - display description 648 Table 137: show ipv6 neighbors - display description 659 Table 160: IP Routing Commands 661 Table 161: Global Routing Configuration Commands 661 Table 162: Routing Information Protocol Commands 665 Table 163: Troubleshooting Chart 685
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration
This chapter includes information on connecting to the switch and basic configuration procedures.
Connecting to the Switch
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IPv4 address for this switch is obtained via DHCP by default.
Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.
Logging Onto the Command Line Interface: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
Console(config)#username admin password 0 [password]
Console(config)#
The “0” indicates that the password is entered in plain text. Change the default passwords before the switch is reachable from a production network.
* This manual covers the ECS2110-26T and the ECS2100-52T Gigabit Ethernet switch. Other than the difference in port types, there are no significant differences.
Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router. To specify the default gateway for the switch, use the ip default-gateway command.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator:
◆ Prefix for this network
◆ IPv6 address for the switch
◆ Default gateway for the network
For netw
Global unicast address(es):
  2001:db8:2222:7272::/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
  ff02::1:ff00:0
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press Enter.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Configuring the Switch for Cloud Management
The Edgecore ecCLOUD Controller is a cloud-based network service available from anywhere through a web-browser interface. The switch can be managed by the ecCLOUD controller once you have set up an account and registered the device on the system.
Enabling SNMP Management Access
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. Community strings travel in clear text and are the only credential for version 1 and 2c clients, so prefer SNMP version 3 with authentication and privacy wherever the management station supports it. The switch provides a default MIB View (i.e.
Trap Receivers: You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are:
◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
Upgrading the Operation Code: The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name. File names on the switch are case-sensitive. Neither TFTP nor FTP authenticates the server to the switch or protects the image in transit, so run the transfer only over a trusted management network.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.
Installing a Port License File
license limits the number of usable ports, whereas a valid license provides full access to all ports.
Download the corresponding license file as shown in the following example using the file type number “21”. Note that the license file is named according to the device MAC address. The network ports will be automatically activated within two minutes after successful installation.
Console#copy tftp file
TFTP server IP address: 192.168.1.9
Choose file type: 1. config; 2.
Automatic Installation of Operation Code and Configuration Settings
◆ The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/” to indicate this (e.g., ftp://192.168.0.1/).
◆ The file name must not be included in the upgrade file location URL. The file name of the code stored on the remote server must be ECS2110-series.bix (using lower case letters as indicated).
To enable automatic upgrade, enter the following commands:
1. Specify the TFTP or FTP server to check for new operation code.
■ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.
c. It sets the new version as the startup image.
d. It then restarts the system to start using the new image.
Console(config)#upgrade opcode auto
Console(config)#
4. Display the automatic upgrade settings.
Console#show upgrade
Auto Image Upgrade Global Settings:
  Status        : Enabled
  Reload Status : Enabled
  Path          :
  File Name     : ECS2110-series.
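Both the manual “copy tftp” download above and the automatic upgrade procedure rely on a plain TFTP read: a request naming the file, then 512-byte DATA blocks each acknowledged by the client, with a short final block ending the transfer. The following is an added example written for this guide, not switch code or code from Edgecore: it simulates both sides of that exchange in memory (RFC 1350 opcodes), uses the file name the guide requires, serves constructed image bytes, and, because TFTP carries no credentials and no integrity protection, compares the fetched image against a SHA-256 digest obtained out of band before it would be activated. That digest check is an added practice, not a switch feature; the server class and image contents are assumptions.

```python
"""Added example, not code from the Edgecore guide: in-memory walkthrough of
the TFTP read exchange behind "copy tftp" and "upgrade opcode path tftp://".
Server and client are both simulated; the image bytes are constructed."""
import hashlib
import hmac
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # TFTP opcodes (RFC 1350)
BLOCK_SIZE = 512                              # data block size; a shorter block ends the transfer


def build_rrq(filename, mode="octet"):
    """Read request: opcode, filename, NUL, mode, NUL. No credentials of any kind."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(packet):
    if len(packet) < 2 or struct.unpack("!H", packet[:2])[0] != RRQ:
        raise ValueError("not a read request")
    parts = packet[2:].split(b"\0")
    if len(parts) < 3:
        raise ValueError("malformed read request")
    return parts[0].decode(), parts[1].decode().lower()


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class TftpServer:
    """Serves files from a dict. Like a real TFTP server it answers any client."""

    def __init__(self, files):
        self.files = files
        self.blocks = []

    def handle_rrq(self, packet):
        name, mode = parse_rrq(packet)
        if mode != "octet":
            return build_error(0, "only octet mode is supported")
        if name not in self.files:                      # names are case-sensitive
            return build_error(1, "File not found")
        data = self.files[name]
        self.blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(data) % BLOCK_SIZE == 0:                 # exact multiple: send an empty final block
            self.blocks.append(b"")
        return build_data(1, self.blocks[0])

    def handle_ack(self, packet):
        op, block = struct.unpack("!HH", packet[:4])
        if op != ACK:
            return build_error(4, "Illegal TFTP operation")
        if block >= len(self.blocks):                   # last block acknowledged, done
            return None
        return build_data(block + 1, self.blocks[block])


def tftp_get(server, filename):
    """Client side of the exchange; returns the file bytes or raises OSError."""
    reply = server.handle_rrq(build_rrq(filename))
    received = bytearray()
    expected = 1
    while True:
        op = struct.unpack("!H", reply[:2])[0]
        if op == ERROR:
            code = struct.unpack("!H", reply[2:4])[0]
            raise OSError("TFTP error %d: %s" % (code, reply[4:-1].decode()))
        if op != DATA:
            raise OSError("unexpected opcode %d" % op)
        block = struct.unpack("!H", reply[2:4])[0]
        if block != expected:                           # duplicate or out-of-order block
            raise OSError("expected block %d, got %d" % (expected, block))
        payload = reply[4:]
        received += payload
        reply = server.handle_ack(build_ack(block))
        if len(payload) < BLOCK_SIZE:                   # short block: transfer complete
            return bytes(received)
        expected += 1


def verified_download(server, filename, expected_sha256_hex):
    """Fetch the image and refuse it unless its digest matches the one obtained out of band."""
    image = tftp_get(server, filename)
    if not hmac.compare_digest(sha256_hex(image), expected_sha256_hex):
        raise ValueError("image digest mismatch, refusing to activate")
    return image


# Constructed sample: a 1280-byte "image" served under the file name the guide requires.
SAMPLE_IMAGE = bytes(range(256)) * 5
SAMPLE_SERVER = TftpServer({"ECS2110-series.bix": SAMPLE_IMAGE})

if __name__ == "__main__":
    image = verified_download(SAMPLE_SERVER, "ECS2110-series.bix", sha256_hex(SAMPLE_IMAGE))
    print("downloaded %d bytes in %d blocks" % (len(image), len(SAMPLE_SERVER.blocks)))
```

The client accepts whatever the first responder sends, which is why the guide's advice to use a trusted server on the management network matters: the digest comparison is the only thing in this exchange that can catch a substituted image.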
startup1.cfg    Config    Y    2015-07-13 04:03:49    1707
----------------------------------------------------------------------------
Free space for compressed user config files: 1310720
Total space: 32 MB
Console#
Specifying a DHCP Client Identifier: DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier.
Note the following DHCP client behavior:
◆ To enable dynamic provisioning via a DHCP server, this feature must be enabled using the ip dhcp dynamic-provision command. The switch accepts the server address and file name from whichever DHCP server answers, so enable this only on networks where DHCP is controlled.
◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
Table 2: Options 55 and 124 Statements

Option   Keyword                        Parameter
------   ----------------------------   ------------------------------------------------
55       dhcp-parameter-request-list    a list of parameters, separated by a comma ','
124      vendor-class-identifier        a string indicating the vendor class identifier

The following configuration example is provided for a Linux-based DHCP daemon (dhcpd.conf file).
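The provisioning exchange described in this section is carried in DHCP options: the client asks for the TFTP server and bootfile options (66 and 67) through option 55 and identifies itself with a vendor class (option 60), and the server's reply carries the two values back. The following added example, written for this guide and not taken from the switch or from Edgecore, encodes and decodes those option fields so the byte layout is visible, including the length-prefixed TLV parsing a client must get right to avoid reading past a truncated field. The vendor class string, MAC address, server address and file name are assumptions.

```python
"""Added example, not code from the Edgecore guide: encode and decode the DHCP
options that dynamic provisioning depends on. All sample values are assumed."""
import struct

OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_VENDOR_CLASS = 60
OPT_CLIENT_ID = 61
OPT_TFTP_SERVER = 66
OPT_BOOTFILE = 67
OPT_VIVCO = 124          # vendor-identifying vendor class (RFC 3925)
DHCPDISCOVER, DHCPOFFER, DHCPACK = 1, 2, 5


def encode_options(options):
    """options: list of (code, bytes) -> DHCP options field terminated by 255."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("option %d cannot be encoded" % code)
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse an options field into {code: bytes}. Rejects truncated TLVs rather
    than reading past the buffer, and concatenates split options (RFC 3396)."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d at offset %d" % (code, i))
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field not terminated by option 255")


def client_identifier(mac):
    """Option 61 value: hardware type 1 (Ethernet) followed by the 6-byte MAC."""
    return b"\x01" + bytes.fromhex(mac.replace(":", "").replace("-", ""))


def vivco(enterprise_number, vendor_class):
    """Option 124 value: 4-byte IANA enterprise number, then length-prefixed class data."""
    return struct.pack("!IB", enterprise_number, len(vendor_class)) + vendor_class


def build_discover_options(vendor_class, mac):
    """Client side: identify the device and ask for options 66 and 67."""
    return encode_options([
        (OPT_MESSAGE_TYPE, bytes((DHCPDISCOVER,))),
        (OPT_CLIENT_ID, client_identifier(mac)),
        (OPT_VENDOR_CLASS, vendor_class.encode()),
        (OPT_PARAM_REQUEST, bytes((OPT_TFTP_SERVER, OPT_BOOTFILE))),
    ])


def provisioning_from_reply(options_field):
    """Return (tftp_server, bootfile) from an OFFER/ACK, or None if not provided."""
    opts = decode_options(options_field)
    if opts.get(OPT_MESSAGE_TYPE) not in (bytes((DHCPOFFER,)), bytes((DHCPACK,))):
        return None
    server, bootfile = opts.get(OPT_TFTP_SERVER), opts.get(OPT_BOOTFILE)
    if not server or not bootfile:
        return None
    return server.decode(), bootfile.decode()


# Constructed sample server reply (values are assumptions, not from the guide).
SAMPLE_OFFER_OPTIONS = encode_options([
    (OPT_MESSAGE_TYPE, bytes((DHCPOFFER,))),
    (OPT_TFTP_SERVER, b"192.168.1.9"),
    (OPT_BOOTFILE, b"startup1.cfg"),
])

if __name__ == "__main__":
    print(build_discover_options("ECS2110-26T", "00:11:22:33:44:55").hex())
    print(provisioning_from_reply(SAMPLE_OFFER_OPTIONS))
```

Nothing in the reply authenticates the server: any host that answers the DISCOVER first can hand the switch a TFTP server and file name, which is the reason for restricting where this feature is enabled.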
Setting the System Clock
Simple Network Time Protocol (SNTP) or Network Time Protocol (NTP) can be used to set the switch’s internal clock based on periodic updates from a time server. Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock.
Configuring SNTP: Setting the clock based on an SNTP server can provide more accurate clock synchronization across network switches than manually-configured time. To configure SNTP, set the switch as an SNTP client, and then set the polling interval, and specify a time server as shown in the following example.
Console(config)#sntp client
Console(config)#sntp poll 60
Console(config)#sntp server 10.1.0.
Last Update Time : Apr 2 16:00:00 2013 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.5.
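The SNTP and NTP clients above exchange a 48-byte packet with the time server and, when “ntp authenticate” and “ntp authentication-key” are configured, require the server's reply to carry a symmetric-key MD5 authenticator (4-byte key ID plus MD5 over the key and the header, as in NTPv3). The following added example, written for this guide and not taken from the switch or from Edgecore, builds the client request and an authenticated version 3 server reply, verifies the authenticator the way an authenticating client must (rejecting unauthenticated, unknown-key and tampered replies), and computes the SNTP clock offset from the four timestamps. The key ID, key value and timestamps are constructed.

```python
"""Added example, not code from the Edgecore guide: SNTP/NTP packet build,
parse, NTPv3 MD5 symmetric-key authenticator, and clock offset. Key and
timestamps are constructed values."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800       # seconds from 1900-01-01 to 1970-01-01
HEADER_FMT = "!BBBbIII8s8s8s8s"     # 48-byte NTP header layout
HEADER_LEN = 48
MAC_LEN = 4 + 16                    # key id + MD5 digest
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_ts(unix_time):
    """Unix time (float) -> 64-bit NTP timestamp: seconds since 1900, 32-bit fraction."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)


def from_ntp_ts(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_header(mode, version, transmit_time, stratum=0,
                 originate=b"\0" * 8, receive=b"\0" * 8):
    li_vn_mode = (version << 3) | mode                # leap indicator 0
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       b"\0" * 8, originate, receive, to_ntp_ts(transmit_time))


def authenticate(header, key_id, key):
    """Append the MD5 MAC: 4-byte key id + MD5(key || 48-byte header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet, trusted_keys):
    """True only if the packet carries a MAC valid under a trusted key. Unauthenticated
    or unknown-key packets are rejected, which is what ntp authenticate requires."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def parse_header(packet):
    f = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "originate": from_ntp_ts(f[8]), "receive": from_ntp_ts(f[9]),
            "transmit": from_ntp_ts(f[10])}


def clock_offset(t1, t2, t3, t4):
    """SNTP offset (RFC 4330): t1 client send, t2 server receive, t3 server send, t4 client receive."""
    return ((t2 - t1) + (t3 - t4)) / 2


# Constructed exchange: client request, then an authenticated server reply.
KEY_ID, KEY = 1, b"example-ntp-key"        # assumption; set with ntp authentication-key
T1 = 1700000000.0
CLIENT_REQUEST = authenticate(build_header(MODE_CLIENT, 3, T1), KEY_ID, KEY)
SERVER_REPLY = authenticate(
    build_header(MODE_SERVER, 3, 1700000000.25, stratum=2,
                 originate=CLIENT_REQUEST[40:48],     # echoes the client's transmit timestamp
                 receive=to_ntp_ts(1700000000.2)),
    KEY_ID, KEY)

if __name__ == "__main__":
    reply = parse_header(SERVER_REPLY)
    print("authenticated:", verify(SERVER_REPLY, {KEY_ID: KEY}))
    print("offset:", clock_offset(T1, reply["receive"], reply["transmit"], T1 + 0.5))
```

The authenticator covers only the header, and MD5 here is a keyed digest rather than HMAC; that is the scheme the NTP key commands implement, so the key's secrecy and the use of a distinct key per server are what make “ntp authenticate” worth enabling.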
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “Spanning Tree Commands” on page 433 ◆ “VLAN Commands” on page 463 ◆ “Class of Service Commands” on page 493 ◆ “Quality of Service Commands” on page 505 ◆ “Multicast Filtering Commands” on page 517 ◆ “LLDP Commands” on page 577 ◆ “Domain Name Service Commands” on page 601 ◆ “DHCP Commands” on page 611 ◆ “IP Interface Commands” on page 623 ◆ “IP Routing Commands” on page 661
2 Using the Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Note: You can only access the console interface through the Master unit in the stack.
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet or Secure Shell (SSH) connection, the switch can be managed by entering command keywords and parameters at the prompt.
Telnet Connection: Telnet operates over TCP/IP. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Telnet sends the login credentials and the whole session in clear text, so use SSH for remote management wherever possible. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Note: You can open up to eight sessions to the device via Telnet or SSH.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands: If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
  radius-server          RADIUS server information
  reload                 Shows the reload settings
  rmon                   Remote monitoring information
  rspan                  Display status of the current RSPAN configuration
  running-config         Information on the running configuration
  sflow                  Shows the sflow informat
  snmp
  snmp-server
  sntp
  spanning-tree
  ssh
  startup-config
  subnet-vlan
  system
  tacacs-server
  tech-support
  time-range
  traffic-segmentation
  upgrade
  users
  version
  vlan
  voice
  watchdog
  web-auth
Console#show
Negating the Effect of Commands: For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.” Change this default password with the enable password command before the switch is deployed. To enter Privileged Exec mode, enter the following user names and passwords:
Username: admin
Password: [admin login password]
CLI session with the ECS2110-26T is opened.
To end the CLI session, enter [Exit].
◆ Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists.
◆ VLAN Configuration - Includes the command to create VLAN groups.
Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Console(config)#ip igmp snooping
Console(config)#end
Console#show ip igmp snooping mrouter
 VLAN  M'cast Router Ports  Type
 ----  -------------------  -------
    1  Eth 1/11             Static
Console#
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)

Command Group    Description                                                                  Page
Address Table    Configures the address table for filtering specified addresses, displays     421
                 current entries, clears the table, or sets the aging time
Spanning Tree    Configures Spanning Tree settings for the switch                             433
VLANs            Configures VLAN settings, and defines port membership for VLAN groups;
                 also enables or configures private VLANs, protocol VLANs, voice VLANs, an
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Global Configuration
Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 110).
 ◆ The "#" character is appended to the end of the prompt to indicate that the system is in privileged access mode.

Example
 Console>enable
 Password: [privileged level password]
 Console#

Related Commands
 disable (84)
 enable password (210)

quit

This command exits the configuration program.

Default Setting
 None

Command Mode
 Normal Exec, Privileged Exec

Command Usage
 The quit and exit commands can both exit the configuration program.
Example
 In this example, the show history command lists the contents of the command history buffer:

 Console#show history
 Execution command history:
  2 config
  1 show history
 Configuration command history:
  4 interface vlan 1
  3 exit
  2 interface vlan 1
  1 end
 Console#

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable

This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 72.

Default Setting
 None

Command Mode
 Privileged Exec

Command Usage
 The ">" character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload

This command displays the current reload settings, and the time at which the next scheduled reload will take place.

Command Mode
 Privileged Exec

Example
 Console#show reload
 Reloading switch in time: 0 hours 29 minutes.
 The switch will be rebooted at January 1 02:11:50 2015.
 Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
 Console#

end

This command returns to Privileged Exec mode.
Example
 This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

 Console(config)#exit
 Console#exit

 Press ENTER to start session
 User Access Verification
 Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Cloud Management

Table 9: Cloud Management Commands

 Command            Function                                                   Mode
 show mgmt status   Displays the cloud management agent status                 PE
 show mgmt version  Displays the cloud management agent code version           PE
 show mgmt log      Displays log messages from the cloud management agent      PE
 show mgmt option   Displays the cloud management agent configuration options  PE

mgmt

This command enables or disables the cloud management agent for the switch.
Command Mode
 Global Configuration

Command Usage
 ◆ The logging levels from minimum severity to maximum severity are: Trace, Debug, Info, Warn, Error.
 ◆ This command configures messages logged by the cloud management agent based on severity. Messages from the configured level up to the maximum level are logged. Therefore, if Info is the configured level, all messages for Info, Warn, and Error are logged.
Table 10: Cloud Management Agent Options (Continued)

 Name                     Type    Required  Default  Notes
 acn.mgmt.loglevel        string  no        "info"   Logging level for mgmtd. Possible values, in order of decreasing severity: error, warn, info, debug, trace.
 acn.mgmt.hb_interval     int     no        60       Heartbeat message sending interval.
 acn.mgmt.hb_ack_timeout  int     no        57       Heartbeat acknowledgement timeout (after which a connection problem is assumed).
 acn.mgmt.
Example
 Console(config)#mgmt setoption acn.mgmt.status_interval=600
 Console(config)#

mgmt property

This command sets the cloud management agent properties to their default values.

Syntax
 mgmt property default

Default Setting
 None

Command Mode
 Global Configuration

Example
 Console(config)#mgmt property default
 Console(config)#

mgmt upgrade

This command upgrades the cloud management agent software from a file on a TFTP server.
show mgmt status

This command displays the status of the cloud management agent.

Syntax
 show mgmt status

Command Mode
 Privileged Exec

Example
 Console#show mgmt status
 Console#

show mgmt version

This command displays the version of the cloud management agent.

Syntax
 show mgmt version

Command Mode
 Privileged Exec

Example
 Console#show mgmt version
 Mgmtd version: 1.4.
 2020-10-26 10:19:39 [info]: mgmtd status set to REG_FAILED
 2020-10-26 10:19:39 [error]: Error: Unable to contact registration service! (Empty response)
 Console#

show mgmt option

This command displays the cloud management agent options.

Syntax
 show mgmt option

Command Mode
 Privileged Exec

Example
 Console#show mgmt option
 Mgmtd Option:
  acn.mgmt=acn
  acn.mgmt.loglevel=info
  acn.mgmt.enabled=0
  acn.register=register
  acn.register.state=0
  acn.register.
  name - The name of this host. (Maximum length: 255 characters)

Default Setting
 None

Command Mode
 Global Configuration

Command Usage
 ◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
 ◆ This command and the prompt command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
System Status

Table 12: System Status Commands (Continued)

 Command            Function                                                                Mode
 show watchdog      Shows if watchdog debugging is enabled                                  PE
 watchdog software  Monitors key processes, and automatically reboots the system if any of  PE
                    these processes are not responding correctly

show access-list tcam-utilization

This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, and the number
  Unit  Device  Pool  Total  Used  Free  Capability
     1       0    14    128     0   128
     1       0    15     64     0    64
     1       0    16    128     0   128
     1       0    17    128     0   128
  (capability codes shown for these rows: AEM DE6S DE6E DE4 DEM QINQ; the extraction does not preserve which codes belong to which pool)
 Console#

Table 13: show access-list tcam-utilization - display description

 Field                 Description
 Pool Capability Code  Abbreviation for processes shown in the TCAM List.
 Unit                  Stack unit identifier.
 Device                Memory chip used for indicated pools.
 Pool                  Rule slice (or call group).
show process cpu

This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Table 14: show process cpu guard - display description

 Field                    Description
 CPU Guard Configuration
 Status                   Shows if CPU Guard has been enabled.
 High Watermark           If the percentage of CPU usage time is higher than the high watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
 FS HTTP_TD HW_WTDOG_TD IML_TX IP_SERVICE_GROU KEYGEN_TD L2_L4_PROCESS L2MCAST_GROUP L2MUX_GROUP L4_GROUP LACP_GROUP MSL_TD NETACCESS_GROUP NETACCESS_NMTR NETCFG_GROUP NETCFG_PROC NIC NMTRDRV NSM_GROUP NSM_PROC NSM_TD OSPF6_TD OSPF_TD PIM_GROUP PIM_PROC PIM_SM_TD POE_PROC RIP_TD SNMP_GROUP SNMP_TD SSH_GROUP SSH_TD STA_GROUP STKCTRL_GROUP STKTPLG_GROUP SWCTRL_GROUP SWCTRL_TD SWDRV_MONITOR SYS_MGMT_PROC SYSDRV SYSLOG_TD SYSMGMT_GROUP SYSTEM UDLD_GROUP WTDOG
show running-config

This command displays the configuration information currently in use.

Syntax
 show running-config [interface interface]
  interface
   ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-26/52)
   port-channel channel-id (Range: 1-8)
   vlan vlan-id (Range: 1-4094)

Command Mode
 Privileged Exec

Command Usage
 Use the interface keyword to display configuration data for the specified interface.
 enable password 7 1b3231655cebb7a1f783eddf27d254ca
 !
 vlan database
  VLAN 1 name DefaultVlan media ethernet
 !
 spanning-tree mst configuration
 !
 interface ethernet 1/1
  no negotiation
 ...
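The excerpt above shows how the switch stores the privileged password: enable password 7 followed by 32 hex digits. This example assumes, from that format, that a type-7 value is an unsalted MD5 digest of the clear-text password; the guide does not state the algorithm, so confirm it on your own firmware by setting a known password and reading it back with show running-config. If the assumption holds, any copy of the configuration (a TFTP backup made with copy, a console capture) exposes every account to an offline dictionary attack, and the following audit script shows how quickly that goes. It is an added example, not part of the switch software; the configuration text, user names and wordlist are constructed for the illustration, apart from the enable-password hash, which is the one in the excerpt.

```python
"""Audit an Edge-core style running-config for type-7 password hashes that
fall to a small wordlist.

Added example, not switch software. Assumption: a "password 7" value is
hashlib.md5(password).hexdigest(); verify this against your own firmware
before relying on the result.
"""
import hashlib
import re

# Matches "enable password 7 <md5>" and "username <name> password 7 <md5>".
PASSWORD_LINE = re.compile(
    r"^\s*(?:enable password|username\s+(?P<user>\S+)\s+password)\s+7\s+"
    r"(?P<digest>[0-9a-fA-F]{32})\s*$"
)


def md5_hex(password: str) -> str:
    """Type-7 hash as this example assumes the switch computes it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def find_weak_passwords(config_text: str, wordlist) -> list:
    """Return (config line, recovered password) for every type-7 hash whose
    pre-image is in wordlist. The wordlist is hashed once: an unsalted
    digest means one lookup table serves every account in the file."""
    table = {md5_hex(word): word for word in wordlist}
    hits = []
    for line in config_text.splitlines():
        match = PASSWORD_LINE.match(line)
        if match is None:
            continue
        recovered = table.get(match.group("digest").lower())
        if recovered is not None:
            hits.append((line.strip(), recovered))
    return hits


# Constructed sample configuration. The enable-password hash is the one shown
# in the show running-config excerpt above; the username lines are made up,
# with hashes computed here so the example is self-contained.
SAMPLE_CONFIG = "\n".join([
    "!",
    "enable password 7 1b3231655cebb7a1f783eddf27d254ca",
    "!",
    "username admin access-level 15",
    "username admin password 7 " + md5_hex("admin"),
    "username ops password 7 " + md5_hex("X9!rq-7TkdL2#wv"),
    "!",
    "vlan database",
    " VLAN 1 name DefaultVlan media ethernet",
    "!",
])

# Constructed wordlist: vendor-style defaults and common choices.
WORDLIST = ["admin", "password", "super", "switch", "edgecore", "123456"]

if __name__ == "__main__":
    for line, password in find_weak_passwords(SAMPLE_CONFIG, WORDLIST):
        print(f"WEAK: {line}  ->  {password!r}")
```

Run it against a saved configuration and a real wordlist; every enable or username line whose hash resolves is reported with the recovered password. Treat a hit as a reason to change the password and to restrict where configuration backups are stored, since the hash is all an attacker needs.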
Example
 Refer to the example for the running configuration file.

Related Commands
 show running-config (100)

show system

This command displays system information.

Default Setting
 None

Command Mode
 Normal Exec, Privileged Exec

Example
 Console#show system
 System Description : ECS2110-26T
 System OID String  : 1.3.6.1.4.1.259.10.1.44.102
 System Information
  System Up Time : 0 days, 2 hours, 25 minutes, and 27.
Table 15: show system – display description (Continued)

 Parameter        Description
 System Name      Name assigned to the switch system.
 System Location  Specifies the system location.
 System Contact   Administrator responsible for the system.
 MAC Address      MAC address assigned to this switch.
 Web Server/Port  Shows the administrative status of the web server and the TCP port number it listens on.
 startup1.cfg   Config   Y   2015-07-01 07:24:22   1343
 ----------------------------------------------------------------------------
 Free space for compressed user config files: 24018944
 Total space: 32 MB

 show arp:
 ARP Cache Timeout: 1200 (seconds)
 IP Address       MAC Address        Type       Interface
 ---------------  -----------------  ---------  ----------
 192.168.2.
show version

This command displays hardware and software version information for the system.

Command Mode
 Normal Exec, Privileged Exec

Example
 Console#show version
 Unit 1
  Serial Number          : S123456
  Hardware Version       : R01
  Number of Ports        : 28
  Main Power Status      : Up
  Role                   : Master
  Loader Version         : 0.1.1.6
  Linux Kernel Version   : 2.6.19
  Operation Code Version : 1.2.0.
watchdog software

This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.

Syntax
 watchdog software {disable | enable}

Default Setting
 Disabled

Command Mode
 Privileged Exec

Example
 Console#watchdog software disable
 Console#

Fan Control

This section describes the command used to force fan speed for the ECS2100-52T.
Frame Size

This section describes commands used to configure the Ethernet frame size on the switch.

Table 18: Frame Size Commands

 Command      Function                          Mode
 jumbo frame  Enables support for jumbo frames  GC

jumbo frame

This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it.
File Management

Managing Firmware

Firmware can be uploaded and downloaded to or from an FTP/SFTP/TFTP server. By saving runtime code to a file on an FTP/SFTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
Table 19: Flash/File Commands (Continued)

 Command          Function                                                                  Mode
 TFTP Configuration Commands
 ip tftp retry    Specifies the number of times the switch can retry transmitting a request  GC
                  to a TFTP server
 ip tftp timeout  Specifies the time the switch can wait for a response from a TFTP server   GC
                  before retransmitting a request or timing out for the last retry
 show ip tftp     Displays information about TFTP settings                                   PE
 General Commands
 boot system      This comm
copy

This command moves (upload/download) a code image or configuration file between the switch's flash memory and an FTP/SFTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/SFTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/SFTP/TFTP server and the quality of the network connection. Of the three methods, only SFTP authenticates the server and encrypts the transfer: FTP sends its login credentials in clear text, and both FTP and TFTP send code images and configuration files (including the password hashes shown by show running-config) in clear text.
 ◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
 ◆ You can use "Factory_Default_Config.cfg" as the source to copy from the factory default configuration file, but you cannot use it as the destination.
 ◆ To replace the startup configuration, you must use startup-config as the destination.
 ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/SFTP/TFTP server.
 Destination file name: m360.bix
 \Write to FLASH Programming.
 -Write to FLASH finish.
 Success.
 Console#

The following example shows how to upload the configuration settings to a file on the TFTP server:

 Console#copy file tftp
 Choose file type:
  1. config: 2. opcode: 1
 Source file name: startup
 TFTP server ip address: 10.1.0.99
 Destination file name: startup.01
 TFTP completed.
 Success.
 Success.
 Console#reload
 System will be restarted, continue ? y

This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch. Because TFTP provides neither authentication nor integrity protection, confirm after the download that the key stored on the switch is the key you intended to load.

 Console#copy tftp public-key
 TFTP server IP address: 192.168.1.19
 Choose public key type:
  1. RSA: 2. DSA: <1-2>: 1
 Source file name: steve.pub
 Username: steve
 TFTP Download Success.
delete

This command deletes a file or image.

Syntax
 delete {file name filename | https-certificate | public-key username [dsa | rsa]}
  file - Keyword that allows you to delete a file.
  name - Keyword indicating a file.
  filename - Name of configuration file or code image.
  https-certificate - Keyword that allows you to delete the HTTPS secure site certificate. You must reboot the switch to load the default certificate.
dir

This command displays a list of files in flash memory.

Syntax
 dir {config | opcode} [filename]
  config - Switch configuration file.
  opcode - Run-time operation code image file.
  filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
whichboot

This command displays which files were booted when the system powered up.

Syntax
 whichboot

Default Setting
 None

Command Mode
 Privileged Exec

Example
 This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

 Console#whichboot
 File Name
 ------------------------------
 Unit 1:
 ECS2110_V1.1.10.171.bix
 startup1.
    version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
 2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
 3. It sets the new version as the startup image.
 4.
Command Usage
 ◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
 ◆ The name for the new image stored on the TFTP server must be ECS2100series.bix. However, note that the file name is not to be included in this command.
Example
 This example enables the switch to reload automatically once a new image has been downloaded and set as the startup image.

 Console(config)#upgrade opcode reload
 Console(config)#

show upgrade

This command shows the opcode upgrade configuration settings.

Command Mode
 Privileged Exec

Example
 Console#show upgrade
 Auto Image Upgrade Global Settings:
  Status        : Disabled
  Reload Status : Disabled
  Path          :
  File Name     : ECS2110-series.
ip tftp timeout

This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.

Syntax
 ip tftp timeout seconds
 no ip tftp timeout
  seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line

You can access the onboard configuration program by attaching a VT100 compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
line

This command selects a specific line (console or virtual terminal) for configuration; subsequent line configuration commands apply to that line.

Syntax
 line {console | vty}
  console - Console terminal line.
  vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
 There is no default line.

Command Mode
 Global Configuration

Command Usage
 Telnet is considered a virtual terminal connection and will be shown as "VTY" in screen displays such as show users.
Command Usage
 The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
login

This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.

Syntax
 login [local]
 no login
  local - Selects local password checking. Authentication is based on the user name specified with the username command.
parity

This command defines the generation of a parity bit. Use the no form to restore the default setting.

Syntax
 parity {none | even | odd}
 no parity
  none - No parity
  even - Even parity
  odd - Odd parity

Default Setting
 No parity

Command Mode
 Line Configuration

Command Usage
 Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Command Usage
 ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Example
 To set the password threshold to five attempts, enter this command:

 Console(config-line-console)#password-thresh 5
 Console(config-line-console)#

Related Commands
 silent-time (127)

silent-time

This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
speed

This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

Syntax
 speed bps
 no speed
  bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps)

Default Setting
 115200 bps

Command Mode
 Line Configuration

Command Usage
 Set the speed to match the baud rate of the device connected to the serial port.
Example
 To specify 2 stop bits, enter this command:

 Console(config-line-console)#stopbits 2
 Console(config-line-console)#

timeout login response

This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.

Syntax
 timeout login response [seconds]
 no timeout login response
  seconds - Integer that specifies the timeout interval.
Command Mode
 Privileged Exec

Command Usage
 Specifying session identifier "0" will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.

Example
 Console#disconnect 1
 Console#

Related Commands
 show ssh (250)
 show users (104)

terminal

This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
  Terminal Type: VT100
  Width: 80

Command Mode
 Privileged Exec

Example
 This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.

 Console#terminal length 48
 Console#

show line

This command displays the terminal line's parameters.

Syntax
 show line [console | vty]
  console - Console terminal line.
  vty - Virtual terminal for remote console access (i.e., Telnet).
  Login Timeout : 300 sec.
  Silent Time   : Disabled
 Console#

Event Logging

This section describes commands used to configure event logging on the switch.
Example
 Console(config)#logging facility 19
 Console(config)#

logging facility

This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.

Syntax
 logging facility type
 no logging facility
  type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
Table 23: Logging Levels

 Level  Severity Name  Description
 7      debugging      Debugging messages
 6      informational  Informational messages only
 5      notifications  Normal but significant condition, such as cold start
 4      warnings       Warning conditions (e.g., return false, unexpected return)
 3      errors         Error conditions (e.g., invalid input, default used)
 2      critical       Critical conditions (e.g.
Command Usage
 ◆ Use this command more than once to build up a list of host IP addresses.
 ◆ The maximum number of host IP addresses allowed is five.

Example
 Console(config)#logging host 10.1.0.3
 Console(config)#

logging on

This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
logging trap

This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.

Syntax
 logging trap [level level]
 no logging trap [level]
  level - One of the syslog severity levels listed in the table on page 133.
Example
 Console#clear log
 Console#

Related Commands
 show log (137)

show log

This command displays the log messages stored in local memory.

Syntax
 show log {flash | ram}
  flash - Event history stored in flash memory (i.e., permanent memory).
  ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
show logging

This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.

Syntax
 show logging {command | flash | ram | sendmail | trap}
  command - Displays whether CLI command execution records are being stored in syslog RAM and flash.
  flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
The following example displays settings for the trap function.

 Console#show logging trap
 Global Configuration:
  Syslog Logging : Enabled
 Remote Logging Configuration:
  Status        : Disabled
  Facility Type : Local use 7 (23)
  Level Type    : Debugging messages (7)
 Console#

Table 25: show logging trap - display description

 Field                 Description
 Global Configuration
 Syslog logging        Shows if system logging has been enabled via the logging on command.
logging sendmail

This command enables SMTP event handling. Use the no form to disable this function.

Syntax
 [no] logging sendmail

Default Setting
 Enabled

Command Mode
 Global Configuration

Example
 Console(config)#logging sendmail
 Console(config)#

logging sendmail destination-email

This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
logging sendmail host

This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.

Syntax
 [no] logging sendmail host ip-address
  ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling.

Default Setting
 None

Command Mode
 Global Configuration

Command Usage
 ◆ You can specify up to three SMTP servers for event handling.
Command Mode
 Global Configuration

Command Usage
 The specified level indicates an event threshold. All events at this level or higher (that is, at this numeric level or any lower number, which is more severe) will be sent to the configured email recipients. For example, using level 7 will report all events from level 7 to level 0.

Example
 This example will send email alerts for system errors from level 3 through 0.
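Both logging trap level and logging sendmail level apply the same rule: a threshold of N passes every event whose numeric severity is N or lower, so a low number means a stricter filter, and the level names come from Table 23. The script below, an added example that is not part of the switch software, encodes the syslog priority field the way a collector sees it (facility * 8 + severity, with the page's default facility local use 7 = 23), decodes it back, and applies the threshold to a set of constructed sample messages so you can check what a given level actually forwards before pointing the switch at a SIEM or a mailbox.

```python
"""Severity-threshold filtering as used by "logging trap level" and
"logging sendmail level": threshold N forwards every message whose
severity is N or more urgent (numerically N..0).

Added example, not switch software. Facility 23 (local use 7) is the
page's default facility; the sample messages are constructed, not captured.
"""
import re
from typing import List, Tuple

# Names from Table 23 plus the two most severe standard syslog levels.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


def pri(facility: int, severity: int) -> int:
    """Syslog priority value (RFC 3164 / RFC 5424): facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23, severity 0-7")
    return facility * 8 + severity


def split_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    if not 0 <= value <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(value, 8)


def parse(line: str) -> Tuple[int, int, str]:
    """Return (facility, severity, message) for one syslog line."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("no <PRI> prefix: " + line[:40])
    facility, severity = split_pri(int(match.group("pri")))
    return facility, severity, match.group("rest")


def forwarded(lines: List[str], level: int) -> List[str]:
    """Messages the switch would send for a threshold of <level>:
    everything with severity <= level, in the original order."""
    if level not in SEVERITY_NAMES:
        raise ValueError("level must be 0-7")
    return [line for line in lines if parse(line)[1] <= level]


# Constructed sample traffic from a switch logging with facility 23.
SAMPLE = [
    "<%d>Jan  1 00:00:01 switch: user admin logged in from 192.168.1.19" % pri(23, 6),
    "<%d>Jan  1 00:00:02 switch: login failed for user admin" % pri(23, 4),
    "<%d>Jan  1 00:00:03 switch: link state change on Eth 1/11" % pri(23, 5),
    "<%d>Jan  1 00:00:04 switch: configuration write failed" % pri(23, 3),
    "<%d>Jan  1 00:00:05 switch: power supply failure" % pri(23, 2),
    "<%d>Jan  1 00:00:06 switch: time request sent" % pri(23, 7),
]

if __name__ == "__main__":
    for level in (7, 3):
        print(f"threshold level {level} ({SEVERITY_NAMES[level]}):")
        for line in forwarded(SAMPLE, level):
            _, severity, message = parse(line)
            print(f"  [{SEVERITY_NAMES[severity]:13}] {message}")
```

With the threshold at 3 only the errors and critical messages survive; at 7 everything is forwarded, including the failed-login warning at level 4 that a threshold of 3 would silently drop. Pick the level with that in mind: authentication failures on this switch are worth keeping even when the syslog volume is trimmed.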
show logging sendmail

This command displays the settings for the SMTP event handler.

Command Mode
 Privileged Exec

Example
 Console#show logging sendmail
 SMTP Servers
 -----------------------------------------------
  192.168.1.19
 SMTP Minimum Severity Level: 7
 SMTP Destination E-mail Addresses
 -----------------------------------------------
  ted@this-company.com
 SMTP Source E-mail Address: bill@this-company.

Time
Table 27: Time Commands (Continued)

 Command                         Function                                                 Mode
 show ntp                        Shows the status of connections to NTP peers             PE
 Manual Configuration Commands
 clock summer-time (date)        Configures summer time* for the switch's internal clock  GC
 clock summer-time (predefined)  Configures summer time* for the switch's internal clock  GC
 clock summer-time (recurring)   Configures summer time* for the switch's internal clock  GC
 clock timezone                  Sets the time zone for the s
  Poll Interval  : 60
  Current Mode   : Unicast
  SNTP Status    : Enabled
  SNTP Server    : 137.92.140.80 0.0.0.0 0.0.0.0
  Current Server : 137.92.140.80
 Console#

Related Commands
 sntp server (145)
 sntp poll (145)
 show sntp (146)

sntp poll

This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.

Syntax
 sntp poll seconds
 no sntp poll
  seconds - Interval between time requests.
Default Setting
 None

Command Mode
 Global Configuration

Command Usage
 This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.

Example
 Console(config)#sntp server 10.1.0.
NTP Commands

ntp authenticate

This command enables authentication for NTP client-server communications. Use the no form to disable authentication.

Syntax
 [no] ntp authenticate

Default Setting
 Disabled

Command Mode
 Global Configuration

Command Usage
 You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. Without it, any host that can reach the switch can answer its time requests, and a wrong clock corrupts log timestamps and the schedules used by time ranges (see "Time Range").
Command Mode
 Global Configuration

Command Usage
 ◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure.
 ◆ Note that NTP authentication key numbers and values must match on both the server and client.
 ◆ NTP authentication is optional.
 ◆ This command enables client time requests to time servers specified via the ntp server command. It issues time synchronization requests based on the interval set via the ntp poll command.

Example
 Console(config)#ntp client
 Console(config)#

Related Commands
 sntp client (144)
 ntp server (149)

ntp server

This command sets the IP addresses of the servers to which NTP time requests are issued.
Example
 Console(config)#ntp server 192.168.3.20
 Console(config)#ntp server 192.168.3.21
 Console(config)#ntp server 192.168.5.23 key 19
 Console(config)#

Related Commands
 ntp client (148)
 show ntp (150)

show ntp

This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated from an NTP server.
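The key 19 on the last ntp server line above selects an entry in the authentication key list, and the Command Usage for ntp authentication-key notes that the key number and value must match on both sides. The following added example, which is not part of the switch software, shows why: in NTP symmetric-key authentication the client appends a MAC over the whole 48-byte packet, and the server recomputes it from the key id carried in the trailer. It assumes the classic RFC 5905 MD5 construction (key id, then MD5 over key || packet); the guide does not say which digest this switch uses, and newer implementations use AES-CMAC (RFC 8573) with the same framing. The key values are constructed; the transmit time used is the Unix equivalent of the Reference Time shown in the show ntp output that follows.

```python
"""NTP symmetric-key authentication (the "key <id>" in "ntp server ... key 19").

Added example, not switch software. Assumes the classic RFC 5905 scheme:
48-byte packet followed by a 20-byte MAC = key id (4 bytes) || MD5(key || packet).
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
PACKET_LEN = 48
MAC_LEN = 4 + 16                # key id + MD5 digest

# Constructed key list: ids 1-255 as on the switch, values are shared secrets.
KEY_TABLE = {19: b"Kj7#pQ2vLw9!sXe4", 20: b"another-shared-secret"}


def ntp_timestamp(unix_time: float):
    """Split a Unix time into the 32.32 fixed-point NTP timestamp fields."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction


def build_client_request(transmit_time: float) -> bytes:
    """Unauthenticated NTPv4 client request (LI=0, VN=4, Mode=3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    xmt_s, xmt_f = ntp_timestamp(transmit_time)
    return struct.pack(
        "!BBBb" + "I" * 11,
        li_vn_mode, 0, 6, -20,      # stratum 0 (unspecified), poll 2^6, precision 2^-20
        0, 0, 0,                    # root delay, root dispersion, reference id
        0, 0, 0, 0, 0, 0,           # reference, originate and receive timestamps
        xmt_s, xmt_f,               # transmit timestamp
    )


def mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Authenticator trailer: key id followed by MD5(key || packet)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def authenticate(packet: bytes, key_id: int, key_table=KEY_TABLE) -> bytes:
    """Client side: append the MAC. The server recomputes it with the same
    key id and value, which is why both key lists must match."""
    return packet + mac(key_id, key_table[key_id], packet)


def verify(message: bytes, key_table=KEY_TABLE) -> bool:
    """Server side: reject short messages, unknown key ids and any digest
    mismatch, comparing in constant time."""
    if len(message) != PACKET_LEN + MAC_LEN:
        return False
    packet, trailer = message[:PACKET_LEN], message[PACKET_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = key_table.get(key_id)
    if key is None:                 # this side does not trust that key id
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, trailer[4:])


if __name__ == "__main__":
    # 1562122531 is the Unix time of Reference Time e0c697a3 in the show ntp output.
    request = build_client_request(1562122531.418)
    signed = authenticate(request, 19)
    print("valid with matching key 19:", verify(signed))
    print("valid with a different key value:", verify(authenticate(request, 19, {19: b"wrong"})))
    print("valid with unknown key id 99:", verify(authenticate(request, 99, {99: b"x"})))
```

A mismatched key value or an unconfigured key id fails verification exactly as a tampered packet does, so a server that is "not responding" after ntp authenticate is enabled is usually a key list that differs between the two sides, not a network problem.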
  Root Dispersion : 0.948900 seconds
  Reference ID    : 192.168.125.88
  Reference Time  : e0c697a3.6b04c19f  Wed, Jul 3 2019 2:55:31.418
 Console#

show ntp statistics peer

This command displays the statistics from an NTP peer.

Syntax
 show ntp statistics peer {ip-address | ipv6-address | hostname}
  ip-address - IP address of an NTP peer.
  ipv6-address - IPv6 address of an NTP peer.
  hostname - Host name of an NTP peer.
Example
 Console#show ntp peer-status
 * : system peer
  Remote Host      Local Interface  St  Poll  Reach  Delay     Offset    Dispersion
  ---------------  ---------------  --  ----  -----  --------  --------  ----------
  1.1.1.1          0.0.0.0          16  1024  0      0.000000  0.00000   3.99217010
  192.168.1.10     0.0.0.0          16  1024  0      0.000000  0.00000   3.99217010
  *192.168.125.88  192.168.125.138  13  1024  1      0.001160  -0.00011  0.
 Console#
Command Mode
 Global Configuration

Command Usage
 ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Saving Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
 ◆ This command sets the summer-time time zone relative to the currently configured time zone.
   Summer Time, or Daylight Saving Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
 ◆ This command sets the summer-time time relative to the configured time zone.
  b-day - The day of the week when summer time will begin. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday)
  b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
  b-hour - The hour when summer time will begin. (Range: 0-23 hours)
  b-minute - The minute when summer time will begin.
Related Commands
 show sntp (146)

clock timezone

This command sets the time zone for the switch's internal clock.

Syntax
 clock timezone name hour hours minute minutes {before-utc | after-utc}
  name - Name of timezone, usually an acronym. (Range: 1-30 characters)
  hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
  minutes - Number of minutes before/after UTC.
Chapter 4 | System Management Commands Time calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format. (Range: 0 - 23) min - Minute. (Range: 0 - 59) sec - Second. (Range: 0 - 59) day - Day of month.
Chapter 4 | System Management Commands Time Range Summer Time in Effect : No Console# Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
absolute This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month.
periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
◆ Switch clusters are limited to the same Ethernet broadcast domain. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes. Example Console(config)#cluster Console(config)# cluster commander This command enables the switch as a cluster Commander.
cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must be of the form 10.x.x.x. Default Setting 10.254.254.1 Command Mode Global Configuration Command Usage ◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.
Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 36. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec Example
Console#show cluster
Role                 : commander
Interval Heartbeat   : 30
Heartbeat Loss Count : 3 seconds
Number of Members    : 1
Number of Candidates : 2
Console#
show cluster members This command shows the current switch cluster members.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands Table 31: SNMP Commands (Continued)
Command                    Function                                                   Mode
show snmp engine-id        Shows the SNMP engine ID                                   PE
show snmp group            Shows the SNMP groups                                      PE
show snmp user             Shows the SNMP users                                       PE
show snmp view             Shows the SNMP views                                       PE
nlm                        Enables the specified notification log                     GC
snmp-server notify-filter  Creates a notification log and specifies the target host   GC
show nlm oper-status       Shows operation status of configured notification logs     PE
show snmp notify-filter
Chapter 5 | SNMP Commands General SNMP Commands Table 31: SNMP Commands (Continued)
Command                 Function                                                                 Mode
memory                  Sets the rising and falling threshold for the memory utilization alarm   GC
process cpu             Sets the rising and falling threshold for the CPU utilization alarm      GC
process cpu guard       Sets the CPU utilization watermark and threshold                         GC
show memory             Shows memory utilization parameters                                      PE
show process cpu        Shows CPU utilization parameters                                         NE, PE
show process cpu guard  Shows the CPU utilizat
ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects. rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Default Setting ◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects. ◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
Chapter 5 | SNMP Commands SNMP Target Host Commands notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled. ◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1) auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options. port - Host UDP port to use.
4. Allow the switch to send SNMP traps; i.e., notifications (page 174). 5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section. To send an inform to an SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 171). 2. Create a remote SNMPv3 user to use in the message exchange process (page 181). 3. Create a view with the required notification messages (page 183).
Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps mac-notification Console(config)# snmp-server enable port-traps mac-notification This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Chapter 5 | SNMP Commands SNMPv3 Commands port-channel channel-id (Range: 1-8) Command Mode Privileged Exec Example
Console#show snmp-server enable port-traps interface
Interface  MAC Notification Trap
---------  ---------------------
Eth 1/1    No
Eth 1/2    No
Eth 1/3    No
. . .
SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
Command Mode Global Configuration Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. ◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption. ◆ For additional information on the notification messages supported by this switch, see table for “Supported Notification Messages” in the Web Management Guide.
auth - Uses SNMPv3 with authentication. md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password.
need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
Console(config)#snmp-server user mark r&d remote 192.168.1.
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
show snmp engine-id This command shows the SNMP engine ID.
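As an added illustration that is not part of the Edgecore guide, the following Python model shows how a view's included/excluded subtree entries, including the "*" wild card used in the two snmp-server view examples above, decide which OIDs a management station bound to that view can retrieve. The wildcard semantics and the most-specific-entry rule are assumptions, noted in the comments, not statements from the guide.

```python
"""Added example, not from the Edgecore guide: an SNMP MIB view model.

Assumptions (not stated on the page):
  * a '*' in a view subtree matches exactly one sub-identifier at that position;
  * when several entries of one view match an OID, the most specific entry
    (longest, then fewest wildcards) decides, as in RFC 3415 vacmViewTreeFamily;
  * an OID matched by no entry of the view is not visible.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ViewEntry:
    subtree: str          # e.g. "1.3.6.1.2.1.2.2.1.*.2" (from the guide's example)
    included: bool        # True for 'included', False for 'excluded'

    def matches(self, oid: str) -> bool:
        """True if the OID lies under this subtree pattern."""
        pattern = self.subtree.split(".")
        parts = oid.split(".")
        if len(pattern) > len(parts):
            return False                     # subtree is deeper than the OID itself
        return all(p == "*" or p == o for p, o in zip(pattern, parts))

    def specificity(self) -> Tuple[int, int]:
        """Ordering key: longer patterns, then fewer wildcards, are more specific."""
        pattern = self.subtree.split(".")
        return (len(pattern), sum(1 for p in pattern if p != "*"))


@dataclass
class SnmpView:
    name: str
    entries: List[ViewEntry] = field(default_factory=list)

    def add(self, subtree: str, included: bool = True) -> "SnmpView":
        """Equivalent of: snmp-server view <name> <subtree> included|excluded."""
        self.entries.append(ViewEntry(subtree, included))
        return self

    def allows(self, oid: str) -> bool:
        """Return True if a request for this OID passes the view."""
        candidates = [e for e in self.entries if e.matches(oid)]
        if not candidates:
            return False
        best = max(candidates, key=ViewEntry.specificity)
        return best.included


# The two views from the guide's examples above
IF_ENTRY_2 = SnmpView("ifEntry.2").add("1.3.6.1.2.1.2.2.1.*.2")
IF_ENTRY_A = SnmpView("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*")

# A constructed view (not from the guide): all of mib-2 except the ip group (1.3.6.1.2.1.4),
# showing how a more specific 'excluded' entry overrides a broad 'included' one.
MIB2_NO_IP = (SnmpView("mib2-no-ip")
              .add("1.3.6.1.2.1")
              .add("1.3.6.1.2.1.4", included=False))


def visible(view: SnmpView, oids: List[str]) -> List[str]:
    """Filter a list of requested OIDs down to those the view exposes."""
    return [o for o in oids if view.allows(o)]


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.2.1.2.2.1.2.3"):
        print("ifEntry.2", oid, IF_ENTRY_2.allows(oid))
    print(visible(MIB2_NO_IP, ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.4.1.0"]))
```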
show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Table 33: show snmp group - display description (Continued)
Field         Description
Read View     The associated read view.
Write View    The associated write view.
Notify View   The associated notify view.
Storage Type  The storage type for this entry.
Row Status    The row status of this entry.
show snmp user This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands Table 34: show snmp user - display description (Continued)
Field             Description
Storage Type      The storage type for this entry.
Row Status        The row status of this entry.
SNMP remote user  A user associated with an SNMP engine on a remote device.
show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.
Default Setting None Command Mode Global Configuration Command Usage ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification log A1.
RFC 3014) provides an infrastructure in which information from other MIBs may be logged. ◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
Chapter 5 | SNMP Commands Additional Trap Commands show nlm oper-status This command shows the operational status of configured notification logs. Command Mode Privileged Exec Example Console#show nlm oper-status Filter Name: A1 Oper-Status: Operational Console# show snmp notify-filter This command displays the configured notification logs. Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts.
Command Usage Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered. Example Console(config)#memory rising 80 Console(config)#memory falling 60 Console# Related Commands show memory (96) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization.
process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
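The rising/falling hysteresis described here for rmon alarm, and earlier for the memory and process cpu thresholds, as an added Python model that is not part of the guide. The initial cleared state and the use of >= and <= for crossings are assumptions (RFC 2819 semantics), and the sample series are constructed, not switch output.

```python
"""Added example, not from the Edgecore guide: a threshold alarm with rising/falling
hysteresis, as described for the memory, process cpu and rmon alarm commands.

Behaviour modelled from the guide:
  * a rising event fires when a sample reaches the rising threshold; no further
    rising event is generated until a sample has reached the falling threshold
    (which fires a falling event), after which a new rising crossing may fire again;
  * 'delta' mode (rmon alarm) compares the change between successive samples
    instead of the raw value, as used for etherStats counters.
Assumptions not on the page: the alarm starts in the cleared state (only a rising
crossing can fire first) and crossings are tested with >= and <= as in RFC 2819.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HysteresisAlarm:
    rising: float
    falling: float
    mode: str = "absolute"               # "absolute" or "delta"
    rising_armed: bool = True            # cleared state: a rising crossing may fire
    falling_armed: bool = False          # nothing to clear yet
    last_raw: Optional[float] = None     # previous raw sample (delta mode only)
    events: List[Tuple[int, str, float]] = field(default_factory=list)
    _count: int = 0                      # number of samples seen so far

    def __post_init__(self) -> None:
        if self.falling >= self.rising:
            raise ValueError("falling threshold must be below rising threshold")
        if self.mode not in ("absolute", "delta"):
            raise ValueError("mode must be 'absolute' or 'delta'")

    def sample(self, raw: float) -> Optional[str]:
        """Feed one sample; return 'rising', 'falling' or None (no event)."""
        index = self._count
        self._count += 1
        if self.mode == "delta":
            if self.last_raw is None:        # first delta sample only seeds the baseline
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        event = None
        if value >= self.rising and self.rising_armed:
            event = "rising"                 # alarm raised; wait for the falling side
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling and self.falling_armed:
            event = "falling"                # alarm terminated; rising may fire again
            self.rising_armed, self.falling_armed = True, False
        if event:
            self.events.append((index, event, value))
        return event


def run_alarm(alarm: HysteresisAlarm, samples: List[float]) -> List[Tuple[int, str, float]]:
    """Feed a whole series and return the (sample index, event, value) list."""
    for s in samples:
        alarm.sample(s)
    return alarm.events


if __name__ == "__main__":
    # Constructed memory-utilisation series against the guide's 'memory rising 80 / falling 60'
    print(run_alarm(HysteresisAlarm(80, 60), [50, 85, 90, 70, 55, 85]))
    # Constructed counter series for an rmon alarm in delta mode
    print(run_alarm(HysteresisAlarm(500, 200, mode="delta"), [1000, 1500, 2100, 2200, 3000]))
```

The 90 and 70 samples in the first series produce no event: only one rising alarm is generated until the value has dropped to the falling threshold.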
Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector. A full IPv6 address including the network prefix and host address bits. An IPv6 address consists of 8 colon-separated 16-bit hexadecimal values.
This example shows how to modify the sFlow port number for an already configured collector. Console(config)#sflow owner stat_server1 timeout 100 port 35100 Console(config)# sflow polling instance This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval. Use the no form to remove the polling data source instance from the switch’s sFlow configuration.
sflow sampling instance This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
The following command removes a sampling data source from Ethernet interface 1/1. Console# no sflow sampling interface ethernet 1/1 instance 1 Console# show sflow This command shows the global and interface settings for the sFlow process. Syntax show sflow [owner owner-name | interface interface] owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters) interface ethernet unit/port unit - Unit identifier.
8 Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 121), user authentication via a remote authentication server (page 209), and host access authentication for specific ports (page 251).
Default Setting The default is level 15. The default password is “super”. Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command. ◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 72 and “Configuration Commands” on page 73.
Chapter 8 | Authentication Commands Authentication Sequence Example This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#
Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
Chapter 8 | Authentication Commands RADIUS Client ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
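An added Python model of the "authentication login radius tacacs local" sequence just described, not taken from the guide. The server and user data are constructed, and treating a definite reject from a reachable server as the end of the attempt (rather than falling through to the next method) is an assumption, as is noted in the code.

```python
"""Added example, not from the Edgecore guide: a model of the
'authentication login radius tacacs local' method sequence.

Each method answers ACCEPT, REJECT or UNAVAILABLE. Per the guide, the next method
is tried only when the current server is not available. Assumption (not stated on
the page): a definite REJECT from a reachable server ends the login attempt, so an
unreachable server, not a failed credential, is what opens the local fallback.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"

# user -> (password, privilege level); the level is assigned by the server (see text)
UserTable = Dict[str, Tuple[str, int]]


@dataclass
class RemoteServer:
    """A RADIUS or TACACS+ server as seen by the switch (constructed data)."""
    name: str
    users: UserTable
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional[int]]:
        if not self.reachable:
            return UNAVAILABLE, None          # timeout after retransmits: try next method
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return REJECT, None
        return ACCEPT, entry[1]


@dataclass
class LocalDatabase:
    """The switch's own user accounts; always reachable."""
    users: UserTable
    name: str = "local"

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional[int]]:
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return REJECT, None
        return ACCEPT, entry[1]


def login(sequence: List, user: str, password: str) -> Tuple[str, Optional[str], Optional[int]]:
    """Walk the configured method sequence; return (result, deciding method, privilege)."""
    for method in sequence:
        result, level = method.authenticate(user, password)
        if result == UNAVAILABLE:
            continue                          # server not available: fall through
        return result, method.name, level     # accept or reject is final (assumption)
    # every configured method was unavailable and no local database was listed
    return REJECT, None, None


# Constructed servers and accounts (not from the guide); RADIUS is down in this scenario
RADIUS = RemoteServer("radius", {"alice": ("r4dius-pw", 15)}, reachable=False)
TACACS = RemoteServer("tacacs", {"alice": ("t4cacs-pw", 15), "bob": ("bob-pw", 8)})
LOCAL = LocalDatabase({"admin": ("local-pw", 15)})
SEQUENCE = [RADIUS, TACACS, LOCAL]            # authentication login radius tacacs local


if __name__ == "__main__":
    for u, p in (("alice", "t4cacs-pw"), ("admin", "local-pw"), ("bob", "wrong")):
        print(u, login(SEQUENCE, u, p))
```

Note that "admin" is rejected even though the account exists locally: the TACACS+ server answered, so the local database is never consulted.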
Default Setting 1813 Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
radius-server retransmit This command sets the number of retries. Use the no form to restore the default. Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Chapter 8 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Authentication Port Number : 1812
 Accounting Port Number     : 1813
 Retransmit Times           : 2
 Request Timeout            : 5
Server 1:
 Server IP Address          : 192.
 Authentication Port Number :
 Accounting Port Number     :
 Retransmit Times           :
 Request Timeout            :
tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server. (Range: 1) host-ip-address - IP address of a TACACS+ server.
Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
Example Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | Authentication Commands AAA
TACACS+ Server Group:
Group Name                 Member Index
-------------------------  ------------
tacacs+                    1
Console#
AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
aaa accounting commands This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service. Syntax aaa accounting commands level {default | method-name} start-stop group {tacacs+ | server-group} no aaa accounting commands level {default | method-name} level - The privilege level for executing commands. (Range: 0-15) default - Specifies the default accounting method for service requests.
aaa accounting dot1x This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service. Syntax aaa accounting dot1x {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting dot1x {default | method-name} default - Specifies the default accounting method for service requests. method-name - Specifies an accounting method for service requests.
aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} default - Specifies the default accounting method for service requests. method-name - Specifies an accounting method for service requests.
aaa accounting update This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters) Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage The authorization of Exec mode commands is only supported by TACACS+ servers.
Command Mode Global Configuration Command Usage ◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections. ◆ AAA authentication must be enabled before authorization is enabled.
server This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group. Syntax [no] server {index | ip-address} index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1) ip-address - Specifies the host IP address of a server.
Example Console(config)#interface ethernet 1/2 Console(config-if)#accounting dot1x tps Console(config-if)# accounting commands This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands. Syntax accounting commands level {default | list-name} no accounting commands level level - The privilege level for executing commands.
Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization commands This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec default - Specifies the default method list created with the aaa authorization exec command. list-name - Specifies a method list created with the aaa authorization exec command.
interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26/52) Default Setting None Command Mode Privileged Exec Example
Console#show accounting
Accounting Type : dot1x
 Method List    : default
 Group List     : radius
 Interface      : Eth 1/1

 Method List    : tps
 Group List     : radius
 Interface      : Eth 1/2

Accounting Type : EXEC
 Method List    : default
 Group List     : tacacs+
 Interface      : vty

Accounting Type
 Method List
 Group List
 Interface
. . .
Chapter 8 | Authentication Commands Web Server Default Setting None Command Mode Privileged Exec Example
Console#show authorization
Authorization Type : EXEC
 Method List       : default
 Group List        : tacacs+
 Interface         : vty

Authorization Type : Commands 0
 Method List       : default
 Group List        : tacacs+
 Interface         :
. . .
ip http authentication This command specifies the method list for EXEC authorization for starting an EXEC session used by the web browser interface. Use the no form to restore the default. Syntax ip http authentication aaa exec-authorization {default | list-name} no ip http authentication aaa exec-authorization default - Specifies the default method list used for authorization requests.
Example Console(config)#ip http port 769 Console(config)# Related Commands ip http server (238) show system (102) ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Command Usage ◆ You cannot configure the HTTP and HTTPS servers to use the same port.
Chapter 8 | Authentication Commands Telnet Server ◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions.
Chapter 8 | Authentication Commands Telnet Server Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level. ip telnet max-sessions This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no from to restore the default setting.
Command Mode
Global Configuration

Example
Console(config)#ip telnet port 123
Console(config)#

ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.

Syntax
[no] ip telnet server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#ip telnet server
Console(config)#

telnet (client)
This command accesses a remote device using a Telnet connection.
show ip telnet
This command displays the configuration settings for the Telnet server.

Command Mode
Normal Exec, Privileged Exec

Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 8
Console#

Secure Shell
This section describes the commands used to configure the SSH server.
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command.
Password Authentication (for SSH V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.

Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.
count – The number of authentication attempts permitted after which the interface is reset. (Range: 1-5)

Default Setting
3

Command Mode
Global Configuration

Example
Console(config)#ip ssh authentication-retries 2
Console(config)#

Related Commands
show ip ssh (249)

ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Related Commands
ip ssh crypto host-key generate (248)
show ssh (250)

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.

Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation.
Example
Console#delete public-key admin
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).

Syntax
ip ssh crypto host-key generate

Default Setting
Generates the RSA key pairs.

Command Mode
Privileged Exec

Command Usage
◆ The switch uses RSA for SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
Command Mode
Privileged Exec

Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
◆ The SSH server must be disabled before you can execute this command.
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Console#

show public-key
This command shows the public key for the specified user or for the host.

Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-32 characters)

Default Setting
Shows all public keys.

Command Mode
Privileged Exec

Command Usage
If no parameters are entered, all keys are displayed.
stoc aes128-cbc-hmac-md5
Console#

Table 49: show ssh - display description
Field       Description
Connection  The session number. (Range: 1-8)
Version     The Secure Shell version number.
State       The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username    The user name of the client.

802.1X Port Authentication
The switch supports IEEE 802.
Table 50: 802.
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#

dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.

Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
connected the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Default
3600 seconds

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
Supplicant Commands

dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.

Syntax
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds.
Information Display Commands

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.

Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
◆ Authenticator PAE State Machine
  ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
  ■ Reauth Count – Number of times connecting state is re-entered.
  ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
Reauth Max Retries : 2
Max Request        : 2
Operation Mode     : Multi-host
Port Control       : Auto
Intrusion Action   : Block traffic
Supplicant         : 00-e0-29-94-34-65

Authenticator PAE State Machine
State              : Authenticated
Reauth Count       : 0
Current Identifier : 3

Backend State Machine
State              : Idle
Request Count      : 0
Identifier(Server) : 2

Reauthentication State Machine
State              : Initialize
Console#

Management IP Filter
This section describes commands used to configur
Default Setting
All addresses

Command Mode
Global Configuration

Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Command Mode
Privileged Exec

Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
   Start IP address  End IP address
-----------------------------------------------
1. 192.168.1.19      192.168.1.19
2. 192.168.1.25      192.168.1.30

SNMP-Client:
   Start IP address  End IP address
-----------------------------------------------
1. 192.168.1.19      192.168.1.19
2. 192.168.1.25      192.168.1.
9 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
Chapter 9 | General Security Measures
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Related Commands
show interfaces status (372)
shutdown (364)
mac-address-table static (422)

show port security
This command displays port security status and the secure address count.

Syntax
show port security [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Table 54: show port security - display description (Continued)
Field       Description
MaxMacCnt   The maximum number of addresses which can be stored in the address table for this interface (either dynamic or static).
CurrMacCnt  The current number of secure entries in the address table.

The following example shows the port security settings and number of secure addresses for a specific port.
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.
network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.

Syntax
[no] network-access dynamic-qos

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Command Mode
Interface Configuration

Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN.
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
clear network-access mac-address-table
Use this command to clear entries from the secure MAC address table.

Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time                  : 1800
MAC Address Aging                      : Disabled

Port                                   : 1/1
MAC Authentication                     : Disabled
MAC Authentication Intrusion Action    : Block traffic
MAC Authentication Maximum MAC Counts  : 1024
Maximum MAC Counts                     : 1024
Dynamic VLAN Assignment                : Enabled
Dynamic QoS Assignment                 : Disabled
MAC Filter ID                          : Disabled
Guest VLAN                             : D
Console#
Example
Console#show network-access mac-address-table
Interface  MAC Address        RADIUS Server    Time
---------  -----------------  ---------------  ------------------------
1/1        00-00-01-02-03-04  172.155.120.17   00d06h32m50s
1/1        00-00-01-02-03-05  172.155.120.17   00d06h33m20s
1/1        00-00-01-02-03-06  172.155.120.17   00d06h35m10s
1/3        00-00-01-02-03-07  172.155.120.
Web Authentication

Note: Web authentication cannot be configured on trunk ports.

Table 57: Web Authentication
Command                  Function                                                                              Mode
web-auth login-attempts  Defines the limit for failed web authentication login attempts                        GC
web-auth quiet-period    Defines the amount of time to wait after the limit for failed login attempts is exceeded.
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

Syntax
[no] web-auth system-auth-control

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
show web-auth
This command displays global web authentication parameters.

Command Mode
Privileged Exec

Example
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout     : 3600
Quiet Period        : 60
Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

Command Mode
Privileged Exec

Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled

Port  Status    Authenticated Host Count
--------------------------------
1/ 1  Disabled  0
1/ 2  Enabled   8
1/ 3  Disabled  0
1/ 4  Disabled  0
1/ 5  Disabled  0
. . .
DHCPv4 Snooping

Table 58: DHCP Snooping Commands (Continued)
Command                                         Function                                                                             Mode
ip dhcp snooping max-number                     Configures the maximum number of DHCP clients which can be supported per interface   IC
ip dhcp snooping trust                          Configures the specified interface as trusted                                        IC
ip dhcp snooping information option circuit-id  Enables or disables the use of DHCP Option 82 circuit-id suboption information       IC
ip dhcp snooping trust                          Configures the specified interface as trus
◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
  ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.

Example
This example enables DHCP snooping globally for the switch.
Command Mode
Global Configuration

Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below:

Table 59: Option 82 information
82      3-69      1          1-67         x1 x2 x3 x4 x5 ... x63
opt82   opt-len   sub-opt1   string-len   R-124 string

The circuit identifier used by this switch starts at sub-option1 and goes to the end of the R-124 string.
ip dhcp snooping information option remote-id
This command sets the remote ID to the switch’s IP address, MAC address, or arbitrary string, TR-101 compliant node identifier, or removes VLAN ID from the end of the TR101 field. Use the no form to restore the default setting.
Example
This example sets the remote ID to the switch’s IP address.
Console(config)#ip dhcp snooping information option remote-id tr101 node-identifier ip
Console(config)#

ip dhcp snooping information option
This command sets the board identifier used in Option 82 information based on TR-101 syntax. Use the no form to remove the board identifier.
Default Setting
replace

Command Mode
Global Configuration

Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
ip dhcp snooping information option circuit-id
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.

Syntax
ip dhcp snooping information option circuit-id {string string | tr101 {node-identifier {ip | sysname} | no-vlan-field}}
no dhcp snooping information option circuit-id [tr101 no-vlan-field]
string - An arbitrary string inserted into the circuit identifier field.
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string “eth”.
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
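The Option 82 layout of Table 59 and the TR-101 circuit-id fields listed above, decoded in code. This is an added example, not the switch's or Edgecore's code: the sub-option codes come from RFC 3046, the space, "/" and ":" separators between the circuit-id fields are the TR-101 convention (the text only gives the field order), and the sample MAC, port and IP values are constructed.

```python
"""Decode a DHCP Option 82 (Relay Agent Information) TLV and the TR-101 style
circuit-id it carries: "<access-node-id> eth <slot>/<port>[:<vlan>]".
Added example, not vendor code; separators and sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 sub-option codes
SUBOPT_REMOTE_ID = 2


def parse_option82(option: bytes) -> Dict[int, bytes]:
    """Split a complete Option 82 TLV (code, length, sub-options) into
    {sub-option code: payload}.  Every length field is checked against the
    bytes actually present so a truncated or overlong option is rejected
    rather than silently decoded."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an Option 82 TLV")
    opt_len, body = option[1], option[2:]
    if opt_len != len(body):
        raise ValueError("option length %d does not match %d data bytes" % (opt_len, len(body)))
    subopts: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("sub-option %d runs past the end of the option" % code)
        subopts[code] = payload
        i += 2 + length
    return subopts


@dataclass
class Tr101CircuitId:
    access_node_id: str
    slot: int
    port: int
    vlan: Optional[int]   # None when the switch was configured with no-vlan-field


def parse_tr101_circuit_id(payload: bytes) -> Tr101CircuitId:
    """Parse "<access-node-id> eth <slot>/<port>[:<vlan>]".  The field order is
    from the text; the separators are the TR-101 convention (assumed here)."""
    parts = payload.decode("ascii").split()
    if len(parts) != 3 or parts[1] != "eth":
        raise ValueError("not a TR-101 ethernet circuit-id: %r" % payload)
    node_id, _, slot_port = parts
    slot_port, has_vlan, vlan_text = slot_port.partition(":")
    slot_text, _, port_text = slot_port.partition("/")
    vlan = int(vlan_text) if has_vlan else None
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VLAN id %d out of range" % vlan)
    return Tr101CircuitId(node_id, int(slot_text), int(port_text), vlan)


def build_option82(circuit_id: str, remote_id: str) -> bytes:
    """Encode two ASCII strings as an Option 82 TLV (used to build the sample)."""
    c, r = circuit_id.encode("ascii"), remote_id.encode("ascii")
    body = bytes([SUBOPT_CIRCUIT_ID, len(c)]) + c + bytes([SUBOPT_REMOTE_ID, len(r)]) + r
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


# Constructed sample: CPU MAC as the access node id, request received on
# unit 1 port 3 in VLAN 100, remote-id set to the switch IP (all assumed).
SAMPLE_OPTION82 = build_option82("00-e0-29-94-34-65 eth 1/3:100", "192.168.1.1")


def decode_sample(option: bytes = SAMPLE_OPTION82):
    """Return (Tr101CircuitId, remote-id string) for an Option 82 TLV."""
    subopts = parse_option82(option)
    circuit = parse_tr101_circuit_id(subopts[SUBOPT_CIRCUIT_ID])
    remote = subopts[SUBOPT_REMOTE_ID].decode("ascii")
    return circuit, remote


if __name__ == "__main__":
    print(decode_sample())
```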
ip dhcp snooping max-number
This command configures the maximum number of DHCP clients which can be supported per interface. Use the no form to restore the default setting.

Syntax
ip dhcp snooping max-number max-number
no dhcp snooping max-number
max-number - Maximum number of DHCP clients.
VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
Console#clear ip dhcp snooping database flash
Console#

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.

Command Mode
Privileged Exec

Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.

Command Mode
Privileged Exec

Example
Console#show ip dhcp snooping binding
MAC Address        IP Address       Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
IPv4 Source Guard

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.

Syntax
ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list
no ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id
mode - Specifies the binding mode.
  acl - Adds binding to ACL table.
  mac - Adds binding to MAC address table.
◆ Static bindings are processed as follows:
◆ A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true:
  ■ If there is no binding entry with the same VLAN ID and MAC address, a new entry will be added to the binding table using the type of static IP source guard binding.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.

Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table), including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added to the MAC address table if IP traffic passes the checking process in the MAC mode binding table.
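The lookup that the ip source-guard sip / sip-mac filter and the per-port max-binding limit describe, as a small model: a packet on a guarded port is forwarded only when its VLAN, source IP and ingress port (plus source MAC in sip-mac mode) match a binding, static entries always count, and snooping-learned entries count only while DHCP snooping is enabled. This is an added example, not the switch's implementation; the interface naming, the replace-on-duplicate behaviour for static entries and the sample bindings are assumptions.

```python
"""Model of the IP source guard check described in the text.  Added example;
data layout, duplicate handling and sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str      # interface name such as "eth 1/1"
    static: bool   # True: ip source-guard binding; False: learned by DHCP snooping


@dataclass(frozen=True)
class Packet:
    src_mac: str
    vlan: int
    src_ip: str
    port: str


class SourceGuard:
    def __init__(self, dhcp_snooping: bool = True, max_binding: int = 5):
        self.dhcp_snooping = dhcp_snooping   # dynamic entries only count while enabled
        self.max_binding = max_binding       # per-port limit (show output above shows 5)
        self.mode: Dict[str, Optional[str]] = {}   # port -> None, "sip" or "sip-mac"
        self.bindings: List[Binding] = []

    def set_mode(self, port: str, mode: Optional[str]) -> None:
        if mode not in (None, "sip", "sip-mac"):
            raise ValueError("mode must be sip, sip-mac or None")
        self.mode[port] = mode

    def add_binding(self, b: Binding) -> bool:
        """Add an entry; returns False when the port's max-binding would be
        exceeded.  An entry with the same VLAN and MAC as an existing one
        replaces it (the text states only the no-duplicate case; assumed)."""
        for i, old in enumerate(self.bindings):
            if old.vlan == b.vlan and old.mac.lower() == b.mac.lower():
                self.bindings[i] = b
                return True
        if sum(1 for e in self.bindings if e.port == b.port) >= self.max_binding:
            return False
        self.bindings.append(b)
        return True

    def permit(self, pkt: Packet) -> bool:
        """True if the packet is forwarded, False if source guard drops it."""
        mode = self.mode.get(pkt.port)
        if mode is None:
            return True   # source guard not enabled on this port: no filtering
        for b in self.bindings:
            if not b.static and not self.dhcp_snooping:
                continue  # snooping-learned entries are consulted only when snooping is on
            if b.vlan != pkt.vlan or b.ip != pkt.src_ip or b.port != pkt.port:
                continue
            if mode == "sip" or b.mac.lower() == pkt.src_mac.lower():
                return True
        return False


def demo() -> List[bool]:
    """Constructed scenario: eth 1/1 in sip-mac mode with one static and one
    snooping-learned binding; returns the verdicts for four sample packets."""
    sg = SourceGuard()
    sg.set_mode("eth 1/1", "sip-mac")
    sg.add_binding(Binding("00-00-01-02-03-04", 1, "192.168.0.10", "eth 1/1", static=True))
    sg.add_binding(Binding("00-00-01-02-03-05", 1, "192.168.0.11", "eth 1/1", static=False))
    return [
        sg.permit(Packet("00-00-01-02-03-04", 1, "192.168.0.10", "eth 1/1")),  # static match
        sg.permit(Packet("00-00-01-02-03-05", 1, "192.168.0.11", "eth 1/1")),  # dynamic match
        sg.permit(Packet("00-00-01-02-03-99", 1, "192.168.0.10", "eth 1/1")),  # MAC does not match
        sg.permit(Packet("00-00-01-02-03-04", 1, "192.168.0.10", "eth 1/2")),  # unguarded port
    ]


if __name__ == "__main__":
    print(demo())
```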
Example
Console#show ip source-guard
Interface  Filter-type  Filter-table  ACL Table Max-binding  MAC Table Max-binding
---------  -----------  ------------  ---------------------  ---------------------
Eth 1/1    DISABLED     ACL           5                      1024
Eth 1/2    DISABLED     ACL           5                      1024
Eth 1/3    DISABLED     ACL           5                      1024
Eth 1/4    DISABLED     ACL           5                      1024
Eth 1/5    DISABLED     ACL           5                      1024
. . .

show ip source-guard binding
This command shows the source guard binding table.
ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.
ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to disable this function.

Syntax
[no] ip arp inspection

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command.
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.

Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID.
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.

Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

Syntax
ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
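The three validate checks applied to raw ARP-over-Ethernet frames: src-mac compares the Ethernet source with the ARP sender hardware address, dst-mac compares the Ethernet destination with the ARP target hardware address on replies, and ip rejects invalid sender/target addresses, with allow-zeros admitting 0.0.0.0 (as an ARP probe carries). This is an added example, not the switch's implementation: the frame layout follows RFC 826, the set of addresses treated as invalid (0.0.0.0, 255.255.255.255, multicast, 240.0.0.0/4) and the rule that target fields are checked only on replies are assumptions, and the sample frames are constructed.

```python
"""Model of ip arp inspection validate {dst-mac | ip [allow-zeros] | src-mac}
over raw Ethernet + ARP frames.  Added example; the invalid-IP set, the
reply-only target checks and the sample frames are assumptions."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sha: bytes   # sender hardware address (ARP body)
    spa: str     # sender protocol address
    tha: bytes   # target hardware address
    tpa: str     # target protocol address


def mac(text: str) -> bytes:
    """'00-e0-29-94-34-65' or '00:e0:29:94:34:65' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Parse a 42-byte Ethernet + ARP (Ethernet/IPv4) frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return ArpFrame(frame[:6], frame[6:12], opcode, frame[22:28],
                    str(ipaddress.IPv4Address(frame[28:32])),
                    frame[32:38], str(ipaddress.IPv4Address(frame[38:42])))


def build_arp_frame(eth_dst: bytes, eth_src: bytes, opcode: int, sha: bytes,
                    spa: str, tha: bytes, tpa: str) -> bytes:
    """Construct an Ethernet + ARP frame (used only for the samples below)."""
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha
            + ipaddress.IPv4Address(spa).packed + tha + ipaddress.IPv4Address(tpa).packed)
    return eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP) + body


def _ip_invalid(ip: str, allow_zeros: bool) -> bool:
    """Assumed 'invalid or unexpected' set for the ip check: 0.0.0.0 (unless
    allow-zeros), 255.255.255.255, multicast, and reserved 240.0.0.0/4."""
    a = ipaddress.IPv4Address(ip)
    if a == ipaddress.IPv4Address("0.0.0.0"):
        return not allow_zeros
    return a == ipaddress.IPv4Address("255.255.255.255") or a.is_multicast or a.is_reserved


def validate(f: ArpFrame, dst_mac: bool = False, ip: bool = False,
             allow_zeros: bool = False, src_mac: bool = False) -> List[str]:
    """Return the names of the checks the frame fails (empty list = pass).
    Sender fields are checked on requests and replies; target fields only on
    replies, because a request legitimately carries an unknown target MAC."""
    failed: List[str] = []
    if src_mac and f.eth_src != f.sha:
        failed.append("src-mac")
    if dst_mac and f.opcode == ARP_REPLY and f.eth_dst != f.tha:
        failed.append("dst-mac")
    if ip:
        if _ip_invalid(f.spa, allow_zeros):
            failed.append("ip:sender")
        if f.opcode == ARP_REPLY and _ip_invalid(f.tpa, allow_zeros):
            failed.append("ip:target")
    return failed


# Constructed samples: a consistent reply, a reply whose Ethernet source does not
# match the ARP sender MAC, and an ARP probe (request with sender IP 0.0.0.0).
GATEWAY, HOST, BCAST = mac("00-00-01-02-03-04"), mac("00-00-01-02-03-05"), mac("ff-ff-ff-ff-ff-ff")
GOOD_REPLY = build_arp_frame(GATEWAY, HOST, ARP_REPLY, HOST, "192.168.2.2", GATEWAY, "192.168.2.1")
BAD_REPLY = build_arp_frame(GATEWAY, mac("00-00-01-02-03-99"), ARP_REPLY, HOST, "192.168.2.2",
                            GATEWAY, "192.168.2.1")
PROBE = build_arp_frame(BCAST, HOST, ARP_REQUEST, HOST, "0.0.0.0", mac("00-00-00-00-00-00"), "192.168.2.9")

if __name__ == "__main__":
    for name, frame in (("good", GOOD_REPLY), ("bad", BAD_REPLY), ("probe", PROBE)):
        print(name, validate(parse_arp_frame(frame), dst_mac=True, ip=True, src_mac=True))
```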
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.

Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.

Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#

show ip arp inspection
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.

Command Mode
Privileged Exec

Example
Console#show ip arp inspection log
Total log entries number is 1
Num  VLAN  Port  Src IP Address  Dst IP Address
---  ----  ----  --------------  --------------
1    1     11    192.168.2.2     192.168.2.
Console#
Example
Console#show ip arp inspection vlan 1
VLAN ID   DAI Status   ACL Name   ACL Status
-------   ----------   --------   ----------
1         disabled     sales      static
Console#

Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.

Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection echo-chargen bit-rate-in-kilo 65
Console(config)#

dos-protection smurf
This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.

Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#

dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.

Example
Console(config)#dos-protection tcp-syn-fin-scan
Console(config)#

dos-protection tcp-xmas-scan
This command protects against DoS TCP-xmas-scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet.

Example
Console(config)#dos-protection udp-flooding bit-rate-in-kilo 65
Console(config)#

dos-protection win-nuke
This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems.
 WinNuke Attack : Disabled, 1000 kilobits per second
Console#

Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.

◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.

Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.

show
This command displays the configured traffic segments.
10 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.

bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-16 characters)
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.

no {permit | deny} [protocol-number | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [dscp dscp] [precedence precedence] [source-port sport [bitmask]] [destination-port dport [port-bitmask]]
{permit | deny} tcp {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [dscp dscp] [precedence precedence] [source-port sport [bitmask]] [destination-port dport [port-bi

Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bit mask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.

This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any controlflag 2 2
Console(config-ext-acl)#
Related Commands
access-list ip (334)
Time Range (158)

ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
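The bitmask rule in the Command Usage above (1 bits match, 0 bits are ignored, mask ANDed with the rule address and compared with the packet address) together with the control-flag example is easy to get wrong when reviewing an ACL, so here is a software model of that matching as an added example. This is not code from the guide or from Edgecore; the Rule and Packet names, first-match evaluation in rule order, and the reading of "control-flag 2 2" as "compare only the bits set in the mask" are assumptions, and the sample ACL and packets are constructed. It also goes one step beyond the guide's example by using a non-contiguous bitmask, which the 1-bit/0-bit rule permits even though the text compares masks to subnet masks.

```python
# Added example, not from the Edgecore CLI guide: a software model of the
# IPv4 ACL matching the guide describes (address bitmask ANDed with the rule
# address, then compared with the packet address; TCP control-flag value and
# mask). Rule/Packet names, first-match order and the
# (flags & mask) == (value & mask) reading of "control-flag 2 2" are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP control-code bits as they sit in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

ANY = ("0.0.0.0", "0.0.0.0")          # mask of all 0 bits: ignore every bit


def host(addr: str) -> Tuple[str, str]:
    """The CLI 'host A.B.C.D' form: compare all 32 bits."""
    return (addr, "255.255.255.255")


def addr_matches(packet_addr: str, rule: Tuple[str, str]) -> bool:
    """1 bits in the bitmask mean 'match', 0 bits mean 'ignore': the mask is
    ANDed with the rule address and with the packet address before comparing.
    The mask need not be contiguous like a subnet mask."""
    rule_addr, bitmask = rule
    p = int(ipaddress.IPv4Address(packet_addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(bitmask))
    return (p & m) == (r & m)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    protocol: str                      # "tcp", "udp" or "ip" (any IPv4 protocol)
    src: Tuple[str, str] = ANY         # (address, bitmask)
    dst: Tuple[str, str] = ANY
    control_flag: Optional[int] = None        # TCP only: flag value to compare
    control_flag_mask: Optional[int] = None   # TCP only: which flag bits to compare


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    tcp_flags: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not addr_matches(pkt.src, rule.src) or not addr_matches(pkt.dst, rule.dst):
        return False
    if rule.control_flag is not None:
        # Assumed semantics of 'control-flag value mask': only the bits set in
        # the mask are compared, so 'control-flag 2 2' checks the SYN bit alone
        # and therefore also matches a SYN+ACK segment.
        mask = rule.control_flag_mask if rule.control_flag_mask is not None else 0x3F
        if (pkt.tcp_flags & mask) != (rule.control_flag & mask):
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Rules are appended in order, so the list is walked from the first rule
    and the first match decides. Returns None when no rule matches; what the
    switch does with such packets is not stated in the excerpt above."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# Constructed sample ACL: the guide's example rule (permit TCP SYN from
# 192.168.1.0/24) followed by an assumed deny for one host, written with a
# non-contiguous bitmask that ignores the third octet.
SAMPLE_ACL = [
    Rule("permit", "tcp", ("192.168.1.0", "255.255.255.0"), ANY, SYN, SYN),
    Rule("deny", "ip", ("10.1.0.7", "255.255.0.255"), ANY),
]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "192.168.1.77", "203.0.113.5", SYN),
        Packet("tcp", "192.168.1.77", "203.0.113.5", SYN | ACK),
        Packet("tcp", "192.168.1.77", "203.0.113.5", ACK),
        Packet("udp", "10.1.200.7", "203.0.113.5"),
    ):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

The point to take from running it: with the mask 2, a SYN+ACK segment is permitted just like a pure SYN, because only the SYN bit is compared; to match "SYN and nothing else" the mask would have to cover every flag bit.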
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
 IP access-list david in
Console#

show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL.
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.

◆ An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (Standard IPv6 ACL) (341)
permit, deny (Extended IPv6 ACL) (342)
ipv6 access-group (345)
show ipv6 access-list (346)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.

Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands
access-list ipv6 (340)
Time Range (158)

permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL.

prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 for source prefix, 0-128 for destination prefix)
dscp – DSCP traffic class. (Range: 0-63)
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
sport – Protocol source port number. (Range: 0-65535)
dport – Protocol destination port number.

This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent from any source to any destination when the next header is 43.
Console(config-ext-ipv6-acl)#permit any any next-header 43
Console(config-ext-ipv6-acl)#
Here is a more detailed example for setting the CPU rate limit for SNMP packets.

ipv6 access-group
This command binds an IPv6 ACL to a port. Use the no form to remove the port.
Syntax
ipv6 access-group acl-name in [time-range time-range-name] [counter]
no ipv6 access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-32 characters)
counter – Enables counter for ACL statistics.

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name – Name of the ACL.
MAC ACLs

access-list mac
This command enters MAC ACL configuration mode. Rules can be added to filter packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also be used to filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types. Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl-name
acl-name – Name of the ACL.

no {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [cos cos cos-bitmask] [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]]
Note: The default is for Ethernet II packets.

tagged-802.3 – Tagged Ethernet 802.3 packets.
untagged-802.3 – Untagged Ethernet 802.3 packets.
any – Any MAC, IPv4 or IPv6 source or destination address.
host – A specific MAC, IPv4 or IPv6 address.
source – Source MAC, IPv4 or IPv6 address.
destination – Destination MAC, IPv4 or IPv6 address.
address-bitmask – Bitmask for MAC address (in hexadecimal format).
network-mask – Network mask for IP subnet.

Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#
Related Commands
access-list mac (347)
Time Range (158)

mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.

show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 in
Console#
Related Commands
mac access-group (350)

show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.

permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.

Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
Related Commands
access-list arp (352)

show access-list arp
This command displays the rules for configured ARP ACLs.
Syntax
show access-list arp [acl-name]
acl-name – Name of the ACL.
ACL Information

clear access-list hardware counters
This command clears the hit counter for the rules in all ACLs, or for the rules in a specified ACL.
Syntax
clear access-list hardware counters [direction in [interface interface]] | [interface interface] | [name acl-name]
in – Clears counter for ingress rules.
interface ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-26/52)
acl-name – Name of the ACL.

show access-list
This command shows all ACLs and associated rules.
Syntax
show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]
arp – Shows ingress or egress rules for ARP ACLs.
hardware counters – Shows statistics for all ACLs.
ip extended – Shows ingress or egress rules for Extended IPv4 ACLs.
11 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Interface Configuration

Table 72: Interface Commands (Continued)
Command | Function | Mode
transceiver-threshold rx-power | Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message | IC
transceiver-threshold temperature | Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message | IC
transceiver-threshold tx-power | Sets thresholds for the transceiver power level

Command Mode
Global Configuration
Example
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#

capabilities
This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.

Example
The following example configures Ethernet port 5 capabilities to include 100half and 100full.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
negotiation (363)
speed-duplex (364)
flowcontrol (361)

description
This command adds a description to an interface.

flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.

history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
Syntax
history name interval buckets
no history name
name - A symbolic name for this entry in the sampling table. (Range: 1-32 characters)
interval - The interval for sampling statistics. (Range: 1-1440 minutes)
buckets - The number of samples to take.
Command Usage
Available sfp-forced modes include:
ECS2110-26T: Ports 25-26 (1000BASE SFP) support 1000sfp
ECS2100-52T: Ports 49-52 (1000BASE SFP) support 1000sfp
Example
This forces the switch to use the 1000sfp mode for SFP port 28.
Console(config)#interface ethernet 1/28
Console(config-if)#media-type sfp-forced 1000sfp
Console(config-if)#

negotiation
This command enables auto-negotiation for a given interface.

Related Commands
capabilities (359)
speed-duplex (364)

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved.

◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.

Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Example
The following example clears statistics on port 5.

show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-26/52)
port-channel channel-id (Range: 1-8)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
         0 Oversize PKTS
         0 Fragments
         0 Jabbers
         0 CRC Align Errors
         0 Collisions
      5271 Packet Size <= 64 Octets
      3589 Packet Size 65 to 127 Octets
       222 Packet Size 128 to 255 Octets
       313 Packet Size 256 to 511 Octets
       190 Packet Size 512 to 1023 Octets
       444 Packet Size 1024 to 1518 Octets
 ===== Port Utilization =====
       111 Octets Input in kbits per second
         0 Packets Input per second
         0.

Table 73: show interfaces counters - display description (Continued)
Parameter | Description
Etherlike Statistics
FCS Errors | A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
Fragments | The total number of frames received that were less than 64 octets in length (excluding framing bits, but including FCS octets) and had either an FCS or alignment error.
Jabbers | The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.

previous - Statistics recorded in previous intervals.
index - An index into the buckets containing previous samples. (Range: 1-96)
count - The number of historical samples to display. (Range: 1-96)
input - Ingress traffic.
output - Egress traffic.
Default Setting
Shows the historical settings and status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.

Start Time    Discards
------------  ------------
00d 00:00:03  0
Console#

show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-26/52)
port-channel channel-id (Range: 1-8)
vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.

 Operation Speed-duplex : 100full
 Up Time                : 0w 0d 1h 11m 2s (4262 seconds)
 Flow Control Type      : None
 Max Frame Size         : 1518 bytes (1522 bytes for tagged frames)
 MAC Learning Status    : Enabled
Console#

show interfaces switchport
This command displays the administrative and operational status of the specified switchport interfaces.
Syntax
show interfaces switchport [interface]
interface ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number.
Transceiver Threshold Configuration

Table 74: show interfaces switchport - display description
Field | Description
Broadcast Threshold | Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 413).
Multicast Threshold | Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 413).

Example
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-monitor
Console(config-if)#

transceiver-threshold-auto
This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature.

Command Mode
Interface Configuration (SFP+ Ports)
Command Usage
◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
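The rule just stated is edge-triggered: a message is generated when a sample reaches the threshold and the previous sample was below it, not on every sampling interval while the value stays high. The following added example (not code from the guide or from Edgecore) applies that rule to a constructed series of RX power samples, using the RX power high-alarm and high-warning defaults quoted in this section. The function names are assumptions, as is the mirrored low-threshold rule (current value at or below the threshold, previous sample above it), which the excerpt does not state.

```python
# Added example, not from the Edgecore CLI guide: the edge-triggered rule the
# guide gives for high thresholds, applied to constructed RX power samples.
# A message is generated only when a sample reaches the threshold after the
# previous sample was below it, so a value that stays above the threshold does
# not repeat the message every interval. The function names and the symmetric
# low-threshold rule are assumptions; the excerpt states only the high rule.
from typing import Dict, List, Optional, Tuple

# Default RX power high alarm / high warning quoted in the guide (dBm)
RX_POWER_HIGH = {"high-alarm": -3.00, "high-warning": -3.50}


def threshold_messages(samples: List[float],
                       high: Dict[str, float],
                       low: Optional[Dict[str, float]] = None
                       ) -> List[Tuple[int, str]]:
    """Return (sample_index, message_name) pairs for every threshold crossing."""
    low = low or {}
    messages = []
    prev = None
    for i, cur in enumerate(samples):
        if prev is not None:          # the first sample has no "last sample value"
            for name, th in high.items():
                if cur >= th and prev < th:        # rule stated in the guide
                    messages.append((i, name))
            for name, th in low.items():
                if cur <= th and prev > th:        # assumed mirror of the high rule
                    messages.append((i, name))
        prev = cur
    return messages


# Constructed sample series: rises through both high thresholds, stays high
# for one more interval, drops below both, then rises again.
SAMPLE_RX_DBM = [-4.00, -3.40, -2.90, -2.80, -3.60, -2.70]

if __name__ == "__main__":
    for idx, name in threshold_messages(SAMPLE_RX_DBM, RX_POWER_HIGH):
        print(f"sample {idx} ({SAMPLE_RX_DBM[idx]} dBm): {name}")
```

Six samples with four threshold-reaching values produce only four messages, two per rise, and the sample at index 3 that stays above both thresholds produces none; that is the behaviour a trap receiver should expect when it correlates transceiver traps with a polling history.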
Default Setting
High Alarm: -3.00 dBm
High Warning: -3.50 dBm
Low Warning: -21.00 dBm
Low Alarm: -21.50 dBm
Command Mode
Interface Configuration (SFP+ Ports)
Command Usage
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.

Low Alarm: -123.00 C
Low Warning: 0.00 C
Command Mode
Interface Configuration (SFP+ Ports)
Command Usage
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.

Command Usage
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.

◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
Example
The following example sets alarm thresholds for the transceiver voltage at port 1.

 Vendor Rev    : Z
 Vendor SN     : SE08T712Z00006
 Date Code     : 10-09-14
 DDM Info
 Temperature   : 35.64 degree C
 Vcc           : 3.25 V
 Bias Current  : 12.13 mA
 TX Power      : 2.36 dBm
 RX Power      : -24.20 dBm
 DDM Thresholds
 ----------
                       Low Alarm    Low Warning  High Warning
                       -----------  -----------  ------------
 Temperature(Celsius)  -45.00       -40.00       85.00
 Voltage(Volts)        2.90         3.00         3.60
 Current(mA)           1.00         3.00         50.00
 TxPower(dBm)          -11.50       -10.50       -2.
 RxPower(dBm)          -23.98       -23.01
Console#

 DDM Thresholds
 Transceiver-monitor        : Disabled
 Transceiver-threshold-auto : Enabled
                       Low Alarm    Low Warning  High Warning  High Alarm
                       -----------  -----------  ------------  -----------
 Temperature(Celsius)  -123.00      0.00         70.00         75.00
 Voltage(Volts)        3.10         3.15         3.45          3.50
 Current(mA)           6.00         7.00         90.00         100.00
 TxPower(dBm)          -12.00       -11.50       -9.50         -9.00
 RxPower(dBm)          -21.50       -21.00       -3.50         -3.
Console#
Cable Diagnostics

Example
Console#test cable-diagnostics interface ethernet 1/24
Console#

show cable-diagnostics
This command shows the results of a cable diagnostics test.
Syntax
show cable-diagnostics dsp interface [interface]
interface ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number.
Power Savings

power-save
This command enables power savings mode on the specified port. Use the no form to disable this feature.
Syntax
[no] power-save
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet ports 1-22/48)
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.

determine whether or not it can reduce the signal amplitude used on a particular link.
Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 16 trunks.
Manual Configuration Commands

Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e.

src-dst-ip - Load balancing based on source and destination IP address.
src-dst-mac - Load balancing based on source and destination MAC address.
src-ip - Load balancing based on source IP address.
src-mac - Load balancing based on source MAC address.
Default Setting
src-dst-mac
Command Mode
Global Configuration
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.

■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts.
Example
Console(config)#port channel load-balance dst-ip
Console(config)#

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.

 Multicast Storm             : Disabled
 Multicast Storm Limit       : 500 packets/second
 Unknown Unicast Storm       : Disabled
 Unknown Unicast Storm Limit : 500 packets/second
 Storm Threshold Resolution  : 1 packets/second
 Flow Control                : Disabled
 MAC Learning                : Enabled
 Link-up-down Trap           : Enabled
Current status:
 Created By                  : LACP
 Link Status                 : Up
 Port Operation Status       : Up
 Operation Speed-duplex      : 1000full
 Up Time                     : 0w 0d 0h 0m 53s (53 seconds)
 Flow Control Type

◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state.
Note: Configuring the partner admin-key does not affect remote or local switch operation. The local switch just records the partner admin-key for user reference.

◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.

lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.

lacp timeout
This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting.
Syntax
lacp timeout {long | short}
no lacp timeout
long - Specifies a slow timeout of 90 seconds.
short - Specifies a fast timeout of 3 seconds.
Trunk Status Display Commands

show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sysid}
port-channel - Local identifier for a link aggregation group. (Range: 1-8)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.

Table 76: show lacp counters - display description (Continued)
Field | Description
Unknown Packet Received | Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.

Table 77: show lacp internal - display description (Continued)
Field | Description
Admin State, Oper State (continued) |
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link.

 . . .
 4    32768  00-30-F1-8F-2C-A7
 5    32768  00-30-F1-8F-2C-A7
 6    32768  00-30-F1-8F-2C-A7
 7    32768  00-30-F1-D4-73-A0
 8    32768  00-30-F1-D4-73-A0
 9    32768  00-30-F1-D4-73-A0
 10   32768  00-30-F1-D4-73-A0
 11   32768  00-30-F1-D4-73-A0
 12   32768  00-30-F1-D4-73-A0

Table 79: show lacp sysid - display description
Field | Description
Channel group | A link aggregation group configured on this switch.
13 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Local Port Mirroring Commands
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
Command Mode
Interface Configuration (Ethernet, destination port)
Command Usage
You can mirror traffic from any source port to a destination port for real-time analysis.
Default Setting
Shows all sessions.
Command Mode
Privileged Exec
Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
RSPAN Mirroring Commands
Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 is prohibited.)
2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4.
◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely.
Example
The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Example
The following example configures port 4 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/2
Console(config)#
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Command Usage
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode).
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
show rspan
Use this command to display the configuration settings for an RSPAN session.
Syntax
show rspan session [session-id]
session-id – A number identifying this RSPAN session. (Range: 1-3) Three sessions are allowed, including both local and remote mirroring, using different VLANs for RSPAN sessions.
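The RSPAN rules above (default VLAN 1 prohibited, one uplink per source switch, no access ports and no port-security ports as uplinks, sessions 1-3) are easy to violate when a session is planned across several switches. The following pre-deployment check is an added example, not code from the Edge-core guide; the Port and RspanPlan classes and the sample port inventory are constructed for illustration.

```python
"""Lint a planned RSPAN session against the constraints in the RSPAN command
descriptions. Added example; not part of the switch firmware or the guide."""
from dataclasses import dataclass, field
from typing import Optional

VALID_ROLES = ("source", "intermediate", "destination")


@dataclass
class Port:
    name: str                  # e.g. "ethernet 1/5" (constructed naming)
    mode: str                  # switchport mode: "access", "trunk" or "hybrid"
    port_security: bool = False


@dataclass
class RspanPlan:
    session: int               # show rspan session-id: range 1-3
    role: str                  # role of this switch in the session
    rspan_vlan: int            # VLAN created with "vlan ... rspan"
    sources: list = field(default_factory=list)
    destination: Optional[str] = None
    uplinks: list = field(default_factory=list)


def lint_rspan(plan: RspanPlan, ports: dict) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not 1 <= plan.session <= 3:
        problems.append(f"session {plan.session}: only sessions 1-3 are allowed")
    if plan.rspan_vlan == 1:
        problems.append("RSPAN VLAN 1: the default VLAN cannot be used for RSPAN")
    elif not 2 <= plan.rspan_vlan <= 4094:
        problems.append(f"RSPAN VLAN {plan.rspan_vlan}: outside 1-4094")
    if plan.role not in VALID_ROLES:
        problems.append(f"role {plan.role!r}: must be one of {VALID_ROLES}")
    # Only a source switch is limited to a single uplink port.
    if plan.role == "source" and len(plan.uplinks) > 1:
        problems.append("source switch: only one uplink port may be configured")
    for name in plan.uplinks:
        port = ports.get(name)
        if port is None:
            problems.append(f"uplink {name}: not in the port inventory")
            continue
        if port.mode == "access":
            problems.append(f"uplink {name}: access ports cannot be RSPAN uplinks "
                            "(use an 802.1Q trunk or hybrid port)")
        if port.port_security:
            problems.append(f"uplink {name}: port security is enabled, so it "
                            "cannot be an RSPAN uplink port")
    return problems


# Constructed inventory for the demonstration.
EXAMPLE_PORTS = {
    "ethernet 1/5": Port("ethernet 1/5", "trunk"),
    "ethernet 1/6": Port("ethernet 1/6", "access"),
    "ethernet 1/7": Port("ethernet 1/7", "hybrid", port_security=True),
    "ethernet 1/8": Port("ethernet 1/8", "hybrid"),
}

GOOD_PLAN = RspanPlan(session=1, role="source", rspan_vlan=2,
                      sources=["ethernet 1/2", "ethernet 1/3"],
                      uplinks=["ethernet 1/5"])

BAD_PLAN = RspanPlan(session=4, role="source", rspan_vlan=1,
                     sources=["ethernet 1/2"],
                     uplinks=["ethernet 1/6", "ethernet 1/7"])

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        print(f"session {plan.session}:", lint_rspan(plan, EXAMPLE_PORTS) or "ok")
```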
14 Congestion Control Commands
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Table 83: Congestion Control Commands
Command Group  Function
Rate Limiting: Sets the input and output rate limits for a port.
Rate Limit Commands
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.
Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for the specified interface
output – Output rate for the specified interface
rate – Maximum value in kbps.
Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Example
The following shows how to configure broadcast storm control at 600 packets per second:
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast packet-rate 600
Console(config-if)#
Related Commands
show interfaces switchport (373)
15 Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
Syntax
[no] loopback-detection
Default Setting
Enabled
Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)
Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Usage
◆ When a port receives a control frame sent by itself, this means that the port is in a looped state, and the VLAN in the frame payload is also in a looped state with the wrong VLAN tag. The looped port is therefore shut down.
◆ Use the loopback-detection recover-time command to set the time to wait before re-enabling an interface shut down by the loopback detection process.
Example
Console(config)#loopback-detection recover-time 120
Console(config-if)#
loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.
Syntax
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.
Command Mode
Global Configuration
Command Usage
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.
Example
Console(config)#loopback-detection trap both
Console(config)#
loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
(show loopback-detection example output, continued)
 Recover Time : 60
 Action       : Shutdown
 Trap         : None
 Loopback Detection Port Information
 Port      Admin State  Oper State
 --------  -----------  ----------
 Eth 1/ 1  Enabled      Normal
 Eth 1/ 2  Disabled     Disabled
 Eth 1/ 3  Disabled     Disabled
 . . .
16 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
clear collision-mac-address-table
This command removes all entries from the collision MAC address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear collision-mac-address-table
Console#
clear mac-address-table
This command removes any learned entries from the forwarding database.
Example
Console#show collision-mac-address-table
 MAC Address       VLAN  Collision Count
 ----------------- ----- ---------------
 90-e6-ba-cb-cd-d6     1               2
 Total collision mac number: 1
Console#
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
Example
Console#show mac-address-table
 Interface MAC Address       VLAN Type     Life Time
 --------- ----------------- ---- -------- -----------------
 CPU       00-E0-00-00-00-01    1 CPU      Delete on Reset
 Eth 1/ 1  00-E0-0C-10-90-09    1 Learn    Delete on Timeout
 Eth 1/ 1  00-E0-29-94-34-64    1 Learn    Delete on Timeout
Console#
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Example
Console#show mac-address-table count interface ethernet 1/1
 MAC Entries for Eth 1/1
 Total Address Count   :0
 Static Address Count  :0
 Dynamic Address Count :0
Console#show mac-address-table count
 Compute the number of MAC Address...
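The show mac-address-table output above is what an operator compares between two points in time to spot a learned address that has moved between ports, or a port that is suddenly learning many addresses. The following parser and comparison are an added example, not code from the guide; the two snapshots are constructed to follow the column layout shown above, and the MAC addresses on Eth 1/7 are made up.

```python
"""Parse 'show mac-address-table' output and compare two snapshots.
Added example; not part of the Edge-core guide or firmware."""
import re
from collections import Counter
from typing import NamedTuple


class MacEntry(NamedTuple):
    interface: str      # normalised, e.g. "Eth 1/1"
    mac: str            # upper-case xx-xx-xx-xx-xx-xx
    vlan: int
    entry_type: str     # CPU, Learn, Static, ...
    life_time: str      # "Delete on Reset", "Delete on Timeout", ...


# Interface names such as "Eth 1/ 1" contain spaces, so the row pattern keys
# on the MAC address column rather than splitting the line on whitespace.
_ROW = re.compile(
    r"^(?P<iface>CPU|Eth\s+\d+/\s*\d+|Trunk\s+\d+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+"
    r"(?P<vlan>\d+)\s+(?P<type>\S+)\s+(?P<life>.+?)\s*$"
)


def parse_mac_table(text: str) -> list:
    """Return one MacEntry per table row; prompt, header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        iface = " ".join(m["iface"].split()).replace("/ ", "/")
        entries.append(MacEntry(iface, m["mac"].upper(), int(m["vlan"]),
                                m["type"], m["life"].strip()))
    return entries


def learned_counts(entries: list) -> dict:
    """Number of dynamically learned (Type = Learn) addresses per interface."""
    return dict(Counter(e.interface for e in entries if e.entry_type == "Learn"))


def ports_over_limit(entries: list, limit: int) -> list:
    """Interfaces that hold more learned addresses than 'limit' (constructed policy value)."""
    return sorted(i for i, n in learned_counts(entries).items() if n > limit)


def moved_addresses(before: list, after: list) -> list:
    """(mac, vlan, old_interface, new_interface) for every address that is
    present in both snapshots but now sits behind a different interface."""
    previous = {(e.vlan, e.mac): e.interface for e in before}
    moves = []
    for e in after:
        old = previous.get((e.vlan, e.mac))
        if old is not None and old != e.interface:
            moves.append((e.mac, e.vlan, old, e.interface))
    return sorted(moves)


# Constructed snapshots in the guide's column layout.
SNAPSHOT_BEFORE = """\
Console#show mac-address-table
 Interface MAC Address       VLAN Type     Life Time
 --------- ----------------- ---- -------- -----------------
 CPU       00-E0-00-00-00-01    1 CPU      Delete on Reset
 Eth 1/ 1  00-E0-0C-10-90-09    1 Learn    Delete on Timeout
 Eth 1/ 1  00-E0-29-94-34-64    1 Learn    Delete on Timeout
 Eth 1/ 3  00-E0-29-94-34-DE    1 Static   Delete on Reset
Console#
"""

SNAPSHOT_AFTER = """\
Console#show mac-address-table
 Interface MAC Address       VLAN Type     Life Time
 --------- ----------------- ---- -------- -----------------
 CPU       00-E0-00-00-00-01    1 CPU      Delete on Reset
 Eth 1/ 1  00-E0-0C-10-90-09    1 Learn    Delete on Timeout
 Eth 1/ 7  00-E0-29-94-34-64    1 Learn    Delete on Timeout
 Eth 1/ 7  00-E0-AA-00-00-01    1 Learn    Delete on Timeout
 Eth 1/ 7  00-E0-AA-00-00-02    1 Learn    Delete on Timeout
 Eth 1/ 3  00-E0-29-94-34-DE    1 Static   Delete on Reset
Console#
"""

if __name__ == "__main__":
    before, after = parse_mac_table(SNAPSHOT_BEFORE), parse_mac_table(SNAPSHOT_AFTER)
    print("moved:", moved_addresses(before, after))
    print("over limit:", ports_over_limit(after, limit=2))
```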
17 Smart Pair Commands
Smart Pair Concept
A smart pair consists of two ports which are paired to provide layer 2 link redundancy. The pair consists of a primary port and a backup port. All traffic is forwarded through the primary port and the backup port will be set to standby. If the primary port link goes down, the backup port is activated and all traffic is forwarded through it. If the primary port recovers, all traffic will again be forwarded through the primary port after a configured delay.
Command Mode
Global Configuration
Command Usage
Use the command to create a new smart pair or to enter the smart-pair configuration mode of an existing smart pair.
Example
Console(config)#smart-pair 1
Console(config-smart-pair)#
smart-pair restore
Use the smart-pair restore command to manually restore traffic to the primary port of a specified smart pair.
Syntax
smart-pair restore ID
ID - Identification Number.
primary-port
This command configures the primary port of a specified smart pair. Use the no form of the command to remove the configured primary port from the smart pair.
Syntax
primary-port interface
no primary-port
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
backup-port
This command configures the backup port of a specified smart pair. Use the no form of the command to remove the configured backup port from the smart pair.
Syntax
backup-port interface
no backup-port
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
wtr-delay
This command sets the wait-to-restore delay for a smart pair. Use the no form of the command to set the delay to the default value.
Syntax
wtr-delay seconds
seconds - Delay in seconds. (Range: 0, 5-3600)
Default Setting
None
Command Mode
Smart Pair Configuration Mode
Command Usage
◆ If the wtr-delay parameter is set to 0, traffic will not be restored after a failed port is recovered.
18 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 89: Spanning Tree Commands (Continued)
Command  Function  Mode
spanning-tree loopback-detection action: Configures the response for loopback detection to block user traffic or shut down the interface (IC)
spanning-tree loopback-detection release-mode: Configures loopback release mode for a port (IC)
spanning-tree loopback-detection trap: Enables BPDU loopback SNMP trap notification for a port (IC)
spanning-tree mst cost: Configures the path cost of an instance in th
allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provides backup links which automatically take over when a primary link goes down.
◆ When spanning tree is enabled globally by this command or enabled on an interface (spanning-tree spanning-disabled command), loopback detection is disabled.
Default Setting
15 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
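The two bounds on max-age tie the three STA timers together, so changing hello-time or forward-time can silently invalidate a max-age that was accepted earlier. The checker below is an added example, not from the guide: it encodes exactly the two bracketed expressions above and derives from them the smallest forward-time and largest hello-time that still admit a chosen max-age. The sample values (hello-time 2, forward-time 15, max-age 20) are constructed; the guide states only the 15-second forward-time default on this page.

```python
"""Consistency check for the STA timers hello-time, forward-time and max-age.
Added example; it is not part of the switch firmware or the guide."""


def max_age_bounds(hello_time: int, forward_time: int) -> tuple:
    """(lowest, highest) max-age permitted by the other two timers:
    lowest  = max(6,  2 * (hello-time + 1))
    highest = min(40, 2 * (forward-time - 1))"""
    lowest = max(6, 2 * (hello_time + 1))
    highest = min(40, 2 * (forward_time - 1))
    return lowest, highest


def check_sta_timers(hello_time: int, forward_time: int, max_age: int) -> list:
    """Return the problems found (empty list when the three timers agree)."""
    problems = []
    lowest, highest = max_age_bounds(hello_time, forward_time)
    if lowest > highest:
        problems.append(f"hello-time {hello_time} and forward-time {forward_time} "
                        f"leave no valid max-age ({lowest} > {highest})")
    if max_age < lowest:
        problems.append(f"max-age {max_age} is below the minimum {lowest} "
                        f"implied by hello-time {hello_time}")
    if max_age > highest:
        problems.append(f"max-age {max_age} exceeds the maximum {highest} "
                        f"implied by forward-time {forward_time}")
    return problems


def min_forward_time_for(max_age: int) -> int:
    """Smallest forward-time with 2 * (forward-time - 1) >= max-age,
    i.e. ceil(max-age / 2) + 1."""
    return -(-max_age // 2) + 1


def max_hello_time_for(max_age: int) -> int:
    """Largest hello-time with 2 * (hello-time + 1) <= max-age,
    i.e. floor(max-age / 2) - 1."""
    return max_age // 2 - 1


if __name__ == "__main__":
    # Constructed sample: a common timer set, then a forward-time cut to 4 s.
    print(check_sta_timers(hello_time=2, forward_time=15, max_age=20) or "consistent")
    print(check_sta_timers(hello_time=2, forward_time=4, max_age=20))
```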
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
◆ Spanning Tree Protocol - This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Default Setting
No VLANs are mapped to any MST instance. The region name is set to the switch's MAC address.
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
Example
Console(config)#spanning-tree pathcost method long
Console(config)#
spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other ports on the switch.
Default Setting
All ports and trunks belong to a common group.
Command Mode
Global Configuration
Command Usage
A port can only belong to one group. When an interface is added to a group, it is removed from the default group. When a TCN BPDU or a BPDU with the TC flag set is received on an interface, that interface will only notify members in the same group to propagate this topology change.
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
Syntax
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed.
Command Usage
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
name - Name of the multiple spanning tree region.
Command Usage
The MST region name (page 445) and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Syntax
spanning-tree bpdu-guard [auto-recovery [interval interval]]
no spanning-tree bpdu-guard [auto-recovery [interval]]
auto-recovery - Automatically re-enables an interface after the specified interval.
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for the short path cost method, 1-200,000,000 for the long path cost method) [9]
Table 90: Recommended STA Path Cost Range
Port Type  Short Path Cost (IEEE 802.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 439) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#
spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
Command Usage
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1w-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
Syntax
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
Related Commands
spanning-tree mst cost (453)
spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
could also be used to form a border around part of the network where the root bridge is allowed.
◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
stp-enabled-only - Displays global settings, and settings for interfaces for which STP is enabled.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
(show spanning-tree example output, continued; only the field names survived extraction) State, External Admin Path Cost, Internal Admin Path Cost, External Oper Path Cost, Internal Oper Path Cost, Priority, Designated Cost, Designated Port, Designated Root, Designated Bridge, Forward Transitions, Admin Edge Port, Oper Edge Port, Admin Link Type, Oper Link Type, Flooding Behavior, Spanning-Tree Status, Loopback Detection Status, Loopback Detection Release Mode, Loopback Detection Trap, Loopback Detection Action, Root Guard Status, BPDU Guard Status, BPDU Guard Auto Recovery, BPDU G
show spanning-tree
This command shows the configuration of the multiple spanning tree.
19 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Editing VLAN Groups
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch's default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see "RSPAN Mirroring Commands" on page 403.
Configuring VLAN Interfaces
Table 94: Commands for Configuring VLAN Interfaces (Continued)
Command  Function  Mode
switchport native vlan: Configures the PVID (native VLAN) of an interface (IC)
switchport priority default: Sets a port priority for incoming untagged frames (IC)
interface vlan
This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface.
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
all - The port accepts all frames, tagged or untagged.
tagged - The port only receives tagged frames.
Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094)
add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained.
remove vlan-list - List of VLAN identifiers to remove.
Default Setting
All ports are assigned to VLAN 1 by default.
switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
Syntax
[no] switchport ingress-filtering
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Ingress filtering only affects tagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port's default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
Default Setting
Hybrid mode, with the PVID set to VLAN 1.
Example
The following example shows how to set the PVID for port 1 to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#
Displaying VLAN Information
This section describes commands used to display VLAN information.
(show vlan example output, continued)
 Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S)
 Eth1/19(S) Eth1/20(S) Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S) Eth1/26(S)
Console#
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs.
5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan).
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
Related Commands
show dot1q-tunnel (478)
show interfaces switchport (373)
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
switchport dot1q-tunnel priority map
This command copies the inner tag priority to the outer tag priority. Use the no form to disable this feature.
Syntax
[no] switchport dot1q-tunnel priority map
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When priority bits are found in the inner tag, these are also copied to the outer tag.
indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
◆ Rather than relying on standard service paths and priority queuing, QinQ VLAN mapping can be used to further enhance service by defining a set of differentiated service pathways to follow across the service provider's network for traffic arriving from specified inbound customer VLANs.
4. Configure port 1 as an untagged member of VLANs 100, 200 and 300 using access mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 100,200,300 untagged
Console(config-if)#switchport dot1q-tunnel mode access
5. Configure the following selective QinQ mapping entries.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Use the switchport dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, 0x1234 is set as the custom 802.
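The two tunnel settings above change bytes on the wire: priority map decides which PCP value the outer SPVLAN tag carries, and tpid decides which ethertype announces that tag, so a receiver that does not know a custom TPID sees no VLAN tag at all. The frame builder and tag-stack reader below model that behaviour; they are an added example, not switch code or code from the guide, and the MAC addresses and the minimal payload are constructed.

```python
"""Model of QinQ tag push on a tunnel access port: outer TPID and priority
copy. Added example; not part of the switch firmware or the guide."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100      # standard 802.1Q ethertype, the switch's default TPID
ETHERTYPE_IPV4 = 0x0800


@dataclass
class VlanTag:
    tpid: int
    pcp: int             # 3-bit priority code point
    dei: int             # 1-bit drop-eligible / CFI
    vid: int             # 12-bit VLAN ID

    def pack(self) -> bytes:
        tci = ((self.pcp & 0x7) << 13) | ((self.dei & 0x1) << 12) | (self.vid & 0xFFF)
        return struct.pack("!HH", self.tpid, tci)


def push_spvlan_tag(frame: bytes, spvlan: int, tpid: int = TPID_8021Q,
                    priority_map: bool = False) -> bytes:
    """Insert the service-provider tag after the MAC header, as a tunnel
    access port does. With priority_map, an inner 802.1Q tag's PCP is copied
    into the outer tag; otherwise the outer PCP is 0."""
    dst, src, rest = frame[:6], frame[6:12], frame[12:]
    pcp = 0
    inner_type = struct.unpack("!H", rest[:2])[0]
    if priority_map and inner_type == TPID_8021Q:
        inner_tci = struct.unpack("!H", rest[2:4])[0]
        pcp = inner_tci >> 13
    return dst + src + VlanTag(tpid, pcp, 0, spvlan).pack() + rest


def read_tag_stack(frame: bytes, tpids=(TPID_8021Q,)) -> list:
    """Walk the tags after the MAC header, outermost first, stopping at the
    first ethertype the receiver does not recognise as a TPID."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        ethertype, tci = struct.unpack("!HH", frame[off:off + 4])
        if ethertype not in tpids:
            break
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0xFFF))
        off += 4
    return tags


def build_customer_frame(vid=None, pcp=0) -> bytes:
    """Constructed customer frame: untagged when vid is None, else one 802.1Q tag."""
    dst = bytes.fromhex("00E0291122AA")                     # constructed
    src = bytes.fromhex("00E02994345E")                     # constructed
    payload = struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
    if vid is None:
        return dst + src + payload
    return dst + src + VlanTag(TPID_8021Q, pcp, 0, vid).pack() + payload


if __name__ == "__main__":
    tagged = build_customer_frame(vid=10, pcp=5)
    print(read_tag_stack(push_spvlan_tag(tagged, 100, priority_map=True)))
    # A custom TPID such as 0x1234 is invisible to a receiver expecting 0x8100.
    print(read_tag_stack(push_spvlan_tag(tagged, 100, tpid=0x1234)))
```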
Chapter 19 | VLAN Commands Configuring Protocol-based VLANs Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel 802.1Q Tunnel Status : Enabled Port Mode TPID (hex) -------- ------ ---------Eth 1/ 1 Access 8100 Eth 1/ 2 Uplink 8100 Eth 1/ 3 Normal 8100 . . .
Table 97: Protocol-based VLAN Commands
Command | Function | Mode
protocol-vlan protocol-group | Create a protocol group, specifying the supported protocols | GC
protocol-vlan protocol-group | Maps a protocol group to a VLAN | IC
show protocol-vlan protocol-group | Shows the configuration of protocol groups | PE
show interfaces protocol-vlan protocol-group | Shows the interfaces mapped to a protocol group and the corresponding VLAN | PE
To configure prot
Command Mode Global Configuration Example The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types:
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#
protocol-vlan protocol-group This command maps a protocol group to a VLAN for the current interface.
■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Chapter 19 | VLAN Commands Configuring MAC Based VLANs
show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26/52) port-channel channel-id (Range: 1-8) Default Setting The mapping for all interfaces is displayed.
mac-vlan This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment. Syntax mac-vlan mac-address mac-address [mask mask-address] vlan vlan-id [priority priority] no mac-vlan mac-address {mac-address [mask mask-address] | all} mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Chapter 19 | VLAN Commands Configuring Voice VLANs
Example The following example assigns traffic from any source MAC address matching 00-00-00-11-xx-xx (the mask FF-FF-FF-FF-00-00 compares only the first four octets) to VLAN 10.
Console(config)#mac-vlan mac-address 00-00-00-11-22-33 mask FF-FF-FF-FF-00-00 vlan 10
Console(config)#
show mac-vlan This command displays MAC address-to-VLAN assignments. Command Mode Privileged Exec Command Usage Use this command to display MAC address-to-VLAN mappings. Example The following example displays all configured MAC address-based VLANs.
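The following Python model is an added example, not code from the Edge-core guide. It applies the classification rules given above for an untagged frame arriving on a port with protocol groups mapped to VLANs (tagged frame: use its tag; untagged with a matching protocol type: the group's VLAN; otherwise the port's default VLAN) together with the masked source-MAC match of the mac-vlan command, including its unicast-only restriction. The guide does not state in which order MAC-based and protocol-based rules are evaluated for one untagged frame; checking MAC-based entries first is an assumption made here. Frames, MAC addresses and VLAN numbers are constructed for the example.

```python
"""Ingress VLAN classification for protocol-based and MAC-based VLANs.

Added example, not Edge-core code. Order of evaluation (MAC-based before
protocol-based) is an assumption; the guide does not specify it.
"""
import struct
from dataclasses import dataclass, field

TPID = 0x8100
ETH_P_IP, ETH_P_ARP, ETH_P_LLDP = 0x0800, 0x0806, 0x88CC


def parse_mac(text: str) -> int:
    """Accept xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx, the formats mac-vlan takes."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def is_unicast(mac: int) -> bool:
    """Group bit (least significant bit of the first octet) clear means unicast."""
    return not (mac >> 40) & 0x01


@dataclass
class MacVlanEntry:
    mac: int
    mask: int
    vlan: int


@dataclass
class PortVlanConfig:
    pvid: int                                            # default VLAN for untagged frames
    group_to_vlan: dict = field(default_factory=dict)    # protocol-vlan protocol-group <g> vlan <v>
    mac_vlans: list = field(default_factory=list)        # mac-vlan table


def add_mac_vlan(cfg: PortVlanConfig, mac: str, vlan: int,
                 mask: str = "FF-FF-FF-FF-FF-FF") -> None:
    """mac-vlan mac-address <mac> [mask <mask>] vlan <vlan>; unicast only."""
    mac_int = parse_mac(mac)
    if not is_unicast(mac_int):
        raise ValueError("configured MAC addresses can only be unicast addresses")
    cfg.mac_vlans.append(MacVlanEntry(mac_int, parse_mac(mask), vlan))


def classify(frame: bytes, cfg: PortVlanConfig, protocol_groups: dict):
    """Return (vlan, reason) for one ingress frame.

    protocol_groups maps group number -> set of ethertypes, i.e. the result of
    "protocol-vlan protocol-group <g> add frame-type ethernet protocol-type ...".
    """
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == TPID:
        tci = struct.unpack_from("!H", frame, 14)[0]
        return tci & 0x0FFF, "tagged"          # standard tagged-frame processing
    src = int.from_bytes(frame[6:12], "big")
    for entry in cfg.mac_vlans:                # assumption: MAC-based checked first
        if (src & entry.mask) == (entry.mac & entry.mask):
            return entry.vlan, "mac-vlan"
    for group, vlan in cfg.group_to_vlan.items():
        if ethertype in protocol_groups.get(group, ()):
            return vlan, "protocol-vlan"
    return cfg.pvid, "default"


def build_frame(src: str, ethertype: int, vid=None) -> bytes:
    """Constructed sample frame, not captured traffic."""
    hdr = bytes.fromhex("0011223344aa") + parse_mac(src).to_bytes(6, "big")
    if vid is not None:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + bytes(28)


if __name__ == "__main__":
    groups = {1: {ETH_P_IP, ETH_P_ARP}}                    # protocol group 1 from the page
    port = PortVlanConfig(pvid=1, group_to_vlan={1: 20})   # group 1 -> VLAN 20 on this port
    add_mac_vlan(port, "00-00-00-11-22-33", 10, mask="FF-FF-FF-FF-00-00")
    for f in (build_frame("00-00-00-11-AB-CD", ETH_P_IP),
              build_frame("00-00-00-12-22-33", ETH_P_ARP),
              build_frame("00-00-00-12-22-33", ETH_P_LLDP),
              build_frame("00-00-00-11-22-33", ETH_P_IP, vid=300)):
        print(classify(f, port, groups))
```

The masked entry shows why the mask matters for access control: FF-FF-FF-FF-00-00 moves a whole 65536-address block into VLAN 10, not just the configured address.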
Table 99: Voice VLAN Commands (Continued)
Command | Function | Mode
switchport voice vlan security | Enables Voice VLAN security on ports | IC
show voice vlan | Displays Voice VLAN settings | PE
voice vlan This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN. Syntax voice vlan voice-vlan-id no voice vlan voice-vlan-id - Specifies the voice VLAN ID.
voice vlan aging This command sets the Voice VLAN ID time out. Use the no form to restore the default. Syntax voice vlan aging minutes no voice vlan minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes) Default Setting 1440 minutes Command Mode Global Configuration Command Usage The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list. Syntax voice vlan mac-address mac-address mask mask-address [description description] no voice vlan mac-address mac-address mask mask-address mac-address - Defines a MAC address OUI that identifies VoIP devices in the network.
switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN. auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port. Example The following example sets the CoS priority to 5 on port 1.
Example The following example enables the OUI method on port 1 for detecting VoIP traffic.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan rule oui
Console(config-if)#
switchport voice vlan security This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
Default Setting None Command Mode Privileged Exec Command Usage When the switchport voice vlan command is set to auto mode, the show voice vlan command displays the remaining aging time (or “Not Start” if the aging timer has not yet begun). If the switchport voice vlan command is disabled or set to manual mode, the remaining aging time is displayed as “NA.”
20 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 20 | Class of Service Commands Priority Commands (Layer 2)
queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round. ◆ The specified queue mode applies to all interfaces.
Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#interface ethernet 1/1
Console(config-if)#queue weight 1 2 3 4 5 6 7 8
Console(config-if)#
Related Commands queue mode (494) show queue weight (497)
switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.)
Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Default Setting
Table 103: Default Mapping of CoS/CFI Values to Queue/CFI
CoS   CFI 0   CFI 1
0     (2,0)   (2,0)
1     (0,0)   (0,0)
2     (1,0)   (1,0)
3     (3,0)   (3,0)
4     (4,0)   (4,0)
5     (5,0)   (5,0)
6     (6,0)   (6,0)
7     (7,0)   (7,0)
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The default mapping of CoS/CFI to Queue/CFI values shown in Table 103 is based on the recommended settings in IEEE 802.
qos map dscp-queue This command maps DSCP values in incoming packets to per-hop behavior for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-queue dscp-queue from dscp0 ... dscp7 no qos map dscp-queue dscp0 ... dscp7 dscp-queue - Per-hop behavior, or the priority used for this router hop. (Range: 0-7) dscp - DSCP value in ingress packets.
Example This example changes the priority for all packets entering port 2 which contain a DSCP value of 1 to a per-hop behavior of 3.
Console(config)#interface ethernet 1/2
Console(config-if)#qos map dscp-queue 3 from 1
Console(config-if)#
qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Example This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section.
Console(config)#interface ethernet 1/1
Console(config-if)#qos map trust-mode dscp
Console(config-if)#
show qos map cos-queue This command shows the ingress CoS to egress queue map. Syntax show qos map cos-queue interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
show qos map dscp-queue This command shows the ingress DSCP to egress queue map. Syntax show qos map dscp-queue interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26/52) Command Mode Privileged Exec Command Usage This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Command Mode Privileged Exec Example The following shows that the trust mode is set to CoS:
Console#show qos map trust-mode interface ethernet 1/5
Information of Eth 1/5
CoS Map Mode: CoS mode
Console#
– 504 –
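The following Python model is an added example, not code from the Edge-core guide. It ties together the Layer 2 and Layer 3/4 priority commands of this chapter: the Table 103 default CoS-to-queue map, the switchport priority default value used for untagged frames, the qos map trust-mode choice, the rule that the DSCP map is consulted only in DSCP trust mode and only for IPv4 packets, and a per-port qos map dscp-queue override. Two assumptions are made because the page does not state them: the default DSCP-to-queue table is taken as queue = DSCP >> 3 (the class-selector bits), and the CFI/DEI bit is ignored. Frames and DSCP values are constructed for the example.

```python
"""Egress queue selection for the CoS / DSCP priority commands.

Added example, not Edge-core code. Default DSCP->queue table (dscp >> 3)
and ignoring CFI are assumptions; the CoS->queue table is Table 103.
"""
import struct

TPID, ETH_P_IP = 0x8100, 0x0800

# Table 103: CoS value -> egress queue (CFI 0 and CFI 1 map identically).
DEFAULT_COS_QUEUE = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


class PortQos:
    def __init__(self, trust_mode: str = "cos", default_priority: int = 0):
        if trust_mode not in ("cos", "dscp"):
            raise ValueError("trust mode must be cos or dscp")
        if not 0 <= default_priority <= 7:
            raise ValueError("default priority must be 0-7")
        self.trust_mode = trust_mode                  # qos map trust-mode {cos | dscp}
        self.default_priority = default_priority      # switchport priority default
        self.cos_queue = dict(DEFAULT_COS_QUEUE)
        self.dscp_queue = {d: d >> 3 for d in range(64)}   # assumed default table

    def map_dscp_queue(self, queue: int, *dscps: int) -> None:
        """qos map dscp-queue <queue> from <dscp0> ... <dscp7>"""
        if not 0 <= queue <= 7 or not 1 <= len(dscps) <= 8:
            raise ValueError("queue 0-7 and one to eight DSCP values per command")
        for d in dscps:
            if not 0 <= d <= 63:
                raise ValueError(f"DSCP {d} out of range")
            self.dscp_queue[d] = queue

    def select_queue(self, frame: bytes) -> int:
        """Pick the egress queue for one ingress frame on this port."""
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        pcp, l3_offset = None, 14
        if ethertype == TPID:
            tci, ethertype = struct.unpack_from("!HH", frame, 14)
            pcp, l3_offset = (tci >> 13) & 0x7, 18
        # The DSCP map applies only in DSCP trust mode and only to IPv4 packets;
        # everything else falls back to the CoS map.
        if self.trust_mode == "dscp" and ethertype == ETH_P_IP:
            dscp = frame[l3_offset + 1] >> 2      # IPv4 TOS byte, DSCP in the top six bits
            return self.dscp_queue[dscp]
        cos = pcp if pcp is not None else self.default_priority
        return self.cos_queue[cos]


def build_frame(ethertype: int, dscp: int = 0, pcp=None) -> bytes:
    """Constructed sample frame: optional 802.1Q tag (VID 100), then a minimal
    IPv4-shaped header whose TOS byte carries dscp."""
    hdr = bytes.fromhex("0011223344aa0011223344bb")
    if pcp is not None:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | 100)
    hdr += struct.pack("!H", ethertype)
    return hdr + bytes([0x45, dscp << 2]) + bytes(18)


if __name__ == "__main__":
    ef = build_frame(ETH_P_IP, dscp=46, pcp=1)        # EF-marked, tagged with CoS 1
    print("trust cos :", PortQos().select_queue(ef))                  # 0 (Table 103: CoS 1 -> queue 0)
    print("trust dscp:", PortQos(trust_mode="dscp").select_queue(ef)) # 5 (46 >> 3)
```

The contrast between the two printed results is the operational point of trust-mode: with CoS trust, an EF-marked packet carrying PCP 1 lands in the lowest queue, because Table 103 places CoS 1 and 2 below CoS 0.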
21 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
CoS value. Note that a class map can include match settings for both IP values and a VLAN. 3. Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode. 4. Use the class command to identify the class map, and enter Policy Map Class configuration mode. A policy map can contain up to 16 class maps. 5.
Example This example creates a class map called “rd-class,” and sets it to match packets marked with CoS value 3:
Console(config)#class-map rd-class
Console(config-cmap)#match cos 3
Console(config-cmap)#
Related Commands show class-map (513)
description This command specifies the description of a class map or policy map. Syntax description string string - Description of the class map or policy map.
match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan} acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters) cos - A Class of Service value.
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Command Usage ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command. ◆ Create a Class Map (page 509) before assigning it to a Policy Map.
Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” and uses the set cos command to set the CoS value that matching incoming packets will receive.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set cos 3
Console(config-pmap-c)#
police rate This command defines an enforcer for classified traffic based on the metered flow rate.
When a packet of size B bytes arrives at time t, the following happens: ■ If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0; otherwise the packet is red and Tc is not decremented.
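The following Python model is an added example, not code from the Edge-core guide. It implements the token-bucket rule stated above for police rate: Tc is the committed token count in bytes, refilled at the configured rate up to the burst size; a B-byte packet arriving at time t is green if Tc(t) - B ≥ 0 (Tc is then decremented by B) and red otherwise (Tc unchanged). The units (rate in kbit/s, burst in bytes), the exceed action names and the arrival trace are assumptions constructed for the example; the page does not list the command's argument names.

```python
"""Single-rate token-bucket policer, as described for "police rate".

Added example, not Edge-core code. Units (kbit/s, bytes) and the action
names are assumptions; the colouring rule is the one the guide states.
"""


class SingleRatePolicer:
    def __init__(self, rate_kbps: int, burst_bytes: int):
        if rate_kbps <= 0 or burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate_bps = rate_kbps * 1000 / 8.0    # committed rate in bytes per second
        self.burst = burst_bytes                  # bucket depth (committed burst size)
        self.tc = float(burst_bytes)              # Tc starts full
        self.last = 0.0                           # time of the last arrival

    def _refill(self, t: float) -> None:
        """Tc(t): add tokens for the elapsed time, capped at the burst size."""
        if t < self.last:
            raise ValueError("time must not go backwards")
        self.tc = min(self.burst, self.tc + (t - self.last) * self.rate_bps)
        self.last = t

    def arrive(self, size: int, t: float) -> str:
        """Colour one packet of `size` bytes arriving at time t (seconds)."""
        self._refill(t)
        if self.tc - size >= 0:          # conforming: spend tokens, never below 0
            self.tc -= size
            return "green"
        return "red"                     # exceeding: Tc is left unchanged


def police(policer: SingleRatePolicer, packets, exceed_action: str = "drop"):
    """Apply the policer to (size_bytes, time_s) pairs; return (colour, action) per packet.

    Green traffic is transmitted; red traffic receives exceed_action, e.g.
    "drop" or a remark such as "set-dscp 0".
    """
    results = []
    for size, t in packets:
        colour = policer.arrive(size, t)
        results.append((colour, "transmit" if colour == "green" else exceed_action))
    return results


# Constructed arrival trace (not captured traffic): 8 kbit/s = 1000 B/s, 1500-byte burst.
SAMPLE_TRACE = [(1000, 0.0), (1000, 0.0), (1500, 1.0), (1, 1.0), (200, 1.25)]

if __name__ == "__main__":
    policer = SingleRatePolicer(rate_kbps=8, burst_bytes=1500)
    for (size, t), (colour, action) in zip(SAMPLE_TRACE, police(policer, SAMPLE_TRACE)):
        print(f"t={t:.2f}s size={size:5d} -> {colour:5s} {action}")
```

The trace shows the two properties worth checking when sizing a policer: a burst larger than Tc is refused as a whole rather than partially served, and a red packet does not drain the bucket, so a flow that exceeds its rate does not starve the next conforming packet.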
service-policy This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy input policy-map-name input - Apply to the input traffic. policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters) Default Setting No policy map is attached to an interface.
Description:
Match ip dscp 10
Match access-list rd-access
Match ip dscp 0
Class Map match-any rd-class#2
Match ip precedence 5
Class Map match-any rd-class#3
Match vlan 1
Console#
show policy-map This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] policy-map-name - Name of the policy map.
show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface [interface input] interface unit/port unit - Unit identifier. (Range: 1) port - Port number.
22 Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 22 | Multicast Filtering Commands IGMP Snooping
Table 107: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs | GC
ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into the attached VLAN | GC
ip igmp snooping unsolicited-report-interval | Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is | GC
Table 107: IGMP Snooping Commands (Continued)
Command | Function | Mode
show ip igmp snooping mrouter | Shows multicast router ports | PE
show ip igmp snooping statistics | Shows IGMP snooping protocol statistics for the specified interface | PE
ip igmp snooping This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
ip igmp snooping priority This command assigns a priority to all multicast traffic. Use the no form to restore the default setting. Syntax ip igmp snooping priority priority no ip igmp snooping priority priority - The CoS priority assigned to all multicast traffic.
Command Mode Global Configuration Command Usage ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
ip igmp snooping router-alert-option-check This command discards any IGMPv2/v3 packets that do not include the Router Alert option. Use the no form to ignore the Router Alert option when receiving IGMP messages. Syntax [no] ip igmp snooping router-alert-option-check Default Setting Disabled Command Mode Global Configuration Command Usage As described in Section 9.
Example The following shows how to configure the timeout to 400 seconds:
Console(config)#ip igmp snooping router-port-expire-time 400
Console(config)#
ip igmp snooping tcn-flood This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets. Example The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#
ip igmp snooping tcn-query-solicit This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs.
ip igmp snooping unregistered-data-flood This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration Command Usage Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned.
Example
Console(config)#ip igmp snooping unsolicited-report-interval 5
Console(config)#
ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default.
ip igmp snooping version-exclusive This command discards any received IGMP messages (except for multicast protocol packets) which use a version different from that currently configured by the ip igmp snooping version command. Use the no form to disable this feature.
Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
◆ This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave.
ip igmp snooping vlan last-memb-query-intvl This command configures the last-member-query interval. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id last-memb-query-intvl interval no ip igmp snooping vlan vlan-id last-memb-query-intvl vlan-id - VLAN ID (Range: 1-4094) interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
Command Mode Global Configuration Command Usage ◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
Command Mode Global Configuration Command Usage IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541. The switch also uses a null address in IGMP reports sent to upstream ports.
ip igmp snooping vlan query-interval This command configures the interval between sending IGMP general queries. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id query-interval interval no ip igmp snooping vlan vlan-id query-interval vlan-id - VLAN ID (Range: 1-4094) interval - The interval between sending IGMP general queries.
Command Usage This command applies when the switch is serving as the querier (page 521), or as a proxy host when IGMP snooping proxy reporting is enabled (page 520). Example
Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20
Console(config)#
ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the static port.
clear ip igmp snooping groups dynamic This command clears multicast group information dynamically learned through IGMP snooping. Syntax clear ip igmp snooping groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned through IGMP snooping. Statically configured multicast addresses are not cleared.
show ip igmp snooping This command shows the IGMP snooping, proxy, and query configuration settings. Syntax show ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (1-4094) Command Mode Privileged Exec Command Usage This command displays global and VLAN-specific IGMP configuration settings.
show ip igmp snooping group This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified. Syntax show ip igmp snooping group [host-ip-addr ip-address interface | igmpsnp | sort-by-port | user | vlan vlan-id [user | igmpsnp]] ip-address - IP address for multicast group interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs. Command Mode Privileged Exec Command Usage Multicast router port types displayed include Static or Dynamic.
Command Mode Privileged Exec Example The following shows IGMP protocol statistics input:
Console#show ip igmp snooping statistics input interface ethernet 1/1
Input Statistics:
Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- -----
Eth 1/ 1  23       11       4        10            5        14        5
Console#
Table 108: show ip igmp snooping statistics input - display description Field Description Interfac
Table 109: show ip igmp snooping statistics output - display description Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed. Group The number of multicast groups active on this interface.
Chapter 22 | Multicast Filtering Commands Static Multicast Routing Table 110: show ip igmp snooping statistics vlan query - display description Field Description V2 Warning Count The number of times the query version received (Version 2) does not match the version configured for this interface. V3 Warning Count The number of times the query version received (Version 3) does not match the version configured for this interface.
Chapter 22 | Multicast Filtering Commands IGMP Filtering and Throttling trunk) on this switch, that interface can be manually configured to join all the current multicast groups. ◆ IGMP Snooping must be enabled globally on the switch (using the ip igmp snooping command) before a multicast router port can take effect. Example The following shows how to configure port 10 as a multicast router port within VLAN 1.
ip igmp filter (Global Configuration) This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature. Syntax [no] ip igmp filter Default Setting Disabled Command Mode Global Configuration Command Usage IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
be assigned to one interface. Each profile has only one access mode; either permit or deny. Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#
permit, deny This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile. Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#
ip igmp filter This command assigns an IGMP filtering profile to an interface on the switch.
ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).
show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode Privileged Exec Example
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.
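The following Python model is an added example, not code from the Edge-core guide. It combines the IGMP filtering and throttling commands of this section: a profile with one access mode (permit or deny) and one or more group ranges, as built with ip igmp profile, permit/deny and range; a port with one assigned profile (ip igmp filter) and a group limit (ip igmp max-groups) whose action is deny or replace. Profile 19 is rebuilt from the show ip igmp profile output above; the port, the joined groups and the seed for the random replacement victim are constructed for the example.

```python
"""IGMP filter profiles and join throttling on one port.

Added example, not Edge-core code. The replace action removes an existing
group at random, as the guide states; the random source is seeded so the
example is reproducible.
"""
import ipaddress
import random


class IgmpProfile:
    def __init__(self, number: int, mode: str):
        if mode not in ("permit", "deny"):        # each profile has exactly one access mode
            raise ValueError("access mode is permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def range(self, low: str, high: str = None) -> None:
        """range <low> [<high>]; a single address is the range low..low."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"bad multicast range {low}-{high or low}")
        self.ranges.append((int(lo), int(hi)))

    def allows(self, group: str) -> bool:
        """permit: only listed ranges pass; deny: everything except listed ranges passes."""
        g = int(ipaddress.IPv4Address(group))
        matched = any(lo <= g <= hi for lo, hi in self.ranges)
        return matched if self.mode == "permit" else not matched


class PortIgmp:
    def __init__(self, profile: IgmpProfile = None, max_groups: int = None,
                 action: str = "deny", seed: int = None):
        if action not in ("deny", "replace"):
            raise ValueError("throttle action is deny or replace")
        self.profile, self.max_groups, self.action = profile, max_groups, action
        self.rng = random.Random(seed)
        self.groups = []                      # groups currently joined on this port

    def join(self, group: str) -> str:
        """Process one IGMP membership report; return what the switch did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                 # ip igmp filter <profile>
        if group in self.groups:
            return "refreshed"                # membership report for a known group
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"            # new join report dropped
            victim = self.rng.choice(self.groups)
            self.groups.remove(victim)        # replace: evict a random existing group
            self.groups.append(group)
            return f"replaced {victim}"
        self.groups.append(group)
        return "joined"

    def leave(self, group: str) -> bool:
        if group in self.groups:
            self.groups.remove(group)
            return True
        return False


def profile_19() -> IgmpProfile:
    """The deny profile shown by "show ip igmp profile 19" on this page."""
    p = IgmpProfile(19, "deny")
    p.range("239.1.1.1")
    p.range("239.2.3.1", "239.2.3.100")
    return p


if __name__ == "__main__":
    port = PortIgmp(profile=profile_19(), max_groups=2, action="deny")
    for g in ("239.5.0.1", "239.5.0.2", "239.5.0.3", "239.1.1.1", "239.2.3.50", "239.2.3.101"):
        print(f"{g:13s} -> {port.join(g)}")
```

Note that the filter is evaluated before the group limit, so a denied group never consumes one of the port's max-groups slots, and that with the replace action a host can evict another subscriber's group simply by sending more join reports, which is why deny is the safer choice on untrusted access ports.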
Example
Console#show ip igmp query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#
show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 22 | Multicast Filtering Commands MLD Snooping
show ip multicast-data-drop This command shows if the specified interface is configured to drop multicast data packets. Syntax show ip multicast-data-drop [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-26/52) port-channel channel-id (Range: 1-8) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces.
Table 113: MLD Snooping Commands
Command | Function | Mode
ipv6 mld snooping | Enables MLD Snooping globally | GC
ipv6 mld snooping proxy-reporting | Enables MLD Snooping with Proxy Reporting | GC
ipv6 mld snooping querier | Allows the switch to act as the querier for MLD snooping | GC
ipv6 mld snooping query-interval | Configures the interval between sending MLD general query messages | GC
ipv6 mld snooping query-max-response-time | Configures the maximum re
ipv6 mld snooping This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping. Syntax [no] ipv6 mld snooping Default Setting Disabled Command Mode Global Configuration Example The following example enables MLD Snooping:
Console(config)#ipv6 mld snooping
Console(config)#
ipv6 mld snooping proxy-reporting This command enables MLD Snooping with Proxy Reporting. Use the no form to restore the default setting.
ipv6 mld snooping querier This command allows the switch to act as the querier for MLDv2 snooping. Use the no form to disable this feature. Syntax [no] ipv6 mld snooping querier Default Setting Disabled Command Mode Global Configuration Command Usage If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
◆ An MLD general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an MLD report for the multicast groups they have joined. Example
Console(config)#ipv6 mld snooping query-interval 150
Console(config)#
ipv6 mld snooping query-max-response-time This command configures the maximum response time advertised in MLD general queries.
Command Mode Global Configuration Command Usage A port will be removed from the receiver list for a multicast service when no MLD reports are detected in response to a number of MLD queries. The robustness variable sets the number of queries on ports for which there is no report. Example
Console(config)#ipv6 mld snooping robustness 2
Console(config)#
ipv6 mld snooping This command configures the MLD query timeout.
ipv6 mld snooping unknown-multicast mode
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.
Syntax
ipv6 mld snooping unknown-multicast mode {flood | to-router-port}
no ipv6 mld snooping unknown-multicast mode
flood - Floods the unknown multicast data packets to all ports.
to-router-port - Forwards the unknown multicast data packets to router ports.

Command Usage
◆ When a new upstream interface (that is, an uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream interface.
◆ This command only applies when proxy reporting is enabled (see page 553).
Example
Console(config)#ipv6 mld snooping unsolicited-report-interval 5
Console(config)#

ipv6 mld snooping
This command configures the MLD snooping version.

Command Usage
◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.

Example
The following shows how to configure port 1 as a multicast router port within VLAN 1:
Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group.

Command Usage
This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared.
Example
Console#clear ipv6 mld snooping groups dynamic
Console#

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
Syntax
clear ipv6 mld snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

Example
The following shows MLD Snooping configuration information:
Console#show ipv6 mld snooping
Service Status            : Disabled
Proxy Reporting           : Disabled
Querier Status            : Disabled
Robustness                : 2
Query Interval            : 125 sec
Query Max Response Time   : 10 sec
Router Port Expiry Time   : 300 sec
Unsolicit Report Interval : 400 sec
Immediate Leave           : Disabled on all VLAN
Immediate Leave By Host   : Disabled on all VLAN
Unknown Flood Behavior    : T
MLD Snooping Version      :
show ipv6 mld snooping group source-list
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Syntax
show ipv6 mld snooping group source-list [ipv6-address | vlan vlan-id]
ipv6-address - An IPv6 address of a multicast group.

Example
Console#show ipv6 mld snooping mrouter vlan 1
VLAN Multicast Router Port Type      Expire
---- --------------------- --------- ------
   1 Eth 1/ 2              Static
Console#

show ipv6 mld snooping statistics
This command shows MLD snooping protocol statistics for the specified interface.

Table 114: show ipv6 MLD snooping statistics input - display description
Field | Description
Leave | The number of leave messages received on this interface.
G Query | The number of general query messages received on this interface.
G(-S)-S Query | The number of group specific or group-and-source specific query messages received on this interface.
Drop | The number of times a report, leave or query was dropped.

Specific Query Received : 0
Specific Query Sent     : 0
Console#

Table 116: show ipv6 MLD snooping statistics query - display description
Field | Description
Other Querier Address | IP address of remote querier on this interface.
Other Querier Expire | Time after which remote querier is assumed to have expired.
Other Querier Uptime | Time remote querier has been up.
Self Querier | IP address of local querier on this interface.

Others Drop : 0
Console#

Table 117: show ipv6 MLD snooping statistics summary - display description
Field | Description
Number of Groups | Number of MLD groups active on the specified interface.
Physical Interface (Port/Trunk) Querier: Transmit
General | The number of general queries sent from this interface.
Group Specific | The number of group specific queries sent from this interface.
MLD Filtering and Throttling

In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The MLD filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and MLD throttling limits the number of simultaneous multicast groups a port can join.

can be assigned to a port. When enabled, MLD join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the MLD join report is forwarded as normal. If a requested multicast group is denied, the MLD join report is dropped.
◆ MLD filtering and throttling only apply to dynamically learned multicast groups; they do not apply to statically configured groups.

permit, deny
This command sets the access mode for an MLD filter profile. Use the no form to delete a profile number.
Syntax
{permit | deny}
Default Setting
deny
Command Mode
MLD Profile Configuration
Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range.

Example
Console(config-mld-profile)#range ff01::0101 ff01::0202
Console(config-mld-profile)#

ipv6 mld filter (Interface Configuration)
This command assigns an MLD filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
[no] ipv6 mld filter profile-number
profile-number - An MLD filter profile number.

Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either "deny" or "replace." If the action is set to deny, any new MLD join reports will be dropped.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld max-groups action replace
Console(config-if)#

ipv6 mld query-drop
This command drops any received MLD query packets. Use the no form to restore the default setting.
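As an added example (not from the Edgecore guide or its firmware), the following Python model replays the filtering and throttling decisions described above: profile 19 in deny mode covering ff01::101 to ff01::faa assigned to Ethernet 1/3, and Ethernet 1/1 throttled with action replace. The group limit of 2, oldest-first eviction on replace, and all class and function names are assumptions of this model, not behaviour documented on this page.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import List, Optional, Tuple


@dataclass
class MldProfile:
    """An MLD filter profile: one access mode (permit or deny) plus address ranges."""
    number: int
    mode: str = "deny"  # the guide's default access mode
    ranges: List[Tuple[IPv6Address, IPv6Address]] = field(default_factory=list)

    def add_range(self, start: str, end: str) -> None:
        """Equivalent of 'range start end' in MLD Profile Configuration mode."""
        lo, hi = IPv6Address(start), IPv6Address(end)
        if not (lo.is_multicast and hi.is_multicast) or lo > hi:
            raise ValueError("range must be an ordered pair of multicast addresses")
        self.ranges.append((lo, hi))

    def in_range(self, group: IPv6Address) -> bool:
        return any(lo <= group <= hi for lo, hi in self.ranges)

    def permits(self, group: IPv6Address) -> bool:
        """permit mode forwards joins inside the ranges; deny mode drops them."""
        inside = self.in_range(group)
        return inside if self.mode == "permit" else not inside


@dataclass
class MldPort:
    """Per-port state: an optional filter profile and the throttling settings."""
    name: str
    profile: Optional[MldProfile] = None
    max_groups: Optional[int] = None  # None: throttling not configured
    action: str = "deny"              # 'deny' or 'replace' once max_groups is reached
    groups: List[IPv6Address] = field(default_factory=list)  # dynamic groups, oldest first

    def join(self, group_text: str) -> str:
        """Apply filtering, then throttling, to one MLD join report for group_text.
        Returns a short description of what the switch did with the report."""
        group = IPv6Address(group_text)
        if not group.is_multicast:
            return "ignored: not a multicast group"
        if self.profile is not None and not self.profile.permits(group):
            return "dropped: denied by profile %d" % self.profile.number
        if group in self.groups:
            return "refreshed: group already joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped: max-groups reached"
            # replace: assumption for this model, the oldest dynamic group gives way
            evicted = self.groups.pop(0)
            self.groups.append(group)
            return "replaced: %s evicted" % evicted.compressed
        self.groups.append(group)
        return "forwarded"


def demo() -> List[str]:
    """Replays the guide's configuration: profile 19 denying ff01::101-ff01::faa on
    Ethernet 1/3, and (assumed) max-groups 2 with action replace on Ethernet 1/1.
    The join reports below are constructed sample input."""
    profile = MldProfile(19, mode="deny")
    profile.add_range("ff01::101", "ff01::faa")
    eth13 = MldPort("Ethernet 1/3", profile=profile)
    eth11 = MldPort("Ethernet 1/1", max_groups=2, action="replace")
    return [
        eth13.join("ff01::200"),   # inside the denied range
        eth13.join("ff1e::1234"),  # outside it: forwarded as normal
        eth11.join("ff1e::10"),
        eth11.join("ff1e::20"),
        eth11.join("ff1e::30"),    # third group on a port limited to two
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```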
Example
Console#show ipv6 mld filter
MLD filter Enabled
Console#show ipv6 mld filter interface ethernet 1/3
Ethernet 1/3 information
--------------------------------
MLD Profile 19
  Deny
  Range ff01::101 ff01::faa
Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.
Syntax
show ipv6 mld profile [profile-number]
profile-number - An existing MLD filter profile number.

Default Setting
None
Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ipv6 mld throttle interface
This command displays the interface settings for MLD throttling.
Syntax
show ipv6 mld throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier.
23 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
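As an added example (not from the guide or the switch firmware), the following Python encodes and decodes the IEEE 802.1AB TLV format that LLDPDUs use, covering the Chassis ID, Port ID and TTL TLVs that the show lldp info remote-device output later in this chapter displays, with the receiver rejecting truncated or mis-ordered TLVs. Function names are assumptions; the constructed neighbor reuses the chassis and port MAC addresses from that output, and the 30-second interval and hold multiplier of 4 are the 802.1AB defaults.

```python
import struct

# TLV type numbers and ID subtypes from IEEE 802.1AB (basic management set)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 5, 6
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC = 4, 3


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """One TLV: 7-bit type and 9-bit length packed into two bytes, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split("-"))


def mac_text(raw: bytes) -> str:
    return "-".join("%02X" % b for b in raw)


def build_lldpdu(chassis_mac, port_mac, ttl, system_name, system_desc) -> bytes:
    """Assemble an LLDPDU in the mandatory order: Chassis ID, Port ID, TTL,
    optional TLVs, End of LLDPDU."""
    return (encode_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + mac_bytes(chassis_mac))
            + encode_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_MAC]) + mac_bytes(port_mac))
            + encode_tlv(TLV_TTL, struct.pack("!H", ttl))
            + encode_tlv(TLV_SYSTEM_NAME, system_name.encode())
            + encode_tlv(TLV_SYSTEM_DESC, system_desc.encode())
            + encode_tlv(TLV_END, b""))


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLV list up to End of LLDPDU. Raises ValueError on a TLV that
    runs past the buffer or when the three mandatory TLVs are missing or out
    of order, which is how a receiver should treat a malformed neighbor."""
    info, offset, types = {}, 0, []
    while True:
        if offset + 2 > len(data):
            raise ValueError("LLDPDU ends inside a TLV header")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("LLDPDU ends inside a TLV value")
        offset += 2 + length
        types.append(tlv_type)
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID and len(value) == 7 and value[0] == CHASSIS_SUBTYPE_MAC:
            info["chassis_id"] = mac_text(value[1:])
        elif tlv_type == TLV_PORT_ID and len(value) == 7 and value[0] == PORT_SUBTYPE_MAC:
            info["port_id"] = mac_text(value[1:])
        elif tlv_type == TLV_TTL and length == 2:
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", errors="replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode("utf-8", errors="replace")
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    return info


def is_well_formed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


def advertised_ttl(tx_interval: int, holdtime_multiplier: int) -> int:
    """802.1AB derives the TTL from the transmit interval times the hold
    multiplier, capped at 65535: the 120 seconds in the guide's output is 30 x 4."""
    return min(65535, tx_interval * holdtime_multiplier)


def sample_neighbor() -> dict:
    """Constructed LLDPDU using the chassis and port IDs from the guide's
    'show lldp info remote-device detail' example; the system name is made up."""
    pdu = build_lldpdu("70-72-CF-91-1C-B2", "70-72-CF-91-1C-B4",
                       advertised_ttl(30, 4), "switch-2", "ECS2100-28PP")
    return parse_lldpdu(pdu)
```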
Table 119: LLDP Commands (Continued)
Command | Function | Mode
lldp basic-tlv system-description | Configures an LLDP-enabled port to advertise the system description | IC
lldp basic-tlv system-name | Configures an LLDP-enabled port to advertise its system name | IC
lldp dot1-tlv proto-ident* | Configures an LLDP-enabled port to advertise the supported protocols | IC
lldp dot1-tlv proto-vid* | Configures an LLDP-enabled port to advertise port-based protocol related VLAN information | IC

lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.

lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Syntax
lldp med-fast-start-count packets
no lldp med-fast-start-count
packets - Number of packets.

◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss.

Command Mode
Global Configuration
Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Example
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between successive transmissions of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.

lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).

◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.

Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name, and is in turn based on the hostname command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#

lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols.

Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 479).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-vid
Console(config-if)#

lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.

Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 467 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 481.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv vlan-name
Console(config-if)#

lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.

Command Usage
This option advertises MAC/PHY configuration/status, which includes information about auto-negotiation support/capabilities and the operational Multistation Access Unit (MAU) type.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#

lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.

lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
Syntax
lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
no lldp med-location civic-addr [[country] | [what] | [ca-type]]
country-code - The two-letter ISO 3166 country code in capital ASCII letters.

Table 120: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
6 | Group of streets below the neighborhood level | Exchange
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 charact
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or the organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax
[no] lldp med-tlv location
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
Syntax
[no] lldp med-tlv network-policy
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.

therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp notification
Console(config-if)#

show lldp config
This command shows LLDP configuration settings for all ports.
Syntax
show lldp config [detail interface]
detail - Shows configuration summary.

Admin Status                   : Tx-Rx
Notification Enabled           : True
Basic TLVs Advertised          : port-description
                                 system-name
                                 system-description
                                 system-capabilities
                                 management-ip-address
802.1 specific TLVs Advertised : port-vid
                                 vlan-name
                                 proto-vlan
                                 proto-ident
802.

System Description          : ECS2110-26T
System Capabilities Support : Bridge
System Capabilities Enabled : Bridge
Management Address          : 192.168.0.

Console#show lldp info remote-device detail ethernet 1/1
LLDP Remote Devices Information Detail
---------------------------------------------------------------
Index                : 2
Chassis Type         : MAC Address
Chassis ID           : 70-72-CF-91-1C-B2
Port ID Type         : MAC Address
Port ID              : 70-72-CF-91-1C-B4
Time To Live         : 120 seconds
Port Description     : Ethernet Port on unit 1, port 2
System Description   : ECS2100-28PP
System Capabilities  : Bridge
Enabled Capabilities : Bridge
Management Address   : 192.168.0.

Location Identification :
  Location Data Format  : Civic Address LCI
  Country Name          : TW
  What                  : 2
Extended Power via MDI :
  Power Type            : PSE
  Power Source          : Unknown
  Power Priority        : Unknown
  Power Value           : 0 Watts
Inventory :
  Hardware Revision     : R0A
  Firmware Revision     : 1.2.6.0
  Software Revision     : 1.2.6.
  Serial Number         :
  Manufacture Name      :
  Model Name            :
  Asset ID              :
Console#
24 Domain Name Service Commands

These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.

DNS Commands

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.

ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
At least one name server must be specified before DNS can be enabled.

ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.

Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.
Example
This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
0    2    Address 192.168.1.
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#
Related Commands
ip domain-name (604)
ip domain-lookup (603)

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address.

clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#clear dns cache
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- -------
Console#

clear host
This command deletes dynamic entries from the DNS table.
Syntax
clear host {name | *}
name - Name of the host. (Range: 1-127 characters)
* - Removes all entries.

show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
No.

Multicast DNS Commands

show hosts
This command displays the static host name-to-address mapping table.
Command Mode
Privileged Exec
Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
No.  Flag Type    IP Address
---- ---- ------- --------------------
0    2    Address 192.168.1.55
1    2    Address 2001:DB8:1::12
3    4    Address 209.131.36.

Command Mode
Global Configuration
Command Usage
Use this command to enable multicast DNS host name-to-address mapping on the local network without the need for a dedicated DNS server. For more information on this command, refer to the Web Management Guide.
Example
Console(config)#ip mdns
Console(config)#

show ip mdns
This command displays the configuration state of the multicast DNS service.
25 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.

DHCP Client
DHCP for IPv4

ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.
Syntax
[no] ip dhcp dynamic-provision
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.

2. Define the conditions in the class section:

    class "OPT66_67" {
        # for option 66/67
        # option 124
        match if option vendor-class-identifier = "Edge-core";
        # option 55
        option dhcp-parameter-request-list 1,66,67;
        # option 66
        option tftp-server-name "192.168.1.1";
        # option 67
        option bootfile-name "dhcp_config.cfg";
    }

    shared-network Sample2 {
        subnet 192.168.1.0 netmask 255.255.255.0 {
        }
        pool {
            allow members of "OPT66_67";
            range 192.168.1.10 192.168.1.

◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or the type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).

ip dhcp restart client
This command submits a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client's last address if available.
DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.

Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#
Related Commands
ipv6 address autoconfig (637)

show ipv6 dhcp duid
This command shows the DHCP Unique Identifier for this switch.
Command Mode
Privileged Exec
Command Usage
DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.

List of known servers:
Server address : FE80::250:FCFF:FEF9:A494
DUID           : 0001-0001-48CFB0D5-F48F2A006801
Server address : FE80::250:FCFF:FEF9:A405
DUID           : 0001-0001-38CF5AB0-F48F2A003917
Console#
Related Commands
ipv6 address (636)

DHCP Relay

This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.

packet to a DHCP server on another network. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client's subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then passes the DHCP response received from the server to the client.
◆ You must specify the IP address for at least one active DHCP server.

Example
In the following example, the device is reassigned the same address.
Console#ip dhcp restart relay
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 00-00-E8-93-82-A0
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 10.1.0.254 Mask: 255.255.255.
26 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.

IPv4 Interface
Basic IPv4 Configuration

This section describes commands used to configure IP addresses for VLAN interfaces on the switch.

Command Usage
◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the configuration program.

ip default-gateway
This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No default gateway is established.
Command Mode
Global Configuration
Command Usage
◆ The default gateway can also be defined using the following Global Configuration command: ip route 0.

show ip default-gateway
This command shows the IPv4 default gateway configured for this device.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip default-gateway
IP default gateway 10.1.0.254
Console#
Related Commands
ip default-gateway (626)
show ipv6 default-gateway (644)

show ip interface
This command displays the settings of an IPv4 interface.

show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.

input errors
9897 output
Console#

traceroute
This command shows the route packets take to the specified destination.
Syntax
traceroute host
host - IP address or alias of the host.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
Example
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1   20 ms    <10 ms   <10 ms   192.168.0.99
Trace completed.
Console#

ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.

◆ When pinging a host name, be sure the DNS server has been defined (page 605) and host name-to-address translation enabled (page 603). If necessary, local devices can also be specified in the DNS static host table (page 604).
Example
Console#ping 10.1.0.9
Press ESC to abort.
PING to 10.1.0.

Command Mode
Global Configuration
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 128.
◆ A static entry may need to be used if there is no response to an ARP broadcast message.

◆ Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables.
Example
Console(config)#interface vlan 3
Console(config-if)#ip proxy-arp
Console(config-if)#

clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.

IPv6 Interface

Example
This example displays all entries in the ARP cache.
Console#show arp
ARP Cache Timeout: 1200 (seconds)
IP Address
---------------
10.1.0.0
10.1.0.254
10.1.0.255
145.30.20.

Table 133: IPv6 Configuration Commands (Continued)
Command | Function | Mode
traceroute6 | Shows the route packets take to the specified host | PE
Neighbor Discovery
ipv6 nd dad attempts | Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection | IC
ipv6 nd ns-interval | Configures the interval between IPv6 neighbor solicitation retransmissions on an interface | IC
ipv6 nd reachable-time | Configu
Chapter 26 | IP Interface Commands IPv6 Interface ◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.)
◆ If a duplicate address is detected, a warning message is sent to the console.
Example This example specifies a full IPv6 address and prefix length.
Command Usage
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.
ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
◆ This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
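The modified EUI-64 derivation described above (invert the universal/local bit, insert FF-FE after the OUI), worked through in Python as an added example that is not code from the guide or from the switch firmware. The MAC address 28-9F-18-1C-82-35 is inferred from the guide's "28 to 2A" step, 70-72-CF-83-34-66 is inferred from the [EUI] address in the show ipv6 interface output, and the /64 prefix check is this example's own assumption.

```python
"""Modified EUI-64 interface identifiers, as used by ipv6 address eui-64 and
by the autoconfigured link-local address (FE80::/64 prefix)."""
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept 28-9F-18-1C-82-35, 28:9f:18:1c:82:35 or 289f.181c.8235 forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a MAC address."""
    octets = bytearray(mac_to_bytes(mac))
    # Invert the universal/local bit (bit 1 of the first octet, mask 0x02):
    # 28 becomes 2A in the guide's example.
    octets[0] ^= 0x02
    # Insert FF-FE between the OUI (first three octets) and the device part.
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def format_eui64(iid: bytes) -> str:
    """Render the interface ID in the guide's dashed hex notation."""
    return "-".join(f"{b:02X}" for b in iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Link-local address = FE80::/64 prefix + modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Global unicast address from a 64-bit prefix plus the interface ID.

    A prefix longer than 64 bits would overlap the interface ID, so this
    example rejects it (an assumption of the example, not a rule quoted
    from the guide).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 prefix, got /{net.prefixlen}")
    packed = net.network_address.packed[:8] + modified_eui64(mac)
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(packed)}/64")


def solicited_node_group(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Solicited-node multicast group FF02::1:FFxx:xxxx joined for an address
    (low 24 bits of the unicast address), used by DAD and neighbor solicitation."""
    low24 = addr.packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


if __name__ == "__main__":
    mac = "28-9F-18-1C-82-35"  # inferred from the guide's 28 -> 2A example
    print("interface ID:", format_eui64(modified_eui64(mac)))
    print("link-local:  ", link_local_address(mac))
    gua = eui64_address("2001:db8:0:1::/64", "70-72-CF-83-34-66")
    print("global:      ", gua, "joins", solicited_node_group(gua.ip))
```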
ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Syntax ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]
ipv6-address - The IPv6 address assigned to the interface.
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
IPv6 is enabled
Link-local address: fe80::269:3ef9:fe19:6779%1/64
Global unicast address(es):
2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI]
2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
ff02::1:ff19:6779
ff02::1:ff00:72
ff02::1:ff83:3466
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
◆ All devices on the same physical medium must use the same MTU in order to operate correctly.
◆ IPv6 must be enabled on an interface before the MTU can be set.
Example The following example sets the MTU for VLAN 1 to 1280 bytes:
Console(config)#interface vlan 1
Console(config-if)#ipv6 mtu 1280
Console(config-if)#
Related Commands show ipv6 mtu (647) jumbo frame (107)
show ipv6 This command displays the current IPv6 default gateway.
prefix-length - A decimal value indicating how many of the contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Command Mode Privileged Exec
Example This example displays all the IPv6 addresses configured for the switch.
Table 134: show ipv6 interface - display description (Continued)
Field                       Description
Joined group address(es)    In addition to the unicast addresses assigned to an interface, a node is required to join the all-nodes multicast addresses FF01::1 and FF02::1 for all IPv6 nodes within scope 1 (interface-local) and scope 2 (link-local), respectively.
show ipv6 mtu This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
IPv6 sent
forwards datagrams 6
requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMPv6 Statistics:
ICMPv6 received
input errors
destination unreachable messages
packet too big messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
router solicit messages
router advertisement messages
neighbor solicit messages
neighbor advertisement messages
redirect messages
group membership quer
Table 136: show ipv6 traffic - display description (Continued)
Field                                              Description
too big errors                                     The number of input datagrams that could not be forwarded because their size exceeded the link MTU of the outgoing interface.
no routes                                          The number of input datagrams discarded because no route could be found to transmit them to their destination.
discards                                           The number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (e.g., for lack of buffer space). Note that this counter would include datagrams counted in ipv6IfStatsOutForwDatagrams if any such packets met this (discretionary) discard criterion.
multicast listener discovery version 2 reports     The number of MLDv2 reports received by the interface.
ICMPv6 sent
output                                             The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
destination unreachable messages                   The number of ICMP Destination Unreachable messages sent by the interface.
clear ipv6 traffic This command resets IPv6 traffic counters.
Command Mode Privileged Exec
Command Usage This command resets all of the counters displayed by the show ipv6 traffic command.
Example
Console#clear ipv6 traffic
Console#
ping6 This command sends (IPv6) ICMP echo request packets to another node on the network.
Syntax ping6 {ipv6-address | host-name} [count count] [size size]
ipv6-address - The IPv6 address of a neighbor device.
For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
◆ When pinging a host name, be sure the DNS server has been enabled (see page 603). If necessary, local devices can also be specified in the DNS static host table (see page 604).
◆ When using ping6 with a host name, the switch first attempts to resolve the alias into an IPv6 address before trying to resolve it into an IPv4 address.
Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
Neighbor Discovery
ipv6 nd dad attempts This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.
Syntax ipv6 nd dad attempts count
no ipv6 nd dad attempts
count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.
Example The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Command Usage
◆ When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself.
◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.
ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.
Syntax ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time
milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
Command Mode Privileged Exec
Example The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#
show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache.
Table 137: show ipv6 neighbors - display description (Continued)
Field                Description
Link-layer Addr      Physical layer MAC address.
State                The following states are used for dynamic entries:
I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
I2 (Invalid) - An invalidated mapping.
28 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 28 | IP Routing Commands Global Routing Configuration
IPv4 Commands
ip route This command configures static routes. Use the no form to remove static routes.
Syntax ip route destination-ip netmask next-hop [distance]
no ip route {destination-ip netmask next-hop | *}
destination-ip – IP address of the destination network, subnetwork, or host.
netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
show ip route This command displays information in the Forwarding Information Base (FIB).
Syntax show ip route [connected | database | rip | static | summary]
connected – Displays all currently connected entries.
database – All known routes, including inactive routes.
rip – Displays all entries learned through the Routing Information Protocol (RIP).
static – Displays all static entries.
The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
Chapter 28 | IP Routing Commands Routing Information Protocol (RIP)
C *> 192.168.1.0/24 is directly connected, VLAN1
Console#
show ip route summary This command displays summary information for the routing table.
Command Mode Privileged Exec
Example In the following example, the numeric identifier following the routing table name (0) indicates the Forwarding Information Base (FIB) identifier.
Table 162: Routing Information Protocol Commands (Continued)
Command                         Function                                                       Mode
ip rip authentication string    Enables authentication for RIP2 packets and specifies keys     IC
ip rip receive version          Sets the RIP receive version to use on a network interface     IC
ip rip receive-packet           Configures the interface to receive RIP packets                IC
ip rip send version             Sets the RIP send version to use on a network interface        IC
ip rip send-pac
default-information originate This command generates a default external route into the local RIP autonomous system. Use the no form to disable this feature.
Syntax [no] default-information originate
Default Setting Disabled
Command Mode Router Configuration
Command Usage This command sets a default route for every Layer 3 interface where RIP is enabled.
◆ The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
◆ It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Command Usage
◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols. A smaller administrative distance indicates a more reliable protocol.
◆ The administrative distance is applied to all routes learned for the specified network.
Example
Console(config-router)#distance 2 192.168.3.0 255.255.255.
Default Setting No neighbors are defined.
Command Mode Router Configuration
Command Usage
◆ This command can be used to configure a static neighbor (specifically for point-to-point links) with which this router will exchange routing information, rather than relying on broadcast or multicast messages generated by the RIP protocol.
◆ Subnet addresses are interpreted as class A, B or C, based on the first field in the specified address. In other words, if a subnet address nnn.xxx.xxx.xxx is entered, the first field (nnn) determines the class: 0 - 127 is class A, and only the first field in the network address is used. 128 - 191 is class B, and the first two fields in the network address are used.
redistribute This command imports external routing information from other routing domains (that is, directly connected routes, protocols, or static routes) into the autonomous system. Use the no form to disable this feature.
Syntax [no] redistribute {connected | static} [metric metric-value]
connected - Imports routes that are established automatically just by enabling IP on an interface.
Related Commands default-metric (667)
timers basic This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.
Syntax timers basic update timeout garbage
no timers basic
update – Sets the update timer to the specified value. (Range: 5-2147483647 seconds)
timeout – Sets the timeout timer to the specified value.
Console(config-router)#timers basic 15
Console(config-router)#
version This command specifies a RIP version used globally by the router. Use the no form to restore the default value.
Syntax version {1 | 2}
no version
1 - RIP Version 1
2 - RIP Version 2
Default Setting
Receive: Accepts RIPv1 or RIPv2 packets
Send: Route information is broadcast to other routers with RIPv2.
ip rip authentication mode This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value.
Syntax ip rip authentication mode {md5 | text}
no ip rip authentication mode
md5 - Message Digest 5 (MD5) authentication
text - Indicates that a simple password will be used.
ip rip authentication string This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key.
Syntax ip rip authentication string key-string
no ip rip authentication string
key-string - A password used for authentication.
Default Setting RIPv1 and RIPv2 packets
Command Mode Interface Configuration (VLAN)
Command Usage
◆ Use this command to override the global setting specified by the RIP version command.
◆ You can specify the receive version based on these options:
■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
Command Usage Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface, for example, when only static routes are to be allowed for a specific interface.
Example
Console(config)#interface vlan 1
Console(config-if)#ip rip receive-packet
Console(config-if)#
Related Commands ip rip send-packet (679)
ip rip send version This command specifies a RIP version to send on an interface.
Example This example sets the interface version for VLAN 1 to send RIPv1 packets.
Console(config)#interface vlan 1
Console(config-if)#ip rip send version 1
Console(config-if)#
Related Commands version (674)
ip rip send-packet This command configures the interface to send RIP packets. Use the no form to disable this feature.
Command Mode Interface Configuration (VLAN)
Default Setting split-horizon poisoned
Command Usage
◆ Split horizon never propagates routes back to an interface from which they have been acquired.
◆ Poison reverse propagates routes back to an interface port from which they have been acquired, but sets the distance-vector metrics to infinity. (This provides faster convergence.
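The three behaviours described above (no split horizon, split horizon, and poison reverse), together with the receiver-side rule that lets a metric-16 advertisement withdraw a route immediately, as an added Python model; this is not switch code, and the routing table, interface names and neighbor addresses are constructed for the example.

```python
"""RIP update construction under the three ip rip split-horizon settings
(none, split-horizon, poisoned) and the receiver-side update rule."""
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16  # RIP's "unreachable" metric


@dataclass
class Route:
    network: str                     # e.g. "192.168.3.0/24"
    metric: int                      # hop count stored in this router's table
    interface: str                   # outgoing interface, e.g. "vlan2"
    next_hop: Optional[str] = None   # None for a directly connected network


def build_update(table: Dict[str, Route], out_interface: str,
                 mode: str = "poisoned") -> Dict[str, int]:
    """Return {network: metric} for the update sent out of out_interface.

    A route learned from a neighbor reached via out_interface is:
      none           - advertised back with its stored metric,
      split-horizon  - omitted,
      poisoned       - advertised back with metric 16 (poison reverse).
    Directly connected networks are always advertised here (a
    simplification of this example, not a statement about the switch).
    """
    if mode not in ("none", "split-horizon", "poisoned"):
        raise ValueError(f"unknown split-horizon mode: {mode}")
    update: Dict[str, int] = {}
    for route in table.values():
        learned_here = route.next_hop is not None and route.interface == out_interface
        if learned_here and mode == "split-horizon":
            continue
        metric = RIP_INFINITY if (learned_here and mode == "poisoned") else route.metric
        update[route.network] = min(metric, RIP_INFINITY)
    return update


def apply_update(table: Dict[str, Route], in_interface: str, neighbor: str,
                 update: Dict[str, int]) -> List[str]:
    """Process a received update (RFC 2453 rules, link cost fixed at 1 hop).

    Returns the networks whose entry changed.  A metric-16 entry from the
    route's current next hop marks it unreachable at once, which is why
    poison reverse converges faster than silently omitting the route.
    """
    changed: List[str] = []
    for network, advertised in update.items():
        metric = min(advertised + 1, RIP_INFINITY)
        current = table.get(network)
        if current is None:
            if metric < RIP_INFINITY:          # never install an unreachable route
                table[network] = Route(network, metric, in_interface, neighbor)
                changed.append(network)
            continue
        if current.next_hop is None:
            continue                           # connected networks win over RIP
        from_current_hop = current.next_hop == neighbor
        if (from_current_hop and current.metric != metric) or metric < current.metric:
            table[network] = Route(network, metric, in_interface, neighbor)
            changed.append(network)
    return changed


if __name__ == "__main__":
    # Constructed table for router A: one connected network, two RIP routes.
    table = {
        "10.1.0.0/24": Route("10.1.0.0/24", 1, "vlan1"),
        "192.168.3.0/24": Route("192.168.3.0/24", 2, "vlan2", "10.2.0.2"),
        "172.16.5.0/24": Route("172.16.5.0/24", 3, "vlan3", "10.3.0.2"),
    }
    for mode in ("none", "split-horizon", "poisoned"):
        print(f"{mode:14} -> vlan2: {build_update(table, 'vlan2', mode)}")
    # Neighbor 10.2.0.2 poisons 192.168.3.0/24: the route is withdrawn at once.
    print(apply_update(table, "vlan2", "10.2.0.2", {"192.168.3.0/24": RIP_INFINITY}),
          table["192.168.3.0/24"].metric)
```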
Command Usage Using this command with the “all” parameter clears the RIP table of all routes. To avoid deleting the entire RIP network, use the redistribute connected command to make the RIP network a connected route. To delete the RIP routes learned from neighbors and also keep the RIP network intact, use the “rip” parameter with this command (clear ip rip route rip).
Example This example clears one specific route.
Command Mode Privileged Exec
Example
Console#show ip rip
Codes: R - RIP, Rc - RIP connected, Rs - RIP static, C - Connected, S - Static, O - OSPF
Network          Next Hop         Metric    From
Rc 192.168.0.
Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 685 ◆ “License Information” on page 687 – 683 –
A Troubleshooting
Problems Accessing the Management Interface
Table 163: Troubleshooting Chart
Symptom    Action
Cannot connect using Telnet, or SNMP software
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Cannot connect using Secure Shell
Appendix A | Troubleshooting
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign end stations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks. IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. In-Band Management Management of the network from a station attached directly to the network. IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages. MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs.
QinQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. QoS Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping.
STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network. TACACS+ Terminal Access Controller Access Control System Plus. TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.
Commands aaa accounting commands 225 aaa accounting dot1x 226 aaa accounting exec 227 aaa accounting update 228 aaa authorization commands 228 aaa authorization exec 229 aaa group server 230 absolute 159 access-list arp 352 access-list ip 334 access-list ipv6 340 access-list mac 347 accounting commands 232 accounting dot1x 231 accounting exec 232 arp 631 authentication enable 214 authentication login 215 authorization commands 233 authorization exec 234 backup-port 430 boot system 109 calendar set 157 capa
enable password 210 end 85 exec-timeout 123 exit 85 fan-speed force-full 106 flowcontrol 361 history 362 hostname 93 interface 358 interface vlan 466 ip access-group 338 ip address 624 ip arp inspection 314 ip arp inspection filter 315 ip arp inspection limit 319 ip arp inspection log-buffer logs 316 ip arp inspection trust 319 ip arp inspection validate 317 ip arp inspection vlan 318 ip default-gateway 626 ip dhcp client class-id 613 ip dhcp dynamic-provision 612 ip dhcp relay server 619 ip dhcp
ipv6 dhcp client rapid-commit vlan 616 ipv6 dhcp restart client vlan 616 ipv6 enable 642 ipv6 host 606 ipv6 mld filter (Global Configuration) 568 ipv6 mld filter (Interface Configuration) 571 ipv6 mld max-groups 571 ipv6 mld max-groups action 572 ipv6 mld profile 569 ipv6 mld query-drop 573 ipv6 mld snooping 553 ipv6 mld snooping proxy-reporting 553 ipv6 mld snooping querier 554 ipv6 mld snooping query-interval 554 ipv6 mld snooping query-max-response-time 555 ipv6 mld snooping robustness 555 ipv6
network-access guest-vlan 278 network-access mac-filter 274 network-access max-mac-count 278 network-access mode mac-authentication 279 network-access port-mac-filter 280 nlm 187 no rspan session 408 ntp authenticate 147 ntp authentication-key 147 ntp client 148 ntp server 149 parity 125 passive-interface 671 password 125 password-thresh 126 periodic 160 permit, deny 544 permit, deny 570 permit, deny (ARP ACL) 353 permit, deny (Extended IPv4 ACL) 335 permit, deny (Extended IPv6 ACL) 342 permit, de
show ip arp inspection statistics 321 show ip arp inspection vlan 321 show ip default-gateway 627 show ip dhcp dynamic-provision 615 show ip dhcp snooping 304 show ip dhcp snooping binding 305 show ip igmp filter 548 show ip igmp profile 549 show ip igmp query-drop 549 show ip igmp snooping 536 show ip igmp snooping group 537 show ip igmp snooping mrouter 538 show ip igmp snooping statistics 538 show ip igmp throttle interface 550 show ip interface 627 show ip mdns 610 show ip multicast-data-drop
show snmp view 187 show snmp-server enable port-traps 178 show sntp 146 show spanning-tree 459 show spanning-tree mst configuration 462 show spanning-tree tc-prop 462 show ssh 250 show startup-config 101 show system 102 show tacacs-server 223 show tech-support 103 show time-range 161 show traffic-segmentation 331 show upgrade 119 show users 104 show version 105 show vlan 471 show voice vlan 491 show watchdog 105 show web-auth 289 show web-auth interface 289 show web-auth summary 290 shutdown 364 s
transceiver-threshold current 375 transceiver-threshold rx-power 376 transceiver-threshold temperature 377 transceiver-threshold tx-power 378 transceiver-threshold voltage 379 transceiver-threshold-auto 375 upgrade opcode auto 116 upgrade opcode path 117 upgrade opcode reload 118 username 211 version 674 vlan 464 vlan database 464 voice vlan 486 voice vlan aging 487 voice vlan mac-address 488 watchdog software 106 web-auth 287 web-auth login-attempts 285 web-auth quiet-period 286 web-auth re-authe
Index Numerics 802.1Q tunnel 472 access 474 CVID to SVID map 475 ethernet type 477 interface configuration 474–477 mode selection 474 status, configuring 473 TPID 477 uplink 474 802.1X authenticator, configuring 253–259 global settings 252–253 port authentication 251, 253 port authentication accounting 231 A AAA accounting 802.
clustering switches, management access 162 command line interface See CLI committed information rate, QoS policy 511 community string 49, 171 configuration file, DHCP download reference 59 configuration files, restoring defaults 108 configuration settings restoring 52, 108, 110 saving 52, 108, 110 configuration settings, automatic installation 59 console port, required connections 40 CoS 501 configuring 493 enabling 501 layer 3/4 priorities 498 queue mode 494 queue weights, assigning 495 CPU status 9
upgrading 110 upgrading automatically 116 upgrading with FTP or TFTP 116 version, displaying 105 forwarding information base See FIB G gateway, IPv4 default 626 gateway, IPv6 default 635 general security measures 267 GNU license 687 H hardware version, displaying 105 HTTP, web server 238 HTTPS 239 configuring 238, 239 replacing SSL certificate 110, 114 secure-site certificate 110, 114 HTTPS, secure server 239 I IEEE 802.1D 437 IEEE 802.1s 437 IEEE 802.1w 437 IEEE 802.
global unicast 636 link-local 638 manual configuration (global unicast) 44, 636 manual configuration (link-local) 44, 641 setting 42, 636 J jumbo frame 107 K key private 243 public 243 user public, importing 110, 114 key pair host 243 host, generating 248 L LACP configuration 387 group attributes, configuring 395 group members, configuring 391 local parameters 397 partner parameters 397 protocol message statistics 397 protocol parameters 387 timeout, for LACPDU 396 last member query count, IGMP sn
filtering & throttling, status 568 MLD snooping 551 configuring 552 enabling 553 immediate leave 558 immediate leave, status 558 multicast static router port 559 querier 554 querier, enabling 554 query interval 554 query, maximum response time 555 robustness value 555 static port assignment 560 static router port 559 unknown multicast, handling 557 version 558 MSTP 437 global settings, configuring 433 global settings, displaying 460 interface settings, configuring 434, 446–457 interface settings, dis
proxy reporting, IGMP snooping 520, 553 public key 243 PVID, port native VLAN 470 Q QoS 505 configuration guidelines 505 configuring 505 dynamic assignment 276 matching class settings 508 selecting DSCP, CoS 501 QoS policy, committed information rate 511 queue weight, assigning to CoS 495 R RADIUS logon authentication 216 settings 216 rate limit port 412 setting 411 remote engine ID 179 remote logging 136 Remote Monitoring See RMON rename, DiffServ 509 restarting the system 80, 84 at scheduled times
engine identifier, remote 179 groups 180 local users, configuring 181 remote users, configuring 181 user configuration 181 views 183 SNTP setting the system clock 144–146 specifying servers 145 software displaying version 105 downloading 110 version, displaying 105 SSH 243 authentication retries 245 configuring 244 downloading public keys for clients 110, 114 generating host key pair 248 server, configuring 246 timeout 247 STA 433 BPDU filter 446 BPDU flooding 455 BPDU shutdown 447 cisco-prestandard,
U unicast routing 661 unknown unicast storm, threshold 413 unregistered data flooding, IGMP snooping 525 upgrading software 110, 116 user account 210, 211 user password 210, 211 V VLANs 463–491 802.