2/28-Port Gigabit Ethernet Layer 2 Switch ECS4210-12P ECS4210-12T ECS4210-28P ECS4210-28T CLI Reference Guide Software Release v1.0.0.24 www.edge-core.
CLI Reference Guide ECS4210-12P Layer 2 Managed PoE Switch with 8 10/100/1000BASE-T (RJ-45) PoE Ports, 2 10/100/1000BASE-T (RJ-45) Ports, and 2 Gigabit SFP Uplink Ports ECS4210-12T Layer 2 Managed Switch with 8 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Uplink Ports ECS4210-28P Layer 2 Managed PoE Switch with 24 10/100/1000BASE-T (RJ-45) PoE Ports, and 4 Gigabit SFP Uplink Ports ECS4210-28T Layer 2 Managed Switch with 24 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit SFP Uplink Ports ECS4210-12P
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features. Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment. Warning: Alerts you to a potential hazard that could cause personal injury. Revision History This section summarizes the changes in each revision of this guide.
◆ Added global command "ipv6 access-group" on page 329. ◆ Added global command "mac access-group" on page 335. ◆ Added mask parameter to the command "mac-vlan" on page 496. ◆ Documented new syntax for "set cos" on page 531. ◆ Documented new syntax for "set ip dscp" on page 532. ◆ Added description for "ip igmp authentication" on page 566. April 2013 Revision This is the first version of this guide. This guide is valid for software release v1.0.0.12.
Contents Section I How to Use This Guide 3 Contents 7 Figures 33 Tables 35 Getting Started 41 1 Initial Switch Configuration Connecting to the Switch 43 Configuration Options 43 Required Connections 44 Remote Connections 45 Basic Configuration 45 Console Connection 45 Setting Passwords 46 Setting an IP Address 46 Downloading a Configuration File Referenced by a DHCP Server 53 Enabling SNMP Management Access 55 Managing System Files 57 Saving or Restoring Configuration Setti
Contents Entering Commands 65 Keywords and Arguments 65 Minimum Abbreviation 65 Command Completion 65 Getting Help on Commands 66 Partial Keyword Lookup 68 Negating the Effect of Commands 68 Using Command History 68 Understanding Command Modes 68 Exec Commands 69 Configuration Commands 69 Command Line Processing 71 CLI Command Groups 72 3 General Commands 75 prompt 75 reload (Global Configuration) 76 enable 77 quit 78 show history 78 configure 79 disable 80 reload
Contents banner configure equipment-location 89 banner configure ip-lan 89 banner configure lp-number 90 banner configure manager-info 91 banner configure mux 91 banner configure note 92 show banner 93 System Status 93 show access-list tcam-utilization 94 show memory 94 show process cpu 95 show running-config 96 show startup-config 97 show system 98 show tech-support 99 show users 100 show version 100 show watchdog 101 watchdog software 101 Frame Size 102 jumbo frame
Contents databits 115 exec-timeout 115 login 116 parity 117 password 118 password-thresh 119 silent-time 119 speed 120 stopbits 121 timeout login response 121 disconnect 122 terminal 122 show line 123 Event Logging 124 logging facility 125 logging history 125 logging host 126 logging on 127 logging trap 128 clear log 128 show log 129 show logging 130 Time 132 SNTP Commands 132 sntp client 132 sntp poll 133 sntp server 134 show sntp 134 NTP Commands 1
Contents Manual Configuration Commands 139 clock timezone 139 calendar set 140 show calendar 140 Time Range 141 time-range 141 absolute 142 periodic 143 show time-range 144 Switch Clustering 144 cluster 145 cluster commander 146 cluster ip-pool 146 cluster member 147 rcommand 148 show cluster 148 show cluster members 149 show cluster candidates 149 5 SNMP Commands 151 General SNMP Commands 153 snmp-server 153 snmp-server community 153 snmp-server contact 154 sn
Contents show snmp group 165 show snmp user 166 show snmp view 167 Notification Log Commands 167 nlm 167 snmp-server notify-filter 168 show nlm oper-status 169 show snmp notify-filter 170 Additional Trap Commands 170 memory 170 process cpu 171 6 Remote Monitoring Commands 173 rmon alarm 174 rmon event 175 rmon collection history 176 rmon collection rmon1 177 show rmon alarms 178 show rmon events 178 show rmon history 179 show rmon statistics 179 7 Authentication Comm
Contents radius-server retransmit 190 radius-server timeout 191 show radius-server 191 TACACS+ Client 192 tacacs-server host 192 tacacs-server key 193 tacacs-server port 194 tacacs-server retransmit 194 tacacs-server timeout 195 show tacacs-server 195 AAA 196 aaa accounting dot1x 196 aaa accounting exec 197 aaa accounting update 198 aaa authorization exec 199 aaa group server 200 server 200 accounting dot1x 201 accounting exec 201 authorization exec 202 show accountin
Contents ip ssh timeout 214 delete public-key 214 ip ssh crypto host-key generate 215 ip ssh crypto zeroize 216 ip ssh save host-key 216 show ip ssh 217 show public-key 217 show ssh 218 802.
Contents Management IP Filter 234 management 234 show management 235 PPPoE Intermediate Agent 236 pppoe intermediate-agent 237 pppoe intermediate-agent format-type 237 pppoe intermediate-agent port-enable 238 pppoe intermediate-agent port-format-type 239 pppoe intermediate-agent trust 240 pppoe intermediate-agent vendor-tag strip 240 clear pppoe intermediate-agent statistics 241 show pppoe intermediate-agent info 241 show pppoe intermediate-agent statistics 242 8 General Security
Contents show network-access 261 show network-access mac-address-table 262 show network-access mac-filter 263 Web Authentication 263 web-auth login-attempts 264 web-auth quiet-period 265 web-auth session-timeout 265 web-auth system-auth-control 266 web-auth 266 web-auth re-authenticate (Port) 267 web-auth re-authenticate (IP) 267 show web-auth 268 show web-auth interface 268 show web-auth summary 269 DHCP Snooping 269 ip dhcp snooping 270 ip dhcp snooping information option
Contents ip arp inspection filter 287 ip arp inspection log-buffer logs 288 ip arp inspection validate 289 ip arp inspection vlan 289 ip arp inspection limit 290 ip arp inspection trust 291 show ip arp inspection configuration 292 show ip arp inspection interface 292 show ip arp inspection log 293 show ip arp inspection statistics 293 show ip arp inspection vlan 293 Denial of Service Protection Global Protection 294 295 dos-protection 295 Protection for ICMP 296 dos-protection i
Contents dos-protection tcp syn-flood 305 dos-protection tcp syn-psh-block 305 dos-protection tcp syn-rst-scan 306 dos-protection tcp syn-urg-block 306 dos-protection tcp xmas-scan 307 Protection for UDP 307 dos-protection udp blat-block 307 dos-protection udp flood 308 dos-protection udp invalid-header-length 308 Other Protection Commands dos-protection echo-chargen 309 309 DoS Configuration Information 309 show dos-protection 309 Port Isolation 310 port-isolation 310 port-is
Contents IPv6 ACLs 327 access-list ipv6 328 ipv6 access-group 329 permit, deny (Standard IPv6 ACL) 329 permit, deny (Extended IPv6 ACL) 330 ipv6 access-group 332 show ipv6 access-group 333 show ipv6 access-list 333 MAC ACLs 334 access-list mac 334 mac access-group 335 permit, deny (MAC ACL) 336 mac access-group 338 show mac access-group 338 show mac access-list 339 ARP ACLs 339 access-list arp 339 permit, deny (ARP ACL) 340 show arp access-list 341 ACL Information 342
Contents show interfaces brief 353 show interfaces counters 353 show interfaces status 357 show interfaces transceiver 358 Cable Diagnostics 359 test cable-diagnostics 359 show cable-diagnostics 360 11 Link Aggregation Commands 363 Manual Configuration Commands 364 port channel load-balance 364 channel-group 366 Dynamic Configuration Commands 366 lacp 366 lacp admin-key (Ethernet Interface) 368 lacp port-priority 368 lacp system-priority 369 lacp admin-key (Port Channel) 37
Contents rspan destination 387 rspan remote vlan 388 no rspan session 389 show rspan 390 14 Congestion Control Commands Rate Limit Commands 391 391 rate-limit 392 Storm Control Commands 393 switchport packet-rate 393 show interfaces switchport 394 Automatic Traffic Control Commands Threshold Commands 396 399 auto-traffic-control apply-timer 399 auto-traffic-control release-timer 400 auto-traffic-control 401 auto-traffic-control action 401 auto-traffic-control alarm-clear-thresho
Contents udld aggressive 412 udld port 413 show udld 414 16 Loopback Detection Commands 417 loopback-detection 418 loopback-detection mode 418 loopback-detection recover-time 419 loopback-detection transmit-interval 420 loopback-detection release 420 show loopback-detection 421 17 Address Table Commands 423 mac-address-table action 424 mac-address-table aging-time 425 mac-address-table mac-isolation 425 mac-address-table max-mac-count 426 mac-address-table movable-static 427
Contents spanning-tree pathcost method 443 spanning-tree priority 443 spanning-tree mst configuration 444 spanning-tree system-bpdu-flooding 445 spanning-tree transmission-limit 445 max-hops 446 mst priority 446 mst vlan 447 name 448 revision 448 spanning-tree bpdu-filter 449 spanning-tree bpdu-guard 450 spanning-tree cost 451 spanning-tree edge-port 452 spanning-tree link-type 453 spanning-tree loopback-detection 454 spanning-tree loopback-detection action 454 spanning-tr
Contents switchport gvrp 468 show bridge-ext 469 show garp timer 470 show gvrp configuration 471 Editing VLAN Groups 472 vlan database 472 vlan 473 Configuring VLAN Interfaces 474 interface vlan 474 switchport acceptable-frame-types 475 switchport allowed vlan 476 switchport ingress-filtering 477 switchport mode 477 switchport native vlan 478 vlan-trunking 479 Displaying VLAN Information 480 show vlan 480 Configuring IEEE 802.
Contents Configuring MAC Based VLANs 495 mac-vlan 496 show mac-vlan 497 Configuring Voice VLANs 497 voice vlan 498 voice vlan aging 499 voice vlan mac-address 499 switchport voice vlan 500 switchport voice vlan priority 501 switchport voice vlan rule 502 switchport voice vlan security 502 show voice vlan 503 20 Class of Service Commands 505 Priority Commands (Layer 2) 505 queue mode 506 queue weight 507 switchport priority default 508 show queue mode 509 show queue weigh
Contents class 524 police flow 525 police srtcm-color 526 police trtcm-color 529 set cos 531 set ip dscp 532 set phb 533 service-policy 534 show class-map 535 show policy-map 535 show policy-map interface 536 22 Multicast Filtering Commands 537 IGMP Snooping 537 ip igmp snooping 539 ip igmp snooping proxy-reporting 540 ip igmp snooping querier 540 ip igmp snooping router-alert-option-check 541 ip igmp snooping router-port-expire-time 542 ip igmp snooping tcn-flood 542
Contents clear ip igmp snooping statistics 554 show ip igmp snooping 555 show ip igmp snooping group 556 show ip igmp snooping mrouter 557 show ip igmp snooping statistics 557 Static Multicast Routing 559 ip igmp snooping vlan mrouter IGMP Filtering and Throttling 560 561 ip igmp filter (Global Configuration) 561 ip igmp profile 562 permit, deny 563 range 563 ip igmp filter (Interface Configuration) 564 ip igmp max-groups 564 ip igmp max-groups action 565 ip igmp query-drop 566
Contents show ipv6 mld snooping group source-list 578 show ipv6 mld snooping mrouter 579 Multicast VLAN Registration 579 mvr 581 mvr associated-profile 581 mvr domain 582 mvr profile 582 mvr proxy-query-interval 583 mvr proxy-switching 584 mvr robustness-value 585 mvr source-port-mode dynamic 586 mvr upstream-source-ip 586 mvr vlan 587 mvr immediate-leave 588 mvr type 589 mvr vlan group 590 show mvr 591 show mvr associated-profile 592 show mvr interface 592 show mvr me
Contents lldp basic-tlv system-description 607 lldp basic-tlv system-name 607 lldp dot1-tlv proto-ident 608 lldp dot1-tlv proto-vid 608 lldp dot1-tlv pvid 609 lldp dot1-tlv vlan-name 609 lldp dot3-tlv link-agg 610 lldp dot3-tlv mac-phy 610 lldp dot3-tlv max-frame 611 lldp dot3-tlv poe 611 lldp med-location civic-addr 612 lldp med-notification 614 lldp med-tlv ext-poe 614 lldp med-tlv inventory 615 lldp med-tlv location 615 lldp med-tlv med-cap 616 lldp med-tlv network-policy
Contents show hosts 631 show ip mdns 631 25 DHCP Commands 633 DHCP Client 633 DHCP for IPv4 634 ip dhcp client class-id 634 ip dhcp restart client 635 DHCP for IPv6 635 ipv6 dhcp client rapid-commit vlan 635 ipv6 dhcp restart client vlan 636 show ipv6 dhcp duid 637 show ipv6 dhcp vlan 638 DHCP Relay Option 82 639 ip dhcp relay server 639 ip dhcp relay information option 640 ip dhcp relay information policy 643 show ip dhcp relay 644 26 IP Interface Commands 645 IPv4 Inte
Contents ipv6 address 657 ipv6 address autoconfig 658 ipv6 address eui-64 660 ipv6 address link-local 662 ipv6 enable 663 ipv6 mtu 664 show ipv6 default-gateway 665 show ipv6 interface 665 show ipv6 mtu 667 show ipv6 traffic 668 clear ipv6 traffic 672 ping6 672 traceroute6 674 Neighbor Discovery Section III 675 ipv6 nd dad attempts 675 ipv6 nd ns-interval 676 ipv6 nd raguard 677 ipv6 nd reachable-time 678 clear ipv6 neighbors 679 show ipv6 nd raguard 679 show ipv6 n
Figures Figure 1: Storm Control by Limiting the Traffic Rate 398 Figure 2: Storm Control by Shutting Down a Port 399 Figure 3: Configuring VLAN Trunking 479
Tables Table 1: Options 60, 66 and 67 Statements 54 Table 2: Options 55 and 124 Statements 54 Table 3: General Command Modes 68 Table 4: Configuration Command Modes 70 Table 5: Keystroke Commands 71 Table 6: Command Group Index 72 Table 7: General Commands 75 Table 8: System Management Commands 83 Table 9: Device Designation Commands 83 Table 10: Banner Commands 84 Table 11: System Status Commands 93 Table 12: show system – display description 98 Table 13: show version – display de
Tables Table 30: RMON Commands 173 Table 31: Authentication Commands 181 Table 32: User Access Commands 182 Table 33: Default Login Settings 183 Table 34: Authentication Sequence Commands 185 Table 35: RADIUS Client Commands 188 Table 36: TACACS+ Client Commands 192 Table 37: AAA Commands 196 Table 38: Web Server Commands 203 Table 39: HTTPS System Support 206 Table 40: Telnet Server Commands 207 Table 41: Secure Shell Commands 209 Table 42: show ssh - display description 218 Tabl
Tables Table 65: ARP ACL Commands 339 Table 66: ACL Information Commands 342 Table 67: Interface Commands 345 Table 68: show interfaces counters - display description 354 Table 69: Link Aggregation Commands 363 Table 70: show lacp counters - display description 372 Table 71: show lacp internal - display description 372 Table 72: show lacp neighbors - display description 373 Table 73: show lacp sysid - display description 374 Table 74: PoE Commands 375 Table 75: show power inline status
Tables Table 100: L2 Protocol Tunnel Commands 485 Table 101: Protocol-based VLAN Commands 490 Table 102: IP Subnet VLAN Commands 493 Table 103: MAC Based VLAN Commands 495 Table 104: Voice VLAN Commands 497 Table 105: Priority Commands 505 Table 106: Priority Commands (Layer 2) 505 Table 107: Priority Commands (Layer 3 and 4) 510 Table 108: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence 511 Table 109: Default Mapping of DSCP Values to Internal PHB/Drop Values 512 Table 110:
Tables Table 135: DHCP Relay Option 82 Commands 639 Table 136: IP Interface Commands 645 Table 137: IPv4 Interface Commands 645 Table 138: Basic IP Configuration Commands 646 Table 139: Address Resolution Protocol Commands 653 Table 140: IPv6 Configuration Commands 655 Table 141: show ipv6 interface - display description 666 Table 142: show ipv6 mtu - display description 667 Table 143: show ipv6 traffic - display description 669 Table 144: show ipv6 neighbors - display description 680 T
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 256 IEEE 802.
Chapter 1 | Initial Switch Configuration Basic Configuration For a description of how to use the CLI, see “Using the Command Line Interface” on page 63. For a list of all the CLI commands and detailed information on using the CLI, refer to “CLI Command Groups” on page 72. Remote Connections Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, or DHCP protocol.
3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.) 4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level. Setting Passwords If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.
◆ Auto IP — The switch randomly selects an IPv4 link-local address from the range 169.254.0.1 – 169.254.255.254. Before starting to use it, the switch tests to see if the address is already in use.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator: ◆ Prefix for this network ◆ IP address for the switch ◆ Default gateway for the network For networks that encompass several different subnets, you must define the full address, including a network prefix and the host address
Console#show ipv6 default-gateway
ipv6 default gateway: 2001:DB8:2222:7272::254
Console#
Dynamic Configuration Obtaining an IPv4 Address Using Auto IP If you select the “autoip” option, the switch randomly selects an IPv4 link-local address from 169.254.0.1~169.254.255.254. Before starting to use it, the switch tests to see if the address is already in use.
BOOTP or DHCP server. BOOTP and DHCP values can include the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is slow to respond, you may need to use the “ip dhcp restart client” command to re-start broadcasting service requests. Note that the “ip dhcp restart client” command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP.
Obtaining an IPv6 Address Link Local Address — There are several ways to configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix in the range of FE80~FEBF). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet. To generate an IPv6 link local address for the switch, complete the following steps: 1.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::212:CFFF:FE0B:4600/64
Global unicast address(es):
2001:DB8:2222:7272:2E0:CFF:FE00:FD/64, subnet is 2001:DB8:2222:7272::/64[AUTOCONFIG]
valid lifetime 2591978 preferred lifetime 604778
Joined group address(es):
FF02::1:FF00:FD
FF02::1:FF11:6700
FF02::1
MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 1.
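The link-local and autoconfigured global addresses in the output above are built from the interface MAC by the modified EUI-64 rule. The following added example (not code from the guide or from Edge-Core) derives both forms and the solicited-node group, and also recovers the embedded MAC from an address so an operator can check which device an IPv6 neighbor entry belongs to; the MACs 00:12:CF:0B:46:00 and 00:E0:0C:00:00:FD are assumed, inferred from the addresses shown.

```python
"""Derive and audit the EUI-64 style IPv6 addresses shown by "show ipv6 interface"."""
import ipaddress
from typing import Optional


def _mac_bytes(mac: str) -> bytes:
    """Accept 00:12:CF:0B:46:00 or 00-12-CF-0B-46-00 and return the six octets."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: insert FF:FE in the middle and flip the universal/local bit."""
    octets = _mac_bytes(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # the 0x02 bit of the first octet is inverted (RFC 4291, Appendix A)
    return bytes(iid)


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface identifier, compressed as the CLI prints it."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac)))


def global_from_prefix(prefix: str, mac: str) -> str:
    """Stateless autoconfig result for a /64 prefix learned from a router advertisement."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, the group the switch joins for each of its unicast addresses."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]  # last 24 bits of the address
    return str(ipaddress.IPv6Address(bytes.fromhex("ff02" + "00" * 9 + "01ff") + low24))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address (inventory check), or None."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy, random or manually assigned identifier: no MAC inside
    iid[0] ^= 0x02
    octets = bytes(iid[:3] + iid[5:])
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Assumed MACs, inferred from the addresses in the guide's sample output.
    print(link_local_from_mac("00-12-CF-0B-46-00"))
    print(global_from_prefix("2001:DB8:2222:7272::/64", "00:E0:0C:00:00:FD"))
    print(solicited_node("2001:db8:2222:7272:2e0:cff:fe00:fd"))
    print(mac_from_eui64("fe80::212:cfff:fe0b:4600"))
```

Because an EUI-64 identifier exposes the interface MAC (and therefore the vendor OUI) to every IPv6 peer on the link, `mac_from_eui64` is also a quick way to confirm that an unexpected neighbor address really belongs to managed equipment.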
To successfully transmit a bootup configuration file to the switch the DHCP daemon (using a Linux based system for this example) must be configured with the following information: ◆ Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100"; #Default Option 66
  option bootfile-name "bootfile"; #Default Option 67
}
class "Option66,67_1" { #DHCP Option 60 Vendor class
  match if option vendor-class-identifier = "ECS4210-Series.cfg";
  option tftp-server-name "192.168.255.101";
  option bootfile-name "test";
}
Note: Use “ECS4210-Series.
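The daemon configuration above works because the switch sends its vendor class in DHCP option 60 and the server answers with options 66 and 67. This added example (not code from the guide or from Edge-Core) encodes and decodes those options in their code/length/value form, reproduces the class-match decision with the values from the dhcpd.conf fragment, and adds a defender's check, my own addition rather than a switch feature, that flags a reply naming a TFTP server outside an allow-list, since whatever server a DHCP reply names is where the switch will fetch its startup configuration from.

```python
"""TLV encode/decode for DHCP options 60/66/67 and the vendor-class match from dhcpd.conf."""

# Option codes (RFC 2132) used by the switch's configuration-file download.
OPT_PAD = 0
OPT_VENDOR_CLASS = 60   # sent by the switch ("ip dhcp client class-id")
OPT_TFTP_SERVER = 66    # returned by the server: TFTP server name/address
OPT_BOOTFILE = 67       # returned by the server: configuration file name
OPT_END = 255

# Values copied from the dhcpd.conf fragment on this page.
DEFAULT_TFTP, DEFAULT_BOOTFILE = "192.168.255.100", "bootfile"
CLASS_MATCH = "ECS4210-Series.cfg"
CLASS_TFTP, CLASS_BOOTFILE = "192.168.255.101", "test"


def encode_options(options: dict) -> bytes:
    """Serialize {code: value} as code/length/value triples followed by END."""
    out = bytearray()
    for code, value in options.items():
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"option {code} cannot be encoded")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> dict:
    """Parse a TLV option field; refuse blobs whose lengths run past the buffer."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option header truncated")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} body truncated")
        opts[code] = value
        i += 2 + length
    raise ValueError("option field lacks END")


def select_boot_options(request: dict) -> dict:
    """Same decision dhcpd makes: a matching option 60 selects the class-specific 66/67."""
    vendor_class = request.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    if vendor_class == CLASS_MATCH:
        tftp, bootfile = CLASS_TFTP, CLASS_BOOTFILE
    else:
        tftp, bootfile = DEFAULT_TFTP, DEFAULT_BOOTFILE
    return {OPT_TFTP_SERVER: tftp.encode(), OPT_BOOTFILE: bootfile.encode()}


def boot_source_for(vendor_class: str) -> tuple:
    """Round trip: switch request -> server reply -> (tftp server, bootfile) the switch uses."""
    request = decode_options(encode_options({OPT_VENDOR_CLASS: vendor_class.encode()}))
    reply = decode_options(encode_options(select_boot_options(request)))
    return reply[OPT_TFTP_SERVER].decode(), reply[OPT_BOOTFILE].decode()


def unexpected_boot_source(reply: dict, allowed_tftp: set) -> bool:
    """Defender's check (added here, not a switch feature): reply points outside the allow-list?"""
    tftp = reply.get(OPT_TFTP_SERVER)
    return tftp is not None and tftp.decode("ascii", "replace") not in allowed_tftp


if __name__ == "__main__":
    print(boot_source_for("ECS4210-Series.cfg"))   # class-specific server and file
    print(boot_source_for("some-other-client"))    # subnet defaults
    # Constructed reply from a server that is not in the allow-list.
    print(unexpected_boot_source({OPT_TFTP_SERVER: b"10.9.9.9"}, {DEFAULT_TFTP, CLASS_TFTP}))
```

The same allow-list idea is what DHCP snooping (chapter 8 of this guide) enforces in hardware by dropping server replies that arrive on untrusted ports.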
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press Enter.
Chapter 1 | Initial Switch Configuration Managing System Files Configuring Access for SNMP Version 3 Clients To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB.
◆ Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test). Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
Console# To restore configuration settings from a backup server, enter the following command: 1. From the Privileged Exec mode prompt, type “copy tftp startup-config” and press Enter. 2. Enter the address of the TFTP server. Press Enter. 3. Enter the name of the startup file stored on the server. Press Enter. 4. Enter the name for the startup file on the switch. Press Enter.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “VLAN Commands” on page 465 ◆ “Class of Service Commands” on page 505 ◆ “Quality of Service Commands” on page 519 ◆ “Multicast Filtering Commands” on page 537 ◆ “LLDP Commands” on page 599 ◆ “Domain Name Service Commands” on page 623 ◆ “DHCP Commands” on page 633 ◆ “IP Interface Commands” on page 645
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1). Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands This section describes how to enter CLI commands. Keywords and Arguments A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Getting Help on Commands You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
  public-key            Public key information
  qos                   Quality of Service
  queue                 Priority queue information
  radius-server         RADIUS server information
  reload                Shows the reload settings
  rmon                  Remote Monitoring Protocol
  rspan                 Display status of the cu
  running-config
  snmp
  sntp
  spanning-tree
  ssh
  startup-config
  subnet-vlan
  system
  tacacs-server
  tech-support
  time-range
  traffic-segmentation
  udld
  upgrade
  users
  version
  vlan
  vlan-translation
  voice
  watchdog
  web-auth
Console#show
Partial Keyword Lookup If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes. Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode.
◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode. ◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation. ◆ Line Configuration - These commands modify the console port and Telnet configuration, and include command such as parity and databits.
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
Console(config)#interface ethernet 1/5
. . .
Console(config-if)#exit
Console(config)#
Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
CLI Command Groups The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)
Command Group | Description | Page
VLANs | Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling | 465
Class of Service | Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue, also sets priority for DSCP | 505
Quality of Servi
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode Global Configuration Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration) This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands disable (80) enable password (182) quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
Example In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
2 config
1 show history
Configuration command history:
4 interface vlan 1
3 exit
2 interface vlan 1
1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 68. Default Setting None Command Mode Privileged Exec Command Usage The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end This command returns to Privileged Exec mode.
Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Chapter 4 | System Management Commands
Banner Information
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host.
Table 10: Banner Commands (Continued)
Command | Function | Mode
banner configure lp-number | Configures the LP Number information that is displayed by banner | GC
banner configure manager-info | Configures the Manager contact information that is displayed by banner | GC
banner configure mux | Configures the MUX information that is displayed by banner | GC
banner configure note | Configures miscellaneous information that is displayed by banner under the
The physical location of the equipment.
City and street address: 12 Straight St. Motown, Zimbabwe
Information about this equipment:
Manufacturer: Sample Networks
ID: 123_unique_id_number
Floor: 2
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
Floor: 2
Row: 7
Rack: 25
Electrical circuit: : ec-177743209-xb
Number of LP:12
Position of the equipment in the MUX:1/23
IP LAN:192.168.1.
banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS4210-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer EdgeCore
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
show banner
This command displays all banner information.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show banner
EdgeCore
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
EdgeCore - ECS4210-28T
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.24.
System Status
Table 11: System Status Commands (Continued)
Command | Function | Mode
show version | Displays version information for the system | NE, PE
show watchdog | Shows if watchdog debugging is enabled | PE
watchdog software | Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly | PE
show access-list tcam-utilization | This command shows utilization parameters for TCAM (Ternary Content Addressable Memory),
Example
Console#show memory
 Status      Bytes       %
 ------      ----------  --
 Free        17321984    12
 Used        116895744   88
 Total       134217728
Alarm Configuration
 Rising Threshold  : 90%
 Falling Threshold : 70%
Console#
Related Commands
memory (170)

show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm configuration.
show running-config
This command displays the configuration information currently in use.
Syntax
show running-config [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-12/28)
 port-channel channel-id (Range: 1-8/12)
 vlan vlan-id (Range: 1-4094)
Command Mode
Privileged Exec
Command Usage
◆ Use the interface keyword to display configuration data for the specified interface.
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 vlan 1 name DefaultVlan media ethernet state active
!
spanning-tree mst configuration
!
interface ethernet 1/1
.
.
.
Related Commands
show running-config (96)

show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show system
System Description : Managed 24G+4GSFP Switch
System OID String  : 1.3.6.1.4.1.259.10.1.42.101
System Information
 System Up Time : 0 days, 0 hours, 5 minutes, and 21.
Table 12: show system – display description (Continued)
Parameter | Description
Telnet Server/Port | Shows administrative status of Telnet server and TCP port number.
Jumbo Frame | Shows if jumbo frames are enabled or disabled.
EEE | Enables or disables Energy Efficient Ethernet. When supported by devices on both ends of a link, each side of the link can disable portions of system functionality and save power during periods of low link utilization.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
 Boot ROM Version       : 0.0.0.1
 Operation Code Version : 1.0.0.10
Console#
Table 13: show version – display description
Parameter | Description
Serial Number | The serial number of the switch.
Hardware Version | Hardware version of the main board.
EPLD Version | Version number of Erasable Programmable Logic Device.
Number of Ports | Number of built-in ports.
Main Power Status | Displays the status of the internal power supply.
Command Mode
Privileged Exec
Example
Console#watchdog
Console#

Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
Table 14: Frame Size Commands
Command | Function | Mode
jumbo frame | Enables support for jumbo frames | GC

jumbo frame
This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
Example
Console(config)#jumbo frame
Console(config)#

File Management
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
Table 15: Flash/File Commands (Continued)
Command | Function | Mode
upgrade opcode reload | Reloads the switch automatically after the opcode upgrade is completed | GC
show upgrade | Shows the opcode upgrade configuration settings.

General Commands
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
◆ For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” in the Web Management Guide. For information on configuring the switch to use HTTPS for a secure connection, see the ip http secure-server command.
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server.
Destination file name: BLANC.BIX
Console#

delete
This command deletes a file or image.
Syntax
delete filename
filename - Name of configuration file or code image.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ If the file type is used for system startup, then this file cannot be deleted.
◆ “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ If you enter the command dir without any parameters, the system displays all files.
File information is shown below:
Table 16: File Directory Information
Column Heading | Description
File Name | The name of the file.
File Type | File types: Boot-Rom, Operation Code, and Config file.
Startup | Shows if this file is used when the system is started.
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name                        Type    Startup Modify Time         Size(bytes)
-------------------------------- ------- ------- ------------------- -----------
Unit 1:
ECS4210-series_V1.0.0.5.bix      OpCode  Y       2012-12-28 10:48:45     8924092
startup1.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
tftp://192.168.0.1[/filedir]/
◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” will be used for the connection.
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status        : Disabled
 Reload Status : Disabled
 Path          :
 File Name     : ECS4210-Series.bix
Console#

Line
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
Table 17: Line Commands (Continued)
Command | Function | Mode
terminal | Configures terminal settings, including escape-character, line length, terminal type, and width | PE
show line | Displays a terminal line's parameters | NE, PE
* These commands only apply to the serial port.

line
This command identifies a specific line for configuration, and is used to process subsequent line configuration commands.
Syntax
line {console | vty}
console - Console terminal line.
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax
databits {7 | 8}
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.
Command Usage
◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (183)
password (118)

parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
{0 | 7} - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting
No password is specified.
password-thresh
This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
Default Setting
The default value is three attempts.
Command Mode
Line Configuration
Example
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
Related Commands
password-thresh (119)

speed
This command sets the terminal line’s baud rate. It sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second.
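The interaction between password-thresh and silent-time is easier to reason about as a small state machine. The following is an added illustration, not switch firmware or vendor code: it models the documented behaviour (after the configured number of failed logons the line goes quiet for silent-time seconds) with caller-supplied timestamps, and records an audit trail of the kind a log reviewer would want. The assumption that a silent-time of 0 means "no silent period" and the constructed attempt sequence are the author's, not the page's.

```python
"""Model of the line intrusion threshold (password-thresh) and silent-time.

Added illustration, not switch firmware. After `password_thresh` consecutive
failed logons the line enters a silent period of `silent_time` seconds during
which no logon is accepted. Times are plain floats (seconds) supplied by the
caller so the model runs offline and deterministically.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LineGuard:
    password_thresh: int = 3   # CLI default: three attempts; 0 means no threshold
    silent_time: int = 0       # seconds; 0 taken to mean "silent period disabled" (assumption)
    failures: int = 0
    silent_until: float = 0.0
    audit: List[Tuple[float, str]] = field(default_factory=list)

    def is_silent(self, now: float) -> bool:
        return now < self.silent_until

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one logon attempt at time `now`.

        Returns "silenced" (line is in its silent period), "accepted",
        "rejected" (wrong password, threshold not yet reached) or
        "threshold" (this failure reached password-thresh; the silent period
        starts if silent-time is configured).
        """
        if self.is_silent(now):
            self.audit.append((now, "attempt during silent period"))
            return "silenced"
        if password_ok:
            self.failures = 0
            self.audit.append((now, "logon ok"))
            return "accepted"
        self.failures += 1
        self.audit.append((now, f"logon failed ({self.failures})"))
        if self.password_thresh and self.failures >= self.password_thresh:
            self.failures = 0
            if self.silent_time:
                self.silent_until = now + self.silent_time
                self.audit.append((now, f"silent for {self.silent_time}s"))
            return "threshold"
        return "rejected"


def simulate(guard: LineGuard, attempts) -> List[str]:
    """Run a constructed sequence of (time, password_ok) pairs through the guard."""
    return [guard.attempt(t, ok) for t, ok in attempts]


if __name__ == "__main__":
    g = LineGuard(password_thresh=3, silent_time=60)   # the values used in the CLI examples above
    # constructed sample: three bad passwords, a retry inside the silent window,
    # then a correct password once the window has elapsed
    print(simulate(g, [(0, False), (1, False), (2, False), (10, True), (70, True)]))
```

The audit list is the point for a defender: a burst of "logon failed" entries followed by "silent for 60s" on a console or VTY line is the pattern to forward to the syslog server configured with logging host.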
stopbits
This command sets the number of stop bits transmitted per byte. Use the no form to restore the default setting.
Syntax
stopbits {1 | 2}
no stopbits
1 - One stop bit
2 - Two stop bits
Default Setting
1 stop bit
Command Mode
Line Configuration
Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#

timeout login
This command sets the interval that the system waits for a user to log into the CLI.
◆ Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection.
history - The number of lines stored in the command buffer, and recalled using the arrow keys. (Range: 0-256)
length - The number of lines displayed on the screen. (Range: 0-512, where 0 means not to pause)
terminal-type - The type of terminal emulation used.
 ansi-bbs - ANSI-BBS
 vt-100 - VT-100
 vt-102 - VT-102
width - The number of character columns displayed on the terminal.
Example
To show all lines, enter this command:
Console#show line
Terminal Configuration for this session:
 Length                         : 24
 Width                          : 80
 History Size                   : 10
 Escape Character(ASCII-number) : 27
 Terminal Type                  : VT100
Console Configuration:
 Password Threshold : 3 times
 EXEC Timeout       : 600 seconds
 Login Timeout      : 300 seconds
 Silent Time        : Disabled
 Baud Rate          : 115200
 Data Bits          : 8
 Parity             : None
 Stop Bits          : 1
VTY Configuration:
 Password Threshold
 EXEC Timeout
 Login Tim
Event Logging
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
Table 19: Logging Levels (Continued)
Level | Severity Name | Description
4 | warnings | Warning conditions (e.g., return false, unexpected return)
3 | errors | Error conditions (e.g., invalid input, default used)
2 | critical | Critical conditions (e.g.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#

logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level level]
no logging trap [level]
level - One of the syslog severity levels listed in the table on page 125.
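What logging facility and logging trap level mean on the wire is the syslog PRI field, PRI = facility * 8 + severity, carried as "<PRI>" at the front of each message. The following is an added example, not code from the switch or its vendor: it decodes that field on received messages and applies the trap-level rule (only messages whose severity number is at or below the configured level are forwarded), which is how a collector can verify that the switch's filter matches what actually arrives. The sample messages are constructed, and facility 23 (local7) is just the value chosen for them, not a statement about the switch's default.

```python
"""Decode the syslog PRI field and apply a `logging trap level` filter.

Added example, not switch or vendor code. Messages sent to a remote syslog
server begin with "<PRI>", where PRI = facility * 8 + severity (RFC 3164/5424).
The switch selects the facility with `logging facility` and forwards only
messages whose severity is numerically <= the `logging trap level` value.
"""
import re
from typing import List, Tuple

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
FACILITY_NAMES = {f: f"local{f - 16}" for f in range(16, 24)}   # local0..local7

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(message: str) -> Tuple[int, int, str]:
    """Return (facility, severity, remainder) for one syslog message."""
    m = _PRI.match(message)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                        # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8, m.group(2)


def passes_trap_level(message: str, level: int) -> bool:
    """True if the message would be forwarded under `logging trap level <level>`."""
    _, severity, _ = decode_pri(message)
    return severity <= level


def filter_for_server(messages: List[str], level: int) -> List[str]:
    return [m for m in messages if passes_trap_level(m, level)]


def describe(message: str) -> str:
    fac, sev, body = decode_pri(message)
    return f"{FACILITY_NAMES.get(fac, fac)}/{SEVERITY_NAMES[sev]}: {body.strip()}"


SAMPLE = [   # constructed lines; PRI values chosen for facility local7 (23)
    "<188>Jan  1 00:01:02 Console STA: port 1/3 received inferior BPDU",   # 23*8+4 warnings
    "<187>Jan  1 00:01:03 Console TFTP: configuration download failed",    # 23*8+3 errors
    "<190>Jan  1 00:01:04 Console VLAN: vlan 1 state active",              # 23*8+6 informational
    "<185>Jan  1 00:01:05 Console AUTH: login failure threshold reached",  # 23*8+1 alerts
]

if __name__ == "__main__":
    # With `logging trap level 4` the informational line (severity 6) is dropped.
    for m in filter_for_server(SAMPLE, level=4):
        print(describe(m))
```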
Example
Console#clear log
Console#
Related Commands
show log (129)

show log
This command displays the log messages stored in local memory.
Syntax
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | trap}
flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
trap - Displays settings for the trap function.
 Remote Log Server IP Address : 0.0.0.0
Console#
Table 21: show logging trap - display description
Field | Description
Remote Log Status | Shows if remote logging has been enabled via the logging trap command.
Remote Log Facility Type | The facility type for remote logging of syslog messages as specified in the logging facility command.
Time
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Command Usage
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Related Commands
sntp client (132)

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).
Example
Console#show sntp
Current Time   : Mar 19 08:41:00 2013
Poll Interval  : 60 seconds
Current Mode   : Unicast
SNTP Status    : Enabled
SNTP Server    : 192.168.0.88
Current Server : 192.168.0.88
Console#

NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65535)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
Syntax
[no] ntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
Default Setting
Version number: 3
Command Mode
Global Configuration
Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command. The client polls all the configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
 NTP Status              : Enabled
 NTP Authenticate Status : Enabled
 Last Update NTP Server  : 192.168.0.88 Port: 123
 Last Update Time        : Mar 19 00:44:59 2013 UTC
 NTP Server 192.168.0.88 version 3 key 19
 NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885
Console#

Manual Configuration Commands
clock timezone
This command sets the time zone for the switch’s internal clock.
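The ntp authenticate, ntp authentication-key and ntp server ... key commands above configure the symmetric-key MAC defined by the NTP specification: a 4-byte key ID followed by MD5 computed over the shared key prepended to the packet. The following is an added example, not code from the switch or its vendor, showing a version 3 client request being signed and verified that way; it reuses key ID 19 from the show ntp output above, but the key value, the timestamp and the key table are constructed for the example.

```python
"""Build an NTP version 3 client packet and attach / verify its MD5 MAC.

Added example, not switch or vendor code. Per the NTP specification
(RFC 1305 / RFC 5905) the symmetric-key MAC is key_id (4 bytes) followed by
MD5(key || packet), where `key` is the shared secret configured for that ID.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

NTP_UNIX_OFFSET = 2_208_988_800      # seconds between 1900-01-01 and 1970-01-01
HEADER_LEN = 48
MAC_LEN = 4 + 16                     # key ID + MD5 digest


def ntp_timestamp(unix_time: float) -> int:
    """Convert a Unix time to the 64-bit NTP fixed-point timestamp."""
    secs = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def build_client_packet(version: int = 3, unix_time: Optional[float] = None) -> bytes:
    """48-byte NTP header for a mode-3 (client) request."""
    if unix_time is None:
        unix_time = time.time()
    li_vn_mode = (0 << 6) | (version << 3) | 3            # LI=0, version, mode 3 = client
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)    # stratum 0, poll 2^6, precision 2^-20
    head += struct.pack("!III", 0, 0, 0)                  # root delay, root dispersion, reference ID
    head += struct.pack("!QQQQ", 0, 0, 0, ntp_timestamp(unix_time))  # ref, origin, receive, transmit
    assert len(head) == HEADER_LEN
    return head


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MD5 MAC: key ID (4 bytes) + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(message: bytes, keys: Dict[int, bytes]) -> bool:
    """Check the trailing MAC against the trusted key table; False on any failure."""
    if len(message) < HEADER_LEN + MAC_LEN:
        return False                                      # unauthenticated packet
    body, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:                                       # unknown or untrusted key ID
        return False
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])         # constant-time comparison


if __name__ == "__main__":
    KEYS = {19: b"example-shared-key"}                    # constructed; the switch uses the CLI-configured key
    req = sign(build_client_packet(unix_time=1363653899.0), 19, KEYS[19])
    print(len(req), verify(req, KEYS))                    # 68 True
    tampered = req[:10] + bytes([req[10] ^ 0x01]) + req[11:]
    print(verify(tampered, KEYS))                         # False
```

Two details matter operationally: a packet with no MAC at all fails verification rather than being accepted as "unauthenticated but fine", and the key table is keyed by ID, so a response carrying an ID the switch was not configured with is rejected even if the digest would otherwise match. Note also that show ntp displays the configured key in clear text, so that output should be handled as a secret.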
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute. (Range: 0 - 59)
sec - Second. (Range: 0 - 59)
day - Day of month.
Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
absolute
This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
Syntax
absolute start hour minute day month year [end hour minute day month year]
absolute end hour minute day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
day - Day of month.
periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
show time-range
This command shows configured time ranges.
Syntax
show time-range [name]
name - Name of the time range.
Switch Clustering
Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
Example
Console(config)#cluster
Console(config)#

cluster commander
This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander.
Syntax
[no] cluster commander
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network.
Command Mode
Global Configuration
Command Usage
◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
◆ Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet.
rcommand
This command provides access to a cluster Member CLI for configuration.
Syntax
rcommand id member-id
member-id - The ID number of the Member switch. (Range: 1-36)
Command Mode
Privileged Exec
Command Usage
This command only operates through a Telnet connection to the Commander switch. Managing cluster Members using the local console CLI on the Commander is not supported.
show cluster members
This command shows the current switch cluster members.
Command Mode
Privileged Exec
Example
Console#show cluster members
Cluster Members:
ID          : 1
Role        : Active member
IP Address  : 10.254.254.2
MAC Address : 00-E0-0C-00-00-FE
Description : ECS4210-28T 24G+4GSFP
Console#

show cluster
This command shows the discovered Candidate switches in the network.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands
Table 25: SNMP Commands (Continued)
Command | Function | Mode
Notification Log Commands
nlm | Enables the specified notification log | GC
snmp-server notify-filter | Creates a notification log and specifies the target host | GC
show nlm oper-status | Shows operation status of configured notification logs | PE
show snmp notify-filter | Displays the configured notification logs | PE
ATC Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traf
General SNMP Commands
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#

snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c.
Example
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (154)

show snmp
This command can be used to check the status of SNMP communications.
SNMP Target Host Commands
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
Syntax
[no] snmp-server enable traps [authentication | link-up-down]
authentication - Keyword to issue authentication failure notifications.
link-up-down - Keyword to issue link-up or link-down notifications.
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}]
no snmp-server host host-addr
host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
Related Commands
snmp-server enable traps (156)

SNMPv3 Commands
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
Chapter 5 | SNMP Commands SNMPv3 Commands ◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID. ◆ A local engine ID that is unique to the switch is generated automatically. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 162).
Chapter 5 | SNMP Commands SNMPv3 Commands Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. ◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption. ◆ For additional information on the notification messages supported by this switch, see the table for "Supported Notification Messages" in the Web Management Guide.
Chapter 5 | SNMP Commands SNMPv3 Commands snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} no snmp-server user username {v1 | v2c | v3 | remote} username - Name of user connecting to the SNMP agent.
Chapter 5 | SNMP Commands SNMPv3 Commands ◆ Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password.
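The two points above (trailing zeroes implied in a short engine ID, and the remote agent's engine ID being folded into the authentication and privacy keys) can be seen end to end in the following added example. It is not code from the switch or from Edge-core: key derivation follows RFC 3414 (password expanded to 1 MiB, hashed, then hashed again around the engine ID), and the 26-hex-digit padding rule is this guide's description for a local engine ID, applied here as a plain string rule. Hash names are the ones the snmp-server user command accepts (md5, sha).

```python
import hashlib
from typing import Tuple

# Hash names as the snmp-server user command spells them, mapped to hashlib names.
_HASHES = {"md5": "md5", "sha": "sha1"}
ENGINE_ID_HEX_DIGITS = 26        # "0123456789" + 16 zeroes, as described for a local engine ID
_PASSWORD_EXPANSION = 1048576    # RFC 3414 A.2: the password is repeated out to 1 MiB before hashing


def normalize_engine_id(engineid: str) -> bytes:
    """Apply the guide's trailing-zero rule: a short hex string is padded to 26 hex digits."""
    s = engineid.strip().lower()
    if not (1 <= len(s) <= ENGINE_ID_HEX_DIGITS) or any(c not in "0123456789abcdef" for c in s):
        raise ValueError("engine ID must be 1-26 hexadecimal digits")
    return bytes.fromhex(s.ljust(ENGINE_ID_HEX_DIGITS, "0"))


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 bytes (RFC 3414 A.2.1 / A.2.2)."""
    if algorithm not in _HASHES:
        raise ValueError("algorithm must be md5 or sha")
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (_PASSWORD_EXPANSION // len(pw) + 1))[:_PASSWORD_EXPANSION]
    return hashlib.new(_HASHES[algorithm], expanded).digest()


def localize_key(password: str, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key an agent with this engine ID will verify digests with."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(_HASHES[algorithm], ku + engine_id + ku).digest()


def des56_privacy_key(password: str, engine_id: bytes, algorithm: str) -> Tuple[bytes, bytes]:
    """For priv des56: of the first 16 octets of the localized key, octets 1-8 are the DES key
    and octets 9-16 the pre-IV (RFC 3414 section 8.1.1.1)."""
    kul = localize_key(password, engine_id, algorithm)
    return kul[:8], kul[8:16]


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector: password "maplesyrup", engine ID 00..02 (12 octets).
    eid = bytes.fromhex("000000000000000000000002")
    print("MD5 localized:", localize_key("maplesyrup", eid, "md5").hex())
    print("SHA localized:", localize_key("maplesyrup", eid, "sha").hex())
    # Same password on a different engine ID gives an unrelated key, which is why the remote
    # engine ID must be configured before a remote user (see the command usage above).
    print("Other engine :", localize_key("maplesyrup", normalize_engine_id("0123456789"), "md5").hex())
```

Because the engine ID is part of the derivation, a captured localized key from one agent is of no use against another agent, and a remote user whose engine ID was entered wrongly will simply fail authentication: the switch and the remote agent compute different keys from the same password.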
Chapter 5 | SNMP Commands SNMPv3 Commands Examples This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Chapter 5 | SNMP Commands SNMPv3 Commands Table 27: show snmp group - display description (Continued) Field Description Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included Storage Type: permanent Row Status: active View Name: defaultview Subtree OID: 1 View Type: included Storage Type: volatile Row Status: active Console# Table 29: show snmp view - display description Field Description View Name Name of an SNMP view.
Chapter 5 | SNMP Commands Notification Log Commands Command Usage ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification log A1.
Chapter 5 | SNMP Commands Notification Log Commands ◆ If notification logging is not configured and enabled, when the switch reboots, some SNMP traps (such as warm start) cannot be logged. ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
Chapter 5 | SNMP Commands Additional Trap Commands show snmp notify-filter This command displays the configured notification logs. Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- --------------- A1 10.1.19.23 Console# Additional Trap Commands memory This command sets an SNMP trap based on configured thresholds for memory utilization.
Chapter 5 | SNMP Commands Additional Trap Commands Related Commands show memory (94) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
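The rising/falling rule described above is easy to get wrong when reimplemented in a collector or when reasoning about why an alarm did not fire twice. The following added example (not switch firmware, not Edge-core code) models one rmon alarm entry: absolute or delta sampling, the etherStatsEntry.n.n variable restriction, and the hysteresis in which a rising alarm is not generated again until a falling alarm has occurred, and vice versa. Treating the first sample as a baseline that fires nothing is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Only objects under the RMON etherStats table may be sampled (per the rmon alarm syntax above).
_VARIABLE_RE = re.compile(r"^etherStatsEntry\.\d+\.\d+$")


@dataclass
class RmonAlarm:
    """One rmon alarm entry with the rising/falling hysteresis the text describes."""
    index: int
    variable: str
    sample_type: str                 # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: Optional[int] = None
    falling_event: Optional[int] = None
    owner: str = ""
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_value: Optional[int] = field(default=None, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)

    def __post_init__(self) -> None:
        if not 1 <= self.index <= 65535:
            raise ValueError("index must be 1-65535")
        if not _VARIABLE_RE.match(self.variable):
            raise ValueError("only etherStatsEntry.n.n variables may be sampled")
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be absolute or delta")
        if self.falling_threshold >= self.rising_threshold:
            raise ValueError("falling threshold must be below rising threshold")

    def sample(self, raw: int) -> List[Tuple[str, Optional[int]]]:
        """Feed one reading; return the (kind, event-index) alarms it triggers."""
        if self.sample_type == "delta":
            if self._last_raw is None:           # a delta needs two raw readings
                self._last_raw = raw
                return []
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw

        fired: List[Tuple[str, Optional[int]]] = []
        last = self._last_value
        self._last_value = value
        if last is None:                         # first value only sets the baseline (assumption)
            return fired

        # Rising: crossed up through the threshold, and not already fired since the last falling alarm.
        if value >= self.rising_threshold and last < self.rising_threshold:
            if self._rising_armed:
                fired.append(("rising", self.rising_event))
                self._rising_armed = False
                self._falling_armed = True
        # Falling: crossed down through the threshold, and not already fired since the last rising alarm.
        elif value <= self.falling_threshold and last > self.falling_threshold:
            if self._falling_armed:
                fired.append(("falling", self.falling_event))
                self._falling_armed = False
                self._rising_armed = True
        return fired


if __name__ == "__main__":
    # Constructed sample readings: the second crossing of 50 is suppressed until 20 is reached.
    alarm = RmonAlarm(1, "etherStatsEntry.5.1", "absolute", 50, 20, rising_event=1, falling_event=2)
    for reading in (10, 60, 40, 60, 10, 60):
        print(reading, alarm.sample(reading))
```

Feeding the readings 10, 60, 40, 60, 10, 60 fires rising once at the first 60, nothing at the second 60 (the value never reached the falling threshold), falling at 10, and rising again at the last 60, which is exactly the sequence the command usage describes.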
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 7 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 113), user authentication via a remote authentication server (page 181), and host access authentication for specific ports (page 219).
Chapter 7 | Authentication Commands User Accounts and Privilege Levels ◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords.
Chapter 7 | Authentication Commands User Accounts and Privilege Levels Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords. Example This example shows how to set the access level and password for a user.
Chapter 7 | Authentication Commands Authentication Sequence Example This example sets the privilege level for the ping command to Privileged Exec. Console(config)#privilege exec level 15 ping Console(config)# show privilege This command shows the privilege level for the current user, or the privilege level for commands modified by the privilege command. Syntax show privilege [command] command - Displays the privilege level for all commands modified by the privilege command.
Chapter 7 | Authentication Commands Authentication Sequence authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command. Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable local - Use local password only. radius - Use RADIUS server password only. tacacs - Use TACACS server password.
Chapter 7 | Authentication Commands Authentication Sequence authentication login This command defines the login authentication method and precedence. Use the no form to restore the default. Syntax authentication login {[local] [radius] [tacacs]} no authentication login local - Use local password. radius - Use RADIUS server password. tacacs - Use TACACS server password. Default Setting Local Command Mode Global Configuration Command Usage ◆ RADIUS uses UDP while TACACS+ uses TCP.
Chapter 7 | Authentication Commands RADIUS Client RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
Chapter 7 | Authentication Commands RADIUS Client radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
Chapter 7 | Authentication Commands RADIUS Client Default Setting auth-port - 1812 acct-port - 1813 timeout - 5 seconds retransmit - 2 Command Mode Global Configuration Example Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green Console(config)# radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default.
Chapter 7 | Authentication Commands RADIUS Client Default Setting 2 Command Mode Global Configuration Example Console(config)#radius-server retransmit 5 Console(config)# radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 7 | Authentication Commands TACACS+ Client
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
Server 1:
Server IP Address : 192.168.1.
Authentication Port Number :
Accounting Port Number :
Retransmit Times :
Request Timeout :
Chapter 7 | Authentication Commands TACACS+ Client port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
Chapter 7 | Authentication Commands TACACS+ Client tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting 49 Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server This command sets the number of retries.
Chapter 7 | Authentication Commands TACACS+ Client tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 7 | Authentication Commands AAA AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 37: AAA Commands Command Function Mode aaa accounting dot1x Enables accounting of 802.
Chapter 7 | Authentication Commands AAA group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
Chapter 7 | Authentication Commands AAA Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Chapter 7 | Authentication Commands AAA Example Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.
Chapter 7 | Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
Chapter 7 | Authentication Commands AAA Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the aaa accounting dot1x command.
Chapter 7 | Authentication Commands AAA Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
Chapter 7 | Authentication Commands Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 7 | Authentication Commands Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
Chapter 7 | Authentication Commands Web Server ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The UDP port used for HTTPS. (Range: 1-65535) Default Setting 443 Command Mode Global Configuration Command Usage You cannot configure the HTTP and HTTPS servers to use the same port.
Chapter 7 | Authentication Commands Web Server Command Usage ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆ When you start HTTPS, the connection is established in this way: ■ The client authenticates the server using the server’s digital certificate.
Chapter 7 | Authentication Commands Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch.
Chapter 7 | Authentication Commands Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the Telnet interface.
Chapter 7 | Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 8 Console# Secure Shell This section describes the commands used to configure the SSH server.
Chapter 7 | Authentication Commands Secure Shell Table 41: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions PE show users Shows SSH users, including privilege level and public key type PE Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
Chapter 7 | Authentication Commands Secure Shell 4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
Chapter 7 | Authentication Commands Secure Shell d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated. Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Chapter 7 | Authentication Commands Secure Shell Command Mode Global Configuration Command Usage ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
Chapter 7 | Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
Chapter 7 | Authentication Commands Secure Shell Example Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). Syntax ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa – RSA (Version 1) key type. Default Setting Generates both the DSA and RSA key pairs. Command Mode Privileged Exec Command Usage ◆ The switch uses only RSA Version 1 for SSHv1.
Chapter 7 | Authentication Commands Secure Shell ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). Syntax ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. Default Setting Clears both the DSA and RSA key. Command Mode Privileged Exec Command Usage ◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Chapter 7 | Authentication Commands Secure Shell Related Commands ip ssh crypto host-key generate (215) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds; Authentication Retries : 3 Server Key Size : 768 bits Console# show public-key This command shows the public key for the specified user or for the host.
Chapter 7 | Authentication Commands Secure Shell 185490002831341625008348718449522087429212255691665655296328163516964040831 5547660664151657116381 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7
Chapter 7 | Authentication Commands 802.1X Port Authentication 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 43: 802.
Chapter 7 | Authentication Commands 802.1X Port Authentication Example This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state. Console(config)#dot1x eapol-pass-through Console(config)# dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Chapter 7 | Authentication Commands 802.1X Port Authentication Command Usage For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
Chapter 7 | Authentication Commands 802.1X Port Authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x operation-mode This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Chapter 7 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
Chapter 7 | Authentication Commands 802.1X Port Authentication connected to the network, and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked. ◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Chapter 7 | Authentication Commands 802.1X Port Authentication Default 3600 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
Chapter 7 | Authentication Commands 802.1X Port Authentication Supplicant Commands dot1x identity profile This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings. Syntax dot1x identity profile {username username | password password} no dot1x identity profile {username | password} username - Specifies the supplicant user name. (Range: 1-8 characters) password - Specifies the supplicant password.
Chapter 7 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout auth-period This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. Syntax dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.
Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout start-period This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting. Syntax dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds.
Chapter 7 | Authentication Commands 802.1X Port Authentication ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 220). ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 228). ◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: ◆ 802.
Chapter 7 | Authentication Commands 802.1X Port Authentication ◆ Backend State Machine ■ State – Current state (including request, response, success, fail, timeout, idle, initialize). ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response. ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Chapter 7 | Authentication Commands Management IP Filter Backend State Machine State : Idle Request Count : 0 Identifier(Server) : 2 Reauthentication State Machine State : Initialize Console# Management IP Filter This section describes commands used to configure IP management access to the switch.
Chapter 7 | Authentication Commands Management IP Filter Command Usage ◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager. ◆ IP address can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
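To make the filter semantics above concrete (per-service address sets, single addresses or ranges, at most five sets per service, and a logged and trapped rejection for anything else), here is an added example that models the check; it is not the switch's implementation and not Edge-core code. Treating a service with no configured sets as open to all addresses, and the exact wording of the log message, are assumptions of this example. The addresses are the constructed ones from the show output on the previous pages.

```python
import ipaddress
from typing import Dict, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

MAX_SETS_PER_SERVICE = 5               # "up to five different sets of addresses" per group
SERVICES = ("snmp", "web", "telnet")   # the three management access groups described above


class ManagementFilter:
    """Allowed source addresses for each management service."""

    def __init__(self) -> None:
        self._sets: Dict[str, List[Tuple[IPAddr, IPAddr]]] = {s: [] for s in SERVICES}

    def add(self, service: str, start: str, end: str = "") -> None:
        """Add one address set: a single address (end omitted) or an inclusive range."""
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        if len(self._sets[service]) >= MAX_SETS_PER_SERVICE:
            raise ValueError(f"at most {MAX_SETS_PER_SERVICE} address sets per service")
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end else lo
        if lo.version != hi.version or hi < lo:
            raise ValueError("range must be same address family, end >= start")
        self._sets[service].append((lo, hi))

    def check(self, service: str, client: str) -> Tuple[bool, str]:
        """Return (allowed, message). The message is what would be logged and sent as a trap."""
        addr = ipaddress.ip_address(client)
        sets = self._sets[service]
        if not sets:                       # assumption: no filter configured means unrestricted
            return True, ""
        for lo, hi in sets:
            if lo.version == addr.version and lo <= addr <= hi:
                return True, ""
        msg = (f"Management access rejected: {service} connection from {addr} "
               f"is not within a configured address set (event logged, trap sent)")
        return False, msg

    def entries(self, service: str) -> List[Tuple[str, str]]:
        """The configured sets in the Start/End form of the show management output."""
        return [(str(lo), str(hi)) for lo, hi in self._sets[service]]


def build_sample_filter() -> ManagementFilter:
    """Constructed configuration matching the SNMP-Client and TELNET-Client rows shown above."""
    f = ManagementFilter()
    for svc in ("snmp", "telnet"):
        f.add(svc, "192.168.1.19")
        f.add(svc, "192.168.1.25", "192.168.1.30")
    return f


if __name__ == "__main__":
    f = build_sample_filter()
    for svc, client in (("snmp", "192.168.1.27"), ("snmp", "192.168.1.31"), ("telnet", "::1"), ("web", "10.0.0.9")):
        print(svc, client, f.check(svc, client))
```

Note that the v6 loopback is rejected by the SNMP and Telnet filters without error even though only IPv4 sets are configured: an address of the wrong family can never fall inside a range, and the comparison is skipped rather than raising.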
Chapter 7 | Authentication Commands PPPoE Intermediate Agent
2. 192.168.1.25 192.168.1.30
SNMP-Client: Start IP address End IP address
----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
TELNET-Client: Start IP address End IP address
----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent pppoe intermediate-agent This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent Default Setting ◆ Access Node Identifier: IP address of the management interface. ◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent pppoe intermediate-agent port-format-type This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings. Syntax pppoe intermediate-agent port-format-type {circuit-id | remote-id} id-string circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent pppoe intermediate-agent trust This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode. Syntax [no] pppoe intermediate-agent trust Default Setting Untrusted Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Set any interfaces connecting the switch to a PPPoE Server as trusted.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent Example Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent vendor-tag strip Console(config-if)# clear pppoe intermediate-agent statistics This command clears statistical counters for the PPPoE Intermediate Agent. Syntax clear pppoe intermediate-agent statistics interface [interface] interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent PPPoE Intermediate Agent Admin Generic Error Message : PPPoE Discover packet too large to process. Try reducing the number of tags added. PPPoE Intermediate Agent Oper Generic Error Message : PPPoE Discover packet too large to process. Try reducing the number of tags added.
Chapter 7 | Authentication Commands PPPoE Intermediate Agent Table 46: show pppoe intermediate-agent statistics - display description Field Description PADS PPPoE Active Discovery Session-Confirmation PADT PPPoE Active Discovery Terminate Dropped Response from untrusted Response from an interface which not been configured as trusted. Request towards untrusted Request sent to an interface which not been configured as trusted. Malformed Corrupted PPPoE message.
8 General Security Measures

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.

Port Security
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.

Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
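The learning rule described above (learn until the configured maximum, then forward only frames whose source address is already in the static or dynamic table, and a maximum of zero meaning port security is off) is modelled here as an added example. It is not code from the guide or the switch firmware; the SecurePort class, the replay helper and the sample MAC addresses are this example's own constructions.

```python
"""Added example (not from the Edge-core guide): a model of port-security MAC
learning as the section above describes it. Names are this example's own."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One Ethernet port running port security.

    max_mac_count == 0 is the documented default and means port security is
    disabled: the port keeps learning and forwards every frame.
    """
    max_mac_count: int = 0
    static: set = field(default_factory=set)    # entries from mac-address-table static
    dynamic: set = field(default_factory=set)   # addresses learned from traffic
    violations: int = 0                         # frames dropped for an unknown source

    def secure_count(self) -> int:
        """CurrMacCnt: secure entries (static + dynamic) on this port."""
        return len(self.static) + len(self.dynamic)

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for an incoming frame with this source MAC."""
        src_mac = src_mac.lower()
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"                    # source already authorised on this port
        if self.max_mac_count == 0:
            self.dynamic.add(src_mac)           # security disabled: learn without limit
            return "forward"
        if self.secure_count() < self.max_mac_count:
            self.dynamic.add(src_mac)           # still below the limit: learn it
            return "forward"
        self.violations += 1                    # limit reached: unknown source is not authorised
        return "drop"


def replay(port: SecurePort, frames: list) -> list:
    """Apply a sequence of source MACs to a port and return the per-frame verdicts."""
    return [port.ingress(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed sample traffic: three hosts behind a port limited to two addresses.
    p = SecurePort(max_mac_count=2)
    frames = ["00-00-01-02-03-04", "00-00-01-02-03-05", "00-00-01-02-03-06",
              "00-00-01-02-03-04"]
    print(replay(p, frames))                 # ['forward', 'forward', 'drop', 'forward']
    print(p.secure_count(), p.violations)    # 2 1
```

Note that static entries count toward the maximum, so a port with max-mac-count 1 and one static address will not learn anything dynamically; that matches the MaxMacCnt/CurrMacCnt fields shown by show port security.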
Related Commands
show interfaces status (357)
shutdown (350)
mac-address-table static isolation (430)

show port security
This command displays port security status and the secure address count.
Syntax
show port security [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
    unit - This is unit 1.
    port - Port number.

Table 49: show port security - display description (Continued)
Field       Description
MaxMacCnt   The maximum number of addresses which can be stored in the address table for this interface (either dynamic or static).
CurrMacCnt  The current number of secure entries in the address table.

The following example shows the port security settings and number of secure addresses for a specific port.
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.

network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.

Command Mode
Global Configuration
Command Usage
◆ Specified addresses are exempt from network access authentication.
◆ This command is different from configuring static addresses with the mac-address-table static isolation command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.

network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.
Syntax
[no] network-access dynamic-qos
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.

Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.

network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1X authentication is rejected. Use the no form of this command to disable guest VLAN assignment.

network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-down action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Command Mode
Interface Configuration
Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.

◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the "Tunnel-Private-Group-ID" attribute. The VLAN list can contain multiple VLAN identifiers in the format "1u,2t,", where "u" indicates an untagged VLAN and "t" a tagged VLAN.
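The "1u,2t," list format carried in Tunnel-Private-Group-ID is small enough to parse strictly, and a strict parser is what you want on an authentication path: a RADIUS reply that is malformed should fail closed rather than land a host in an unintended VLAN. The parser below is an added example, not the guide's or the switch's code; the function names, the 1 to 4094 VLAN range and the one-untagged-VLAN rule are this example's own assumptions.

```python
"""Added example (not from the guide): a parser for the "1u,2t," VLAN list that
the Tunnel-Private-Group-ID attribute carries, as described above. Names and
the validation policy are this example's own."""
import re
from typing import List, Tuple

_ITEM = re.compile(r"^(\d+)([ut])$")   # "<vlan-id>u" (untagged) or "<vlan-id>t" (tagged)


def parse_vlan_list(attr: str) -> List[Tuple[int, bool]]:
    """Return [(vlan_id, tagged), ...] for a list such as "1u,2t,".

    Raises ValueError on anything malformed so that a bad RADIUS reply can be
    treated as an authentication failure instead of assigning a wrong VLAN
    (assumed policy; the guide does not say how the switch handles bad lists).
    """
    result: List[Tuple[int, bool]] = []
    seen = set()
    for raw in attr.split(","):
        item = raw.strip()
        if not item:                       # tolerate the trailing comma in "1u,2t,"
            continue
        m = _ITEM.match(item)
        if m is None:
            raise ValueError(f"malformed VLAN list item {item!r}")
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:           # assumed: standard 802.1Q VLAN ID range
            raise ValueError(f"VLAN ID {vid} out of range")
        if vid in seen:
            raise ValueError(f"VLAN {vid} listed more than once")
        seen.add(vid)
        result.append((vid, m.group(2) == "t"))
    if sum(1 for _, tagged in result if not tagged) > 1:
        raise ValueError("more than one untagged VLAN")   # assumed: one untagged VLAN per port
    if not result:
        raise ValueError("empty VLAN list")
    return result


def is_valid_vlan_list(attr: str) -> bool:
    """True when parse_vlan_list accepts the string, False otherwise."""
    try:
        parse_vlan_list(attr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample attribute value in the guide's format.
    print(parse_vlan_list("1u,2t,"))   # [(1, False), (2, True)]
```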
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.

clear network-access mac-address-table
Use this command to clear entries from the secure MAC address table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.

Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time                 : 1800
MAC address Aging                     : Disabled

Port                                  : 1/1
MAC Authentication                    : Disabl
MAC Authentication Intrusion action   :
MAC Authentication Maximum MAC Counts :
Maximum MAC Counts                    :
Dynamic VLAN Assignment               :
Dynamic QoS Assignment                :
MAC Filter ID                         :
Guest VLAN                            :
Link Detection                        :
Detection Mode                        :
Detection Action                      :
Console#

00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.

Example
Console#show network-access mac-address-table
---- ----------------- --------------- ---------
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.

Web Authentication
Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 185).
Note: Web authentication cannot be configured on trunk ports.

Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.

Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

Example
Console(config-if)#web-auth
Console(config-if)#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.

Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#

show web-auth
This command displays global web authentication parameters.

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
  System Auth Control : Enabled

Port  Status    Authenticated Host Count
----  --------  ------------------------
1/ 1  Disabled  0
1/ 2  Enabled   8
1/ 3  Disabled  0
1/ 4  Disabled  0
1/ 5  Disabled  0
. . .

DHCP Snooping
Table 53: DHCP Snooping Commands (Continued)
Command                        Function                                        Mode
show ip dhcp snooping          Shows the DHCP snooping configuration settings  PE
show ip dhcp snooping binding  Shows the DHCP snooping binding table entries   PE

ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.

■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
  ■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.

◆ When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets.

Command Mode
Global Configuration
Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information.

ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.

ip dhcp snooping information option circuit-id
This command enables the use of the DHCP Option 82 information circuit-id suboption. Use the no form to disable this feature.
Syntax
ip dhcp snooping information option circuit-id string string
no dhcp snooping information option circuit-id
string - An arbitrary string inserted into the circuit identifier field.

■ vlan - Tag of the VLAN which received the DHCP request.
Note that the sub-type and sub-length fields can be enabled or disabled using the ip dhcp snooping information option command.
■ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above.
Example
This example sets the DHCP Snooping Information circuit-id suboption string.

Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
ip dhcp snooping (270)
ip dhcp snooping vlan (275)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Privileged Exec
Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.

IP Source Guard
ip-address - A valid unicast IP address, including classful types A, B or C.
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12/28)
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
Table entries include a MAC address, IP address, lease time, entry type (Static-IPSG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.

ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or on source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.

sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
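The DHCP snooping processing rules for an untrusted port (server replies dropped, client DECLINE/RELEASE forwarded only with a matching binding) and the IP Source Guard lookups just described (sip versus sip-mac, and static-only matching when snooping is off) all consult the same binding table, so the two are shown together in one added example. This is not the switch's code: the Binding and BindingTable types, the function names, the sample entries and the assumption that other client messages are simply forwarded are this example's own.

```python
"""Added example (not the switch's own code): a DHCP-snooping binding table and
the two policies this chapter describes against it, namely how an untrusted
port handles DHCP messages and how IP Source Guard filters IP traffic in
'sip' and 'sip-mac' mode. Function and class names are this example's own."""
from dataclasses import dataclass
from typing import List, Optional

STATIC = "Static-IPSG-Binding"     # entry types named in the guide
DYNAMIC = "Dynamic-DHCP-Binding"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str          # e.g. "Eth 1/5"
    entry_type: str    # STATIC or DYNAMIC
    lease: int = 0     # seconds; 0 for static entries


class BindingTable:
    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def add(self, b: Binding) -> None:
        self.entries.append(b)

    def find(self, *, vlan: int, port: str, ip: Optional[str] = None,
             mac: Optional[str] = None) -> Optional[Binding]:
        """First entry matching VLAN and port plus whichever of ip/mac are given."""
        for b in self.entries:
            if (b.vlan == vlan and b.port == port
                    and (ip is None or b.ip == ip)
                    and (mac is None or b.mac.lower() == mac.lower())):
                return b
        return None


def dhcp_on_untrusted_port(table: BindingTable, msg_type: str,
                           client_mac: str, vlan: int, port: str) -> str:
    """Verdict for a DHCP message arriving on an UNTRUSTED port while snooping is
    enabled globally and on the VLAN (the case the text above spells out)."""
    if msg_type in {"OFFER", "ACK", "NAK"}:
        return "drop"            # server replies never come from an untrusted port
    if msg_type in {"DECLINE", "RELEASE"}:
        # Forward only if this client already holds a binding on this VLAN/port,
        # so a host cannot release or decline another host's lease.
        return "forward" if table.find(vlan=vlan, port=port, mac=client_mac) else "drop"
    return "forward"             # assumption: other client messages (DISCOVER, REQUEST) pass


def ip_source_guard(table: BindingTable, mode: str, snooping_enabled: bool,
                    src_ip: str, src_mac: str, vlan: int, port: str) -> str:
    """Verdict for an inbound IP packet under 'sip' or 'sip-mac' source guard."""
    mac = src_mac if mode == "sip-mac" else None     # sip mode ignores the MAC
    b = table.find(vlan=vlan, port=port, ip=src_ip, mac=mac)
    if b is None:
        return "drop"
    if not snooping_enabled and b.entry_type != STATIC:
        return "drop"            # without snooping only static IPSG bindings count
    return "forward"


if __name__ == "__main__":
    # Constructed table: the static entry from the show ip source-guard binding
    # example above plus one dynamic lease.
    t = BindingTable()
    t.add(Binding("11-22-33-44-55-66", "192.168.0.99", 1, "Eth 1/5", STATIC))
    t.add(Binding("00-00-01-02-03-05", "192.168.0.20", 1, "Eth 1/2", DYNAMIC, lease=3600))
    print(dhcp_on_untrusted_port(t, "OFFER", "00-00-01-02-03-05", 1, "Eth 1/2"))     # drop
    print(ip_source_guard(t, "sip-mac", True, "192.168.0.20",
                          "de-ad-be-ef-00-01", 1, "Eth 1/2"))                         # drop
```

The sip-mac case in the last line is the one worth remembering: a host that spoofs a neighbour's IP address from its own port passes sip filtering if it also sits behind the same port and VLAN as that lease, but not sip-mac filtering, because the MAC must match too.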
discovered by DHCP snooping and static entries set by the ip source-guard command.
Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard max-binding 1
Console(config-if)#

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.

Example
Console#show ip source-guard binding
MacAddress        IpAddress       Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.99    0          Static               1    Eth 1/5
Console#

ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets.
Table 56: ARP Inspection Commands (Continued)
Command                            Function                                                                                                                        Mode
show ip arp inspection statistics  Shows statistics about the number of ARP packets processed, or dropped for various reasons                                     PE
show ip arp inspection vlan        Shows configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and whether the DHCP Snooping database is used after ACL validation is completed  PE

ip arp inspection
This command enables ARP Inspection glo

Example
Console(config)#ip arp inspection
Console(config)#

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID.

ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.

ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses.

Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.

Default Setting
15
Command Mode
Interface Configuration (Port)
Command Usage
◆ This command only applies to untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.

show ip arp inspection
This command displays the global configuration settings for ARP Inspection.

show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- --------------
1   1    11   192.168.2.2    192.168.2.
Console#
Example
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status       ACL Name             ACL Status
-------- ---------------- -------------------- --------------------
1        disabled         sales                static
Console#

Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.

Table 57: DoS Protection Commands (Continued)
Command                                        Function                                                                               Mode
dos-protection ipv6 invalid-ip-address         Protects against attacks in which hackers replace the source or destination IP address  GC
dos-protection ipv6 invalid-source-ip-address  Protects against spoofing with an invalid IPv6 address                                  GC
Protection for TCP
dos-protection tcp blat-block                  Protects against TCP blat attacks                                                      GC
dos-protection tcp invalid-header-             Protect

Command Mode
Global Configuration
Example
Console(config)#dos-protection
Console(config)#

Protection for ICMP

dos-protection icmp flood
This command protects against flooding attacks in which large amounts of (or just over-sized) ICMP packets are sent to a host in order to attempt to crash the TCP/IP stack on the host. An ICMP flood can consist of any type of ICMP message, including smurf, ping-flood, or ping-of-death attacks.

Command Mode
Global Configuration
Example
Console(config)#dos-protection icmp nuke
Console(config)#

dos-protection icmp ping-of-death
This command protects against ping-of-death attacks in which an attacker deliberately sends an IP packet larger than the maximum length allowed by the IPv4 or IPv6 protocol, or uses fragmentation so that a packet broken down into fragments could add up to more than the allowed maximum length.

Command Mode
Global Configuration
Example
Console(config)#dos-protection icmp smurf
Console(config)#

Protection for IPv4

dos-protection ip invalid-destination-ip-address
This command protects against invalid IP destination address attacks. When a stream of such packets is received, this can indicate a denial-of-service (DoS) attempt or just a packet generator using RAW sockets on the network.

Command Usage
These packets may have any of the following attributes:
◆ Header length is less than 4 bytes
◆ Raw IP data length is less than header length * 4
Example
Console(config)#dos-protection ip invalid-header-length
Console(config)#

dos-protection ip invalid-ip-address
This command protects against attacks in which the source IP address and the destination IP address are the same.

Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
These packets may have any of the following attributes:
◆ 224.0.0.0 ≤ source IP address ≤ 240.0.0.0
◆ Source IP address is 127.*.*.*
◆ Source IP address is 255.255.255.

dos-protection ipv6 invalid-header-length
This command protects against attacks which send IP packets with an incorrect header length. Such packets are not allowed by the system, but their abundant number can cause computer crashes and other system errors.

Syntax
[no] dos-protection ip invalid-source-ip-address
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
These packets may have any of the following attributes:
◆ Source IP address is ::1
◆ Source IP address is 0xFF00::/8
Example
Console(config)#dos-protection ip invalid-source-ip-address
Console(config)#

Protection for TCP

dos-protection tcp
This command protects against attacks in which a specially crafted pa

dos-protection tcp invalid-header-length
This command protects against attacks which send TCP packets with an incorrect header length. Such packets are not allowed by the system, but their abundant number can cause computer crashes and other system errors.

dos-protection tcp syn-ack-psh-block
This command protects against attacks in which a TCP SYN/ACK/PSH message sequence is used to cause problems for some operating systems which do not acknowledge this as a valid sequence.
Syntax
[no] dos-protection syn-ack-psh-block
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
In these packets, SYN=1, ACK=1 and PSH=1.

dos-protection tcp syn-flood
This command protects against flooding attacks in which a perpetrator sends a succession of TCP synchronization requests (with or without a spoofed source IP address) to a target and never returns ACK packets. These half-open connections will bind up resources on the target, and no new connections can be made, resulting in denial of service.

dos-protection tcp syn-rst-scan
This command protects against SYN/RST-scan attacks in which a TCP SYN/RST message is used to stop an ongoing TCP session. An attacker can forge a set of Synchronize (SYN) and Reset (RST) packets in an attempt to guess a TCP sequence number within a narrow range (or TCP window) of values. Successful exploitation of this issue results in termination of the TCP session.

dos-protection tcp xmas-scan
This command protects against TCP Xmas-scan attacks in which a so-called TCP Xmas scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP Xmas scan.
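The IPv4 and TCP protection commands above each name concrete header attributes (header length thresholds, source equal to destination, reserved source ranges, SYN+ACK+PSH, and the Xmas pattern of sequence number 0 with URG, PSH and FIN). Writing those attributes as a single classifier makes the match conditions explicit and testable, which is useful when deciding which dos-protection options to enable or when building the same detections on a collector. The code is an added example, not the switch firmware; the Packet type, the dos_checks function and the reading of the truncated "255.255.255." entry as the limited broadcast address are this example's own assumptions.

```python
"""Added example (not the switch's own code): the per-packet attributes the DoS
Protection commands above describe, applied to constructed packet headers so
the match conditions can be read and tested. Names are this example's own."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Packet:
    src: str
    dst: str
    ihl: int = 5              # IPv4 IHL field: header length in 32-bit words
    total_len: int = 40       # IPv4 Total Length field, in bytes
    proto: str = "TCP"
    tcp_flags: Set[str] = field(default_factory=set)   # subset of URG ACK PSH RST SYN FIN
    seq: int = 1              # TCP sequence number


_MCAST_LOW = ipaddress.IPv4Address("224.0.0.0")
_MCAST_HIGH = ipaddress.IPv4Address("240.0.0.0")
_LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
# Assumption: the guide's truncated "255.255.255." means the limited broadcast address.
_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def dos_checks(pkt: Packet) -> List[str]:
    """Return the names of the dos-protection checks this packet would trigger."""
    hits: List[str] = []
    src = ipaddress.IPv4Address(pkt.src)

    # dos-protection ip invalid-header-length, with the thresholds as the guide
    # states them (RFC 791's real minimum is IHL=5, i.e. 20 bytes; a stricter
    # check on a collector could use that instead).
    if pkt.ihl < 4 or pkt.total_len < pkt.ihl * 4:
        hits.append("ip invalid-header-length")

    # dos-protection ip invalid-ip-address: source equals destination
    if pkt.src == pkt.dst:
        hits.append("ip invalid-ip-address")

    # dos-protection ip invalid-source-ip-address: reserved/impossible sources
    if _MCAST_LOW <= src <= _MCAST_HIGH or src in _LOOPBACK or src == _BROADCAST:
        hits.append("ip invalid-source-ip-address")

    if pkt.proto == "TCP":
        # dos-protection tcp syn-ack-psh-block: SYN=1, ACK=1 and PSH=1 together
        if {"SYN", "ACK", "PSH"} <= pkt.tcp_flags:
            hits.append("tcp syn-ack-psh-block")
        # dos-protection tcp xmas-scan: sequence number 0 with URG, PSH and FIN set
        if pkt.seq == 0 and {"URG", "PSH", "FIN"} <= pkt.tcp_flags:
            hits.append("tcp xmas-scan")
    return hits


if __name__ == "__main__":
    # Constructed sample headers, one per check.
    samples = [
        Packet("10.0.0.1", "10.0.0.2", tcp_flags={"SYN"}),                 # ordinary SYN
        Packet("10.0.0.1", "10.0.0.1"),                                    # src == dst
        Packet("127.0.0.1", "10.0.0.2"),                                   # loopback source
        Packet("10.0.0.1", "10.0.0.2", total_len=16),                      # header overruns packet
        Packet("10.0.0.1", "10.0.0.2", tcp_flags={"URG", "PSH", "FIN"}, seq=0),
    ]
    for s in samples:
        print(s.src, "->", s.dst, dos_checks(s))
```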
dos-protection udp flood
This command protects against UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. The target will determine that no application is listening at that port, and reply with an ICMP Destination Unreachable packet. It will be forced to send many ICMP packets, eventually leading it to be unreachable by other clients.

Other Protection Commands

dos-protection echo-chargen
This command protects against Echo/Chargen attacks in which the echo service repeats anything sent to it, and the chargen (character generator) service generates a continuous stream of data. When used together, they create an infinite loop and result in denial of service.

IPv6   Invalid Source IP Address       Disabled
IPv6   Invalid Destination IP Address  Disabled
TCP    Invalid Header Length           Disabled
TCP    Blat Block                      Disabled
TCP    SYN URG Block                   Disabled
TCP    SYN PSH Block                   Disabled
TCP    SYN ACK PSH Block               Disabled
TCP    XMAS Scan                       Disabled
TCP    NULL Scan                       Disabled
TCP    SYN FIN Scan                    Dis
TCP    SYN RST Scan
TCP    SYN Flood
UDP    Invalid Header Length
UDP    Blat Block
UDP    Flood
ICMP   Smurf
ICMP   Ping of death
ICMP   Nuke
ICMP   Flood
Other  Echo/chargen
Console#

Port Isolation

Example
Console(config)#port-isolation
Console(config)#

port-isolation join
This command assigns a profile to an uplink or downlink port. Use the no form to remove a profile assignment.
Syntax
[no] port-isolation join profile-id {{isolated interface} | {uplink interface}}
profile-id - Profile identifier. (Range: 1-26)
interface
  ethernet unit/port-list
    unit - Unit identifier. (Range: 1)
    port-list - One or more ports.

Example
Console(config)#port-isolation join profile 1 bridge ipv4 dhcp
Console(config)#

port-isolation profile
This command sets the traffic type or protocol type to include in a profile. Use the no form to remove a profile or to remove an attribute from a profile.

Console#

Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.

◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.

Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.

◆ A port can only be assigned to one traffic-segmentation session.
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
◆ A downlink port can only communicate with an uplink port in the same session.

show traffic-segmentation
This command displays the configured traffic segments.
9 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 9 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
Chapter 9 | Access Control Lists IPv4 ACLs ip access-group This command binds an IPv4 ACL to all ports. Use the no form to remove the binding. Syntax ip access-group acl-name in [time-range time-range-name] [counter] no ip access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range. (Range: 1-16 characters) counter – Enables counter for ACL statistics.
Chapter 9 | Access Control Lists IPv4 ACLs permit, deny (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax {permit | deny} {any | source bitmask | host source} [time-range time-range-name] no {permit | deny} {any | source bitmask | host source} any – Any source IP address. source – Source IP address.
Chapter 9 | Access Control Lists IPv4 ACLs permit, deny (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Chapter 9 | Access Control Lists IPv4 ACLs sport – Protocol source port number. (Range: 0-65535) dport – Protocol destination port number. (Range: 0-65535) port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies the flag bits in byte 14 of the TCP header, i.e. offset 13 counting from zero, where FIN=1, SYN=2, RST=4, PSH=8, ACK=16 and URG=32. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. (Range: 0-63) vid – VLAN ID.
Chapter 9 | Access Control Lists IPv4 ACLs For example, use the code value and mask below to catch packets with the following flags set: ■ SYN flag valid, use “control-code 2 2” ■ Both SYN and ACK valid, use “control-code 18 18” ■ SYN valid and ACK invalid, use “control-code 2 18” Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule is matched when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (10.7.1.2 & 255.255.
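The two matching tests described above, the subnet-style bitmask (1 bits are compared, the inverse of an IOS wildcard mask) and the TCP control-code/flag-bitmask pair, can be checked offline before a rule is committed to a port. The following Python model is an added example written during editing; it is not part of this manual or of the switch firmware. The Rule and Packet classes, the first-match evaluator with an implicit deny at the end of the list, and the sample UPLINK_ACL are illustrative assumptions, and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# TCP control-flag bit values: the 6-bit field that the control-code and
# flag-bitmask operands (range 0-63) address.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


@dataclass
class Packet:
    src: str                 # source IPv4 address
    proto: int = 6           # IP protocol number; 6 = TCP, 17 = UDP
    dport: int = 0
    tcp_flags: int = 0       # value of the 6-bit TCP control field


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    src: str = "any"                     # source address or "any"
    src_mask: str = "0.0.0.0"            # subnet-style bitmask: 1 bits must match
    proto: Optional[int] = None
    dport: Optional[int] = None
    control_code: Optional[int] = None   # required value of the masked flag bits
    flag_bitmask: Optional[int] = None   # which flag bits are examined (set with control_code)


def addr_matches(addr: str, rule_addr: str, mask: str) -> bool:
    """(addr & mask) == (rule_addr & mask), the test the 10.7.1.x example describes."""
    if rule_addr == "any":
        return True
    m = int(IPv4Address(mask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(rule_addr)) & m)


def flags_match(flags: int, control_code: int, flag_bitmask: int) -> bool:
    """Every bit set in flag_bitmask must have the value it has in control_code."""
    return (flags & flag_bitmask) == (control_code & flag_bitmask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not addr_matches(pkt.src, rule.src, rule.src_mask):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.control_code is not None:
        # Flag tests only apply to TCP; a non-TCP packet never matches them.
        if pkt.proto != 6 or not flags_match(pkt.tcp_flags, rule.control_code, rule.flag_bitmask):
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped (assumed implicit deny)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def classify(acl: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(acl, p) for p in packets]


# Constructed ingress ACL for an uplink port: hosts in 10.7.1.0/24 are trusted,
# inbound TCP connection attempts (SYN set, ACK clear: "control-code 2 18") are
# dropped, and packets of established sessions (ACK set: code 16, mask 16) pass.
UPLINK_ACL = [
    Rule("permit", src="10.7.1.0", src_mask="255.255.255.0"),
    Rule("deny", proto=6, control_code=SYN, flag_bitmask=SYN | ACK),
    Rule("permit", proto=6, control_code=ACK, flag_bitmask=ACK),
]


if __name__ == "__main__":
    samples = [
        Packet("10.7.1.2", tcp_flags=SYN),          # trusted subnet, new connection
        Packet("192.0.2.9", tcp_flags=SYN),         # outside, new connection
        Packet("192.0.2.9", tcp_flags=SYN | ACK),   # outside, reply to a SYN we sent
        Packet("192.0.2.9", tcp_flags=ACK | PSH),   # outside, established data
        Packet("192.0.2.9", proto=17, dport=53),    # outside, UDP: no rule matches
    ]
    for pkt, verdict in zip(samples, classify(UPLINK_ACL, samples)):
        print(f"{verdict:6} {pkt}")
```

The deny rule shows why the mask matters: code 2 with mask 18 rejects a bare SYN but lets a SYN/ACK through, so only connection attempts from outside the trusted subnet are dropped. The UDP packet is dropped by the assumed implicit deny, which is the usual reason an "established only" list on an uplink also needs explicit permits for DNS and similar UDP traffic.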
Chapter 9 | Access Control Lists IPv4 ACLs ip access-group This command binds an IPv4 ACL to a port. Use the no form to remove the port. Syntax ip access-group acl-name {in | out} [time-range time-range-name] [counter] no ip access-group acl-name {in | out} acl-name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. out – Indicates that this list applies to egress packets. time-range-name - Name of the time range.
Chapter 9 | Access Control Lists IPv6 ACLs Related Commands ip access-group (326) show ip access-list This command displays the rules for configured IPv4 ACLs. Syntax show ip access-list {standard | extended} [acl-name] standard – Specifies a standard IP ACL. extended – Specifies an extended IP ACL. acl-name – Name of the ACL. (Maximum length: 16 characters) Command Mode Privileged Exec Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.
Chapter 9 | Access Control Lists IPv6 ACLs Table 63: IPv6 ACL Commands (Continued) Command Function Mode show ipv6 access-group Shows port assignments for IPv6 ACLs PE show ipv6 access-list Displays the rules for configured IPv6 ACLs PE access-list ipv6 This command adds an IPv6 access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL.
Chapter 9 | Access Control Lists IPv6 ACLs ipv6 access-group This command binds all ports to an IPv6 ACL. Use the no form to remove the binding. Syntax ipv6 access-group acl-name in [time-range time-range-name] [counter] no ipv6 access-group acl-name in acl-name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. time-range-name - Name of the time range. (Range: 1-16 characters) counter – Enables counter for ACL statistics.
Chapter 9 | Access Control Lists IPv6 ACLs source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e.
Chapter 9 | Access Control Lists IPv6 ACLs any – Any IP address (an abbreviation for the IPv6 prefix ::/0). host – Keyword followed by a specific source IP address. source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Chapter 9 | Access Control Lists IPv6 ACLs Example This example accepts any incoming packets if the destination address falls within the prefix 2009:DB9:2229::79/8. Note that only the first 8 bits of the address are compared, so this rule matches every destination in 2000::/8, not just the host 2009:DB9:2229::79; to match a single address, use the host keyword or a /128 prefix length.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.
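Because the switch compares only the first prefix-length bits of an address/prefix-length operand, an entry such as 2009:DB9:2229::79/8 is far wider than it looks. The following Python audit is an added example written during editing, not part of this manual or the switch software; it computes the network each operand really selects and flags operands whose written address has bits set beyond the prefix length, which almost always means the prefix length is a typo. The operand list is constructed from the examples on this page.

```python
from ipaddress import IPv6Address, IPv6Network, ip_network
from typing import List, Optional, Tuple

Finding = Tuple[str, IPv6Network, Optional[str]]   # (operand, effective network, warning)


def effective_network(entry: str) -> IPv6Network:
    """The network an 'address/prefix-length' operand actually selects: only the
    first prefix-length bits are compared, so host bits are discarded."""
    return ip_network(entry, strict=False)


def covers(entry: str, address: str) -> bool:
    """Would a rule written with this operand match the given destination?"""
    return IPv6Address(address) in effective_network(entry)


def audit_entries(entries: List[str]) -> List[Finding]:
    """Warn about operands whose written address is not aligned to its prefix."""
    findings: List[Finding] = []
    for entry in entries:
        net = effective_network(entry)
        written = IPv6Address(entry.split("/")[0])
        warning = None
        if written != net.network_address:
            warning = (f"{entry} selects {net} ({net.num_addresses} addresses); "
                       f"bits after /{net.prefixlen} are ignored")
        findings.append((entry, net, warning))
    return findings


if __name__ == "__main__":
    # Constructed operands: the two from this page plus a correctly aligned /64.
    for entry, net, warning in audit_entries(
            ["2009:DB9:2229::79/8", "2009:DB9:2229::79/48", "2009:DB9:2229:5::/64"]):
        print(f"{entry:24} -> {net}  {warning or 'ok'}")
    # An unrelated global unicast address is still matched by the /8 operand.
    print(covers("2009:DB9:2229::79/8", "2001:db8::1"))
```

Run the audit against the rules of show ipv6 access-list output before binding a list to a port; an operand that selects 2000::/8 on a permit line effectively disables the list for global unicast traffic.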
Chapter 9 | Access Control Lists IPv6 ACLs Command Usage If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#interface ethernet 1/2 Console(config-if)#ipv6 access-group standard david in Console(config-if)# Related Commands show ipv6 access-list (333) Time Range (141) show ipv6 access-group This command shows the ports assigned to IPv6 ACLs.
Chapter 9 | Access Control Lists MAC ACLs Example Console#show ipv6 access-list standard IPv6 standard access-list david: permit host 2009:DB9:2229::79 permit 2009:DB9:2229:5::/64 Console# Related Commands permit, deny (Standard IPv6 ACL) (329) permit, deny (Extended IPv6 ACL) (330) ipv6 access-group (332) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
Chapter 9 | Access Control Lists MAC ACLs Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ A MAC ACL can contain up to 45 rules.
Chapter 9 | Access Control Lists MAC ACLs Related Commands show mac access-group (338) Time Range (141) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
Chapter 9 | Access Control Lists MAC ACLs eth2 – Ethernet II packets. llc-other – LLC and other packets. snap – SNAP packets. any – Any MAC source or destination address. host – A specific MAC address. source – Source MAC address. destination – Destination MAC address range with bitmask. address-bitmask – Bitmask for MAC address (in hexadecimal format). vid – VLAN ID. (Range: 1-4094) vid-bitmask – VLAN bitmask. (Range: 1-4095) protocol – A specific Ethernet protocol number. (Range: 0-ffff hex.
Chapter 9 | Access Control Lists MAC ACLs mac access-group This command binds a MAC ACL to a port. Use the no form to remove the port. Syntax mac access-group acl-name {in | out} [time-range time-range-name] [counter] acl-name – Name of the ACL. (Maximum length: 16 characters) in – Indicates that this list applies to ingress packets. out – Indicates that this list applies to egress packets. time-range-name - Name of the time range. (Range: 1-30 characters) counter – Enables counter for ACL statistics.
Chapter 9 | Access Control Lists ARP ACLs show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl-name] acl-name – Name of the ACL.
Chapter 9 | Access Control Lists ARP ACLs Default Setting None Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ARP ACL can contain up to 119 rules.
Chapter 9 | Access Control Lists ARP ACLs ip-address-bitmask – IPv4 number representing the address bits to match. source-mac – Source MAC address. destination-mac – Destination MAC address range with bitmask. mac-address-bitmask – Bitmask for MAC address (in hexadecimal format). log - Logs a packet when it matches the access control entry. Default Setting None Command Mode ARP ACL Command Usage New rules are added to the end of the list.
Chapter 9 | Access Control Lists ACL Information Related Commands permit, deny (340) ACL Information This section describes commands used to display ACL information. Table 66: ACL Information Commands Command Function Mode clear access-list hardware counters Clears hit counter for rules in all ACLs, or in a specified ACL.
Chapter 9 | Access Control Lists ACL Information show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]] arp – Shows ingress or egress rules for ARP ACLs. hardware counters – Shows statistics for all ACLs. ip extended – Shows ingress or egress rules for Extended IPv4 ACLs.
10 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 10 | Interface Commands Interface Configuration Interface Configuration interface This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Syntax [no] interface interface-list interface-list – One or more ports. Use a hyphen to indicate a consecutive list of ports or a comma between non-consecutive ports. ethernet unit/port-list unit - Unit identifier.
Chapter 10 | Interface Commands Interface Configuration Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface. Example The following example adds an alias to port 4.
Chapter 10 | Interface Commands Interface Configuration ◆ When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to include 100half and 100full.
Chapter 10 | Interface Commands Interface Configuration flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Chapter 10 | Interface Commands Interface Configuration negotiation This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. Syntax [no] negotiation Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Chapter 10 | Interface Commands Interface Configuration Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. Example The following example disables port 5.
Chapter 10 | Interface Commands Interface Configuration ◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/ duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface. Example The following example configures port 5 to 100 Mbps, half-duplex operation.
Chapter 10 | Interface Commands Interface Configuration show interfaces brief This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
Chapter 10 | Interface Commands Interface Configuration
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Recei
Chapter 10 | Interface Commands Interface Configuration Table 68: show interfaces counters - display description (Continued) Parameter Description Unicast Input The number of subnetwork-unicast packets delivered to a higher-layer protocol. Unicast Output The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Chapter 10 | Interface Commands Interface Configuration Table 68: show interfaces counters - display description (Continued) Parameter Description Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode. Internal MAC Transmit Errors A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
Chapter 10 | Interface Commands Interface Configuration Table 68: show interfaces counters - display description (Continued) Parameter Description 64 Octets The total number of packets (including bad packets) received and transmitted that were exactly 64 octets in length (excluding framing bits but including FCS octets).
Chapter 10 | Interface Commands Interface Configuration Example
Console#show interfaces status ethernet 1/21
Information of Eth 1/21
 Basic Information:
  Port Type : 1000BASE-T
  MAC Address : 00-00-00-00-00-17
 Configuration:
  Name :
  Port Admin : Up
  Speed-duplex : Auto
  Capabilities : 10half, 10full, 100half, 100full, 1000full
  Broadcast Storm : Enabled
  Broadcast Storm Limit : 64 Kbits/second
  Multicast Storm : Disabled
  Multicast Storm Limit : 64 Kbits/second
  Unknown Unicast Storm : Disabled
  Unknown Unicast Storm
Chapter 10 | Interface Commands Cable Diagnostics devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, and received optical power.
Chapter 10 | Interface Commands Cable Diagnostics ◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length of each cable pair.
Chapter 10 | Interface Commands Cable Diagnostics Example
Console#show cable-diagnostics interface ethernet 1/23
Port     Type Link Status Pair A (meters) Pair B (meters) Pair C (meters) Pair D (meters) Last Update
-------- ---- ----------- --------------- --------------- --------------- --------------- -------------------
Eth 1/ 1 GE   Up          OK (1)          OK (1)          OK (1)          OK (1)          2012-12-28 11:45:57
Console#
11 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
Chapter 11 | Link Aggregation Commands Manual Configuration Commands ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types. ◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
Chapter 11 | Link Aggregation Commands Manual Configuration Commands Default Setting src-dst-ip Command Mode Global Configuration Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands channel-group This command adds a port to a trunk. Use the no form to remove a port from a trunk. Syntax channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-8/12) Default Setting The current port will be added to this trunk. Command Mode Interface Configuration (Ethernet) Command Usage When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands Command Usage ◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key This command configures a port's LACP administration key. Use the no form to (Ethernet Interface) restore the default setting. Syntax lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side an aggregate link. partner - The remote side of an aggregate link. key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands partner - The remote side of an aggregate link. priority - LACP port priority is used to select a backup link. (Range: 0-65535) Default Setting 32768 Command Mode Interface Configuration (Ethernet) Command Usage ◆ Setting a lower value indicates a higher effective priority. ◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link.
Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands Default Setting 32768 Command Mode Interface Configuration (Ethernet) Command Usage ◆ Port must be configured with the same system priority to join the same LAG. ◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
Chapter 11 | Link Aggregation Commands Trunk Status Display Commands same value as the port admin key (lacp admin key - Ethernet Interface) used by the interfaces that joined the group. Note that when the LAG is no longer used, the port channel admin key is reset to 0. Example Console(config)#interface port-channel 1 Console(config-if)#lacp admin-key 3 Console(config-if)# Trunk Status Display Commands show lacp This command displays LACP information.
Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Table 70: show lacp counters - display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group. Marker Received Number of valid Marker PDUs received by this channel group.
Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Table 71: show lacp internal - display description (Continued) Field Description Admin State, Oper State (continued) ◆ Synchronization – The System considers this link to be IN_SYNC; i.e.
Chapter 11 | Link Aggregation Commands Trunk Status Display Commands
Console#show lacp sysid
Port Channel  System Priority  System MAC Address
-------------------------------------------------------------------------
1             32768            00-30-F1-8F-2C-A7
2             32768            00-30-F1-8F-2C-A7
3             32768            00-30-F1-8F-2C-A7
4             32768            00-30-F1-8F-2C-A7
5             32768            00-30-F1-8F-2C-A7
6             32768            00-30-F1-8F-2C-A7
7             32768            00-30-F1-D4-73-A0
8             32768            00-30-F1-D4-73-A0
9             32768            00-30-F1-D4-73-A0
10            32768            00-30-F1-D4-73-A0
11            32768            00-30-F1-D4-73-A0
12            32768            0
12 Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-8 on the ECS4210-12P and 1-24 on the ECS4210-28P. The switch’s power management allows individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
Chapter 12 | Power over Ethernet Commands Command Usage ◆ The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device. When the power inline compatible command is used, this switch can detect IEEE 802.3af or 802.
Chapter 12 | Power over Ethernet Commands Command Usage ◆ The switch only provides power to the Gigabit Ethernet copper-media ports. ◆ When detection is enabled for PoE-compliant devices, power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the port’s power budget or the switch’s power budget. ◆ Use the power inline priority command to set the priority for power supplied to specific ports.
Chapter 12 | Power over Ethernet Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline maximum allocation 8000 Console(config-if)# power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port.
Chapter 12 | Power over Ethernet Commands ◆ If a device is connected to a switch port after bootup and the switch detects that it requires more than the power budget set for the port or for the overall switch, no power is supplied to the device regardless of its priority setting. Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline priority 2 Console(config-if)# show power inline This command displays the current power status for all ports or for specific ports.
Chapter 12 | Power over Ethernet Commands Table 75: show power inline status - display description (Continued) Field Description Power (mWatt) The maximum power allocated to this port (see power inline maximum allocation) Power (used) The current power consumption on the port in milliwatts Priority The port’s power priority setting (see power inline priority) show power Use this command to display the current power status for the switch.
13 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands rx - Mirror received packets. tx - Mirror transmitted packets. both - Mirror both received and transmitted packets. vlan-id - VLAN ID (Range: 1-4094) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters) Default Setting No mirror session is defined.
Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands ◆ You can create multiple mirror sessions, but all sessions must share the same destination port. ◆ The destination port cannot be a trunk or trunk member port. ◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: 1. Use the access-list command (page 319) to add an ACL. 2. Use the matching access-group command (ip, ipv6 or mac) to bind the ACL to the port whose traffic is to be mirrored. 3.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it. ◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Example The following example configures the switch to mirror received packets from port 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic (a port already used as a source for the session, such as port 2 in the preceding example, cannot also be its destination): Console(config)#rspan session 1 destination interface ethernet 1/4 Console(config)# rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. ◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
14 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 80: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 14 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in Kbps.
Chapter 14 | Congestion Control Commands Storm Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Chapter 14 | Congestion Control Commands Storm Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port.
Chapter 14 | Congestion Control Commands Storm Control Commands Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the configuration setting for port 21.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Table 83: show interfaces switchport - display description (Continued) Field Description Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only (page 475). Native VLAN Indicates the default Port VLAN ID (page 478). Priority for Untagged Traffic Indicates the default priority for untagged frames (page 508).
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Table 84: ATC Commands (Continued)
Command | Function | Mode
auto-traffic-control auto-control-release | Automatically releases a control response | IC (Port)
auto-traffic-control control-release | Manually releases a control response | IC (Port)
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
sn
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Figure 2: Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port. Functional Limitations Automatic storm control is a software level control function.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmpserver enable port-traps atc multicast-control-apply command. Example This example sets the apply timer to 200 seconds for all ports.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled. Default Setting rate-control Command Mode Interface Configuration (Ethernet) Command Usage ◆ When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage ◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarmclear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command manually releases a control response. control-release Syntax auto-traffic-control {broadcast | multicast} control-release broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server This command sends a trap when broadcast traffic exceeds the upper threshold for enable port-traps atc automatic storm control. Use the no form to disable this trap.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server This command sends a trap when broadcast traffic falls beneath the lower enable port-traps atc threshold after a storm control response has been triggered and the release timer broadcast-control- expires. Use the no form to disable this trap.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server This command sends a trap when multicast traffic exceeds the upper threshold for enable port-traps atc automatic storm control. Use the no form to disable this trap.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands snmp-server This command sends a trap when multicast traffic falls beneath the lower threshold enable port-traps atc after a storm control response has been triggered and the release timer expires. multicast-control- Use the no form to disable this trap.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands show auto-traffic- This command shows interface configuration settings and storm control status for control interface the specified port. Syntax show auto-traffic-control interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
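The apply and release sequence that the auto-traffic-control commands above describe (alarm-fire trap, apply timer, control action, alarm-clear trap, release timer, control release), modelled as an added example; this is not code from the Edge-core guide, and the class and method names and the sample traffic trace are constructed, with thresholds in kilo-packets per second and timers in seconds as the commands use them.

```python
"""Model of the ATC response sequence: alarm-fire, apply timer, control
action, alarm-clear, release timer, control release.

Added example, not code from the Edge-core guide. Class and method names and
the sample trace are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AtcPort:
    upper_kpps: int = 128         # alarm-fire threshold
    lower_kpps: int = 128         # alarm-clear threshold (guide default 128)
    apply_timer: int = 300        # seconds above upper before the action is applied
    release_timer: int = 900      # seconds below lower before automatic release
    action: str = "rate-control"  # "rate-control" (default) or "shutdown"
    auto_release: bool = True     # auto-traffic-control auto-control-release
    alarm: bool = False
    controlled: bool = False
    admin_down: bool = False
    above_since: Optional[int] = None
    below_since: Optional[int] = None
    traps: List[str] = field(default_factory=list)

    def observe(self, t: int, kind: str, kpps: int) -> None:
        """Feed one per-second rate sample; kind is 'broadcast' or 'multicast'."""
        if kpps > self.upper_kpps:
            self.below_since = None
            if self.above_since is None:
                self.above_since = t
            if not self.alarm:
                self.alarm = True
                self.traps.append(f"{t}: atc {kind}-alarm-fire")
            elif not self.controlled and t - self.above_since >= self.apply_timer:
                # apply timer expired: trigger the configured control response
                self.controlled = True
                if self.action == "shutdown":
                    self.admin_down = True
                self.traps.append(f"{t}: atc {kind}-control-apply ({self.action})")
        elif kpps < self.lower_kpps:
            self.above_since = None
            if self.below_since is None:
                self.below_since = t
                if self.alarm:
                    self.alarm = False
                    self.traps.append(f"{t}: atc {kind}-alarm-clear")
            elif (self.controlled and self.auto_release and not self.admin_down
                  and t - self.below_since >= self.release_timer):
                # release timer expired: rate-control is lifted automatically;
                # a port shut down by ATC is never released this way
                self.controlled = False
                self.traps.append(f"{t}: atc {kind}-control-release")

    def control_release(self) -> bool:
        """auto-traffic-control {broadcast | multicast} control-release: manual
        release. Returns True if a response was active. A port that was shut
        down stays administratively down until an operator re-enables it."""
        was_active = self.controlled
        self.controlled = False
        return was_active


def run_trace(port: AtcPort, kind: str, samples: List[int]) -> List[str]:
    """Replay a constructed list of per-second kpps samples and return the traps."""
    for t, kpps in enumerate(samples):
        port.observe(t, kind, kpps)
    return port.traps


if __name__ == "__main__":
    # Constructed storm: 3 s above threshold, then quiet; short timers for the demo.
    demo = AtcPort(apply_timer=2, release_timer=3)
    for line in run_trace(demo, "broadcast", [200, 200, 200, 50, 50, 50, 50]):
        print(line)
```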
15 UniDirectional Link Detection Commands The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Chapter 15 | UniDirectional Link Detection Commands If the link is deemed anything other than bidirectional at the end of the detection phase, this curve becomes a flat line with a fixed value of Mfast (7 seconds). If the link is instead deemed bidirectional, the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady-state transmissions. Mslow is the value configured by this command.
this mode is optional and is recommended only in certain scenarios (typically only on point-to-point links where no communication failure between two neighbors is admissible). Example This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#
udld port This command enables UDLD on an interface. Use the no form to disable UDLD on an interface.
show udld This command shows UDLD configuration settings and operational status for the switch or for a specified interface. Syntax show udld [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Table 86: show udld - display description (Continued)
Field - Description
Port State - Shows the UDLD port state (Unknown, Bidirectional, Unidirectional, Transmit-to-receive loop, Mismatch with neighbor state reported, Neighbor's echo is empty). The state is Unknown if the link is down or not connected to a UDLD-capable device. The state is Bidirectional if the link has a normal two-way connection to a UDLD-capable device.
16 Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 16 | Loopback Detection Commands loopback-detection This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Disabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Usage ◆ When using vlan-based mode, loopback detection control frames are untagged or tagged depending on the port’s VLAN membership type. ◆ When using vlan-based mode, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command. The port’s original setting for ingress filtering will be restored when loopback detection is disabled.
Example
Console(config)#loopback-detection recover-time 120
Console(config-if)#
loopback-detection transmit-interval This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting. Syntax loopback-detection transmit-interval seconds [no] loopback-detection transmit-interval seconds - The transmission interval for loopback detection control frames.
show loopback-detection This command shows loopback detection configuration settings for the switch or for a specified interface. Syntax show loopback-detection [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
17 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 17 | Address Table Commands mac-address-table action This command sends a trap if an ingress packet violates the configured settings for the mac-address-table max-mac-count, mac-address-table movable-static, or mac-address-table sticky-dynamic functions. Use the no form to disable a trap.
mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time. Syntax mac-address-table aging-time seconds no mac-address-table aging-time seconds - Aging time. (Range: 6-7200 seconds; 0 to disable aging) Default Setting 300 seconds Command Mode Global Configuration Command Usage The aging time is used to age out dynamically learned forwarding information.
Example
Console(config)#mac-address-table mac-isolation
Console(config)#
mac-address-table max-mac-count This command sets the maximum number of MAC addresses which can be learned on an interface. Use the no form to restore the default setting. Syntax mac-address-table max-mac-count count {interface interface | vlan vlan-id} count - The maximum number of MAC addresses which can be learned on an interface.
mac-address-table movable-static This command specifies an interface to which a static MAC address can be moved. Use the no form to prevent static MAC addresses from being moved to an interface. Syntax mac-address-table movable-static {interface interface | vlan vlan-id} interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Example
Console(config)#mac-address-table static 00-01-02-03-04-05 interface ethernet 1/1 vlan 1
Console(config)#mac-address-table movable-static interface ethernet 1/1
Console(config)#
mac-address-table static This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, to be deleted on reset, or movable-static. Use the no form to remove an address.
◆ Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table. ◆ A static address cannot be learned on another port until the address is removed with the no form of this command.
Example
Console(config)#mac-address-table sticky-dynamic interface ethernet 1/3
Console(config)#
mac-address-table static isolation This command maps a static address to a port in a VLAN, and sets the isolation mode. Syntax mac-address-table static mac-address interface interface vlan vlan-id isolation {community-1 | community-2 | isolated | promiscuous} mac-address - MAC address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
◆ The MAC address isolation profiles defined by this command only take effect when MAC isolation is enabled globally by the mac-address-table mac-isolation command. ◆ If the MAC address for a packet is found during source address lookup and an isolation profile is assigned to that address, then that profile is used as the source address isolation profile.
show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] mac-address - MAC address. mask - Bits to match in the address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Eth 1/ 2 00-E0-29-94-34-64 1 Learn Delete on Timeout NA
Console#
show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example
Console#show mac-address-table aging-time
Aging Status : Enabled
Aging Time: 300 sec.
show mac-address-table max-mac-count This command shows the maximum number of MAC addresses which can be learned on an interface. Syntax show mac-address-table max-mac-count [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Command Mode Privileged Exec Example
Console#show mac-address-table movable-static
Interface Movable Static MAC Movable Static Action
--------- ------------------ --------------------
Eth 1/ 1 Disabled None
Eth 1/ 2 Enabled None
Eth 1/ 3 Enabled None
Eth 1/ 4 Enabled None
Eth 1/ 5 Enabled None
. . .
show mac-address- This command shows the sticky-dynamic configuration settings.
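The learning rules the address-table commands above describe (max-mac-count, static addresses bound to their interface, movable-static interfaces, and the violations mac-address-table action reports), modelled as an added example; this is not code from the Edge-core guide, and the class, result strings and sample addresses are constructed.

```python
"""Model of the address-table learning rules: max-mac-count, static
addresses bound to an interface, and movable-static interfaces, with the
violations that mac-address-table action would report as a trap.

Added example, not code from the Edge-core guide; the class, the result
strings and the sample addresses are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Mac = str              # "00-01-02-03-04-05" as the switch prints it
Iface = str            # "Eth 1/1"
Key = Tuple[Mac, int]  # (mac, vlan)


@dataclass
class AddressTable:
    # mac-address-table max-mac-count <count> interface <iface>
    max_mac_count: Dict[Iface, int] = field(default_factory=dict)
    # mac-address-table movable-static interface <iface>
    movable_static: Set[Iface] = field(default_factory=set)
    static: Dict[Key, Iface] = field(default_factory=dict)
    dynamic: Dict[Key, Iface] = field(default_factory=dict)
    traps: List[str] = field(default_factory=list)

    def add_static(self, mac: Mac, vlan: int, iface: Iface) -> None:
        """mac-address-table static <mac> interface <iface> vlan <vlan>"""
        self.static[(mac, vlan)] = iface

    def learned_on(self, iface: Iface) -> int:
        return sum(1 for i in self.dynamic.values() if i == iface)

    def ingress(self, src_mac: Mac, vlan: int, iface: Iface) -> str:
        """Apply the learning rules to one frame's source address.

        Returns "ok" (already known here), "learned", "moved" (static entry
        followed the host to a movable-static interface), "ignored" (static
        seen elsewhere, not written) or "violation:max-mac-count".
        """
        key = (src_mac, vlan)
        if key in self.static:
            bound = self.static[key]
            if bound == iface:
                return "ok"
            if iface in self.movable_static:
                self.static[key] = iface
                return "moved"
            # static addresses are bound to their interface: the address is
            # not rewritten, and the event is reported
            self.traps.append(f"movable-static violation: {src_mac} vlan {vlan} "
                              f"seen on {iface}, bound to {bound}")
            return "ignored"
        if self.dynamic.get(key) == iface:
            return "ok"
        limit = self.max_mac_count.get(iface)
        if limit is not None and self.learned_on(iface) >= limit:
            self.traps.append(f"max-mac-count violation: {iface} at limit {limit}, "
                              f"{src_mac} vlan {vlan} not learned")
            return "violation:max-mac-count"
        self.dynamic[key] = iface
        return "learned"

    def rows(self) -> List[Tuple[Iface, Mac, int, str]]:
        """Entries in the order show mac-address-table prints them (by interface)."""
        out = [(i, m, v, "Static") for (m, v), i in self.static.items()]
        out += [(i, m, v, "Learn") for (m, v), i in self.dynamic.items()]
        return sorted(out)


if __name__ == "__main__":
    table = AddressTable(max_mac_count={"Eth 1/2": 1})
    table.add_static("00-01-02-03-04-05", 1, "Eth 1/1")
    table.movable_static.add("Eth 1/3")
    for frame in [("00-01-02-03-04-05", 1, "Eth 1/2"),
                  ("00-E0-29-94-34-64", 1, "Eth 1/2"),
                  ("00-E0-29-94-34-65", 1, "Eth 1/2")]:
        print(frame, "->", table.ingress(*frame))
    print(table.traps)
```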
18 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 18 | Spanning Tree Commands Table 90: Spanning Tree Commands (Continued)
Command - Function - Mode
spanning-tree loopback-detection action - Configures the response for loopback detection to block user traffic or shut down the interface - IC
spanning-tree loopback-detection release-mode - Configures loopback release mode for a port - IC
spanning-tree loopback-detection trap - Enables BPDU loopback SNMP trap notification for a port - IC
spanning-tree mst cost - Configures the path cost of an instance in the
between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. Example This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree cisco-prestandard This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting rstp Command Mode Global Configuration Command Usage ◆ Spanning Tree Protocol This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol. short - Specifies 16-bit based values that range from 1-65535.
Command Mode Global Configuration Command Usage Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
spanning-tree system-bpdu-flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default. Syntax spanning-tree system-bpdu-flooding {to-all | to-vlan} no spanning-tree system-bpdu-flooding to-all - Floods BPDUs to all other ports on the switch.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#
max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40) Default Setting 20 Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols.
Default Setting 32768 Command Mode MST Configuration Command Usage ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
within the same MSTI Region (page 448) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree. Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#
name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Default Setting 0 Command Mode MST Configuration Command Usage The MST region name (page 448) and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
Related Commands spanning-tree edge-port (452)
spanning-tree bpdu-guard This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#
Related Commands spanning-tree edge-port (452) spanning-tree spanning-disabled (460)
spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port.
Command Usage ◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. ◆ Path cost takes precedence over port priority. ◆ When the path cost method (page 443) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#
spanning-tree link-type This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting. point-to-point - Point-to-point link.
spanning-tree loopback-detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature. Syntax [no] spanning-tree loopback-detection Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.
selected interface will be automatically enabled when the shutdown interval has expired. ◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
◆ When configured for manual release mode, a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command. Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#
spanning-tree loopback-detection This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.
standard exceeds 65,535, the default is set to 65,535. The default path costs are listed in Table 92 on page 451. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Each spanning-tree instance is associated with a unique set of VLAN IDs. ◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices.
interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree. ◆ Where more than one interface is assigned the highest priority, the interface with the lowest numeric identifier will be enabled.
spanning-tree port-priority This command configures the priority for the specified interface. Use the no form to restore the default. Syntax spanning-tree port-priority priority no spanning-tree port-priority priority - The priority for a port. (Range: 0-240, in steps of 16) Default Setting 128 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command defines the priority for the use of a port in the Spanning Tree Algorithm.
Command Usage ◆ A port connecting a LAN through the bridge to the root bridge is known as a designated port. A bridge with a designated port and a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time. ◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period.
spanning-tree loopback-detection release This command manually releases a port placed in discarding state by loopback-detection. Syntax spanning-tree loopback-detection release interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible). Example
Console#spanning-tree protocol-migration eth 1/5
Console#
show spanning-tree This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
. .
This example shows a brief summary of global and interface settings for the spanning tree.
Console#show spanning-tree brief
Spanning Tree Mode : RSTP
Spanning Tree Enabled/Disabled : Enabled
Designated Root : 32768.0000E89382A0
Current Root Port : 0
Current Root Cost : 0
Interface Pri Designated Bridge ID Designated Port ID Oper Cost STP Status Role State Oper Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- --
Eth 1/ 1 128 32768.
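Three checks drawn from the spanning-tree commands above, as an added example that is not code from the Edge-core guide: the max-age bounds tied to hello-time and forward-time, the 65,535 cap of the short path-cost method, and root bridge election by priority and then MAC address, rendered in the bridge identifier form the Designated Root field shows. Function names and the sample bridges are constructed.

```python
"""Spanning-tree checks: max-age bounds, short-method path-cost cap, and
root election by (priority, MAC) as the bridge identifier.

Added example, not code from the Edge-core guide; function names and the
sample bridges are constructed.
"""
from typing import Dict, Tuple

Bridge = Tuple[int, str]   # (priority, MAC as "00-00-E8-93-82-A0")


def max_age_bounds(hello_time: int, forward_time: int) -> Tuple[int, int]:
    """Valid max-age range: the higher of 6 or 2*(hello-time + 1), up to the
    lower of 40 or 2*(forward-time - 1)."""
    low = max(6, 2 * (hello_time + 1))
    high = min(40, 2 * (forward_time - 1))
    return low, high


def validate_max_age(max_age: int, hello_time: int, forward_time: int) -> bool:
    """True if spanning-tree max-age would be accepted with these timers."""
    low, high = max_age_bounds(hello_time, forward_time)
    return low <= max_age <= high


def default_path_cost(standard_cost: int, method: str) -> int:
    """Under the short method a default cost above 65,535 is set to 65,535."""
    if method == "short":
        return min(standard_cost, 65535)
    if method == "long":
        return standard_cost
    raise ValueError("pathcost method must be short or long")


def mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def bridge_key(bridge: Bridge) -> Tuple[int, int]:
    """Lower priority wins; equal priority is broken by the lower MAC address."""
    priority, mac = bridge
    return priority, mac_int(mac)


def format_bridge_id(bridge: Bridge) -> str:
    """Render as show spanning-tree prints it, e.g. 32768.0000E89382A0."""
    priority, mac = bridge
    return f"{priority}.{mac_int(mac):012X}"


def elect_root(bridges: Dict[str, Bridge]) -> str:
    """Return the name of the bridge that becomes the STA root."""
    return min(bridges, key=lambda name: bridge_key(bridges[name]))


if __name__ == "__main__":
    # constructed LAN: C wins on priority alone, B would win on MAC otherwise
    lan = {"A": (32768, "00-00-E8-93-82-A0"),
           "B": (32768, "00-00-E8-00-00-01"),
           "C": (4096, "FF-FF-FF-FF-FF-FF")}
    root = elect_root(lan)
    print("root:", root, format_bridge_id(lan[root]))
    print("max-age bounds at hello-time 2 / forward-time 15:", max_age_bounds(2, 15))
```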
19 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 19 | VLAN Commands GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Chapter 19 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set. timer-value - Value of timer.
Chapter 19 | VLAN Commands GVRP and Bridge Extension Commands switchport forbidden This command configures forbidden VLANs. Use the no form to remove the list of vlan forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add. remove vlan-list - List of VLAN identifiers to remove. vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
Chapter 19 | VLAN Commands GVRP and Bridge Extension Commands Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command. Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands.
Chapter 19 | VLAN Commands GVRP and Bridge Extension Commands Table 95: show bridge-ext - display description (Continued) Field Description Traffic Classes This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Commands” on page 505.) Global GVRP Status GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
Chapter 19 | VLAN Commands GVRP and Bridge Extension Commands show gvrp This command shows if GVRP is enabled. configuration Syntax show gvrp configuration [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12/28) port-channel channel-id (Range: 1-8/12) Default Setting Shows both global and interface-specific configuration.
Chapter 19 | VLAN Commands Editing VLAN Groups Editing VLAN Groups Table 96: Commands for Editing VLAN Groups Command Function Mode vlan database Enters VLAN database mode to add, change, and delete VLANs GC vlan Configures a VLAN, including VID, name and state VC vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
Chapter 19 | VLAN Commands Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094) name - Keyword to be followed by the VLAN name.
Chapter 19 | VLAN Commands Configuring VLAN Interfaces Example The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Chapter 19 | VLAN Commands Configuring VLAN Interfaces Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (350) interface (346) vlan (473) switchport This command configures the acceptable frame types for a port. Use the no form to acceptable-frame- restore the default.
Chapter 19 | VLAN Commands Configuring VLAN Interfaces switchport allowed This command configures VLAN groups on the selected interface. Use the no form vlan to restore the default. Syntax switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan add vlan-list - List of VLAN identifiers to add. remove vlan-list - List of VLAN identifiers to remove.
Chapter 19 | VLAN Commands Configuring VLAN Interfaces switchport This command enables ingress filtering for an interface. Use the no form to restore ingress-filtering the default. Syntax [no] switchport ingress-filtering Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Ingress filtering only affects tagged frames.
Chapter 19 | VLAN Commands Configuring VLAN Interfaces trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. Default Setting Access mode, with the PVID set to VLAN 1.
Chapter 19 | VLAN Commands Configuring VLAN Interfaces the PVID for an interface can be set to any VLAN for which it is an untagged member. ◆ If acceptable frame types is set to all or switchport mode is set to hybrid, the PVID will be inserted into all untagged frames entering the ingress port.
Chapter 19 | VLAN Commands Displaying VLAN Information you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. ◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see the switchport mode command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling name - Keyword to be followed by the VLAN name. vlan-name - ASCII string from 1 to 32 characters. Default Setting Shows all VLANs.
Chapter 19 | VLAN Commands Configuring IEEE 802.1Q Tunneling General Configuration Guidelines for QinQ 1. Configure the switch to QinQ mode (dot1q-tunnel system-tunnel-control). 2. Create a SPVLAN (vlan). 3. Configure the QinQ tunnel access port to dot1Q-tunnel access mode (switchport dot1q-tunnel mode). 4. Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Command Mode
Global Configuration
Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#
Related Commands
show dot1q-tunnel (485)
show interfaces switchport (394)

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#
Related Commands
show dot1q-tunnel (485)
show interfaces switchport (394)

switchport dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
Configuring L2CP Tunneling

Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel tpid 9100
Console(config-if)#
Related Commands
show interfaces switchport (394)

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
l2protocol-tunnel tunnel-dmac
This command configures the destination address for Layer 2 Protocol Tunneling (L2PT). Use the no form to restore the default setting.
Syntax
l2protocol-tunnel tunnel-dmac mac-address
mac-address – The switch rewrites the destination MAC address in all upstream L2PT protocol packets (i.e., STP BPDUs) to this value, and forwards them on to uplink ports.
Processing protocol packets defined in IEEE 802.1ad – Provider Bridges
◆ When an IEEE 802.1ad protocol packet is received on an uplink port (i.e., an 802.1Q tunnel ingress port connecting the edge switch to the service provider network)
■ with the destination address 01-80-C2-00-00-00, 0B~0F (C-VLAN tag), it is forwarded to all QinQ uplink ports and QinQ access ports in the same SVLAN for which L2PT is enabled for that protocol.
◆ When a Cisco-compatible L2PT packet is received on an access port, and
■ recognized as a CDP/VTP/STP/PVST+ protocol packet, and
■ L2PT is enabled on this port,
it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is enabled, and (b) uplink ports after rewriting the destination address to make it a GBPT protocol packet (i.e., setting the destination address to 01-00-0C-CD-CD-D0).
Configuring Protocol-based VLANs

Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Refer to the Command Usage section for the l2protocol-tunnel tunnel-dmac command.
◆ For L2PT to function properly, QinQ must be enabled on the switch using the dot1q-tunnel system-tunnel-control command, and the interface configured to 802.1Q tunnel mode using the switchport dot1q-tunnel mode command.
Command Mode
Global Configuration
Example
The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types:
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#

protocol-vlan
This command maps a protocol group to a VLAN for the current interface.
◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner:
■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
Configuring IP Subnet VLANs

show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Syntax
show interfaces protocol-vlan protocol-group [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12/28)
port-channel channel-id (Range: 1-8/12)
Default Setting
The mapping for all interfaces is displayed.
subnet-vlan
This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.
Syntax
subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]
no subnet-vlan subnet {ip-address mask | all}
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
Configuring MAC Based VLANs

show subnet-vlan
This command displays IP Subnet VLAN assignments.
Command Mode
Privileged Exec
Command Usage
◆ Use this command to display subnet-to-VLAN mappings.
◆ The last matched entry is used if more than one entry can be matched.
Example
The following example displays all configured IP subnet-based VLANs.
Console#show subnet-vlan
IP Address      Mask
--------------- ---------------
192.168.12.0    255.255.255.128
192.168.12.128  255.255.255.192
192.168.
mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
Syntax
mac-vlan mac-address mac-address [mask mask-address] vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address [mask mask-address] | all}
mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Configuring Voice VLANs

show mac-vlan
This command displays MAC address-to-VLAN assignments.
Command Mode
Privileged Exec
Command Usage
Use this command to display MAC address-to-VLAN mappings.
Example
The following example displays all configured MAC address-based VLANs.
voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
Syntax
voice vlan voice-vlan-id
no voice vlan
voice-vlan-id - Specifies the voice VLAN ID. (Range: 1-4094)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic.
voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.
Syntax
voice vlan aging minutes
no voice vlan
minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
Default Setting
1440 minutes
Command Mode
Global Configuration
Command Usage
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
description - User-defined text that identifies the VoIP devices. (Range: 1-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses.
Command Usage
◆ When auto is selected, you must select the method to use for detecting VoIP traffic, either OUI or 802.1ab (LLDP), using the switchport voice vlan rule command. When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac-address command.
◆ All ports are set to VLAN access mode by default.
switchport voice vlan rule
This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port.
Syntax
[no] switchport voice vlan rule {oui | lldp}
oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
lldp - Uses LLDP to discover VoIP devices attached to the port.
Command Usage
◆ Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped.
Eth 1/ 9  Disabled  Disabled  OUI  6  NA
Eth 1/10  Disabled  Disabled  OUI  6  NA
Console#show voice vlan oui
OUI Address        Mask               Description
-----------------  -----------------  ------------------------------
00-12-34-56-78-9A  FF-FF-FF-00-00-00  old phones
00-11-22-33-44-55  FF-FF-FF-00-00-00  new phones
00-98-76-54-32-10  FF-FF-FF-FF-FF-FF  Chris' phone
Console#
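The OUI matching and security-filtering rules described above, worked through in Python as an added illustration (this is not Edge-core code). The OUI table is the one printed by show voice vlan oui; the frames are constructed test data, and representing a frame as a dict with a source MAC and an optional 802.1Q VLAN ID is an assumption of this example.

```python
"""OUI-based VoIP detection plus voice VLAN security filtering.

Added illustration, not switch firmware. Entries are matched the way the
mask column implies: a FF-FF-FF-00-00-00 mask matches a manufacturer's
whole OUI prefix, an all-ones mask pins one exact device.
"""


def mac_to_int(mac):
    """Parse either format the CLI accepts: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx."""
    digits = mac.replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


# Telephony OUI list from the show voice vlan oui output: (address, mask, description).
OUI_TABLE = [
    ("00-12-34-56-78-9A", "FF-FF-FF-00-00-00", "old phones"),
    ("00-11-22-33-44-55", "FF-FF-FF-00-00-00", "new phones"),
    ("00-98-76-54-32-10", "FF-FF-FF-FF-FF-FF", "Chris' phone"),
]


def match_oui(src_mac, table=OUI_TABLE):
    """Return the description of the first entry whose masked bits equal the
    masked source address, or None when no entry matches."""
    src = mac_to_int(src_mac)
    for addr, mask, description in table:
        m = mac_to_int(mask)
        if src & m == mac_to_int(addr) & m:
            return description
    return None


def voice_vlan_decision(frame, voice_vlan_id, security=True, table=OUI_TABLE):
    """Security filtering: a frame tagged with the voice VLAN ID whose source
    is not a recognised VoIP device is dropped. Untagged frames, frames on
    other VLANs, and all frames when security is off pass through unchanged."""
    if not security or frame.get("vlan") != voice_vlan_id:
        return "forward"
    return "forward" if match_oui(frame["src"], table) else "drop"


def demo(voice_vlan_id=1234):
    """Constructed frames (dict: src MAC, vlan tag or None) run against the table."""
    frames = [
        {"src": "00-12-34-AA-BB-CC", "vlan": voice_vlan_id},  # old-phones OUI prefix
        {"src": "00-98-76-54-32-10", "vlan": voice_vlan_id},  # Chris' phone, exact match
        {"src": "00-98-76-54-32-11", "vlan": voice_vlan_id},  # neighbouring MAC: all-ones mask, no match
        {"src": "AA-BB-CC-DD-EE-FF", "vlan": voice_vlan_id},  # PC tagging itself into the voice VLAN
        {"src": "AA-BB-CC-DD-EE-FF", "vlan": None},           # same PC, untagged: not affected
    ]
    return [voice_vlan_decision(f, voice_vlan_id) for f in frames]


if __name__ == "__main__":
    print(demo())
```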
20 Class of Service Commands

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 20 | Class of Service Commands
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example
The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
Related Commands
queue mode (506)
show queue weight (509)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Example
The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
Related Commands
show interfaces switchport (394)

show queue mode
This command shows the current queue mode.
Priority Commands (Layer 3 and 4)

This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Default Setting
Table 108: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS   CFI 0   CFI 1
0     (0,0)   (0,0)
1     (1,0)   (1,0)
2     (2,0)   (2,0)
3     (3,0)   (3,0)
4     (4,0)   (4,0)
5     (5,0)   (5,0)
6     (6,0)   (6,0)
7     (7,0)   (7,0)
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ The default mapping of CoS to PHB values shown in Table 108 is based on the recommended settings in IEEE 802.
qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ... dscp7
phb - Per-hop behavior, or the priority used for this router hop.
to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
Example
This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3 and a drop precedence of 1.
qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Syntax
qos map trust-mode {cos | dscp}
no qos map trust-mode
cos - Sets the QoS mapping mode to CoS.
dscp - Sets the QoS mapping mode to DSCP.
show qos map cos-dscp
This command shows the ingress CoS/CFI to internal DSCP map.
Syntax
show qos map cos-dscp interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12/28)
port-channel channel-id (Range: 1-8/12)
Command Mode
Privileged Exec
Example
Console#show qos map cos-dscp interface ethernet 1/5
CoS Information of Eth 1/5
CoS-DSCP Map.
Example
The ingress DSCP is composed of “d1” (the most significant digit, in the left column) and “d2” (the least significant digit, in the top row); in other words, ingress DSCP = d1 * 10 + d2. The corresponding internal DSCP and drop precedence are shown in the intersecting cell of the table.
Console#show qos map dscp-mutation interface ethernet 1/5
Information of Eth 1/5
DSCP mutation map.
show qos map trust-mode
This command shows the QoS mapping mode.
Syntax
show qos map trust-mode interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
21 Quality of Service Commands

The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 21 | Quality of Service Commands

To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
3.
◆ One or more class maps can be assigned to a policy map (page 523). The policy map is then bound by a service policy to an interface (page 534). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the match or set commands.
dscp - A Differentiated Service Code Point value. (Range: 0-63)
ip-precedence - An IP Precedence value. (Range: 0-7)
vlan - A VLAN. (Range: 1-4094)
Default Setting
None
Command Mode
Class Map Configuration
Command Usage
First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map.
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Console(config)#class-map rd-class#3 match-any
Console(config-cmap)#match vlan 1
Console(config-cmap)#

rename
This command redefines the name of a class map or policy map.
Syntax
rename map-name
map-name - Name of the class map or policy map.
◆ Create a Class Map (page 523) before assigning it to a Policy Map.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
◆ Up to 16 classes can be included in a policy map.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and configure the response to drop any violating packets.
◆ Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698.
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes. (Range: 1-2147000 at a granularity of 4k bytes)
excess-burst - Excess burst size (BE) in bytes. (Range: 1-2147000 at a granularity of 4k bytes)
conform-action - Action to take when rate is within the CIR and BC.
The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
■ If Tc is less than BC, Tc is incremented by one,
■ else if Te is less than BE, Te is incremented by one,
■ else neither Tc nor Te is incremented.
police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Syntax
[no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
trtcm-color-blind - Two rate three color meter in color-blind mode.
Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR.
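The two-bucket arithmetic behind police flow (the srTCM update rule for Tc and Te given above, RFC 2697) and police trtcm-color (CIR/BC plus PIR/BP, RFC 2698), as an added Python simulation rather than Edge-core code. It lets the colour a burst receives for a given CIR/BC/BE or CIR/BC/PIR/BP be checked by hand; the CLI's kbps rates are converted to bytes per second, the per-token update rule is applied in closed form (elapsed time multiplied by rate), and the srTCM's BE of 4000 bytes in the demo is a constructed value (the other numbers are the ones used in the police examples on this page).

```python
"""srTCM (RFC 2697) and trTCM (RFC 2698) meters as used by the police commands.

Added illustration, not switch firmware. Both meters start with full buckets
and colour each packet green, yellow or red; the CLI maps those colours to
conform-action, exceed-action and violate-action.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


def _bytes_per_sec(kbps):
    return kbps * 1000 / 8


@dataclass
class SrTCM:
    """Single rate: committed bucket C (depth BC) and excess bucket E (depth BE),
    both fed from one CIR token stream. Tokens top up C first, then spill to E."""
    cir_kbps: int
    bc: int
    be: int
    color_aware: bool = False
    tc: float = field(init=False, default=0.0)
    te: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.te = float(self.bc), float(self.be)   # Tc(0) = BC, Te(0) = BE

    def _refill(self, now):
        # Closed form of "Tc += 1 if Tc < BC, else Te += 1 if Te < BE" at CIR tokens/s.
        tokens = _bytes_per_sec(self.cir_kbps) * (now - self.last)
        self.last = now
        to_c = min(tokens, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + tokens - to_c)

    def meter(self, now, size, color=GREEN):
        """Colour one packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        pre = color if self.color_aware else GREEN          # blind mode ignores marking
        if pre == GREEN and size <= self.tc:
            self.tc -= size
            return GREEN
        if pre != RED and size <= self.te:
            self.te -= size
            return YELLOW
        return RED


@dataclass
class TrTCM:
    """Two rate: peak bucket P (depth BP, fed at PIR) and committed bucket C
    (depth BC, fed at CIR), refilled independently of each other."""
    cir_kbps: int
    bc: int
    pir_kbps: int
    bp: int
    color_aware: bool = False
    tc: float = field(init=False, default=0.0)
    tp: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.tp = float(self.bc), float(self.bp)

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.bc, self.tc + _bytes_per_sec(self.cir_kbps) * dt)
        self.tp = min(self.bp, self.tp + _bytes_per_sec(self.pir_kbps) * dt)

    def meter(self, now, size, color=GREEN):
        self._refill(now)
        pre = color if self.color_aware else GREEN
        if pre == RED or size > self.tp:
            return RED                       # over the PIR: nothing is debited
        if pre == YELLOW or size > self.tc:
            self.tp -= size                  # within PIR but over the CIR
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def meter_burst(meter, sizes, now=0.0):
    """Colour a back-to-back burst of packets that all arrive at `now`."""
    return [meter.meter(now, s) for s in sizes]


def demo():
    """CIR 100,000 kbps, BC 4000 bytes (and PIR 1,000,000 kbps, BP 6000 for the
    trTCM) from the police examples; BE 4000 bytes is constructed."""
    sr = SrTCM(cir_kbps=100_000, bc=4000, be=4000)
    aware = SrTCM(cir_kbps=100_000, bc=4000, be=4000, color_aware=True)
    tr = TrTCM(cir_kbps=100_000, bc=4000, pir_kbps=1_000_000, bp=6000)
    return {
        "srtcm_burst": meter_burst(sr, [1500] * 5),        # 7500 bytes at once
        "srtcm_after_1ms": sr.meter(0.001, 1500),          # 12,500 tokens refill both buckets
        "srtcm_aware_yellow_in": aware.meter(0.0, 1500, YELLOW),  # pre-coloured yellow stays yellow
        "trtcm_burst": meter_burst(tr, [2000] * 4),        # 8000 bytes at once
    }


if __name__ == "__main__":
    print(demo())
```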
that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
Displays all class maps.
 Description:
  class rd-class
   set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
  class rd-class
   set phb 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
22 Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 22 | Multicast Filtering Commands
IGMP Snooping

Table 113: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs | GC
ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into the attached VLAN | GC
ip igmp snooping unsolicited-report-interval | Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is e | GC
Command | Function | Mode
show ip igmp snooping mrouter | Shows multicast router ports | PE
show ip igmp snooping statistics | Shows IGMP snooping protocol statistics for the specified interface | PE

ip igmp snooping
This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier time out. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a time out mechanism is used to delete all of the currently learned multicast channels.
◆ When a new uplink port starts up, the switch sends unsolicited reports for all current learned channels out through the new uplink port.
When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
◆ The ip igmp snooping tcn-query-solicit command can be used to send a query solicitation whenever it notices a topology change, even if the switch is not the root bridge in the spanning tree.
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Command Mode
Global Configuration
Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
currently defined by Last Member Query Interval (fixed at one second) * Robustness Variable (fixed at 2) as defined in RFC 2236.
◆ If immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
ip igmp snooping vlan last-memb-query-intvl
This command configures the last-member-query interval. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id last-memb-query-intvl interval
no ip igmp snooping vlan vlan-id last-memb-query-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The interval to wait for a response to a group-specific or group-and-source-specific query message.
Command Mode
Global Configuration
Command Usage
◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link.
Command Mode
Global Configuration
Command Usage
IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541. The switch also uses a null address in IGMP reports sent to upstream ports.
ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-interval interval
no ip igmp snooping vlan vlan-id query-interval
vlan-id - VLAN ID (Range: 1-4094)
interval - The interval between sending IGMP general queries.
Command Usage
This command applies when the switch is serving as the querier (page 540), or as a proxy host when IGMP snooping proxy reporting is enabled (page 540).
Example
Console(config)#ip igmp snooping vlan 1 proxy-query-resp-intvl 20
Console(config)#

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
clear ip igmp snooping groups dynamic
This command clears multicast group information dynamically learned through IGMP snooping or MVR.
Syntax
clear ip igmp snooping groups dynamic
Command Mode
Privileged Exec
Command Usage
This command only clears entries learned through IGMP snooping or MVR. Statically configured multicast addresses are not cleared.
show ip igmp snooping
This command shows the IGMP snooping, proxy, and query configuration settings.
Syntax
show ip igmp snooping [vlan vlan-id]
vlan-id - VLAN ID (1-4094)
Command Mode
Privileged Exec
Command Usage
This command displays global and VLAN-specific IGMP configuration settings.
show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
Syntax
show ip igmp snooping group [host-ip-addr ip-address interface | igmpsnp | sort-by-port | user | vlan vlan-id [user | igmpsnp]]
ip-address - IP address for multicast group
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Displays multicast router ports for all configured VLANs.
Command Mode
Privileged Exec
Command Usage
Multicast router port types displayed include Static or Dynamic.
Command Mode
Privileged Exec
Example
The following shows IGMP protocol statistics input:
Console#show ip igmp snooping statistics input interface ethernet 1/1
Interface  Report  Leave  G Query  G(-S)-S Query  Drop  Join Succ  Group
---------  ------  -----  -------  -------------  ----  ---------  -----
Eth 1/ 1   23      11     4        10             5     14         5
Console#
Table 114: show ip igmp snooping statistics input - display description
Field | Description
Interface | Shows interface
Static Multicast Routing

The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Querier IP Address : 192.168.1.
ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN. Use the no form to remove the configuration.
Syntax
[no] ip igmp snooping vlan vlan-id mrouter interface
vlan-id - VLAN ID (Range: 1-4094)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
IGMP Filtering and Throttling

In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the IGMP join report is forwarded as normal. If a requested multicast group is denied, the IGMP join report is dropped.
permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
Syntax
{permit | deny}
Default Setting
Deny
Command Mode
IGMP Profile Configuration
Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Default Setting
1023
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
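The following simulation of the filter-profile and throttling checks is an added example; it is not code from this guide or from the switch. It applies the permit/deny and range semantics stated above and the per-port group limit with its deny or replace action; which group is evicted under "replace" is not specified on this page, so the example evicts the oldest joined group (an assumption).

```python
"""Simulation of IGMP filter-profile and max-groups throttling decisions.

Added example, not code from the Edge-core guide or the switch. It models
the behaviour the guide describes: a profile is permit or deny (default
deny) over one or more address ranges, at most one profile per port, and a
per-port group limit whose action is deny or replace.
"""
from collections import OrderedDict
from ipaddress import IPv4Address


class IgmpProfile:
    """An IGMP filter profile: one access mode plus a list of ranges."""

    def __init__(self, number, mode="deny"):
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number = number
        self.mode = mode
        self.ranges = []

    def range(self, start, end=None):
        """'range start [end]': a single address when end is omitted."""
        lo = IPv4Address(start)
        hi = IPv4Address(end) if end else lo
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError("invalid multicast address range")
        self.ranges.append((lo, hi))

    def in_range(self, group):
        g = IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def permits(self, group):
        """permit mode: only groups inside a range pass;
        deny mode: only groups outside every range pass."""
        inside = self.in_range(group)
        return inside if self.mode == "permit" else not inside


class Port:
    """A switch port with an optional filter profile and a group limit."""

    def __init__(self, name, profile=None, max_groups=1023, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action must be deny or replace")
        self.name = name
        self.profile = profile          # only one profile per port
        self.max_groups = max_groups    # default 1023, as on the switch
        self.action = action
        self.groups = OrderedDict()     # insertion order = join order

    def join(self, group):
        """Process an IGMP join report for 'group'; return the decision."""
        # 1. Filtering: the join report is checked against the profile.
        if self.profile is not None and not self.profile.permits(group):
            return "dropped:filtered"
        # A group that is already joined just refreshes its membership.
        if group in self.groups:
            return "refreshed"
        # 2. Throttling: the limit applies to new groups only.
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped:throttled"
            # Assumption: 'replace' evicts the oldest joined group.
            self.groups.popitem(last=False)
            self.groups[group] = True
            return "joined:replaced"
        self.groups[group] = True
        return "joined"


def demo():
    """Profile 19 from the guide's example, bound to a port limited to two
    groups with action 'replace'. Returns the decisions and final groups."""
    profile = IgmpProfile(19)                  # default access mode: deny
    profile.range("239.1.1.1")
    profile.range("239.2.3.1", "239.2.3.100")
    port = Port("Eth 1/1", profile, max_groups=2, action="replace")
    joins = ["239.1.1.1", "239.2.3.50", "239.2.3.101",
             "224.10.10.10", "224.10.10.11", "224.10.10.10"]
    return [(g, port.join(g)) for g in joins], list(port.groups)


if __name__ == "__main__":
    for group, decision in demo()[0]:
        print(f"{group:<14} {decision}")
```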
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups action replace
Console(config-if)#

ip igmp query-drop
This command drops any received IGMP query packets. Use the no form to restore the default setting.
◆ When receiving an IGMPv3 report message, the switch will send the access request to the RADIUS server only when the record type is IS_EX (MODE_IS_EXCLUDE), which excludes a source list, or TO_EX (CHANGE_TO_EXCLUDE_MODE), and the source list is empty. Other types of packets will not be authenticated.
Example
Console#show ip igmp filter
IGMP filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
--------------------------------
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
port-channel channel-id (Range: 1-8/12)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ip igmp query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ip igmp
This command displays the interface settings for IGMP throttling.
MLD Snooping

Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
ipv6 mld snooping
This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.
Syntax
[no] ipv6 mld snooping
Default Setting
Disabled
Command Mode
Global Configuration
Example
The following example enables MLD Snooping:
Console(config)#ipv6 mld snooping
Console(config)#

ipv6 mld snooping querier
This command allows the switch to act as the querier for MLDv2 snooping. Use the no form to disable this feature.
ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries. (Range: 60-125 seconds)
Default Setting
125 seconds
Command Mode
Global Configuration
Command Usage
This command applies when the switch is serving as the querier.
Example
Console(config)#ipv6 mld snooping query-max-response-time seconds 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.
Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.
ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default.
Syntax
ipv6 mld snooping version {1 | 2}
1 - MLD version 1.
2 - MLD version 2.
Default Setting
Version 2
Command Mode
Global Configuration
Example
Console(config)#ipv6 mld snooping version 1
Console(config)#

ipv6 mld snooping
This command statically configures an IPv6 multicast router port.
Example
The following shows how to configure port 1 as a multicast router port within VLAN 1:
Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group.
Command Mode
Global Configuration
Command Usage
◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.
show ipv6 mld snooping group
This command shows known multicast groups, member ports, and the means by which each group was learned.
Option: Filter Mode: Include, Exclude
Console#

show ipv6 mld snooping mrouter
This command shows MLD Snooping multicast router information.
Syntax
show ipv6 mld snooping mrouter vlan vlan-id
vlan-id - A VLAN identification number.
Multicast VLAN Registration

Table 121: Multicast VLAN Registration for IPv4 Commands (Continued)
Command                       Function                                                                                                              Mode
mvr proxy-switching           Enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled  GC
mvr robustness-value          Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries  GC
mvr source-port-mode dynamic  Configures the sw
mvr
This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR.
Syntax
[no] mvr
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Related Commands
mvr profile (582)

mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.
Syntax
[no] mvr domain domain-id
domain-id - An independent multicast domain. (Range: 1-5)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
Command Mode
Global Configuration
Command Usage
◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams.
Example
This example sets the proxy query interval for MVR proxy switching.
Console(config)#mvr proxy-query-interval 250
Console(config)#

mvr proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
Example
The following example enables MVR proxy switching.
Console(config)#mvr proxy-switching
Console(config)#
Related Commands
mvr robustness-value (585)

mvr robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
mvr source-port-mode dynamic
This command configures the switch to only forward multicast streams which the source port has dynamically joined. Use the no form to restore the default setting.
Syntax
[no] mvr source-port-mode dynamic
Default Setting
Forwards all multicast streams which have been specified in a profile and bound to a domain.
Command Mode
Global Configuration
Example
Console(config)#mvr domain 1 upstream-source-ip 192.168.0.3
Console(config)#

mvr vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.
Syntax
mvr domain domain-id vlan vlan-id
no mvr domain domain-id vlan
domain-id - An independent multicast domain.
mvr immediate-leave
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.
Syntax
[no] mvr [domain domain-id] immediate-leave
domain-id - An independent multicast domain.
mvr type
This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings.
Syntax
[no] mvr [domain domain-id] type {receiver | source}
domain-id - An independent multicast domain. (Range: 1-5)
receiver - Configures the interface as a subscriber port that can receive multicast data.
Console(config-if)#mvr domain 1 type receiver
Console(config-if)#

mvr vlan group
This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
Syntax
[no] mvr [domain domain-id] vlan vlan-id group ip-address
domain-id - An independent multicast domain.
show mvr
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
Syntax
show mvr [domain domain-id]
domain-id - An independent multicast domain. (Range: 1-5)
Default Setting
Displays configuration settings for all MVR domains.
Table 122: show mvr - display description (Continued)
Field                       Description
MVR Current Learned Groups  The current number of MVR group addresses
MVR Upstream Source IP      The source IP address assigned to all upstream control packets.

show mvr associated-profile
This command shows the profiles bound to the specified domain.
Syntax
show mvr [domain domain-id] associated-profile
domain-id - An independent multicast domain.
Example
The following displays information about the interfaces attached to the MVR VLAN in domain 1:
Console#show mvr domain 1 interface
MVR Domain : 1
Port      Type      Status               Immediate  Static Group Address
--------  --------  -------------------  ---------  --------------------
Eth 1/ 1  Source    Active/Forwarding
Eth 1/ 2  Receiver  Inactive/Discarding  Disabled   234.5.6.8(VLAN2)
Eth 1/ 3  Source    Inactive/Discarding
Eth 1/ 1  Receiver  Active/Forwarding    Disabled   225.0.0.
show mvr members
This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.
The following example shows detailed information about a specific multicast address:
Console#show mvr domain 1 members 234.5.6.7
MVR Domain : 1
MVR Forwarding Entry Count :1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts joined to group on this port).
      P - Port counts (number of ports joined to group).
Up time: Group elapsed time (d:h:m:s).
Expire : Group remaining time (m:s).
show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.
Syntax
show mvr statistics {input | output} [interface interface]
show mvr domain domain-id statistics {input [interface interface] | output [interface interface] | query}
domain-id - An independent multicast domain. (Range: 1-5)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Table 125: show mvr statistics input - display description (Continued)
Field      Description
Drop       The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received
Join Succ  The number of times a multicast group was successfully joined.
Group      The number of MVR groups active on this interface.
Table 127: show mvr statistics query - display description
Field                   Description
Querier IP Address      The IP address of the querier on this interface.
Querier Expire Time     The time after which this querier is assumed to have expired.
General Query Received  The number of general queries received on this interface.
General Query Sent      The number of general queries sent from this interface.
23 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
Chapter 23 | LLDP Commands

Table 128: LLDP Commands (Continued)
Command                            Function                                                                     Mode
lldp basic-tlv system-description  Configures an LLDP-enabled port to advertise the system description          IC
lldp basic-tlv system-name         Configures an LLDP-enabled port to advertise its system name                 IC
lldp dot1-tlv proto-ident*         Configures an LLDP-enabled port to advertise the supported protocols         IC
lldp dot1-tlv proto-vid*           Configures an LLDP-enabled port to advertise port related VLAN information   IC
lldp dot1-tlv
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism.
Syntax
lldp med-fast-start-count packets
packets - Number of packets. (Range: 1-10 packets; Default: 4 packets)
Default Setting
4 packets
Command Mode
Global Configuration
Command Usage
This parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port.
notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#lldp notification-interval 30
Console(config)#

lldp refresh-interval
This command configures the periodic transmit interval for LLDP advertisements. Use the no form to restore the default setting.
Command Mode
Global Configuration
Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Example
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#

lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols.
Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 489).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-vid
Console(config-if)#

lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See the switchport allowed vlan command and “protocol-vlan protocol-group (Configuring Interfaces)” on page 491.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv vlan-name
Console(config-if)#

lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#

lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Command Usage
This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
defined in RFC 4776. The following table describes some of the CA type numbers and provides examples.
lldp med-notification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
Syntax
[no] lldp med-notification
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command.
Command Usage
This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode). Note that this device does not support PoE capabilities.
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv location
Console(config-if)#

lldp med-tlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
show lldp config
This command shows LLDP configuration settings for all ports.
Syntax
show lldp config [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
LLDP Port Information
Port     PortID Type  PortID             Port Description
-------  -----------  -----------------  --------------------------------
Eth 1/1  MAC Address  00-1A-7E-AC-2B-13  Ethernet Port on unit 1, port 1
Eth 1/2  MAC Address  00-1A-7E-AC-2B-14  Ethernet Port on unit 1, port 2
Eth 1/3  MAC Address  00-1A-7E-AC-2B-15  Ethernet Port on unit 1, port 3
Eth 1/4  MAC Address  00-1A-7E-AC-2B-16  Ethernet Port on unit 1, port 4
.
.
.
Example
Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
24 Domain Name Service Commands

These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 24 | Domain Name Service Commands

Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Domain names are added to the end of the list one at a time.
◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
◆ If there is no domain list, the domain name specified with the ip domain-name command is used.
Command Usage
◆ At least one name server must be specified before DNS can be enabled.
◆ If all name servers are deleted, DNS will automatically be disabled.
Example
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS Enabled
Default Domain Name:
 sample.com
Domain Name List:
 sample.com.jp
 sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.
Default Domain Name:
 sample.com
Domain Name List:
Name Server List:
Console#
Related Commands
ip domain-list (623)
ip name-server (627)
ip domain-lookup (624)

ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
Syntax
[no] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
◆ mDNS allows a network device to choose a domain name in the local DNS name space and announce it using a special multicast IP address. This allows any user to give their computers a link-local mDNS host name of the form “single-dns-label.local.” Any name ending in “.local.” is therefore link-local, and names within this domain are meaningful only on the link where they originate.
Default Setting
None
Command Mode
Global Configuration
Command Usage
The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.
Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS disabled
Default Domain Name:
 sample.
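The resolution order that the ip domain-list and ip name-server usage notes describe, as an added example that is not code from this guide or the switch: domain-list suffixes are tried in order for an incomplete host name, the ip domain-name default applies only when the list is empty, and name servers are asked in sequence until one responds. The zone tables are constructed, and treating a name that contains a dot as complete is an assumption.

```python
"""Resolution order of the switch's DNS client as the guide describes it.

Added example, not code from the guide or the switch. A server missing
from the 'zones' table stands for one that never responds; a server that
is present always responds, either with an address or negatively (None).
"""

NO_RESPONSE = object()   # sentinel: no configured server answered at all


class SwitchDnsClient:
    def __init__(self, name_servers=(), domain_list=(), default_domain=None):
        self.name_servers = list(name_servers)   # queried in this order
        self.domain_list = list(domain_list)     # appended in this order
        self.default_domain = default_domain     # from ip domain-name

    def lookup_enabled(self):
        """DNS cannot be enabled without at least one name server."""
        return bool(self.name_servers)

    def candidates(self, host):
        """Fully qualified names to try for 'host', in order."""
        if "." in host:                          # assumption: dotted = complete
            return [host]
        suffixes = self.domain_list
        if not suffixes and self.default_domain:  # no list: use default domain
            suffixes = [self.default_domain]
        return [f"{host}.{s}" for s in suffixes] or [host]

    def ask_servers(self, fqdn, zones):
        """Query servers in sequence; stop at the first one that responds."""
        for server in self.name_servers:
            table = zones.get(server)
            if table is None:
                continue                         # no response: try the next
            return table.get(fqdn), server       # answer may be negative
        return NO_RESPONSE, None

    def resolve(self, host, zones):
        """Return (address, fqdn, answering server, names tried)."""
        if not self.lookup_enabled():
            raise RuntimeError("DNS is disabled: no name server configured")
        tried = []
        for fqdn in self.candidates(host):
            tried.append(fqdn)
            answer, server = self.ask_servers(fqdn, zones)
            if answer is not NO_RESPONSE and answer is not None:
                return answer, fqdn, server, tried
        return None, None, None, tried


# Constructed zone data: 192.168.1.55 never responds, 10.1.0.55 does.
ZONES = {
    "10.1.0.55": {
        "rd5.sample.com.uk": "10.20.0.5",
        "www.sample.com": "10.20.0.80",
    },
}


def demo():
    """Resolve 'rd5' with the guide's sample domain list and servers."""
    client = SwitchDnsClient(
        name_servers=["192.168.1.55", "10.1.0.55"],
        domain_list=["sample.com.jp", "sample.com.uk"],
        default_domain="sample.com",
    )
    return client.resolve("rd5", ZONES)


if __name__ == "__main__":
    print(demo())
```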
Command Mode
Global Configuration
Example
This example maps an IPv6 address to a host name.
Console(config)#ipv6 host rd6 2001:0db8:1::12
Console(config)#end
Console#show hosts
No.  Flag  Type     IP Address            TTL   Domain
---  ----  -------  --------------------  ----  ------------------------------
0    2     Address  192.168.1.55                rd5
1    2     Address  2001:DB8:1::12              rd6
Console#

clear dns cache
This command clears all entries in the DNS cache.
Example
This example clears all dynamic entries from the DNS table.
Console(config)#clear host *
Console(config)#

show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
 DNS enabled
Default Domain Name:
 sample.com
Domain Name List:
 sample.com.jp
 sample.com.uk
Name Server List:
 192.168.1.55
 10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.
Table 131: show dns cache - display description (Continued)
Field       Description
IP Address  The IP address associated with this record.
TTL         The time to live reported by the name server.
Domain      The host name associated with this record.

show hosts
This command displays the static host name-to-address mapping table.
Example
Console#show ip mdns
Multicast DNS Status : Enabled
Console#
25 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 25 | DHCP Commands

DHCP for IPv4

ip dhcp client class-id
This command specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove the class identifier from the DHCP packet.
Syntax
ip dhcp client class-id [text text | hex hex]
no ip dhcp client class-id
text - A text string. (Range: 1-32 characters)
hex - A hexadecimal value.
ip dhcp restart client
This command submits a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client’s last address if available.
DHCP for IPv6

Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ DHCPv6 clients can obtain configuration parameters from a server through a normal four-message exchange (solicit, advertise, request, reply), or through a rapid two-message exchange (solicit, reply). The rapid-commit option must be enabled on both client and server for the two-message exchange to be used.
◆ This command allows the two-message exchange method to be used for prefix delegation.
messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below.
■ Both M and O flags are set to 1: DHCPv6 is used for both address and other configuration settings. This combination is known as DHCPv6 stateful, in which a DHCPv6 server assigns stateful addresses to IPv6 hosts.
■ The M flag is set to 0, and the O flag is set to 1: DHCPv6 is used only for other configuration settings.
◆ To display the DUID assigned to this device, first enter the ipv6 address autoconfig command.

Example
Console(config-if)#ipv6 address autoconfig
Console(config-if)#end
Console#show ipv6 dhcp duid
DHCPv6 Unique Identifier (DUID): 0001-0001-4A8158B4-00E00C0000FD
Console#

show ipv6 dhcp vlan
This command shows DHCPv6 information for the specified interface(s).
DHCP Relay Option 82

This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server. Up to five DHCP servers can be specified in order of preference.
DHCP server (with the ip dhcp relay server command). Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server.
◆ DHCP provides a relay agent information option for sending information about its DHCP clients or the relay agent itself to the DHCP server.
◆ DHCP reply packets received by the relay agent are handled as follows: When the relay agent receives a DHCP reply packet with Option 82 information over the management VLAN, it first ensures that the packet is destined for itself.
  ■ If the RID in the DHCP reply packet is not identical with that configured on the switch, the Option 82 information is retained, and the packet is flooded onto the VLAN through which it was received.
Example
This example enables Option 82, and sets the frame format of the remote ID for the option to use the MAC address of the switch’s CPU.
Example
This example sets the Option 82 policy to keep the client information in the request packet received by the relay agent, and forward this packet on to the DHCP server.
Console(config)#ip dhcp relay information policy keep
Console(config)#

Related Commands
ip dhcp relay information option (640)
ip dhcp relay server (639)
ip dhcp snooping (270)

show ip dhcp relay
This command displays the configuration settings for DHCP relay service.
26 IP Interface Commands

An IPv4 or IPv6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address using Auto IP, or from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
IPv4 Interface

Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ An IP address must be assigned to this device to gain management access over the network or to connect the switch to existing IP subnets. A specific IP address can be manually configured, or the switch can be directed to obtain an address using Auto IP, or from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the configuration program.
Related Commands
ip dhcp restart client (635)
ip default-gateway (648)
ipv6 address (657)

ip default-gateway
This command specifies the default gateway through which this switch can reach other subnetworks. Use the no form to remove a default gateway.

Syntax
ip default-gateway gateway
no ip default-gateway

gateway - IP address of the default gateway

Default Setting
No default gateway is established.
Example
Console#show ip redirects
ip default gateway 10.1.0.254
Console#

Related Commands
ip default-gateway (648)
show ipv6 default-gateway (665)

show ip interface
This command displays the settings of an IPv4 interface.

Command Mode
Privileged Exec

Example
Console#show ip interface
Vlan 1 is Administrative Up - Link Up
Address is 00-E0-0C-00-00-FD
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.0.3 Mask: 255.255.255.
generated fragments
fragment succeeded
fragment failed
ICMP Statistics:
ICMP received
input errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
ICMP sent
output errors
destination unreachable messages
time exceeded messages
paramet
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum time out (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The traceroute command first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message.
Default Setting
count: 5
size: 32 bytes

Command Mode
Normal Exec, Privileged Exec

Command Usage
◆ Use the ping command to see if another site on the network can be reached.
◆ The following are some results of the ping command:
  ■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
  ■ Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.
ARP Configuration
This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.

Command Mode
Privileged Exec

Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Are you sure to continue this operation (y/n)?y
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
IPv6 Interface

This switch supports the following IPv6 interface commands.
Table 140: IPv6 Configuration Commands (Continued)

Command                Function                                                    Mode
show ipv6 nd raguard   Displays the configuration setting for RA Guard             PE
show ipv6 neighbors    Displays information in the IPv6 neighbor discovery cache   PE

Interface Address Configuration and Utilities

ipv6 default-gateway
This command sets an IPv6 default gateway to use when the destination is located in a different network segment.
Example
The following example defines a default gateway for this device:
Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780
Console(config)#

Related Commands
show ipv6 default-gateway (665)
ip default-gateway (648)

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface.
◆ If a duplicate address is detected, a warning message is sent to the console.

Example
This example specifies a full IPv6 address and prefix length.
address in modified EUI-64 format. It will also generate a global unicast address if a global prefix is included in received router advertisements.
◆ If a duplicate address is detected, a warning message is sent to the console.
◆ When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
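The modified EUI-64 construction just described, carried out in Python as an added example (not code from the guide or the switch firmware). It reproduces the guide's 28-9F-18-1C-82-35 worked case, derives the link-local address FE80::2E0:CFF:FE00:FD that the show ip interface / show ipv6 interface output pairs with the switch MAC 00-E0-0C-00-00-FD, and includes a reverse check an auditor can use to tell which IPv6 addresses on a segment still embed a hardware address; the function names are this example's own.

```python
"""Modified EUI-64 interface identifiers, as used by the ipv6 address eui-64
and ipv6 address autoconfig commands.  Added example, not vendor code.

Construction (RFC 4291, Appendix A):
  1. split the 48-bit MAC into the 24-bit OUI and the 24-bit device part
  2. insert the two bytes FF-FE between them, giving 64 bits
  3. invert the universal/local bit (value 0x02 of the first byte), so a
     globally unique MAC beginning 28 yields an identifier beginning 2A
"""
import ipaddress

EUI64_MARKER = b"\xff\xfe"
UNIVERSAL_LOCAL_BIT = 0x02


def parse_mac(mac: str) -> bytes:
    """Accept 28-9F-18-1C-82-35 or 28:9f:18:1c:82:35 and return 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return raw


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    raw = parse_mac(mac)
    iid = bytearray(raw[:3] + EUI64_MARKER + raw[3:])  # OUI, FF-FE, device id
    iid[0] ^= UNIVERSAL_LOCAL_BIT                      # 28 -> 2A in the guide's case
    return bytes(iid)


def format_iid(iid: bytes) -> str:
    """Render the identifier the way the guide prints it: 2A-9F-18-FF-FE-1C-82-35."""
    return "-".join(f"{b:02X}" for b in iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (configured, or learned from a router advertisement)
    with the modified EUI-64 identifier in the low-order 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 plus the EUI-64 identifier, as autoconfig derives the link-local address."""
    return eui64_address("FE80::/64", mac)


def mac_from_eui64_address(addr: str):
    """Recover the MAC if the low 64 bits are EUI-64 derived, otherwise None.
    Handy when auditing which hosts expose their hardware address in IPv6."""
    iid = bytearray(int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:])
    if iid[3:5] != EUI64_MARKER:
        return None
    iid[0] ^= UNIVERSAL_LOCAL_BIT  # undo the universal/local flip
    return format_iid(bytes(iid[:3] + iid[5:]))


if __name__ == "__main__":
    # 28-9F-18-1C-82-35 is the guide's worked example; 00-E0-0C-00-00-FD is the
    # switch MAC shown in the show ip interface output.
    print(format_iid(mac_to_modified_eui64("28-9F-18-1C-82-35")))
    print(link_local_from_mac("00-E0-0C-00-00-FD"))
    print(eui64_address("2001:DB8:2222:7273::/64", "28-9F-18-1C-82-35"))
    print(mac_from_eui64_address("FE80::2E0:CFF:FE00:FD"))
```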
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#

Related Commands
ipv6 enable (663)
show ipv6 interface (665)

ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address.
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
Example
The following example sets the MTU for VLAN 1 to 1280 bytes:
Console(config)#interface vlan 1
Console(config-if)#ipv6 mtu 1280
Console(config-if)#

Related Commands
show ipv6 mtu (667)
jumbo frame (102)

show ipv6 default-gateway
This command displays the current IPv6 default gateway.
Example
This example displays all the IPv6 addresses configured for the switch.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
Table 141: show ipv6 interface - display description (Continued)

Field                   Description
ND retransmit interval  The interval between IPv6 neighbor solicitation retransmissions sent on an interface during duplicate address detection.
show ipv6 traffic
This command displays statistics about IPv6 traffic passing through this switch.
neighbor solicit messages
neighbor advertisement messages
redirect messages
group membership query messages
group membership response messages
group membership reduction messages
multicast listener discovery version 2 reports
UDP Statistics:
input
no port errors
other errors
output
Console#

Table 143: show ipv6 traffic - display description

Field            Description
IPv6 Statistics
IPv6 received
total received   The total number of i
Table 143: show ipv6 traffic - display description (Continued)

Field                 Description
reassembly succeeded  The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed, which is not necessarily the input interface for some of the fragments.
Table 143: show ipv6 traffic - display description (Continued)

Field                      Description
parameter problem message  The number of ICMP Parameter Problem messages received by the interface.
echo request messages      The number of ICMP Echo (request) messages received by the interface.
echo reply messages        The number of ICMP Echo Reply messages received by the interface.
Table 143: show ipv6 traffic - display description (Continued)

Field                                Description
group membership response messages   The number of ICMPv6 Group Membership Response messages sent.
group membership reduction messages  The number of ICMPv6 Group Membership Reduction messages sent.
multicast listener discovery         The number of MLDv2 reports sent by the interface.
size - Number of bytes in a packet. (Range: 48-18024 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information.

Default Setting
count: 5
size: 100 bytes

Command Mode
Privileged Exec

Command Usage
Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
traceroute6
This command shows the route packets take to the specified destination.

Syntax
traceroute {ipv6-address | host-name}

ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Hop  Packet 1  Packet 2  Packet 3  IPv6 Address
---  --------  --------  --------  -------------------------------------------
1    <10 ms    <10 ms    <10 ms    FE80::2E0:CFF:FE9C:CA10%1/64
Trace completed.
Console#

Neighbor Discovery

ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.
◆ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.

Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Command Usage
This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.
malicious attacks on the network, may lead to bogus RAs being sent, which in turn can cause operational problems for hosts on the network.
◆ This command can be used to block RAs and Router Redirect (RR) messages on the specified interface. Determine which interfaces are connected to known routers, and enable RA Guard on all other untrusted interfaces.
clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.

Command Mode
Privileged Exec

Example
The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#

show ipv6 nd raguard
This command displays the configuration setting for RA Guard.

Syntax
show ipv6 nd raguard [interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.

Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]

vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Table 144: show ipv6 neighbors - display description (Continued)

Field              Description
State (continued)  D (Delay) - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. A packet was sent within the last DELAY_FIRST_PROBE_TIME interval.
Section III Appendices

This section provides additional information and includes these items:
◆ “Troubleshooting” on page 685
A Troubleshooting

Problems Accessing the Management Interface

Table 145: Troubleshooting Chart

Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.

Symptom: Cannot connect using Secure Shell

Symptom: Cannot access the onboard configuration program via a serial port connection

Symptom: Forgot or lost the password
Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
Glossary

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DNS
Domain Name Service. A system used for translating host names for network nodes into IP addresses.

DSCP
Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.

EAPOL
Extensible Authentication Protocol over LAN.
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q
VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p
An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

In-Band Management
Management of the network from a station attached directly to the network.

IP Multicast Filtering
A process whereby this switch can pass multicast traffic along to participating hosts.
MRD
Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.

Multicast Switching
A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
RADIUS
Remote Authentication Dial-in User Service. RADIUS is a logon authentication protocol that uses software running on a central server to control access to RADIUS-compliant devices on the network.

RMON
Remote Monitoring. RMON provides comprehensive network monitoring capabilities. It eliminates the polling required in standard SNMP, and can set alarms on a variety of traffic conditions, including specific error types.

RSTP
Rapid Spanning Tree Protocol.
TFTP
Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.

UDP
User Datagram Protocol. UDP provides a datagram mode for packet-switched communications. It uses IP as the underlying transport mechanism to provide access to IP-like services. UDP packets are delivered just like IP packets – connection-less datagrams that may be discarded before reaching their targets. UDP is useful when TCP would be too complex, too slow, or just unnecessary.
ECS4210-12P ECS4210-12T ECS4210-28P ECS4210-28T 149100000219A 149100000241A 149100000217H 149100000217H E032014/ST-R03