Enterasys® SecureStack™ B2 Stackable Switches Configuration Guide Firmware Version 4.02.xx.
Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
ENTERASYS NETWORKS, INC. FIRMWARE LICENSE AGREEMENT BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.
Moldova, Mongolia, North Korea, the People’s Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S.
13. SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality, or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.
Contents

About This Guide
Using This Guide ... xxv
Structure of This Guide ... xxv
Related Documents ...

set system password history ... 3-7
show system lockout ... 3-7
set system lockout ... 3-8
Setting Basic Switch Properties ...

Purpose ... 3-38
Commands ... 3-38
show snmp persistmode ... 3-38
set snmp persistmode ...

set port inlinepower ... 5-5
Chapter 6: Discovery Protocol Configuration
Configuring CDP ... 6-1
Purpose ...

Reviewing Port Status ... 7-3
Purpose ... 7-3
Commands ... 7-3
show port ...

Commands ... 7-30
show port broadcast ... 7-30
set port broadcast ... 7-31
clear port broadcast ...

set snmp user ... 8-9
clear snmp user ... 8-10
show snmp group ... 8-11
set snmp group ...

Loop Protect ... 9-2
Configuring Spanning Tree Bridge Parameters ... 9-3
Purpose ... 9-3
Commands ...

set spantree portadmin ... 9-33
clear spantree portadmin ... 9-34
show spantree portadmin ... 9-34
show spantree portpri ...

show port vlan ... 10-8
set port vlan ... 10-9
clear port vlan ... 10-9
show port ingress filter ...

set diffserv policy police action conform ... 11-13
set diffserv policy police action nonconform ... 11-13
set diffserv policy rename ... 11-14
Assigning Policies to Service Ports ...

show cos port-type ... 12-35
Chapter 13: Port Priority and Rate Limiting Configuration
Port Priority Configuration Summary ... 13-1
Configuring Port Priority ...

show logging default ... 15-4
set logging default ... 15-5
clear logging default ... 15-6
show logging application ...

show nodealias config ... 15-35
set nodealias ... 15-36
clear nodealias config ... 15-37
Chapter 16: RMON Configuration
RMON Monitoring Group Functions ...

set dhcp ... 17-3
set dhcp bootp ... 17-4
set dhcp conflict logging ... 17-4
show dhcp conflict ...

DHCP Snooping Commands ... 18-4
set dhcpsnooping ... 18-5
set dhcpsnooping vlan ... 18-5
set dhcpsnooping database write-delay ...

set dot1x ... 19-14
set dot1x auth-config ... 19-15
clear dot1x auth-config ... 19-16
show eapol ...

Configuring MAC Locking ... 19-50
Purpose ... 19-50
Commands ... 19-50
show maclock ...

Figures
10-1 Example of VLAN Propagation via GVRP ... 10-21

Tables
1-1 Default Settings for Basic Switch Operation ...
show macauthentication Output Details ... 19-22
show macauthentication session Output Details ... 19-23
show vlanauthorization Output Details ... 19-49
show maclock Output Details ...
About This Guide Welcome to the Enterasys® SecureStack™ B2 Configuration Guide. This manual explains how to access the device’s Command Line Interface (CLI) and how to use it to configure SecureStack B2 switch devices. Important Notice Depending on the firmware version used in your SecureStack device, some features described in this document may not be supported. Refer to the Release Notes shipped with your device to determine which features are supported.
Related Documents Chapter 7, Port Configuration, describes how to review and configure console port settings, and how to enable or disable switch ports and configure switch port settings, including port speed, duplex mode, auto‐negotiation, flow control, port mirroring, link aggregation and broadcast suppression. Chapter 8, SNMP Configuration, describes how to configure SNMP users and user groups, access rights, target addresses, and notification parameters.
Conventions Used in This Guide • Enterasys Firmware Feature Guides • SecureStack B2 Installation Guide(s) • SecureStack Redundant Power System Installation Guide The documents listed above can be obtained from the World Wide Web in Adobe Acrobat Portable Document Format (PDF) at the following web site: http://www.enterasys.
Getting Help Internet mail support@enterasys.com To expedite your message, type [SWITCHING] in the subject line. To send comments or suggestions concerning this document to the Technical Publications Department: techpubs@enterasys.com Make sure to include the document Part Number in the email message.
1 Introduction This chapter provides an overview of the SecureStack B2’s unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, factory default settings, and information about how to use the Command Line Interface to configure the switch. For information about... Refer to page...
Factory Default Settings • Remotely using WebView™, Enterasys Networks’ embedded web server application. The Installation Guide for your SecureStack B2 device provides setup instructions for connecting a terminal or modem to the switch. Factory Default Settings The following tables list factory default settings available on the SecureStack B2 switch. Table 1-1 Default Settings for Basic Switch Operation Feature Default Setting Switch Mode Defaults CDP discovery protocol Auto enabled on all ports.
Factory Default Settings Table 1-1 Default Settings for Basic Switch Operation (Continued) Feature Default Setting Link aggregation admin key Set to 32768 for all ports. Link aggregation flow regeneration Disabled. Link aggregation system priority Set to 32768 for all ports. Link aggregation outport algorithm Set to DIP-SIP. Lockout Set to disable Read-Write and Read-Only users, and to lockout the default admin (Super User) account for 15 minutes, after 3 failed login attempts.
Factory Default Settings Table 1-1 Default Settings for Basic Switch Operation (Continued) Feature Default Setting SNTP Disabled. Spanning Tree Globally enabled and enabled on all ports. Spanning Tree edge port administrative status Edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
Using the Command Line Interface Starting a CLI Session Connecting Using the Console Port Connect a terminal to the local console port as described in your SecureStack B2 Installation Guide. The startup screen, Figure 1‐1, will display on the terminal.
Using the Command Line Interface Refer to the instructions included with the Telnet application for information about establishing a Telnet session. Logging In By default, the SecureStack B2 switch is configured with three user login accounts—ro for Read‐Only access, rw for Read‐Write access, and admin for super‐user access to all modifiable parameters. The default password is set to a blank string.
Using the Command Line Interface Figure 1-2 Sample CLI Defaults Description Syntax show port status [port-string] Defaults If port‐string is not specified, status information for all ports will be displayed. CLI Command Modes Each command description in this guide includes a section entitled “Mode” which states whether the command is executable in Admin (Super User), Read‐Write, or Read‐Only mode. Users with Read‐Only access will only be permitted to view Read‐Only (show) commands.
Using the Command Line Interface Displaying Scrolling Screens If the CLI screen length has been set using the set length command as described on page 3‐28, CLI output requiring more than one screen will display --More-- to indicate continuing screens. To display additional screen output: • Press any key other than ENTER to advance the output one screen at a time. • Press ENTER to advance the output one line at a time.
Using the Command Line Interface Basic Line Editing Commands The CLI supports Emacs‐like line editing commands. Table 1‐2 lists some commonly used commands. Table 1-2 Basic Line Editing Commands Key Sequence Command Ctrl+A Move cursor to beginning of line. Ctrl+B Move cursor back one character. Ctrl+D Delete a character. Ctrl+E Move cursor to end of line. Ctrl+F Move cursor forward one character. Ctrl+H Delete character to left of cursor. Ctrl+I or TAB Complete word.
2 Configuring Switches in a Stack This chapter provides information about configuring SecureStack B2 switches in a stack. For information about ... Refer to page ...
Installing a New Stackable System of Up to Eight Units • The console port on the manager switch remains active for out‐of‐band (local) switch management, but the console port on each member switch is deactivated. This enables you to set the IP address and system password using a single console port. Now each switch can be configured locally using only the manager’s console port, or inband using a remote device and the CLI set of commands described in this section.
Installing Previously-Configured Systems in a Stack If member units in a stack have been previous members of a different stack, you may need to configure the renumbering of the stack as follows: 1. Stack the units in the method desired, and connect the stack cables. 2. Power up only the unit you wish to be manager. 3.
Considerations About Using Clear Config in a Stack To create a virtual switch configuration in a stack environment: 1. Display the types of switches supported in the stack, using the show switch switchtype command (page 2‐7). 2. Using the output of the show switch switchtype command, determine the switch index (SID) of the model of switch being configured. 3. Add the virtual switch to the stack using the set switch member command (page 2‐11).
Issues Related to Mixed Type Stacks • Use clear config all when it is necessary to clear all config parameters, including stack unit IDs and switch priority values. This command will not clear the IP address nor will it remove an applied advanced feature license. • Use clear ip address to remove the IP address of the stack. • Use clear license to remove an applied license from a switch.
show switch For information about... Refer to page... show switch stack-ports 2-8 set switch 2-9 set switch copy-fw 2-9 set switch description 2-10 set switch movemanagement 2-10 set switch member 2-11 clear switch member 2-11 show switch Use this command to display information about one or more units in the stack. Syntax show switch [status] [unit] Parameters status (Optional) Displays power and administrative status information for one or more units in the stack.
show switch switchtype 8 Stack Member B2G124-24 B2G124-24 OK 04.02.
show switch stack-ports

SID  Switch Model ID  Mgmt Pref  Code Version
1    B2G124-24        1          0xa08245
2    B2G124-48        1          0xa08245
3    B2G124-48P       1          0xa08245
4    B2H124-48        1          0xa08245
5    B2H124-48P       1          0xa08245

This example shows how to display switch type information about SID1: B2(rw)->show switch switchtype 1 Switch Type....................... 0x56950200 Model Identifier.................. B2G124-24 Switch Description................ Enterasys Networks, Inc.
set switch set switch Use this command to assign a switch ID, to set a switch’s priority for becoming the management switch if the previous management switch fails, or to change the switch unit ID for a switch in the stack. Syntax set switch {unit [priority value | renumber newunit]} Parameters unit Specifies a unit number for the switch. Value can range from 1 to 8. priority value Specifies a priority value for the unit. Valid values are 1 to 15 with higher values assigning higher priority.
set switch description Mode Switch command, read‐write. Example This example shows how to replicate the management image file to all switches in the stack: B2(su)->set switch copy-fw Are you sure you want to copy firmware? (y/n) y Code transfer completed successfully. set switch description Use this command to assign a name to a switch in the stack. Syntax set switch description unit description Parameters unit Specifies a unit number for the switch.
set switch member Mode Switch command, read‐write. Example This example shows how to move management functionality from switch 1 to switch 2: B2(su)->set switch movemanagement 1 2 Moving stack management will unconfigure entire stack including all interfaces. Are you sure you want to move stack management? (y/n) y set switch member Use this command to add a virtual member to a stack. This allows you to preconfigure a switch before the physical device is actually added to the stack.
clear switch member Defaults None. Mode Switch command, read‐write.
3 Basic Configuration At startup, the SecureStack B2 switch is configured with many defaults and standard features. This chapter describes how to customize basic system settings to adapt to your work environment. For information about... Refer to page...
Setting User Accounts and Passwords

Table 3-2 Optional CLI Setup Commands

Task                                         CLI commands                                                  Refer to page...
Save the active configuration.               save config                                                   3-39
Enable or disable SSH.                       set ssh enable | disable                                      19-73
Enable or disable Telnet.                    set telnet {enable | disable} [inbound | outbound | all]      3-36
Enable or disable HTTP management (WebView). set webview {enable | disable}                                3-51
Enable or disable SNMP port link traps.
show system login show system login Use this command to display user login account information. Syntax show system login Parameters None. Defaults None. Mode Switch command, super user. Example This example shows how to display login account information.
set system login set system login Use this command to create a new user login account, or to disable or enable an existing account. The SecureStack B2 switch supports up to 16 user accounts, including the admin account, which cannot be deleted. Syntax set system login username {super-user | read-write | read-only} {enable | disable} Parameters username Specifies a login name for a new or existing user.
set password Parameters username Specifies the login name of the account to be cleared. Note: The default admin (su) account cannot be deleted. Defaults None. Mode Switch command, super user. Example This example shows how to remove the “netops” user account: B2(su)->clear system login netops set password Use this command to change system default passwords or to set a new login password on the CLI. Syntax set password [username] Parameters username (Only available to users with super‐user access.
set system password length Examples This example shows how a super‐user would change the Read‐Write password from the system default (blank string): B2(su)->set password rw Please enter new password: ******** Please re-enter new password: ******** Password changed. B2(su)-> This example shows how a user with Read‐Write access would change his password: B2(su)->set password Please enter old password: ******** Please enter new password: ******** Please re-enter new password: ******** Password changed.
set system password history Parameters days Specifies the number of days user passwords will remain valid before aging out. Valid values are 1 to 365. disable Disables password aging. Defaults None. Mode Switch command, super user. Example This example shows how to set the system password age time to 45 days: B2(su)->set system password aging 45 set system password history Use this command to set the number of previously used user login passwords that will be checked for password duplication.
set system lockout Parameters None. Defaults None. Mode Switch command, super user. Example This example shows how to display user lockout settings. In this case, switch defaults have not been changed: B2(su)->show system lockout Lockout attempts: 3 Lockout time: 15 minutes. Table 3‐3 provides an explanation of the command output. These settings are configured with the set system lockout command (“set system lockout” on page 3‐8).
Setting Basic Switch Properties Usage Once a user account is locked out, it can only be re‐enabled by a super user with the set system login command (page 3‐4). If the default admin super user account has been locked out, you can wait until the lock out time has expired or you can reset the switch in order to re‐enable the admin account.
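The lockout settings above are the kind of thing an operator wants to verify across a whole stack estate rather than read one switch at a time. The following is an added example (not from the guide or from Enterasys) that parses captured show system lockout output in the format shown on this page, compares it with the factory default from Table 1-1 (3 attempts, 15 minutes), and flags settings that fall outside an assumed hardening baseline. The baseline thresholds and the sample outputs are constructed for the example.

```python
import re

# Factory default for the lockout feature as stated in Table 1-1 of the guide.
FACTORY_DEFAULT = {"attempts": 3, "minutes": 15}

# Constructed sample captures, laid out like the show system lockout example on this page.
SAMPLE_DEFAULT = """B2(su)->show system lockout
Lockout attempts: 3
Lockout time: 15 minutes.
"""

SAMPLE_LAX = """B2(su)->show system lockout
Lockout attempts: 10
Lockout time: 1 minutes.
"""

_ATTEMPTS = re.compile(r"Lockout attempts:\s*(\d+)")
_TIME = re.compile(r"Lockout time:\s*(\d+)\s*minutes")


def parse_lockout(output: str) -> dict:
    """Extract the attempt count and lockout duration from captured CLI output."""
    attempts = _ATTEMPTS.search(output)
    minutes = _TIME.search(output)
    if not attempts or not minutes:
        raise ValueError("unrecognised show system lockout output")
    return {"attempts": int(attempts.group(1)), "minutes": int(minutes.group(1))}


def is_factory_default(output: str) -> bool:
    """True when the switch still carries the Table 1-1 default lockout settings."""
    return parse_lockout(output) == FACTORY_DEFAULT


def audit_lockout(output: str, max_attempts: int = 5, min_minutes: int = 15) -> list:
    """Return a list of findings; an empty list means the capture meets the baseline.

    max_attempts and min_minutes are assumed baseline values chosen for this
    example; they are not values the guide prescribes.
    """
    settings = parse_lockout(output)
    findings = []
    if settings["attempts"] > max_attempts:
        findings.append(
            f"lockout attempts {settings['attempts']} exceeds baseline of {max_attempts}"
        )
    if settings["minutes"] < min_minutes:
        findings.append(
            f"lockout time {settings['minutes']} minutes is below baseline of {min_minutes}"
        )
    return findings


if __name__ == "__main__":
    for name, capture in (("default", SAMPLE_DEFAULT), ("lax", SAMPLE_LAX)):
        problems = audit_lockout(capture)
        print(name, "factory default" if is_factory_default(capture) else "changed",
              problems or "meets baseline")
```

Feed it the text captured from each unit's console or Telnet session; a non-empty result from audit_lockout identifies units where the set system lockout command should be revisited.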
show ip address For information about... Refer to page... show banner motd 3-23 set banner motd 3-24 clear banner motd 3-24 show version 3-25 set system name 3-26 set system location 3-26 set system contact 3-27 set width 3-27 set length 3-28 show logout 3-28 set logout 3-29 show console 3-29 set console baud 3-30 show ip address Use this command to display the system IP address and subnet mask. Syntax show ip address Parameters None. Defaults None.
set ip address set ip address Use this command to set the system IP address, subnet mask and default gateway. Note: The B2 does not support the ability for a user to configure the host's gateway to be a local routed interface IP. The host's gateway must exist on a different device in the network if one is configured. Syntax set ip address ip-address [mask ip-mask] [gateway ip-gateway] Parameters ip‐address Sets the IP address for the system.
show ip protocol Mode Switch command, read‐write. Example This example shows how to clear the system IP address: B2(rw)->clear ip address show ip protocol Use this command to display the method used to acquire a network IP address for switch management. Syntax show ip protocol Parameters None. Defaults None. Mode Switch command, read‐only.
show system Mode Switch command, read‐write. Example This example shows how to set the method used to acquire a network IP address to DHCP. B2(su)->set ip protocol dhcp show system Use this command to display system information, including contact information, power and fan tray status and uptime. Syntax show system Parameters None. Defaults None. Mode Switch command, read‐only.
show system hardware The following table provides an explanation of the command output. Table 3-4 show system Output Details Output What It Displays... System contact Contact person for the system. Default of a blank string can be changed with the set system contact command (“set system contact” on page 3-27). System location Where the system is located. Default of a blank string can be changed with the set system location command (“set system location” on page 3-26).
show system utilization Mode Switch command, read‐only. Example This example shows how to display the system’s hardware configuration. Please note that the information you see displayed may differ from this example.

B2(su)->show system hardware
SLOT 1 HARDWARE INFORMATION
--------------------------
Model:
Serial Number:      777777777777
Vendor ID:          0xbc00
Base MAC Address:   00:11:88:B1:76:C0
Hardware Version:   BCM56514 REV 1
FirmWare Version:   01.00.00.0052
Boot Code Version:  01.00.
show system enhancedbuffermode

Type   Description             Size(Kb)  Available (Kb)
--------------------------------------------------------
RAM    RAM device              262144    97173
Flash  Images, Config, Other   31095     8094

This example shows how to display information about the processes running on the system. Only partial output is shown.

B2(ro)->show system utilization process
Switch:1 CPU:1
TID      Name                 5Sec    1Min    5Min
---------------------------------------------------
c157930  ipMapForwardingTask  3.60%   3.02%   3.
set system temperature switches. Executing this command will reset the switch, so the system prompts you to confirm whether you want to proceed. Syntax set system enhancedbuffermode {enable | disable} Parameters enable | disable Enables or disables enhanced buffer mode. Defaults None. Mode Switch command, read‐write. Example This example shows how to enable enhanced buffer mode: B2(su)->set system enhancedbuffermode enable Changes in the enhanced buffer mode will require resetting this unit.
clear system temperature Usage On the platforms that support this feature, temperature sensors are located in several different locations within the device. Threshold calibrations have been calculated separately for each platform. The thermal overtemp threshold is the high‐water mark that, when reached, triggers an alert to warn the system administrator that the device is operating at high temperatures. The values set with this command can be viewed with the show system command.
show time show time Use this command to display the current time of day in the system clock. Syntax show time Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display the current time. The output shows the day of the week, month, day, and the time of day in hours, minutes, and seconds and the year: B2(su)->show time THU SEP 05 09:21:57 2002 set time Use this command to change the time of day on the system clock.
show summertime show summertime Use this command to display daylight savings time settings. Syntax show summertime Parameters None. Defaults None. Mode Switch command, read‐only.
set summertime date set summertime date Use this command to configure specific dates to start and stop daylight savings time. These settings will be non‐recurring and will have to be reset annually. Syntax set summertime date start_month start_date start_year start_hr_min end_month end_date end_year end_hr_min [offset_minutes] Parameters start_month Specifies the month of the year to start daylight savings time. start_date Specifies the day of the month to start daylight savings time.
clear summertime Parameters start_week Specifies the week of the month to restart daylight savings time. Valid values are: first, second, third, fourth, and last. start_day Specifies the day of the week to restart daylight savings time. start_hr_min Specifies the time of day to restart daylight savings time. Format is hh:mm. end_week Specifies the week of the month to end daylight savings time. end_day Specifies the day of the week to end daylight savings time.
set prompt set prompt Use this command to modify the command prompt. Syntax set prompt prompt_string Parameters prompt_string Specifies a text string for the command prompt. Note: A prompt string containing a space in the text must be enclosed in quotes as shown in the example below. Defaults None. Mode Switch command, read‐write.
set banner motd set banner motd Use this command to set the banner message of the day displayed at session login. Note: Banner message text must be enclosed in beginning and ending double quotation marks. The message itself cannot contain any additional double quotation marks. Syntax set banner motd message Parameters message Specifies a message of the day. This is a text string that needs to be in double quotes if any spaces are used. Use a \n for a new line and \t for a tab (eight spaces).
show version Example This example shows how to clear the message of the day banner to a blank string: B2(rw)->clear banner motd show version Use this command to display hardware and firmware information. Refer to “Downloading a Firmware Image” on page 3‐30 for instructions on how to download a firmware image. Syntax show version Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows how to display version information.
set system name
Use this command to configure a name for the system.
Syntax
set system name [string]
Parameters
string  (Optional) Specifies a text string that identifies the system.
Note: A name string containing a space in the text must be enclosed in quotes, as shown in the example below.
Defaults
If string is not specified, the system name will be cleared.
Mode
Switch command, read-write.
set system contact
Use this command to identify a contact person for the system.
Syntax
set system contact [string]
Parameters
string  (Optional) Specifies a text string that contains the name of the person to contact for system administration.
Note: A contact string containing a space in the text must be enclosed in quotes, as shown in the example below.
Defaults
If string is not specified, the contact name will be cleared.
Mode
Switch command, read-write.
Example
This example shows how to set the terminal columns to 50:
B2(su)->set width 50

set length
Use this command to set the number of lines the CLI will display. This command is persistent (written to NV-RAM).
Syntax
set length screenlength
Parameters
screenlength  Sets the number of lines in the CLI display. Valid values are 0, which disables the scrolling screen feature described in "Displaying Scrolling Screens" on page 1-8, and from 5 to 512.
Defaults
None.
Example
This example shows how to display the CLI logout setting:
B2(su)->show logout
Logout currently set to: 10 minutes.

set logout
Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out.
Syntax
set logout timeout
Parameters
timeout  Sets the number of minutes the system will remain idle before timing out.
Defaults
None.
Mode
Switch command, read-write.
Mode
Switch command, read-only.
Example
This example shows how to display all console settings:
B2(su)->show console
Baud    Flow     Bits  StopBits  Parity
------  -------  ----  --------  ------
9600    Disable  8     1         none

set console baud
Use this command to set the console port baud rate.
Syntax
set console baud rate
Parameters
rate  Sets the console baud rate. Valid values are: 300, 600, 1200, 2400, 4800, 5760, 9600, 14400, 19200, 38400, and 115200.
Defaults
None.
Mode
Switch command, read-write.
Downloading a Firmware Image
– Tera Term Pro Version 2.3
Any other terminal applications may work but are not explicitly supported.
The B2 switch allows you to download and store dual images. The backup image can be downloaded and selected as the startup image by using the commands described in this section.
Downloading from a TFTP Server
To perform a TFTP download, proceed as follows:
1.

3. Type 2. The following baud rate selection screen displays:
1 - 1200
2 - 2400
3 - 4800
4 - 9600
5 - 19200
6 - 38400
7 - 57600
8 - 115200
0 - no change
4. Type 8 to set the switch baud rate to 115200. The following message displays:
Setting baud rate to 115200, you must change your terminal baud rate.
5. Set the terminal baud rate to 115200 and press ENTER.
6. From the boot menu options screen, type 4 to load new operational code using XMODEM.
Reviewing and Selecting a Boot Firmware Image
Reverting to a Previous Image
In the event that you need to downgrade to a previous version of code, you can do so by completing the following steps as described in this chapter.
Caution: Before reverting to a previous image, always back up your configuration by saving it to a file (show config outfile on page 3-41). You can then copy the file to a remote location (copy on page 3-43).
show boot system
Use this command to display the firmware image the switch loads at startup.
Syntax
show boot system
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the switch's boot firmware image:
B2(su)->show boot system
Current system image to boot: bootfile

set boot system
Use this command to set the firmware image the switch loads at startup.
Example
This example shows how to set the boot firmware image file and reset the system.
B2(su)->set boot system b2_04.02.01.0005
This command requires resetting the entire system.
Do you want to continue (y/n) [n]?y
Checking firmware version
Saving Configuration
This example shows how to set the boot firmware image file to be used at the next reboot of the system, by answering "n" to the prompt. The dir command is then executed to display the Active and Boot images.

Starting and Configuring Telnet
show telnet
Use this command to display the status of Telnet on the switch.
Syntax
show telnet
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display Telnet status:
B2(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED

set telnet
Use this command to enable or disable Telnet on the switch.
telnet
Use this command to start a Telnet connection to a remote host. The SecureStack B2 switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.
Syntax
telnet host [port]
Parameters
host  Specifies the name or IP address of the remote host.
port  (Optional) Specifies the server port number.
Defaults
If not specified, the default port number 23 will be used.
Mode
Switch command, read-write.
Purpose
To set and view the persistence mode for CLI configuration commands, manually save the running configuration, view, manage, and execute configuration files and image files, and set and view TFTP parameters.
Commands
For information about...   Refer to page...
saved. In order to make configuration changes persistent when the mode is manual, the save config command must be issued as described in "Configuration Persistence Mode" on page 3-37.
Example
This example shows how to display the configuration persistence mode setting. In this case, persistence mode is set to "manual", which means configuration changes are not being automatically saved.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to save the running configuration:
B2(su)->save config

dir
Use this command to list configuration and image files stored in the file system.
Syntax
dir [filename]
Parameters
filename  (Optional) Specifies the file name or directory to list.
Defaults
If filename is not specified, all files in the system will be displayed.
Mode
Switch command, read-only.
base_may      22629
base_apr      22629
base_july     20581
base_june     20581
logs:
current.log    2065

show file
Use this command to display the contents of a file.
Syntax
show file filename
Parameters
filename  Specifies the name of the file to display.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a text file named "mypolicy" in the configs/ directory. Note that only a portion of the file is shown in this example.
Parameters
all  (Optional) Displays default and non-default configuration settings.
facility  (Optional) Specifies the exact name of one facility for which to show configuration. For example, enter "router" to show only router configuration.
outfile  (Optional) Specifies that the current configuration will be written to a text file in the configs/ directory.
configs/filename  Specifies a filename in the configs/ directory to display.
configure
Parameters
filename  Specifies the path and file name of the configuration file to execute.
append  (Optional) Appends the configuration file contents to the current configuration. This is equivalent to typing the contents of the config file directly into the CLI and can be used, for example, to make incremental adjustments to the current configuration.
delete
Use this command to remove an image or a CLI configuration file from the switch.
Syntax
delete filename
Parameters
filename  Specifies the local path name to the file. Valid directories are /images and /configs.
Defaults
None.
Mode
Switch command, read-write.
Usage
Use the dir command (page 3-40) to display current image and configuration file names.
Example
This example shows how to delete the "Jan1_2004.cfg" configuration file:
B2(su)->delete configs/Jan1_2004.
Example
This example shows the output of this command.
B2(ro)->show tftp settings
TFTP packet timeout (seconds): 2
TFTP max retry: 5

set tftp timeout
Use this command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data transfer.
Syntax
set tftp timeout seconds
Parameters
seconds  Specifies the number of seconds to wait for a reply. The valid range is from 1 to 30 seconds. Default value is 2 seconds.
Defaults
None.
Example
This example shows how to clear the timeout value to the default of 2 seconds.
B2(rw)->clear tftp timeout

set tftp retry
Use this command to configure how many times TFTP will resend a packet, either an acknowledgement packet or a data packet.
Syntax
set tftp retry retry
Parameters
retry  Specifies the number of times a packet will be resent. The valid range is from 1 to 1000. Default value is 5 retries.
Defaults
None.
Mode
Switch command, read-write.
Clearing and Closing the CLI
Purpose
To clear the CLI screen or to close your CLI session.
Commands
For information about...   Refer to page...
cls   3-47
exit  3-47

cls (clear screen)
Use this command to clear the screen for the current CLI session.
Syntax
cls
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to clear the CLI screen:
B2(su)->cls

exit
Use either of these commands to leave a CLI session.
Mode
Switch command, read-only.
Usage
By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command (page 3-29) to change this default.
Example
This example shows how to exit a CLI session:
B2(su)->exit

Resetting the Switch
Purpose
To reset one or more switches, and to clear the user-defined configuration parameters.
Commands
For information about...   Refer to page...
Examples
This example shows how to reset the system:
B2(su)->reset
Are you sure you want to reload the stack? (y/n) y
Saving Configuration to stacking members
Reloading all switches.
This example shows how to reset unit 1:
B2(su)->reset 1
Are you sure you want to reload the switch? (y/n) y
Reloading switch 1.
This switch is manager of the stack.
STACK: detach 3 units

clear config
Use this command to clear the user-defined configuration parameters.
Example
This example shows how to clear configuration parameters (including stacking parameters, if applicable):
B2(su)->clear config all

Using and Configuring WebView
Purpose
By default, WebView (the Enterasys Networks embedded web server for switch configuration and management tasks) is enabled on TCP port number 80 on the SecureStack B2 switch. You can verify WebView status, and enable or disable WebView, using the commands described in this section.
Example
This example shows how to display WebView status:
B2(rw)->show webview
WebView is Enabled.

set webview
Use this command to enable or disable WebView on the switch.
Syntax
set webview {enable | disable}
Parameters
enable | disable  Enable or disable WebView on the switch.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to display SSL status:
B2(rw)->show ssl
SSL status: Enabled

set ssl
Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the hostkey that is used for encryption.
Syntax
set ssl {enabled | disabled | reinitialize | hostkey reinitialize}
Parameters
enabled | disabled  Enable or disable the ability to use WebView over SSL.
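The show telnet, show logout, show webview and show ssl commands above each print one or two lines, and together they describe the switch's cleartext management exposure (Telnet on the CLI side, WebView on port 80 without SSL, and how long an idle session stays authenticated). The following added example, which is not part of the Enterasys guide, parses a captured session in those output formats and lists each weak setting with the guide's remediation command; the sample capture and the 10-minute idle policy are constructed, and where a command's argument syntax is not reproduced on this page (set telnet), the remediation is marked as assumed.

```python
"""Audit a SecureStack B2's management-plane settings from captured CLI output.

Added example, not part of the Enterasys guide. It parses the text printed by
show telnet, show logout, show webview and show ssl (line formats taken from
this guide's examples) and reports each weak setting together with the
configuration command the guide gives for fixing it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample capture: the line formats follow the show command examples
# in this guide; the values are invented for this example.
SAMPLE_CAPTURE = """\
B2(su)->show telnet
Telnet inbound is currently: ENABLED
Telnet outbound is currently: ENABLED
B2(su)->show logout
Logout currently set to: 30 minutes.
B2(rw)->show webview
WebView is Enabled.
B2(rw)->show ssl
SSL status: Disabled
"""

# Site policy assumed for this example: idle CLI sessions must drop within
# 10 minutes (the guide states the factory default is 15 minutes).
MAX_IDLE_MINUTES = 10


@dataclass
class Finding:
    setting: str      # which setting was checked
    observed: str     # what the capture showed
    risk: str         # why it matters
    remediation: str  # CLI command from the guide (assumed syntax is marked)


def parse_capture(text: str) -> Dict[str, Optional[object]]:
    """Extract the management-plane settings from captured show output.

    Flag values are True for Enabled, False for Disabled and None when the
    line is missing from the capture; logout_minutes is an int or None.
    """
    flag_patterns = {
        "telnet_inbound": r"Telnet inbound is currently:\s*(\w+)",
        "telnet_outbound": r"Telnet outbound is currently:\s*(\w+)",
        "webview": r"WebView is\s+(\w+)\.",
        "ssl": r"SSL status:\s*(\w+)",
    }
    settings: Dict[str, Optional[object]] = {}
    for key, pattern in flag_patterns.items():
        match = re.search(pattern, text)
        settings[key] = match.group(1).lower() == "enabled" if match else None
    match = re.search(r"Logout currently set to:\s*(\d+)\s*minutes", text)
    settings["logout_minutes"] = int(match.group(1)) if match else None
    return settings


def audit(settings: Dict[str, Optional[object]]) -> List[Finding]:
    """Compare parsed settings against the policy and return the gaps."""
    findings: List[Finding] = []
    if settings.get("telnet_inbound"):
        findings.append(Finding(
            "telnet inbound", "ENABLED",
            "Administrative logins and CLI traffic cross the network unencrypted.",
            "set telnet disable inbound   (argument syntax assumed; this page "
            "only names the set telnet command)"))
    if settings.get("telnet_outbound"):
        findings.append(Finding(
            "telnet outbound", "ENABLED",
            "The switch can originate cleartext sessions to other hosts (the "
            "guide allows four inbound and/or outbound sessions in total).",
            "set telnet disable outbound   (argument syntax assumed)"))
    minutes = settings.get("logout_minutes")
    if minutes is None or minutes > MAX_IDLE_MINUTES:
        findings.append(Finding(
            "logout", "not captured" if minutes is None else f"{minutes} minutes",
            "An abandoned console or Telnet session stays authenticated too long.",
            f"set logout {MAX_IDLE_MINUTES}"))
    if settings.get("webview") and not settings.get("ssl"):
        findings.append(Finding(
            "webview", "WebView Enabled, SSL Disabled",
            "The embedded web server is reachable on TCP port 80 only, so web "
            "logins are unencrypted.",
            "set ssl enabled   (or set webview disable if WebView is not needed)"))
    return findings


def report(text: str) -> List[Finding]:
    """Parse a capture, print the findings and return them."""
    findings = audit(parse_capture(text))
    for f in findings:
        print(f"[{f.setting}] observed: {f.observed}")
        print(f"  risk: {f.risk}")
        print(f"  fix:  {f.remediation}")
    if not findings:
        print("No management-plane findings.")
    return findings


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```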
show support
Use this command to display switch information for troubleshooting.
Syntax
show support
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
This command initiates a number of show commands to easily gather basic information from an installed device. To use this command, set your console to capture the output to a file before executing the command, since the output is extensive.
4 Activating Licensed Features
In order to enable the B2 advanced features, such as Policy, you must purchase and activate a license key. If you have purchased a license, you can proceed to activate your license as described in this section. If you wish to obtain a permanent or evaluation license, use the Enterasys Customer Portal or contact the Enterasys Networks Sales Department.
Note: All members of a stack must be licensed in order to support licensed features in a stack environment.
2. Optionally, note the serial numbers of the switches in the stack. You can use the show system hardware command (page 3-14) to display the switch serial numbers.
Note: Since license keys are applied to the correct stack member switch automatically, based on the switch serial number that is part of the license string, you should know the serial numbers of the switches in order to enable the licenses of the member switches first, before the master unit.
3.
set license
Use this command to activate the SecureStack B2 licensed features.
Syntax
set license type feature DBV expiration key hostid
Parameters
type  Specifies the type of license. For the SecureStack B2, the value in this field is always INCREMENT.
feature  The name of the feature being licensed.
DBV  A date-related string generated as part of the license.
expiration  Indicates whether the license is a permanent or an evaluation license.
show license
Use this command to display license key information for switches with activated licenses.
Syntax
show license [unit number]
Parameters
unit number  (Optional) Specifies the switch for which to display license information. Refer to Chapter 2, Configuring Switches in a Stack, for more information about stack unit IDs, or numbers.
Defaults
If no unit number is specified, license key information for all switches in the stack is displayed.
Mode
Switch command, read-only.
clear license
Example
This example shows how to clear the Policy licensed feature:
B2(rw)->clear license featureId b2Policy
5 Configuring System Power and PoE
Important Notice
The commands in this section apply only to PoE-equipped devices. Consult the Installation Guide for your product to determine if it is PoE-equipped.
The commands in this chapter allow you to review and set system power and PoE (Power over Ethernet) parameters, including the power available to the system, the usage threshold for each module, whether or not SNMP trap messages will be sent when power status changes, and per-port PoE settings.
Example
This example shows how to display system power properties:
B2(su)->show inlinepower
Detection Mode : auto
Unit  Status  Power(W)  Consumption(W)  Usage(%)  Threshold(%)  Trap
----  ------  --------  --------------  --------  ------------  ------
1     auto    480       0.00            0.00      80            enable
Table 5-1 provides an explanation of the command output.
Table 5-1 show inlinepower Output Details
Output          What It Displays...
Detection Mode  Displays the PD detection mode used by the switch.
Usage
The threshold is expressed as a percentage of the available PoE power. When this threshold is reached, a trap will be sent if traps are enabled with the set inlinepower trap command.
Parameters
auto  Specifies that the switch will use the standard 802.3af detection method first. If that fails, the switch will use the legacy (pre-802.3af standard) capacitance method of detection.
ieee  Specifies that the switch will use only the standard 802.3af detection method.
Defaults
Default detection mode is auto.
Mode
Switch command, read-write.
Usage
This command is used to specify how the switch should detect PDs connected to its ports.
B2(su)->show port inlinepower fe.2.1
Port    Type      Admin  Oper       Priority  Class  Power(W)
------  --------  -----  ---------  --------  -----  --------
fe.2.1  wireless  auto   searching  low       0      15.4

set port inlinepower
Use this command to configure PoE parameters on one or more ports.
Syntax
set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}
Parameters
port-string  Specifies the port(s) on which to configure PoE.
6 Discovery Protocol Configuration
This chapter describes how to configure discovery protocols.
For information about...   Refer to page...
Configuring CDP   6-1
Configuring Cisco Discovery Protocol   6-7
Configuring Link Layer Discovery Protocol and LLDP-MED   6-13

Configuring CDP
Purpose
To review and configure the Enterasys CDP discovery protocol. This protocol is used to discover network topology.
show cdp
Use this command to display the status of the CDP discovery protocol and message interval on one or more ports.
Syntax
show cdp [port-string]
Parameters
port-string  (Optional) Displays CDP status for a specific port. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, all CDP information will be displayed.
Mode
Switch command, read-only.
Table 6-2 show cdp Output Details (Continued)
Output Field   What It Displays...
CDP Authentication Code   Authentication code for the CDP discovery protocol. The default of 00-00-00-00-00-00-00-00 can be reset using the set cdp auth command. For details, refer to "set cdp auth" on page 6-4.
CDP Transmit Frequency   Frequency (in seconds) at which CDP messages can be transmitted. The default of 60 seconds can be reset with the set cdp interval command.
set cdp auth
Use this command to set a global CDP authentication code.
Syntax
set cdp auth auth-code
Parameters
auth-code  Specifies an authentication code for the CDP protocol. This can be up to 16 hexadecimal values separated by commas.
Defaults
None.
Mode
Switch command, read-write.
Usage
The authentication code value determines a switch's CDP domain. If two or more switches have the same CDP authentication code, they will be entered into each other's CDP neighbor tables.
Example
This example shows how to set the CDP interval frequency to 15 seconds:
B2(su)->set cdp interval 15

set cdp hold-time
Use this command to set the hold time value for CDP discovery protocol configuration messages.
Syntax
set cdp hold-time hold-time
Parameters
hold-time  Specifies the hold time value for CDP messages in seconds. Valid values are from 15 to 600.
Defaults
None.
Mode
Switch command, read-write.
Mode
Switch command, read-write.
Example
This example shows how to reset the CDP state to auto-enabled:
B2(su)->clear cdp state

show neighbors
This command displays Neighbor Discovery information for either the CDP or Cisco DP protocols.
Syntax
show neighbors [port-string]
Parameters
port-string  (Optional) Specifies the port or ports for which to display Neighbor Discovery information.
Defaults
If no port is specified, all Neighbor Discovery information is displayed.
Configuring Cisco Discovery Protocol
Purpose
To review and configure the Cisco discovery protocol. Discovery protocols are used to discover network topology. When enabled, they allow Cisco devices to send periodic PDUs about themselves to neighboring devices. Specifically, this feature enables recognizing PDUs from Cisco phones. A table of information about detected phones is kept by the switch and can be queried by the network administrator.
Device ID : 001188554A60
Last Change : WED NOV 08 13:19:56 2006
Table 6-3 provides an explanation of the command output.
Table 6-3 show ciscodp Output Details
Output Field   What It Displays...
CiscoDP   Whether Cisco DP is globally enabled or disabled. Auto indicates that Cisco DP will be globally enabled only if Cisco DP PDUs are received. The default setting of auto-enabled can be reset with the set ciscodp status command.
Table 6-4 show ciscodp port info Output Details
Output Field   What It Displays...
Port   Port designation. For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
State   Whether Cisco DP is enabled, disabled or auto-enabled on the port. The default state of enabled can be changed using the set ciscodp port command.
vvid   Whether a voice VLAN ID has been set on this port.
Parameters
seconds  Specifies the number of seconds between Cisco DP PDU transmissions. Valid values are from 5 to 254 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set the Cisco DP timer to 120 seconds.
B2(su)->set ciscodp timer 120

set ciscodp holdtime
Use this command to set the time to live (TTL) for Cisco discovery protocol PDUs.
Parameters
status  Sets the CiscoDP port operational status.
disable  Does not transmit or process CiscoDP PDUs.
enable  Transmits and processes CiscoDP PDUs.
vvid  Sets the port voice VLAN for CiscoDP PDU transmission.
vlan-id  Specifies the VLAN ID, range 1-4094.
none  No voice VLAN will be used in CiscoDP PDUs. This is the default.
dot1p  Instructs the attached phone to send 802.1p tagged frames.
untagged  Instructs the attached phone to send untagged frames.
• If the switch port is configured to a Cisco DP trust state of untrusted (trusted no), this setting is communicated to the Cisco IP phone, instructing it to overwrite the 802.1p tag of traffic transmitted by the device connected to it to 0, by default, or to the value specified by the cos parameter of this command.
• There is a one-to-one correlation between the value set with the cos parameter and the 802.1p value assigned to ingressed traffic by the Cisco IP phone.
Examples
This example shows how to clear all the Cisco DP parameters back to the default settings.
B2(rw)->clear ciscodp
This example shows how to clear the Cisco DP status on port fe.1.5.
B2(rw)->clear ciscodp port status fe.1.

Configuring Link Layer Discovery Protocol and LLDP-MED
For information about...   Refer to page...
show lldp
Syntax
show lldp
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display LLDP configuration information.
B2(ro)->show lldp
Message Tx Interval        :
Message Tx Hold Multiplier :
Notification Tx Interval   :
MED Fast Start Count       :
Tx-Enabled Ports           : fe.1.1-60; fe.2.1-24; fe.3.1-30; fe.4.1-12;
Rx-Enabled Ports           : fe.1.1-60; fe.2.1-24; fe.3.1-30; fe.4.1-12;
Trap-Enabled Ports         : fe.1.1-60; fe.2.1-24; fe.3.1-30; fe.
MED Trap-Enabled Ports     :
Tx-Enabled Ports : fe.1.1-60; fe.2.1-24; fe.3.1-30; fe.4.1-12
Rx-Enabled Ports : fe.1.1-60; fe.2.1-24; fe.3.1-30; fe.4.1-12

show lldp port trap
Use this command to display the ports that are enabled to send an LLDP notification when a remote system change has been detected, or an LLDP-MED notification when a change in the topology has been sensed.
Mode
Switch command, read-only.
Example
This example shows how to display transmit TLV information for three ports.
B2(ro)->show lldp port tx-tlv fe.1.1-3
* Means TLV is supported and enabled on this port
o Means TLV is supported on this port
  Means TLV is not supported on this port
Column Pro Id uses letter notation for enable: s-stp, l-lacp, g-gvrp
Ports
-------
fe.1.1
fe.1.2
fe.1.
show lldp port local-info
Use this command to display the local system information stored for one or more ports. You can use this information to detect misconfigurations or incompatibilities between the local port and the attached endpoint device (remote port).
Syntax
show lldp port local-info [port-string]
Parameters
port-string  (Optional) Displays local system information for one or a range of ports.
show lldp port local-info Table 6‐5 describes the information displayed by the show lldp port local‐info command. Table 6-5 show lldp port local-info Output Details Output Field What it Displays... Local Port Identifies the port for which local system information is displayed. Local Port Id Mandatory basic LLDP TLV that identifies the port transmitting the LLDPDU. Value is ifName object defined in RFC 2863. Port Desc Optional basic LLDP TLV. Value is ifDescr object defined in RFC 2863.
Table 6-5 show lldp port local-info Output Details (Continued)
Output Field   What it Displays...
PoE Pair Controllable/Used   IEEE 802.3 Extensions Power via MDI TLV. Displayed only when a port has PoE capabilities. Indicates whether pair selection can be controlled on the given port (refer to RFC 3621). Value for Controllable can be true or false. Value of Used can be signal (signal pairs only are in use) or spare (spare pairs only are in use).
PoE Power Class   IEEE 802.
Example
This example shows how to display the remote system information stored for port fe.3.1. The remote system information was received from an IP phone, which is an LLDP-MED-enabled device. Table 6-6 describes the output fields that are unique to the remote system information displayed for a MED-enabled device.
B2(ro)->show lldp port remote-info fe.3.1
Local Port : fe.3.1
Remote Port Id : 00-09-6e-0e-14-3d
--------------------
Mgmt Addr : 0.0.0.0
Chassis ID : 0.0.0.
set lldp tx-interval
Use this command to set the time, in seconds, between successive LLDP frame transmissions initiated by changes in the LLDP local system information.
Syntax
set lldp tx-interval frequency
Parameters
frequency  Specifies the number of seconds between transmissions of LLDP frames. Value can range from 5 to 32,768 seconds. The default is 30 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the transmit interval to 20 seconds.
set lldp trap-interval
Use this command to set the minimum interval between LLDP notifications sent by this device. LLDP notifications are sent when a remote system change has been detected.
Syntax
set lldp trap-interval frequency
Parameters
frequency  Specifies the minimum time between LLDP trap transmissions, in seconds. The value can range from 5 to 3600 seconds. The default value is 5 seconds.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the number of fast start LLDPDUs to be sent to 4.
B2(rw)->set lldp med-fast-repeat 4

set lldp port status
Use this command to enable or disable transmitting and processing received LLDPDUs on a port or range of ports.
Syntax
set lldp port status {tx-enable | rx-enable | both | disable} port-string
Parameters
tx-enable  Enables transmitting LLDPDUs on the specified ports.
Defaults
None.
Mode
Switch command, read-write.
Example
This example enables transmitting LLDP traps on ports fe.1.1 through fe.1.6.
B2(rw)->set lldp port trap enable fe.1.1-6

set lldp port med-trap
Use this command to enable or disable sending an LLDP-MED notification when a change in the topology has been sensed on the port (that is, a remote endpoint device has been attached to or removed from the port).
Parameters
all  Adds all optional TLVs to transmitted LLDPDUs.
port-desc  Port Description optional basic LLDP TLV. Value sent is the ifDescr object defined in RFC 2863.
sys-name  System Name optional basic LLDP TLV. Value sent is the administratively assigned name for the system.
sys-desc  System Description optional basic LLDP TLV. Value sent is the sysDescr object defined in RFC 3418.
sys-cap  System Capabilities optional basic LLDP TLV.
Defaults
None.
Mode
Switch command, read-write.
Example
This example configures the management address, MED capability, and MED location identification TLVs to be sent in LLDPDUs by port fe.1.1.
B2(rw)->set lldp port tx-tlv mgmt-addr med-cap med-loc fe.1.1

clear lldp
Use this command to return LLDP parameters to their default values.
Syntax
clear lldp port status port-string
Parameters
port-string  Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port fe.1.1 to the default state of enabled for both transmitting and processing received LLDPDUs.
B2(rw)->clear lldp port status fe.1.1

clear lldp port trap
Use this command to return the port LLDP trap setting to the default value of disabled.
Parameters
port-string  Specifies the port or range of ports to be affected.
Defaults
None.
Mode
Switch command, read-write.
Example
This example returns port fe.1.1 to the default LLDP-MED trap state of disabled.
B2(rw)->clear lldp port med-trap fe.1.1

clear lldp port tx-tlv
Use this command to clear the optional LLDP and LLDP-MED TLVs to be transmitted in LLDPDUs by the specified port or ports to the default value of disabled.
poe  Disables the Power via MDI IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs. Only valid for PoE-enabled ports.
link-aggr  Disables the Link Aggregation IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
max-frame  Disables the Maximum Frame Size IEEE 802.3 Extensions TLV from being transmitted in LLDPDUs.
med-cap  Disables the LLDP-MED Capabilities TLV from being transmitted in LLDPDUs.
7 Port Configuration
This chapter describes the Port Configuration set of commands and how to use them.
For information about...   Refer to page...
• 4 SFP slots (labeled ports 21 through 24 or ports 45 through 48) that provide the option of installing Small Form Pluggable (SFP) Mini-GBICs for 1000BASE-T compliant copper connections or 1000BASE-SX\LX\ELX fiber-optic connections.
Important Notice About B2Gxxx-xx 10/100/100 and SFP Mini-GBIC Ports
SFP Mini-GBIC uplink ports are used in an either/or configuration with their corresponding RJ45 10/100/1000 Mbps 1000BASE-T Gigabit Ethernet copper ports.
Reviewing Port Status
Purpose
To display operating status, duplex mode, speed, port type, and statistical information about traffic received and transmitted through one or all switch ports on the device.
Commands
For information about...   Refer to page...
show port   7-3
show port status   7-4
show port counters   7-5

show port
Use this command to display whether or not one or more ports are enabled for switching.
show port status
Use this command to display operating and admin status, speed, duplex mode and port type for one or more ports on the device.
Syntax
show port status [port-string]
Parameters
port-string  (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
Defaults
If port-string is not specified, status information for all ports will be displayed.
show port counters
Use this command to display port counter statistics detailing traffic through the device and through all MIB2 network devices.
Syntax
show port counters [port-string] [switch | mib2]
Parameters
port-string  (Optional) Displays counter statistics for specific port(s). For a detailed description of possible port-string values, refer to "Port String Syntax Used in the CLI" on page 7-2.
switch | mib2  (Optional) Displays switch or MIB2 statistics.
This example shows how to display all fe.3.1 port counter statistics related to traffic through the device.
B2(su)->show port counters fe.3.1 switch
Port: fe.3.1  Bridge Port: 2
802.1Q Switch Counters
----------------------
Frames Received     0
Frames Transmitted  0
Table 7-8 provides an explanation of the command output.
Table 7-8 show port counters Output Details
Output Field   What It Displays...
Port   Port designation.
set port disable
Use this command to administratively disable one or more ports. When this command is executed, in addition to disabling the physical Ethernet link, the port will no longer learn entries in the forwarding database.

Syntax
set port disable port-string

Parameters
port-string    Specifies the port(s) to disable. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.

Defaults
None.
show port alias
Use this command to display the alias name for one or more ports.

Syntax
show port alias [port-string]

Parameters
port-string    (Optional) Displays alias name(s) for specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.

Defaults
If port-string is not specified, aliases for all ports will be displayed.

Mode
Switch command, read-only.
set port alias

Examples
This example shows how to assign the alias “Admin” to fe.3.3:
B2(rw)->set port alias fe.3.3 Admin

This example shows how to clear the alias for fe.3.3:
B2(rw)->set port alias fe.3.
Setting Speed and Duplex Mode

Purpose
To review and set the operational speed in Mbps and the default duplex mode (Half, for half duplex, or Full, for full duplex) for one or more ports.

Note: These settings only take effect on ports that have auto-negotiation disabled.

Commands
For information about...    Refer to page...
set port speed
Use this command to set the default speed of one or more ports. This setting only takes effect on ports that have auto-negotiation disabled.

Syntax
set port speed port-string {10 | 100 | 1000}

Parameters
port-string        Specifies the port(s) for which a speed value will be set. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
10 | 100 | 1000    Specifies the port speed.
set port duplex

Example
This example shows how to display the default duplex setting for Ethernet port 14 in slot 3:
B2(su)->show port duplex fe.3.14
default duplex mode is full on port fe.3.14.

set port duplex
Use this command to set the default duplex type for one or more ports. This command will only take effect on ports that have auto-negotiation disabled.

Syntax
set port duplex port-string {full | half}

Parameters
port-string    Specifies the port(s) for which duplex type will be set.
Enabling / Disabling Jumbo Frame Support

Purpose
To review, enable, and disable jumbo frame support on one or more ports. This allows Gigabit Ethernet ports to transmit frames up to 10 KB in size.

Commands
For information about...    Refer to page...
show port jumbo             7-13
set port jumbo              7-14
clear port jumbo            7-14

show port jumbo
Use this command to display the status of jumbo frame support and maximum transmission units (MTU) on one or more ports.
set port jumbo
Use this command to enable or disable jumbo frame support on one or more ports.

Syntax
set port jumbo {enable | disable} [port-string]

Parameters
enable | disable    Enables or disables jumbo frame support.
port-string         (Optional) Specifies the port(s) on which to disable or enable jumbo frame support. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Setting Auto-Negotiation and Advertised Ability

Purpose
To review, disable or enable auto-negotiation, and to configure port advertisement for speed and duplex. During auto-negotiation, the port “tells” the device at the other end of the segment what its capabilities and mode of operation are. If auto-negotiation is disabled, the port reverts to the values specified by the default speed, default duplex, and port flow control commands.
set port negotiation

Example
This example shows how to display auto-negotiation status for 1-Gigabit Ethernet port 14 in slot 3:
B2(su)->show port negotiation fe.3.14
auto-negotiation is enabled on port fe.3.14.

set port negotiation
Use this command to enable or disable auto-negotiation on one or more ports.

Syntax
set port negotiation port-string {enable | disable}

Parameters
port-string    Specifies the port(s) for which to enable or disable auto-negotiation.
set port advertise

Example
This example shows how to display advertisement status for Gigabit ports 13 and 14:
B2(su)->show port advertise fe.1.13-14
fe.1.13       capability  advertised  remote
------------------------------------------------
10BASE-T      yes         yes         yes
10BASE-TFD    yes         yes         yes
100BASE-TX    yes         yes         yes
100BASE-TXFD  yes         yes         yes
1000BASE-T    no          no          no
1000BASE-TFD  yes         yes         yes
pause         yes         yes         no
fe.1.
clear port advertise

Example
This example shows how to configure port 1 to advertise 1000BASE-T full duplex:
B2(su)->set port advertise fe.1.1 1000tfd

clear port advertise
Use this command to configure a port to not advertise a specific speed/duplex capability when auto-negotiating with another port.

Syntax
clear port advertise {port-string} {10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}

Parameters
port-string    Clear advertisements for specific port(s).
Setting Flow Control

Purpose
To review, enable or disable port flow control. Flow control is used to manage the transmission between two devices as specified by IEEE 802.3x to prevent receiving ports from being overwhelmed by frames from transmitting devices.

Commands
For information about...    Refer to page...
show flowcontrol            7-19
set flowcontrol             7-19

show flowcontrol
Use this command to display the flow control state.

Syntax
show flowcontrol

Parameters
None.

Defaults
None.
set flowcontrol

Defaults
None.

Mode
Switch command, read-write.
Setting Port Link Traps and Link Flap Detection

Purpose
To disable or re-enable link traps, display link trap status, and to configure the link flapping detection function. By default, all ports are enabled to send SNMP trap messages indicating changes to their link status (up or down).
set port trap

Defaults
If port-string is not specified, the trap status for all ports will be displayed.

Mode
Switch command, read-write.

Example
This example shows how to display link trap status for fe.3.1 through 4:
B2(su)->show port trap fe.3.1-4
Link traps enabled on port fe.3.1.
Link traps enabled on port fe.3.2.
Link traps enabled on port fe.3.3.
Link traps enabled on port fe.3.4.
show linkflap

Parameters
globalstate      Displays the global enable state of link flap detection.
portstate        Displays the port enable state of link flap detection.
parameters       Displays the current value of settable link flap detection parameters.
metrics          Displays link flap detection metrics.
portsupported    Displays ports which can support the link flap detection function.
actsupported     Displays link flap detection actions supported by system hardware.
show linkflap

Examples
This example shows how to display the global status of the link flap detection function:
B2(rw)->show linkflap globalstate
Linkflap feature globally disabled

This example shows how to display ports disabled by link flap detection due to a violation:
B2(rw)->show linkflap downports
Ports currently held DOWN for Linkflap violations:
None.
set linkflap globalstate

Table 7-10 show linkflap metrics Output Details (Continued)
Output Field    What it displays...
TimeElapsed     Time (in seconds) since the last link down event.
Violations      Number of link flap violations on listed ports since system start.

set linkflap globalstate
Use this command to globally enable or disable the link flap detection function.
set linkflap interval

Mode
Switch command, read-write.

Example
This example shows how to enable link flap monitoring on all ports:
B2(rw)->set linkflap portstate enable

set linkflap interval
Use this command to set the time interval (in seconds) for accumulating link down transitions.

Syntax
set linkflap interval port-string interval-value

Parameters
port-string       Specifies the port(s) on which to set the link flap interval.
interval-value    Specifies an interval in seconds.
clear linkflap action

Defaults
None.

Mode
Switch mode, read-write.

Example
This example shows how to set the link flap violation action on port fe.1.4 to generate a Syslog entry:
B2(rw)->set linkflap action fe.1.4 gensyslogentry

clear linkflap action
Use this command to clear reactions to a link flap violation.

Syntax
clear linkflap action [port-string] {disableInterface | gensyslogentry | gentrap | all}

Parameters
port-string    (Optional) Specifies the port(s) on which to clear the link flap action.
set linkflap downtime

Parameters
port-string        Specifies the port(s) on which to set the link flap action trigger count.
threshold-value    Specifies the number of link down transitions necessary to trigger the link flap action. A minimum of 1 must be configured.

Defaults
None.

Mode
Switch mode, read-write.

Example
This example shows how to set the link flap threshold on port fe.1.4 to 5:
B2(rw)->set linkflap threshold fe.1.
clear linkflap

Parameters
port-string    (Optional) Specifies the ports to make operational.

Defaults
If port-string is not specified, all ports disabled by a link flap violation will be made operational.

Mode
Switch mode, read-write.

Example
This example shows how to make disabled port fe.1.4 operational:
B2(rw)->clear linkflap down fe.1.4

clear linkflap
Use this command to clear all link flap options and / or statistics on one or more ports.
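The link flap detection commands above (interval, threshold, action, downtime, and clear linkflap down) describe a sliding-window counter, but the guide never shows the three parameters interacting. The following Python model is an added example, not Enterasys code or output: it records link-down transitions per port, counts those inside the accumulation interval, and applies the configured actions when the threshold is reached. Reading the downtime parameter as "seconds a port stays held down after a disableInterface action" is an assumption; port names and timestamps are constructed.

```python
"""Link flap detection, modelled after the SecureStack B2 parameters.

Added example, not Enterasys code. It models the settable parameters the
guide names (interval, threshold, downtime) and the violation actions
(disableInterface, gensyslogentry, gentrap). The meaning of downtime as
"seconds a port is held down after disableInterface" is an assumption;
port names and timestamps are constructed.
"""
from collections import deque


class LinkFlapPort:
    """Per-port link flap detection state (one instance per physical port)."""

    def __init__(self, name, interval=5, threshold=3, downtime=300,
                 actions=("gensyslogentry",)):
        self.name = name
        self.interval = interval      # seconds over which link-down transitions accumulate
        self.threshold = threshold    # transitions within the interval that trigger the action
        self.downtime = downtime      # assumed: seconds the port stays held down
        self.actions = set(actions)
        self.down_events = deque()    # timestamps of recent link-down transitions
        self.held_down_until = None   # None while the port is operational
        self.violations = 0
        self.last_down = None
        self.log = []                 # messages gensyslogentry / gentrap would emit

    def link_down(self, now):
        """Record a link-down transition at time `now` (seconds)."""
        self.last_down = now
        self.down_events.append(now)
        # drop transitions that fell out of the accumulation interval
        while now - self.down_events[0] > self.interval:
            self.down_events.popleft()
        if len(self.down_events) >= self.threshold:
            self._violation(now)

    def _violation(self, now):
        self.violations += 1
        self.down_events.clear()
        if "gensyslogentry" in self.actions:
            self.log.append("SYSLOG: linkflap violation on %s" % self.name)
        if "gentrap" in self.actions:
            self.log.append("TRAP: linkflap violation on %s" % self.name)
        if "disableInterface" in self.actions:
            self.held_down_until = now + self.downtime

    def is_operational(self, now):
        """True unless the port is currently held down by a violation."""
        if self.held_down_until is not None and now < self.held_down_until:
            return False
        self.held_down_until = None
        return True

    def clear_down(self):
        """Counterpart of 'clear linkflap down <port>': make the port operational."""
        self.held_down_until = None

    def metrics(self, now):
        """Roughly the per-port fields of 'show linkflap metrics'."""
        elapsed = None if self.last_down is None else now - self.last_down
        return {"LinkStatus": "operational" if self.is_operational(now) else "down",
                "TimeElapsed": elapsed,
                "Violations": self.violations}
```

A port that drops three times within five seconds trips the threshold and is held down; three drops seven seconds apart never reach the threshold because each one has aged out of the interval before the next arrives. That is the tuning question the interval and threshold commands pose: a short interval with a low threshold catches a genuinely unstable link quickly, while a long interval risks disabling a port for ordinary maintenance activity.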
Configuring Broadcast Suppression

Purpose
To review and set the broadcast suppression threshold for one or more ports. This feature limits the number of received broadcast frames the switch will accept per port. Broadcast suppression thresholds apply only to broadcast traffic—multicast traffic is not affected. By default, a broadcast suppression threshold of 14881 packets per second (pps) will be used, regardless of actual port speed.
set port broadcast
Use this command to set the broadcast suppression threshold, in packets per second, on one or more ports. This sets a threshold on the broadcast traffic that is received and switched out to other ports.

Syntax
set port broadcast port-string threshold-val

Parameters
port-string    Select the ports for which to configure broadcast suppression thresholds. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
clear port broadcast

Defaults
None.

Mode
Switch command, read-write.

Example
This example resets the broadcast threshold limit to 14881 pps for ports 1 through 5:
B2(su)->clear port broadcast fe.1.
Port Mirroring

Caution: Port mirroring configuration should be performed only by personnel who are knowledgeable about the effects of port mirroring and its impact on network operation.

The SecureStack B2 device allows you to mirror (or redirect) the traffic being switched on a port for the purposes of network traffic analysis and connection assurance. When port mirroring is enabled, one port becomes a monitor port for another port within the device.
Port Mirroring

5. Enter MIB option 4 (createAndGo) and perform an SNMP Set operation.
6. (Optional) Use the CLI to verify the port mirroring instance has been created and enabled as shown in the following example:
B2(su)->show port mirroring
Port Mirroring
==============
Source Port = fe.1.3
Target Port = fe.1.2
Frames Mirrored = Rx and Tx
Port Mirroring status enabled

To create a port mirroring instance without automatically enabling it:
1. Complete steps 1-4 above.
2.
show port mirroring
Use this command to display the source and target ports for mirroring, and whether mirroring is currently enabled or disabled for those ports.

Syntax
show port mirroring

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.

Example
This example shows how to display port mirroring information. In this case, fe.1.4 is configured as a source port and fe.1.
clear port mirroring

Parameters
create | disable | enable    Creates, disables or enables mirroring settings on the specified ports.
source                       Specifies the source port designation. This is the port on which the traffic will be monitored. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
destination                  Specifies the target port designation. This is the port that will duplicate or “mirror” all the traffic on the monitored port.
clear port mirroring

Example
This example shows how to clear port mirroring between source port fe.1.4 and target port fe.1.11:
B2(su)->clear port mirroring fe.1.4 fe.1.
Link Aggregation Control Protocol (LACP)

Caution: Link aggregation configuration should only be performed by personnel who are knowledgeable about Spanning Tree and Link Aggregation, and fully understand the ramifications of modifications beyond device defaults. Otherwise, the proper operation of the network could be at risk.
Link Aggregation Control Protocol (LACP)

• A means of identifying the set of capabilities associated with each port and with each aggregator, as understood by a given device.
• A means of identifying a LAG and its associated aggregator.

Note: The path cost of a LAG port will be displayed as zero when it is not an active link.

LACP Terminology
Table 7-11 defines key terminology used in LACP configuration.
Link Aggregation Control Protocol (LACP)

is, will block redundant paths). For information about building static aggregations, refer to set lacp static (page 7-44).

Each SecureStack B2 module provides six virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Each LAG can have up to eight associated physical ports. Once underlying physical ports (for example, fe.x.x, or ge.x.
show lacp

For information about...    Refer to page...
set lacp singleportlag      7-46
clear lacp singleportlag    7-45
show port lacp              7-47
set port lacp               7-48
clear port lacp             7-50

show lacp
Use this command to display information about one or more aggregator ports.

Syntax
show lacp [port-string]

Parameters
port-string    (Optional) Displays LACP information for specific LAG port(s). Valid port designations are lag.0.1 - 6.
set lacp

Table 7-12 show lacp Output Details
Output Field                     What It Displays...
Global Link Aggregation state    Shows if LACP is enabled or disabled on the switch.
Single Port LAGs                 Displays if the single port LAG feature has been enabled on the switch. See “set lacp singleportlag” on page 7-46 for more about single port LAG.
Aggregator                       LAG port designation. Each SecureStack B2 module provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6.
set lacp asyspri
Use this command to set the LACP system priority.

Syntax
set lacp asyspri value

Parameters
asyspri    Sets the system priority to be used in creating a LAG (Link Aggregation Group) ID. Valid values are 0 to 65535.
value      Specifies a system priority value. Valid values are 0 to 65535, with precedence given to lower values.

Defaults
None.

Mode
Switch command, read-write.

Usage
LACP uses this value to determine aggregation precedence.
clear lacp

Usage
LACP will use this value to form an oper key. Only underlying physical ports with oper keys matching those of their aggregators will be allowed to aggregate. The default admin key value for all LAG ports is 32768.

Example
This example shows how to set the LACP admin key to 2000 for LAG port 6:
B2(su)->set lacp aadminkey lag.0.6 2000

clear lacp
Use this command to clear LACP system priority or admin key settings.
clear lacp static

key            (Optional) Specifies the new member port and LAG port aggregator admin key value. Only ports with matching keys are allowed to aggregate. Valid values are 0 - 65535.
               Note: This key value must be unique. If ports other than the desired underlying physical ports share the same admin key value, aggregation will fail or undesired aggregations will form.
port-string    Specifies the member port(s) to add to the LAG.
set lacp singleportlag
Use this command to enable or disable the formation of single port LAGs.

Syntax
set lacp singleportlag {enable | disable}

Parameters
disable | enable    Enables or disables the formation of single port LAGs.

Defaults
None.

Mode
Switch command, read-write.

Usage
When single port LAGs are enabled, Link Aggregation Groups can be formed when only one port is receiving protocol transmissions from a partner.
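The admin-key rules spread across the set lacp aadminkey usage text, the note on set lacp static that a key value must be unique, and set lacp singleportlag are easier to reason about as a small model. The Python below is an added example, not Enterasys code: it applies the rules the guide states (ports aggregate only with an aggregator whose admin key matches, at most eight ports per LAG, a one-port LAG only when single port LAGs are enabled) and includes the pre-change check a practitioner would run to catch a shared key before it produces an undesired aggregation. Treating the lowest-numbered aggregator as the one that claims contested ports is an assumption; port names and key values are constructed.

```python
"""LACP admin-key matching, modelled on the SecureStack B2 rules.

Added example, not Enterasys code. It applies the rules stated in the guide:
a physical port aggregates only with an aggregator whose admin key matches its
own, a LAG takes at most eight ports, and a LAG with a single member only
forms when single port LAGs are enabled. Treating the lowest-numbered
aggregator as the one that claims contested ports is an assumption; port and
key values are constructed.
"""
DEFAULT_ADMIN_KEY = 32768   # default admin key for LAG ports, per the guide
MAX_PORTS_PER_LAG = 8       # each LAG can have up to eight physical ports


def duplicate_keys(aggregators):
    """Admin keys shared by more than one aggregator: the misconfiguration the
    guide warns leads to failed or undesired aggregation."""
    by_key = {}
    for lag, key in aggregators.items():
        by_key.setdefault(key, []).append(lag)
    return {key: sorted(lags) for key, lags in by_key.items() if len(lags) > 1}


def check_config(aggregators, ports):
    """Sanity checks to run before changing keys with set lacp aadminkey / static."""
    warnings = []
    for key, lags in duplicate_keys(aggregators).items():
        warnings.append("admin key %d is shared by %s" % (key, ", ".join(lags)))
    for lag, key in aggregators.items():
        n = sum(1 for k in ports.values() if k == key)
        if n > MAX_PORTS_PER_LAG:
            warnings.append("%d ports match %s but a LAG holds at most %d"
                            % (n, lag, MAX_PORTS_PER_LAG))
    return warnings


def form_lags(aggregators, ports, single_port_lag=False):
    """aggregators: {'lag.0.1': key, ...}; ports: {'fe.1.1': key, ...}.
    Returns {lag: [member ports]} for every LAG that actually forms."""
    lags = {}
    claimed = set()   # a physical port belongs to at most one LAG
    for lag in sorted(aggregators):   # assumption: lowest-numbered LAG wins contested ports
        key = aggregators[lag]
        members = [p for p in sorted(ports)
                   if ports[p] == key and p not in claimed][:MAX_PORTS_PER_LAG]
        if len(members) >= 2 or (single_port_lag and len(members) == 1):
            lags[lag] = members
            claimed.update(members)
    return lags
```

With lag.0.1 and lag.0.2 both keyed 100, every port keyed 100 lands in lag.0.1 and lag.0.2 never forms, which is the "undesired aggregation" the note describes; check_config reports the shared key before the change is made. A port left at the default key 32768 matches neither aggregator and stays out of both LAGs.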
show port lacp

Example
This example shows how to reset the single port LAG function back to disabled:
B2(su)->clear lacp singleportlag

show port lacp
Use this command to display link aggregation information for one or more underlying physical ports.

Syntax
show port lacp port port-string {[status {detail | summary}] | [counters]}

Parameters
port port-string    Displays LACP information for specific port(s).
set port lacp Port Instance: fe.1.
set port lacp

aadminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire
    Sets the port’s actor LACP administrative state to allow for:
    lacpactive - Transmitting LACP PDUs.
    lacptimeout - Transmitting LACP PDUs every 1 sec. vs 30 sec. (default).
    lacpagg - Aggregation on this port.
    lacpsync - Transition to synchronization state.
    lacpcollect - Transition to collection state.
    lacpdist - Transition to distribution state.
    lacpdef - Transition to defaulted state.
clear port lacp

Mode
Switch command, read-write.

Usage
LACP commands and parameters beginning with an “a” (such as aadminkey) set actor values. Corresponding commands and parameters beginning with a “p” (such as padminkey) set corresponding partner values. Actor refers to the local device participating in LACP negotiation, while partner refers to its remote device partner at the other end of the negotiation.
clear port lacp

padminport    Deletes a partner port from the LACP configuration.
padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
              Clears the port’s specific partner admin state, or all partner admin state(s).

Defaults
None.

Mode
Switch command, read-write.
Configuring Protected Ports

The Protected Port feature is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports may be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported.

Protected Port Operation
Ports that are configured to be protected cannot forward traffic to other protected ports in the same group, regardless of having the same VLAN membership.
show port protected

Example
This example shows how to assign ports fe.1.1 through fe.1.3 to protected port group 1:
B2(rw)->set port protected fe.1.1-3 1

show port protected
Use this command to display information about the ports configured for protected mode.

Syntax
show port protected [port-string] | [group-id]

Parameters
port-string    (Optional) Specifies the port or ports for which to display information.
group-id       (Optional) Specifies the id of the group for which to display information.
set port protected name

Mode
Switch command, read-write.

Example
This example shows how to clear protected ports fe.1.1 through fe.1.3:
B2(rw)->clear port protected fe.1.1-3

set port protected name
Use this command to assign a name to a protected port group id.

Syntax
set port protected name group-id name

Parameters
group-id    Specifies the id of this group. Id can range from 0 to 2.
name        Specifies a name for the group. The name can be up to 32 characters in length.

Defaults
None.
clear port protected name

Example
This example shows how to display the name of protected port group 1:
B2(ro)->show port protected name 1
Group ID    Group Name
----------------------------
1           group1

clear port protected name
Use this command to clear the name of a protected group.

Syntax
clear port protected name group-id

Parameters
group-id    Specifies the id of the group for which to clear the name. Id can range from 0 to 2.

Defaults
None.

Mode
Switch command, read-write.
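The protected port rules in "Protected Port Operation" amount to one extra condition in the forwarding decision. The Python below is an added example, not Enterasys code: it encodes the guide's statements (unprotected by default, group ids 0 to 2, names up to 32 characters, no forwarding between two protected ports of the same group even on the same VLAN) and exposes the per-port reachability set that a traffic-isolation check should verify after a set port protected change. Forwarding between different protected groups follows only what the guide states, so it is not blocked; the port and VLAN layout is constructed.

```python
"""Protected port forwarding decision, modelled on the SecureStack B2 rules.

Added example, not Enterasys code. It encodes the guide's statements: ports
are unprotected by default, group ids run from 0 to 2, group names are at most
32 characters, and two protected ports in the same group never forward to each
other even on the same VLAN. Forwarding between different protected groups is
not blocked because the guide states no such rule. Ports and VLANs below are
constructed.
"""
PROTECTED_GROUP_IDS = range(0, 3)   # group-id can range from 0 to 2
MAX_GROUP_NAME_LEN = 32


class ProtectedPorts:
    def __init__(self, vlan_of):
        self.vlan_of = dict(vlan_of)   # port -> VLAN id (constructed topology)
        self.group_of = {}             # port -> group id; absent means unprotected (default)
        self.names = {}                # group id -> name

    def set_protected(self, ports, group_id):
        """Counterpart of 'set port protected <ports> <group-id>'."""
        if group_id not in PROTECTED_GROUP_IDS:
            raise ValueError("group id must be 0-2")
        for p in ports:
            self.group_of[p] = group_id

    def clear_protected(self, ports):
        """Counterpart of 'clear port protected <ports>': back to unprotected."""
        for p in ports:
            self.group_of.pop(p, None)

    def set_name(self, group_id, name):
        """Counterpart of 'set port protected name <group-id> <name>'."""
        if group_id not in PROTECTED_GROUP_IDS or len(name) > MAX_GROUP_NAME_LEN:
            raise ValueError("bad group id or name longer than 32 characters")
        self.names[group_id] = name

    def may_forward(self, ingress, egress):
        """Can a frame received on `ingress` be forwarded out `egress`?"""
        if ingress == egress:
            return False
        if self.vlan_of[ingress] != self.vlan_of[egress]:
            return False                 # ordinary VLAN isolation applies first
        g = self.group_of.get(ingress)
        if g is not None and g == self.group_of.get(egress):
            return False                 # same protected group: blocked despite same VLAN
        return True

    def egress_ports(self, ingress):
        """Ports a frame from `ingress` may reach: the set an isolation check should verify."""
        return sorted(p for p in self.vlan_of if self.may_forward(ingress, p))
```

With fe.1.1 through fe.1.3 in group 1 and every port on VLAN 10, a frame from fe.1.1 reaches only the unprotected port and the port in the other group; clearing fe.1.2 makes it reachable again, which is why a "clear port protected" on a shared-tenant segment deserves the same review as a VLAN change.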
8 SNMP Configuration

This chapter describes the Simple Network Management Protocol (SNMP) set of commands and how to use them.

For information about...    Refer to page...
SNMP Configuration Summary

• SNMP network management applications, such as the Enterasys NetSight application, which communicate with agents to get statistics and alerts from the managed devices.

SNMPv3
SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows:
– Message integrity — Collects data securely without being tampered with or corrupted.
Reviewing SNMP Statistics

Table 8-13 SNMP Security Levels (Continued)
Model    Security Level    Authentication    Encryption    How It Works
v3       NoAuthNoPriv      User name         None          Uses a user name match for authentication.
         AuthNoPriv        MD5 or SHA        None          Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
         authPriv          MD5 or SHA        DES           Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
show snmp engineid

Commands
For information about...    Refer to page...
show snmp engineid          8-4
show snmp counters          8-5

show snmp engineid
Use this command to display the SNMP local engine ID. This is the SNMP v3 engine’s administratively unique identifier.

Syntax
show snmp engineid

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.
show snmp counters
Use this command to display SNMP traffic counter values.

Syntax
show snmp counters

Parameters
None.

Defaults
None.

Mode
Switch command, read-only.
show snmp counters

usmStatsUnknownEngineIDs    = 0
usmStatsWrongDigests        = 0
usmStatsDecryptionErrors    = 0

Table 8-15 provides an explanation of the command output.

Table 8-15 show snmp counters Output Details
Output Field    What It Displays...
snmpInPkts      Number of messages delivered to the SNMP entity from the transport service.
snmpOutPkts     Number of SNMP messages passed from the SNMP protocol entity to the transport service.
show snmp counters

Table 8-15 show snmp counters Output Details (Continued)
Output Field          What It Displays...
snmpOutBadValues      Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "badValue."
snmpOutGenErrs        Number of SNMP PDUs generated by the SNMP protocol entity with the value of the error-status field as "genErr."
snmpOutGetRequests    Number of SNMP Get-Request PDUs generated by the SNMP protocol entity.
Configuring SNMP Users, Groups, and Communities

Purpose
To review and configure SNMP users, groups, and v1 and v2 communities. These are defined as follows:
• User — A person registered in SNMPv3 to access SNMP management.
• Group — A collection of users who share the same SNMP access privileges.
• Community — A name used to authenticate SNMPv1 and v2 users.

Commands
For information about...    Refer to page...
set snmp user

If user is not specified, information about all SNMP users will be displayed. If remote is not specified, user information about the local SNMP engine will be displayed. If not specified, user information for all storage types will be displayed.

Mode
Switch command, read-only.
clear snmp user

Parameters
user                        Specifies a name for the SNMPv3 user.
remote remoteid             (Optional) Registers the user on a specific remote SNMP engine.
authentication md5 | sha    (Optional) Specifies the authentication type required for this user as MD5 or SHA.
authpassword                (Optional) Specifies a password for this user when authentication is required. Minimum of 8 characters.
privacy privpassword        (Optional) Applies encryption and specifies an encryption password. Minimum of 8 characters.
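Table 8-13 lists the HMAC-MD5 and HMAC-SHA authentication and DES privacy options, and the set snmp user parameters above take an authpassword and privpassword of at least 8 characters together with an optional remote engine ID. What ties those together is the USM key derivation of RFC 3414: the password is expanded and hashed into an engine-independent key, then localized with the engine ID that show snmp engineid reports. The Python below is an added example using only the standard library, not Enterasys code; the engine ID in the test is the RFC 3414 sample value, not a real device's output, and the wire message is a constructed byte string standing in for a real SNMPv3 PDU.

```python
"""SNMPv3 USM key handling: how the authpassword / privpassword given to
'set snmp user' become the keys a v3 engine actually uses.

Added example (standard library only, not Enterasys code). It implements the
RFC 3414 password-to-key and key-localization algorithms for the MD5 and SHA
authentication types of Table 8-13, the 12-byte HMAC truncation used for
msgAuthenticationParameters, and the DES key / pre-IV split for authPriv.
The engine ID and message used in the test are constructed sample values.
"""
import hashlib
import hmac

MIN_PASSWORD_LEN = 8          # the guide's minimum for authpassword and privpassword
_EXPANDED_LEN = 1048576       # RFC 3414 A.2: password stream length (1 MB)
_ALGOS = {"md5": "md5", "sha": "sha1"}


def password_to_key(password, auth):
    """Ku: the engine-independent key for auth 'md5' or 'sha' (RFC 3414 A.2.1/A.2.2)."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("authentication/privacy passwords must be at least 8 characters")
    pw = password.encode("utf-8")
    # repeat the password until the stream is exactly 1,048,576 bytes, then hash it
    stream = (pw * (_EXPANDED_LEN // len(pw) + 1))[:_EXPANDED_LEN]
    return hashlib.new(_ALGOS[auth], stream).digest()


def localize_key(ku, engine_id, auth):
    """Kul = H(Ku || snmpEngineID || Ku). The same password yields a different
    key on every engine, so a key recovered from one device is useless on another."""
    return hashlib.new(_ALGOS[auth], ku + engine_id + ku).digest()


def auth_parameters(kul, auth, wire_message):
    """HMAC-MD5-96 / HMAC-SHA-96: the 12-byte msgAuthenticationParameters value,
    computed over the message with that field zero-filled."""
    return hmac.new(kul, wire_message, _ALGOS[auth]).digest()[:12]


def verify_auth(kul, auth, wire_message, received_params):
    """Receiver side: constant-time comparison; a mismatch is what the
    usmStatsWrongDigests counter in 'show snmp counters' records."""
    return hmac.compare_digest(auth_parameters(kul, auth, wire_message), received_params)


def des_priv_material(kul):
    """authPriv with DES: the first 8 bytes of the localized privacy key are the
    DES key and the next 8 the pre-IV (RFC 3414 8.1.1.1)."""
    return kul[:8], kul[8:16]
```

Two practical consequences follow from the code: an 8-character minimum is a floor, not a recommendation, because the expansion step adds no entropy beyond what the password carries; and since localization binds the key to the engine ID, replacing a switch (new engine ID) invalidates every manager's cached localized key for that user even though the password is unchanged.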
show snmp group

Example
This example shows how to remove the SNMP user named “bill”:
B2(su)->clear snmp user bill

show snmp group
Use this command to display an SNMP group configuration. An SNMP group is a collection of SNMPv3 users who share the same access privileges.

Syntax
show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}] [volatile | nonvolatile | read-only]

Parameters
groupname groupname    (Optional) Displays information for a specific SNMP group.
set snmp group

Table 8-17 provides an explanation of the command output.

Table 8-17 show snmp group Output Details
Output Field          What It Displays...
Security model        SNMP version associated with this group.
Security/user name    User belonging to the SNMP group.
Group name            Name of SNMP group.
Storage type          Whether entry is stored in volatile, nonvolatile or read-only memory.
Row status            Status of this entry: active, notInService, or notReady.

set snmp group
Use this command to create an SNMP group.
show snmp community

Parameters
groupname                        Specifies the SNMP group to be cleared.
user                             Specifies the SNMP user to be cleared.
security-model v1 | v2c | usm    (Optional) Clears the settings associated with a specific security model.

Defaults
If not specified, settings related to all security models will be cleared.

Mode
Switch command, read-write.
set snmp community
Use this command to configure an SNMP community group.

Syntax
set snmp community community [securityname securityname] [context context] [transport transport] [volatile | nonvolatile]

Parameters
community                    Specifies a community group name.
securityname securityname    (Optional) Specifies an SNMP security name to associate with this community.
context context              (Optional) Specifies a subset of management information this community will be allowed to access.
Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete the community name “vip.”
B2(su)->clear snmp community vip

Configuring SNMP Access Rights

Purpose
To review and configure SNMP access rights, assigning viewing privileges and security levels to SNMP user groups.

Commands
For information about...    Refer to page...
show snmp access

context context                       (Optional) Displays access information for a specific context. For a description of how to specify SNMP contexts, refer to “Using SNMP Contexts to Access Specific MIBs” on page 8-3.
volatile | nonvolatile | read-only    (Optional) Displays access entries for a specific storage type.

Defaults
If groupname is not specified, access information for all SNMP groups will be displayed.
set snmp access

Table 8-18 show snmp access Output Details (Continued)
Output Field      What It Displays...
Security level    Security level applied to this group. Valid levels are:
                  • noAuthNoPrivacy (no authentication required)
                  • AuthNoPrivacy (authentication required)
                  • authPriv (privacy -- most secure level)
Read View         Name of the view that allows this group to view SNMP MIB objects.
Write View        Name of the view that allows this group to configure the contents of the SNMP agent.
clear snmp access

Defaults
If security level is not specified, no authentication will be applied.
If context is not specified, access will be enabled for the default context. If context is specified without a context match, exact match will be applied.
If read view is not specified, none will be applied.
If write view is not specified, none will be applied.
If notify view is not specified, none will be applied.
Example
This example shows how to clear SNMP version 3 access for the “mis-group” via the authentication protocol:
B2(su)->clear snmp access mis-group security-model usm authentication

Configuring SNMP MIB Views

Purpose
To review and configure SNMP MIB views. SNMP views map SNMP objects to access rights.

Commands
For information about...    Refer to page...
show snmp context

Example
This example shows how to display SNMP MIB view configuration information:
B2(su)->show snmp view
--- SNMP MIB View information ---
View Name     = All
Subtree OID   = 1
Subtree mask  =
View Type     = included
Storage type  = nonVolatile
Row status    = active

View Name     = All
Subtree OID   = 0.0
Subtree mask  =
View Type     =
Storage type  =
Row status    =

View Name     = Network
Subtree OID   = 1.3.6.1.2.
set snmp view

Mode
Switch command, read-only.

Usage
An SNMP context is a collection of management information that can be accessed by an SNMP agent or entity. The default context allows all SNMP agents to access all management information (MIBs). When created using the set snmp access command (“set snmp access” on page 8-17), other contexts can be applied to limit access to a subset of management information.
clear snmp view
Use this command to delete an SNMPv3 MIB view.

Syntax
clear snmp view viewname subtree

Parameters
viewname    Specifies the MIB view name to be deleted.
subtree     Specifies the subtree name of the MIB view to be deleted.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to delete SNMP MIB view “public”:
B2(su)->clear snmp view public 1.3.6.1

Configuring SNMP Target Parameters

Purpose
To review and configure SNMP target parameters.
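A MIB view such as the "All" and "Network" entries in the show snmp view output is a list of (subtree, mask, included/excluded) rows, and an OID is accessible through the view only after the most specific matching row is found. The Python below is an added example, not Enterasys code: it implements the view-tree family lookup that RFC 3415 (the VACM model SNMPv3 agents use) specifies, with view rows and OIDs constructed for the test. Masks are written as strings of '1'/'0' per sub-identifier, a missing bit meaning exact match; the "Network" and "IfRow3" rows are constructed, only the "All" row follows the guide's sample output.

```python
"""SNMP MIB view membership (RFC 3415 view-tree family lookup).

Added example, not Enterasys code. Given the rows a 'set snmp view' would
create, decide whether an OID is inside a named view. View rows other than
'All' and every OID below are constructed for illustration.
"""


def _oid(s):
    return [int(x) for x in s.split(".")]


def _mask_bit(mask, i):
    # '1' = sub-identifier must match exactly, '0' = wildcard; missing bits count as '1'
    return mask[i] == "1" if i < len(mask) else True


def oid_in_view(oid, view, entries):
    """entries: list of (view name, subtree, mask, 'included' | 'excluded').

    Among the rows of `view` whose subtree matches `oid`, the row with the
    most sub-identifiers wins (ties go to the lexicographically greatest
    subtree); the OID is in the view only if that row is 'included'."""
    target = _oid(oid)
    best_key, best_type = None, None
    for name, subtree, mask, vtype in entries:
        if name != view:
            continue
        s = _oid(subtree)
        if len(s) > len(target):
            continue      # a subtree longer than the OID cannot contain it
        if all((not _mask_bit(mask, i)) or s[i] == target[i] for i in range(len(s))):
            key = (len(s), s)
            if best_key is None or key > best_key:
                best_key, best_type = key, vtype
    return best_type == "included"


# Constructed views: 'All' as in the guide's sample output; 'Network' exposes
# mib-2 but excludes the ip subtree (1.3.6.1.2.1.4); 'IfRow3' uses a mask to
# expose every column of ifTable row 3 and nothing else.
VIEWS = [
    ("All", "1", "", "included"),
    ("Network", "1.3.6.1.2.1", "", "included"),
    ("Network", "1.3.6.1.2.1.4", "", "excluded"),
    ("IfRow3", "1.3.6.1.2.1.2.2.1.1.3", "11111111101", "included"),
]
```

The longest-match rule is what makes an excluded row a real restriction: sysDescr under 1.3.6.1.2.1.1 is reachable through "Network", while anything under the excluded 1.3.6.1.2.1.4 row is not, even though the shorter included row also matches it. When reviewing a set snmp access configuration, check the write view with the same function and an OID from the subtree you expect to be read-only.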
show snmp targetparams

Parameters
targetParams                          (Optional) Displays entries for a specific target parameter.
volatile | nonvolatile | read-only    (Optional) Displays target parameter entries for a specific storage type.

Defaults
If targetParams is not specified, entries associated with all target parameters will be displayed. If not specified, entries of all storage types will be displayed.

Mode
Switch command, read-only.
set snmp targetparams
Use this command to set SNMP target parameters, a named set of security/authorization criteria used to generate a message to a target.

Syntax
set snmp targetparams paramsname user user security-model {v1 | v2c | usm} messageprocessing {v1 | v2c | v3} [noauthentication | authentication | privacy] [volatile | nonvolatile]

Parameters
paramsname    Specifies a name identifying parameters used to generate SNMP messages to a particular target.
Parameters
targetParams    Specifies the name of the parameter in the SNMP target parameters table to be cleared.

Defaults
None.

Mode
Switch command, read-write.

Example
This example shows how to clear SNMP target parameters named “v1ExampleParams”:
B2(su)->clear snmp targetparams v1ExampleParams

Configuring SNMP Target Addresses

Purpose
To review and configure SNMP target addresses which will receive SNMP notification messages.
set snmp targetaddr

If not specified, entries of all storage types will be displayed for a target address.

Mode
Switch command, read-only.

Example
This example shows how to display SNMP target address information:
B2(su)->show snmp targetaddr
Target Address Name = labmachine
Tag List            = v2cTrap
IP Address          = 10.2.3.116
UDP Port#           = 162
Target Mask         = 255.255.255.
set snmp targetaddr

Parameters
targetaddr         Specifies a unique identifier to index the snmpTargetAddrTable. Maximum length is 32 bytes.
ipaddr             Specifies the IP address of the target.
param param        Specifies an entry in the SNMP target parameters table, which is used when generating a message to the target. Maximum length is 32 bytes.
udpport udpport    (Optional) Specifies which UDP port of the target host to use.
mask mask          (Optional) Specifies the IP mask of the target.
clear snmp targetaddr
Use this command to delete an SNMP target address entry.

Syntax
clear snmp targetaddr targetAddr

Parameters
targetAddr    Specifies the target address entry to delete.

Defaults
None.

Mode
Switch command, read-write.
show newaddrtrap

Commands
For information about...    Refer to page...
show newaddrtrap            8-29
set newaddrtrap             8-30
show snmp notify            8-30
set snmp notify             8-31
clear snmp notify           8-32
show snmp notifyfilter      8-33
set snmp notifyfilter       8-34
clear snmp notifyfilter     8-34
show snmp notifyprofile     8-35
set snmp notifyprofile      8-36
clear snmp notifyprofile    8-36

show newaddrtrap
Use this command to display the global and port-specific status of the SNMP new MAC addresses trap function.
ge.1.1    disabled
ge.1.2    disabled
ge.1.3    disabled
ge.1.4    disabled
ge.1.5    disabled

set newaddrtrap
Use this command to enable or disable SNMP trap messaging, globally or on one or more ports, when new source MAC addresses are detected.
Syntax
set newaddrtrap [port-string] {enable | disable}
Parameters
port-string  (Optional) Enable or disable the new MAC addresses trap function on specific ports.
enable | disable  Enable or disable the new MAC addresses trap function.
Parameters
notify  (Optional) Displays notify entries for a specific notify name.
volatile | nonvolatile | read-only  (Optional) Displays notify entries for a specific storage type.
Defaults
If a notify name is not specified, all entries will be displayed. If volatile, nonvolatile, or read-only are not specified, all storage type entries will be displayed.
Mode
Switch command, read-only.
command’s tag parameter can be used to bind each entry to a target address using the set snmp targetaddr command (“set snmp targetaddr” on page 8-26).
Syntax
set snmp notify notify tag tag [trap | inform] [volatile | nonvolatile]
Parameters
notify  Specifies an SNMP notify name.
tag tag  Specifies an SNMP notify tag. This binds the notify name to the SNMP target address table.
trap | inform  (Optional) Specifies SNMPv1 or v2 Trap messages (default) or SNMP v3 InformRequest messages.
Example
This example shows how to clear the SNMP notify configuration for “hello”:
B2(su)->clear snmp notify hello

show snmp notifyfilter
Use this command to display SNMP notify filter information, identifying which profiles will not receive SNMP notifications.
Syntax
show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Parameters
profile  (Optional) Displays a specific notify filter.
set snmp notifyfilter
Use this command to create an SNMP notify filter configuration. This identifies which management targets should NOT receive notification messages, which is useful for fine-tuning the amount of SNMP traffic generated.
Syntax
set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included | excluded] [volatile | nonvolatile]
Parameters
profile  Specifies an SNMP filter notify name.
Parameters
profile  Specifies an SNMP filter notify name to delete.
subtree oid-or-mibobject  Specifies a MIB subtree ID containing the filter to be deleted.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to delete the SNMP notify filter “pilot1”:
B2(su)->clear snmp notifyfilter pilot1 subtree 1.3.6

show snmp notifyprofile
Use this command to display SNMP notify profile information.
Row status = active

set snmp notifyprofile
Use this command to create an SNMP notify filter profile configuration. This associates a notification filter, created with the set snmp notifyfilter command (“set snmp notifyfilter” on page 8-34), to a set of SNMP target parameters to determine which management targets should not receive SNMP notifications.
Mode
Switch command, read-write.
Creating a Basic SNMP Trap Configuration
Example
This example shows how to:
• Create an SNMP community called mgmt.
• Configure a trap notification called TrapSink. This trap notification will be sent with the community name mgmt to the workstation 192.168.190.80 (which is target address tr). It will use security and authorization criteria contained in a target parameters entry called v2cExampleParams.
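A trap configuration is a chain of references (notify tag to target address tag list, target address param to target parameters entry), and a typo in any link means the trap is silently never delivered. The following added check, which is not code from the guide, parses a constructed set of "set snmp" lines modelled on the example above and reports dangling links; the "taglist", "user", "security-model" and "message-processing" keywords and the "set snmp community" form are assumptions about this firmware's full syntax, which this page does not show.

```python
"""Cross-reference check for a B2 SNMP trap configuration (added example)."""
import shlex

# Keywords that take no value in the syntax lines shown in this guide.
FLAGS = {"volatile", "nonvolatile", "read-only", "trap", "inform"}
TABLES = ("community", "targetparams", "targetaddr", "notify")

# Constructed sample, modelled on the Creating a Basic SNMP Trap Configuration
# example. The notify tag is deliberately misspelt ("TrapSnk") so that the
# notify entry no longer selects target address "tr". Option keywords other
# than those on this page are assumptions about the full CLI syntax.
SAMPLE_CONFIG = """
set snmp community mgmt
set snmp targetparams v2cExampleParams user mgmt security-model v2c message-processing v2c
set snmp targetaddr tr 192.168.190.80 param v2cExampleParams taglist TrapSink
set snmp notify entry1 tag TrapSnk trap
"""


def parse_options(tokens):
    """Turn 'key value key value flag ...' into a dict; bare flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key in FLAGS:
            opts[key] = True
            i += 1
        elif i + 1 < len(tokens):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"option {key!r} has no value")
    return opts


def parse_config(text):
    """Build the four tables from 'set snmp ...' lines; other lines are ignored."""
    tables = {t: {} for t in TABLES}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) < 4 or tokens[:2] != ["set", "snmp"] or tokens[2] not in tables:
            continue
        table, name, rest = tokens[2], tokens[3], tokens[4:]
        entry = {}
        if table == "targetaddr":  # the target IP address is positional
            if not rest:
                raise ValueError(f"targetaddr {name}: missing ipaddr")
            entry["ipaddr"], rest = rest[0], rest[1:]
        entry.update(parse_options(rest))
        tables[table][name] = entry
    return tables


def lint(text):
    """Return one message per broken link in the notify -> targetaddr -> targetparams chain."""
    tables = parse_config(text)
    problems = []
    reachable_tags = set()
    for name, addr in tables["targetaddr"].items():
        param = addr.get("param")
        if param not in tables["targetparams"]:
            problems.append(f"targetaddr {name}: param {param!r} matches no targetparams entry")
        # Assumption: a tag list is a whitespace-separated list of tags.
        reachable_tags.update(addr.get("taglist", "").split())
    for name, notify in tables["notify"].items():
        tag = notify.get("tag")
        if tag not in reachable_tags:
            problems.append(f"notify {name}: tag {tag!r} is in no targetaddr tag list, "
                            "so this notification reaches no target")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG) or ["no dangling references"]:
        print(problem)
```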
9 Spanning Tree Configuration
This chapter describes the Spanning Tree Configuration set of commands and how to use them.
Spanning Tree Configuration Summary
blocking for all traffic flowing between the two switches. The blocking links are effectively used only if the forwarding link goes down. MSTP assigns each VLAN present on the network to a particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such instance: blocking for one Spanning Tree while forwarding for another.
learning and the priority vector is worse than that already held by the port. If a disputed BPDU is received, the port is forced to the listening state. When an inferior designated BPDU with the learning bit set is received on a designated port, its state is set to discarding to prevent loop formation. Note that the Dispute mechanism is always active regardless of the configuration setting of Loop Protection.
Configuring Spanning Tree Bridge Parameters
show spantree stats
Example
This example shows how to display the device’s Spanning Tree configuration:
B2(su)->show spantree stats
Spanning tree status        - enabled
Spanning tree instance      - 0
Designated Root MacAddr     - 00-e0-63-9d-c1-c8
Designated Root Priority    - 0
Designated Root Cost        - 10000
Designated Root Port        - lag.0.
Root Max Age                -
Root Hello Time             -
Root Forward Delay          -
Bridge ID MAC Address       -
Bridge ID Priority          -
Bridge Max Age              -
Bridge Hello Time           -
Bridge Forward Delay        -
Topology Change Count       -
Time Since Top Change       -
Max Hops                    -
Table 9-24  show spantree Output Details (Continued)
Output                 What It Displays...
Bridge Forward Delay   Amount of time (in seconds) the bridge spends in listening or learning mode. This is a default value, or is assigned using the set spantree fwddelay command. For details, refer to “set spantree fwddelay” on page 9-20.
Topology Change Count  Number of times topology has changed on the bridge.
Mode
Switch command, read-only.
Example
This example shows how to display Spanning Tree version information for the device:
B2(su)->show spantree version
Force Version is mstp

set spantree version
Use this command to set the version of the Spanning Tree protocol to MSTP (Multiple Spanning Tree Protocol), RSTP (Rapid Spanning Tree Protocol) or to STP 802.1D-compatible.
Syntax
set spantree version {mstp | stpcompatible | rstp}
Parameters
mstp  Sets the version to STP 802.
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Spanning Tree version:
B2(su)->clear spantree version

show spantree bpdu-forwarding
Use this command to display the Spanning Tree BPDU forwarding mode.
Syntax
show spantree bpdu-forwarding
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Defaults
By default BPDU forwarding is disabled.
Mode
Switch command, read-write.
Usage
The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect.
Example
This example shows how to enable BPDU forwarding:
B2(rw)->set spantree bpdu-forwarding enable

show spantree bridgeprioritymode
Use this command to display the Spanning Tree bridge priority mode setting.
Syntax
show spantree bridgeprioritymode
Parameters
None.
Defaults
None.
Parameters
8021d  Sets the bridge priority mode to use 802.1D (legacy) values, which are 0 - 65535.
8021t  Sets the bridge priority mode to use 802.1t values, which are 0 to 61440, in increments of 4096. Values will automatically be rounded up or down, depending on the 802.1t value to which the entered value is closest. This is the default bridge priority mode.
Defaults
None.
Mode
Switch command, read-write.
show spantree mstilist
Use this command to display a list of Multiple Spanning Tree (MST) instances configured on the device.
Syntax
show spantree mstilist
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display a list of MST instances.
clear spantree msti
Use this command to delete one or more Multiple Spanning Tree instances.
Syntax
clear spantree msti [sid sid]
Parameters
sid sid  (Optional) Deletes a specific multiple Spanning Tree ID.
Defaults
If sid is not specified, all MST instances will be cleared.
Mode
Switch command, read-write.
set spantree mstmap
Use this command to map one or more filtering database IDs (FIDs) to a SID. Since VLANs are mapped to FIDs, this essentially maps one or more VLAN IDs to a Spanning Tree (SID).
Note: Since any MST maps that are associated with GVRP-generated VLANs will be removed from the configuration if GVRP communication is lost, it is recommended that you only create MST maps on statically-created VLANs.
B2(su)->clear spantree mstmap 2

show spantree vlanlist
Use this command to display the Spanning Tree ID(s) assigned to one or more VLANs.
Syntax
show spantree vlanlist [vlan-list]
Parameters
vlan-list  (Optional) Displays SIDs assigned to specific VLAN(s).
Defaults
If not specified, SID assignment will be displayed for all VLANs.
Mode
Switch command, read-only.
Example
This example shows how to display the SIDs mapped to VLAN 1.
MAC address) have not been changed. For information on using the set spantree mstcfgid command to change these settings, refer to “set spantree mstcfgid” on page 9-16:
B2(su)->show spantree mstcfgid
MST Configuration Identifier:
  Format Selector: 0
  Configuration Name: 00:01:f4:89:51:94
  Revision Level: 0
  Configuration Digest: ac:36:17:7f:50:28:3c:d4:b8:38:21:d8:ab:26:de:62

set spantree mstcfgid
Use this command to set the MST configuration name and/or revision level.
Example
This example shows how to reset the MST configuration identifier elements to default values:
B2(su)->clear spantree mstcfgid

set spantree priority
Use this command to set the device’s Spanning Tree priority.
Syntax
set spantree priority priority [sid]
Parameters
priority  Specifies the priority of the bridge. Valid values are from 0 to 61440 (in increments of 4096), with 0 indicating highest priority and 61440 lowest priority.
Defaults
If sid is not specified, priority will be reset on Spanning Tree 0.
Mode
Switch command, read-write.
Example
This example shows how to reset the bridge priority on SID 1:
B2(su)->clear spantree priority 1

set spantree hello
Use this command to set the device’s Spanning Tree hello time. This is the time interval (in seconds) at which the device transmits BPDUs indicating it is active.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the Spanning Tree hello time:
B2(su)->clear spantree hello

set spantree maxage
Use this command to set the bridge maximum aging time.
Syntax
set spantree maxage agingtime
Parameters
agingtime  Specifies the maximum number of seconds that the system retains the information received from other bridges through STP. Valid values are 6 - 40.
Defaults
None.
Mode
Switch command, read-write.
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the maximum aging time:
B2(su)->clear spantree maxage

set spantree fwddelay
Use this command to set the Spanning Tree forward delay.
Syntax
set spantree fwddelay delay
Parameters
delay  Specifies the number of seconds for the bridge forward delay. Valid values are 4 - 30.
Defaults
None.
Mode
Switch command, read-write.
clear spantree fwddelay
Use this command to reset the Spanning Tree forward delay to the default setting of 15 seconds.
Syntax
clear spantree fwddelay
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to globally reset the bridge forward delay:
B2(su)->clear spantree fwddelay

show spantree backuproot
Use this command to display the backup root status for an MST instance.
set spantree backuproot
Use this command to enable or disable the Spanning Tree backup root function on the switch.
Syntax
set spantree backuproot sid {disable | enable}
Parameters
sid  Specifies the Spanning Tree instance on which to enable or disable the backup root function. Valid values are 0 - 4094.
disable | enable  Enables or disables the backup root function.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the backup root function to disabled on SID 2:
B2(rw)->clear spantree backuproot 2

show spantree tctrapsuppress
Use this command to display the status of topology change trap suppression on Rapid Spanning Tree edge ports.
Syntax
show spantree tctrapsuppress
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Usage
By default, RSTP non-edge (bridge) ports that transition to forwarding or blocking cause the switch to issue a topology change trap. When topology change trap suppression is enabled, which is the device default, edge ports (such as end station PCs) are prevented from sending topology change traps. This is because there is usually no need for network management to monitor edge port STP transition states, such as when PCs are powered on.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the protocol state migration machine on port 20:
B2(su)->set spantree protomigration fe.1.20

show spantree spanguard
Use this command to display the status of the Spanning Tree SpanGuard function.
Syntax
show spantree spanguard
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Mode
Switch command, read-write.
Usage
SpanGuard is designed to disable, or lock out, an “edge” port when an unexpected BPDU is received. The port can be configured to be re-enabled after a set time period, or only after manual intervention. A port can be defined as an edge (user) port using the set spantree adminedge command, described in “set spantree adminedge” on page 9-39.
show spantree spanguardtimeout
Use this command to display the Spanning Tree SpanGuard timeout setting.
Syntax
show spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
clear spantree spanguardtimeout
Use this command to reset the Spanning Tree SpanGuard timeout to the default value of 300 seconds.
Syntax
clear spantree spanguardtimeout
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the SpanGuard timeout to 300 seconds:
B2(rw)->clear spantree spanguardtimeout

show spantree spanguardlock
Use this command to display the SpanGuard lock status of one or more ports.
clear / set spantree spanguardlock
Use either of these commands to unlock one or more ports locked by the Spanning Tree SpanGuard function. When SpanGuard is enabled, it locks ports that receive BPDUs when those ports have been defined as edge (user) ports (as described in “set spantree adminedge” on page 9-39).
Syntax
clear spantree spanguardlock port-string
set spantree spanguardlock port-string
Parameters
port-string  Specifies port(s) to unlock.
set spantree spanguardtrapenable
Use this command to enable or disable the sending of an SNMP trap message when SpanGuard has locked a port.
Syntax
set spantree spanguardtrapenable {disable | enable}
Parameters
disable | enable  Disables or enables sending SpanGuard traps. By default, sending traps is enabled.
Defaults
None.
Mode
Switch command, read-write.
show spantree legacypathcost
Use this command to display the default Spanning Tree path cost setting.
Syntax
show spantree legacypathcost
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the default Spanning Tree path cost setting:
B2(su)->show spantree legacypathcost
Legacy Path Cost is disabled.

set spantree legacypathcost
Use this command to enable or disable legacy (802.1D) path cost values.
clear spantree legacypathcost
Use this command to set the Spanning Tree default value for legacy path cost to 802.1t values.
Syntax
clear spantree legacypathcost
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the legacy path cost to 802.1t values.
Configuring Spanning Tree Port Parameters
Purpose
To display and set Spanning Tree port parameters.
Example
This example shows how to disable Spanning Tree on fe.1.5:
B2(rw)->set spantree portadmin fe.1.5 disable

clear spantree portadmin
Use this command to reset the default Spanning Tree admin status to enable on one or more ports.
Syntax
clear spantree portadmin port-string
Parameters
port-string  Resets the default admin status on specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Example
This example shows how to display port admin status for fe.1.1:
B2(ro)->show spantree portadmin port fe.1.1
Port fe.1.1 has portadmin set to enabled

show spantree portpri
Use this command to show the Spanning Tree priority for one or more ports. Port priority is a component of the port ID, which is one element used in determining Spanning Tree port roles.
Parameters
port-string  Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
priority  Specifies a number that represents the priority of a link in a Spanning Tree bridge. Valid values are from 0 to 240 (in increments of 16) with 0 indicating high priority.
sid sid  (Optional) Sets port priority for a specific Spanning Tree identifier.
show spantree adminpathcost
Use this command to display the admin path cost for a port on one or more Spanning Trees.
Syntax
show spantree adminpathcost [port port-string] [sid sid]
Parameters
port port-string  (Optional) Displays the admin path cost value for specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Example
This example shows how to set the admin path cost to 200 for fe.3.2 on SID 1:
B2(su)->set spantree adminpathcost fe.3.2 200 sid 1

clear spantree adminpathcost
Use this command to reset the Spanning Tree default value for port admin path cost to 0.
Syntax
clear spantree adminpathcost port-string [sid sid]
Parameters
port-string  Specifies the port(s) for which to reset admin path cost.
Mode
Switch command, read-only.
Example
This example shows how to display the edge port status for fe.3.2:
B2(su)->show spantree adminedge port fe.3.2
Port fe.3.2 has a Port Admin Edge of Edge-Port

set spantree adminedge
Use this command to set the edge port administrative status on a Spanning Tree port.
Syntax
set spantree adminedge port-string {true | false}
Parameters
port-string  Specifies the edge port.
clear spantree adminedge
Parameters
port-string  Specifies port(s) on which to reset edge port status. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset fe.1.11 as a non-edge port:
B2(su)->clear spantree adminedge fe.1.
Configuring Spanning Tree Loop Protect Parameters
Purpose
To display and set Spanning Tree Loop Protect parameters, including the global parameters of Loop Protect threshold, window, enabling traps, and disputed BPDU threshold, as well as per port and port/SID parameters. See “Loop Protect” on page 9-2 for more information about the Loop Protect feature.
set spantree lp
Use this command to enable or disable the Loop Protect feature per port and optionally, per SID. The Loop Protect feature is disabled by default. See “Loop Protect” on page 9-2 for more information.
Syntax
set spantree lp port-string {enable | disable} [sid sid]
Parameters
port-string  Specifies port(s) on which to enable or disable the Loop Protect feature.
enable | disable  Enables or disables the feature on the specified port.
Defaults
If no port-string is specified, status is displayed for all ports. If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
Example
This example shows how to display Loop Protect status on fe.2.3:
B2(su)->show spantree lp port fe.2.3
LoopProtect is disabled on port fe.2.3 , SI

clear spantree lp
Use this command to return the Loop Protect status per port and optionally, per SID, to its default state of disabled.
Parameters
port-string  (Optional) Specifies port(s) for which to display the Loop Protect lock status.
sid sid  (Optional) Specifies the specific Spanning Tree(s) for which to display the Loop Protect lock status. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
Defaults
If no port-string is specified, status is displayed for all ports. If no SID is specified, SID 0 is assumed.
Mode
Switch command, read-only.
set spantree lpcapablepartner
Use this command to specify per port whether the link partner is Loop Protect capable. See “Loop Protect” on page 9-2 for more information.
Syntax
set spantree lpcapablepartner port-string {true | false}
Parameters
port-string  Specifies port(s) for which to configure a Loop Protect capable link partner.
true | false  Specifies whether the link partner is capable (true) or not (false).
Defaults
None.
Mode
Switch command, read-write.
Defaults
If no port-string is specified, Loop Protect capability for link partners is displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display the Loop Protect partner capability for fe.1.1:
B2(rw)->show spantree lpcapablepartner port fe.1.1
Link partner of port fe.1.
Defaults
None. The default event threshold is 3.
Mode
Switch command, read-write.
Usage
The LoopProtect event threshold is a global integer variable that provides protection in the case of intermittent failures. The default value is 3. If the event counter reaches the threshold within a given period (the event window), then the port, for the given SID, becomes locked (that is, held indefinitely in the blocking state). If the threshold is 0, the ports are never locked.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event threshold to the default of 3:
B2(rw)->clear spantree lpthreshold

set spantree lpwindow
Use this command to set the Loop Protect event window value in seconds.
Syntax
set spantree lpwindow value
Parameters
value  Specifies the number of seconds that comprise the period during which Loop Protect events are counted. The default event window is 180 seconds.
Defaults
None.
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the current Loop Protect window value:
B2(rw)->show spantree lpwindow
The Loop Protect event window is set to 120 seconds

clear spantree lpwindow
Use this command to reset the Loop Protect event window to the default value of 180 seconds.
Syntax
clear spantree lpwindow
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
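To see how the threshold and window interact (and why a shorter window tolerates more intermittent failures before a lock), the following model is an added example, not code from the guide. It counts Loop Protect events per port/SID as the lpthreshold usage text describes: the default threshold of 3 inside the default 180 s window locks the port/SID, and a threshold of 0 never locks. Treating the window as sliding, so that events older than the window are forgotten, is an assumption; the guide does not say how the counter is reset.

```python
"""Sliding-window model of the Loop Protect event threshold and window (added example)."""
from collections import deque

DEFAULT_THRESHOLD = 3   # clear spantree lpthreshold restores this
DEFAULT_WINDOW = 180    # seconds; clear spantree lpwindow restores this


class LoopProtectMonitor:
    """Tracks Loop Protect events per (port, SID) and decides when to lock."""

    def __init__(self, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
        if threshold < 0 or window <= 0:
            raise ValueError("threshold must be >= 0 and window > 0")
        self.threshold = threshold
        self.window = window
        self._events = {}      # (port, sid) -> deque of event timestamps (seconds)
        self.locked = set()    # (port, sid) pairs held in the blocking state

    def record_event(self, port, sid, now):
        """Count one event (port went to listening for lack of BPDUs).

        Returns True when (port, sid) is locked after this event.
        """
        key = (port, sid)
        events = self._events.setdefault(key, deque())
        events.append(now)
        # Assumption: only events inside the trailing window are counted.
        while events and now - events[0] > self.window:
            events.popleft()
        if self.threshold and len(events) >= self.threshold:
            self.locked.add(key)
        return key in self.locked

    def clear_lock(self, port, sid):
        """Manual unlock, the counterpart of 'clear spantree lplock'."""
        self.locked.discard((port, sid))
        self._events.pop((port, sid), None)

    def is_locked(self, port, sid):
        return (port, sid) in self.locked

    def trap_text(self, port, sid):
        """Content of the Loop Protect trap: port, SID and loop protection status."""
        status = "locked" if self.is_locked(port, sid) else "listening"
        return f"LoopProtect event on port {port} SID {sid}: {status}"


if __name__ == "__main__":
    # Constructed scenario: three events on fe.2.3 / SID 0 within 100 seconds.
    mon = LoopProtectMonitor()
    for t in (0, 50, 100):
        locked = mon.record_event("fe.2.3", 0, t)
        print(f"t={t:3d}s  {mon.trap_text('fe.2.3', 0)}")
```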
Defaults
None.
Mode
Switch command, read-write.
Usage
Loop Protect traps are sent when a Loop Protect event occurs, that is, when a port goes to listening due to not receiving BPDUs. The trap indicates port, SID and loop protection status.
Example
This example shows how to enable sending of Loop Protect traps:
B2(rw)->set spantree lptrapenable enable

show spantree lptrapenable
Use this command to display the current status of Loop Protect event notification.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the Loop Protect event notification state to the default of disabled:
B2(rw)->clear spantree lptrapenable

set spantree disputedbpduthreshold
Use this command to set the disputed BPDU threshold, which is the number of disputed BPDUs that must be received on a given port/SID until a disputed BPDU trap is sent.
Example
This example shows how to set the disputed BPDU threshold value to 5:
B2(rw)->set spantree disputedbpduthreshold 5

show spantree disputedbpduthreshold
Use this command to display the current value of the disputed BPDU threshold.
Syntax
show spantree disputedbpduthreshold
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
show spantree nonforwardingreason
Use this command to display the reason for placing a port in a non-forwarding state due to an exceptional condition.
Syntax
show spantree nonforwardingreason port-string [sid sid]
Parameters
port-string  Specifies port(s) for which to display the non-forwarding reason.
sid sid  (Optional) Specifies the specific Spanning Tree(s) for which to display the non-forwarding reason. Valid values are 0 - 4094. If not specified, SID 0 is assumed.
10 802.1Q VLAN Configuration
This chapter describes the SecureStack B2 system’s capabilities to implement 802.1Q virtual LANs (VLANs).
If the SecureStack B2 device is to be configured for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration via ports assigned to other VLANs. To create a secure management VLAN, you must:
Step  Task                                                                    Refer to page...
1.    Create a new VLAN.                                                      10-5
2.    Set the PVID for the desired switch port to the VLAN created in Step 1. 10-9
3.
Command
For information about...   Refer to page...
show vlan                  10-3

show vlan
Use this command to display all information related to one or more VLANs.
Syntax
show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port port-string]]
Parameters
static  (Optional) Displays information related to static VLANs. Static VLANs are manually created using the set vlan command (“set vlan” on page 10-5), SNMP MIBs, or the WebView management application.
Table 10-26  show vlan Output Details
Output Field            What It Displays...
VLAN                    VLAN ID.
NAME                    Name assigned to the VLAN.
Status                  Whether it is enabled or disabled.
VLAN Type               Whether it is permanent (static) or dynamic.
Egress Ports            Ports configured to transmit frames for this VLAN.
Forbidden Egress Ports  Ports prevented from transmitting frames for this VLAN.
Untagged Ports          Ports configured to transmit untagged frames for this VLAN.
802.
Creating and Naming Static VLANs
Purpose
To create a new static VLAN, or to enable or disable existing VLAN(s).
Commands
For information about...   Refer to page...
set vlan                   10-5
set vlan name              10-6
clear vlan                 10-6
clear vlan name            10-7

set vlan
Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing VLAN.
set vlan name
Use this command to set or change the ASCII name for a new or existing VLAN.
Syntax
set vlan name vlan-list vlan-name
Parameters
vlan-list  Specifies the VLAN ID of the VLAN(s) to be named.
vlan-name  Specifies the string used as the name of the VLAN (1 to 32 characters).
Defaults
None.
Mode
Switch command, read-write.
clear vlan name
Use this command to remove the name of a VLAN from the VLAN list.
Syntax
clear vlan name vlan-list
Parameters
vlan-list  Specifies the VLAN ID of the VLAN(s) for which the name will be cleared.
Defaults
None.
Mode
Switch command, read-write.
Assigning Port VLAN IDs (PVIDs) and Ingress Filtering
Purpose
To assign default VLAN IDs to untagged frames on one or more ports, to configure VLAN ingress filtering and constraints, and to set the frame discard mode.
fe.2.5 is set to 1
fe.2.6 is set to 1

set port vlan
Use this command to configure the PVID (port VLAN identifier) for one or more ports.
Syntax
set port vlan port-string pvid [modify-egress | no-modify-egress]
Parameters
port-string  Specifies the port(s) for which to configure a VLAN identifier. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
pvid  Specifies the VLAN ID of the VLAN to which port(s) will be added.
Parameters
port-string  Specifies the port(s) to be reset to the host VLAN ID 1. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset ports fe.1.3 through 11 to a VLAN ID of 1 (Host VLAN):
B2(su)->clear port vlan fe.1.
set port ingress filter
Use this command to discard all frames received with a VLAN ID that doesn’t match the port’s VLAN egress list.
Syntax
set port ingress-filter port-string {disable | enable}
Parameters
port-string  Specifies the port(s) on which to enable or disable ingress filtering. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
disable | enable  Disables or enables ingress filtering.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the frame discard mode for fe.2.7. In this case, the port has been set to discard all tagged frames:
B2(su)->show port discard fe.2.7
Port          Discard Mode
------------  ------------
fe.2.7        tagged

set port discard
Use this command to set the frame discard mode on one or more ports.
Configuring the VLAN Egress List
Purpose
To assign or remove ports on the egress list of a particular VLAN. This determines which ports on the switch will be eligible to transmit frames for a particular VLAN. For example, ports 1, 5, 7, 8 could be allowed to transmit frames belonging to VLAN 20 and ports 7, 8, 9, 10 could be allowed to transmit frames tagged with VLAN 30 (a port can belong to multiple VLAN egress lists).
Mode
Switch command, read-write.
Example
This example shows how to display VLAN egress information for fe.1.1 through 3. In this case, all three ports are allowed to transmit VLAN 1 frames as tagged and VLAN 10 frames as untagged. Both are static VLANs:
B2(su)->show port egress fe.1.1-3
Port     Vlan   Egress     Registration
Number   Id     Status     Status
------------------------------------------------------
fe.1.1   1      tagged     static
fe.1.1   10     untagged   static
fe.1.2   1      tagged     static
fe.1.
set vlan egress
Use this command to add ports to the VLAN egress list for the device, or to prevent one or more ports from participating in a VLAN. This determines which ports will transmit frames for a particular VLAN.
Syntax
set vlan egress vlan-list port-string [untagged | forbidden | tagged]
Parameters
vlan-list  Specifies the VLAN where a port(s) will be added to the egress list.
port-string  Specifies one or more ports to add to the VLAN egress list of the specified vlan-list.
Syntax
clear vlan egress vlan-list port-string [forbidden]
Parameters
vlan-list  Specifies the number of the VLAN from which a port(s) will be removed from the egress list.
port-string  Specifies one or more ports to be removed from the VLAN egress list of the specified vlan-list. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Example This example shows how to display the dynamic egress status for VLANs 50-55:
B2(rw)->show vlan dynamicegress 50-55
VLAN 50 is disabled
VLAN 51 is disabled
VLAN 52 is disabled
VLAN 53 is enabled
VLAN 54 is enabled
VLAN 55 is enabled
set vlan dynamicegress Use this command to administratively set the dynamic egress status for one or more VLANs.
Setting the Host VLAN Purpose To configure a host VLAN that only select devices are allowed to access. This secures the host port for management-only tasks. Note: The host port is the management entity of the device. Refer to “Creating a Secure Management VLAN” on page 10-1 for more information. Commands For information about... Refer to page...
show host vlan 10-18
set host vlan 10-18
clear host vlan 10-19
show host vlan Use this command to display the current host VLAN.
Parameters vlan-id Specifies the number of the VLAN to set as the host VLAN. Defaults None. Mode Switch command, read-write. Usage The host VLAN should be a secure VLAN where only designated users are allowed access. For example, a host VLAN could be created specifically for device management. A management station connected to the management VLAN can then manage all ports on the device, and management stays secure because the host port does not accept management traffic arriving on ports assigned to other VLANs. Because the VLAN egress list decides which ports may carry the host VLAN, check that list after setting the host VLAN and forbid the VLAN on any port that should not reach the management entity.
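A way to run that check off-line, as an added example that is not part of the Enterasys guide: the Python below parses saved `show port egress` output in the four-column layout shown earlier in this chapter (port, VLAN id, egress status, registration status), lists every port that is on the host VLAN's egress list but not on an operator allow-list, flags ports whose membership is not static, and produces the `set vlan egress <vlan> <port> forbidden` commands (the syntax documented above) that would block them. The sample output, the host VLAN number 100 and the allow-list are constructed for the example.

```python
"""Audit the egress list of the host (management) VLAN.

Added example; not code from the Enterasys guide. Parses saved
`show port egress` output in the four-column layout the guide shows
(port, VLAN id, egress status, registration status) and reports which
ports may transmit the host VLAN. Ports outside the allow-list get a
`set vlan egress <vlan> <port> forbidden` remediation command, which is
the syntax documented in this chapter.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `show port egress` output (not captured from a device).
SAMPLE_SHOW_PORT_EGRESS = """\
Port       Vlan   Egress     Registration
Number     Id     Status     Status
-------------------------------------------------------
fe.1.1     1      tagged     static
fe.1.1     10     untagged   static
fe.1.2     1      tagged     static
fe.1.2     10     untagged   static
fe.1.3     1      tagged     static
fe.1.3     100    tagged     dynamic
fe.1.24    100    tagged     static
"""

# One data row: port string, VLAN id, egress status, registration status.
ROW = re.compile(
    r"^(?P<port>[a-z]+\.\d+\.\d+)\s+(?P<vlan>\d+)\s+(?P<egress>\S+)\s+(?P<reg>\S+)\s*$"
)

Row = Tuple[str, int, str, str]


def parse_port_egress(text: str) -> List[Row]:
    """Return (port, vlan_id, egress_status, registration_status) per data row.

    Heading and rule lines do not match the port pattern and are skipped.
    """
    rows: List[Row] = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows.append((match["port"], int(match["vlan"]), match["egress"], match["reg"]))
    return rows


def egress_members(rows: List[Row], vlan_id: int) -> Dict[str, str]:
    """Map port -> registration status for every port that may transmit vlan_id."""
    return {port: reg for port, vid, _egress, reg in rows if vid == vlan_id}


def audit_host_vlan(text: str, host_vlan: int, allowed_ports: Set[str]):
    """Return (unexpected, dynamic, missing, commands) for the host VLAN.

    unexpected: ports on the egress list that are not in allowed_ports
    dynamic:    ports whose membership was learned rather than set statically
    missing:    allowed ports that are not on the egress list at all
    commands:   `set vlan egress` lines that forbid the VLAN on each unexpected port
    """
    members = egress_members(parse_port_egress(text), host_vlan)
    unexpected = sorted(p for p in members if p not in allowed_ports)
    dynamic = sorted(p for p, reg in members.items() if reg != "static")
    missing = sorted(p for p in allowed_ports if p not in members)
    commands = [f"set vlan egress {host_vlan} {p} forbidden" for p in unexpected]
    return unexpected, dynamic, missing, commands


if __name__ == "__main__":
    unexpected, dynamic, missing, commands = audit_host_vlan(
        SAMPLE_SHOW_PORT_EGRESS, host_vlan=100, allowed_ports={"fe.1.24"}
    )
    print("unexpected:", unexpected, "dynamic:", dynamic, "missing:", missing)
    for cmd in commands:
        print(cmd)
```

Paste the real `show port egress` output into `SAMPLE_SHOW_PORT_EGRESS` and set `allowed_ports` to the ports that are supposed to reach the management station; a non-empty `dynamic` list is worth a look on its own, since a statically planned management VLAN should not be gaining members by registration.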
Enabling/Disabling GVRP (GARP VLAN Registration Protocol) About GARP VLAN Registration Protocol (GVRP) The following sections describe the device operation when its ports are operating under the Generic Attribute Registration Protocol (GARP) application, GARP VLAN Registration Protocol (GVRP). Overview The purpose of GVRP is to dynamically create VLANs across a switched network. Because a port registers VLANs from the declarations it receives from the device attached to it, GVRP should be enabled only on ports that face switches under your control.
Figure 10-1 Example of VLAN Propagation via GVRP (Switch 1 through Switch 5 and End Station A; R = Port registered as a member of VLAN Blue, D = Port declaring VLAN Blue). Purpose To dynamically create VLANs across a switched network.
show gvrp Use this command to display GVRP configuration information. Syntax show gvrp [port-string] Parameters port-string (Optional) Displays GVRP configuration information for specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. Defaults If port-string is not specified, GVRP configuration information will be displayed for all ports and the device. Mode Switch command, read-only.
Example This example shows how to display GARP timer information on ports 1 through 10 in slot 1: Note: For a functional description of the terms join, leave, and leaveall timers, refer to the standard IEEE 802.1Q documentation, which is not supplied with this device.
B2(su)->show garp timer fe.1.1-10
Port based GARP Configuration: (Timer units are centiseconds)
Port Number   Join         Leave        Leaveall
-----------   ----------   ----------   ---------
fe.1.1        20           60           1000
fe.1.2        20           60           1000
fe.1.3        20           60           1000
fe.1.
Mode Switch command, read-write. Examples This example shows how to enable GVRP globally on the device:
B2(su)->set gvrp enable
This example shows how to disable GVRP globally on the device:
B2(su)->set gvrp disable
This example shows how to enable GVRP on fe.1.3:
B2(su)->set gvrp enable fe.1.3
clear gvrp Use this command to clear GVRP status globally or on one or more ports. Syntax clear gvrp [port-string] Parameters port-string (Optional) Clears GVRP status on specific port(s).
leaveall timer-value Sets the GARP leaveall timer in centiseconds (refer to the 802.1Q standard). port-string Specifies the port(s) on which to configure GARP timer settings. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. Defaults None. Mode Switch command, read-write. Usage The setting of these timers is critical and should only be changed by personnel familiar with the 802.
11 Differentiated Services Configuration This chapter describes the Differentiated Services (Diffserv) set of commands and how to use them. Note: Diffserv will not be available if a Policy License is activated on the SecureStack B2. When a Policy License is activated, it enables Policy, which takes the place of Diffserv. Refer to the chapter entitled “Activating Licensed Features” for more information on licensing.
Globally Enabling or Disabling Diffserv Purpose To globally enable or disable Diffserv on the device. Command For information about... Refer to page...
set diffserv adminmode 11-2
set diffserv adminmode Use this command to globally enable or disable Diffserv on the device. By default, this function is disabled at device startup. Syntax set diffserv adminmode {enable | disable} Parameters enable | disable Enables or disables Diffserv. Defaults None.
Creating Diffserv Classes and Matching Conditions Purpose To review, create, and configure Diffserv classes and matching conditions. Commands For information about... Refer to page...
show diffserv info 11-3
show diffserv class 11-4
set diffserv class create 11-4
set diffserv class delete 11-5
set diffserv class match 11-5
set diffserv class rename 11-8
show diffserv info Use this command to display general Diffserv status information.
show diffserv class Use this command to display information about Diffserv classes. Syntax show diffserv class {summary | detailed classname} Parameters summary Displays a summary of Diffserv class information. detailed classname Displays detailed Diffserv information for a specific class. Defaults None. Mode Switch command, read-only. Example This example shows how to display a summary of Diffserv class information.
Example This example shows how to create a Diffserv class called “admin”:
B2(rw)->set diffserv class create all admin
set diffserv class delete Use this command to delete a Diffserv class and remove any match assigned to the class. Syntax set diffserv class delete classname Parameters classname Specifies the class name to be deleted. Defaults None. Mode Switch command, read-write. Usage You cannot use this command to delete a class that has been assigned to a policy.
set diffserv class match Parameters every classname Matches all packets to a specific class. dstmac | srcmac classname macaddr macmask Matches to a specific class based on destination or source MAC address. dstip | srcip classname ipaddr ipmask Matches to a specific class based on destination or source IP address. dstl4port | srcl4port keyword classname keyword, or dstl4port | srcl4port number classname portnumber Matches to a specific class based on a destination or source layer 4 port given as a keyword or as a port number.
Table 11-28 Valid IP DSCP Numeric and Keyword Values
Code Point Map   Numeric Value              Keyword (Usage)
b'000000         0                          be (best effort)
b'xxx000         0,8,16,24,32,40,48,56      cs0 - cs7 (Class Selector PHB)
b'001xx0         10,12,14                   af11, af12, af13 (Assured Forwarding)
b'010xx0         18,20,22                   af21, af22, af23 (Assured Forwarding)
b'011xx0         26,28,30                   af31, af32, af33 (Assured Forwarding)
b'100xx0         34,36,38                   af41, af42, af43 (Assured Forwarding)
b'101110         46                         ef (Expedited Forwarding)
Defaults N
– Destination IP address (dstip)
– VLAN ID (vlan)
Note: The match type every will work with any group. You cannot create and add a class to a policy before adding any rules (match conditions) to the class. Once a class is added to a policy, you cannot add any more rules (match conditions) to the class. You cannot create outbound policies. You can only add rules that fit into the same category (shown in the groupings above) to a class.
Example This example shows how to rename the Diffserv “admin” class to “system”:
B2(rw)->set diffserv class rename admin system
Configuring Diffserv Policies and Assigning Classes Purpose To review, create, and configure Diffserv policies and assign classes. Commands For information about... Refer to page...
Example This example shows how to display a summary of Diffserv policy information. In this case, there is one policy named “admin”, to which members of the “admin” class have been assigned.
Mode Switch command, read-write. Usage In order to delete a policy you must first remove the service port(s) assigned to the policy using the set diffserv service remove command as described in “set diffserv service” on page 11-16. Example This example shows how to delete the Diffserv “admin” policy:
B2(rw)->set diffserv policy delete admin
set diffserv policy class Use this command to add a Diffserv class to, or remove it from, a specified policy.
Parameters ipdscp | ipprecedence Specifies that packets will be marked with either an IP DSCP or precedence value. policyname Specifies the policy name being configured. classname Specifies a Diffserv class to associate to this policy. value Specifies an IP DSCP or precedence value. Valid numeric or keyword DSCP values can be entered as listed in Table 11-28. Valid precedence values are: 0 - 7. Defaults None. Mode Switch command, read-write.
set diffserv policy police action conform Use this command to configure traffic policing actions for packets that conform to associated Diffserv classifications. Syntax set diffserv policy police action conform {drop | send policyname classname} | {markdscp | markprec policyname classname value} Parameters drop | send Specifies whether the policing action for packets conforming to the classification parameters will be to drop or send packets.
policyname Specifies the policy name being configured. classname Specifies a Diffserv class to associate to this policing action. markdscp | markprec Specifies a policing action based on IP DSCP or precedence. value Specifies an IP DSCP or precedence value set with the set diffserv policy mark command (page 11-11). Defaults None. Mode Switch command, read-write.
Commands For information about... Refer to page...
show diffserv service info 11-15
show diffserv service stats 11-15
set diffserv service 11-16
show diffserv service info Use this command to display information about Diffserv service ports. Syntax show diffserv service info {summary | detailed port-string} {in} Parameters summary Displays Diffserv service port summary information. detailed port-string Displays detailed information for a specific port(s).
Parameters summary Displays a summary of Diffserv service statistics. detailed port-string Displays detailed statistics for a specific port. in Displays information about incoming traffic. Defaults None. Mode Switch command, read-only. Example This example shows how to display detailed incoming traffic statistics for service port ge.1.1:
B2(rw)->show diffserv service stats detailed ge.1.1 in
Interface...................................... ge.1.1
Direction...................
DiffServ Configuration Examples Typically, you would use the Diffserv command set to complete configuration tasks in the following order:
1. Enable DiffServ.
2. Create a Class.
3. Create one or more classification rules within the Class.
4. Create a Policy.
5. Add one or more Classes to the Policy.
6. Add Policing (Conforming/Non-conforming, Drop/Forward, Rate Limit, Precedence/DSCP Rewrite) actions or just Marking (Precedence/DSCP Rewrite) actions to the Policy.
12 Policy Classification Configuration This chapter describes the Policy Classification set of commands and how to use them. Note: A license is required to enable Policy on the SecureStack B2 switch. Refer to the chapter entitled “Activating Licensed Features” for more information. However, configuring CoS-based flood control does not require a policy license. For information about... Refer to page...
Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are configured on mixed stacks containing B3 and C3 devices. Commands For information about... Refer to page...
show policy profile 12-2
set policy profile 12-3
clear policy profile 12-4
show policy profile Use this command to display policy profile information.
(continuation of show policy profile output; the field name for the rule-type list was not captured)
                       :IPDest(13),IPFrag(14),UDPSrcPort(15),
                       :UDPDestPort(16),TCPSrcPort(17),TCPDestPort(18),
                       :ICMPType(19),Unknown(20),IPTOS(21),
                       :IPProto(22),Unknown(23),Unknown(24),
                       :Ether(25),Unknown(26),VLANTag(27),
                       :Unknown(28),Unknown(29),Unknown(30),
                       :port(31)
Admin Profile Usage    :none
Oper Profile Usage     :none
Dynamic Profile Usage  :none
Table 12-29 provides an explanation of the command output. Table 12-29 show policy profile Output Details Output Field What It Displays...
Parameters profile-index Specifies an index number for the policy profile. Valid values are 1 - 255. name name (Optional) Specifies a name for the policy profile. This is a string from 1 to 64 characters. pvid-status enable | disable (Optional) Enables or disables PVID override for this profile. If all classification rules associated with this profile are missed, then this parameter, if specified, determines default behavior.
clear policy profile Defaults None. Mode Switch command, read‐write.
Configuring Classification Rules Purpose To review, create, assign, and unassign classification rules to policy profiles. This maps user profiles to protocol-based frame filtering policies. Note: B3, C3, and G3 devices support profile-based CoS traffic rate limiting only. Policy rules specifying CoS will only rate limit on D2, C2 and B2 devices, including when C2 and B2 devices are configured on mixed stacks containing B3 and C3 devices. Commands For information about...
tcpdestport Displays TCP destination port rules. tcpsourceport Displays TCP source port rules. udpdestport Displays UDP destination port rules. udpsourceport Displays UDP source port rules. data Displays rules for a predefined classifier. This value is dependent on the classification type entered. Refer to Table 12-31 for valid values for each classification type. mask mask (Optional) Displays rules for a specific data mask.
(show policy rule output, one row per port; the column headings were not captured)
|admin|Port |fe.1.1  |16|fe.1.1
|admin|Port |fe.1.2  |16|fe.1.2
|admin|Port |fe.1.3  |16|fe.1.3
|admin|Port |fe.1.4  |16|fe.1.4
|admin|Port |fe.1.5  |16|fe.1.5
|admin|Port |fe.1.6  |16|fe.1.6
|admin|Port |fe.1.7  |16|fe.1.7
|admin|Port |fe.1.8  |16|fe.1.8
|admin|Port |fe.1.9  |16|fe.1.9
|admin|Port |fe.1.10 |16|fe.1.10
|admin|Port |fe.1.11 |16|fe.1.11
|admin|Port |fe.1.12 |16|fe.1.
show policy capability Mode Switch command, read‐only. Usage Use this command to display detailed policy classification capabilities supported by your SecureStack B2 device. The output of this command shows a table listing classifiable traffic attributes and the type of actions, by rule type, that can be executed relative to each attribute. Above the table is a list of all the actions possible on this device. The left‐most column of the table lists all possible classifiable traffic attributes.
(continuation of the show policy capability table; the action column headings were not captured)
|Ether II packet type |   |   | X | X | X | X |   |   |   |
|LLC DSAP/SSAP/CTRL   |   |   |   |   |   |   |   |   |   |
|VLAN tag             |   |   |   |   |   |   |   |   |   |
|Replace tci          |   |   |   |   |   |   |   |   |   |
|Port string          | X | X | X | X | X | X |   |   |   |
=============================================================
set policy rule Use this command to assign incoming untagged frames to a specific policy profile and to VLAN or Class-of-Service classification rules.
profile-index Specifies a policy profile number to which this rule will be assigned. Policy profiles are configured with the set policy profile command as described in “set policy profile” on page 12-3. Valid profile-index values are 1 - 255. ether Specifies that the rule should apply to traffic with the specified type field in an Ethernet II packet. icmptype Classifies based on ICMP type.
Usage An admin rule can be used to map incoming tagged frames to a policy role (profile). There can be only one admin rule configured per system (stack). Typically, this rule is used to implement the “User + IP phone” feature. Refer to “Configuring Multi-User Authentication (User + IP phone)” on page 19-33 for more information.
This example shows how to use Table 12-31 to assign a rule to policy profile 1 that will drop IP source traffic from IP address 1.2.3.4. If mask 32 is not specified as shown, a default mask of 48 bits (IP address + port) would be applied, so the rule would not match on the address alone:
B2(su)->set policy rule 1 ipsourcesocket 1.2.3.4 mask 32 drop
clear policy rule Use this command to delete policy classification rule entries.
udpdestport Deletes the associated UDP destination port classification rule. udpsourceport Deletes the associated UDP source port classification rule. Defaults When applicable, data and mask must be specified for individual rules to be cleared. Mode Switch command, read-write.
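To avoid the default-mask pitfall noted in the set policy rule example above, an added example that is not code from the guide: the Python helper below turns a list of IPv4 hosts or CIDR networks into `set policy rule <profile> ipsourcesocket <address> mask <bits> drop` commands with the mask always stated explicitly. The guide only shows `mask 32` for a single host and says that the 48-bit default covers IP address plus port; the helper assumes, as a generalization beyond the page, that the mask is a count of significant bits taken from the left of that 48-bit field, so a /24 network is written as `mask 24`. Profile index 1 and the block-list entries are constructed for the example.

```python
"""Generate ipsourcesocket drop rules with an explicit mask.

Added example; not code from the Enterasys guide. The guide warns that
`set policy rule <profile> ipsourcesocket <ip> drop` without `mask 32`
gets the default 48-bit mask (IP address + L4 port), so a rule meant for
a whole host would also require the port bits to match. Every command
emitted here therefore carries `mask`. ASSUMPTION (not stated on the
page): the mask is a count of significant bits from the left of the
48-bit IP+port field, so a /24 network maps to `mask 24`; the guide
only shows the /32 case.
"""
import ipaddress
from typing import Iterable, List

IP_BITS = 32        # mask 32 covers the IP address only (per the guide)
IP_PORT_BITS = 48   # the device default when mask is omitted (per the guide)
PROFILE_MIN, PROFILE_MAX = 1, 255   # valid profile-index range (per the guide)


def mask_bits(network: ipaddress.IPv4Network) -> int:
    """Significant bits for a rule matching every host and any L4 port in `network`.

    A single host is a /32 and yields 32; a /24 yields 24 (assumption above).
    """
    return network.prefixlen


def needs_explicit_mask(mask: int) -> bool:
    """True when omitting `mask` would change the rule's meaning (anything but 48)."""
    return mask != IP_PORT_BITS


def ipsourcesocket_drop_rules(profile_index: int, blocklist: Iterable[str]) -> List[str]:
    """Return one `set policy rule` command per block-list entry.

    Entries may be hosts ("1.2.3.4") or networks ("10.0.0.0/8"); host bits in a
    network entry are cleared (strict=False). Non-IPv4 entries raise ValueError
    because ipsourcesocket classifies on a 32-bit IPv4 address.
    """
    if not PROFILE_MIN <= profile_index <= PROFILE_MAX:
        raise ValueError(f"profile-index must be {PROFILE_MIN}-{PROFILE_MAX}")
    commands: List[str] = []
    for entry in blocklist:
        network = ipaddress.ip_network(entry, strict=False)
        if network.version != 4:
            raise ValueError(f"ipsourcesocket takes IPv4 addresses only: {entry}")
        commands.append(
            f"set policy rule {profile_index} ipsourcesocket "
            f"{network.network_address} mask {mask_bits(network)} drop"
        )
    return commands


# Constructed block-list for the example (not from the guide).
SAMPLE_BLOCKLIST = ["1.2.3.4", "10.0.0.0/8", "192.168.5.77/24"]

if __name__ == "__main__":
    for cmd in ipsourcesocket_drop_rules(1, SAMPLE_BLOCKLIST):
        print(cmd)
```

The generated lines are meant to be pasted at the `B2(su)->` prompt; verify the result with `show policy rule`, which lists the data and mask of each rule, before relying on the drop.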
Assigning Ports to Policy Profiles Note: The B2 switch supports up to three user policies per port. Purpose To assign and unassign ports to policy profiles. Commands For information about... Refer to page...
set policy port 12-15
clear policy port 12-16
set policy port Use this command to assign ports to a policy profile. Syntax set policy port port-string profile-index Parameters port-string Specifies the port(s) to add to the policy profile.
clear policy port Use this command to remove a policy profile from one or more ports. Syntax clear policy port port-string profile-index Parameters port-string Specifies the port(s) from which to remove the policy profile. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. profile-index Specifies the ID of the policy profile (role) to remove from the port(s).
Configuring Policy Class of Service (CoS) Note: It is recommended that you use Enterasys Networks NetSight Policy Manager as an alternative to CLI for configuring policy-based CoS on the switches. The SecureStack B2 supports Class of Service (CoS), which allows you to assign mission-critical data a higher priority through the device by delaying less critical traffic during periods of congestion.
B2(su)->show cos port-config
Inbound Rate Limiting Port Configuration Entries
----------------------------------------------------------------------
Port Group Name :Default
Port Group      :0
Port Type       :0
Assigned Ports  :none
----------------------------------------------------------------------
Port Group Name :Users
Port Group      :1
Port Type       :0
Assigned Ports  :fe.1.
(tail of a show cos port-resource listing for port group 2.0: resource indexes 2, 3, ..., 97, 98, 99, type irl, action none; the remaining columns were not captured)
4. In the CoS settings table, configure a CoS setting for CoS index 1, which has a priority of 0. We enter the IRL reference created in the previous step.
B2(su)->set cos state enable
B2(su)->set cos port-resource flood-ctrl 1.0 broadcast rate 5
B2(su)->set cos port-config flood-ctrl 1.0 ports fe.1.2;fe.2.2 append
Commands For information about... Refer to page...
Mode Switch command, read-write. Example This example shows how to enable Class of Service:
B2(rw)->set cos state enable
show cos state Use this command to display the Class of Service enable state. Syntax show cos state Parameters None. Defaults None. Mode Switch command, read-only.
Example This example shows how to clear the CoS state back to its default setting of disabled:
B2(su)->clear cos state
set cos settings Use this command to configure a Class of Service entry in the CoS settings table. Syntax set cos settings cos-index priority priority [tos-value tos-value] [irl-reference irl-reference] Parameters cos-index Specifies a Class of Service entry. Valid values are 0 to 255. priority priority Specifies an 802.1d priority value.
• IRL Reference The CoS IRL reference field is optional, as rate limits are not required. The IRL reference does not itself assign an inbound rate limit but points to the CoS IRL Reference Mapping Table. This reference may be thought of as the virtual rate limiter that selects the physical rate limiter defined by the IRL Reference Mapping Table.
set cos port-config Defaults If not specified, all CoS entries will be displayed. Mode Switch command, read‐only.
Mode Switch command, read-write. Usage CoS port groups are identified by group number and the type of ports in the group, in the form of group#.port-type. The port group 0.0 exists by default. This default port group cannot be removed and all physical ports in the system are assigned to it. Up to seven additional port groups (1 through 7) can be configured. Currently, only one port type (type 0) is supported. This port type supports 100 limiters.
Mode Switch command, read-only. Example This example shows all inbound rate limiting port groups. Note that ports fe.1.1 through fe.1.48 were removed from the default port group 0.0 when they were added to port groups 1.0 and 2.0.
Defaults None. Mode Switch command, read-write. Usage The default port group 0.0 cannot be deleted. Example This example deletes all IRL port groups except for the default group 0.0:
B2(su)->clear cos port-config irl all
set cos port-resource irl Use this command to set the inbound rate limit parameters for a specific IRL resource for a specific port group.
Usage CoS port resources are where actual physical rate limiters are configured. Resources map directly to the number of rate limiters supported by the port type. (Port type 0 supports 100 IRL resources.) Resources exist for each port group and are indexed as group#.port-type.irl-index. Port resources are not initially configured as rate limiting. Inbound rate limiting, or rate policing, simply drops or clips inbound traffic if a configured rate is exceeded.
Usage CoS port resources are where actual physical rate limiters are configured. This command can be used to create up to three different flood control limit resources for the port-type index of 0. The resources are assigned to specific ports with the set cos port-config command. Example This example creates a port resource broadcast rate limiter of 5 packets per second for the port group type index of 1.0 (group # 1 of port-type index 0).
B2(su)->set cos port-resource flood-ctrl 1.
(tail of show cos port-resource irl output; the column headings were not captured)
2.0   1   irl   kbps   10000   drop   none
This example displays the flood control resources configured for group 0.0.
B2(su)->show cos port-resource flood-ctrl 0.0
'?' after the rate value indicates an invalid rate value
Group     Resource Index
--------- --------------
0.0       ucast
0.0       mcast
0.
clear cos port-resource flood-ctrl Use this command to clear flood control port resources to default values. Syntax clear cos port-resource flood-ctrl {all | group-type-index {unicast | multicast | broadcast | all [rate]}} Parameters all Clears all flood control resources for all port groups. group-type-index Specifies a port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7.
Parameters irl Specifies that an IRL reference is being configured. group-type-index Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0. reference IRL reference number associated with this entry.
Parameters irl (Optional) Specifies that inbound rate limiting reference information should be displayed. group-type-index (Optional) Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0.
group-type-index Specifies an inbound rate limiting port group/type index. Valid entries are in the form of group#.port-type. Valid values for group# can range from 0 to 7. Valid values for port-type can range from 0 to 1, although only port type 0 is currently supported. For example, port group 3 would be specified as 3.0. reference Clears a specific reference for the specified port group. Defaults None. Mode Switch command, read-write.
Port Type   Type   Unit   Maximum Rate   Minimum Rate   Granularity
---------   ----   ----   ------------   ------------   -----------
0           irl    Kbps   1000000        64             1
This example shows flood control unit information.
Defaults If no parameters are specified, inbound rate limiting and flood control information for all port types is displayed. Mode Switch command, read-only. Usage The B2 implementation provides one default port type (0) for designating available inbound rate limiting or flood control resources. Port type 0 includes all ports. The port type 0 IRL description is “C2 100 IRL,” which indicates that this port type provides a maximum of 100 inbound rate limiting resources per port group.
13 Port Priority and Rate Limiting Configuration This chapter describes the Port Priority and Rate Limiting set of commands and how to use them. For information about... Refer to page...
• Display the current traffic class mapping-to-priority of each port.
• Set each port to transmit frames according to the 802.1D (802.1p) priority set in the frame header.
Commands For information about... Refer to page...
show port priority 13-4
set port priority 13-2
clear port priority 13-3
show port priority Use this command to display the 802.1D priority for one or more ports.
Syntax set port priority port-string priority Parameters port-string Specifies the port for which to set priority. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. priority Specifies a value of 0 to 7 to set the CoS priority for the port entered in the port-string. A priority value of 0 is the lowest priority. Defaults None. Mode Switch command, read-write.
Example This example shows how to reset fe.1.11 to the default priority:
B2(rw)->clear port priority fe.1.11
Configuring Priority to Transmit Queue Mapping Purpose To perform the following: • View the current priority to transmit queue mapping of each physical port.
Example This example shows how to display priority queue information for ge.1.1. In this case, frames with a priority of 0 are associated with transmit queue 1; frames with priority 1 or 2 are associated with transmit queue 0; and so forth:
B2(su)->show port priority-queue ge.1.1
Port       P0  P1  P2  P3  P4  P5  P6  P7
---------  --  --  --  --  --  --  --  --
ge.1.1     1   0   0   2   3   4   5   5
set port priority-queue Use this command to map 802.1D (802.1p) priorities to transmit queues.
clear port priority-queue Use this command to reset port priority queue settings back to defaults for one or more ports. Syntax clear port priority-queue port-string Parameters port-string Specifies the port for which to clear priority-to-queue mappings. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. Defaults None. Mode Switch command, read-write.
Parameters port-string (Optional) Specifies port(s) for which to display QoS settings. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. Only physical ports will be displayed. LAG ports have no transmit queue information. Defaults If the port-string is not specified, the QoS setting of all physical ports will be displayed. Mode Switch command, read-only.
Usage Queues can be set for strict priority (SP) or weighted round-robin (WRR). If set for WRR mode, weights may be assigned to those queues with this command. Weights are specified in the range of 0 to 100 percent. Weights specified for queues 0 through 7 on any port must total 100 percent. Examples This example shows how to change the arbitration values for the eight transmit queues belonging to fe.1.1:
B2(su)->set port txq fe.1.
clear port txq Example This example shows how to clear transmit queue values on fe.1.1: B2(su)->clear port txq fe.1.
Configuring Port Traffic Rate Limiting Purpose To limit the rate of inbound traffic on the SecureStack B2 device on a per port/priority basis. The allowable range for the rate limiting is 64 kilobytes per second minimum up to the maximum transmission rate allowable on the interface type. A rate limit is configured for a given port and list of priorities. The list of priorities can include one, some, or all of the eight 802.1p priority levels.
Example This example shows how to display the current rate limiting information for fe.2.1:
B2(su)->show port ratelimit fe.2.1
Global Ratelimiting status is disabled.
Port Number
-----------
fe.2.1
(one row per rate-limit entry for fe.2.1; the remaining columns were not captured)
set port ratelimit Use this command to configure the traffic rate limiting status and threshold (in kilobytes per second) for one or more ports. Syntax set port ratelimit {disable | enable} | port-string priority threshold {disable | enable} [inbound] [index] Parameters disable | enable When entered without a port-string, globally disables or enables the port rate limiting function.
clear port ratelimit Use this command to clear rate limiting parameters for one or more ports. Syntax clear port ratelimit port-string [index] Parameters port-string Specifies the port(s) on which to clear rate limiting. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2. index (Optional) Specifies the associated resource index to be reset. Defaults If not specified, all index entries will be reset.
14 IGMP Configuration This chapter describes the IGMP Configuration set of commands and how to use them. For information about... Refer to page...
IGMP Overview 14-1
Configuring IGMP at Layer 2 14-2
IGMP Overview About IP Multicast Group Management The Internet Group Management Protocol (IGMP) runs between hosts and their immediately neighboring multicast device.
multicast switch/router it passes through to ensure that traffic is only passed to the hosts that subscribed to this service. Configuring IGMP at Layer 2 Purpose To configure IGMP snooping from the switch CLI. Commands For information about... Refer to page...
the system, refer to “set igmpsnooping adminmode” on page 14-3. For information on enabling IGMP on one or more ports, refer to “set igmpsnooping interfacemode” on page 14-3. Example This example shows how to display IGMP snooping information:
B2(su)->show igmpsnooping
Admin Mode.....................................
Group Membership Interval......................
Max Response Time..............................
Multicast Router Present Expiration Time.......
set igmpsnooping groupmembershipinterval Parameters port‐string Specifies one or more ports on which to enable or disable IGMP. enable | disable Enables or disables IGMP. Defaults None. Mode Switch command, read‐write. Usage In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device using the set igmpsnooping adminmode command as described in “set igmpsnooping adminmode” on page 14‐3, and then enabled on a port(s) using this command.
set igmpsnooping maxresponse Example This example shows how to set the IGMP group membership interval to 250 seconds: B2(su)->set igmpsnooping groupmembershipinterval 250 set igmpsnooping maxresponse Use this command to configure the IGMP query maximum response time for the system. Syntax set igmpsnooping maxresponse time Parameters time Specifies the IGMP maximum query response time. Valid values are 100 ‐ 255 seconds. The default value is 100 seconds.
set igmpsnooping add-static Defaults None. Mode Switch command, read‐write. Usage This timer is for expiring the switch from the multicast database. If the timer expires, and the only address left is the multicast switch, then the entry will be removed.
set igmpsnooping remove-static
This command deletes a static IGMP entry or removes one or more ports from an existing entry.
Syntax
set igmpsnooping remove-static group vlan-list [modify] [port-string]
Parameters
group   Specifies the multicast group IP address of the entry.
vlan‐list   Specifies the VLANs on which the entry is configured.
modify   (Optional) Removes the specified port or ports from an existing entry.
Example
This example displays the static IGMP ports for VLAN 20.
B2(su)->show igmpsnooping static 20
-------------------------------------------------------------------------------
Vlan Id = 20
Static Multicast Group Address = 233.11.22.33   Type = IGMP
IGMP Port List = fe.1.1
show igmpsnooping mfdb
Use this command to display multicast forwarding database (MFDB) information.
Syntax
show igmpsnooping mfdb [stats]
Parameters
stats   (Optional) Displays MFDB statistics.
clear igmpsnooping Defaults None. Mode Switch command, read‐write. Example This example shows how to clear all IGMP snooping entries: B2(su)->clear igmpsnooping Are you sure you want to clear all IGMP snooping entries? (y/n) y IGMP Snooping Entries Cleared.
15 Logging and Network Management This chapter describes switch‐related logging and network management commands and how to use them. Note: The commands in this chapter pertain to network management of the SecureStack B2 device from the switch CLI only. For information about... Refer to page...
show logging server For information about... Refer to page... clear logging application 15-8 show logging local 15-9 set logging local 15-9 clear logging local 15-10 show logging buffer 15-10 show logging server Use this command to display the Syslog configuration for a particular server. Syntax show logging server [index] Parameters index (Optional) Displays Syslog information pertaining to a specific server table entry. Valid values are 1‐8.
set logging server set logging server Use this command to configure a Syslog server. Syntax set logging server index [ip-addr ip-addr] [facility facility] [severity severity] [descr descr] [port port] [state {enable | disable}] Parameters index Specifies the server table index number for this server. Valid values are 1 ‐ 8. ip‐addr ip‐addr (Optional) Specifies the Syslog message server’s IP address. facility facility (Optional) Specifies the server’s facility name.
clear logging server Example This command shows how to enable a Syslog server configuration for index 1, IP address 134.141.89.113, facility local4, severity level 3 on port 514: B2(su)->set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable clear logging server Use this command to remove a server from the Syslog server table. Syntax clear logging server index Parameters index Specifies the server table index number for the server to be removed.
Example
This command shows how to display the Syslog server default values. For an explanation of the command output, refer back to Table 15‐33 on page 15‐2.
B2(su)->show logging default
Defaults:
Facility   Severity     Port
----------------------------------------
local4     warning(5)   514
set logging default
Use this command to set logging default values.
clear logging default
Use this command to reset logging default values.
Syntax
clear logging default {[facility] [severity] [port]}
Parameters
facility   (Optional) Resets the default facility name to local4.
severity   (Optional) Resets the default logging severity level to 6 (notifications of significant conditions).
port   (Optional) Resets the default UDP port the client uses to send to the server to 514.
Defaults
At least one optional parameter must be entered.
Mode
Switch command, read‐only.
Example
This example shows how to display system logging information pertaining to the SNMP application.
B2(ro)->show logging application SNMP
Application              Current Severity Level
--------------------------------------------
90 SNMP                  6
1(emergencies)  2(alerts)  3(critical)  4(errors)  5(warnings)  6(notifications)  7(information)  8(debugging)
Table 15‐34 provides an explanation of the command output.
clear logging application level level (Optional) Specifies the severity level at which the server will log messages for applications.
show logging local Parameters mnemonic Resets the severity level for a specific application to 6. Valid mnemonic values and their corresponding applications are listed in Table 15‐35 on page 15‐8. all Resets the severity level for all applications to 6. Defaults None. Mode Switch command, read‐write. Example This example shows how to reset the logging severity level to 6 for SNMP.
clear logging local Parameters console enable | disable Enables or disables logging to the console. file enable | disable Enables or disables logging to a persistent file. Defaults None. Mode Switch command, read‐write. Example This command shows how to enable logging to the console and disable logging to a persistent file: B2(su)->set logging local console enable file disable clear logging local Use this command to clear the console and persistent store logging for the local session.
Defaults
None.
Mode
Switch command, read‐only.
Example
This example shows a portion of the information displayed with the show logging buffer command:
B2(su)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.
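The buffer lines above are ordinary syslog records: the <165> prefix is the RFC 3164 PRI value, facility * 8 + severity, and decoding it shows how the 1‐8 level numbering the switch uses (1 emergencies ... 8 debugging) relates to the 0‐7 syslog severities: 165 is facility 20 (local4, the switch default) with severity 5, which the switch calls level 6, notifications. The buffer is also the first place to look for repeated failed logins. The following Python is an added example, not part of the guide or of the switch firmware; the log lines it parses are constructed to match the format shown above (addresses are made up), and the facility and severity names follow RFC 3164 except for the 1‐8 scale quoted from the guide.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# RFC 3164 facility codes 0-23; 16-23 are local0-local7 (the B2 default local4 is 20).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# RFC 3164 severities are 0-7; the B2 CLI numbers the same levels 1-8
# (1 emergencies ... 8 debugging), so cli_level = rfc_severity + 1.
SEVERITIES = [
    "emergencies", "alerts", "critical", "errors",
    "warnings", "notifications", "information", "debugging",
]

# <PRI>Mon dd hh:mm:ss host message  -- the shape of the show logging buffer lines
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"failed login from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample buffer (not captured from a real device); addresses are made up.
SAMPLE_BUFFER = """\
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122 (telnet)
<165>Sep 4 07:43:24 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.9 (telnet)
<165>Sep 4 07:43:31 10.42.71.13 CLI[5]User: debug failed login from 10.4.1.9 (telnet)
<165>Sep 4 07:43:40 10.42.71.13 CLI[5]User: admin failed login from 10.4.1.9 (telnet)
<165>Sep 4 07:44:02 10.42.71.13 CLI[5]User: ro failed login from 10.2.1.122 (telnet)
<163>Sep 4 07:44:10 10.42.71.13 CLI[5]User: rw session timed out
"""


class Entry(NamedTuple):
    facility: str
    cli_level: int      # 1-8, the scale show logging application displays
    severity: str
    timestamp: str
    host: str
    message: str


def parse_entry(line: str) -> Optional[Entry]:
    """Decode one buffer line; return None for lines that are not syslog records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return Entry(FACILITIES[facility], severity + 1, SEVERITIES[severity],
                 m.group("ts"), m.group("host"), m.group("msg"))


def failed_logins(buffer: str) -> Dict[str, int]:
    """Count 'failed login' records per source address."""
    counts: Counter = Counter()
    for line in buffer.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        fm = FAILED_RE.search(entry.message)
        if fm:
            counts[fm.group("src")] += 1
    return dict(counts)


def suspicious_sources(buffer: str, threshold: int = 3) -> List[str]:
    """Sources with at least `threshold` failed logins: candidates for password guessing."""
    return sorted(src for src, n in failed_logins(buffer).items() if n >= threshold)


if __name__ == "__main__":
    print(parse_entry(SAMPLE_BUFFER.splitlines()[0]))   # local4, level 6 (notifications)
    print(failed_logins(SAMPLE_BUFFER))
    print(suspicious_sources(SAMPLE_BUFFER))
```

The threshold is a starting point, not a rule: on a switch whose only management path is Telnet, three failures from one address inside a minute is already worth a look, and the same parser can be pointed at a Syslog collector's copy of these records once set logging server is in place.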
Monitoring Network Events and Status Monitoring Network Events and Status Purpose To display switch events and command history, to set the size of the history buffer, and to display and disconnect current user sessions. Commands For information about... Refer to page... history 15-12 show history 15-13 set history 15-13 ping 15-14 show users 15-14 disconnect 15-15 show netstat 15-15 history Use this command to display the contents of the command history buffer.
show history
Use this command to display the size (in lines) of the history buffer.
Syntax
show history
Parameters
None.
Defaults
None.
Mode
Switch command, read‐only.
Example
This example shows how to display the size of the history buffer:
B2(su)->show history
History buffer size: 20
set history
Use this command to set the size of the history buffer.
Syntax
set history size [default]
Parameters
size   Specifies the size of the history buffer in lines. Valid values are 1 to 100.
ping
Use this command to send ICMP echo‐request packets to another node on the network from the switch CLI.
Syntax
ping host
Parameters
host   Specifies the IP address of the device to which the ping will be sent.
Defaults
None.
Mode
Switch command, read‐write.
Examples
This example shows how to ping IP address 134.141.89.29. In this case, this host is alive:
B2(su)->ping 134.141.89.29
134.141.89.29 is alive
In this example, the host at IP address is not responding:
B2(su)->ping 134.141.89.
B2(su)->show users
  Session   User   Location
  --------  -----  -------------------------
* telnet    rw     134.141.192.119
  telnet    rw     134.141.192.18
disconnect
Use this command to close an active console port or Telnet session from the switch CLI.
Syntax
disconnect {ip-addr | console}
Parameters
ip‐addr   Specifies the IP address of the Telnet session to be disconnected. This address is displayed in the output shown in “show users” on page 15‐14.
console   Closes an active console port.
Defaults
None.
Example
The following example shows the output of this command.
B2(su)->show netstat
Prot  Local Address          Foreign Address
----  ---------------------  ---------------------
TCP   127.0.0.1.2222         0.0.0.0.*
TCP   0.0.0.0.80             0.0.0.0.*
TCP   0.0.0.0.23             0.0.0.0.*
TCP   10.1.56.17.23          134.141.99.104.47718
UDP   0.0.0.0.17185          0.0.0.0.*
UDP   127.0.0.1.49152        127.0.0.1.17185
UDP   0.0.0.0.161            0.0.0.0.*
UDP   0.0.0.0.*              0.0.0.0.*
UDP   0.0.0.0.514            0.0.0.0.*
The following table describes the output of this command.
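Because show netstat lists every socket the switch has open, it doubles as a quick exposure check: a socket bound to 0.0.0.0 with a wildcard peer is reachable from any interface, while 127.0.0.1 entries are loopback-only and cannot be reached remotely. The Python below is an added example, not code from the guide or the switch: it parses the output above (reproduced as a constructed string), classifies the well-known management ports, and lists established sessions with their remote peers. The service names for TCP 23, TCP 80 and UDP 161 are the standard assignments (Telnet and HTTP send credentials in the clear; SNMPv1/v2c community strings likewise); the port 514 note comes from the guide's own statement that 514 is the default UDP port the Syslog client sends from, so that socket is outbound rather than a listener; UDP 17185 is not identified anywhere on the page and is deliberately reported as unrecognized rather than guessed at.

```python
from typing import List, NamedTuple, Optional, Tuple


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: Optional[int]    # None when the switch prints '*'
    foreign_ip: str
    foreign_port: Optional[int]


class Finding(NamedTuple):
    proto: str
    port: int
    service: str
    cleartext: bool              # credentials or community strings travel unencrypted


# Management services a reviewer expects on a switch. Anything else is reported
# as "unrecognized" so it is investigated rather than silently accepted.
SERVICES = {
    ("TCP", 23): ("telnet", True),
    ("TCP", 80): ("http", True),
    ("UDP", 161): ("snmp (v1/v2c community strings are cleartext)", True),
    # Per the guide, 514 is the default UDP port the syslog *client* uses to send
    # to the server, so this bound socket is the outbound syslog socket, not a listener.
    ("UDP", 514): ("syslog client", False),
}

# Constructed copy of the show netstat output reproduced in the guide, one socket per line.
SAMPLE_NETSTAT = """\
Prot Local Address        Foreign Address
---- -------------------- --------------------
TCP  127.0.0.1.2222       0.0.0.0.*
TCP  0.0.0.0.80           0.0.0.0.*
TCP  0.0.0.0.23           0.0.0.0.*
TCP  10.1.56.17.23        134.141.99.104.47718
UDP  0.0.0.0.17185        0.0.0.0.*
UDP  127.0.0.1.49152      127.0.0.1.17185
UDP  0.0.0.0.161          0.0.0.0.*
UDP  0.0.0.0.*            0.0.0.0.*
UDP  0.0.0.0.514          0.0.0.0.*
"""


def _split_addr(field: str) -> Tuple[str, Optional[int]]:
    """'10.1.56.17.23' -> ('10.1.56.17', 23); '0.0.0.0.*' -> ('0.0.0.0', None)."""
    ip, _, port = field.rpartition(".")
    return ip, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, separator, or blank line
        lip, lport = _split_addr(parts[1])
        fip, fport = _split_addr(parts[2])
        sockets.append(Socket(parts[0], lip, lport, fip, fport))
    return sockets


def exposed_services(sockets: List[Socket]) -> List[Finding]:
    """Sockets bound on every interface with no peer: reachable from the network.
    Loopback-only sockets (127.0.0.1) are skipped; they cannot be reached remotely."""
    findings = []
    for s in sockets:
        wildcard_peer = s.foreign_ip == "0.0.0.0" and s.foreign_port is None
        if s.local_ip == "0.0.0.0" and s.local_port is not None and wildcard_peer:
            name, clear = SERVICES.get((s.proto, s.local_port), ("unrecognized", False))
            findings.append(Finding(s.proto, s.local_port, name, clear))
    return sorted(findings)


def active_sessions(sockets: List[Socket]) -> List[Tuple[int, str]]:
    """Established TCP connections as (local port, remote peer), e.g. a live Telnet session."""
    return [(s.local_port, s.foreign_ip)
            for s in sockets if s.proto == "TCP" and s.foreign_port is not None]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for f in exposed_services(socks):
        print(f"{f.proto} {f.port:<6} {f.service} {'CLEARTEXT' if f.cleartext else ''}")
    print("active sessions:", active_sessions(socks))
```

Run against the guide's output, the check reports Telnet, HTTP and SNMP open on all interfaces, one unrecognized UDP listener on 17185, and one live Telnet session from 134.141.99.104; the loopback-only TCP 2222 socket is correctly left out.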
Managing Switch Network Addresses and Routes
Purpose
To display or delete switch ARP table entries, and to display MAC address information.
Commands
For information about... Refer to page...
Example
This example shows how to display the ARP table:
B2(su)->show arp
LINK LEVEL ARP TABLE
IP Address         Phys Address        Flags   Interface
-----------------------------------------------------
10.20.1.1          00-00-5e-00-01-1    S       host
134.142.21.194     00-00-5e-00-01-1    S       host
134.142.191.192    00-00-5e-00-01-1    S       host
134.142.192.18     00-00-5e-00-01-1    S       host
134.142.192.119    00-00-5e-00-01-1    S       host
-----------------------------------------------------
Table 15‐37 provides an explanation of the command output.
clear arp
Use this command to delete a specific entry or all entries from the switch’s ARP table.
Syntax
clear arp {ip-address | all}
Parameters
ip‐address | all   Specifies the IP address in the ARP table to be cleared, or clears all ARP entries.
Defaults
None.
Mode
Switch command, read‐write.
Example
This example shows how to delete entry 10.1.10.10 from the ARP table:
B2(su)->clear arp 10.1.10.
‐v   (Optional) Displays verbose output, including the size and destination of each response.
host   Specifies the host to which the route of an IP packet will be traced.
Defaults
If not specified, waittime will be set to 5 seconds. If not specified, first‐ttl will be set to 1 hop. If not specified, max‐ttl will be set to 30 hops (TTL values are hop counts, not times). If not specified, port will be set to 33434. If not specified, nqueries will be set to 3. If ‐r is not specified, normal host routing tables will be used.
show mac
Defaults
If no parameters are specified, all MAC addresses for the device will be displayed.
Mode
Switch command, read‐only.
Example
This example shows how to display MAC address information for ge.3.1:
B2(su)->show mac port ge.3.1
MAC Address        FID   Port           Type
-----------------  ----  -------------  --------
00-09-6B-0F-13-E6  15    ge.3.
Defaults
None.
Mode
Switch command, read‐only.
Example
This example shows how to display the MAC timeout period:
B2(su)->show mac agetime
Aging time: 300 seconds
set mac agetime
Use this command to set the timeout period for aging learned MAC entries.
Syntax
set mac agetime time
Parameters
time   Specifies the timeout period in seconds for aging learned MAC addresses. Valid values are 10 to 1,000,000 seconds. Default value is 300 seconds.
Defaults
None.
Mode
Switch command, read‐only.
set mac algorithm Mode Switch command, read‐only. Example This example shows how to reset the MAC timeout period to the default value of 300 seconds. B2(su)->clear mac agetime set mac algorithm Use this command to set the MAC algorithm mode, which determines the hash mechanism used by the device when performing Layer 2 lookups on received frames.
clear mac algorithm Parameters None. Defaults None. Mode Switch command, read‐only. Example This example shows the output of this command. B2(su)->show mac algorithm Mac hashing algorithm is mac-crc16-upperbits. clear mac algorithm Use this command to return the MAC hashing algorithm to the default value of mac‐crc16‐ upperbits. Syntax clear mac algorithm Parameters None. Defaults None. Mode Switch command, read‐write. Example This example resets the MAC hashing algorithm to the default value.
clear mac address Parameters mac‐address Specifies the multicast MAC address. The MAC address can be formatted as xx:xx:xx:xx:xx:xx or xx‐xx‐xx‐xx‐xx‐xx. vlan‐id Specifies the VLAN ID containing the ports. port‐string Specifies the port or range of ports the multicast MAC address can be learned on or flooded to. append | clear Appends or clears the port or range of ports from the egress port list. Defaults If no port‐string is defined, the command will apply to all ports.
show mac unreserved-flood
Use this command to display the state of multicast flood protection.
Syntax
show mac unreserved-flood
Parameters
None.
Defaults
None.
Mode
Switch command, read‐write.
Example
This example displays the status of multicast flood protection.
B2(su)->show mac unreserved-flood
mac unreserved flood is disabled.
set mac unreserved-flood
Use this command to enable or disable multicast flood protection.
Configuring Simple Network Time Protocol (SNTP) Example This example enables multicast flood protection. B2(su)->set mac unreserved-flood enable Configuring Simple Network Time Protocol (SNTP) Purpose To configure the Simple Network Time Protocol (SNTP), which synchronizes device clocks in a network. Note: A host IP address must be configured on the B2 to support SNTP. Commands For information about... Refer to page...
show sntp Defaults None. Mode Switch command, read‐only.
set sntp client Table 15-39 show sntp Output Details (Continued) Output Field What It Displays... Last SNTP Status Whether or not broadcast reception or unicast transmission and reception was successful. SNTP-Server IP address(es) of SNTP server(s). Precedence Precedence level of SNTP server in relation to its peers. Highest precedence is 1 and lowest is 10. Default of 1 can be reset using the set sntp server command (“set sntp server” on page 15-30).
set sntp server Mode Switch command, read‐write. Example This example shows how to clear the SNTP client’s operational mode: B2(su)->clear sntp client set sntp server Use this command to add a server from which the SNTP client will retrieve the current time when operating in unicast mode. Up to 10 servers can be set as SNTP servers. Syntax set sntp server ip-address [precedence] Parameters ip‐address Specifies the SNTP server’s IP address.
set sntp poll-interval Mode Switch command, read‐write. Example This example shows how to remove the server at IP address 10.21.1.100 from the SNTP server list: B2(su)->clear sntp server 10.21.1.100 set sntp poll-interval Use this command to set the poll interval between SNTP unicast requests. Syntax set sntp poll-interval interval Parameters interval Specifies the poll interval in seconds. Valid values are 16 to 16284. Defaults None. Mode Switch command, read‐write.
set sntp poll-retry Example This example shows how to clear the SNTP poll interval: B2(su)->clear sntp poll-interval set sntp poll-retry Use this command to set the number of poll retries to a unicast SNTP server. Syntax set sntp poll-retry retry Parameters retry Specifies the number of retries. Valid values are 0 to 10. Defaults None. Mode Switch command, read‐write.
set sntp poll-timeout set sntp poll-timeout Use this command to set the poll timeout (in seconds) for a response to a unicast SNTP request. Syntax set sntp poll-timeout timeout Parameters timeout Specifies the poll timeout in seconds. Valid values are 1 to 30. Defaults None. Mode Switch command, read‐write. Example This example shows how to set the SNTP poll timeout to 10 seconds: B2(su)->set sntp poll-timeout 10 clear sntp poll-timeout Use this command to clear the SNTP poll timeout.
set timezone Parameters name The name of the timezone. Typically, this name is a standard abbreviation such as EST (Eastern Standard Time) or EDT (Eastern Daylight Time). hours (Optional) Specifies the offset in hours from UTC. The value can range from ‐13 to 13. The default is 0 hours. minutes (Optional) Specifies additional offset in minutes from UTC. The value can range from 0 to 59. The default is 0 minutes.
Configuring Node Aliases
The node alias feature enables administrators to determine the MAC address and location of a given end‐station (or node) using the node’s Layer 3 alias information (IP address) as a key. With this method, it is possible to determine that, for instance, IP address 123.145.2.23 is located on switch 5 port 3.
----------  ----------  -----------  ------
fe.2.1      16          0            Enable
fe.2.2      47          0            Enable
fe.2.3      47          2            Enable
fe.2.4      47          0            Enable
fe.2.5      47          0            Enable
fe.2.6      47          2            Enable
fe.2.7      47          0            Enable
fe.2.8      47          0            Enable
fe.2.9      4000        1            Enable
Table 15‐40 provides an explanation of the command output.
Table 15-40 show nodealias config Output Details
Output Field   What It Displays...
Port Number    Port designation.
Max Entries    Maximum number of alias entries configured for this port.
It's important to make sure that inter‐switch links are not learning node/alias information, as it would slow down searches by the NetSight Compass and ASM tools and give inaccurate results.
Example
This example shows how to disable the node alias agent on fe.1.3:
B2(su)->set nodealias disable fe.1.3
clear nodealias config
Use this command to reset node alias state to enabled and clear the maximum entries value.
16 RMON Configuration This chapter describes the commands used to configure RMON on a SecureStack B2 switch. For information about... Refer to page...
Design Considerations Table 16-41 RMON Group History RMON Monitoring Group Functions and Commands (Continued) What It Does... What It Monitors... CLI Command(s) Records periodic statistical samples from a network. Sample period, number of samples and item(s) sampled.
Statistics Group Commands • RMON Packet Capture/Filter Sampling and Port Mirroring cannot be enabled on the same interface concurrently. • You can capture a total of 100 packets on an interface, no more and no less. – The captured frames will be as close to sequential as the hardware will allow. – Only one interface can be configured for capturing at a time. – Once 100 frames have been captured by the hardware, the application will stop without manual intervention.
show rmon stats
Use this command to display RMON statistics measured for one or more ports.
Syntax
show rmon stats [port-string]
Parameters
port‐string   (Optional) Displays RMON statistics for specific port(s).
Defaults
If port‐string is not specified, RMON stats will be displayed for all ports.
Mode
Switch command, read‐only.
Example
This example shows how to display RMON statistics for port fe.1.1 (Fast Ethernet port 1 in switch 1):
B2(su)->show rmon stats fe.1.1
Port: fe.1.
clear rmon stats Defaults If owner is not specified, monitor will be applied. Mode Switch command, read‐write. Example This example shows how to configure RMON statistics entry 2 for fe.1.20: B2(rw)->set rmon stats 2 fe.1.20 clear rmon stats Use this command to delete one or more RMON statistics entries. Syntax clear rmon stats {index-list | to-defaults} Parameters index‐list Specifies one or more stats entries to be deleted, causing them to disappear from any future RMON queries.
History Group Commands
Purpose
To display, configure, and clear RMON history properties and statistics.
Commands
For information about... Refer to page...
show rmon history 16-6
set rmon history 16-7
clear rmon history 16-7
show rmon history
Use this command to display RMON history properties and statistics. The RMON history group records periodic statistical samples from a network.
Sample 2779   Interval Start: 1 days 0 hours 2 minutes 22 seconds
Drop Events       = 0   Undersize Pkts  = 0
Octets            = 0   Oversize Pkts   = 0
Packets           = 0   Fragments       = 0
Broadcast Pkts    = 0   Jabbers         = 0
Multicast Pkts    = 0   Collisions      = 0
CRC Align Errors  = 0   Utilization(%)  = 0
set rmon history
Use this command to configure an RMON history entry.
Syntax
set rmon history index [port-string] [buckets buckets] [interval interval] [owner owner]
Parameters
index   Specifies an index number for this entry.
clear rmon history Parameters index‐list Specifies one or more history entries to be deleted, causing them to disappear from any future RMON queries. to‐defaults Resets all history entries to default values. This will cause entries to reappear in RMON queries. Defaults None. Mode Switch command, read‐write.
Alarm Group Commands
Purpose
To display, configure, and clear RMON alarm entries and properties.
Commands
For information about... Refer to page...
show rmon alarm 16-9
set rmon alarm properties 16-10
set rmon alarm status 16-11
clear rmon alarm 16-12
show rmon alarm
Use this command to display RMON alarm entries. The RMON alarm group periodically takes statistical samples from RMON variables and compares them with previously configured thresholds.
set rmon alarm properties Table 16-42 show rmon alarm Output Details Output Field What It Displays... Index Index number for this alarm entry. Owner Text string identifying who configured this entry. Status Whether this event entry is enabled (valid) or disabled. Variable MIB object to be monitored. Sample Type Whether the monitoring method is an absolute or a delta sampling. Startup Alarm Whether alarm generated when this entry is first enabled is rising, falling, or either.
startup rising | falling | either   (Optional) Specifies the type of alarm generated when this entry is first enabled as:
• Rising ‐ Sends an alarm when the monitored variable reaches the maximum (rising) threshold, for example, more than 30 collisions per second.
• Falling ‐ Sends an alarm when the monitored variable falls below the minimum (falling) threshold, for example when the network is behaving normally again.
• Either ‐ Sends an alarm when either a rising or falling threshold is reached.
Parameters
index   Specifies an index number for this entry. Maximum number of entries is 50. Maximum value is 65535.
enable   Enables this alarm entry.
Defaults
None.
Mode
Switch command, read‐write.
Usage
An RMON alarm entry can be created using this command, configured using the set rmon alarm properties command (“set rmon alarm properties” on page 16‐10), then enabled using this command.
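The rising and falling behaviour described for set rmon alarm properties is the RFC 2819 alarm state machine: a rising event fires once when a sample crosses the rising threshold and is not re‐armed until a falling event has occurred, which is what stops a flapping counter from producing a trap on every sample; the startup parameter only governs which kind of event may fire on the very first comparison. The Python below is an added illustration of that logic, not firmware code and not the switch's own implementation; the collision counter readings are constructed, and the rising/falling thresholds of 30 and 10 are chosen to match the guide's "more than 30 collisions per second" example with delta sampling.

```python
from typing import List, Optional, Tuple


class RmonAlarm:
    """RFC 2819 alarm entry: threshold crossing with hysteresis, as the guide
    describes for set rmon alarm properties / set rmon alarm status."""

    def __init__(self, sample_type: str, rising: int, falling: int, startup: str = "either"):
        if sample_type not in ("absolute", "delta") or startup not in ("rising", "falling", "either"):
            raise ValueError("sample_type must be absolute|delta, startup rising|falling|either")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.sample_type = sample_type
        self.rising = rising
        self.falling = falling
        self.startup = startup
        self.prev_raw: Optional[int] = None    # last counter reading (delta sampling)
        self.prev_value: Optional[int] = None  # last value compared against the thresholds
        self.rising_armed = True               # cleared by a rising event, set again by a falling one
        self.falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:          # a delta needs two readings
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        event = None
        if self.prev_value is None:
            # Startup alarm: only the kinds named by the startup parameter may
            # fire on the first comparison.
            if value >= self.rising and self.startup in ("rising", "either"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "either"):
                event = "falling"
        elif value >= self.rising and self.prev_value < self.rising and self.rising_armed:
            event = "rising"
        elif value <= self.falling and self.prev_value > self.falling and self.falling_armed:
            event = "falling"

        if event == "rising":
            self.rising_armed, self.falling_armed = False, True
        elif event == "falling":
            self.rising_armed, self.falling_armed = True, False
        self.prev_value = value
        return event


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, Optional[str]]]:
    """Feed a series of readings and pair each with the event it produced."""
    return [(r, alarm.sample(r)) for r in readings]


def naive_threshold_events(readings: List[int], rising: int) -> int:
    """For comparison: events a per-sample threshold check without hysteresis would raise."""
    deltas = [b - a for a, b in zip(readings, readings[1:])]
    return sum(1 for d in deltas if d >= rising)


# Constructed cumulative collision counter, read once per second (not real data).
COLLISIONS = [0, 5, 45, 90, 100, 102, 103, 150, 200]

if __name__ == "__main__":
    alarm = RmonAlarm("delta", rising=30, falling=10, startup="rising")
    for reading, event in run_alarm(alarm, COLLISIONS):
        print(reading, event or "")
    print("naive events:", naive_threshold_events(COLLISIONS, 30))
```

With the constructed readings the per‐second deltas are 5, 40, 45, 10, 2, 1, 47, 50: the RMON entry raises rising, falling, rising (three events), while a check that simply tests each delta against 30 would raise four, one per busy second, which is why the falling threshold belongs well below the rising one when you tune set rmon alarm properties.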
Event Group Commands
Purpose
To display and clear RMON events, and to configure RMON event properties.
Commands
For information about... Refer to page...
show rmon event 16-13
set rmon event properties 16-14
set rmon event status 16-15
clear rmon event 16-15
show rmon event
Use this command to display RMON event entry properties.
Syntax
show rmon event [index]
Parameters
index   (Optional) Displays RMON properties and log entries for a specific entry index ID.
Table 16-43 show rmon event Output Details
Output Field   What It Displays...
Index          Index number for this event entry.
Owner          Text string identifying who configured this entry.
Status         Whether this event entry is enabled (valid) or disabled.
Description    Text string description of this event.
Type           Whether the event notification will be a log entry, an SNMP trap, both, or none.
Community      SNMP community name if message type is set to trap.
set rmon event status Example This example shows how to create and enable an RMON event entry called “STP topology change” that will send both a log entry and an SNMP trap message to the “public” community: B2(rw)->set rmon event properties 2 description "STP topology change" type both community public owner Manager set rmon event status Use this command to enable an RMON event entry. An event entry describes the parameters of an RMON event that can be triggered.
clear rmon event Defaults None. Mode Switch command, read‐write.
Filter Group Commands
The packet capture and filter function is disabled by default. Only one interface can be configured for capturing and filtering at a time. When packet capture is enabled on an interface, the SecureStack B2 switch will capture 100 frames as close to sequentially as possible. These 100 frames will be placed into a buffer for inspection. If there is data in the buffer when the function is started, the buffer will be overwritten.
Example
This example shows how to display RMON channel information for fe.2.12:
B2(rw)->show rmon channel fe.2.12
Port fe.2.12   Channel index= 628   EntryStatus= valid
----------------------------------------------------------
Control         off
AcceptType      matched
OnEventIndex    0
OffEventIndex   0
EventIndex      0
Status          ready
Matches         4498
Description     Thu Dec 16 12:57:32 EST 2004
Owner           NetSight smith
set rmon channel
Use this command to configure an RMON channel entry.
clear rmon channel Example This example shows how to create an RMON channel entry: B2(rw)->set rmon channel 54313 fe.2.12 accept failed control on description "capture all" clear rmon channel Use this command to clear an RMON channel entry. Syntax clear rmon channel index Parameters index Specifies the channel entry to be cleared. Defaults None. Mode Switch command, read‐write.
B2(rw)->show rmon filter
Index= 55508   Channel Index= 628   EntryStatus= valid
----------------------------------------------------------
Data Offset         0
PktStatus           0
PktStatusMask       0
PktStatusNotMask    0
Owner               ETS,NAC-D
-----------------------------
Data          ff ff ff ff ff ff
-----------------------------
DataMask      ff ff ff ff ff ff
-----------------------------
DataNotMask   00 00 00 00 00 00
set rmon filter
Use this command to configure an RMON filter entry.
clear rmon filter Mode Switch command, read‐write. Example This example shows how to create RMON filter 1 and apply it to channel 9: B2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff clear rmon filter Use this command to clear an RMON filter entry. Syntax clear rmon filter {index index | channel channel} Parameters index index | channel channel Clears a specific filter entry, or all entries belonging to a specific channel. Defaults None. Mode Switch command, read‐write.
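The example above, offset 30 with data 0a154305 and dmask ffffffff, matches frames whose IPv4 destination is 10.21.67.5: in an untagged Ethernet II frame the 14‐byte Ethernet header is followed by the IPv4 header, whose destination address starts at byte 16, so 14 + 16 = 30. The Python below is an added example, not from the guide, that implements the RFC 2819 comparison behind the Data, DataMask and DataNotMask fields that show rmon filter displays (mask bits take part in the match; notmask bits are the ones that must not all match) and builds constructed frames to exercise it. It assumes the filter sees an untagged frame; the guide does not say where an 802.1Q tag would shift the offset on this switch, so confirm that on the device before relying on offset 30 for tagged traffic.

```python
import ipaddress
from typing import Optional

# Byte offsets in an untagged Ethernet II frame carrying IPv4 (assumption: no
# 802.1Q tag, which would shift everything after the MAC addresses by 4).
ETH_HDR_LEN = 14
OFFSET_IPV4_SRC = ETH_HDR_LEN + 12
OFFSET_IPV4_DST = ETH_HDR_LEN + 16


def rmon_filter_match(frame: bytes, offset: int, data: bytes,
                      mask: Optional[bytes] = None, notmask: Optional[bytes] = None) -> bool:
    """RFC 2819 filterPktData matching for one filter entry.

    mask    - bits that take part in the comparison (default: all of them)
    notmask - of those bits, the ones that must NOT all match (default: none)
    """
    mask = bytes([0xFF] * len(data)) if mask is None else mask
    notmask = bytes(len(data)) if notmask is None else notmask
    if not (len(mask) == len(notmask) == len(data)):
        raise ValueError("data, mask and notmask must have equal length")
    if len(frame) < offset + len(data):
        return False                          # too short to contain the field: fails
    window = frame[offset:offset + len(data)]
    # bits that differ between the packet and the filter data, restricted to the mask
    differ = [(w ^ d) & m for w, d, m in zip(window, data, mask)]
    # every masked bit outside notmask must match exactly
    if any(x & (~n & 0xFF) for x, n in zip(differ, notmask)):
        return False
    not_bits = [n & m for n, m in zip(notmask, mask)]
    if not any(not_bits):
        return True                           # no "must differ" bits requested
    # at least one notmask bit must differ for the packet to pass
    return any(x & n for x, n in zip(differ, not_bits))


def ipv4_frame(dst_ip: str, src_ip: str = "10.21.67.200", payload: bytes = b"\x00" * 8) -> bytes:
    """Constructed Ethernet II + IPv4 (UDP, checksum left zero) frame for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + len(payload)
    ip_hdr = (b"\x45\x00" + total_len.to_bytes(2, "big") + b"\x00\x00\x40\x00"
              + b"\x40\x11" + b"\x00\x00"
              + ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip_hdr + payload


def filter_data_as_ip(data: bytes) -> str:
    """Render four bytes of filter data as a dotted quad (0a154305 -> 10.21.67.5)."""
    return str(ipaddress.IPv4Address(data))


# The guide's example: set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff
GUIDE_OFFSET = 30
GUIDE_DATA = bytes.fromhex("0a154305")
GUIDE_DMASK = bytes.fromhex("ffffffff")

if __name__ == "__main__":
    print(GUIDE_OFFSET == OFFSET_IPV4_DST, filter_data_as_ip(GUIDE_DATA))
    print(rmon_filter_match(ipv4_frame("10.21.67.5"), GUIDE_OFFSET, GUIDE_DATA, GUIDE_DMASK))
    print(rmon_filter_match(ipv4_frame("10.21.67.6"), GUIDE_OFFSET, GUIDE_DATA, GUIDE_DMASK))
```

Two variations worth knowing when building a channel: a dmask of ffffff00 widens the same entry to every destination in 10.21.67.0/24, and adding a DataNotMask of 000000ff keeps the /24 but excludes 10.21.67.5 itself, which is how "everything on the subnet except the server" is expressed in a single filter.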
Packet Capture Commands
Note that packet capture filter is sampling only and does not guarantee receipt of back‐to‐back packets.
Purpose
To display RMON capture entries, configure, enable, or disable capture entries, and clear capture entries.
Commands
For information about... Refer to page...
show rmon capture 16-22
set rmon capture 16-23
clear rmon capture 16-24
show rmon capture
Use this command to display RMON capture entries and associated buffer control entries.
set rmon capture Owner monitor captureEntry= 1 Buff.
Mode
Switch command, read‐write.
Example
This example shows how to create RMON capture entry 1 to “listen” on channel 628:
B2(rw)->set rmon capture 1 628
clear rmon capture
Use this command to clear an RMON capture entry.
Syntax
clear rmon capture index
Parameters
index   Specifies the capture entry to be cleared.
Defaults
None.
Mode
Switch command, read‐write.
17 DHCP Server Configuration This chapter describes the commands to configure the IPv4 DHCP server functionality on a SecureStack B2 switch. For information about... Refer to page...
DHCP Overview • NetBIOS WINS server(s) and node name • Boot file • DHCP options as defined by RFC 2132 Note: A total of 16 address pools, dynamic and/or static, and a maximum of 256 addresses for the entire switch, can be configured on the SecureStack B2. Configuring a DHCP Server For DHCP to function on SecureStack B2 systems, the system has to “know about” the IP network for which the DHCP pool is to be created.
Configuring General DHCP Server Parameters
Purpose
To configure DHCP server parameters, and to display and clear address binding information, server statistics, and conflict information.
Commands
For information about... Refer to page...
set dhcp bootp Example This example enables DHCP server functionality. B2(rw)->set dhcp enable set dhcp bootp Use this command to enable or disable automatic address allocation for BOOTP clients. By default, address allocation for BOOTP clients is disabled. Refer to RFC 1534, “Interoperation Between DHCP and BOOTP,” for more information. Syntax set dhcp bootp {enable | disable} Parameters enable | disable Enables or disables address allocation for BOOTP clients. Defaults None.
Example
This example enables DHCP conflict logging.
B2(rw)->set dhcp conflict logging
show dhcp conflict
Use this command to display conflict information, for one address or all addresses.
Syntax
show dhcp conflict [address]
Parameters
address   (Optional) Specifies the address for which to display conflict information.
Defaults
If no address is specified, conflict information for all addresses is displayed.
Mode
Switch command, read‐only.
set dhcp exclude Defaults None. Mode Switch command, read‐write. Examples This example disables DHCP conflict logging. B2(rw)->clear dhcp conflict logging This example clears the conflict information for the IP address 192.0.0.2. B2(rw)->clear dhcp conflict 192.0.0.2 set dhcp exclude Use this command to configure the IP addresses that the DHCP server should not assign to DHCP clients. Multiple address ranges can be configured but the ranges cannot overlap.
clear dhcp exclude
Use this command to clear the configured IP addresses that the DHCP server should not assign to DHCP clients.
Syntax
clear dhcp exclude low-ipaddr [high-ipaddr]
Parameters
low‐ipaddr   Specifies the first IP address in the address range to be cleared.
high‐ipaddr   (Optional) Specifies the last IP address in the address range to be cleared.
Defaults
None.
Mode
Switch command, read‐write.
clear dhcp ping
Use this command to reset the number of ping packets sent by the DHCP server back to the default value of 2.
Syntax
clear dhcp ping packets
Parameters
None.
Defaults
None.
Mode
Switch command, read‐write.
Example
This example resets the number of ping packets sent back to the default value.
B2(rw)->clear dhcp ping packets
show dhcp binding
Use this command to display binding information for one or all IP addresses.
192.0.0.13    00:33:44:56:22:37    infinite    Manual
192.0.0.14    00:33:44:56:22:38    infinite    Manual
clear dhcp binding
Use this command to clear (delete) one or all DHCP address bindings.
Syntax
clear dhcp binding {ip-addr | *}
Parameters
ip‐addr   Specifies the IP address for which to clear/delete the DHCP binding.
*   Deletes all address bindings.
Defaults
None.
Mode
Switch command, read‐write.
Example
This example deletes the DHCP address binding for IP address 192.168.1.1.
Messages         Received      Messages
----------       ----------    ----------
DHCP DISCOVER    382           DHCP OFFER
DHCP REQUEST     3855          DHCP ACK
DHCP DECLINE     0             DHCP NACK
DHCP RELEASE     67
DHCP INFORM      1
clear dhcp server statistics
Use this command to clear all DHCP server counters.
Syntax
clear dhcp server statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read‐write.
Example
This example clears all DHCP server counters.
Configuring IP Address Pools
Manual Pool Configuration Considerations
• The subnet of the IP address being issued should be on the same subnet as the ingress interface (that is, the subnet of the host IP address of the switch, or if routing interfaces are configured, the subnet of the routing interface).
clear dhcp pool
Use this command to delete a DHCP server pool of addresses.
Syntax
clear dhcp pool poolname
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
Example
This example deletes the address pool named “auto1.”
B2(rw)->clear dhcp pool auto1
set dhcp pool network
Use this command to configure the subnet number and mask for an automatic DHCP address pool.
clear dhcp pool network
Examples
This example configures the IP subnet 172.20.28.0 with a prefix length of 24 for the automatic DHCP pool named “auto1.” Alternatively, the mask could have been specified as 255.255.255.0.
B2(rw)->set dhcp pool auto1 network 172.20.28.0 24
This example limits the scope of 255 addresses created for the Class C network 172.20.28.0 by the previous example, by excluding addresses 172.20.28.80 – 100.
B2(rw)->set dhcp exclude 172.20.28.80 172.20.28.
clear dhcp pool hardware-address
Defaults
If no type is specified, Ethernet is assumed.
Mode
Switch command, read-write.
Example
This example specifies 0001.f401.2710 as the Ethernet MAC address for the manual address pool named “manual1.” Alternatively, the MAC address could have been entered as 00:01:f4:01:27:10.
B2(rw)->set dhcp pool manual1 hardware-address 0001.f401.
clear dhcp pool host
mask (Optional) Specifies the subnet mask in dotted quad notation.
prefix-length (Optional) Specifies the subnet mask as an integer.
Defaults
If a mask or prefix is not specified, the class A, B, or C natural mask will be used.
Mode
Switch command, read-write.
Example
This example shows how to configure the minimum requirements for a manual binding address pool.
clear dhcp pool client-identifier
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
id Specifies the unique client identifier for this client. The value must be entered in xx:xx:xx:xx:xx:xx format.
Defaults
None.
Mode
Switch command, read-write.
Usage
The client identifier is formed by concatenating the media type and the MAC address.
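The pool rules in this section (an automatic pool carved from a network, exclude ranges, the client identifier formed from media type plus MAC, and the consideration that an issued address should sit on the ingress interface's subnet) can be checked offline before the configuration is typed into the switch. The following is an added Python example, not code from the guide or from Enterasys; the function names, the ETHERNET_MEDIA_TYPE constant and the sample values are constructed here, and the media type octet 0x01 for Ethernet is taken from the "01:" prefix shown in the show dhcp pool configuration output later in this chapter.

```python
import ipaddress

# Media type octet that precedes the MAC in a DHCP client identifier.
# 0x01 (Ethernet) matches the 01:xx:... identifiers shown in this chapter.
ETHERNET_MEDIA_TYPE = 0x01


def client_identifier(mac, media_type=ETHERNET_MEDIA_TYPE):
    """Form the client identifier as the guide describes: the media type
    concatenated with the MAC, rendered as xx:xx:xx:xx:xx:xx:xx.
    Accepts 00:01:f4:01:27:10, 00-01-f4-01-27-10 or 0001.f401.2710 notation."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    return ":".join([f"{media_type:02x}"] + octets)


def assignable_addresses(network, excludes=()):
    """Host addresses of an automatic pool after the exclude ranges are removed.
    `network` takes a prefix length (172.20.28.0/24) or a dotted mask
    (172.20.28.0/255.255.255.0); `excludes` is a list of (low, high) pairs."""
    net = ipaddress.ip_network(network, strict=True)
    excluded = set()
    for low, high in excludes:
        lo = int(ipaddress.ip_address(low))
        hi = int(ipaddress.ip_address(high))
        if hi < lo:
            raise ValueError(f"exclude range {low}-{high} is reversed")
        excluded.update(range(lo, hi + 1))
    return [str(a) for a in net.hosts() if int(a) not in excluded]


def on_ingress_subnet(host, interface):
    """Manual-pool consideration: the address to be issued should lie in the
    subnet of the interface that receives the request.  `interface` is written
    as address/prefix, for example 172.20.28.254/24 (constructed value)."""
    return ipaddress.ip_address(host) in ipaddress.ip_interface(interface).network


if __name__ == "__main__":
    # Constructed values mirroring the auto1 / manual1 examples in this section
    pool = assignable_addresses("172.20.28.0/24", [("172.20.28.80", "172.20.28.100")])
    print(len(pool), "assignable addresses, first:", pool[0])
    print(client_identifier("0001.f401.2710"))
    print(on_ingress_subnet("172.20.28.50", "172.20.28.254/24"))
```

Running the block with the auto1 values from this section reports 233 assignable addresses (the 254 host addresses of the /24 less the 21 excluded ones) and the identifier 01:00:01:f4:01:27:10 for the manual1 MAC.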
set dhcp pool client-name
Use this command to assign a name to a DHCP client when creating an address pool for manual binding.
Syntax
set dhcp pool poolname client-name name
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
name Specifies the name to be assigned to this client. Client names may be up to 31 characters in length.
Defaults
None.
Mode
Switch command, read-write.
set dhcp pool bootfile
Use this command to specify a default boot image for the DHCP clients who will be served by the address pool being configured.
Syntax
set dhcp pool poolname bootfile filename
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
filename Specifies the boot image file name.
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets the boot image filename for address pool named “auto1.
set dhcp pool next-server
Use this command to specify the file server from which the default boot image is to be loaded by the client.
Syntax
set dhcp pool poolname next-server ip-address
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
ip-address Specifies the IP address of the file server the DHCP client should contact to load the default boot image.
Defaults
None.
Mode
Switch command, read-write.
set dhcp pool lease
Use this command to specify the duration of the lease for an IP address assigned by the DHCP server from the address pool being configured.
Syntax
set dhcp pool poolname lease {days [hours [minutes]] | infinite}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
days Specifies the number of days an address lease will remain valid. Value can range from 0 to 59.
set dhcp pool default-router
Mode
Switch command, read-write.
Example
This example restores the default lease duration of one day for address pool “auto1.”
B2(rw)->clear dhcp pool auto1 lease
set dhcp pool default-router
Use this command to specify a default router list for the DHCP clients served by the address pool being configured. Up to 8 default routers can be configured.
Syntax
set dhcp pool poolname default-router address [address2 ...
set dhcp pool dns-server
Mode
Switch command, read-write.
Example
This example removes the default router from the address pool “auto1.”
B2(rw)->clear dhcp pool auto1 default-router
set dhcp pool dns-server
Use this command to specify one or more DNS servers for the DHCP clients served by the address pool being configured. Up to 8 DNS servers can be configured.
Syntax
set dhcp pool poolname dns-server address [address2 ... address8]
Parameters
poolname Specifies the name of the address pool.
set dhcp pool domain-name
Mode
Switch command, read-write.
Example
This example removes the DNS server list from the address pool “auto1.”
B2(rw)->clear dhcp pool auto1 dns-server
set dhcp pool domain-name
Use this command to specify a domain name to be assigned to DHCP clients served by the address pool being configured.
Syntax
set dhcp pool poolname domain-name domain
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
set dhcp pool netbios-name-server
Mode
Switch command, read-write.
Example
This example removes the domain name from the address pool “auto1.”
B2(rw)->clear dhcp pool auto1 domain-name
set dhcp pool netbios-name-server
Use this command to assign one or more NetBIOS name servers for the DHCP clients served by the address pool being configured. Up to 8 NetBIOS name servers can be configured.
Syntax
set dhcp pool poolname netbios-name-server address [address2 ...
set dhcp pool netbios-node-type
Mode
Switch command, read-write.
Example
This example removes the NetBIOS name server list from the address pool “auto1.”
B2(rw)->clear dhcp pool auto1 netbios-name-server
set dhcp pool netbios-node-type
Use this command to specify a NetBIOS node (server) type for the DHCP clients served by the address pool being configured.
Syntax
set dhcp pool poolname netbios-node-type {b-node | h-node | p-node | m-node}
Parameters
poolname Specifies the name of the address pool.
set dhcp pool option
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes the NetBIOS node type from the address pool “auto1.”
B2(rw)->clear dhcp pool auto1 netbios-node-type
set dhcp pool option
Use this command to configure DHCP options, described in RFC 2132.
Syntax
set dhcp pool poolname option code {ascii string | hex string-list | ip addresslist}
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
clear dhcp pool option
Use this command to remove a DHCP option from the address pool being configured.
Syntax
clear dhcp pool poolname option code
Parameters
poolname Specifies the name of the address pool. Pool names may be up to 31 characters in length.
code Specifies the DHCP option code, as defined in RFC 2132. Value can range from 1 to 254.
Defaults
None.
Mode
Switch command, read-write.
Example
This example removes option 19 from address pool “auto1.
show dhcp pool configuration
Network          192.0.0.0 255.255.255.0
Lease Time       1 days 0 hrs 0 mins
Default Routers  192.0.0.1

Pool: static1
Pool Type          Manual
Client Name        appsvr1
Client Identifier  01:00:01:f4:01:27:10
Host               10.1.1.1 255.0.0.0
Lease Time         infinite
Option             19 hex 01

Pool: static2
Pool Type              Manual
Hardware Address       00:01:f4:01:27:10
Hardware Address Type  ieee802
Host                   192.168.10.1 255.255.255.
Lease Time
18 DHCP Snooping and Dynamic ARP Inspection
This chapter describes two security features:
• DHCP snooping, which monitors DHCP messages between a DHCP client and DHCP server to filter harmful DHCP messages and to build a database of authorized address bindings
• Dynamic ARP inspection, which uses the bindings database created by the DHCP snooping feature to reject invalid and malicious ARP packets
DHCP Snooping Overview
the hardware forwards client messages and copies server messages to the CPU so DHCP snooping can learn the binding.
The DHCP snooping application processes incoming DHCP messages. For DHCP RELEASE and DHCP DECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event and drops the message.
DHCP Snooping Overview
switch is rebooting, when the switch receives a DHCP DISCOVER or REQUEST message, the client's binding will go to a tentative binding state.
Rate Limiting
To protect the switch against DHCP attacks when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately.
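The two decisions described in the overview, the interface/VLAN check on RELEASE and DECLINE messages and the per-interface rate limit on untrusted ports, are easiest to reason about as a small state machine. The following is an added Python model written for this page; it is not the switch firmware and not code from Enterasys. The message dictionary layout, the DhcpSnooper class and the sample MACs and ports are constructed here, and the way a burst interval combines with the packet rate (rate multiplied by interval packets allowed in any window of that length) is an assumption, since the guide only names the two parameters.

```python
import time
from collections import deque


class DhcpSnooper:
    """Constructed model of the snooping decisions described in this chapter."""

    def __init__(self, trusted_ports=(), limits=None):
        self.trusted = set(trusted_ports)
        # port -> (rate in packets per second, burst interval in seconds);
        # a port absent from this map has no limit (cf. "set dhcpsnooping limit")
        self.limits = dict(limits or {})
        # bindings database: client MAC -> {"ip", "vlan", "port"}
        self.bindings = {}
        self.log = []
        self._arrivals = {}  # port -> deque of arrival timestamps

    def learn(self, mac, ip, vlan, port):
        """Record a binding for a client (e.g. once its lease is confirmed)."""
        self.bindings[mac] = {"ip": ip, "vlan": vlan, "port": port}

    def _within_rate(self, port, now):
        # Assumption: with rate R and burst interval B, at most R*B packets are
        # accepted in any B-second window; the guide does not give the formula.
        if port not in self.limits:
            return True
        pps, burst = self.limits[port]
        window = self._arrivals.setdefault(port, deque())
        window.append(now)
        while window and now - window[0] >= burst:
            window.popleft()
        return len(window) <= pps * burst

    def receive(self, msg, now=None):
        """Return 'forward' or 'drop' for one DHCP message.
        msg is a constructed dict with keys type, mac, port and vlan."""
        now = time.monotonic() if now is None else now
        port, vlan, mac, kind = msg["port"], msg["vlan"], msg["mac"], msg["type"]
        if port in self.trusted:
            return "forward"  # trusted ports: forwarded by hardware, no checks
        if not self._within_rate(port, now):
            self.log.append(f"rate limit exceeded on {port}, dropping {kind} from {mac}")
            return "drop"
        if kind in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(mac)
            if binding is None or (binding["port"], binding["vlan"]) != (port, vlan):
                self.log.append(
                    f"{kind} from {mac} on {port} vlan {vlan} does not match its binding")
                return "drop"
            del self.bindings[mac]  # a valid RELEASE/DECLINE removes the dynamic entry
        return "forward"


if __name__ == "__main__":
    # Constructed scenario: ge.1.1 trusted (server side), ge.1.2 limited to 15 pps
    snooper = DhcpSnooper(trusted_ports={"ge.1.1"}, limits={"ge.1.2": (15, 1)})
    snooper.learn("00:11:22:33:44:55", "10.0.0.5", 10, "ge.1.2")
    bogus = {"type": "RELEASE", "mac": "00:11:22:33:44:55", "port": "ge.1.3", "vlan": 10}
    print(snooper.receive(bogus, now=0.0), snooper.log[-1])
```

The example uses the 15 pps / 1 second values that clear dhcpsnooping limit restores as defaults; a RELEASE for a known client arriving on a different port than the one in the binding is logged and dropped, which is the case the overview singles out.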
DHCP Snooping Commands
Configuration Notes
DHCP Server
• When the switch is operating in switch mode, then the DHCP server and DHCP clients must be in the same VLAN.
• If the switch is in routing mode (on those platforms that support routing), then the DHCP server can be remotely connected to a routing interface, or running locally.
set dhcpsnooping
Use this command to enable or disable DHCP snooping globally.
Syntax
set dhcpsnooping {enable | disable}
Parameters
enable Enable DHCP snooping globally on the switch.
disable Disable DHCP snooping globally on the switch.
Defaults
Disabled globally.
Mode
Switch command, read-write.
Usage
By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with this command, and then enable it on specific VLANs.
set dhcpsnooping database write-delay
Usage
By default, DHCP snooping is disabled globally and on all VLANs. You must enable it globally with the set dhcpsnooping command, and then enable it on specific VLANs with this command.
Example
This example enables DHCP snooping on VLANs 10 through 20.
B2(rw)->set dhcpsnooping vlan 10-20 enable
set dhcpsnooping database write-delay
Use this command to specify the interval between updates to the stored bindings database.
set dhcpsnooping binding
enable | disable Enables or disables the specified ports as trusted ports.
Defaults
By default, ports are untrusted.
Mode
Switch command, read-write.
Usage
In order for DHCP snooping to operate, snooping has to be enabled globally and on specific VLANs, and the ports within the VLANs have to be configured as trusted or untrusted. On trusted ports, DHCP client messages are forwarded directly by the hardware.
set dhcpsnooping verify
Usage
When enabled globally and on VLANs, DHCP snooping builds its bindings database from DHCP client messages received on untrusted ports. Such entries in the database are dynamic entries which will be removed in response to valid DECLINE, RELEASE, and NACK messages or when the absolute lease time of the entry expires. You can add static entries to the bindings database with this command.
set dhcpsnooping log-invalid
Use this command to enable or disable logging of invalid DHCP messages on ports.
Syntax
set dhcpsnooping log-invalid port port-string {enable | disable}
Parameters
port port-string Specifies the port or ports on which to enable or disable logging of invalid packets.
enable | disable Enables or disables logging on the specified ports.
Defaults
Disabled.
Mode
Switch command, read-write.
set dhcpsnooping limit
Use this command to configure rate limiting parameters for incoming DHCP packets on a port or ports.
Syntax
set dhcpsnooping limit port-string {none | rate pps [burst interval secs]}
Parameters
port-string Specifies the port or ports to which to apply these rate limiting parameters.
none Configures no limit on incoming DHCP packets.
rate pps Specifies a rate limit in packets per second. The value of pps can range from 0 to 100 packets per second.
show dhcpsnooping
Use this command to display DHCP snooping configuration parameters.
Syntax
show dhcpsnooping
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
show dhcpsnooping port
Defaults
None.
Mode
Switch command, read-write.
Usage
This command displays where the database file is stored (locally) and what the write delay value is.
Example
This example shows the output of the show dhcpsnooping database command.
B2(su)->show dhcpsnooping database
agent url: local
write-delay: 300
show dhcpsnooping port
Use this command to display DHCP snooping configuration parameters for specific ports.
show dhcpsnooping binding
Use this command to display the contents of the DHCP snooping bindings database.
Syntax
show dhcpsnooping binding [dynamic | static] [port port-string] [vlan vlan-id]
Parameters
dynamic | static (Optional) Limits the display of bindings in the database by type of entry, either dynamic or static.
port port-string (Optional) Limits the display of bindings in the database by port.
clear dhcpsnooping binding
Mode
Switch command, read-write.
Usage
The DHCP snooping application processes incoming DHCP messages on enabled untrusted interfaces. For DHCP RELEASE and DHCP DECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If the interfaces do not match, the application logs the event (if logging of invalid messages is enabled) and drops the message.
clear dhcpsnooping statistics
B2(su)->clear dhcpsnooping binding port ge.1.2
clear dhcpsnooping statistics
Use this command to clear the DHCP snooping statistics counters.
Syntax
clear dhcpsnooping statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears the DHCP snooping statistics counters for all enabled untrusted ports.
clear dhcpsnooping limit
Use this command to reset the rate limit values to the defaults of 15 packets per second with a burst interval of 1 second.
Syntax
clear dhcpsnooping limit port-string
Parameters
port-string Specifies the port or ports to which this command applies.
Defaults
None.
Mode
Switch command, read-write.
Example
This example resets the rate limit values to their defaults on port ge.1.1.
B2(su)->clear dhcpsnooping limit ge.1.
Dynamic ARP Inspection Overview
Static Mappings
Static mappings are useful when hosts configure static IP addresses, DHCP snooping cannot be run, or other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it consults DHCP snooping; thus, static mappings have precedence over DHCP snooping bindings. ARP ACLs are used to define static mappings for DAI.
Dynamic ARP Inspection Overview
Eligible Interfaces
Dynamic ARP inspection is enabled per VLAN, effectively enabling DAI on the members of the VLAN, either physical ports or LAGs. Trust is specified on the VLAN members. DAI cannot be enabled on port-based routing interfaces.
Dynamic ARP Inspection Overview
Example Configuration
Note: This example applies only to platforms that support routing.
The following example configures DHCP snooping and dynamic ARP inspection in a routing environment using RIP. The example configures two interfaces on the switch, configuring RIP on both interfaces, assigning each to a different VLAN, and then enabling DHCP snooping and dynamic ARP inspection on them:
• Interface ge.1.
Dynamic ARP Inspection Commands
set vlan egress 10 ge.1.2 untagged
set vlan egress 192 ge.1.1 untagged
DHCP Snooping Configuration
set dhcpsnooping enable
set dhcpsnooping vlan 1 enable
set dhcpsnooping vlan 10 enable
set dhcpsnooping vlan 192 enable
set dhcpsnooping verify mac-address disable
set dhcpsnooping trust port ge.1.1 enable
Dynamic ARP Inspection Configuration
set arpinspection vlan 1
set arpinspection vlan 10
set arpinspection vlan 192
set arpinspection trust port ge.1.
set arpinspection trust
Parameters
vlan-range Specifies the VLAN or range of VLANs on which to enable dynamic ARP inspection.
logging (Optional) Enables logging of invalid ARP packets for that VLAN.
Defaults
Logging is disabled by default.
Mode
Switch command, read-write.
Usage
This command enables dynamic ARP inspection (DAI) on one or more VLANs. When DAI is enabled on a VLAN, DAI is effectively enabled on the interfaces (physical ports or LAGs) that are members of that VLAN.
set arpinspection validate
Usage
Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one which could potentially be used to launch a network attack. DAI considers all physical ports and LAGs untrusted by default. Packets arriving on trusted interfaces bypass all DAI validation checks.
set arpinspection limit
Example
This example adds the optional verification that sender MAC addresses are the same as the source MAC addresses in the Ethernet headers of ARP packets.
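The DAI decision order spelled out in the overview and in the trust and validate usage notes above (trusted ports bypass every check, the optional sender-MAC versus Ethernet-source check, ARP ACL static mappings consulted before DHCP snooping bindings, per-VLAN forwarded/dropped counters as shown by show arpinspection statistics) is captured in the following added Python model. It is written for this page and is not Enterasys code; the ArpInspector class, the packet dictionary layout and the sample addresses are constructed here. Two behaviours are assumptions, marked in the comments: a permit rule for a sender IP is treated as authoritative (a different MAC for that IP is dropped rather than looked up in the bindings), and when the ACL is bound with the static flag a sender that matches no permit rule is dropped without consulting DHCP snooping.

```python
class ArpInspector:
    """Constructed model of the dynamic ARP inspection decisions on this page."""

    def __init__(self, trusted_ports=(), validate_src_mac=False):
        self.trusted = set(trusted_ports)
        self.validate_src_mac = validate_src_mac   # "set arpinspection validate"
        self.acls = {}       # ACL name -> {sender IP: sender MAC} permit rules
        self.vlan_acl = {}   # VLAN -> (ACL name, static flag)
        self.bindings = set()  # (ip, mac, vlan) entries learned by DHCP snooping
        self.stats = {}      # VLAN -> {"forwarded": n, "dropped": n}

    def add_permit(self, acl, ip, mac):
        self.acls.setdefault(acl, {})[ip] = mac.lower()

    def bind_acl(self, acl, vlan, static=False):
        self.vlan_acl[vlan] = (acl, static)

    def add_binding(self, ip, mac, vlan):
        self.bindings.add((ip, mac.lower(), vlan))

    def _count(self, vlan, verdict):
        counters = self.stats.setdefault(vlan, {"forwarded": 0, "dropped": 0})
        counters["forwarded" if verdict == "forward" else "dropped"] += 1
        return verdict

    def inspect(self, pkt, port):
        """Return 'forward' or 'drop' for an ARP packet received on `port`.
        pkt is a constructed dict: vlan, sender_ip, sender_mac, eth_src."""
        vlan = pkt["vlan"]
        sender_ip, sender_mac = pkt["sender_ip"], pkt["sender_mac"].lower()
        if port in self.trusted:
            # Trusted interfaces bypass all DAI validation checks.
            # Assumption: such packets are not reflected in the VLAN counters.
            return "forward"
        if self.validate_src_mac and sender_mac != pkt["eth_src"].lower():
            return self._count(vlan, "drop")   # optional sender-MAC check fails
        acl_name, static = self.vlan_acl.get(vlan, (None, False))
        rules = self.acls.get(acl_name, {})
        if sender_ip in rules:
            # Static mappings are consulted first and take precedence.
            # Assumption: a rule for this IP is authoritative for its MAC.
            return self._count(vlan, "forward" if rules[sender_ip] == sender_mac else "drop")
        if static:
            # Assumption: with the static flag, unmatched senders are dropped
            # without falling back to the DHCP snooping bindings.
            return self._count(vlan, "drop")
        known = (sender_ip, sender_mac, vlan) in self.bindings
        return self._count(vlan, "forward" if known else "drop")


if __name__ == "__main__":
    # Constructed scenario built from the staticARP example values in this chapter
    dai = ArpInspector(trusted_ports={"ge.1.1"}, validate_src_mac=True)
    dai.add_permit("staticARP", "192.168.1.10", "00:01:22:33:44:55")
    dai.bind_acl("staticARP", 5)
    dai.add_binding("192.168.1.20", "00:aa:bb:cc:dd:ee", 5)
    pkt = {"vlan": 5, "sender_ip": "192.168.1.10",
           "sender_mac": "00:01:22:33:44:55", "eth_src": "00:01:22:33:44:55"}
    print(dai.inspect(pkt, "ge.1.2"), dai.stats)
```

The statistics dictionary mirrors the VLAN / Forwarded / Dropped columns of show arpinspection statistics, so the model can be used to predict what those counters should show for a given set of test packets.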
set arpinspection filter
Use this command to create an ARP ACL and then to assign an ACL to a VLAN, optionally as a static mapping.
Syntax
set arpinspection filter name {permit ip host sender-ipaddr mac host sender-macaddr | vlan vlan-range [static]}
Parameters
name Specifies the name of the ARP ACL.
permit Specifies that a permit rule is being created.
ip host sender-ipaddr Specifies the IP address in the rule being created.
show arpinspection ports
Parameters
acl-name (Optional) Specifies the ARP ACL to display.
Defaults
If a specific ACL is not specified, information about all configured ARP ACLs is displayed.
Mode
Switch command, read-write.
Example
This example displays information about the ARP ACL named staticARP.
B2(su)->show arpinspection access-list staticARP
ARP access list staticARP
permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
permit ip host 192.168.1.
show arpinspection vlan
Use this command to display the ARP configuration of one or more VLANs.
Syntax
show arpinspection vlan vlan-range
Parameters
vlan-range Specifies the VLANs for which to display configuration information.
Defaults
None.
Mode
Switch command, read-write.
Example
This example displays ARP configuration information for VLAN 5.
clear arpinspection validate
Examples
This example shows what is displayed when no VLANs are specified.
B2(su)->show arpinspection statistics
VLAN   Forwarded   Dropped
----   ---------   -------
5      0           0
This example shows what information is displayed when one or more VLANs are specified.
clear arpinspection vlan
Use this command to disable dynamic ARP inspection on one or more VLANs or to disable logging of invalid ARP packets on one or more VLANs.
Syntax
clear arpinspection vlan vlan-range [logging]
Parameters
vlan-range Specifies the VLAN or range of VLANs on which to disable dynamic ARP inspection.
logging (Optional) Disable logging of invalid ARP packets for the specified VLANs.
clear arpinspection filter
B2(su)->clear arpinspection vlan 5 logging
B2(su)->show arpinspection vlan 5
Vlan   Source MAC Validation   Destination MAC Validation   IP Address Validation
----   ---------------------   --------------------------   ---------------------
5      Disabled                Disabled                     Disabled
Configuration   Log Invalid   ACL Name    Static flag
-------------   -----------   ---------   -----------
Disabled        Disabled      staticARP   Enabled
clear arpinspection filter
Use this command to remove an ARP ACL from a VLAN or from the switch, or to remove a permit rule from an existing ACL,
clear arpinspection limit
Examples
This example removes a permit rule from the ARP ACL named staticARP.
B2(su)->clear arpinspection filter staticARP permit ip host 192.168.1.10 mac host 00:01:22:33:44:55
This example disables static mapping of the ARP ACL named staticARP that is associated with VLAN 5.
B2(su)->clear arpinspection filter staticARP vlan 5 static
This example removes the ARP ACL named staticARP from VLAN 5.
clear arpinspection statistics
Use this command to clear all dynamic ARP inspection statistics.
Syntax
clear arpinspection statistics
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example clears all DAI statistics from the switch.
19 Authentication and Authorization Configuration
This chapter describes the authentication and authorization commands and how to use them.
For information about... Refer to page...
Overview of Authentication and Authorization Methods 19-1
Configuring RADIUS 19-3
Configuring 802.
Overview of Authentication and Authorization Methods
• 802.1X Port Based Network Access Control using EAPOL (Extensible Authentication Protocol) – provides a mechanism via a RADIUS server for administrators to securely authenticate and grant appropriate access to end user devices communicating with SecureStack B2 ports. For details on using CLI commands to configure 802.1X, refer to “Configuring 802.1X Authentication” on page 19-11.
Configuring RADIUS
Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute that specifies the name of the policy profile and/or management level the user should be assigned upon successful authentication.
show radius
Commands
For information about... Refer to page...
show radius 19-4
set radius 19-5
clear radius 19-7
show radius accounting 19-7
set radius accounting 19-8
clear radius accounting 19-9
show radius
Use this command to display the current RADIUS client/server configuration.
Syntax
show radius [status | retries | timeout | server [index | all]]
Parameters
status (Optional) Displays the RADIUS server’s enable status.
set radius
Table 19-1 show radius Output Details
Output Field: What It Displays...
RADIUS status: Whether RADIUS is enabled or disabled.
RADIUS retries: Number of retry attempts before the RADIUS server times out. The default value of 3 can be reset using the set radius command as described in “set radius” on page 19-5.
RADIUS timeout: Maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin.
set radius
realm management-access | any | network-access Realm allows you to define who has to go through the RADIUS server for authentication.
• management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
• network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network.
clear radius
This example shows how to force any management-access to the switch (Telnet, web, SSH) to authenticate through a RADIUS server. The all parameter at the end of the command means that any of the defined RADIUS servers can be used for this authentication.
B2(rw)->set radius realm management-access all
clear radius
Use this command to clear RADIUS server settings.
set radius accounting
Parameters
server (Optional) Displays one or all RADIUS accounting server configurations.
counter ip-address (Optional) Displays counters for a RADIUS accounting server.
retries (Optional) Displays the maximum number of attempts to contact the RADIUS accounting server before timing out.
timeout (Optional) Displays the maximum amount of time before timing out.
Mode
Switch command, read-only.
clear radius accounting
timeout timeout Sets the maximum amount of time (in seconds) to establish contact with a specified RADIUS accounting server before timing out. Valid timeout values are 1 - 30.
server ip_address port server-secret Specifies the accounting server’s:
• IP address
• UDP authentication port (0 - 65535)
• server-secret (Read-Write password to access this accounting server. Device will prompt for this entry upon creating a server instance, as shown in the example below.
clear radius accounting
Defaults
None.
Example
This example shows how to reset the RADIUS accounting timeout to 5 seconds.
Configuring 802.1X Authentication
Purpose
To review and configure 802.1X authentication for one or more ports using EAPOL (Extensible Authentication Protocol). 802.1X controls network access by enforcing user authorization on selected ports, which results in allowing or denying network access according to RADIUS server configuration.
show dot1x
If port-string is not specified, information for all ports will be displayed.
Mode
Switch command, read-only.
Examples
This example shows how to display 802.1X status:
B2(su)->show dot1x
DOT1X is disabled.
This example shows how to display authentication diagnostics information for fe.1.1:
B2(su)->show dot1x auth-diag fe.1.
show dot1x auth-config
Use this command to display 802.1X authentication configuration settings for one or more ports.
Syntax
show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Parameters
authcontrolled-portcontrol (Optional) Displays the current value of the controlled Port control parameter for the port.
set dot1x
Port: 1
Auth-Config
PAE state: Initialize
Backend auth state: Initialize
Admin controlled directions: Both
Oper controlled directions: Both
Auth controlled port status: Authorized
Auth controlled port control: Auto
Quiet period: 60
Transmission period: 30
Supplicant timeout: 30
Server timeout: 30
Maximum requests: 2
Reauthentication period: 3600
Reauthentication control: Disabled
set dot1x
Use this command to enable or disable 802.
set dot1x auth-config
Use this command to configure 802.1X authentication.
Syntax
set dot1x auth-config {[authcontrolled-portcontrol {auto | forced-auth | forced-unauth}] [maxreq value] [quietperiod value] [reauthenabled {false | true}] [reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string]
Parameters
authcontrolled-portcontrol auto | forced-auth | forced-unauth Specifies the 802.1X port control mode.
clear dot1x auth-config
Examples
This example shows how to enable reauthentication control on ports fe.1.1-3:
B2(su)->set dot1x auth-config reauthenabled true fe.1.1-3
This example shows how to set the 802.1X quiet period to 120 seconds on ports fe.1.1-3:
B2(su)->set dot1x auth-config quietperiod 120 fe.1.1-3
clear dot1x auth-config
Use this command to reset 802.1X authentication parameters to default values on one or more ports.
show eapol
This example shows how to reset the 802.1X quiet period to 60 seconds on ports fe.1.1-3:
B2(su)->clear dot1x auth-config quietperiod fe.1.1-3
show eapol
Use this command to display EAPOL status or settings for one or more ports.
Syntax
show eapol [port-string]
Parameters
port-string (Optional) Displays EAPOL status for specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
show eapol
Table 19-2 show eapol Output Details
Output Field: What It Displays...
Port: Port designation. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Authentication State: Current EAPOL authentication state for each port.
set eapol
Use this command to enable or disable EAPOL port-based user authentication with the RADIUS server and to set the authentication mode for one or more ports.
Syntax
set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth}] port-string
Parameters
enable | disable Enables or disables EAPOL.
auth-mode auto | forced-auth | forced-unauth Specifies the authentication mode as:
• auto - Auto authorization mode.
clear eapol
Parameters
auth-mode (Optional) Globally clears the EAPOL authentication mode.
port-string Specifies the port(s) on which to clear EAPOL parameters. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
If auth-mode is not specified, all EAPOL settings will be cleared. If port-string is not specified, settings will be cleared for all ports.
Mode
Switch command, read-write.
Configuring MAC Authentication
Purpose
To review, disable, enable and configure MAC authentication. This authentication method allows the device to authenticate source MAC addresses in an exchange with an authentication server. The authenticator (switch) selects a source MAC seen on a MAC-authentication enabled port and submits it to a backend client for authentication.
show macauthentication
Parameters
port-string (Optional) Displays MAC authentication information for specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
If port-string is not specified, MAC authentication information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display MAC authentication information for ge.2.1 through 8:
B2(su)->show macauthentication ge.2.
show macauthentication session
Table 19-3 show macauthentication Output Details (Continued)
Output Field: What It Displays...
Reauth Period: Reauthentication period for this port. Default value of 30 can be changed using the set macauthentication reauthperiod command (page 19-29).
Auth Allowed: Number of concurrent authentications supported on this port. Default is 1 and cannot be reset.
Auth Allocated: Maximum number of MAC authentications permitted on this port.
set macauthentication
Table 19-4 show macauthentication session Output Details (Continued)
Output Field: What It Displays...
Duration: Time this session has been active.
Reauth Period: Reauthentication period for this port, set using the set macauthentication reauthperiod command described in “set macauthentication reauthperiod” on page 19-29.
Reauthentications: Whether or not reauthentication is enabled or disabled on this port.
clear macauthentication password
Example
This example shows how to set the MAC authentication password to “macauth”:
B2(su)->set macauthentication password macauth
clear macauthentication password
Use this command to clear the MAC authentication password.
Syntax
clear macauthentication password
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
set macauthentication portinitialize
Usage
Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the switch as described in “set macauthentication” on page 19-24, and then enabling it on a port-by-port basis. By default, MAC authentication is globally disabled and disabled on all ports.
Example
This example shows how to enable MAC authentication on ge.2.1 through 5:
B2(su)->set macauthentication port enable ge.2.
clear macauthentication portquietperiod
Defaults
None.
Mode
Switch command, read-write.
Example
This example sets port 1 to wait 5 seconds after a failed authentication attempt before a new attempt can be made:
B2(su)->set macauthentication portquietperiod 5 ge.1.1
clear macauthentication portquietperiod
This sets the quiet period back to the default value of 30 seconds.
set macauthentication reauthentication
Mode
Switch command, read-write.
Defaults
None.
Example
This example shows how to force the MAC authentication session for address 00-60-97-b5-4c-07 to re-initialize:
B2(su)->set macauthentication macinitialize 00-60-97-b5-4c-07
set macauthentication reauthentication
Use this command to enable or disable reauthentication of all currently authenticated MAC addresses on one or more ports.
set macauthentication macreauthenticate

Parameters
port-string   Specifies MAC authentication port(s) to be reauthenticated. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to force ge.2.1 through 5 to reauthenticate:
B2(su)->set macauthentication portreauthentication ge.2.
clear macauthentication reauthperiod

Parameters
time   Specifies the number of seconds between reauthentication attempts. Valid values are 1 - 4294967295.
port-string   Specifies the port(s) on which to set the MAC reauthentication period. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
set macauthentication significant-bits
Use this command to set the number of significant bits of the MAC address to use for authentication.
Syntax
set macauthentication significant-bits number
Parameters
number   Specifies the number of significant bits to be used for authentication.
Defaults
None.
Mode
Switch command, read-write.
Usage
This command allows you to specify a mask to apply to MAC addresses when authenticating users through a RADIUS server.
clear macauthentication significant-bits

Mode
Switch command, read-write.
Example
This example resets the MAC authentication significant bits to 48.
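The masking step behind the significant-bits setting, as an added example that is not Enterasys firmware code: it keeps the top N bits of the 48-bit address and zeroes the rest, so a RADIUS server can hold one entry per vendor prefix (24 bits) or per full station (48 bits, the default). How the B2 formats the masked address in its RADIUS request is not stated on this page and is not modelled; the address list is constructed.

```python
"""Model the MAC mask implied by 'set macauthentication significant-bits'.

Added example, not Enterasys code. Only the masking is modelled: the top
`bits` bits of the address are kept and the remaining bits are cleared.
"""
import re


def parse_mac(mac: str) -> int:
    """Accept 00-60-97-b5-4c-07, 00:60:97:b5:4c:07 or 006097b54c07; return a 48-bit int."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def significant_bits_mask(bits: int) -> int:
    """Return the 48-bit mask that keeps the top `bits` bits (valid range 1..48)."""
    if not 1 <= bits <= 48:
        raise ValueError("significant-bits must be between 1 and 48")
    return ((1 << bits) - 1) << (48 - bits)


def masked_mac(mac: str, bits: int = 48) -> str:
    """Apply the mask and render the result in the CLI's dashed notation."""
    value = parse_mac(mac) & significant_bits_mask(bits)
    hexstr = f"{value:012x}"
    return "-".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def radius_identities(macs, bits):
    """Group station addresses by the masked identity the RADIUS server would
    have to match. Returns {masked_mac: sorted list of original addresses}."""
    groups = {}
    for mac in macs:
        groups.setdefault(masked_mac(mac, bits), []).append(mac)
    return {key: sorted(val) for key, val in groups.items()}


if __name__ == "__main__":
    # Constructed station addresses: two share an OUI, one does not.
    stations = ["00-60-97-b5-4c-07", "00-60-97-12-34-56", "00-a0-c9-39-5c-b4"]
    for bits in (48, 24):
        print(f"significant-bits {bits}: {radius_identities(stations, bits)}")
```

With 24 significant bits the two 00-60-97 stations collapse to one RADIUS identity, which is the intended effect when a whole device family should authenticate against one entry.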
Configuring Multiple Authentication Methods

Note: B2 devices support up to three authenticated users per port.

About Multiple Authentication Types
When enabled, multiple authentication types allow users to authenticate using more than one method on the same port. In order for multiple authentication to function on the device, each possible method of authentication (MAC authentication, 802.
show multiauth

For information about...   Refer to page...
set multiauth mode
Use this command to set the system authentication mode to allow multiple authenticators simultaneously (802.1x, PWA, and MAC Authentication) on a single port, or to strictly adhere to 802.1x authentication.
Syntax
set multiauth mode {multi | strict}
Parameters
multi   Allows the system to use multiple authenticators simultaneously (802.1x, PWA, and MAC Authentication) on a port. This is the default mode.
strict   User must authenticate using 802.
Example
This example shows how to clear the system authentication mode:
B2(rw)->clear multiauth mode

set multiauth precedence
Use this command to set the system’s multiple authentication administrative precedence.
Syntax
set multiauth precedence {[dot1x] [mac]}
Parameters
dot1x   Sets precedence for 802.1X authentication.
mac   Sets precedence for MAC authentication.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to clear the multiple authentication precedence:
B2(rw)->clear multiauth precedence

show multiauth port
Use this command to display multiple authentication properties for one or more ports.
Syntax
show multiauth port [port-string]
Parameters
port-string   (Optional) Displays multiple authentication information for specific port(s).
Defaults
If port-string is not specified, multiple authentication information will be displayed for all ports.
clear multiauth port

Parameters
mode auth-opt | auth-reqd | force-auth | force-unauth   Specifies the port(s)’ multiple authentication mode as:
• auth-opt — Authentication optional (“non-strict” behavior). If a user does not attempt to authenticate using 802.1x, or if 802.1x authentication fails, the port will allow traffic to be forwarded according to the defined default VLAN.
• auth-reqd — Authentication is required.
• force-auth — Authentication considered.
Mode
Switch command, read-write.
Examples
This example shows how to clear the port multiple authentication mode on port ge.3.14:
B2(rw)->clear multiauth port mode ge.3.14
This example shows how to clear the number of users on port ge.3.14:
B2(rw)->clear multiauth port numusers ge.3.14

show multiauth station
Use this command to display multiple authentication station (end user) entries.
show multiauth idle-timeout

Parameters
all   (Optional) Displays information about all sessions, including those with terminated status.
agent dot1x | mac | pwa   (Optional) Displays 802.1X, MAC, or port web authentication session information.
mac address   (Optional) Displays multiple authentication session entries for specific MAC address(es).
port port-string   (Optional) Displays multiple authentication session entries for the specified port or ports.
Example
This example shows how to display timeout values for an idle session for all authentication types.
B2(su)->show multiauth idle-timeout
Authentication type   Timeout (sec)
-------------------   -------------
dot1x                 0
pwa                   0
mac                   0

set multiauth idle-timeout
Use this command to set the maximum number of consecutive seconds an authenticated session may be idle before termination of the session.
clear multiauth idle-timeout
Use this command to reset the maximum number of consecutive seconds an authenticated session may be idle before termination of the session to its default value of 0.
Syntax
clear multiauth idle-timeout [dot1x | mac | pwa]
Parameters
dot1x   (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to reset the timeout value to its default.
Example
This example displays the session timeout values for all authentication methods.
B2(su)->show multiauth session-timeout
Authentication type   Timeout (sec)
-------------------   -------------
dot1x                 0
pwa                   0
mac                   0

set multiauth session-timeout
Use this command to set the maximum number of seconds an authenticated session may last before termination of the session.
clear multiauth session-timeout
Use this command to reset the maximum number of consecutive seconds an authenticated session may last before termination of the session to its default value of 0.
Syntax
clear multiauth session-timeout [dot1x | mac | pwa]
Parameters
dot1x   (Optional) Specifies the IEEE 802.1X port-based network access control authentication method for which to reset the timeout value to its default.
Configuring VLAN Authorization (RFC 3580)

Purpose
RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.1X authenticated or a MAC authenticated user to a VLAN regardless of the PVID. Up to three users can be configured per Gigabit port. Please see section 3-31 of RFC 3580 for details on configuring a RADIUS server to return the desired tunnel attributes. As stated in RFC 3580, “...
set policy maptable response

multiauth port command (page 19-37) to set the number of RFC 3580 users (numusers) allowed per Gigabit port. Up to three users can be configured per Gigabit port.
Syntax
show policy maptable response
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
set vlanauthorization

When a user successfully authenticates to the network, the RADIUS server returns an Access-Accept frame. This frame can have many attributes, two of which are a Filter ID (which is how policy assignment is achieved) and RFC 3580 VLAN assignment. If a switch is in tunnel mode:
• The FID (Filter ID) is always ignored, but Default policy rules still apply.
• The VLAN attribute is used if present, and if VLAN authorization is enabled. See “set vlanauthorization” on page 19-47.
set vlanauthorization egress
Controls the modification of the current VLAN egress list of 802.1x authenticated ports for the VLANs returned in the RADIUS authorization filter id string.
Syntax
set vlanauthorization egress {none | tagged | untagged} port-string
Parameters
none   Specifies that no egress manipulation will be made.
tagged   Specifies that the authenticating port will be added to the current tagged egress for the VLAN-ID returned.
Mode
Switch command, read-write.
Example
This example shows how to clear VLAN authorization for all ports on slots 3, 4, and 5:
B2(rw)->clear vlanauthorization ge.3-5.*

show vlanauthorization
Displays the VLAN authentication status and configuration information for the specified ports.
Syntax
show vlanauthorization [port-string]
Parameters
port-string   (Optional) Displays VLAN authentication status for the specified ports.
Table 19-5 show vlanauthorization Output Details (Continued)

Output Field   What It Displays...
authenticated mac address   If authentication has succeeded, displays the MAC address assigned for egress.
vlan id   If authentication has succeeded, displays the assigned VLAN id for ingress.

Configuring MAC Locking
This feature locks a MAC address to one or more ports, preventing connection of unauthorized devices through the port(s).
For information about...   Refer to page...
set maclock static   19-56
clear maclock static   19-56
set maclock firstarrival   19-57
clear maclock firstarrival   19-58
set maclock agefirstarrival   19-58
clear maclock agefirstarrival   19-59
set maclock move   19-59
set maclock trap   19-60

show maclock
Use this command to display the status of MAC locking on one or more ports.
show maclock stations

Table 19-6 show maclock Output Details

Output Field   What It Displays...
Port Number   Port designation. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Port Status   Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default.
set maclock enable

Example
This example shows how to display MAC locking information for the end stations connected to all Gigabit Ethernet ports in unit/module 2:
B2(su)->show maclock stations fe.2.*
Port Number   MAC Address         Status   State           Aging
-----------   -----------------   ------   -------------   -----
fe.2.1        00:a0:c9:39:5c:b4   active   first arrival   true
fe.2.7        00:a0:c9:39:1f:11   active   static          false
Table 19-7 provides an explanation of the command output.
MAC locking is disabled by default at device startup. Configuring one or more ports for MAC locking requires globally enabling it on the device and then enabling it on the desired ports.
Example
This example shows how to enable MAC locking on fe.2.3:
B2(su)->set maclock enable fe.2.3

set maclock disable
Use this command to disable MAC locking globally or on one or more ports.
clear maclock

create   Establishes a MAC locking association between the specified MAC address and port. Create automatically enables MAC locking between the specified MAC address and port.
enable | disable   Enables or disables MAC locking between the specified MAC address and port.
Defaults
None.
Mode
Switch command, read-write.
set maclock static

Usage
The MAC address that is cleared will no longer be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met. For example, if user B’s MAC is removed from the static MAC address list and the first arrival limit has been set to 0, then user B will not be able to communicate on the port.
set maclock firstarrival

Parameters
port-string   Specifies the port on which to reset the number of static MAC addresses allowed. For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the number of allowable static MACs on fe.2.3:
B2(rw)->clear maclock static fe.2.
Example
This example shows how to restrict MAC locking to 6 MAC addresses on fe.2.3:
B2(su)->set maclock firstarrival fe.2.3 6

clear maclock firstarrival
Use this command to reset the number of first arrival MAC addresses allowed per port to the default value of 600.
Syntax
clear maclock firstarrival port-string
Parameters
port-string   Specifies the port on which to reset the first arrival value.
Mode
Switch command, read-write.
Example
This example enables first arrival aging on port ge.1.1.
B2(su)->set maclock agefirstarrival ge.1.1 enable

clear maclock agefirstarrival
Use this command to reset first arrival aging on one or more ports to its default state of disabled.
Syntax
clear maclock agefirstarrival port-string
Parameters
port-string   Specifies the port(s) on which to disable first arrival aging.
set maclock trap

Mode
Switch command, read-write.
Usage
If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be moved to static entries. For example, if you set the maximum number of static MACs to 2 with the set maclock static command, and then executed the set maclock move command, even though there were five MACs in the first arrival table, only the two most recent MAC entries would be moved to static entries.
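A per-port model of the first-arrival table, the static limit and the move behaviour described in the set maclock static and set maclock move usage text above, as an added example that is not Enterasys firmware code. It assumes the first-arrival table is kept in arrival order (the real table's internal ordering is not stated on this page), uses the documented default first-arrival limit of 600, and uses constructed MAC addresses.

```python
"""Model MAC locking on one port: first-arrival cap, static limit, and
'set maclock move' promoting only the most recent first-arrival entries.

Added example, not Enterasys code. Assumption: first-arrival entries are
stored oldest-first, so the "latest" entries are at the end of the list.
"""
from dataclasses import dataclass, field


@dataclass
class MacLockPort:
    first_arrival_limit: int = 600   # default restored by 'clear maclock firstarrival'
    static_limit: int = 0            # assumed 0 until 'set maclock static' is issued
    first_arrival: list = field(default_factory=list)   # oldest first (assumption)
    static: list = field(default_factory=list)

    def learn(self, mac: str) -> bool:
        """A frame arrives from `mac`. Known entries keep talking; a new
        station is admitted as a first-arrival entry only while the cap has
        room. Returns True if the station may communicate, False if locked out."""
        mac = mac.lower()
        if mac in self.static or mac in self.first_arrival:
            return True
        if len(self.first_arrival) >= self.first_arrival_limit:
            return False
        self.first_arrival.append(mac)
        return True

    def move(self) -> list:
        """'set maclock move': promote the latest first-arrival MACs to static
        entries without exceeding the static limit. Returns the promoted list."""
        room = max(self.static_limit - len(self.static), 0)
        promoted = self.first_arrival[-room:] if room else []
        self.static.extend(promoted)
        self.first_arrival = self.first_arrival[:len(self.first_arrival) - len(promoted)]
        return promoted

    def clear_static(self, mac: str) -> bool:
        """Remove a static entry ('clear maclock static' for one address). Per the
        usage text, the station only keeps communicating if the first-arrival
        limit is above 0 and not yet met; otherwise it is locked out."""
        self.static.remove(mac.lower())
        return self.learn(mac)


def worked_example() -> list:
    """The scenario from the usage text: static limit 2, five first-arrival
    stations, then a move. Returns the two addresses that became static."""
    port = MacLockPort(first_arrival_limit=600, static_limit=2)
    for i in range(1, 6):                       # constructed addresses
        port.learn(f"00-a0-c9-00-00-0{i}")
    return port.move()


if __name__ == "__main__":
    print("promoted to static:", worked_example())
```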
Configuring Port Web Authentication (PWA)

Note: A license is required to enable PWA on the SecureStack B2 switch. Refer to the chapter entitled “Activating Licensed Features” for more information.
For information about...   Refer to page...
show pwa session   19-71
set pwa enhancedmode   19-72

show pwa
Use this command to display port web authentication information for one or more ports.
Syntax
show pwa [port-string]
Parameters
port-string   (Optional) Displays PWA information for specific port(s).
Defaults
If port-string is not specified, PWA information will be displayed for all ports.
Mode
Switch command, read-only.
Example
This example shows how to display PWA information for ge.2.
set pwa

Table 19-8 show pwa Output Details (Continued)

Output Field   What It Displays...
PWA Enhanced Mode   Whether PWA enhanced mode is enabled or disabled. Default state of disabled can be changed using the set pwa enhancedmode command as described in “set pwa enhancedmode” on page 19-72.
PWA Logo   Whether the Enterasys Networks logo will be displayed or hidden at user login.
Example
This example shows how to enable port web authentication:
B2(su)->set pwa enable

show pwa banner
Use this command to display the port web authentication login banner string.
Syntax
show pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Example
This example shows how to display the PWA login banner:
B2(su)->show pwa banner
Welcome to Enterasys Networks

set pwa banner
Use this command to configure a string to be displayed as the PWA login banner.
clear pwa banner
Use this command to reset the PWA login banner to a blank string.
Syntax
clear pwa banner
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to reset the PWA login banner to a blank string:
B2(su)->clear pwa banner

set pwa displaylogo
Use this command to set the display options for the Enterasys Networks logo.
set pwa ipaddress
Use this command to set the PWA IP address. This is the IP address of the end station from which PWA will prevent network access until the user is authenticated.
Syntax
set pwa ipaddress ip-address
Parameters
ip-address   Specifies a globally unique IP address. This same value must be configured into every authenticating switch in the domain.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to set a PWA IP address of 1.2.3.
set pwa guestname
Use this command to set a guest user name for PWA networking. PWA will use this name to grant network access to guests without established login names and passwords.
Syntax
set pwa guestname name
Parameters
name   Specifies a guest user name.
Defaults
None.
Mode
Switch command, read-write.
set pwa guestpassword
Use this command to set the guest user password for PWA networking.
Syntax
set pwa guestpassword
Parameters
None.
Defaults
None.
Mode
Switch command, read-write.
Usage
PWA will use this password and the guest user name to grant network access to guests without established login names and passwords.
Usage
PWA will use a guest password and guest user name to grant network access with default policy privileges to users without established login names and passwords.
Example
This example shows how to enable PWA guest networking with RADIUS authentication:
B2(su)->set pwa guestnetworking authradius

set pwa initialize
Use this command to initialize a PWA port to its default unauthenticated state.
Defaults
If port-string is not specified, the quiet period will be set for all ports.
Mode
Switch command, read-write.
Example
This example shows how to set the PWA quiet period to 30 seconds for ports ge.1.5-7:
B2(su)->set pwa quietperiod 30 ge.1.5-7

set pwa maxrequest
Use this command to set the maximum number of log on attempts allowed before transitioning the PWA port to a held state.
show pwa session

Parameters
enable | disable   Enables or disables PWA on specified ports.
port-string   (Optional) Sets the control mode on specific port(s). For a detailed description of possible port-string values, refer to “Port String Syntax Used in the CLI” on page 7-2.
Defaults
If port-string is not specified, PWA will be enabled on all ports.
Mode
Switch command, read-write.
Example
This example shows how to enable PWA on ports 1-22:
B2(su)->set pwa portcontrol enable ge.1.
set pwa enhancedmode
This command enables PWA URL redirection. The switch intercepts all HTTP packets on port 80 from the end user, and sends the end user a refresh page destined for the configured PWA IP Address.
Syntax
set pwa enhancedmode {enable | disable}
Parameters
enable | disable   Enables or disables PWA enhancedmode.
Defaults
None.
Mode
Switch command, read-write.
Configuring Secure Shell (SSH)

Purpose
To review, enable, disable, and configure the Secure Shell (SSH) protocol, which provides secure Telnet.

Commands
For information about...   Refer to page...
show ssh status   19-73
set ssh   19-73
set ssh hostkey   19-74

show ssh status
Use this command to display the current status of SSH on the switch.
Syntax
show ssh status
Parameters
None.
Defaults
None.
Mode
Switch command, read-only.
Parameters
enable | disable   Enables or disables SSH.
reinitialize   Reinitializes the SSH server.
Defaults
None.
Mode
Switch command, read-write.
Example
This example shows how to disable SSH:
B2(su)->set ssh disable

set ssh hostkey
Use this command to set or reinitialize new SSH authentication keys.
Syntax
set ssh hostkey [reinitialize]
Parameters
reinitialize   (Optional) Reinitializes the server host authentication keys.