SecureStack A2 Stackable Switches Configuration Guide Firmware Version 1.03.
Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.
Enterasys Networks, Inc. Firmware License Agreement

BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT. This document is an agreement (“Agreement”) between the end user (“You”) and Enterasys Networks, Inc.

3. APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts.

8. AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program.
About This Guide

Welcome to the Enterasys Networks SecureStack A2 Configuration Guide. This manual explains how to access the device’s Command Line Interface (CLI) and how to use it to configure SecureStack A2 switch devices.

Important Notice: Depending on the firmware version used in your device, some features described in this document may not be supported. Refer to the Release Notes shipped with your device to determine which features are supported.

STRUCTURE OF THIS GUIDE

The guide is organized as follows:

Chapter 1, Introduction, provides an overview of the tasks that can be accomplished using the CLI interface, an overview of local management requirements, and information about obtaining technical support.

Chapter 11, Logging and Network Management, describes how to configure Syslog, how to manage general switch settings, how to monitor network events and status, how to manage network addresses and routes, and how to configure SNTP and node aliases.

CONVENTIONS USED IN THIS GUIDE

The following conventions are used in the text of this document:

| Convention | Description |
|---|---|
| Bold font | Indicates mandatory keywords, parameters or keyboard keys. |
| italic font | Indicates complete document titles. |
| Courier font | Used for examples of information displayed on the screen. |
| Courier font in italics | Indicates a user-supplied value, either required or optional. |
| [] | Square brackets indicate an optional value. |

1 Introduction

This chapter provides an overview of the SecureStack A2’s unique features and functionality, an overview of the tasks that may be accomplished using the CLI interface, an overview of ways to manage the switch, and information on how to contact Enterasys Networks for technical support.

Important Notice: Depending on the firmware version you are using, some features described in this document may not be supported.

• Configure ports to prioritize and assign a VLAN or Class of Service to incoming frames based on Layer 2, Layer 3, and Layer 4 information.
• Configure the switch to operate as a Generic Attribute Registration Protocol (GARP) device to dynamically create VLANs across a switched network.
• Redirect frames according to a port or VLAN and transmit them on a preselected destination port.
• Configure Spanning Trees.
• Clear NVRAM.
• Configure security methods, including 802.

1.3 GETTING HELP

For additional support related to this switch or document, contact Enterasys Networks using one of the following methods:

World Wide Web: http://www.enterasys.com/services/support/
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000. For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/services/support/contact/
Internet mail: support@enterasys.com. To expedite your message, type [SWITCHING] in the subject line.
2 Startup and General Configuration

This chapter describes factory default settings and the Startup and General Configuration set of commands.

2.1 STARTUP AND GENERAL CONFIGURATION SUMMARY

At startup, the SecureStack A2 switch is configured with many defaults and standard features. The following sections provide information on how to review and change factory defaults, and how to customize basic system settings to adapt to your work environment.

2.1.

Table 2-1 Default Switch Settings (Continued)

| Feature | Default Setting |
|---|---|
| GVRP | Globally enabled. |
| IGMP | Disabled. When enabled, query interval is set to 260 seconds and response time is set to 10 seconds. |
| IP mask and gateway | Subnet mask set to 0.0.0.0; default gateway set to 0.0.0.0 |
| IP routes | No static routes configured. |
| Jumbo frame support | Disabled on all ports. |
| Link aggregation control protocol (LACP) | Enabled. |

Table 2-1 Default Switch Settings (Continued)

| Feature | Default Setting |
|---|---|
| Port broadcast suppression | Enabled and set to limit broadcast packets to 14,881 per second on all switch ports. |
| Port duplex mode | Set to half duplex, except for 100BASE-FX and 1000BASE-X, which is set to full duplex. |
| Port enable/disable | Enabled. |
| Port priority | Set to 1. |

Table 2-1 Default Switch Settings (Continued)

| Feature | Default Setting |
|---|---|
| Spanning Tree maximum aging time | Set to 20 seconds. |
| Spanning Tree port priority | All ports with bridge priority are set to 128 (medium priority). |
| Spanning Tree priority | Bridge priority is set to 32768. |
| Spanning Tree version | Set to mstp (Multiple Spanning Tree Protocol). |
| SSH | Disabled. |
| System baud rate | Set to 9600 baud. |

Figure 2-1 Sample CLI Default Description

    show port status [port-string]

Command Defaults: If port-string is not specified, status information for all ports will be displayed.

2.1.3 CLI Command Modes

Each command description in this guide includes a section entitled “Command Mode” which states whether the command is executable in Admin (Super User), Read-Write, or Read-Only mode.
2.1.4 Using and Configuring WebView

Purpose

WebView is the Enterasys Networks embedded web server for switch configuration and management tasks. By default, WebView is enabled on TCP port number 80 on the SecureStack A2 switch. You can verify WebView status, and enable or disable WebView, as described in the following sections. WebView can also be securely used over SSL port 443. By default SSL is disabled.

2.1.4.1 show webview

Use this command to display WebView status.

    show webview

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

Example

This example shows how to display WebView status:

    A2(rw)->show webview
    WebView is Enabled.

2.1.4.2 set webview

Use this command to enable or disable WebView on the switch.

    set webview {enable [ssl-only] | disable}

Syntax Description
enable | disable: Enable or disable WebView on the switch.
ssl-only: (Optional) Allow WebView access by means of SSL only.

Command Defaults: None.
Command Mode: Read-Write.

2.1.4.3 show ssl

Use this command to display SSL status.

    show ssl

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.4.4 set ssl

Use this command to enable or disable the use of WebView over SSL port 443. By default, SSL is disabled on the switch. This command can also be used to reinitialize the hostkey that is used for encryption.

    set ssl {enable | disable | reinitialize | hostkey reinitialize}

Syntax Description
enable | disable: Enable or disable the ability to use WebView over SSL.
reinitialize: Stops and then restarts the SSL process.
2.1.5 Process Overview: CLI Startup and General Configuration

Use the following steps as a guide to the startup and general configuration process:

1. Starting and navigating the Command Line Interface (CLI) (Section 2.1.6)
2. Configuring switch operation in a stack (Section 2.1.10)
3. Setting user accounts and passwords (Section 2.1.11)
4. Setting basic switch properties (Section 2.1.12)
5.

2.1.6 Starting and Navigating the Command Line Interface

2.1.6.1 Using a Console Port Connection

NOTE: By default, the SecureStack A2 switch is configured with three user login accounts: ro for Read-Only access; rw for Read-Write access; and admin for super-user access to all modifiable parameters. The default password is set to a blank string.

2.1.6.3 Logging in with an Administratively Configured User Account

If the switch’s default user account settings have been changed, proceed as follows:

1. At the login prompt, enter your administratively-assigned user name and press ENTER.
2. At the Password prompt, enter your password and press ENTER.

The notice of authorization and prompt displays as shown in Figure 2-2.

Figure 2-2 SecureStack A2 Startup Screen

    Username: admin
    Password:
    Enterasys Networks, Inc.
    50 Minuteman Rd.
    Andover, MA 01810-1008 U.S.A.
    Phone: +1 978 684 1000
    E-mail: support@enterasys.com
    WWW: http://www.enterasys.com
    (c) Copyright Enterasys Networks, Inc. 2005
    Serial Number: 1234567
    Firmware Revision: 01.00.
2.1.7 Getting Help with CLI Syntax

The SecureStack A2 switch allows you to display usage and syntax information for individual commands by typing help or ? after the command.

2.1.7.1 Performing Keyword Lookups

Entering a space and a question mark (?) after a keyword will display all commands beginning with the keyword. Figure 2-3 shows how to perform a keyword lookup for the show snmp command.

2.1.7.2 Displaying Scrolling Screens

If the CLI screen length has been set using the set length command as described in Section 2.1.12.25, CLI output requiring more than one screen will display --More-- to indicate continuing screens. To display additional screen output:

• Press any key other than ENTER to advance the output one screen at a time.
• Press ENTER to advance the output one line at a time.

2.1.8 Abbreviating and Completing Commands

The SecureStack A2 switch allows you to abbreviate CLI commands and keywords down to the number of characters that will allow for a unique abbreviation. Figure 2-6 shows how to abbreviate the show netstat command to sh net.
2.1.9 Basic Line Editing Commands

The CLI supports Emacs-like line editing commands. Table 2-2 lists some commonly used commands.

Table 2-2 Basic Line Editing Commands

| Key Sequence | Command |
|---|---|
| Ctrl+A | Move cursor to beginning of line. |
| Ctrl+B | Move cursor back one character. |
| Ctrl+D | Delete a character. |
| Ctrl+E | Move cursor to end of line. |
| Ctrl+F | Move cursor forward one character. |
| Ctrl+H | Delete character to left of cursor. |
2.1.10 Configuring Switches in a Stack

About SecureStack A2 Switch Operation in a Stack

The SecureStack A2 products are stackable switches that can be adapted and scaled to help meet your network needs. These switches provide a management platform and uplink to a network backbone for a stacked group of up to eight SecureStack A2 switches.

3. The management election process uses the following precedence to assign a management switch:
   a. Previously assigned / elected management unit
   b. Management assigned priority (values 1-15)
   c. Hardware preference level
   d. Highest MAC Address

Use the following recommended procedures when installing a new stackable system or adding a new unit to an existing stack.

Installing a Previously-Configured System of Up to Eight Units

If member units in a stack have been previous members of a different stack, you may need to configure the renumbering of the stack as follows:

1. Stack the units in the method desired, and connect the stack cables.
2. Power up only the unit you wish to be manager.
3.

• If the running stack uses a closed loop configuration, break the loop and make the stack cable connections to the new unit to close the loop.

3. Apply power to the new unit.

Creating a Virtual Switch Configuration

You can create a configuration for a SecureStack A2 switch before adding the actual physical device to a stack. This preconfiguration feature includes configuring protocols on the ports of the “virtual switch.

    A2(su)->set vlan create 555
    A2(su)->clear vlan egress 1 fe.2.1
    A2(su)->set port vlan fe.2.1 555 untagged
    A2(su)->show port vlan fe.2.1
    fe.2.1 is set to 555

Considerations About Using Clear Config in a Stack

When using the clear config command (as described in Section 2.1.19.

• show switch switchtype (Section 2.1.10.3)
• show switch stack-ports (Section 2.1.10.4)
• set switch (Section 2.1.10.5)
• set switch copy-fw (Section 2.1.10.6)
• set switch description (Section 2.1.10.7)
• set switch movemanagement (Section 2.1.10.8)
• set switch member (Section 2.1.10.9)
• clear switch member (Section 2.1.10.
2.1.10.1 set switch stack-port

Use this command to configure the two front panel uplink ports as standard Gigabit Ethernet ports or stack ports.

    set switch stack-port {ethernet | stack}

NOTES:
• Use this command only on standalone (non-stacked) A2 switches.
• Using this command will cause a switch reset.
• Do not stack A2 switches with uplink ports that are in Ethernet mode.

2.1.10.2 show switch

Use this command to display information about one or more units in the stack. After a stack has been configured, you can use this command to physically confirm the identity of each unit. When you enter the command with a unit number, the MGR LED of the specified switch will blink for 10 seconds. The normal state of this LED is off for member units and steady green for the manager unit.

This example shows how to display information for switch unit 1 in the stack:

    A2(rw)->show switch 1
    Switch                            1
    Management Status                 Management Switch
    Hardware Management Preference    Unassigned
    Admin Management Preference       Unassigned
    Switch Type                       A2H124-48
    Preconfigured Model Identifier    A2H124
    Plugged-in Model Identifier
    Switch Status
    Switch Description
    Detected Code Version
    Detected Code in Flash
    Detected Code in Back Image
    Up Time
    A2(su)->

2.1.10.3 show switch switchtype

Use this command to display information about supported switch types in the stack.

    show switch switchtype

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.10.4 show switch stack-ports

Use this command to display various data flow and error counters on stack ports.

    show switch stack-ports

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.10.5 set switch

Use this command to assign a switch ID, to set a switch’s priority for becoming the management switch if the previous management switch fails, or to change the switch unit ID for a switch in the stack.

    set switch {unit [priority value | renumber newunit]}

Syntax Description
unit: Specifies a unit number for the switch.
priority value: Specifies a priority value for the unit.

2.1.10.6 set switch copy-fw

Use this command to replicate the code image file from the management switch to other switch(es) in the stack.

    set switch copy-fw [destination-system unit]

Syntax Description
destination-system unit: (Optional) Specifies the unit number of unit on which to copy the management image file.

2.1.10.7 set switch description

Use this command to assign a name to a switch in the stack.

    set switch description unit description

Syntax Description
unit: Specifies a unit number for the switch.
description: Specifies a text description for the unit.

Command Defaults: None.
Command Mode: Read-Write.

2.1.10.8 set switch movemanagement

Use this command to move management switch functionality from one switch to another.

    set switch movemanagement fromunit tounit

Syntax Description
fromunit: Specifies the unit number of the current management switch.
tounit: Specifies the unit number of the newly-designated management switch.

Command Defaults: None.
Command Mode: Read-Write.

2.1.10.9 set switch member

Use this command to specify a unit as a non-existent member of a future stack.

    set switch member unit switch-id

Syntax Description
unit: Specifies a unit number for the switch.
switch-id: Specifies a switch ID number for the switch.

Command Defaults: None.
Command Mode: Read-Write.

2.1.10.10 clear switch member

Use this command to remove a member entry from the stack.

    clear switch member unit

Syntax Description
unit: Specifies the unit number of the switch.

Command Defaults: None.
Command Mode: Read-Write.
2.1.11 Setting User Accounts and Passwords

Purpose

To change the switch’s default user login and password settings, and to add new user accounts and passwords.

Commands

The commands used to configure user accounts and passwords are listed below and described in the associated section as shown.

• show system login (Section 2.1.11.1)
• set system login (Section 2.1.11.2)
• clear system login (Section 2.1.11.

2.1.11.1 show system login

Use this command to display user login account information.

    show system login

Syntax Description: None.
Command Defaults: None.
Command Mode: Super User.

Example

This example shows how to display login account information.

Table 2-3 show system login Output Details (Continued)

| Output | What It Displays... |
|---|---|
| Access | Access assigned to this user account: super-user, read-write or read-only. |
| State | Whether this user account is enabled or disabled. |

2.1.11.2 set system login

Use this command to create a new user login account, or to disable or enable an existing account. The SecureStack A2 switch supports up to 16 user accounts, including the admin account, which cannot be disabled or deleted.

    set system login username {super-user | read-write | read-only} {enable | disable}

Syntax Description
username: Specifies a login name for a new or existing user.

2.1.11.3 clear system login

Use this command to remove a local login user account.

    clear system login username

Syntax Description
username: Specifies the login name of the account to be cleared.

NOTE: The default admin (su) account cannot be deleted.

Command Defaults: None.
Command Mode: Super User.

2.1.11.4 set password

Use this command to change system default passwords or to set a new login password on the CLI.

    set password [username]

Syntax Description
username: (Only available to users with super-user access.) Specifies a system default or a user-configured login account name. By default, the SecureStack A2 switch provides the following account names:
• ro for Read-Only access.
• rw for Read-Write access.

2.1.11.5 set system password length

Use this command to set the minimum user login password length.

    set system password length characters

Syntax Description
characters: Specifies the minimum number of characters for a user account password. Valid values are 0 to 40.

Command Defaults: None.
Command Mode: Super User.

2.1.11.6 set system password aging

Use this command to set the number of days user passwords will remain valid before aging out, or to disable user account password aging.

    set system password aging {days | disable}

Syntax Description
days: Specifies the number of days user passwords will remain valid before aging out. Valid values are 1 to 365.
disable: Disables password aging.

Command Defaults: None.
Command Mode: Super User.

2.1.11.7 set system password history

Use this command to set the number of previously used user login passwords that will be checked for password duplication. This prevents duplicate passwords from being entered into the system with the set password command.

    set system password history size

Syntax Description
size: Specifies the number of passwords checked for duplication. Valid values are 0 to 10.

Command Defaults: None.

2.1.11.8 show system lockout

Use this command to display settings for locking out users after failed attempts to log in to the system.

    show system lockout

Syntax Description: None.
Command Defaults: None.
Command Mode: Super User.

Example

This example shows how to display user lockout settings. In this case, switch defaults have not been changed:

    A2(su)->show system lockout
    Lockout attempts: 3
    Lockout time: 15 minutes.

2.1.11.9 set system lockout

Use this command to set the number of failed login attempts before locking out (disabling) a read-write or read-only user account, and the number of minutes to lockout the default admin super user account after maximum login attempts. Once a user account is locked out, it can only be re-enabled by a super user with the set system login command (Section 2.1.11.2).
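
The factory defaults described above (three accounts with a blank password, WebView on TCP port 80, SSL disabled) can be reviewed offline from captured CLI output. The following Python sketch is an added example, not Enterasys code: it classifies captured show webview and show system lockout output and builds a command list using only the syntax and value ranges printed in this guide. The policy values 8/90/5, the "WebView is Disabled." wording, the command ordering and all function names are assumptions.

```python
import re

# Value ranges documented on this page for the three password-policy commands.
RANGES = {"length": (0, 40), "aging": (1, 365), "history": (0, 10)}
# Factory accounts; the guide states their default password is a blank string.
DEFAULT_ACCOUNTS = ("admin", "rw", "ro")


def policy_commands(length, aging, history):
    """Build 'set system password ...' lines, rejecting out-of-range values."""
    cmds = []
    for key, value in (("length", length), ("aging", aging), ("history", history)):
        lo, hi = RANGES[key]
        if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"password {key} must be an integer in {lo}..{hi}, got {value!r}")
        cmds.append(f"set system password {key} {value}")
    return cmds


def hardening_plan(length=8, aging=90, history=5, web_needed=True):
    """Ordered CLI lines: policy first, then passwords, then WebView.

    8/90/5 are example policy choices (assumption), not vendor recommendations.
    """
    plan = policy_commands(length, aging, history)
    # 'set password <username>' prompts for the new password interactively.
    plan += [f"set password {user}" for user in DEFAULT_ACCOUNTS]
    if web_needed:
        # Enabling SSL before restricting WebView to it is an assumed ordering.
        plan += ["set ssl enable", "set webview enable ssl-only"]
    else:
        plan += ["set webview disable"]
    return plan


def audit(show_webview, show_lockout, max_attempts=3):
    """Classify captured 'show' output per check as ok / review / unparsed."""
    result = {}
    m = re.search(r"WebView is (Enabled|Disabled)", show_webview, re.I)
    if not m:
        result["webview"] = "unparsed"   # fail closed on unknown wording
    elif m.group(1).lower() == "enabled":
        # The status line does not say whether access is SSL-only.
        result["webview"] = "review"
    else:
        result["webview"] = "ok"
    m = re.search(r"Lockout attempts:\s*(\d+)\s+Lockout time:\s*(\d+)\s*minutes",
                  show_lockout)
    if not m:
        result["lockout"] = "unparsed"
    else:
        attempts = int(m.group(1))
        # Treating 0 as "needs review" is an assumption about the device.
        result["lockout"] = "ok" if 1 <= attempts <= max_attempts else "review"
    return result


# Output text as printed in this guide's examples (factory defaults).
SAMPLE_WEBVIEW = "A2(rw)->show webview\nWebView is Enabled."
SAMPLE_LOCKOUT = "A2(su)->show system lockout\nLockout attempts: 3 Lockout time: 15 minutes."

if __name__ == "__main__":
    print(audit(SAMPLE_WEBVIEW, SAMPLE_LOCKOUT))
    for line in hardening_plan():
        print(line)
```

The plan emits no set system lockout line because that command's syntax is not shown in this excerpt; a "review" result for lockout points back to Section 2.1.11.9.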
2.1.12 Setting Basic Device Properties

Purpose
To display and set the system IP address and other basic system (switch) properties, including time, contact name and version information.

Commands
The commands used to set basic system information are listed below and described in the associated section as shown.
• show ip address (Section 2.1.12.1)
• show ip protocol (Section 2.1.12.2)
• set ip address (Section 2.1.12.
• set system name (Section 2.1.12.21)
• set system location (Section 2.1.12.22)
• set system contact (Section 2.1.12.23)
• set width (Section 2.1.12.24)
• set length (Section 2.1.12.25)
• show logout (Section 2.1.12.26)
• set logout (Section 2.1.12.27)
• show console (Section 2.1.12.28)
• set console baud (Section 2.1.12.
2.1.12.1 show ip address

Use this command to display the system IP address and subnet mask.

show ip address

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

Example
This example shows how to display the system IP address and subnet mask:

A2(rw)->show ip address
Name             Address          Mask
---------------- ---------------- ----------------
host             10.42.13.20      255.255.0.

2.1.12.2 show ip protocol

Use this command to display the method used to acquire a network IP address for switch management.

show ip protocol

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.12.3 set ip address

Use this command to set the system IP address, subnet mask and default gateway.

set ip address ip-address [mask ip-mask] [gateway ip-gateway]

Syntax Description
  ip-address      Sets the IP address for the system. For SecureStack A2 stackable systems, this is the IP address of the management switch as described in Section 2.1.10.
  mask ip-mask    (Optional) Sets the system’s subnet mask.

2.1.12.4 clear ip address

Use this command to clear the system IP address.

clear ip address

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Write.

2.1.12.5 show system

Use this command to display system information, including contact information, power and fan tray status and uptime.

show system

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.
Table 2-5 show system Output Details

Output             What It Displays...
System contact     Contact person for the system. Default of a blank string can be changed with the set system contact command (Section 2.1.12.23).
System location    Where the system is located. Default of a blank string can be changed with the set system location command (Section 2.1.12.22).
System name        Name identifying the system.
2.1.12.6 show system hardware

Use this command to display the system’s hardware configuration.

show system hardware

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.12.7 show system utilization

Use this command to display detailed information about the processor running on the switch, or the overall memory usage of the Flash and SDRAM storage devices on the unit, or the processes running on the switch. Only the memory usage in the master unit of a stack is shown.
This example shows how to display information about the processes running on the system. Only partial output is shown.

A2(su)->show system utilization process
Switch:1 CPU:1
TID        Name            5Sec     1Min     5Min
----------------------------------------------------------
3836d40    sshd            0.00%    0.00%    0.00%
3896c98    captureTask     0.00%    0.00%    0.00%
3978148    vlanDynEg       0.00%    0.00%    0.00%
3a3cbe0    tcdpSendTask    0.00%    0.00%    0.00%
3a4ceb8    tcdpTask        0.00%    0.00%    0.
2.1.12.8 set system enhancedbuffermode

Use this command to enable or disable enhanced buffer mode, which optimizes buffer distribution for non-stacking single CoS queue operation. Executing this command will reset the switch, so the system prompts you to confirm whether you want to proceed.

set system enhancedbuffermode {enable | disable}

Syntax Description
  enable | disable    Enables or disables enhanced buffer mode.

2.1.12.9 show time

Use this command to display the current time of day in the system clock.

show time

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

Example
This example shows how to display the current time.

2.1.12.10 set time

Use this command to change the time of day on the system clock.

set time [mm/dd/yyyy] [hh:mm:ss]

Syntax Description
  [mm/dd/yyyy] [hh:mm:ss]    Sets the time in:
                             • month, day, year and/or
                             • 24-hour format
                             At least one set of time parameters must be entered.

Command Defaults: None.
Command Mode: Read-Write.

Example
This example shows how to set the system clock to 7:50 a.

2.1.12.11 show summertime

Use this command to display daylight savings time settings.

show summertime

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.12.12 set summertime

Use this command to enable or disable the daylight savings time function.

set summertime {enable | disable} [zone]

Syntax Description
  enable | disable    Enables or disables the daylight savings time function.
  zone                (Optional) Applies a name to the daylight savings time settings.

Command Defaults: If a zone name is not specified, none will be applied.
Command Mode: Read-Only.

2.1.12.13 set summertime date

Use this command to configure specific dates to start and stop daylight savings time. These settings will be non-recurring and will have to be reset annually.

set summertime date start_month start_date start_year start_hr_min end_month end_date end_year end_hr_min [offset_minutes]

Syntax Description
  start_month    Specifies the month of the year to start daylight savings time.

2.1.12.14 set summertime recurring

Use this command to configure recurring daylight savings time settings. These settings will start and stop daylight savings time at the specified day of the month and hour each year and will not have to be reset annually.

2.1.12.15 clear summertime

Use this command to clear the daylight savings time configuration.

clear summertime

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Write.
2.1.12.16 set prompt

Use this command to modify the command prompt.

set prompt “prompt_string”

Syntax Description
  prompt_string    Specifies a text string for the command prompt.

NOTE: A prompt string containing a space in the text must be enclosed in quotes as shown in the example below.

Command Defaults: None.
Command Mode: Read-Write.

2.1.12.17 show banner motd

Use this command to show the banner message of the day that will display at session login.

show banner motd

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.12.18 set banner motd

Use this command to set the banner message of the day displayed at session login.

set banner motd message

Syntax Description
  message    Specifies a message of the day. This is a text string that needs to be in double quotes if any spaces are used. Use a \n for a new line and \t for a tab (eight spaces).

Command Defaults: None.
Command Mode: Read-Write.

2.1.12.19 clear banner motd

Use this command to clear the banner message of the day displayed at session login to a blank string.

clear banner motd

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Write.

2.1.12.20 show version

Use this command to display hardware and firmware information. Refer to Section 2.1.14 for instructions on how to download a firmware image.

show version

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

Example
This example shows how to display version information:

A2(rw)->show version
Copyright (c) 2005 by Enterasys Networks, Inc.
Table 2-6 show version Output Details

Output      What It Displays...
Model       Switch’s model number.
Serial #    Serial number of the switch.
Versions    • Hw: Hardware version number.
            • Bp: BootPROM version
            • Fw: Current firmware version number.
            • BuFw: Backup firmware version number.
            • PoE: Power over Ethernet driver version.
2.1.12.21 set system name

Use this command to configure a name for the system.

set system name [string]

Syntax Description
  string    (Optional) Specifies a text string that identifies the system.

NOTE: A name string containing a space in the text must be enclosed in quotes as shown in the example below.

Command Defaults: If string is not specified, the system name will be cleared.
Command Mode: Read-Write.

2.1.12.22 set system location

Use this command to identify the location of the system.

set system location [string]

Syntax Description
  string    (Optional) Specifies a text string that indicates where the system is located.

NOTE: A location string containing a space in the text must be enclosed in quotes as shown in the example below.

Command Defaults: If string is not specified, the location name will be cleared.

2.1.12.23 set system contact

Use this command to identify a contact person for the system.

set system contact [string]

Syntax Description
  string    (Optional) Specifies a text string that contains the name of the person to contact for system administration.

NOTE: A contact string containing a space in the text must be enclosed in quotes as shown in the example below.

2.1.12.24 set width

Use this command to set the number of columns for the terminal connected to the switch’s console port. The length of the CLI is set using the set length command as described in Section 2.1.12.25.

set width screenwidth [default]

Syntax Description
  screenwidth    Sets the number of terminal columns. Valid values are 50 to 150.

2.1.12.25 set length

Use this command to set the number of lines the CLI will display. This command is persistent (written to NV-RAM).

set length screenlength

Syntax Description
  screenlength    Sets the number of lines in the CLI display. Valid values are 0, which disables the scrolling screen feature described in Section 2.1.7.2, and from 5 to 512.

Command Defaults: None.
Command Mode: Read-Write.

2.1.12.26 show logout

Use this command to display the time (in seconds) an idle console or Telnet CLI session will remain connected before timing out.

show logout

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

Example
This example shows how to display the CLI logout setting:

A2(rw)->show logout
Logout currently set to: 10 minutes.

2.1.12.27 set logout

Use this command to set the time (in minutes) an idle console or Telnet CLI session will remain connected before timing out.

set logout timeout

Syntax Description
  timeout    Sets the number of minutes the system will remain idle before timing out.

Command Defaults: None.
Command Mode: Read-Write.

2.1.12.28 show console

Use this command to display console settings.

show console [baud] [bits] [flowcontrol] [parity] [stopbits]

Syntax Description
  baud           (Optional) Displays the input/output baud rate.
  bits           (Optional) Displays the number of bits per character.
  flowcontrol    (Optional) Displays the type of flow control.
  parity         (Optional) Displays the type of parity.
  stopbits       (Optional) Displays the number of stop bits.

2.1.12.29 set console baud

Use this command to set the console port baud rate.

set console baud rate

Syntax Description
  rate    Sets the console baud rate. Valid values are: 300, 600, 1200, 2400, 4800, 5760, 9600, 14400, 19200, 38400, and 115200.

Command Defaults: None.
Command Mode: Read-Write.
2.1.13 Configuring Power over Ethernet (PoE)

Important Notice
This section applies only to PoE-equipped SecureStack switches. Consult the Installation Guide shipped with your product to determine if it is PoE-equipped.

2.1.13.1 show inlinepower

Use this command to display switch PoE properties.

show inlinepower

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

Example
This example shows how to display switch PoE properties.

2.1.13.2 set inlinepower threshold

Use this command to set the PoE usage threshold on a specified unit.

set inlinepower threshold usage-threshold module-number

Syntax Description
  usage-threshold    Specifies a PoE threshold as a percentage of total system power usage. Valid values are 1 - 99.
  unit-number        Specifies the unit on which to set the PoE threshold.

Command Defaults: None.
Command Mode: Read-Write.

2.1.13.3 set inlinepower trap

Use this command to enable or disable the sending of an SNMP trap message for a unit whenever the status of its ports changes, or whenever the module’s PoE usage threshold is crossed. The unit’s PoE usage threshold must be set using the set inlinepower threshold command as described in Section 2.1.13.2.

2.1.13.4 show port inlinepower

Use this command to display all ports supporting PoE.

show port inlinepower [port-string]

Syntax Description
  port-string    (Optional) Displays information for specific PoE port(s).

Command Defaults: If not specified, information for all PoE ports will be displayed.
Command Mode: Read-Only.

Example
This example shows how to display PoE information for Fast Ethernet ports 1 through 6 on unit 1.

2.1.13.5 set port inlinepower

Use this command to configure PoE parameters on one or more ports.

set port inlinepower port-string {[admin {off | auto}] [priority {critical | high | low}] [type type]}

Syntax Description
  port-string         Specifies the port(s) on which to configure PoE.
  admin off | auto    Sets the PoE administrative state to off (disabled) or auto (on).
2.1.14 Downloading a New Firmware Image

You can upgrade the operational firmware in the SecureStack A2 switch without physically opening the switch or being in the same location. There are two ways to download firmware to the switch:
• Via TFTP download. This procedure uses a TFTP server connected to the network and downloads the firmware using the TFTP protocol.

2.1.14.2 Downloading via the Serial Port

To download switch firmware via the serial (console) port, proceed as follows:

1. With the console port connected, power up the switch. The following message displays:

Enterasys A2-Series Boot Code...
SDRAM Circuit Test of 256MB 100%
Version 1.0.13 6/14/2004
Computing MD5 Checksum of operational code...
Select an option. If no selection in 2 seconds then operational code will start.

3. The following boot menu options screen displays.

Boot Menu Version 01.00.33 08-03-2005
Options available
1 - Start operational code
2 - Change baud rate
3 - Retrieve event log using XMODEM (64KB).

7. From the boot menu options screen, type 4 to load new operational code using XMODEM. When the XMODEM transfer is complete, the following message and header information will display:

[Boot Menu] 4
Ready to receive the file with XMODEM/CRC....
Ready to RECEIVE File xcode.bin in binary mode
Send several Control-X characters to cCKCKCKCKCKCKCK
XMODEM transfer complete, checking CRC....
Verified operational code CRC.

2.1.14.3 show boot system

Use this command to display the firmware image the switch loads at startup.

show boot system

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.14.4 set boot system

Use this command to set the firmware image the switch loads at startup.

set boot system filename

Syntax Description
  filename    Specifies the name of the firmware image file.

Command Defaults: None.
Command Mode: Read-Write.
2.1.15 Starting and Configuring Telnet

Purpose
To enable or disable Telnet.

Commands
The commands used to enable, start and configure Telnet are listed below and described in the associated section as shown.
• show telnet (Section 2.1.15.1)
• set telnet (Section 2.1.15.2)
• telnet (Section 2.1.15.

2.1.15.1 show telnet

Use this command to display the status of Telnet on the switch.

show telnet

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-only.

2.1.15.2 set telnet

Use this command to enable or disable Telnet on the switch.

set telnet {enable | disable} [inbound | outbound | all]

Syntax Description
  enable | disable            Enables or disables Telnet services.
  inbound | outbound | all    (Optional) Specifies inbound service (the ability to Telnet to this switch), outbound service (the ability to Telnet to other devices), or all (both inbound and outbound).
2.1.15.3 telnet

Use this command to start a Telnet connection to a remote host. The SecureStack A2 switch allows a total of four inbound and/or outbound Telnet sessions to run simultaneously.

telnet host [port]

Syntax Description
  host    Specifies the name or IP address of the remote host.
  port    (Optional) Specifies the server port number.

Command Defaults: If not specified, the default port number 23 will be used.
Startup and General Configuration Summary Managing Switch Configuration and Image Files 2.1.
• set tftp timeout (Section 2.1.16.10)
• clear tftp timeout (Section 2.1.16.11)
• set tftp retry (Section 2.1.16.12)
• clear tftp retry (Section 2.1.16.

2.1.16.1 show snmp persistmode

Use this command to display the configuration persistence mode setting. By default, the mode is set to “auto save,” which automatically saves configuration changes at specific intervals. If the mode is set to “manual,” configuration commands are never automatically saved.

2.1.16.2 set snmp persistmode

Use this command to set the configuration persistence mode, which determines whether user-defined configuration changes are saved automatically, or require issuing the save config command. See “Configuration Persistence Mode” on page 2-97 for more information.

set snmp persistmode {auto | manual}

Syntax Description
  auto    Sets the configuration persistence mode to automatic.

2.1.16.3 save config

Use this command to save the running configuration on all switch members in a stack.

save config

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Write.

2.1.16.4 dir

Use this command to list configuration files stored in the file system.

dir [filename]

Syntax Description
  filename    (Optional) Specifies the file name or directory to list.

Command Mode: Read-Only.
Command Defaults: If filename is not specified, all files in the system will be displayed.

2.1.16.5 show config

Use this command to display the system configuration or write the configuration to a file.

show config [all | facility] [outfile {configs/filename}]

Syntax Description
  all         (Optional) Displays default and non-default configuration settings.
  facility    Exact name of one facility for which to show configuration, ‘router’ to show router only configuration.
This example shows how to display the current non-default switch configuration:

A2(rw)->show config
!
#***** NON-DEFAULT CONFIGURATION *****
#console
!
#diffserv
!
#eapol
!
#flowlimit
!
#garp
!
#gvrp
!
#igmp
!
#ip
set ip protocol dhcp
!
#length
!
#logout
!
#mac
!
#mtu
set port jumbo enable fe.3.
2.1.16.6 configure

Use this command to execute a previously downloaded configuration file stored on the switch.

configure filename [append]

Syntax Description
  filename    Specifies the path and file name of the configuration file to execute.
  append      (Optional) Executes the configuration as an appendage to the current configuration.

2.1.16.7 copy

Use this command to upload or download an image or a CLI configuration file.

copy source destination

Syntax Description
  source         Specifies location and name of the source file to copy. Options are a local file path in the configs directory, or the URL of a TFTP server.
  destination    Specifies location and name of the destination where the file will be copied.

2.1.16.8 delete

Use this command to remove an image or a CLI configuration file from the SecureStack system.

delete filename

NOTE: Use the show config command as described in Section 2.1.16.5 to display current image and configuration file names.

Syntax Description
  filename    Specifies the local path name to the file. Valid directories are /images and /slotN.

Command Mode: Read-Write.
Command Defaults: None.

2.1.16.9 show tftp settings

Use this command to display TFTP settings used by the switch during data transfers using TFTP. The TFTP timeout value can be set with the set tftp timeout command. The TFTP retry value can be set with the set tftp retry command.

show tftp settings

Syntax Description: None.
Command Mode: Read-Only.
Command Defaults: None.

Example
This example shows the output of this command.

2.1.16.10 set tftp timeout

Use this command to configure how long TFTP will wait for a reply of either an acknowledgement packet or a data packet during a data transfer.

set tftp timeout seconds

Syntax Description
  seconds    Specifies the number of seconds to wait for a reply. The valid range is from 1 to 30 seconds. Default value is 2 seconds.

Command Mode: Read-Write.
Command Defaults: None.

2.1.16.11 clear tftp timeout

Use this command to reset the TFTP timeout value to the default value of 2 seconds.

clear tftp timeout

Syntax Description: None.
Command Mode: Read-Write.
Command Defaults: None.

Example
This example shows how to clear the timeout value to the default of 2 seconds.

2.1.16.12 set tftp retry

Use this command to configure how many times TFTP will resend a packet, either an acknowledgement packet or a data packet.

set tftp retry retry

Syntax Description
  retry    Specifies the number of times a packet will be resent. The valid range is from 1 to 1000. Default value is 5 retries.

Command Mode: Read-Write.
Command Defaults: None.

Example
This example sets the retry count to 3.

2.1.16.13 clear tftp retry

Use this command to reset the TFTP retry value to the default value of 5 retries.

clear tftp retry

Syntax Description: None.
Command Mode: Read-Write.
Command Defaults: None.

Example
This example shows how to clear the retry value to the default of 5 retries.
2.1.17 Configuring CDP

Purpose
To review and configure the CDP discovery protocol.

Commands
The commands used to review and configure the CDP discovery protocol are listed below and described in the associated section as shown.
• show cdp (Section 2.1.17.1)
• set cdp state (Section 2.1.17.2)
• set cdp auth (Section 2.1.17.3)
• set cdp interval (Section 2.1.17.4)
• set cdp hold-time (Section 2.1.17.5)
• clear cdp (Section 2.1.17.

2.1.17.1 show cdp

Use this command to display the status of the CDP discovery protocol and message interval on one or more ports.

show cdp [port-string]

Syntax Description
  port-string    (Optional) Displays CDP status for a specific port. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults: If port-string is not specified, CDP information for all ports will be displayed.
Command Mode: Read-Only.

Table 2-7 show cdp Output Details

Output                    What It Displays...
CDP Global Status         Whether CDP is globally auto-enabled, enabled or disabled. The default state of auto-enabled can be reset with the set cdp state command. For details, refer to Section 2.1.17.2.
CDP Versions Supported    CDP version number(s) supported by the switch.
CDP Hold Time             Minimum time interval (in seconds) at which CDP configuration messages can be set.

2.1.17.2 set cdp state

Use this command to enable or disable the CDP discovery protocol on one or more ports.

set cdp state {auto | disable | enable} [port-string]

Syntax Description
  auto | disable | enable    Auto-enables, disables or enables the CDP protocol on the specified port(s). In auto-enable mode, which is the default mode for all ports, a port automatically becomes CDP-enabled upon receiving its first CDP message.

2.1.17.3 set cdp auth

Use this command to set a global CDP authentication code. This value determines a device’s CDP domain. If two or more devices have the same CDP authentication code, they will be entered into each other's CDP neighbor tables. If they have different authentication codes, they are in different domains and will not be entered into each other’s CDP neighbor tables.
2.1.17.4 set cdp interval

Use this command to set the message interval frequency (in seconds) of the CDP discovery protocol.

set cdp interval frequency

Syntax Description
  frequency    Specifies the transmit frequency of CDP messages in seconds. Valid values are from 5 to 900 seconds.

Command Defaults: None.
Command Mode: Read-Write.

2.1.17.5 set cdp hold-time

Use this command to set the hold time value for CDP discovery protocol configuration messages.

set cdp hold-time hold-time

Syntax Description
  hold-time    Specifies the hold time value for CDP messages in seconds. Valid values are from 15 to 600.

Command Defaults: None.
Command Mode: Read-Write.
2.1.17.6 clear cdp

Use this command to reset CDP discovery protocol settings to defaults.

clear cdp {[state] [port-state port-string] [interval] [hold-time] [auth-code]}

Syntax Description
  state                     (Optional) Resets the global CDP state to auto-enabled.
  port-state port-string    (Optional) Resets the port state on specific port(s) to auto-enabled.
  interval                  (Optional) Resets the message frequency interval to 60 seconds.

2.1.18 Clearing and Closing the CLI

Purpose
To clear the CLI screen or to close your CLI session.

Commands
The commands used to clear and close the CLI session are listed below and described in the associated sections as shown.
• cls (Section 2.1.18.1)
• exit (Section 2.1.18.

2.1.18.1 cls (clear screen)

Use this command to clear the screen for the current CLI session.

cls

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.18.2 exit

Use this command to leave a CLI session.

exit

NOTE: By default, switch timeout occurs after 15 minutes of user inactivity, automatically closing your CLI session. Use the set logout command as described in Section 2.1.12.27 to change this default.

Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.

2.1.19 Resetting the Switch

Purpose
To reset one or more units, and to clear the user-defined configuration parameters.

Commands
The commands used to reset the switch and clear the configuration are listed below and described in the associated sections as shown.
• reset (Section 2.1.19.1)
• clear config (Section 2.1.19.

2.1.19.1 reset

Use this command to reset the switch without losing any user-defined configuration settings, or to display information about switch resets.

reset [unit]

NOTE: The reset button located on the front panel of a SecureStack A2 switch is used to reset administratively set passwords only. Pushing the reset button will not cause the unit to reboot.

2.1.19.2 clear config

Use this command to clear the user-defined configuration parameters.

clear config [all]

NOTES: The switch’s IP address will be retained when running the clear config or the clear config all command. To clear the IP address on the SecureStack use the set ip protocol none command.
3 Port Configuration
This chapter describes the Port Configuration set of commands and how to use them.
Important Notice
CLI examples in this guide illustrate a generic command prompt. Depending on which device you are using, your default command prompt and output may be different than the examples shown.
3.
Port Configuration Summary
• 2 SFP slots (labeled port 51 and 52) that provide the option of installing Small Form Pluggable (SFP) Mini-GBICs for 1000BASE-T compliant copper connections or 1000BASE-SX\LX fiber-optic connections.
• 2 1000BASE-T RJ45 connectors (labeled port 49 and 50) that can be used for stack connections when the switch is operating in a stack configuration, or as standard switch ports when the switch is operating as a stand alone device.
3.1.1 Port String Syntax Used in the CLI
Commands requiring a port-string parameter use the following syntax to designate port type, unit number, and port number:
    port type.unit number.port number
Where port type can be:
    fe for 100-Mbps Ethernet
    ge for 1-Gbps Ethernet
    com for COM (console) port
    host for the host port
    lag for IEEE802.
3.2 PROCESS OVERVIEW: PORT CONFIGURATION
Use the following steps as a guide to configuring switch ports on the device:
1. Reviewing port status (Section 3.3.1)
2. Disabling / Enabling and Naming ports (Section 3.3.2)
3. Setting switch port speed and duplex mode (Section 3.3.3)
4. Enabling / Disabling jumbo frame support (Section 3.3.4)
5. Setting auto negotiation (Section 3.3.5)
6. Setting flow control (Section 3.3.6)
7.
3.3 PORT CONFIGURATION COMMAND SET
3.3.1 Reviewing Port Status
Purpose
To display operating status, duplex mode, speed, port type, and statistical information about traffic received and transmitted through one or all switch ports on the device.
Commands
The commands used to review port status are listed below and described in the associated sections as shown.
• show port (Section 3.3.1.1)
• show port status (Section 3.3.1.
3.3.1.1 show port
Use this command to display whether or not one or more ports are enabled for switching.
    show port [port-string]
Syntax Description:
    port-string    (Optional) Displays operational status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, operational status information for all ports will be displayed.
Command Mode: Read-Only.
3.3.1.2 show port status
Use this command to display operating and admin status, speed, duplex mode and port type for one or more ports on the device.
    show port status [port-string]
Syntax Description:
    port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, status information for all ports will be displayed.
Table 3-1 show port status Output Details (Continued)
Output    What It Displays...
Speed     Operational speed in Mbps or Kbps of the specified port. For details on using the set port speed command to change defaults, refer to Section 3.3.3.2.
Duplex    Duplex mode (half or full) of the specified port. For details on using the set port duplex command to change defaults, refer to Section 3.3.5.
Type      Physical port and interface type.
3.3.1.3 show port counters
Use this command to display port counter statistics detailing traffic through the device and through all MIB2 network devices.
    show port counters [port-string] [switch | mib2]
Syntax Description:
    port-string      (Optional) Displays counter statistics for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
    switch | mib2    (Optional) Displays switch or MIB2 statistics.
Examples
This example shows how to display all counter statistics, including MIB2 network traffic and traffic through the device for fe.3.1:
A2(rw)->show port counters fe.3.1
Port: fe.3.
Table 3-2 show port counters Output Details
Output                      What It Displays...
Port                        Port designation. For a detailed description of possible port-string values, refer to Section 3.1.1.
MIB2 Interface              MIB2 interface designation.
Bridge Port                 IEEE 802.1D bridge port designation.
MIB2 Interface Counters     MIB2 network traffic counts.
802.1Q Switch Counters      Counts of frames received, transmitted, and filtered.
3.3.2 Disabling / Enabling Ports
Purpose
To disable and re-enable one or more ports. By default, all ports are enabled at device startup. You may want to disable ports for security or to troubleshoot network issues. Ports may also be assigned an alias for convenience.
Commands
The commands used to enable, disable, and name ports are listed below and described in the associated section as shown.
• set port disable (Section 3.3.2.
3.3.2.1 set port disable
Use this command to administratively disable one or more ports.
    set port disable port-string
Syntax Description:
    port-string    Specifies the port(s) to disable. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: None.
Command Mode: Read-Write.
Example
This example shows how to disable fe.1.1:
A2(rw)->set port disable fe.1.
3.3.2.2 set port enable
Use this command to administratively enable one or more ports.
    set port enable port-string
Syntax Description:
    port-string    Specifies the port(s) to enable. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: None.
Command Mode: Read-Write.
Example
This example shows how to enable fe.1.3:
A2(rw)->set port enable fe.1.
3.3.2.3 show port alias
Use this command to display the alias name for one or more ports.
    show port alias [port-string]
Syntax Description:
    port-string    (Optional) Displays alias name(s) for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, aliases for all ports will be displayed.
Command Mode: Read-Only.
3.3.2.4 set port alias
Use this command to assign an alias name to a port.
    set port alias port-string [name]
Syntax Description:
    port-string    Specifies the port to which an alias will be assigned. For a detailed description of possible port-string values, refer to Section 3.1.1.
    name           (Optional) Assigns an alias name to the port. If the alias name contains spaces, the text string must be surrounded by double quotes.
3.3.3 Setting Speed and Duplex Mode
Purpose
To review and set the operational speed in Mbps and the default duplex mode: Half, for half duplex, or Full, for full duplex for one or more ports.
NOTE: These settings only take effect on ports that have auto-negotiation disabled.
Commands
The commands used to review and set port speed and duplex mode are listed below and described in the associated section as shown.
• show port speed (Section 3.3.
3.3.3.1 show port speed
Use this command to display the default speed setting on one or more ports.
    show port speed [port-string]
Syntax Description:
    port-string    (Optional) Displays default speed setting(s) for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, default speed settings for all ports will display.
Command Mode: Read-Only.
3.3.3.2 set port speed
Use this command to set the default speed of one or more ports. This setting only takes effect on ports that have auto-negotiation disabled.
    set port speed port-string {10 | 100}
Syntax Description:
    port-string    Specifies the port(s) for which a speed value will be set. For a detailed description of possible port-string values, refer to Section 3.1.1.
    10 | 100       Specifies the port speed.
3.3.3.3 show port duplex
Use this command to display the default duplex setting (half or full) for one or more ports.
    show port duplex [port-string]
Syntax Description:
    port-string    (Optional) Displays default duplex setting(s) for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, default duplex settings for all ports will be displayed.
3.3.3.4 set port duplex
Use this command to set the default duplex type for one or more ports.
    set port duplex port-string {full | half}
NOTE: This command will only take effect on ports that have auto-negotiation disabled.
Syntax Description:
    port-string    Specifies the port(s) for which duplex type will be set. For a detailed description of possible port-string values, refer to Section 3.1.1.
3.3.4 Enabling / Disabling Jumbo Frame Support
Purpose
To review, enable, and disable jumbo frame support on one or more ports. This allows Ethernet ports to transmit frames up to 10 KB in size.
Commands
The commands used to review, enable and disable jumbo frame support are listed below and described in the associated section as shown.
• show port jumbo (Section 3.3.4.1)
• set port jumbo (Section 3.3.4.
3.3.4.1 show port jumbo
Use this command to display the status of jumbo frame support and maximum transmission units (MTU) on one or more ports.
    show port jumbo [port-string]
Syntax Description:
    port-string    (Optional) Displays the status of jumbo frame support for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
3.3.4.2 set port jumbo
Use this command to enable or disable jumbo frame support on one or more ports.
    set port jumbo {enable | disable} [port-string]
Syntax Description:
    enable | disable    Enables or disables jumbo frame support.
    port-string         (Optional) Specifies the port(s) on which to disable or enable jumbo frame support. For a detailed description of possible port-string values, refer to Section 3.1.1.
3.3.4.3 clear port jumbo
Use this command to reset jumbo frame support status to enabled on one or more ports.
    clear port jumbo [port-string]
Syntax Description:
    port-string    (Optional) Specifies the port(s) on which to reset jumbo frame support status to enabled. For a detailed description of possible port-string values, refer to Section 3.1.1.
3.3.5 Setting Auto-Negotiation
Purpose
To review, disable or enable auto-negotiation, and to configure port advertisement for speed and duplex. During auto-negotiation, the port “tells” the device at the other end of the segment what its capabilities and mode of operation are. If auto-negotiation is disabled, the port reverts to the values specified by default speed, default duplex, and the port flow control commands.
3.3.5.1 show port negotiation
Use this command to display the status of auto-negotiation for one or more ports.
    show port negotiation [port-string]
Syntax Description:
    port-string    (Optional) Displays auto-negotiation status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, auto-negotiation status for all ports will be displayed.
3.3.5.2 set port negotiation
Use this command to enable or disable auto-negotiation on one or more ports.
    set port negotiation port-string {enable | disable}
Syntax Description:
    port-string         Specifies the port(s) for which to enable or disable auto-negotiation. For a detailed description of possible port-string values, refer to Section 3.1.1.
    enable | disable    Enables or disables auto-negotiation.
Command Defaults: None.
Command Mode: Read-Write.
3.3.5.3 show port advertise
Use this command to display a port’s actual speed/duplex capabilities along with the port’s advertised speed/duplex capabilities to be used in auto-negotiation.
    show port advertise [port-string]
Syntax Description:
    port-string    (Optional) Displays advertised ability for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
3.3.5.4 set port advertise
Use this command to configure what a port will advertise for speed/duplex capabilities in auto-negotiation.
    set port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Syntax Description:
    port-string    Select the ports for which to configure advertisements. For a detailed description of possible port-string values, refer to Section 3.1.1.
    10t            Advertises 10BASE-T half duplex mode.
3.3.5.5 clear port advertise
Use this command to configure a port to not advertise a specific speed/duplex capability when auto-negotiating with another port.
    clear port advertise {port-string}{10t | 10tfd | 100tx | 100txfd | 1000t | 1000tfd | pause}
Syntax Description:
    port-string    Clear advertisements for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Example
This example shows how to configure port 1 to not advertise 10 Mbps capability, half and full duplex, for auto-negotiation:
A2(su)->show port advertise fe.2.1
fe.2.1          capability   advertised   remote
------------------------------------------------
10BASE-T        yes          yes          no
10BASE-TFD      yes          yes          no
100BASE-TX      yes          yes          no
100BASE-TXFD    yes          yes          no
1000BASE-T      no           no           no
1000BASE-TFD    no           no           no
pause           yes          yes          no
A2(su)->clear port advertise fe.2.
3.3.6 Setting Flow Control
Purpose
To review, enable or disable port flow control. Flow control is used to manage the transmission between two devices as specified by IEEE 802.3x to prevent receiving ports from being overwhelmed by frames from transmitting devices.
Commands
The commands used to review and set port flow control are listed below and described in the associated section as shown.
• show flowcontrol (Section 3.3.6.
3.3.6.1 show flowcontrol
Use this command to display the flow control state.
    show flowcontrol
Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.
3.3.6.2 set flowcontrol
Use this command to enable or disable flow control.
    set flowcontrol {enable | disable}
Syntax Description:
    enable | disable    Enables or disables flow control settings.
Command Defaults: None.
Command Mode: Read-Write.
3.3.7 Setting Port Traps
Purpose
To display the status, and to enable or disable an SNMP link trap on one or more ports. This operation is typically used to alert the system manager of a change in the link status of the port.
Commands
The commands needed to display, enable or disable port traps are listed below and described in the associated section as shown.
• show port trap (Section 3.3.7.1)
• set port trap (Section 3.3.7.
3.3.7.1 show port trap
Use this command to display whether the port is enabled for generating an SNMP trap message if its link state changes.
    show port trap [port-string]
Syntax Description:
    port-string    (Optional) Displays link trap status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If port-string is not specified, the trap status for all ports will be displayed.
3.3.7.2 set port trap
Use this command to enable or disable ports from sending an SNMP trap message if their link state changes (link goes up or down).
    set port trap [port-string] {enable | disable}
Syntax Description:
    port-string         Specifies the port(s) for which to enable or disable link state traps. For a detailed description of possible port-string values, refer to Section 3.1.1.
    enable | disable    Enables or disables a trap on the specified port.
3.3.8 Configuring Broadcast Suppression
Purpose
To review and set the broadcast suppression threshold for one or more ports. This feature limits the number of received broadcast frames the switch will accept per port. Broadcast suppression thresholds apply only to broadcast traffic—multicast traffic is not affected. By default, a broadcast suppression threshold of 14881 packets per second (pps) will be used, regardless of actual port speed.
3.3.8.1 show port broadcast
Use this command to display port broadcast suppression limits.
    show port broadcast port-string
Syntax Description:
    port-string    (Optional) Select the ports for which to show broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: If no ports are defined then broadcast suppression rates will be shown for all ports.
3.3.8.2 set port broadcast
Use this command to set the broadcast suppression limit, in packets per second, on one or more ports. This sets a threshold on the broadcast traffic that is received and switched out to other ports.
    set port broadcast port-string threshold_val
Syntax Description:
    port-string    Select the ports for which to configure broadcast suppression thresholds.
3.3.8.3 clear port broadcast
Use this command to clear the broadcast threshold limit to the default value of 14881 for the selected port.
    clear port broadcast port-string threshold
Syntax Description:
    port-string    Select the ports for which to clear broadcast suppression thresholds. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: None.
Command Mode: Read-Write.
3.4 PORT MIRRORING
CAUTION: Port mirroring configuration should be performed only by personnel who are knowledgeable about the effects of port mirroring and its impact on network operation.
The SecureStack device allows you to mirror (or redirect) the traffic being switched on a port for the purposes of network traffic analysis and connection assurance. When port mirroring is enabled, one port becomes a monitor port for one or more other ports within the system.
3.4.
3.4.2.1 show port mirroring
Use this command to display the source and target ports for mirroring, and whether mirroring is currently enabled or disabled for those ports.
    show port mirroring
Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Only.
Example
This example shows how to display port mirroring information. In this case, fe.1.4 is configured as a source port and fe.1.
3.4.2.2 set port mirroring
Use this command to create a new mirroring relationship or to enable or disable an existing mirroring relationship between two ports.
NOTE: LAG ports and their underlying physical ports, as described in Section 3.5, cannot be mirrored.
    set port mirroring {create | disable | enable} source destination
Syntax Description:
    create | disable | enable    Creates, disables or enables mirroring settings on the specified ports.
3.4.2.3 clear port mirroring
Use this command to clear a port mirroring relationship.
    clear port mirroring source destination
Syntax Description:
    source         Specifies the source port of the mirroring configuration to be cleared. For a detailed description of possible port-string values, refer to Section 3.1.1.
    destination    Specifies the target port of the mirroring configuration to be cleared.
Command Defaults: None.
Command Mode: Read-Write.
3.5 LINK AGGREGATION CONTROL PROTOCOL (LACP)
CAUTION: Link aggregation configuration should only be performed by personnel who are knowledgeable about Spanning Tree and Link Aggregation, and fully understand the ramifications of modifications beyond device defaults. Otherwise, the proper operation of the network could be at risk.
• Uses information from the partner device’s link aggregation control entity to decide whether to aggregate ports.
The operation of LACP involves the following activities:
• Checking that candidate links can actually be aggregated.
• Controlling the addition of a link to a LAG, and the creation of the group if necessary.
• Monitoring the status of aggregated links to ensure that the aggregation is still valid.
Table 3-3 LACP Terms and Definitions (Continued)
Term                 Definition
Actor and Partner    An actor is the local device sending LACPDUs. Its protocol partner is the device on the other end of the link aggregation. Each maintains current status of the other via LACPDUs containing information about their ports’ LACP status and operational state.
There are a few cases in which ports will not aggregate:
• An underlying physical port is attached to another port on this same switch (loopback).
• There is no available aggregator for two or more ports with the same LAG ID. This can happen if there are simply no available aggregators, or if none of the aggregators have a matching admin key and system priority.
• 802.
3.5.4 Configuring Link Aggregation
Purpose
To disable and re-enable the Link Aggregation Control Protocol (LACP), to display and configure LACP settings for one or more aggregator ports, and to display and configure the LACP settings for underlying physical ports that are potential members of a link aggregation.
Commands
The commands used to review and configure LACP are listed below and described in the associated section as shown.
3.5.4.1 show lacp
Use this command to display information about one or more aggregator ports. Each SecureStack A2 unit provides 6 virtual link aggregator ports, which are designated in the CLI as lag.0.1 through lag.0.6. Once underlying physical ports (that is, fe.x.x or ge.x.x) are associated with an aggregator port, the resulting aggregation will be represented as one Link Aggregation Group (LAG) with a lag.0.x port designation.
Table 3-4 show lacp Output Details
Output                          What It Displays...
Global Link Aggregation state   Shows if LACP is enabled or disabled on the SecureStack switch.
Single Port LAGs                Shows if the single port LAG feature has been enabled on the switch. See Section 3.5.4.8 for more information about single port LAGs.
Aggregator                      LAG port designation.
3.5.4.2 set lacp
Use this command to disable or enable the Link Aggregation Control Protocol (LACP) on the device.
    set lacp {disable | enable}
Syntax Description:
    disable | enable    Disables or enables LACP.
Command Defaults: None.
Command Mode: Read-Write.
3.5.4.3 set lacp asyspri
Use this command to set the LACP system priority. LACP uses this value to determine aggregation precedence. If there are two partner devices competing for the same aggregator, LACP compares the LAG IDs for each grouping of ports. The LAG with the lower LAG ID is given precedence and will be allowed to use the aggregator.
3.5.4.4 set lacp aadminkey
Use this command to set the administratively assigned key for one or more aggregator ports. LACP will use this value to form an oper key. Only underlying physical ports with oper keys matching those of their aggregators will be allowed to aggregate.
    set lacp aadminkey port-string value
Syntax Description:
    port-string    Specifies the LAG port(s) on which to assign an admin key.
3.5.4.5 clear lacp
Use this command to clear LACP system priority or admin key settings.
    clear lacp {asyspri | aadminkey port-string}
Syntax Description:
    asyspri                  Clears system priority.
    aadminkey port-string    Clears admin keys for one or more ports.
Command Defaults: None.
Command Mode: Read-Write.
Example
This example shows how to clear the actor admin key for LAG port 6:
A2(rw)->clear lacp aadminkey lag.0.
3.5.4.6 set lacp static
Use this command to disable or enable static link aggregation, or to assign one or more underlying physical ports to a Link Aggregation Group (LAG).
    set lacp static {disable | enable} | lagportstring [key] port-string
Syntax Description:
    disable | enable    Disables or enables static link aggregation.
    lagportstring       Specifies the LAG aggregator port to which new ports will be assigned.
3.5.4.7 clear lacp static
Use this command to remove specific ports from a Link Aggregation Group.
    clear lacp static lagportstring port-string
Syntax Description:
    lagportstring    Specifies the LAG aggregator port from which ports will be removed.
    port-string      Specifies the port(s) to remove from the LAG. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults: None.
Command Mode: Read-Write.
3.5.4.8 set lacp singleportlag
Use this command to enable or disable the formation of single port LAGs. When enabled, this maintains LAGs when only one port is receiving protocol transmissions from a partner. If single port LAG is not enabled, when a LAG goes down to one port, the LAG (lag.0.x) will not be used but instead the port’s syntax will be used (for example, fe.3.24).
3.5.4.9 clear lacp singleportlag
Use this command to reset the single port LAG function back to the default state of disabled.
    clear lacp singleportlag
Syntax Description: None.
Command Defaults: None.
Command Mode: Read-Write.
3.5.4.10 show port lacp
Use this command to display link aggregation information for one or more underlying physical ports.
    show port lacp port port-string {[status {detail | summary}] | [counters]}
Syntax Description:
    port port-string    Displays LACP information for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
NOTE: State definitions, such as ActorAdminState and Partner AdminState, are indicated with letter abbreviations.
3.5.4.11 set port lacp
Use this command to set link aggregation parameters for one or more ports. These settings will determine the specified underlying physical ports’ ability to join a LAG, and their administrative state once aggregated.
    aportpri aportpri    Sets the port’s actor port priority. Valid values are 0 - 65535, with lower values designating higher priority.
    asyspri asyspri      Sets the port’s actor system priority. The LACP implementation on the SecureStack A2 device uses this value to determine aggregation precedence when there are two devices competing for the same aggregator. Valid values are 0 - 65535, with higher precedence given to lower values.
Command Defaults:
• At least one parameter must be entered per port-string.
• If enable or disable are not specified, port(s) will be enabled with the LACP parameters entered.
Example
This example shows how to set the actor admin key to 3555 for port fe.3.16:
A2(rw)->set port lacp fe.3.
3.5.4.12 clear port lacp
Use this command to clear link aggregation settings for one or more ports.
    padminstate lacpactive | lacptimeout | lacpagg | lacpsync | lacpcollect | lacpdist | lacpdef | lacpexpire | all
        Clears the port’s specific partner admin state, or all partner admin state(s).
Command Defaults: None.
Command Mode: Read-Write.
Example
This example shows how to clear all link aggregation parameters for port fe.3.16:
A2(rw)->clear port lacp port fe.3.
3.6 CONFIGURING PROTECTED PORTS
The Protected Port feature is used to prevent ports from forwarding traffic to each other, even when they are on the same VLAN. Ports may be designated as either protected or unprotected. Ports are unprotected by default. Multiple groups of protected ports are supported.
3.6.
3.6.2.1 set port protected
Use this command to specify a port to be protected and assign the port to a group of protected ports. A port can be assigned to only one group.
    set port protected port-string group-id
Syntax Description:
    port-string    Specifies the port or ports to be protected.
    group-id       Specifies the id of the group to which the ports should be assigned. Id can range from 0 to 2.
Command Defaults: None.
Command Mode: Read-write.
3.6.2.2 show port protected
Use this command to display information about the ports configured for protected mode.
    show port protected [port-string] | [group-id]
Syntax Description:
    port-string    (Optional) Specifies the port or ports for which to display information.
    group-id       (Optional) Specifies the id of the group for which to display information. Id can range from 0 to 2.
3.6.2.3 clear port protected
Use this command to remove a port or group from protected mode.
    clear port protected [port-string] | [group-id]
Syntax Description:
    port-string    (Optional) Specifies the port or ports to remove from protected mode.
    group-id       (Optional) Specifies the id of the group to remove from protected mode. Id can range from 0 to 2.
Command Defaults: If no parameters are entered, all protected ports and groups are cleared.
3.6.2.4 set port protected name
Use this command to assign a name to a protected port group id.
    set port protected name group-id name
Syntax Description:
    group-id    Specifies the id of this group. Id can range from 0 to 2.
    name        Specifies a name for the group. The name can be up to 32 characters in length.
Command Defaults: None.
Command Mode: Read-write.
Configuring Protected Ports Protected Port Command Set 3.6.2.5 show port protected name Use this command to display the name for the group ids specified. show port protected name group-id Syntax Description group-id Specifies the id of the group to display. Id can range from 0 to 2. Command Defaults None. Command Mode Read-only.
Configuring Protected Ports Protected Port Command Set 3.6.2.6 clear port protected name Use this command to clear the name of a protected group. clear port protected name group-id Syntax Description group-id Specifies the id of the group for which to clear the name. Id can range from 0 to 2. Command Defaults None. Command Mode Read-write.
Configuring Protected Ports Protected Port Command Set 3-76 SecureStack A2 Configuration Guide
4 SNMP Configuration
This chapter describes the Simple Network Management Protocol (SNMP) set of commands and how to use them.

4.1 SNMP CONFIGURATION SUMMARY
SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

4.1.2 SNMPv3
SNMPv3 is an interoperable standards-based protocol that provides secure access to devices by authenticating and encrypting frames over the network. The advanced security features provided in SNMPv3 are as follows:
• Message integrity — Collects data securely without being tampered with or corrupted.
• Authentication — Determines the message is from a valid source.

Table 4-1 SNMP Security Levels (Continued)
  Model  Security Level  Authentication    Encryption  How It Works
  v2c    NoAuthNoPriv    Community string  None        Uses a community string match for authentication.
  v3     NoAuthNoPriv    User name         None        Uses a user name match for authentication.
         AuthNoPriv      MD5 or SHA        None        Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

4.2 PROCESS OVERVIEW: SNMP CONFIGURATION
NOTE: Commands for configuring SNMP on the SecureStack A2 device are independent during the SNMP setup process. For instance, target parameters can be specified when setting up optional notification filters — even though these parameters have not yet been created with the set snmp targetparams command.
4.3 SNMP CONFIGURATION COMMAND SET
4.3.1 Reviewing SNMP Statistics
Purpose
To review SNMP statistics.
Commands
The commands used to review SNMP statistics are listed below and described in the associated section as shown.
• show snmp engineid (Section 4.3.1.1)
• show snmp counters (Section 4.3.1.

4.3.1.1 show snmp engineid
Use this command to display the SNMP local engine ID. This is the SNMP v3 engine’s administratively unique identifier.
  show snmp engineid
Syntax Description
  None.
Command Defaults
  None.
Command Mode
  Read-Only.

4.3.1.2 show snmp counters
Use this command to display SNMP traffic counter values.
  show snmp counters
Syntax Description
  None.
Command Defaults
  None.
Command Mode
  Read-Only.

  snmpOutSetRequests           = 0
  snmpOutGetResponses          = 396601
  snmpOutTraps                 = 0
  snmpSilentDrops              = 0
  snmpProxyDrops               = 0

  --- USM Stats counters:
  usmStatsUnsupportedSecLevels = 0
  usmStatsNotInTimeWindows     = 0
  usmStatsUnknownUserNames     = 0
  usmStatsUnknownEngineIDs     = 0
  usmStatsWrongDigests         = 0
  usmStatsDecryptionErrors     = 0

Table 4-3 shows a detailed explanation of the command output.

Table 4-3 show snmp counters Output Details
  Output    What It Displays...

Table 4-3 show snmp counters Output Details (Continued)
  Output    What It Displays...
  snmpInBadValues    Number of SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "badValue."
  snmpInReadOnlys    Number of valid SNMP PDUs delivered to the SNMP protocol entity with the value of the error-status field as "readOnly.

Table 4-3 show snmp counters Output Details (Continued)
  Output    What It Displays...
  snmpOutGetRequests     Number of SNMP Get-Request PDUs generated by the SNMP protocol entity.
  snmpOutGetNexts        Number of SNMP Get-Next PDUs generated by the SNMP protocol entity.
  snmpOutSetRequests     Number of SNMP Set-Request PDUs generated by the SNMP protocol entity.
  snmpOutGetResponses    Number of SNMP Get-Response PDUs generated by the SNMP protocol entity.
4.3.2 Configuring SNMP Users, Groups, and Communities
Purpose
To review and configure SNMP users, groups, and v1 and v2 communities. These are defined as follows:
• User — A person registered in SNMPv3 to access SNMP management.
• Group — A collection of users who share the same SNMP access privileges.
• Community — A name used to authenticate SNMPv1 and v2 users.

4.3.2.1 show snmp user
Use this command to display information about SNMP users. These are people registered to access SNMP management.
  show snmp user [list] | [user] | [remote remote] [volatile | nonvolatile | read-only]
Syntax Description
  list    (Optional) Displays a list of registered SNMP user names.
  user    (Optional) Displays information about a specific user.

This example shows how to display information for the SNMP “guest” user:
  A2(rw)->show snmp user guest
  --- SNMP user information ---
  EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00
  Username         = Guest
  Auth protocol    = usmNoAuthProtocol
  Privacy protocol = usmNoPrivProtocol
  Storage type     = nonVolatile
  Row status       = active
Table 4-4 shows a detailed explanation of the command output.

4.3.2.2 set snmp user
Use this command to create a new SNMPv3 user.
  set snmp user user [remote remoteid] [authentication {md5 | sha}] [authpassword] [privacy privpassword] [volatile | nonvolatile]
Syntax Description
  user               Specifies a name for the SNMPv3 user.
  remote remoteid    (Optional) Registers the user on a specific remote SNMP engine.

4.3.2.3 clear snmp user
Use this command to remove a user from the SNMPv3 security-model list.
  clear snmp user user [remote remote]
Syntax Description
  user             Specifies an SNMPv3 user to remove.
  remote remote    (Optional) Removes the user from a specific remote SNMP engine.
Command Defaults
  If remote is not specified, the user will be removed from the local SNMP engine.
Command Mode
  Read-Write.
4.3.2.4 show snmp group
Use this command to display an SNMP group configuration. An SNMP group is a collection of SNMPv3 users who share the same access privileges.
  show snmp group [groupname groupname] [user user] [security-model {v1 | v2c | usm}] [volatile | nonvolatile | read-only]
Syntax Description
  groupname groupname    (Optional) Displays information for a specific SNMP group.

Example
This example shows how to display SNMP group information:
  A2(rw)->show snmp group
  --- SNMP group information ---
  Security model     = SNMPv1
  Security/user name = public
  Group name         = Anyone
  Storage type       = nonVolatile
  Row status         = active

  Security model     = SNMPv1
  Security/user name = public.router1
  Group name         = Anyone
  Storage type       = nonVolatile
  Row status         = active
Table 4-5 shows a detailed explanation of the command output.

4.3.2.5 set snmp group
Use this command to create an SNMP group. This associates SNMPv3 users to a group that shares common access privileges.
  set snmp group groupname user user security-model {v1 | v2c | usm} [volatile | nonvolatile]
Syntax Description
  groupname    Specifies an SNMP group name to create.
  user user    Specifies an SNMPv3 user name to assign to the group.

4.3.2.6 clear snmp group
Use this command to clear SNMP group settings globally or for a specific SNMP group and user.
  clear snmp group groupname user [security-model {v1 | v2c | usm}]
Syntax Description
  groupname                        Specifies the SNMP group to be cleared.
  user                             Specifies the SNMP user to be cleared.
  security-model v1 | v2c | usm    (Optional) Clears the settings associated with a specific security model.

4.3.2.7 show snmp community
Use this command to display SNMP community names and status. In SNMPv1 and v2, community names act as passwords to remote management.
  show snmp community [name]
Syntax Description
  name    (Optional) Displays SNMP information for a specific community name.
Command Defaults
  If name is not specified, information will be displayed for all SNMP communities.
Command Mode
  Read-Only.

4.3.2.8 set snmp community
Use this command to configure an SNMP community group.
  set snmp community community [securityname securityname] [context context] [transport transport] [volatile | nonvolatile]
Syntax Description
  community                    Specifies a community group name.
  securityname securityname    (Optional) Specifies an SNMP security name to associate with this community.

4.3.2.9 clear snmp community
Use this command to delete an SNMP community name.
  clear snmp community name
Syntax Description
  name    Specifies the SNMP community name to clear.
Command Defaults
  None.
Command Mode
  Read-Write.
Example
This example shows how to delete the community name “vip.
4.3.3 Configuring SNMP Access Rights
Purpose
To review and configure SNMP access rights, assigning viewing privileges and security levels to SNMP user groups.
Commands
The commands used to review and configure SNMP access are listed below and described in the associated section as shown.
• show snmp access (Section 4.3.3.1)
• set snmp access (Section 4.3.3.2)
• clear snmp access (Section 4.3.3.

4.3.3.1 show snmp access
Use this command to display access rights and security levels configured for one or more SNMP groups.
  show snmp access [groupname] [security-model {v1 | v2c | usm}] [noauthentication | authentication | privacy] [context context] [volatile | nonvolatile | read-only]
Syntax Description
  groupname    (Optional) Displays access information for a specific SNMPv3 group.

Example
This example shows how to display SNMP access information:
  A2(rw)->show snmp access
  Group          = SystemAdmin
  Security model = USM
  Security level = noAuthNoPriv
  Read View      = All
  Write View     =
  Notify View    =
  Context match  =
  Storage type   =
  Row status     =

  Group          = NightOperator
  Security model = USM
  Security level = noAuthNoPriv
  Read View      = All
  Write View     =
  Notify View    = All
  Context match  = exact match
  Storage type   = nonVolatile
  Row status     = active

Table 4-6 show snmp access Output Details (Continued)
  Output    What It Displays...
  Notify View      Name of the view that allows this group to send an SNMP trap message.
  Context match    Whether or not SNMP context match must be exact (full context name match) or a partial match with a given prefix.
  Storage type     Whether access entries for this group are stored in volatile, nonvolatile or read-only memory.

4.3.3.2 set snmp access
Use this command to set an SNMP access configuration.
  set snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context {exact | prefix}] [read read] [write write] [notify notify] [volatile | nonvolatile]
Syntax Description
  groupname                        Specifies a name for an SNMPv3 group.
  security-model v1 | v2c | usm    Specifies SNMP version 1, 2c or 3 (usm).

Command Defaults
• If security level is not specified, no authentication will be applied.
• If context is not specified, access will be enabled for the default context. If context is specified without a context match, exact match will be applied.
• If read view is not specified, none will be applied.
• If write view is not specified, none will be applied.
• If notify view is not specified, none will be applied.
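
Because set snmp access applies no authentication when no security level is given, the output of show snmp user, show snmp group and show snmp access is worth reviewing for unauthenticated or community-based access. The following Python is an added example, not part of the Enterasys guide: its sample text is constructed from the output formats shown in this chapter (the SystemAdmin write view and the SecOps group are invented), and the severity ratings and the SNMPv2 model string it matches are assumptions of the example.

```python
"""Audit 'show snmp user/group/access' output for weak SNMP security settings."""
import re

# Constructed sample, modelled on the output formats shown in this guide.
# The SystemAdmin write view and the SecOps group are invented for illustration.
SAMPLE = """\
A2(rw)->show snmp user guest
--- SNMP user information ---
EngineId: 00:00:00:63:00:00:00:a1:00:00:00:00
Username = Guest
Auth protocol = usmNoAuthProtocol
Privacy protocol = usmNoPrivProtocol
A2(rw)->show snmp group
--- SNMP group information ---
Security model = SNMPv1
Security/user name = public
Group name = Anyone
A2(rw)->show snmp access
Group = SystemAdmin
Security model = USM
Security level = noAuthNoPriv
Read View = All
Write View = All

Group = NightOperator
Security model = USM
Security level = noAuthNoPriv
Read View = All
Write View =

Group = SecOps
Security model = USM
Security level = authPriv
Write View =
"""

PROMPT = re.compile(r"^\S+?\(\w+\)->\s*show snmp (\w+)")
FIELD = re.compile(r"^([^=]+?)\s*=\s*(.*)$")
WELL_KNOWN = {"public", "private"}  # widely used default community names


def parse_records(text):
    """Return [(section, {key: value})] for every 'Key = value' record."""
    records, section, current = [], None, {}

    def flush():
        nonlocal current
        if current:
            records.append((section, current))
        current = {}

    for raw in text.splitlines():
        line = raw.strip()
        prompt, field = PROMPT.match(line), FIELD.match(line)
        if prompt:                 # a new command ends the previous record
            flush()
            section = prompt.group(1)
        elif not field:            # a blank line or banner ends the record
            flush()
        else:
            key, value = field.group(1).strip().lower(), field.group(2).strip()
            if key in current:     # repeated key: a new record without a blank line
                flush()
            current[key] = value
    flush()
    return records


def audit(records):
    """Return [(severity, subject, message)]; severities are this example's own."""
    findings = []
    for section, rec in records:
        if section == "user":
            subject = "user " + rec.get("username", "?")
            if rec.get("auth protocol") == "usmNoAuthProtocol":
                findings.append(("high", subject, "no authentication protocol"))
            elif rec.get("privacy protocol") == "usmNoPrivProtocol":
                findings.append(("medium", subject, "authenticated but not encrypted"))
        elif section == "group":
            model, name = rec.get("security model", ""), rec.get("security/user name", "")
            subject = "group " + rec.get("group name", "?")
            if model.lower().startswith(("snmpv1", "snmpv2")):
                findings.append(("medium", subject, f"{model} member '{name}' is community-based"))
                if name.split(".")[0].lower() in WELL_KNOWN:
                    findings.append(("high", subject, f"'{name}' matches a well-known community name"))
        elif section == "access":
            level = rec.get("security level", "").lower()
            subject = "access " + rec.get("group", "?")
            if level == "noauthnopriv":
                writable = bool(rec.get("write view"))
                findings.append(("high" if writable else "medium", subject,
                                 "noAuthNoPriv" + (" with a write view" if writable else "")))
            elif level == "authnopriv":
                findings.append(("low", subject, "authNoPriv: payload is not encrypted"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(parse_records(SAMPLE)):
        print(f"{severity:6} {subject:22} {message}")
```

A group with noAuthNoPriv and a non-empty write view is rated highest because any sender that knows the user name can change configuration.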
4.3.3.3 clear snmp access
Use this command to clear the SNMP access entry of a specific group, including its set SNMP security-model, and level of security.
  clear snmp access groupname security-model {v1 | v2c | usm} [noauthentication | authentication | privacy] [context context]
Syntax Description
  groupname    Specifies the name of the SNMP group for which to clear access.

4.3.4 Configuring SNMP MIB Views
Purpose
To review and configure SNMP MIB views. SNMP views map SNMP objects to access rights.
Commands
The commands used to review and configure SNMP MIB views are listed below and described in the associated section as shown.
• show snmp view (Section 4.3.4.1)
• show snmp context (Section 4.3.4.2)
• set snmp view (Section 4.3.4.3)
• clear snmp view (Section 4.3.4.

4.3.4.1 show snmp view
Use this command to display the MIB configuration for SNMPv3 view-based access (VACM).
  show snmp view [viewname] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Syntax Description
  viewname                    (Optional) Displays information for a specific MIB view.
  subtree oid-or-mibobject    (Optional) Displays information for a specific MIB subtree when viewname is specified.

  View Name    = Network
  Subtree OID  = 1.3.6.1.2.1
  Subtree mask =
  View Type    = included
  Storage type = nonVolatile
  Row status   = active
Table 4-7 provides an explanation of the command output. For details on using the set snmp view command to assign variables, refer to Section 4.3.4.3.

Table 4-7 show snmp view Output Details
  Output    What It Displays...
  View Name      Name assigned to a MIB view.
  Subtree OID    Name identifying a MIB subtree.

4.3.4.2 show snmp context
Use this command to display the context list configuration for SNMP’s view-based access control. An SNMP context is a collection of management information that can be accessed by an SNMP agent or entity. The default context allows all SNMP agents to access all management information (MIBs). When created using the set snmp access command (Section 4.3.3.

4.3.4.3 set snmp view
Use this command to set a MIB configuration for SNMPv3 view-based access (VACM).
  set snmp view viewname viewname subtree subtree [mask mask] [included | excluded] [volatile | nonvolatile]
Syntax Description
  viewname viewname    Specifies a name for a MIB view.
  subtree subtree      Specifies a MIB subtree name.
  mask mask            (Optional) Specifies a bitmask for a subtree.

4.3.4.4 clear snmp view
Use this command to delete an SNMPv3 MIB view.
  clear snmp view viewname subtree
Syntax Description
  viewname    Specifies the MIB view name to be deleted.
  subtree     Specifies the subtree name of the MIB view to be deleted.
Command Defaults
  None.
Command Mode
  Read-Write.
Example
This example shows how to delete SNMP MIB view “public”:
  A2(rw)->clear snmp view public 1.3.6.
4.3.5 Configuring SNMP Target Parameters
Purpose
To review and configure SNMP target parameters. This controls where and under what circumstances SNMP notifications will be sent. A target parameter entry can be bound to a target IP address allowed to receive SNMP notification messages with the set snmp targetaddr command (Section 4.3.6.2).

4.3.5.1 show snmp targetparams
Use this command to display SNMP parameters used to generate a message to a target.
  show snmp targetparams [targetParams] [volatile | nonvolatile | read-only]
Syntax Description
  targetParams                        (Optional) Displays entries for a specific target parameter.
  volatile | nonvolatile | read-only  (Optional) Displays target parameter entries for a specific storage type.

  Target Parameter Name = v3ExampleParams
  Security Name         = CharlieDChief
  Message Proc. Model   = USM
  Security Level        = authNoPriv
  Storage type          = nonVolatile
  Row status            = active
Table 4-8 shows a detailed explanation of the command output.

Table 4-8 show snmp targetparams Output Details
  Output    What It Displays...
  Target Parameter Name    Unique identifier for the parameter in the SNMP target parameters table. Maximum length is 32 bytes.

4.3.5.2 set snmp targetparams
Use this command to set SNMP target parameters, a named set of security/authorization criteria used to generate a message to a target.

Example
This example shows how to set SNMP target parameters named “v1ExampleParams” for a user named “fred” using version 3 security model and message processing, and authentication:
  A2(rw)->set snmp targetparams v1ExampleParams user fred security-model usm message-processing v3 authentication

4.3.5.3 clear snmp targetparams
Use this command to clear the SNMP target parameter configuration.
  clear snmp targetparams targetParams
Syntax Description
  targetParams    Specifies the name of the parameter in the SNMP target parameters table to be cleared.
Command Defaults
  None.
Command Mode
  Read-Write.
4.3.6 Configuring SNMP Target Addresses
Purpose
To review and configure SNMP target addresses which will receive SNMP notification messages. An address configuration can be linked to optional SNMP transmit, or target, parameters (such as timeout, retry count, and UDP port) set with the set snmp targetparams command (Section 4.3.5.2).

4.3.6.1 show snmp targetaddr
Use this command to display SNMP target address information.
  show snmp targetaddr [targetAddr] [volatile | nonvolatile | read-only]
Syntax Description
  targetAddr                          (Optional) Displays information for a specific target address name.
  volatile | nonvolatile | read-only  (Optional) When target address is specified, displays target address information for a specific storage type.

Table 4-9 show snmp targetaddr Output Details
  Output    What It Displays...
  Target Address Name    Unique identifier in the snmpTargetAddressTable.
  Tag List               Tags a location to the target address as a place to send notifications.
  IP Address             Target IP address.
  UDP Port#              Number of the UDP port of the target host to use.
  Target Mask            Target IP address mask.
  Timeout                Timeout setting for the target address.

4.3.6.2 set snmp targetaddr
Use this command to configure an SNMP target address. The target address is a unique identifier and a specific IP address that will receive SNMP notification messages and determine which community strings will be accepted. This address configuration can be linked to optional SNMP transmit parameters (such as timeout, retry count, and UDP port).

• If not specified, number of retries will be set to 3.
• If taglist is not specified, none will be set.
• If not specified, storage type will be nonvolatile.
Command Mode
  Read-Write.
Example
This example shows how to configure a trap notification called “TrapSink.” This trap notification will be sent to the workstation 192.168.190.80 (which is target address “tr”).

4.3.6.3 clear snmp targetaddr
Use this command to delete an SNMP target address entry.
  clear snmp targetaddr targetAddr
Syntax Description
  targetAddr    Specifies the target address entry to delete.
Command Defaults
  None.
Command Mode
  Read-Write.
4.3.7 Configuring SNMP Notification Parameters
Purpose
To configure SNMP notification parameters and optional filters. Notifications are entities which handle the generation of SNMP v1 and v2 “traps” or SNMP v3 “informs” messages to select management targets. Optional notification filters identify which targets should not receive notifications.

4.3.7.1 show snmp notify
Use this command to display the SNMP notify configuration, which determines which management targets will receive SNMP notifications.
  show snmp notify [notify] [volatile | nonvolatile | read-only]
Syntax Description
  notify                              (Optional) Displays notify entries for a specific notify name.
  volatile | nonvolatile | read-only  (Optional) Displays notify entries for a specific storage type.

Table 4-10 show snmp notify Output Details
  Output    What It Displays...
  Notify name     A unique identifier used to index the SNMP notify table.
  Notify Tag      Name of the entry in the SNMP notify table.
  Notify Type     Type of notification: SNMPv1 or v2 trap or SNMPv3 InformRequest message.
  Storage type    Whether access entry is stored in volatile, nonvolatile or read-only memory.

4.3.7.2 set snmp notify
Use this command to set the SNMP notify configuration. This creates an entry in the SNMP notify table, which is used to select management targets who should receive notification messages. This command’s tag parameter can be used to bind each entry to a target address using the set snmp targetaddr command (Section 4.3.6.2).

4.3.7.3 clear snmp notify
Use this command to clear an SNMP notify configuration.
  clear snmp notify notify
Syntax Description
  notify    Specifies an SNMP notify name to clear.
Command Defaults
  None.
Command Mode
  Read-Write.

About SNMP Notify Filters
Profiles indicating which targets should not receive SNMP notification messages are kept in the NotifyFilter table. If this table is empty, meaning that no filtering is associated with any SNMP target, then no filtering will take place. “Traps” or “informs” notifications will be sent to all destinations in the SNMP targetAddrTable that have tags matching those found in the NotifyTable.
4.3.7.4 show snmp notifyfilter
Use this command to display SNMP notify filter information, identifying which profiles will not receive SNMP notifications.
  show snmp notifyfilter [profile] [subtree oid-or-mibobject] [volatile | nonvolatile | read-only]
Syntax Description
  profile                     (Optional) Displays a specific notify filter.
  subtree oid-or-mibobject    (Optional) Displays a notify filter within a specific subtree.

4.3.7.5 set snmp notifyfilter
Use this command to create an SNMP notify filter configuration. This identifies which management targets should NOT receive notification messages, which is useful for fine-tuning the amount of SNMP traffic generated.
  set snmp notifyfilter profile subtree oid-or-mibobject [mask mask] [included | excluded] [volatile | nonvolatile]
Syntax Description
  profile    Specifies an SNMP filter notify name.

4.3.7.6 clear snmp notifyfilter
Use this command to delete an SNMP notify filter configuration.
  clear snmp notifyfilter profile subtree oid-or-mibobject
Syntax Description
  profile                     Specifies an SNMP filter notify name to delete.
  subtree oid-or-mibobject    Specifies a MIB subtree ID containing the filter to be deleted.
Command Defaults
  None.
Command Mode
  Read-Write.

4.3.7.7 show snmp notifyprofile
Use this command to display SNMP notify profile information. This associates target parameters to an SNMP notify filter to determine who should not receive SNMP notifications.
  show snmp notifyprofile [profile] [targetparam targetparam] [volatile | nonvolatile | read-only]
Syntax Description
  profile    (Optional) Displays a specific notify profile.

4.3.7.8 set snmp notifyprofile
Use this command to create an SNMP notify filter profile configuration. This associates a notification filter, created with the set snmp notifyfilter command (Section 4.3.7.5), to a set of SNMP target parameters to determine which management targets should not receive SNMP notifications.

4.3.7.9 clear snmp notifyprofile
Use this command to delete an SNMP notify profile configuration.
  clear snmp notifyprofile profile targetparam targetparam
Syntax Description
  profile                    Specifies an SNMP filter notify name to delete.
  targetparam targetparam    Specifies an associated entry in the snmpTargetParamsTable.
Command Defaults
  None.
Command Mode
  Read-Write.
4.3.8 Creating a Basic SNMP Trap Configuration
Traps are notification messages sent by an SNMPv1 or v2 agent to a network management station, a console, or a terminal to indicate the occurrence of a significant event, such as when a port or device goes up or down, when there are authentication failures, and when power supply errors occur.

Table 4-11 Basic SNMP Trap Configuration Command Set (Continued)
  To do this...                     Use these commands...
  Create a target address entry.    set snmp targetaddr (Section 4.3.6.2)

Example
This example shows how to:
• Create an SNMP community called mgmt.
• Configure a trap notification called TrapSink. This trap notification will be sent with the community name mgmt to the workstation 192.168.190.80 (which is target address tr).

the set snmp targetparams command, which tells exactly which SNMP protocol to use and what community name to provide. In this case, the community name is mgmt.
5. Verifies that the mgmt community name is available. In this case, it has been configured using the set snmp community command.
6. Sends the trap notification message.
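
Because the SNMP commands are independent during setup, a target address can reference target parameters or a community that was never created, and the trap is then not sent. The following Python is an added example, not part of the Enterasys guide, that walks the notify, target address, target parameters and community lookups for a simplified model of the tables: mgmt, tr and 192.168.190.80 are the guide's example names, TrapSink is used here as the notify tag (an assumption), and entry1, trapParams, orphan, nms2, missingParams and 192.0.2.10 are hypothetical.

```python
"""Check that a notify -> targetaddr -> targetparams -> community chain resolves."""

# Constructed tables (a simplified model, not switch output).
NOTIFY = {"entry1": "TrapSink", "orphan": "NoSuchTag"}      # notify name -> tag
TARGETADDR = {                                               # target address entries
    "tr":   {"ip": "192.168.190.80", "param": "trapParams", "taglist": ["TrapSink"]},
    "nms2": {"ip": "192.0.2.10", "param": "missingParams", "taglist": ["TrapSink"]},
}
TARGETPARAMS = {"trapParams": {"user": "mgmt", "security_model": "v2c"}}
COMMUNITIES = {"mgmt": "mgmt"}                               # community -> security name


def resolve_traps(notify, targetaddr, targetparams, communities):
    """Return (deliveries, problems) for the configured notification chain."""
    deliveries, problems = [], []
    for name, tag in sorted(notify.items()):
        # Select every target address whose tag list carries the notify tag.
        matches = [(a, row) for a, row in sorted(targetaddr.items())
                   if tag in row["taglist"]]
        if not matches:
            problems.append(f"notify {name}: tag {tag} matches no target address")
        for addr, row in matches:
            params = targetparams.get(row["param"])
            if params is None:       # dangling reference to target parameters
                problems.append(f"targetaddr {addr}: targetparams {row['param']} not defined")
                continue
            model, user = params["security_model"], params["user"]
            if model in ("v1", "v2c"):
                # v1/v2c traps need a community mapped to the security name.
                names = [c for c, sec in communities.items() if sec == user]
                if not names:
                    problems.append(f"targetparams {row['param']}: no community for {user}")
                    continue
                deliveries.append((name, row["ip"], model, names[0]))
            else:                    # usm: the security name is the SNMPv3 user
                deliveries.append((name, row["ip"], model, user))
    return deliveries, problems


if __name__ == "__main__":
    sent, broken = resolve_traps(NOTIFY, TARGETADDR, TARGETPARAMS, COMMUNITIES)
    for entry in sent:
        print("deliver:", entry)
    for issue in broken:
        print("problem:", issue)
```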
5 Spanning Tree Configuration
This chapter describes the Spanning Tree Configuration set of commands and how to use them.

5.1 SPANNING TREE CONFIGURATION SUMMARY
5.1.1 Overview: Single, Rapid, and Multiple Spanning Tree Protocols
The IEEE 802.1D Spanning Tree Protocol (STP) resolves the problems of physical loops in a network by establishing one primary path between any two devices in a network.

blocking for all traffic flowing between the two switches. The blocking links are effectively used only if the forwarding link goes down. MSTP assigns each VLAN present on the network to a particular Spanning Tree instance, allowing each switch port to be in a distinct state for each such instance: blocking for one Spanning Tree while forwarding for another.

5.1.3 Process Overview: Spanning Tree Configuration
CAUTION: Spanning Tree configuration should be performed only by personnel who are very knowledgeable about Spanning Trees and the configuration of the Spanning Tree Algorithm. Otherwise, the proper operation of the network could be at risk.
Use the following steps as a guide in the Spanning Tree configuration process:
1.

• show spantree bridgeprioritymode (Section 5.2.1.8)
• set spantree bridgeprioritymode (Section 5.2.1.9)
• clear spantree bridgeprioritymode (Section 5.2.1.10)
• show spantree mstilist (Section 5.2.1.11)
• set spantree msti (Section 5.2.1.12)
• clear spantree msti (Section 5.2.1.13)
• show spantree mstmap (Section 5.2.1.14)
• set spantree mstmap (Section 5.2.1.15)
• clear spantree mstmap (Section 5.2.1.

• show spantree spanguard (Section 5.2.1.36)
• set spantree spanguard (Section 5.2.1.37)
• clear spantree spanguard (Section 5.2.1.38)
• show spantree spanguardtimeout (Section 5.2.1.39)
• set spantree spanguardtimeout (Section 5.2.1.40)
• clear spantree spanguardtimeout (Section 5.2.1.41)
• show spantree spanguardlock (Section 5.2.1.42)
• clear / set spantree spanguardlock (Section 5.2.1.
5.2.1.1 show spantree stats
Use this command to display Spanning Tree information for one or more ports.
  show spantree stats [port port-string] [sid sid] [active]
Syntax Description
  port port-string    (Optional) Displays information for the specified port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.

Example
This example shows how to display the device’s Spanning Tree configuration:
  A2(rw)->show spantree stats
  Spanning tree status
  Spanning tree instance
  Designated Root MacAddr
  Designated Root Priority
  Designated Root Cost
  Designated Root Port
  Root Max Age
  Root Hello Time
  Root Forward Delay
  Bridge ID MAC Address
  Bridge ID Priority
  Bridge Max Age
  Bridge Hello Time
  Bridge Forward Delay
  Topology Change Count
  Time

Table 5-1 show spantree Output Details (Continued)
  Output    What It Displays...
  Bridge ID MAC Address    Unique bridge MAC address, recognized by all bridges in the network.
  Bridge ID Priority       Bridge priority, which is a default value, or is assigned using the set spantree priority command. For details, refer to Section 5.2.1.21.
Spanning Tree Configuration Command Set Reviewing and Setting Spanning Tree Bridge Parameters 5.2.1.2 set spantree Use this command to globally enable or disable the Spanning Tree protocol on the switch. set spantree {disable | enable} Syntax Description disable | enable Globally disables or enables Spanning Tree. Command Defaults None. Command Mode Read-Write.
Spanning Tree Configuration Command Set Reviewing and Setting Spanning Tree Bridge Parameters 5.2.1.3 show spantree version Use this command to display the current version of the Spanning Tree protocol running on the device. show spantree version Syntax Description None. Command Defaults None. Command Mode Read-Only.
Spanning Tree Configuration Command Set Reviewing and Setting Spanning Tree Bridge Parameters 5.2.1.4 set spantree version Use this command to set the version of the Spanning Tree protocol to MSTP (Multiple Spanning Tree Protocol), RSTP (Rapid Spanning Tree Protocol) or to STP 802.1D-compatible. set spantree version {mstp | stpcompatible | rstp} NOTE: In most networks, Spanning Tree version should not be changed from its default setting of mstp (Multiple Spanning Tree Protocol) mode.
5.2.1.5 clear spantree version

Use this command to reset the Spanning Tree version to MSTP mode.

clear spantree version

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.6 show spantree bpdu-forwarding

Use this command to display the Spanning Tree BPDU forwarding mode.

show spantree bpdu-forwarding

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to display the Spanning Tree BPDU forwarding mode:

A2(su)->show spantree bpdu-forwarding
BPDU forwarding is disabled.
5.2.1.7 set spantree bpdu-forwarding

Use this command to set the Spanning Tree BPDU forwarding to enable or disable. By default BPDU forwarding is disabled.

NOTE: The Spanning Tree protocol must be disabled (set spantree disable) for this feature to take effect.

set spantree bpdu-forwarding {disable | enable}

Syntax Description
disable | enable    Sets BPDU forwarding to enabled or disabled.
5.2.1.8 show spantree bridgeprioritymode

Use this command to display the Spanning Tree bridge priority mode setting.

show spantree bridgeprioritymode

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to display the Spanning Tree bridge priority mode setting:

A2(rw)->show spantree bridgeprioritymode
Bridge Priority Mode is set to IEEE802.1t mode.
5.2.1.9 set spantree bridgeprioritymode

Use this command to set the Spanning Tree bridge priority mode to 802.1D (legacy) or 802.1t. The mode affects the range of priority values used to determine which device is selected as the Spanning Tree root as described in set spantree priority (Section 5.2.1.21). The default for the switch is to use 802.1t bridge priority mode.
5.2.1.10 clear spantree bridgeprioritymode

Use this command to reset the Spanning Tree bridge priority mode to the default setting of 802.1t.

clear spantree bridgeprioritymode

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.

Example
This example shows how to reset the bridge priority mode to 802.
5.2.1.11 show spantree mstilist

Use this command to display a list of Multiple Spanning Tree (MST) instances configured on the device.

show spantree mstilist

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to display a list of MST instances.
5.2.1.12 set spantree msti

Use this command to create or delete a Multiple Spanning Tree instance.

set spantree msti sid sid {create | delete}

Syntax Description
sid sid            Sets the Multiple Spanning Tree ID. Valid values are 1 - 4094.
                   NOTE: SecureStack A2 devices will support up to 4 MST instances.
create | delete    Creates or deletes an MST instance.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.13 clear spantree msti

Use this command to delete one or more Multiple Spanning Tree instances.

clear spantree msti [sid sid]

Syntax Description
sid sid    (Optional) Deletes a specific multiple Spanning Tree ID.

Command Defaults
If sid is not specified, all MST instances will be cleared.

Command Mode
Read-Write.
5.2.1.14 show spantree mstmap

Use this command to display the mapping of a filtering database ID (FID) to Spanning Trees. Since VLANs are mapped to FIDs, this shows to which SID a VLAN is mapped.

show spantree mstmap [fid fid]

Syntax Description
fid fid    (Optional) Displays information for specific FIDs.

Command Defaults
If fid is not specified, information for all assigned FIDs will be displayed.
5.2.1.15 set spantree mstmap

Use this command to map one or more filtering database IDs (FIDs) to a SID. Since VLANs are mapped to FIDs, this essentially maps one or more VLAN IDs to a Spanning Tree (SID).

set spantree mstmap fid [sid sid]

Syntax Description
fid    Specifies one or more FIDs to assign to the MST.
5.2.1.16 clear spantree mstmap

Use this command to map a FID back to SID 0.

clear spantree mstmap fid

Syntax Description
fid    Specifies one or more FIDs to reset to 0.

Command Defaults
If fid is not specified, all SID to FID mappings will be reset.

Command Mode
Read-Write.
5.2.1.17 show spantree vlanlist

Use this command to display the Spanning Tree ID(s) assigned to one or more VLANs.

show spantree vlanlist [vlan-list]

Syntax Description
vlan-list    (Optional) Displays SIDs assigned to specific VLAN(s).

Command Defaults
If not specified, SID assignment will be displayed for all VLANs.

Command Mode
Read-Only.

Example
This example shows how to display the SIDs mapped to VLAN 1.
5.2.1.18 show spantree mstcfgid

Use this command to display the MST configuration identifier elements, including format selector, configuration name, revision level, and configuration digest.

show spantree mstcfgid

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to display the MST configuration identifier elements.
5.2.1.19 set spantree mstcfgid

Use this command to set the MST configuration name and/or revision level.

set spantree mstcfgid {cfgname name | rev level}

Syntax Description
cfgname name    Specifies an MST configuration name.
rev level       Specifies an MST revision level. Valid values are 0 - 65535.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.20 clear spantree mstcfgid

Use this command to reset the MST revision level to a default value of 0, and the configuration name to a default string representing the bridge MAC address.

clear spantree mstcfgid

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.21 set spantree priority

Use this command to set the device’s Spanning Tree priority. The device with the highest priority (lowest numerical value) becomes the Spanning Tree root device. If all devices have the same priority, the device with the lowest MAC address will then become the root device.
5.2.1.22 clear spantree priority

Use this command to reset the Spanning Tree priority to the default value of 32768.

clear spantree priority [sid]

Syntax Description
sid    (Optional) Resets the priority on a specific Spanning Tree. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Command Defaults
If sid is not specified, priority will be reset on Spanning Tree 0.

Command Mode
Read-Write.
5.2.1.23 set spantree hello

Use this command to set the device’s Spanning Tree hello time. This is the time interval (in seconds) the device will transmit BPDUs indicating it is active.

set spantree hello interval

Syntax Description
interval    Specifies the number of seconds the system waits before broadcasting a bridge hello message (a multicast message indicating that the system is active).
5.2.1.24 clear spantree hello

Use this command to reset the Spanning Tree hello time to the default value of 2 seconds.

clear spantree hello

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.25 set spantree maxage

Use this command to set the bridge maximum aging time. This is the maximum time (in seconds) a device can wait without receiving a configuration message (bridge “hello”) before attempting to reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals.
5.2.1.26 clear spantree maxage

Use this command to reset the maximum aging time for a Spanning Tree to the default value of 20 seconds.

clear spantree maxage

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.27 set spantree fwddelay

Use this command to set the Spanning Tree forward delay. This is the maximum time (in seconds) the root device will wait before changing states (i.e., listening to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
5.2.1.28 clear spantree fwddelay

Use this command to reset the Spanning Tree forward delay to the default setting of 15 seconds.

clear spantree fwddelay

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.29 show spantree backuproot

Use this command to display the backup root status for an MST instance.

show spantree backuproot [sid]

Syntax Description
sid    (Optional) Display backup root status for a specific Spanning Tree identifier. Valid values are 0 - 4094. If not specified, SID 0 is assumed.

Command Defaults
If a SID is not specified then status will be shown for Spanning Tree instance 0.
5.2.1.30 set spantree backuproot

Use this command to enable or disable the Spanning Tree backup root function on the switch. This feature is disabled by default on the SecureStack A2. When this feature is enabled and the A2 is directly connected to the root bridge, stale Spanning Tree information is prevented from circulating if the root bridge is lost.
5.2.1.31 clear spantree backuproot

Use this command to reset the Spanning Tree backup root function to the default state of disabled.

clear spantree backuproot sid

Syntax Description
sid    Specifies the Spanning Tree on which to clear the backup root function. Valid values are 0 - 4094.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.32 show spantree tctrapsuppress

Use this command to display the status of topology change trap suppression on Rapid Spanning Tree edge ports.

show spantree tctrapsuppress

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
5.2.1.33 set spantree tctrapsuppress

Use this command to disable or enable topology change trap suppression on Rapid Spanning Tree edge ports. By default, RSTP non-edge (bridge) ports that transition to forwarding or blocking cause the switch to issue a topology change trap.
5.2.1.34 clear spantree tctrapsuppress

Use this command to clear the status of topology change trap suppression on Rapid Spanning Tree edge ports to the default state of enabled (edge port topology changes do not generate traps).

clear spantree tctrapsuppress

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.35 set spantree protomigration

Use this command to reset the protocol state migration machine for one or more Spanning Tree ports. When operating in RSTP mode, this forces a port to transmit MSTP BPDUs.

set spantree protomigration

Syntax Description
port-string    Reset the protocol state migration machine for specific port(s).
5.2.1.36 show spantree spanguard

Use this command to display the status of the Spanning Tree span guard function.

show spantree spanguard

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
5.2.1.37 set spantree spanguard

Use this command to enable or disable the Spanning Tree span guard function. Span guard is designed to disable, or lock out an "edge" port when an unexpected BPDU is received. The port can be configured to be re-enabled after a set time period, or only after manual intervention.
5.2.1.38 clear spantree spanguard

Use this command to reset the status of the Spanning Tree span guard function to disabled.

clear spantree spanguard

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.39 show spantree spanguardtimeout

Use this command to display the Spanning Tree span guard timeout setting.

show spantree spanguardtimeout

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
5.2.1.40 set spantree spanguardtimeout

Use this command to set the amount of time (in seconds) an edge port will remain locked by the span guard function.

set spantree spanguardtimeout timeout

Syntax Description
timeout    Specifies a timeout value in seconds. Valid values are 0 to 65535. A value of 0 will keep the port locked until manually unlocked. The default value is 300 seconds.

Command Defaults
None.
5.2.1.41 clear spantree spanguardtimeout

Use this command to reset the Spanning Tree span guard timeout to the default value of 300 seconds.

clear spantree spanguardtimeout

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.42 show spantree spanguardlock

Use this command to display the span guard lock status of one or more ports.

show spantree spanguardlock [port-string]

Syntax Description
port-string    (Optional) Specifies the port(s) for which to show span guard lock status. For a detailed description of possible port-string values, refer to Section 3.1.1.
5.2.1.43 clear / set spantree spanguardlock

Use either of these commands to unlock one or more ports locked by the Spanning Tree span guard function. When span guard is enabled, it locks ports that receive BPDUs when those ports have been defined as edge (user) ports (as described in Section 5.2.2.11).
5.2.1.44 show spantree spanguardtrapenable

Use this command to display the state of the Spanning Tree span guard trap function.

show spantree spanguardtrapenable

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
5.2.1.45 set spantree spanguardtrapenable

Use this command to enable or disable the sending of an SNMP trap message when span guard has locked a port.

set spantree spanguardtrapenable {disable | enable}

Syntax Description
disable | enable    Disables or enables sending span guard traps. By default, sending traps is enabled.

Command Defaults
None.

Command Mode
Read-Write.
5.2.1.46 clear spantree spanguardtrapenable

Use this command to reset the Spanning Tree span guard trap function back to the default state of enabled.

clear spantree spanguardtrapenable

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
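
The span guard behaviour described in Sections 5.2.1.37 through 5.2.1.46, modelled in Python as an added example (not Enterasys code and not part of this guide). The class, method and port names are hypothetical, the BPDU timeline is constructed, and the handling of a BPDU that arrives on an already locked port is an assumption.

```python
"""Added illustration (not Enterasys firmware): span guard lockout model.
Defaults follow the guide: function disabled, timeout 300 s, traps enabled."""
from typing import Dict, List, Set, Tuple

DEFAULT_TIMEOUT = 300   # seconds, default of set spantree spanguardtimeout
MAX_TIMEOUT = 65535     # upper bound of the valid timeout range


class SpanGuard:
    def __init__(self) -> None:
        self.enabled = False                    # clear spantree spanguard
        self.timeout = DEFAULT_TIMEOUT
        self.trap_enabled = True                # clear spantree spanguardtrapenable
        self.edge_ports: Set[str] = set()       # ports defined as edge (user) ports
        self.locked_at: Dict[str, float] = {}   # port -> time the lock started
        self.traps: List[str] = []              # stand-in for SNMP trap messages

    def set_timeout(self, seconds: int) -> None:
        if not 0 <= seconds <= MAX_TIMEOUT:
            raise ValueError("timeout must be 0 to 65535 seconds")
        self.timeout = seconds

    def is_locked(self, port: str, now: float) -> bool:
        start = self.locked_at.get(port)
        if start is None:
            return False
        # A timeout of 0 keeps the port locked until it is manually unlocked.
        if self.timeout != 0 and now - start >= self.timeout:
            del self.locked_at[port]
            return False
        return True

    def receive_bpdu(self, port: str, now: float) -> str:
        if self.is_locked(port, now):
            # Assumption of this model: the lock timer is not restarted.
            return "dropped: port locked"
        if self.enabled and port in self.edge_ports:
            self.locked_at[port] = now
            if self.trap_enabled:
                self.traps.append(f"span guard locked {port}")
            return "locked"
        return "processed"

    def unlock(self, port: str) -> bool:
        """Manual unlock, as done with clear / set spantree spanguardlock."""
        return self.locked_at.pop(port, None) is not None


def replay(guard: SpanGuard, events: List[Tuple[float, str]]) -> List[str]:
    """Feed constructed (time, port) BPDU arrivals through the model."""
    return [guard.receive_bpdu(port, t) for t, port in events]


if __name__ == "__main__":
    guard = SpanGuard()
    guard.enabled = True
    guard.edge_ports.update({"fe.1.5", "fe.1.6"})
    # Constructed timeline: BPDUs on a user port, an uplink, then the user port again.
    timeline = [(0, "fe.1.5"), (1, "fe.1.24"), (120, "fe.1.5"), (301, "fe.1.5")]
    for event, result in zip(timeline, replay(guard, timeline)):
        print(event, result)
    print(guard.traps)
```

With the timeout left at 300 seconds a port that keeps receiving BPDUs is locked again as soon as the lock expires, so the trap list doubles as a record of repeated offenders.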
5.2.2 Reviewing and Setting Spanning Tree Port Parameters

Purpose
To display and set Spanning Tree port parameters.

Commands
The commands used to review and set Spanning Tree port parameters are listed below and described in the associated section as shown.
• show spantree portadmin (Section 5.2.2.1)
• set spantree portadmin (Section 5.2.2.2)
• clear spantree portadmin (Section 5.2.2.
5.2.2.1 show spantree portadmin

Use this command to display the status of the Spanning Tree algorithm on one or more ports.

show spantree portadmin [port port-string]

Syntax Description
port port-string    (Optional) Displays status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
5.2.2.2 set spantree portadmin

Use this command to disable or enable the Spanning Tree algorithm on one or more ports.

set spantree portadmin port-string {disable | enable}

Syntax Description
port-string         Specifies the port(s) for which to enable or disable Spanning Tree. For a detailed description of possible port-string values, refer to Section 3.1.1.
disable | enable    Disables or enables Spanning Tree.
5.2.2.3 clear spantree portadmin

Use this command to reset the default Spanning Tree admin status to enable on one or more ports.

clear spantree portadmin port-string

Syntax Description
port-string    Resets the default admin status on specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Mode
Read-Write.
5.2.2.4 show spantree portpri

Use this command to show the Spanning Tree priority for one or more ports. Port priority is a component of the port ID, which is one element used in determining Spanning Tree port roles.

show spantree portpri [port port-string] [sid sid]

Syntax Description
port port-string    (Optional) Specifies the port(s) for which to display Spanning Tree priority.
5.2.2.5 set spantree portpri

Use this command to set a port’s Spanning Tree priority.

set spantree portpri port-string priority [sid sid]

Syntax Description
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to Section 3.1.1.
priority       Specifies a number that represents the priority of a link in a Spanning Tree bridge.
5.2.2.6 clear spantree portpri

Use this command to reset the bridge priority of a Spanning Tree port to a default value of 128.

clear spantree portpri port-string [sid sid]

Syntax Description
port-string    Specifies the port(s) for which to set Spanning Tree port priority. For a detailed description of possible port-string values, refer to Section 3.1.1.
5.2.2.7 show spantree adminpathcost

Use this command to display the admin path cost for a port on one or more Spanning Trees.

show spantree adminpathcost [port port-string] [sid sid]

Syntax Description
port port-string    (Optional) Displays the admin path cost value for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
5.2.2.8 set spantree adminpathcost

Use this command to set the administrative path cost on a port and one or more Spanning Trees.

set spantree adminpathcost port-string cost [sid sid]

Syntax Description
port-string    Specifies the port(s) on which to set an admin path cost. For a detailed description of possible port-string values, refer to Section 3.1.1.
cost           Specifies the port path cost.
5.2.2.9 clear spantree adminpathcost

Use this command to reset the Spanning Tree default value for port admin path cost to 0.

clear spantree adminpathcost port-string [sid sid]

Syntax Description
port-string    Specifies the port(s) for which to reset admin path cost. For a detailed description of possible port-string values, refer to Section 3.1.1.
5.2.2.10 show spantree adminedge

Use this command to display the edge port administrative status for a port.

show spantree adminedge [port port-string]

Syntax Description
port port-string    (Optional) Displays edge port administrative status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
5.2.2.11 set spantree adminedge

Use this command to set the edge port administrative status on a Spanning Tree port. Edge port administrative status begins with the value set to false initially after the device is powered up. If a Spanning Tree BPDU is not received on the port within a few seconds, the status setting changes to true.
5.2.2.12 clear spantree adminedge

Use this command to reset a Spanning Tree port to non-edge status.

clear spantree adminedge port-string

Syntax Description
port-string    Specifies port(s) on which to reset edge port status. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Mode
Read-Write.

Example
This example shows how to reset fe.1.
6 802.1Q VLAN Configuration

This chapter describes the SecureStack system’s capabilities to implement 802.1Q virtual LANs (VLANs). It documents how to:
• Create, enable, disable and name a VLAN.
• Review status and other information related to VLANs.
• Assign ports to a VLAN and filter unwanted frames on one or more ports.
• Set VLAN constraints in order to control the filtering database to which VLANs are allowed to belong.
6.1.2 Port String Syntax Used in the CLI

For information on how to designate port numbers in the CLI syntax, refer to Section 3.1.1.

6.2 PROCESS OVERVIEW: 802.1Q VLAN CONFIGURATION

Use the following steps as a guide to configure VLANs on the device (refer to the associated section in parentheses):
1. Review existing VLANs (Section 6.3.1)
2. Create and name VLANs (Section 6.3.2)
3.
6.3 VLAN CONFIGURATION COMMAND SET

6.3.1 Reviewing Existing VLANs

Purpose
To display a list of VLANs currently configured on the device, to determine how one or more VLANs were created, the ports allowed and disallowed to transmit traffic belonging to VLAN(s), and if those ports will transmit the traffic with a VLAN tag included.

Command
The command needed to review existing VLANs is listed below and described in the associated section as shown.
6.3.1.1 show vlan

Use this command to display all information related to one or more VLANs.

show vlan [static] [vlan-list] [portinfo [vlan vlan-list | vlan-name] [port port-string]]

Syntax Description
static    (Optional) Displays information related to static VLANs. Static VLANs are manually created using the set vlan command (Section 6.3.2.1), SNMP MIBs, or the WebView management application.
Example
This example shows how to display information for VLAN 1. In this case, VLAN 1 is named “DEFAULT VLAN” and it is enabled to operate. Ports allowed to transmit frames belonging to VLAN 1 are listed as egress ports. Ports that won’t include a VLAN tag in their transmitted frames are listed as untagged ports.
6.3.2 Creating and Naming Static VLANs

Purpose
To create a new static VLAN, or to enable or disable existing VLAN(s).

Commands
The commands used to create and name static VLANs are listed below and described in the associated section as shown.
• set vlan (Section 6.3.2.1)
• set vlan name (Section 6.3.2.2)
• clear vlan (Section 6.3.2.3)
• clear vlan name (Section 6.3.2.
6.3.2.1 set vlan

Use this command to create a new static IEEE 802.1Q VLAN, or to enable or disable an existing VLAN. Once a VLAN is created, you can assign it a name using the set vlan name command described in Section 6.3.2.2.

NOTE: Each VLAN ID must be unique. If a duplicate VLAN ID is entered, the device assumes that the Administrator intends to modify the existing VLAN. Enter the VLAN ID using a unique number between 2 and 4093.
6.3.2.2 set vlan name

Use this command to set or change the ASCII name for a new or existing VLAN.

set vlan name vlan-list vlan-name

Syntax Description
vlan-list    Specifies the VLAN ID of the VLAN(s) to be named.
vlan-name    Specifies the string used as the name of the VLAN (1 to 32 characters).

Command Defaults
None.

Command Mode
Read-Write.
6.3.2.3 clear vlan

Use this command to remove a static VLAN from the list of VLANs recognized by the device.

clear vlan vlan-list

Syntax Description
vlan-list    Specifies the VLAN ID of the VLAN(s) to be removed.

Command Defaults
None.

Command Mode
Read-Write.
6.3.2.4 clear vlan name

Use this command to remove the name of a VLAN from the VLAN list.

clear vlan name vlan-list

Syntax Description
vlan-list    Specifies the VLAN ID of the VLAN(s) for which the name will be cleared.

Command Defaults
None.

Command Mode
Read-Write.
6.3.3 Assigning Port VLAN IDs (PVIDs) and Ingress Filtering

Purpose
To assign default VLAN IDs to untagged frames on one or more ports, to configure VLAN ingress filtering and constraints, and to set the frame discard mode.

Commands
The commands used to configure port VLAN IDs and ingress filtering are listed below and described in the associated section as shown.
• show port vlan (Section 6.3.3.
6.3.3.1 show port vlan

Use this command to display port VLAN identifier (PVID) information. PVID determines the VLAN to which all untagged frames received on one or more ports will be classified.

show port vlan [port-string]

Syntax Description
port-string    (Optional) Displays PVID information for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
6.3.3.2 set port vlan

Use this command to configure the PVID (port VLAN identifier) for one or more ports. The PVID is used to classify untagged frames as they ingress into a given port. If the specified VLAN has not already been created, this command will create it, add the VLAN to the port’s egress list as untagged, and remove the default VLAN from the port’s egress list.
6.3.3.3 clear port vlan

Use this command to reset a port’s 802.1Q port VLAN ID (PVID) to the host VLAN ID 1.

clear port vlan port-string

Syntax Description
port-string    Specifies the port(s) to be reset to the host VLAN ID 1. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Mode
Read-Write.
6.3.3.4 show port ingress filter

Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port’s VLAN egress list, then that frame is dropped and not forwarded.
6.3.3.5 set port ingress filter

Use this command to discard all frames received with a VLAN ID that doesn’t match the port’s VLAN egress list. When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port’s egress list. If the received VLAN ID does not match a VLAN ID on the port’s egress list, then the frame is dropped. Ingress filtering is implemented according to the IEEE 802.
6.3.3.6 show port discard

Use this command to display the frame discard mode for one or more ports. Ports can be set to discard frames based on whether or not the frame contains a VLAN tag. They can also be set to discard both tagged and untagged frames, or neither.

show port discard [port-string]

Syntax Description
port-string    (Optional) Displays the frame discard mode for specific port(s).
6.3.3.7 set port discard

Use this command to set the frame discard mode on one or more ports. The options are to discard all incoming tagged frames, all incoming untagged frames, neither (essentially allow all traffic), or both (essentially discarding all traffic). A common practice is to discard all tagged packets on user ports.
6.3.3.8 clear port discard

Use this command to reset the frame discard mode to the factory default setting (none).

clear port discard port-string

Syntax Description
port-string    Specifies the port(s) for which to reset frame discard mode. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Mode
Read-Write.

Example
This example shows how to reset fe.2.
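
How the PVID, frame discard mode and ingress filtering settings of Section 6.3.3 combine into one admit-or-drop decision per received frame, as an added Python example (not Enterasys code and not part of this guide). All names are hypothetical, the order of the checks is an assumption, and the port settings and frames are constructed.

```python
"""Added illustration (not Enterasys code): per-frame ingress decision built
from the PVID, discard mode and ingress filter described in Section 6.3.3."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Model values for the four options described under set port discard.
DISCARD_MODES = {"none", "tagged", "untagged", "both"}


@dataclass
class PortConfig:
    name: str
    pvid: int = 1                                   # clear port vlan resets to VLAN 1
    egress: Set[int] = field(default_factory=lambda: {1})
    ingress_filter: bool = False
    discard: str = "none"                           # factory default discard mode

    def __post_init__(self) -> None:
        if self.discard not in DISCARD_MODES:
            raise ValueError(f"unknown discard mode: {self.discard}")


def admit(port: PortConfig, vid: Optional[int]) -> Tuple[bool, Optional[int], str]:
    """Return (accepted, classified_vlan, reason); vid=None is an untagged frame."""
    tagged = vid is not None
    if tagged and not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    # 1. Discard mode only looks at whether the frame carries a VLAN tag.
    if port.discard == "both" or port.discard == ("tagged" if tagged else "untagged"):
        return (False, None, f"discard mode {port.discard}")
    # 2. Untagged frames are classified to the port's PVID.
    if not tagged:
        return (True, port.pvid, "untagged, classified to PVID")
    # 3. Ingress filtering compares the received VLAN ID with the egress list.
    if port.ingress_filter and vid not in port.egress:
        return (False, None, "ingress filter: VLAN not on egress list")
    return (True, vid, "tagged, accepted")


def audit_user_port(port: PortConfig) -> List[str]:
    """Flag a user port that departs from the practice the guide describes."""
    findings = []
    if port.discard not in ("tagged", "both"):
        findings.append("accepts tagged frames")
    if not port.ingress_filter:
        findings.append("ingress filtering disabled")
    return findings


if __name__ == "__main__":
    # Constructed ports: a default port, a restricted user port and an uplink.
    ports = [
        PortConfig("fe.1.3"),
        PortConfig("fe.1.2", pvid=7, egress={7}, ingress_filter=True, discard="tagged"),
        PortConfig("fe.1.24", egress={1, 7, 20}, ingress_filter=True),
    ]
    for port in ports:
        for frame_vid in (None, 7, 30):             # untagged, VLAN 7, VLAN 30
            print(port.name, frame_vid, admit(port, frame_vid))
        print(port.name, "audit:", audit_user_port(port))
```

The default port accepts a frame tagged for VLAN 30 even though VLAN 30 is not on its egress list, which is the case the discard mode and ingress filter settings close.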
6.3.4 Configuring the VLAN Egress List

Purpose
To assign or remove ports on the egress list of a particular VLAN. This determines which ports on the switch will be eligible to transmit frames for a particular VLAN. For example, ports 1, 5, 7, 8 could be allowed to transmit frames belonging to VLAN 20 and ports 7, 8, 9, 10 could be allowed to transmit frames tagged with VLAN 30 (a port can belong to multiple VLAN Egress lists).
VLAN Configuration Command Set Configuring the VLAN Egress List 6.3.4.1 show port egress Use this command to display the VLAN membership for one or more ports. show port egress [port-string] Syntax Description port-string (Optional) Displays VLAN membership for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1. Command Defaults If port-string is not specified, VLAN membership will be displayed for all ports. Command Mode Read-Write.
VLAN Configuration Command Set Configuring the VLAN Egress List 6.3.4.2 set vlan forbidden Use this command to prevent one or more ports from participating in a VLAN. This setting instructs the device to ignore dynamic requests (either through GVRP or dynamic egress) for the port to join the VLAN. set vlan forbidden vlan-id port-string Syntax Description vlan-id Specifies the VLAN for which to set forbidden port(s). port-string Specifies the port(s) to set as forbidden for the specified vlan-id.
VLAN Configuration Command Set Configuring the VLAN Egress List 6.3.4.3 set vlan egress Use this command to add ports to the VLAN egress list for the device, or to prevent one or more ports from participating in a VLAN. This determines which ports will transmit frames for a particular VLAN. set vlan egress vlan-list port-string [untagged | forbidden | tagged] Syntax Description vlan-list Specifies the VLAN where a port(s) will be added to the egress list.
VLAN Configuration Command Set Configuring the VLAN Egress List This example shows how to forbid Fast Ethernet ports 13 through 15 in unit 1 from joining VLAN 7 and disallow egress on those ports: A2(rw)->set vlan egress 7 fe.1.13-15 forbidden This example shows how to allow Fast Ethernet port 2 in unit 1 to transmit VLAN 7 frames as untagged: A2(rw)->set vlan egress 7 fe.1.
VLAN Configuration Command Set Configuring the VLAN Egress List 6.3.4.4 clear vlan egress Use this command to remove ports from a VLAN’s egress list. clear vlan egress vlan-list port-string [forbidden] Syntax Description vlan-list Specifies the number of the VLAN from which a port(s) will be removed from the egress list. port-string Specifies one or more ports to be removed from the VLAN egress list of the specified vlan-list.
VLAN Configuration Command Set Configuring the VLAN Egress List 6.3.4.5 show vlan dynamicegress Use this command to display the status of dynamic egress (enabled or disabled) for one or more VLANs. show vlan dynamicegress [vlan-list] Syntax Description vlan-list (Optional) Displays dynamic egress status for specific VLAN(s). Command Defaults If vlan-list is not specified, the dynamic egress status for all VLANs will be displayed. Command Mode Read-Write.
VLAN Configuration Command Set Configuring the VLAN Egress List 6.3.4.6 set vlan dynamicegress Use this command to administratively set the dynamic egress status for one or more VLANs. If dynamic egress is enabled for a particular VLAN, when a port receives a frame tagged with that VLAN’s ID, the switch will add the receiving port to that VLAN’s egress list. Dynamic egress is disabled on the SecureStack A2 by default.
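The following added example (not part of the original guide and not Enterasys code) models how the frame discard mode, ingress filtering, the forbidden setting and dynamic egress described in Sections 6.3.3 and 6.3.4 combine on one port, so that a planned configuration can be checked before it is applied. The class and function names, the sample ports and VLANs, the order in which the checks run, and the handling of unknown VLANs are assumptions of this model.

```python
# Added illustration: a simplified model of the per-port checks in Section 6.3.
# The order of the checks is an assumption of this model, not a statement
# about the SecureStack A2 firmware.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    pvid: int = 1
    discard: str = "none"         # frame discard mode: none | tagged | untagged | both
    ingress_filter: bool = False  # state set by "set port ingress filter"


@dataclass
class Vlan:
    vid: int
    egress: Set[str] = field(default_factory=set)     # ports on the egress list
    forbidden: Set[str] = field(default_factory=set)  # ports barred from joining
    dynamic_egress: bool = False                      # disabled by default


def forbid(vlan: Vlan, port_name: str) -> None:
    """Model of a forbidden port: no egress and no dynamic joining."""
    vlan.egress.discard(port_name)
    vlan.forbidden.add(port_name)


def receive(port: Port, vlans: Dict[int, Vlan], tag: Optional[int]) -> Tuple[str, str]:
    """Return (verdict, reason) for one received frame; tag=None means untagged."""
    tagged = tag is not None
    # 1. Frame discard mode looks only at whether the frame carries a VLAN tag.
    if port.discard == "both" or port.discard == ("tagged" if tagged else "untagged"):
        return ("drop", "discard-mode")
    # 2. Untagged frames are classified to the port VLAN ID (PVID).
    vid = tag if tagged else port.pvid
    vlan = vlans.get(vid)
    if vlan is None:  # assumption: VLANs unknown to the model are dropped
        return ("drop", "unknown-vlan")
    # 3. Dynamic egress: a tagged frame adds the receiving port to that VLAN's
    #    egress list, unless the port is forbidden for the VLAN.
    if tagged and vlan.dynamic_egress and port.name not in vlan.forbidden:
        vlan.egress.add(port.name)
    # 4. Ingress filtering: drop when the VLAN ID is not on the port's egress list.
    if port.ingress_filter and port.name not in vlan.egress:
        return ("drop", "ingress-filter")
    return ("accept", "vlan-%d" % vid)


def dynamic_join_exposure(port: Port, vlans: Dict[int, Vlan]) -> List[int]:
    """VLAN IDs whose egress list this port would join on receipt of a tagged frame."""
    if port.discard in ("tagged", "both"):
        return []
    return sorted(
        v.vid for v in vlans.values()
        if v.dynamic_egress
        and port.name not in v.forbidden
        and port.name not in v.egress
    )


def build_vlans() -> Dict[int, Vlan]:
    """Constructed sample: VLAN 7 is a management VLAN, VLAN 20 a user VLAN."""
    return {
        7: Vlan(7, egress={"fe.1.1"}, dynamic_egress=True),
        20: Vlan(20, egress={"fe.1.1", "fe.1.13"}),
    }


if __name__ == "__main__":
    user = Port("fe.1.13", pvid=20, ingress_filter=True)

    vlans = build_vlans()
    print("before hardening, exposed to:", dynamic_join_exposure(user, vlans))
    print("  tagged VLAN 7 frame:", receive(user, vlans, 7))

    vlans = build_vlans()
    forbid(vlans[7], user.name)   # port forbidden for the management VLAN
    user.discard = "tagged"       # user port discards all tagged frames
    print("after hardening, exposed to:", dynamic_join_exposure(user, vlans))
    print("  tagged VLAN 7 frame:", receive(user, vlans, 7))
    print("  untagged frame:", receive(user, vlans, None))
```

In this model, ingress filtering alone does not keep the user port out of VLAN 7 while dynamic egress is enabled for that VLAN; the forbidden setting or the tagged discard mode does.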
6.3.5 Setting the Host VLAN
Purpose
To configure a host VLAN that only select devices are allowed to access. This secures the host port for management-only tasks.
NOTE: The host port is the management entity of the device.
Commands
The commands needed to configure host VLANs are listed below and described in the associated section as shown.
• show host vlan (Section 6.3.5.1)
• set host vlan (Section 6.3.5.2)
• clear host vlan (Section 6.3.5.

6.3.5.1 show host vlan
Use this command to display the current host VLAN.
show host vlan
Syntax Description
None.
Command Defaults
None.
Command Mode
Read-Only.
Example
This example shows how to display the host VLAN:
A2(rw)->show host vlan
Host vlan is 7.

6.3.5.2 set host vlan
Use this command to assign host status to a VLAN. The host VLAN should be a secure VLAN where only designated users are allowed access. For example, a host VLAN could be specifically created for device management. This would allow a management station connected to the management VLAN to manage all ports on the device and make management secure by preventing management via ports assigned to other VLANs.

6.3.5.3 clear host vlan
Use this command to reset the host VLAN to the default setting of 1.
clear host vlan
Syntax Description
None.
Command Defaults
None.
Command Mode
Read-Write.

6.3.6 Creating a Secure Management VLAN
If the SecureStack A2 device is to be configured for multiple VLANs, it may be desirable to configure a management-only VLAN. This allows a station connected to the management VLAN to manage the device. It also makes management secure by preventing configuration via ports assigned to other VLANs. To create a secure management VLAN, you must:
1. Create a new VLAN. (Section 6.3.2.1)
2.
6.3.7 Enabling/Disabling GVRP (GARP VLAN Registration Protocol)
Purpose
To dynamically create VLANs across a switched network. The GVRP command set is used to display GVRP configuration information, the current global GVRP state setting, individual port settings (enable or disable) and timer settings. By default, GVRP is enabled globally, but disabled on all ports.

Figure 6-1 Example of VLAN Propagation via GVRP
[Figure: Switch 1 through Switch 5 and End Station A. R = Port registered as a member of VLAN Blue; D = Port declaring VLAN Blue.]
Configuring a VLAN on an 802.1Q switch creates a static VLAN entry. The entry will always remain registered and will not time out.

Commands
The commands used to configure GVRP are listed below and described in the associated section as shown.
• show gvrp (Section 6.3.7.1)
• show garp timer (Section 6.3.7.2)
• set gvrp (Section 6.3.7.3)
• clear gvrp (Section 6.3.7.4)
• set garp timer (Section 6.3.7.

6.3.7.1 show gvrp
Use this command to display GVRP configuration information.
show gvrp [port-string]
Syntax Description
port-string (Optional) Displays GVRP configuration information for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults
If port-string is not specified, GVRP configuration information will be displayed for all ports and the device.

6.3.7.2 show garp timer
Use this command to display GARP timer values for one or more ports.
show garp timer [port-string]
Syntax Description
port-string (Optional) Displays GARP timer information for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults
If port-string is not specified, GARP timer information will be displayed for all ports.

Table 6-4 provides an explanation of the command output. For details on using the set gvrp command to enable or disable GVRP, refer to Section 6.3.7.3. For details on using the set garp timer command to change default timer values, refer to Section 6.3.7.5.
Table 6-4 show garp timer Output Details
Output          What It Displays...
Port Number     Port designation.

6.3.7.3 set gvrp
Use this command to enable or disable GVRP globally on the device or on one or more ports.
set gvrp {enable | disable} [port-string]
Syntax Description
disable | enable Disables or enables GVRP on the device.
port-string (Optional) Disables or enables GVRP on specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.

6.3.7.4 clear gvrp
Use this command to clear GVRP status on one or more ports.
clear gvrp [port-string]
Syntax Description
port-string (Optional) Clears GVRP status on specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults
If port-string is not specified, GVRP status will be cleared for all ports.
Command Mode
Read-Write.

6.3.7.5 set garp timer
Use this command to adjust the values of the join, leave, and leaveall timers.
set garp timer {[join timer-value] [leave timer-value] [leaveall timer-value]} port-string
NOTE: The setting of these timers is critical and should only be changed by personnel familiar with the 802.1Q standards documentation, which is not supplied with this device.
7 Differentiated Services Configuration
This chapter describes the Differentiated Services (Diffserv) set of commands and how to use them.

7.1 DIFFERENTIATED SERVICES CONFIGURATION SUMMARY
SecureStack A2 devices support Diffserv policy-based provisioning of network resources by allowing IT administrators to:
• Create, change or remove Diffserv policies based on business-specific use of network services.
• Prioritize and police traffic according to assigned policies and conditions.

7.3 DIFFERENTIATED SERVICES CONFIGURATION COMMAND SET
7.3.1 Globally Enabling or Disabling Diffserv
Purpose
To globally enable or disable Diffserv on the device.
Command
The command used to globally enable or disable Diffserv on the device is listed below and described in the associated section as shown.
• set diffserv adminmode (Section 7.3.1.1)
7.3.1.

7.3.2 Creating Diffserv Classes and Matching Conditions
Purpose
To review, create, and configure Diffserv classes and matching conditions.
Commands
The commands used to review, create, and configure Diffserv classes and matching conditions are listed below and described in the associated section as shown.
• show diffserv info (Section 7.3.2.1)
• show diffserv class (Section 7.3.2.

7.3.2.1 show diffserv info
Use this command to display general Diffserv status information.
show diffserv info
Syntax Description
None.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Only.
Example
This example shows how to display general Diffserv status information:
A2(rw)->show diffserv info
DiffServ Admin Mode............................
Class Table Size Current/Max...............

7.3.2.2 show diffserv class
Use this command to display information about Diffserv classes.
show diffserv class {summary | detailed classname}
Syntax Description
summary Displays a summary of Diffserv class information.
detailed classname Displays detailed Diffserv information for a specific class.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Only.

7.3.2.3 set class create
Use this command to create a new Diffserv class.
set diffserv class create {all classname}
Syntax Description
all Specifies that all match conditions must be met before the associated policy is executed.
classname Specifies a class name for this new Diffserv class.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Write.

7.3.2.4 set diffserv class delete
Use this command to delete a Diffserv class and remove any match assigned to the class.
NOTE: You cannot use this command to delete a class that has been assigned to a policy. Before deleting a class with an assigned policy and service port(s), you must first:
• Remove the service port(s) assigned to the policy using the set diffserv service remove command (Section 7.3.

7.3.2.5 set diffserv class match
Use this command to match a Diffserv class to a service condition based on layer 2, 3 and 4 packet parameters. Any policy that is applied must be composed of rules that come from only one of the following four groups.

Class matches of layer 4 destination or source must be sequenced before the corresponding protocol match, as illustrated in the third example below. You can only add classes of the same category to a policy.
ipprecedence classname precedencenumber Matches to a specific class based on the value of the IP precedence field. Valid precedencenumber values are: 0 - 7.
iptos classname tosbits tosmask Matches to a specific class based on the value of the IP type of service (TOS) field. Valid tosbits values are 0 - 255. Valid tosmask values are 1 - 8.

Examples
This example shows how to match the “admin” class to source IP address 130.10.0.32 and only that IP address type:
A2(rw)->set diffserv class match srcip admin 130.10.0.32 255.255.255.255
This example shows how to match the “admin” class to VLAN 10:
A2(rw)->set diffserv class match vlan admin 10
This example shows how to match the “http” class to TCP packets with a destination port of 80 (HTTP).

7.3.2.6 set diffserv class rename
Use this command to change the name of a Diffserv class.
set diffserv class rename classname newclassname
Syntax Description
classname Specifies the class name previously set for this new Diffserv class.
newclassname Specifies a new class name.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Write.

7.3.3 Configuring Diffserv Policies and Assigning Classes
Purpose
To review, create, and configure Diffserv policies and assign classes.
Commands
The commands used to review, create, and configure Diffserv policies and assign classes are listed below and described in the associated section as shown.
• show diffserv policy (Section 7.3.3.1)
• set diffserv policy create (Section 7.3.3.

7.3.3.1 show diffserv policy
Use this command to display information about Diffserv policies.
show diffserv policy {summary | detailed policyname}
Syntax Description
summary Displays Diffserv policy summary information.
detailed policyname Displays detailed Diffserv information for a specific policy.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Only.

7.3.3.2 set diffserv policy create
Use this command to create a new Diffserv policy.
set diffserv policy create policyname {in}
Syntax Description
policyname Specifies a policy name.
in Applies this policy to incoming packets.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Write.

7.3.3.3 set diffserv policy delete
Use this command to delete a Diffserv policy.
NOTE: In order to delete a policy you must first remove the service port(s) assigned to the policy using the set diffserv service remove command as described in Section 7.3.4.3.
set diffserv policy delete policyname
Syntax Description
policyname Specifies a policy name to be deleted.
Command Defaults
None.

7.3.3.4 set diffserv policy class
Use this command to add or remove a Diffserv class to a specified policy. Once added, policies will be active for the specified class.
NOTE: Class must be added to a policy using this command before policy parameters, such as bandwidth, marking, and policing, can be configured.

7.3.3.5 set diffserv policy mark
Use this command to mark all packets for the associated Diffserv traffic stream with a specific IP DSCP or IP precedence value.
set diffserv policy mark {ipdscp | ipprecedence policyname classname value}
Syntax Description
ipdscp | ipprecedence Specifies that packets will be marked with either an IP DSCP or precedence value.

7.3.3.6 set diffserv policy police style simple
Use this command to establish the policing style for a Diffserv policy based only on bandwidth for the specified class.
set diffserv policy police style simple policyname classname bandwidth burstsize
Syntax Description
policyname Specifies the policy name being configured.
classname Specifies a Diffserv class to associate to this policy.

7.3.3.7 set diffserv policy rename
Use this command to change the name of a Diffserv policy.
set diffserv policy rename policyname newpolicyname
Syntax Description
policyname Specifies the policy name previously set for this new Diffserv class.
newpolicyname Specifies a new policy name.
Command Defaults
None.
Command Type
Switch command.
Command Mode
Read-Write.

7.3.4 Assigning Policies to Service Ports
Purpose
To review and assign Diffserv policies and their associated classes to service ports.
Commands
The commands used to review and assign Diffserv policies to service ports are listed below and described in the associated section as shown.
• show diffserv service info (Section 7.3.4.1)
• show diffserv service stats (Section 7.3.4.2)
• set diffserv service (Section 7.3.4.

7.3.4.1 show diffserv service info
Use this command to display information about Diffserv service ports.
show diffserv service info {summary | detailed port-string} {in}
Syntax Description
summary Displays Diffserv service port summary information.
detailed port-string Displays detailed information for a specific port(s).
in Displays information about incoming traffic.
Command Defaults
None.

7.3.4.2 show diffserv service stats
Use this command to display Diffserv policy service statistics.
show diffserv service stats {summary | detailed port-string} {in}
Syntax Description
summary Displays a summary of Diffserv service statistics.
detailed port-string Displays detailed statistics for a specific port.
in Displays information about incoming traffic.
Command Defaults
None.
Command Type
Switch command.

7.3.4.3 set diffserv service
Use this command to add or remove a Diffserv policy to incoming traffic on one or more ports.
set diffserv service {add | remove} {in} port-string policyname
Syntax Description
add | remove Adds or removes the specified policy.
in Adds or removes the specified policy to incoming traffic.
port-string Specifies the port(s) to which this policy will be applied.
8 Port Priority and Rate Limiting Configuration
This chapter describes the Port Priority and Rate Limiting set of commands and how to use them.

8.1 PORT PRIORITY CONFIGURATION SUMMARY
The SecureStack A2 device supports Class of Service (CoS), which allows you to assign mission-critical data to higher priority through the device by delaying less critical traffic during periods of congestion. The higher priority traffic through the device is serviced first before lower priority traffic.

3. Configuring Port Quality of Service (Section 8.3.3)
4. Configuring Port Traffic Rate Limiting (Section 8.3.4)

8.3 PORT PRIORITY AND RATE LIMITING CONFIGURATION COMMAND SET
8.3.

8.3.1.1 show port priority
Use this command to display the 802.1D priority for one or more ports.
show port priority [port-string]
Syntax Description
port-string (Optional) Displays priority information for a specific port. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults
If port-string is not specified, priority for all ports will be displayed.
Command Mode
Read-Only.

8.3.1.2 set port priority
Use this command to set the 802.1D (802.1p) Class-of-Service transmit queue priority (0 through 7) on each port. A port receiving a frame without priority information in its tag header is assigned a priority according to the priority setting on the port.

8.3.1.3 clear port priority
Use this command to reset the current CoS port priority setting to 0. This will cause all frames received without a priority value in their headers to be set to priority 0.
clear port priority port-string
Syntax Description
port-string Specifies the port for which to clear priority. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults
None.

8.3.2 Configuring Priority to Transmit Queue Mapping
Purpose
To perform the following:
• View the current priority to transmit queue mapping of each physical port.
• Configure each port to either transmit frames according to the port priority, set using the set port priority command described in Section 8.3.1.

8.3.2.1 show port priority-queue
Use this command to display the port priority levels (0 through 7, with 0 as the lowest level) associated with the current transmit queue (0 through 5, with 0 being the lowest priority) for each priority of the selected port.

8.3.2.2 set port priority-queue
Use this command to map 802.1D (802.1p) priorities to transmit queues. This command enables you to change the transmit queue (0 through 5, with 0 being the lowest priority queue) for each port priority of the selected port. You can apply the new settings to one or more ports.

8.3.2.3 clear port priority-queue
Use this command to reset port priority queue settings back to defaults for one or more ports.
clear port priority-queue port-string
Syntax Description
port-string Specifies the port for which to clear priority-to-queue mappings. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults
None.
Command Mode
Read-Write.

8.3.3 Configuring Quality of Service (QoS)
Purpose
Eight transmit queues are implemented in the switch hardware for each port, but only six are available for use in prioritizing various data and control traffic. The seventh and eighth queues are reserved for stacking and network control related communications.

8.3.3.1 show port txq
Use this command to display QoS transmit queue information for one or more ports.
show port txq [port-string]
Syntax Description
port-string (Optional) Specifies port(s) for which to display QoS settings. For a detailed description of possible port-string values, refer to Section 3.1.1.
NOTE: Only physical ports will be displayed. LAG ports have no transmit queue information.

8.3.3.2 set port txq
Use this command to set QoS transmit queue arbitration values for ports. Eight transmit queues are implemented in the switch hardware for each port, but only six are available for use in prioritizing various data and control traffic. The seventh and eighth queues are reserved for stacking and network control related communications and cannot be configured.

This example shows how to change the algorithm to strict priority for the six transmit queues belonging to ge.1.1:
A2(su)->set port txq ge.1.1 0 0 0 0 0 100
A2(su)->show port txq ge.1.1
Port Alg Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7
------- --- --- --- --- --- --- --- --
ge.1.

8.3.3.3 clear port txq
Use this command to clear port transmit queue values back to their default values.
clear port txq port-string
Syntax Description
port-string Clears transmit queue values on specific port(s) back to their default values. For a detailed description of possible port-string values, refer to Section 3.1.1.

Example
This example shows how to clear transmit queue values on ge.1.1:
A2(su)->clear port txq ge.1.1
A2(su)->show port txq ge.1.1
Port Alg Q0 Q1 Q2 Q3 Q4 Q5 Q6 Q7
------- --- --- --- --- --- --- --- --
ge.1.

8.3.4 Configuring Port Traffic Rate Limiting
Purpose
To limit the rate of inbound traffic on the SecureStack A2 device on a per port/priority basis. The allowable range for the rate limiting is 64 kilobytes per second minimum up to the maximum transmission rate allowable on the interface type. Rate limit is configured for a given port and list of priorities.

8.3.4.1 show port ratelimit
Use this command to show the traffic rate limiting configuration on one or more ports.
show port ratelimit [port-string]
Syntax Description
port-string (Optional) Displays rate limiting information for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.

Table 8-1 show port ratelimit Output Details
Output             What It Displays...
Port Number        Port designation. For a detailed description of possible port-string values, refer to Section 3.1.1.
Index              Resource index for this port.
Threshold (kB/s)   Port rate limiting threshold in kilobytes per second.
Action             Whether or not frames not conforming to rate limiting will be discarded.

8.3.4.2 set port ratelimit
Use this command to configure the traffic rate limiting status and threshold (in kilobytes per second) for one or more ports.
set port ratelimit {disable | enable} | port-string priority threshold {disable | enable} [inbound] [index]
Syntax Description
disable | enable When entered without a port-string, globally disables or enables the port rate limiting function.

Example
This example shows how to:
• globally enable rate limiting
• configure rate limiting for inbound traffic on port fe.2.1, index 1, priority 5, to a threshold of 125 KBps:
A2(rw)->set port ratelimit enable
A2(rw)->set port ratelimit fe.2.

8.3.4.3 clear port ratelimit
Use this command to clear rate limiting parameters for one or more ports.
clear port ratelimit port-string [index]
Syntax Description
port-string Specifies the port(s) on which to clear rate limiting. For a detailed description of possible port-string values, refer to Section 3.1.1.
index (Optional) Specifies the associated resource index to be reset.
9 IGMP Configuration This chapter describes the IGMP Configuration set of commands and how to use them. 9.1 ABOUT IP MULTICAST GROUP MANAGEMENT The Internet Group Management Protocol (IGMP) runs between hosts and their immediately neighboring multicast switch device. The protocol’s mechanisms allow a host to inform its local switch device that it wants to receive transmissions addressed to a specific multicast group.
IGMP Configuration Summary Enabling / Disabling IGMP 9.2 IGMP CONFIGURATION SUMMARY Multicasting is used to support real-time applications such as video conferences or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch.
IGMP Configuration Command Set Enabling / Disabling IGMP 9.4.1.1 show igmpsnooping Use this command to display IGMP snooping information. Configured information is displayed whether or not IGMP snooping is enabled. Status information is displayed only when the function is enabled. For information on enabling IGMP on the system, refer to Section 9.4.1.2. For information on enabling IGMP on one or more ports, refer to Section 9.4.1.3. show igmpsnooping Syntax Description None. Command Defaults None.
IGMP Configuration Command Set Enabling / Disabling IGMP 9.4.1.2 set igmpsnooping adminmode Use this command to enable or disable IGMP on the system. NOTE: In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device with this command, and then enabled on a port(s) using the set igmpsnooping interface mode command as described in Section 9.4.1.3.
IGMP Configuration Command Set Enabling / Disabling IGMP 9.4.1.3 set igmpsnooping interfacemode Use this command to enable or disable IGMP on one or all ports. NOTE: In order for IGMP snooping to be enabled on one or all ports, it must be globally enabled on the device using the set igmpsnooping adminmode command as described in Section 9.4.1.2, and then enabled on a port(s) using this command.
IGMP Configuration Command Set Configuring IGMP 9.4.2 Configuring IGMP Purpose To display and set IGMP configuration parameters, including query interval and response time settings. Commands The commands used to configure IGMP are listed below and described in the associated sections as shown. • set igmpsnooping groupmembershipinterval (Section 9.4.2.1) • set igmpsnooping maxresponse (Section 9.4.2.2) • set igmpsnooping mcrtrexpiretime (Section 9.4.2.3) • show igmpsnooping mfdb (Section 9.4.2.
9.4.2.1 set igmpsnooping groupmembershipinterval
Use this command to configure the IGMP group membership interval time for the system. This value sets the frequency of host-query frame transmissions and must be greater than the IGMP maximum response time as described in Section 9.4.2.2.
set igmpsnooping groupmembershipinterval time
Syntax Description
time Specifies the IGMP group membership interval. Valid values are 2 - 3600 seconds.
9.4.2.2 set igmpsnooping maxresponse
Use this command to configure the IGMP query maximum response time for the system. This value must be less than the IGMP group membership interval as described in Section 9.4.2.1.
set igmpsnooping maxresponse time
Syntax Description
time Specifies the IGMP maximum query response time. Valid values are 100 - 255 seconds.
9.4.2.3 set igmpsnooping mcrtrexpiretime
Use this command to configure the IGMP multicast router expiration time for the system. This timer is for expiring the switch from the multicast database. If the timer expires, and the only address left is the multicast switch, then the entry will be removed.
set igmpsnooping mcrtrexpire time
Syntax Description
time Specifies the IGMP multicast router expiration time. Valid values are 0 - 3600 seconds.
9.4.2.4 show igmpsnooping mfdb
Use this command to display multicast forwarding database (MFDB) information.
show igmpsnooping mfdb [stats]
Syntax Description
stats (Optional) Displays MFDB statistics.
Command Defaults If stats is not specified, all MFDB table entries will be displayed.
Command Mode Read-Only.
9.4.2.5 clear igmpsnooping
Use this command to clear all IGMP snooping entries.
clear igmpsnooping
Syntax Description None.
Command Defaults None.
Command Mode Read-Write.
10 Security Configuration
This chapter describes the Security Configuration set of commands and how to use them.
10.1 OVERVIEW OF SECURITY METHODS
The following security methods are available for controlling which users are allowed to access, monitor, and manage the device.
• Login user accounts and passwords – used to log in to the CLI by way of a Telnet connection or local COM port connection. For details, refer to Section 2.1.11.
Process Overview: Security Configuration • MAC Authentication – provides a mechanism for administrators to securely authenticate source MAC addresses and grant appropriate access to end user devices communicating on SecureStack A2 ports. For details, refer to Section 10.3.3. • Multiple Authentication Methods – allows users to authenticate using multiple methods of authentication on the same port. For details, refer to Section 10.3.4. • RFC 3580 Tunnel Attributes provide a mechanism to contain an 802.
10.3 SECURITY CONFIGURATION COMMAND SET
10.3.1 Configuring RADIUS
Purpose
To perform the following:
• Review the RADIUS client/server configuration on the switch.
• Enable or disable the RADIUS client.
• Set local and remote login options.
• Set primary and secondary server parameters, including IP address, timeout period, authentication realm, and number of user login attempts allowed.
• Reset RADIUS server settings to default values.
10.3.1.1 show radius
Use this command to display the current RADIUS client/server configuration.
show radius [status | retries | timeout | server [index | all]]
Syntax Description
status (Optional) Displays the RADIUS server’s enable status.
retries (Optional) Displays the number of retry attempts before the RADIUS server times out.
Table 10-1 show radius Output Details
Output | What It Displays...
RADIUS status | Whether RADIUS is enabled or disabled.
RADIUS retries | Number of retry attempts before the RADIUS server times out. The default value of 3 can be reset using the set radius command as described in Section 10.3.1.2.
RADIUS timeout | Maximum amount of time (in seconds) to establish contact with the RADIUS server before retry attempts begin.
10.3.1.2 set radius
Use this command to enable, disable, or configure RADIUS authentication.
realm management-access | any-access | network-access
Realm allows you to define who has to go through the RADIUS server for authentication.
• management-access: This means that anyone trying to access the switch (Telnet, SSH, Local Management) has to authenticate through the RADIUS server.
• network-access: This means that all the users have to authenticate to a RADIUS server before they are allowed access to the network.
This example shows how to force any management-access to the switch (Telnet, web, SSH) to authenticate through a RADIUS server. The “all” at the end of the command means that any of the defined RADIUS servers can be used for this authentication.
10.3.1.3 clear radius
Use this command to clear RADIUS server settings.
clear radius [retries] [timeout] [server [realm] {index | all}]
Syntax Description
retries Resets the maximum number of attempts a user can contact the RADIUS server before timing out to 3.
timeout Resets the maximum amount of time to establish contact with the RADIUS server before timing out to 20 seconds.
server Deletes the RADIUS server settings.
10.3.1.4 show radius accounting
Use this command to display the RADIUS accounting configuration. RADIUS accounting transmits accounting information between a network access server and a shared accounting server.
show radius accounting [server | counter ip-address | retries | timeout]
Syntax Description
server (Optional) Displays one or all RADIUS accounting server configurations.
counter ip-address (Optional) Displays counters for a RADIUS accounting server.
10.3.1.5 set radius accounting
Use this command to configure RADIUS accounting.
set radius accounting {[enable | disable] [retries retries] [timeout timeout] [server ip_address port [server-secret]]}
Syntax Description
enable | disable Enables or disables the RADIUS accounting client.
retries retries Sets the maximum number of attempts to contact a specified RADIUS accounting server before timing out. Valid retry values are 1 - 10.
This example shows how to set the RADIUS accounting timeout to 30 seconds:
A2(rw)->set radius accounting timeout 30
This example shows how to set RADIUS accounting retries to 10:
A2(rw)->set radius accounting retries 10
10.3.1.6 clear radius accounting
Use this command to clear RADIUS accounting configuration settings.
clear radius accounting {server ip-address | retries | timeout | counter}
Syntax Description
server ip-address Clears the configuration on one or more accounting servers.
retries Resets the retries to the default value of 2.
timeout Resets the timeout to 5 seconds.
counter Clears counters.
Command Mode Read-Write.
Command Defaults None.
10.3.2 Configuring 802.1X Authentication
Purpose
To review and configure 802.1X authentication for one or more ports using EAPOL (Extensible Authentication Protocol over LAN). 802.1X controls network access by enforcing user authorization on selected ports, which results in allowing or denying network access according to RADIUS server configuration.
NOTES: One user per EAPOL-configured port can be authenticated on SecureStack A2 devices.
10.3.2.1 show dot1x
Use this command to display 802.1X status, diagnostics, statistics, and reauthentication or initialization control information for one or more ports.
show dot1x [auth-config] [auth-diag] [auth-stats] [port [init | reauth]] [port-string]
Syntax Description
auth-config (Optional) Displays 802.1X authentication parameters.
auth-diag (Optional) Displays authentication diagnostics information.
This example shows how to display authentication diagnostics information for fe.1.1:
A2(rw)->show dot1x auth-diag fe.1.
This example shows how to display the status of port reauthentication control for fe.1.1 through fe.1.6:
A2(rw)->show dot1x port reauth fe.1.
10.3.2.2 show dot1x auth-config
Use this command to display 802.1X authentication configuration settings for one or more ports.
show dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Syntax Description
authcontrolled-portcontrol (Optional) Displays the current value of the controlled Port control parameter for the port.
Command Defaults
• If no parameters are specified, all 802.1X settings will be displayed.
• If port-string is not specified, information for all ports will be displayed.
Examples
This example shows how to display the EAPOL port control mode for fe.1.1:
A2(rw)->show dot1x auth-config authcontrolled-portcontrol fe.1.1
Port 1: Auth controlled port control: Auto
This example shows how to display the 802.1X quiet period settings for fe.1.
10.3.2.3 set dot1x
Use this command to enable or disable 802.1X authentication, to reauthenticate one or more access entities, or to reinitialize one or more supplicants. Disabling 802.1X authentication globally, by not entering a specific port-string value, will enable the EAP pass-through feature. EAP pass-through allows client authentication packets to be forwarded unmodified through the SecureStack switch to an upstream device.
10.3.2.4 set dot1x auth-config
Use this command to configure 802.1X authentication.
set dot1x auth-config {[maxreq value] [quietperiod value] [reauthenabled {false | true}] [reauthperiod value] [servertimeout timeout] [supptimeout timeout] [txperiod value]} [port-string]
Syntax Description
maxreq value Specifies the maximum number of authentication requests allowed by the backend authentication state machine.
Command Defaults If port-string is not specified, authentication parameters will be set on all ports.
Examples
This example shows how to enable reauthentication control on ports fe.1.1-3:
A2(rw)->set dot1x auth-config reauthenabled true fe.1.1-3
This example shows how to set the 802.1X quiet period to 120 seconds on ports fe.1.1-3:
A2(rw)->set dot1x auth-config quietperiod 120 fe.1.
10.3.2.5 clear dot1x auth-config
Use this command to reset 802.1X authentication parameters to default values on one or more ports.
clear dot1x auth-config [authcontrolled-portcontrol] [maxreq] [quietperiod] [reauthenabled] [reauthperiod] [servertimeout] [supptimeout] [txperiod] [port-string]
Syntax Description
authcontrolled-portcontrol (Optional) Resets the 802.1X port control mode to auto.
This example shows how to reset reauthentication control to disabled on ports fe.1.1-3:
A2(rw)->clear dot1x auth-config reauthenabled fe.1.1-3
This example shows how to reset the 802.1X quiet period to 60 seconds on ports fe.1.1-3:
A2(rw)->clear dot1x auth-config quietperiod fe.1.
10.3.2.6 show eapol
Use this command to display EAPOL status or settings for one or more ports.
show eapol [port-string]
Syntax Description
port-string (Optional) Displays EAPOL status for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Only.
Command Defaults If port-string is not specified, only EAPOL enable status will be displayed.
Table 10-2 show eapol Output Details (Continued)
Output | What It Displays...
Authentication State | Current EAPOL authentication state for each port. Possible internal states for the authenticator (switch) are:
• initialized: A port is in the initialize state when: a. authentication is disabled, b. authentication is enabled and the port is not linked, or c. authentication is enabled and the port is linked.
Authentication Mode | Mode enabling network access for each port. Modes include:
• Auto: Frames are forwarded according to the authentication state of each port.
• Forced Authorized Mode: Meant to disable authentication on a port. It is intended for ports that support ISLs and devices that cannot authenticate, such as printers and file servers.
10.3.2.7 set eapol
Use this command to enable or disable EAPOL port-based user authentication with the RADIUS server and to set the authentication mode for one or more ports.
set eapol [enable | disable] [auth-mode {auto | forced-auth | forced-unauth} port-string]
Syntax Description
enable | disable Enables or disables EAPOL.
auth-mode Specifies the authentication mode as:
• auto - Auto authorization mode.
10.3.2.8 clear eapol
Use this command to globally clear the EAPOL authentication mode, or to clear settings for one or more ports.
clear eapol [auth-mode] [port-string]
Syntax Description
auth-mode (Optional) Globally clears the EAPOL authentication mode.
port-string (Optional) Specifies the port(s) on which to clear EAPOL parameters. For a detailed description of possible port-string values, refer to Section 3.1.1.
10.3.3 Configuring MAC Authentication
Purpose
To review, disable, enable, and configure MAC authentication. This feature allows the switch to authenticate source MAC addresses in an exchange with an authentication server. The authenticator (switch) takes the source MAC seen on a MAC-authentication enabled port and submits it to a backend client for authentication.
• set macauthentication portquietperiod (Section 10.3.3.15)
• clear macauthentication portquietperiod (Section 10.3.3.
10.3.3.1 show macauthentication
Use this command to display MAC authentication information for one or more ports.
show macauthentication [port-string]
Syntax Description
port-string (Optional) Displays MAC authentication information for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Only.
Table 10-3 show macauthentication Output Details
Output | What It Displays...
MAC authentication | Whether MAC authentication is globally enabled or disabled. Set using the set macauthentication command as described in Section 10.3.3.3.
MAC user password | User password associated with MAC authentication on the switch. Set using the set macauthentication password command as described in Section 10.3.3.4.
10.3.3.2 show macauthentication session
Use this command to display the active MAC authenticated sessions.
show macauthentication session
Syntax Description None.
Command Mode Read-Only.
Command Defaults If port-string is not specified, MAC session information will be displayed for all MAC authentication ports.
10.3.3.3 set macauthentication
Use this command to globally enable or disable MAC authentication.
set macauthentication {enable | disable}
Syntax Description
enable | disable Globally enables or disables MAC authentication.
Command Mode Read-Write.
Command Defaults None.
10.3.3.4 set macauthentication password
Use this command to set a MAC authentication password.
set macauthentication password password
Syntax Description
password Specifies a text string MAC authentication password.
Command Mode Read-Write.
Command Defaults None.
10.3.3.5 clear macauthentication password
Use this command to clear the MAC authentication password.
clear macauthentication password
Syntax Description None.
Command Mode Read-Write.
Command Defaults None.
10.3.3.6 set macauthentication port
Use this command to enable or disable one or more ports for MAC authentication.
set macauthentication port {enable | disable} port-string
NOTE: Enabling port(s) for MAC authentication requires globally enabling MAC authentication on the switch as described in Section 10.3.3.3, and then enabling it on a port-by-port basis. By default, MAC authentication is globally disabled and disabled on all ports.
10.3.3.7 clear macauthentication authallocated
Use this command to clear the number of MAC authentication sessions allowed for one or more ports.
clear macauthentication authallocated [port-string]
Syntax Description
port-string (Optional) Clears the number of authentication sessions allowed for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Write.
10.3.3.8 set macauthentication portinitialize
Use this command to force one or more MAC authentication ports to re-initialize and remove any currently active sessions on those ports.
set macauthentication portinitialize port-string
Syntax Description
port-string Specifies the MAC authentication port(s) to re-initialize. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Write.
10.3.3.9 set macauthentication macinitialize
Use this command to force a current MAC authentication session to re-initialize and remove the session.
set macauthentication macinitialize mac_addr
Syntax Description
mac_addr Specifies the MAC address of the session to re-initialize.
Command Mode Read-Write.
Command Defaults None.
10.3.3.10 set macauthentication reauthentication
Use this command to enable or disable reauthentication of all currently authenticated MAC addresses on one or more ports.
set macauthentication reauthentication {enable | disable} port-string
Syntax Description
enable | disable Enables or disables MAC reauthentication.
port-string Specifies port(s) on which to enable or disable MAC reauthentication.
10.3.3.11 set macauthentication portreauthenticate
Use this command to force an immediate reauthentication of the currently active sessions on one or more MAC authentication ports.
set macauthentication portreauthenticate port-string
Syntax Description
port-string Specifies MAC authentication port(s) to be reauthenticated. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Write.
10.3.3.12 set macauthentication macreauthenticate
Use this command to force an immediate reauthentication of a MAC address.
set macauthentication macreauthenticate mac_addr
Syntax Description
mac_addr Specifies the MAC address of the session to reauthenticate.
Command Mode Read-Write.
Command Defaults None.
10.3.3.13 set macauthentication reauthperiod
Use this command to set the MAC reauthentication period (in seconds). This is the time lapse between attempts to reauthenticate any current MAC address authenticated to a port.
set macauthentication reauthperiod time port-string
Syntax Description
time Specifies the number of seconds between reauthentication attempts. Valid values are 1 - 4294967295.
10.3.3.14 clear macauthentication reauthperiod
Use this command to clear the MAC reauthentication period on one or more ports.
clear macauthentication reauthperiod [port-string]
Syntax Description
port-string (Optional) Clears the MAC reauthentication period on specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Write.
10.3.3.15 set macauthentication portquietperiod
Use this command to set the number of seconds following a failed authentication before another attempt may be made on the port.
set macauthentication portquietperiod time [port-string]
Syntax Description
time Quiet period in seconds between authentication attempts.
port-string Specifies the port(s) on which to set the quiet period.
10.3.3.16 clear macauthentication portquietperiod
Use this command to reset the number of seconds following a failed authentication before another attempt may be made on the port to the default setting.
set macauthentication portquietperiod time [port-string]
Syntax Description
time Quiet period in seconds between authentication attempts.
port-string Specifies the port(s) on which to set the quiet period.
10.3.4 Configuring Multiple Authentication Methods
About Multiple Authentication
When enabled, multiple authentication allows users to authenticate using up to two methods on the same port. In order for multiple authentication to function on the device, each possible method of authentication (MAC authentication, 802.
10.3.4.1 show multiauth
Use this command to display multiple authentication system configuration.
show multiauth
Syntax Description None.
Command Mode Read-Only.
Command Defaults None.
10.3.4.2 set multiauth mode
Use this command to set the system authentication mode to allow multiple authentication modes simultaneously (802.1x and MAC Authentication) on a single port, or to strictly adhere to 802.1x authentication.
set multiauth mode {multi | strict}
Syntax Description
multi Allow the system to use multiple authentication modes simultaneously (802.1x and MAC Authentication) on a port.
10.3.4.3 clear multiauth mode
Use this command to clear the system authentication mode.
clear multiauth mode
Syntax Description None.
Command Mode Read-Write.
Command Defaults None.
10.3.4.4 set multiauth precedence
Use this command to set the system’s multiple authentication administrative precedence. When a user is successfully authenticated by more than one method at the same time, the precedence of the authentication methods will determine which RADIUS-returned attribute will be processed.
set multiauth precedence {[dot1x] [mac]}
Syntax Description
dot1x Sets precedence for 802.1X authentication.
10.3.4.5 clear multiauth precedence
Use this command to clear the system’s multiple authentication administrative precedence.
clear multiauth precedence
Syntax Description None.
Command Mode Read-Write.
Command Defaults None.
10.3.4.6 show multiauth port
Use this command to display multiple authentication properties for one or more ports.
show multiauth port [port-string]
Syntax Description
port-string (Optional) Displays multiple authentication information for specific port(s).
Command Mode Read-Only.
Command Defaults If port-string is not specified, multiple authentication information will be displayed for all ports.
10.3.4.7 set multiauth port
Use this command to set multiple authentication properties for one or more ports.
set multiauth port mode {auth-opt | auth-reqd | force-auth | force-unauth} | numusers numusers port-string
Syntax Description
mode auth-opt | auth-reqd | force-auth | force-unauth Specifies the port(s)’ multiple authentication mode as:
• auth-opt — Authentication optional (“non-strict” behavior).
10.3.4.8 clear multiauth port
Use this command to clear multiple authentication properties for one or more ports.
clear multiauth port {mode | numusers} port-string
Syntax Description
mode Clears the specified port’s multiple authentication mode.
numusers Clears the value set for the number of users allowed authentication on the specified port.
10.3.4.9 show multiauth station
Use this command to display multiple authentication station (end user) entries.
show multiauth station [mac address] [port port-string]
Syntax Description
mac address (Optional) Displays multiple authentication station entries for specific MAC address(es).
port port-string (Optional) Displays multiple authentication station entries for specific port(s).
Command Mode Read-Only.
10.3.5 Configuring VLAN Authorization (RFC 3580)
Purpose
Please see section 3-31 of RFC 3580 for details on configuring a RADIUS server to return the desired tunnel attributes. From RFC 3580, “... it may be desirable to allow a port to be placed into a particular Virtual LAN (VLAN), defined in [IEEE8021Q], based on the result of the authentication.
10.3.5.1 set vlanauthorization
Use this command to enable or disable the use of the RADIUS VLAN tunnel attribute to put a port into a particular VLAN based on the result of authentication.
10.3.5.2 set vlanauthorization egress
Use this command to control the modification of the current VLAN egress list of 802.1x authenticated ports for the VLAN(s) returned in the RADIUS authorization filter id string.
set vlanauthorization egress {none | tagged | untagged} port-string
Syntax Description
none No egress manipulation will be made.
10.3.5.3 clear vlanauthorization
Use this command to return port(s) to the default VLAN authorization configuration (disabled, egress untagged).
clear vlanauthorization [port-string]
Syntax Description
port-string (Optional) Specifies which ports are to be restored to default configuration. If no port string is entered, the action will be a global setting.
10.3.5.4 show vlanauthorization
This command displays the VLAN authorization status and configuration information for the specified ports.
show vlanauthorization [port-string]
Syntax Description
port-string (Optional) Displays VLAN authorization status for the specified ports. For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Mode Read-Only.
Table 10-5 show vlanauthorization Output Details (Continued)
Output | What It Displays...
operational egress | If authentication has succeeded, displays the VLAN ID assigned for egress.
vlan id | If authentication has succeeded, displays the assigned VLAN ID for ingress.
10.3.6 Configuring MAC Locking
Purpose
To review, disable, enable and configure MAC locking. This feature locks a MAC address to one or more ports, preventing connection of unauthorized devices through the port(s). When source MAC addresses are received on specified ports, the switch discards all subsequent frames not containing the configured source addresses.
10.3.6.1 show maclock
Use this command to display the status of MAC locking on one or more ports.
show maclock [port-string]
Syntax Description
port-string (Optional) Displays MAC locking status for specified port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults If port-string is not specified, MAC locking status will be displayed for all ports.
Command Mode Read-Only.
Table 10-6 show maclock Output Details
Output | What It Displays...
Port Number | Port designation. For a detailed description of possible port-string values, refer to Section 3.1.1.
Port Status | Whether MAC locking is enabled or disabled on the port. MAC locking is globally disabled by default. For details on using set maclock to enable it on the device and on one or more ports, refer to Section 10.3.6.3.
10.3.6.2 show maclock stations
Use this command to display MAC locking information about end stations connected to the device.
show maclock stations [port-string]
Syntax Description
port-string (Optional) Displays end station information for specified port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Table 10-7 show maclock stations Output Details
Output | What It Displays...
Port Number | Port designation. For a detailed description of possible port-string values, refer to Section 3.1.1.
MAC Address | MAC address of the end station(s) locked to the port.
Status | Whether the end stations are active or inactive.
State | Whether the end station locked to the port is a first learned or first arrival connection.
10.3.6.3 set maclock enable
Use this command to enable MAC locking globally on the switch, and then on a port by port basis. Both must be done for MAC locking to function. When enabled and configured for a specific MAC address and port string, this locks a port so that only one end station address is allowed to communicate on the port.
10.3.6.4 set maclock disable
Use this command to disable MAC locking globally on the switch, or on one or more ports.
set maclock disable [port-string]
Syntax Description
port-string (Optional) Disables MAC locking on specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.
Command Defaults If port-string is not specified, MAC locking will be disabled on the switch.
Command Mode Read-Write.
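MAC authentication (Section 10.3.3.6) and MAC locking (Section 10.3.6.3) both take effect only when enabled globally and on the port, so a change script can be checked for ports enabled without the global switch. The Python below is an added example, not Enterasys code: it replays a list of commands and reports such ports, plus ports placed in forced-auth mode with set eapol. It assumes set maclock enable [port-string] mirrors the set maclock disable syntax and handles only the port-string forms fe.1.1 and fe.1.1-3; the sample commands are constructed.

```python
import re

# Only the port-string forms that appear in this section: "fe.1.1" and "fe.1.1-3".
PORT_RE = re.compile(r"^([a-z]+)\.(\d+)\.(\d+)(?:-(\d+))?$")

# Constructed sample: commands as they would be typed at the A2(rw)-> prompt.
SAMPLE = """\
A2(rw)->set macauthentication port enable fe.1.1-3
A2(rw)->set maclock enable
A2(rw)->set maclock enable fe.1.1-2
A2(rw)->set maclock disable fe.1.2
A2(rw)->set eapol enable
A2(rw)->set eapol auth-mode forced-auth fe.1.4
"""


def expand_ports(port_string):
    """Expand 'fe.1.1-3' into ['fe.1.1', 'fe.1.2', 'fe.1.3']."""
    m = PORT_RE.match(port_string)
    if not m:
        raise ValueError(f"unsupported port-string: {port_string!r}")
    kind, unit, first = m.group(1), m.group(2), int(m.group(3))
    last = int(m.group(4)) if m.group(4) else first
    if last < first:
        raise ValueError(f"descending port range: {port_string!r}")
    return [f"{kind}.{unit}.{n}" for n in range(first, last + 1)]


def _port_key(port):
    """Sort fe.1.2 before fe.1.10 (numeric, not lexical)."""
    kind, unit, num = port.split(".")
    return (kind, int(unit), int(num))


def _toggle(port_set, enable, ports):
    if enable:
        port_set.update(ports)
    else:
        port_set.difference_update(ports)


def audit(command_text):
    """Replay 'set' commands in order and return findings per check."""
    global_on = {"macauthentication": False, "maclock": False}  # page defaults
    port_on = {"macauthentication": set(), "maclock": set()}
    forced_auth = set()

    for raw in command_text.splitlines():
        line = raw.split("->", 1)[-1].strip()   # drop the CLI prompt if present
        tok = line.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        feature, rest = tok[1], tok[2:]

        if feature == "macauthentication":
            # set macauthentication {enable | disable}
            if len(rest) == 1 and rest[0] in ("enable", "disable"):
                global_on[feature] = rest[0] == "enable"
            # set macauthentication port {enable | disable} port-string
            elif len(rest) == 3 and rest[0] == "port" and rest[1] in ("enable", "disable"):
                _toggle(port_on[feature], rest[1] == "enable", expand_ports(rest[2]))
        elif feature == "maclock" and rest[0] in ("enable", "disable"):
            # set maclock disable [port-string]; the enable form is assumed symmetrical
            if len(rest) == 1:
                global_on[feature] = rest[0] == "enable"
            elif len(rest) == 2:
                _toggle(port_on[feature], rest[0] == "enable", expand_ports(rest[1]))
        elif feature == "eapol" and "auth-mode" in rest:
            # set eapol [enable | disable] [auth-mode {...} port-string]
            i = rest.index("auth-mode")
            if len(rest) >= i + 3:
                _toggle(forced_auth, rest[i + 1] == "forced-auth", expand_ports(rest[i + 2]))

    findings = {}
    for feature, enabled in global_on.items():
        # Port-level enable has no effect while the global setting is off.
        orphaned = [] if enabled else sorted(port_on[feature], key=_port_key)
        findings[f"{feature}_port_without_global"] = orphaned
    # Forced-auth ports pass traffic without 802.1X authentication; list for review.
    findings["eapol_forced_auth"] = sorted(forced_auth, key=_port_key)
    return findings


if __name__ == "__main__":
    for check, found in audit(SAMPLE).items():
        print(f"{check}: {', '.join(found) or 'none'}")
```

The audit tracks only what the command list itself sets; it does not read the running configuration from the switch.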
10.3.6.5 set maclock

Use this command to create a static MAC address and enable or disable MAC locking for the specified MAC address and port. When created and enabled, the specified MAC address is the only MAC that will be permitted to communicate on the port.
10.3.6.6 clear maclock

Use this command to remove a static maclock MAC address entry. The MAC address that is cleared will no longer be able to communicate on the port unless the first arrival limit has been set to a value greater than 0 and this limit has not yet been met.
10.3.6.7 set maclock static

Use this command to set the maximum number of static MAC addresses allowed per port. Static MACs are administratively defined.

set maclock static port-string value

Syntax Description
port-string    Specifies the port on which to set the maximum number of static MACs allowed. For a detailed description of possible port-string values, refer to Section 3.1.1.
10.3.6.8 clear maclock static

Use this command to reset the number of static MAC addresses allowed per port to the default value of 20.

clear maclock static port-string

Syntax Description
port-string    Specifies the port on which to reset the number of static MAC addresses allowed. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Mode
Read-Write.
10.3.6.9 set maclock firstarrival

Use this command to restrict MAC locking on a port to a maximum number of end station addresses first connected to that port. The maclock first arrival count resets when the link goes down.
10.3.6.10 clear maclock firstarrival

Use this command to reset the number of first arrival MAC addresses allowed per port to the default value of 600.

clear maclock firstarrival port-string

Syntax Description
port-string    Specifies the port on which to reset the first arrival value. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Mode
Read-Write.
10.3.6.11 set maclock move

Use this command to move all current first arrival MACs to static entries. If there are more first arrival MACs than the allowed maximum static MACs, then only the latest first arrival MACs will be used.
10.3.6.12 set maclock trap

Use this command to enable or disable MAC lock trap messaging. When enabled, this feature authorizes the switch to send an SNMP trap message if an end station is connected that exceeds the maximum value configured using the set maclock firstarrival command. Violating MAC addresses are dropped from the switch’s routing table.
10.3.7 Configuring Secure Shell (SSH)

Purpose
To review, enable, disable, and configure the Secure Shell (SSH) protocol, which provides secure Telnet.

Commands
The commands used to review and configure SSH are listed below and described in the associated section as shown:
• show ssh status (Section 10.3.7.1)
• set ssh (Section 10.3.7.2)
• set ssh hostkey (Section 10.3.7.
10.3.7.1 show ssh status

Use this command to display the current status of SSH on the switch.

show ssh status

Syntax Description
None.

Command Mode
Read-Only.

Command Defaults
None.

Example
This example shows how to display SSH status on the switch:

A2(rw)->show ssh status
SSH Server status: Disabled.
10.3.7.2 set ssh

Use this command to enable, disable or reinitialize the SSH server on the device.

set ssh {enable | disable | reinitialize}

Syntax Description
enable | disable    Enables or disables SSH.
reinitialize        Reinitializes the SSH server.

Command Mode
Read-Write.

Command Defaults
None.
10.3.7.3 set ssh hostkey

Use this command to set or reinitialize new SSH authentication keys.

set ssh hostkey [reinitialize]

Syntax Description
reinitialize    (Optional) Reinitializes the server host authentication keys.

Command Mode
Read-Write.

Command Defaults
If reinitialize is not specified, the user must supply SSH authentication key values.
11 Logging and Network Management

This chapter describes switch-related logging and network management commands and how to use them.

11.1 PROCESS OVERVIEW: NETWORK MANAGEMENT

Switch-related network management tasks include the following:
• Configuring System Logging (Section 11.2.1)
• Monitoring Network Events and Status (Section 11.2.2)
• Managing Network Addresses and Routes (Section 11.2.3)
• Configuring SNTP (Section 11.2.4)
• Configuring Node Aliases (Section 11.2.
11.2 LOGGING AND NETWORK MANAGEMENT COMMAND SET

11.2.1 Configuring System Logging

Purpose
To display and configure system logging, including Syslog server settings, logging severity levels for various applications, Syslog default settings, and the logging buffer.

Commands
Commands to configure system logging are listed below and described in the associated section as shown.
• show logging server (Section 11.2.1.
11.2.1.1 show logging server

Use this command to display the Syslog configuration for a particular server.

show logging server [index]

Syntax Description
index    (Optional) Displays Syslog information pertaining to a specific server table entry. Valid values are 1-8.

Command Defaults
If index is not specified, all Syslog server information will be displayed.

Command Type
Switch command.

Command Mode
Read-Only.
11.2.1.2 set logging server

Use this command to configure a Syslog server.

set logging server index [ip-addr ip-addr] [facility facility] [severity severity] [descr descr] [port port] [state {enable | disable}]

Syntax Description
index              Specifies the server table index number for this server. Valid values are 1 - 8.
ip-addr ip-addr    (Optional) Specifies the Syslog message server’s IP address.
Command Defaults
• If ip-addr is not specified, an entry in the Syslog server table will be created with the specified index number and the system loopback address, 127.0.0.1, will be used.
• If not specified, facility, severity and port will be set to defaults configured with the set logging default command (Section 11.2.1.5).
• If state is not specified, the server will not be enabled or disabled.

Command Type
Switch command.
11.2.1.3 clear logging server

Use this command to remove a server from the Syslog server table.

clear logging server index

Syntax Description
index    Specifies the server table index number for the server to be removed. Valid values are 1 - 8.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Write.
11.2.1.4 show logging default

Use this command to display the Syslog server default values.

show logging default

Syntax Description
None.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Only.

Example
This command shows how to display the Syslog server default values.
11.2.1.5 set logging default

Use this command to set logging default values.

set logging default {[facility facility] [severity severity] [port port]}

Syntax Description
facility facility    Specifies the default facility name. Valid values are: local0 to local7.
severity severity    Specifies the default logging severity level. Valid severity values range from 1 to 8.
11.2.1.6 clear logging default

Use this command to reset logging default values.

clear logging default {[facility] [severity] [port]}

Syntax Description
facility    (Optional) Resets the default facility name to local4.
severity    (Optional) Resets the default logging severity level to 6 (notifications of significant conditions).
port        (Optional) Resets the default UDP port the client uses to send to the server to 514.
11.2.1.7 show logging local

Use this command to display the state of message logging to the console and a persistent file.

show logging local

Syntax Description
None.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Only.

Example
This example shows how to display the state of message logging. In this case, logging to the console is enabled and logging to a persistent file is disabled.
11.2.1.8 set logging local

Use this command to configure log messages to the console and a persistent file.

set logging local console {enable | disable} file {enable | disable}

Syntax Description
console enable | disable    Enables or disables logging to the console.
file enable | disable       Enables or disables logging to a persistent file.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Write.
11.2.1.9 clear logging local

Use this command to clear the console and persistent store logging for the local session.

clear logging local

Syntax Description
None.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Write.
11.2.1.10 show logging buffer

Use this command to display the last 256 messages logged.

show logging buffer

Syntax Description
None.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Only.

Example
This example shows a portion of the information displayed with the show logging buffer command:

A2(rw)->show logging buffer
<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.
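The buffer line above carries a standard syslog PRI value: 165 is facility 20 (local4, the default facility named in Section 11.2.1.6) times 8 plus RFC 3164 severity 5. The following Python parser is an added example, not Enterasys code; it decodes such lines and reports CLI logins from outside an allowed management range. The mapping of RFC severity to the switch's 1 to 8 scale (severity + 1), the function names and all sample lines except the first are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 3164 severity names, indexed by the low three bits of the PRI value.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Shape of the buffer line shown in the guide: <PRI>Mmm d hh:mm:ss host APP[n]message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<app>\w+)\[(?P<inst>\d+)\]"
    r"(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"User:\s*(?P<user>\S+) logged in from (?P<src>\S+)")


def decode_pri(pri: int) -> Tuple[str, str, int]:
    """Split PRI into (facility name, RFC severity name, switch severity level)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside 0..191")
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    # Assumption: the switch's 1-8 scale is RFC severity + 1, which is consistent
    # with the guide's default of 6 = "notifications of significant conditions".
    return name, SEVERITIES[severity], severity + 1


@dataclass
class Record:
    facility: str
    severity: str
    switch_level: int
    timestamp: str
    host: str
    app: str
    message: str
    login_user: Optional[str] = None
    login_source: Optional[str] = None   # None when the address does not parse


def parse_line(line: str) -> Optional[Record]:
    """Parse one buffer line; return None if it is not a well-formed entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        facility, severity, level = decode_pri(int(m["pri"]))
    except ValueError:
        return None
    rec = Record(facility, severity, level, m["ts"], m["host"], m["app"],
                 m["msg"].strip())
    login = LOGIN_RE.search(rec.message) if rec.app == "CLI" else None
    if login:
        rec.login_user = login["user"]
        try:
            rec.login_source = str(ipaddress.ip_address(login["src"]))
        except ValueError:
            rec.login_source = None      # truncated or malformed address
    return rec


def logins_outside(lines: Iterable[str], allowed_nets: Iterable[str]) -> List[Record]:
    """Return CLI login records whose source is unparsable or not in allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.login_user is None:
            continue
        if rec.login_source is None:
            hits.append(rec)             # fail closed: cannot prove it is allowed
        elif not any(ipaddress.ip_address(rec.login_source) in n for n in nets):
            hits.append(rec)
    return hits


SAMPLE_BUFFER = [
    # Line as printed in the guide (the source address is cut off there).
    "<165>Sep 4 07:43:09 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.",
    # Constructed lines for illustration only.
    "<165>Sep 4 07:44:10 10.42.71.13 CLI[5]User:rw logged in from 10.2.1.122",
    "<165>Sep 4 07:51:40 10.42.71.13 CLI[5]User:admin logged in from 192.0.2.77",
    "<164>Sep 4 07:52:02 10.42.71.13 SNTP[2]no response from server",
    "<999>Sep 4 07:53:00 10.42.71.13 CLI[5]PRI out of range",
]

if __name__ == "__main__":
    for hit in logins_outside(SAMPLE_BUFFER, ["10.2.1.0/24"]):
        print(hit.timestamp, hit.host, hit.login_user, hit.login_source)
```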
11.2.2 Monitoring Network Events and Status

Purpose
To display switch events and command history, to set the size of the history buffer, and to display and disconnect current user sessions.

Commands
Commands to monitor switch network events and status are listed below and described in the associated section as shown.
• history (Section 11.2.2.1)
• show history (Section 11.2.2.2)
• set history (Section 11.2.2.
11.2.2.1 history

Use this command to display the contents of the command history buffer. The command history buffer includes all the switch commands entered up to a maximum of 100, as specified in the set history command (Section 11.2.2.3).

history

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to display the contents of the command history buffer.
11.2.2.2 show history

Use this command to display the size (in lines) of the history buffer.

show history

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
11.2.2.3 set history

Use this command to set the size of the history buffer.

set history size [default]

Syntax Description
size       Specifies the size of the history buffer in lines. Valid values are 1 to 100.
default    (Optional) Makes this setting persistent for all future sessions.

Command Defaults
None.

Command Mode
Read-Write.
11.2.2.4 ping

Use this command to send ICMP echo-request packets to another node on the network from the switch CLI.

ping host

Syntax Description
host    Specifies the IP address of the device to which the ping will be sent.

Command Defaults
None.

Command Mode
Read-Write.

Examples
This example shows how to ping IP address 134.141.89.29. In this case, this host is alive:

A2(rw)->ping 134.141.89.29
134.141.89.
11.2.2.5 show users

Use this command to display information about the active console port or Telnet session(s) logged in to the switch.

show users

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to use the show users command. In this output, there are two Telnet users logged in with Read-Write access privileges from IP addresses 134.141.192.119 and 134.141.192.
11.2.2.6 disconnect

Use this command to close an active console port or Telnet session from the switch CLI.

disconnect {ip-addr | console}

Syntax Description
ip-addr    Specifies the IP address of the Telnet session to be disconnected. This address is displayed in the output shown in Section 11.2.2.5.
console    Closes an active console port.

Command Defaults
None.

Command Mode
Read-Write.
11.2.3 Managing Switch Network Addresses and Routes

Purpose
To display or delete switch ARP table entries, and to display MAC address information.

Commands
Commands to manage switch network addresses and routes are listed below and described in the associated section as shown.
• show arp (Section 11.2.3.1)
• clear arp (Section 11.2.3.2)
• show mac (Section 11.2.3.3)
• show mac agetime (Section 11.2.3.
11.2.3.1 show arp

Use this command to display the switch’s ARP table.

show arp

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.

Example
This example shows how to display the ARP table:

A2(rw)->show arp
LINK LEVEL ARP TABLE
IP Address       Phys Address       Flags   Interface
-----------------------------------------------------
10.20.1.1        00-00-5e-00-01-1   S       host
134.142.21.194   00-00-5e-00-01-1   S       host
134.142.
11.2.3.2 clear arp

Use this command to delete a specific entry or all entries from the switch’s ARP table.

clear arp {ip | all}

Syntax Description
ip | all    Specifies the IP address in the ARP table to be cleared, or clears all ARP entries.

Command Defaults
None.

Command Mode
Read-Write.

Example
This example shows how to delete entry 10.1.10.10 from the ARP table:

A2(rw)->clear arp 10.1.10.
11.2.3.3 show mac

Use this command to display MAC addresses in the switch’s filtering database. These are addresses learned on a port through the switching process.

show mac [address mac-address] [fid fid] [port port-string] [type {other | invalid | learned | self | mgmt}]

Syntax Description
address mac-address    (Optional) Displays a specific MAC address (if it is known by the device).
Example
This example shows how to display MAC address information for fe.2.4:

A2(rw)->show mac port fe.2.
11.2.3.4 show mac agetime

Use this command to display the timeout period for aging learned MAC entries.

show mac agetime

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
11.2.4 Configuring Simple Network Time Protocol (SNTP)

Purpose
To configure the Simple Network Time Protocol (SNTP), which synchronizes device clocks in a network.

Commands
Commands to configure SNTP are listed below and described in the associated section as shown.
• show sntp (Section 11.2.4.1)
• set sntp client (Section 11.2.4.2)
• clear sntp client (Section 11.2.4.3)
• set sntp server (Section 11.2.4.
11.2.4.1 show sntp

Use this command to display SNTP client settings.

show sntp

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Only.
Table 11-3 show sntp Output Details

Output             What It Displays...
SNTP Version       SNTP version number.
Current Time       Current time on the system clock.
Timezone           Time zone name and amount it is offset from UTC (Universal Time).
Client Mode        Whether SNTP client is operating in unicast or broadcast mode. Set using set sntp client command (Section 11.2.4.2).
Broadcast Count    Number of SNTP broadcast frames received.
11.2.4.2 set sntp client

Use this command to set the SNTP operation mode.

set sntp client {broadcast | unicast | disable}

Syntax Description
broadcast    Enables SNTP in broadcast client mode.
unicast      Enables SNTP in unicast (point-to-point) client mode. In this mode, the client must supply the IP address from which to retrieve the current time.
disable      Disables SNTP.

Command Defaults
None.
11.2.4.3 clear sntp client

Use this command to clear the SNTP client’s operational mode.

clear sntp client

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
11.2.4.4 set sntp server

Use this command to add a server from which the SNTP client will retrieve the current time when operating in unicast mode. Up to 10 servers can be set as SNTP servers.

set sntp server ip-address [precedence]

Syntax Description
ip-address    Specifies the SNTP server’s IP address.
precedence    (Optional) Specifies this SNTP server’s precedence in relation to its peers.
11.2.4.5 clear sntp server

Use this command to remove one or all servers from the SNTP server list.

clear sntp server {ip-address | all}

Syntax Description
ip-address    Specifies the IP address of a server to remove from the SNTP server list.
all           Removes all servers from the SNTP server list.

Command Defaults
None.

Command Mode
Read-Write.

Example
This example shows how to remove the server at IP address 10.21.1.
11.2.4.6 set sntp poll-interval

Use this command to set the poll interval between SNTP unicast requests.

set sntp poll-interval interval

Syntax Description
interval    Specifies the poll interval in seconds. Valid values are 16 to 16284.

Command Defaults
None.

Command Mode
Read-Write.
11.2.4.7 clear sntp poll-interval

Use this command to clear the poll interval between unicast SNTP requests.

clear sntp poll-interval

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
11.2.4.8 set sntp poll-retry

Use this command to set the number of poll retries to a unicast SNTP server.

set sntp poll-retry retry

Syntax Description
retry    Specifies the number of retries. Valid values are 0 to 10.

Command Defaults
None.

Command Mode
Read-Write.
11.2.4.9 clear sntp poll-retry

Use this command to clear the number of poll retries to a unicast SNTP server.

clear sntp poll-retry

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
11.2.4.10 set sntp poll-timeout

Use this command to set the poll timeout (in seconds) for a response to a unicast SNTP request.

set sntp poll-timeout timeout

Syntax Description
timeout    Specifies the poll timeout in seconds. Valid values are 1 to 30.

Command Defaults
None.

Command Mode
Read-Write.
11.2.4.11 clear sntp poll-timeout

Use this command to clear the SNTP poll timeout.

clear sntp poll-timeout

Syntax Description
None.

Command Defaults
None.

Command Mode
Read-Write.
11.2.5 Configuring Node Aliases

Purpose
To review, configure, disable, and re-enable node (port) alias functionality, which determines what network protocols are running on one or more ports.

Commands
Commands to configure node aliases are listed below and described in the associated section as shown.
• show nodealias config (Section 11.2.5.1)
• set nodealias (Section 11.2.5.2)
• clear nodealias config (Section 11.2.5.
11.2.5.1 show nodealias config

Use this command to display node alias properties for one or more ports.

show nodealias config [port-string]

Syntax Description
port-string    (Optional) Displays node alias properties for specific port(s). For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
If port-string is not specified, node alias properties will be displayed for all ports.
11.2.5.2 set nodealias

Use this command to enable or disable a node alias agent on one or more ports, or set the maximum number of alias entries per port. Upon packet reception, node aliases are dynamically assigned to ports enabled with an alias agent, which is the default setting on SecureStack A2 devices. Node aliases cannot be statically created, but can be deleted using the clear nodealias config command as described in Section 11.
11.2.5.3 clear nodealias config

Use this command to reset node alias state to enabled.

clear nodealias config port-string

Syntax Description
port-string    Specifies the port(s) on which to reset the node alias configuration. For a detailed description of possible port-string values, refer to Section 3.1.1.

Command Defaults
None.

Command Type
Switch command.

Command Mode
Read-Write.
12 Configuring RMON

RMON (Remote Network Monitoring) provides comprehensive network fault diagnosis, planning, and performance tuning information, and allows for interoperability between SNMP management stations and monitoring agents. RMON extends the SNMP MIB capability by defining additional MIBs that generate a much richer set of data about network usage. These MIB “groups” each gather specific sets of data to meet common network monitoring requirements.

12.
Table 12-1 RMON Monitoring Group Functions and Commands (Continued)

RMON Group           Alarm
What It Does...      Periodically gathers statistical samples from variables in the probe and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an event is generated.
What It Monitors...  Alarm type, interval, starting threshold, stop threshold.
CLI Command(s)       show rmon alarm (Section 12.2.3.

RMON Group           Event
12.2 RMON COMMAND SET

12.2.1 Statistics Group Commands

Purpose
To display, configure, and clear RMON statistics.

Commands
• show rmon stats (Section 12.2.1.1)
• set rmon stats (Section 12.2.1.2)
• clear rmon stats (Section 12.2.1.
12.2.1.1 show rmon stats

Use this command to display RMON statistics measured for one or more ports.

show rmon stats [port-string]

Syntax Description
port-string    (Optional) Displays RMON statistics for specific port(s).

Command Defaults
If port-string is not specified, RMON stats will be displayed for all ports.

Command Mode
Read-Only.

Example
This example shows how to display RMON statistics for Fast Ethernet port 1 in switch 1:

A2(ro)->show rmon stats fe.
Table 12-2 show rmon stats Output Details

Output         What It Displays...
Port           Port designation.
Owner          Name of the entity that configured this entry. Monitor is default.
Data Source    Data source of the statistics being displayed.
Drop Events    Total number of times that the switch was forced to discard frames due to lack of available switch device resources.
Table 12-2 show rmon stats Output Details (Continued)

Output              What It Displays...
65 – 127 Octets     Total number of frames, including bad frames, received that were between 65 and 127 bytes in length (excluding framing bits, but including FCS bytes).
128 – 255 Octets    Total number of frames, including bad frames, received that were between 128 and 255 bytes in length (excluding framing bits, but including FCS bytes).
12.2.1.2 set rmon stats

Use this command to configure an RMON statistics entry.

set rmon stats index port-string [owner]

Syntax Description
index          Specifies an index for this statistics entry.
port-string    Specifies port(s) to which this entry will be assigned.
owner          (Optional) Assigns an owner for this entry.

Command Defaults
If owner is not specified, monitor will be applied.

Command Mode
Read-Write.
12.2.1.3 clear rmon stats

Use this command to delete one or more RMON statistics entries.

clear rmon stats {index-list | to-defaults}

Syntax Description
index-list     Specifies one or more stats entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults    Resets all history entries to default values. This will cause entries to reappear in RMON queries.

Command Defaults
None.

Command Mode
Read-Write.
12.2.2 History Group Commands

Purpose
To display, configure, and clear RMON history properties and statistics.

Commands
• show rmon history (Section 12.2.2.1)
• set rmon history (Section 12.2.2.2)
• clear rmon history (Section 12.2.2.
12.2.2.1 show rmon history

Use this command to display RMON history properties and statistics. The RMON history group records periodic statistical samples from a network.

show rmon history [port-string]

Syntax Description
port-string    (Optional) Displays RMON history entries for specific port(s).

Command Defaults
If port-string is not specified, information about all RMON history entries will be displayed.

Command Mode
Read-Only.
A2(ro)->show rmon history fe.1.1
Port: fe.1.1
------------------------------------
Index 1
Owner = monitor
Status = valid
Data Source = ifIndex.
12.2.2.2 set rmon history

Use this command to configure an RMON history entry.

set rmon history index [port-string] [buckets buckets] [interval interval] [owner owner]

Syntax Description
index-list           Specifies an index number for this entry.
port-string          (Optional) Assigns this entry to a specific port.
buckets buckets      (Optional) Specifies the maximum number of entries to maintain.
interval interval    (Optional) Specifies the sampling interval in seconds.
12.2.2.3 clear rmon history

Use this command to delete one or more RMON history entries or reset one or more entries to default values. For specific values, refer to Section 12.2.2.2.

clear rmon history {index-list | to-defaults}

Syntax Description
index-list     Specifies one or more history entries to be deleted, causing them to disappear from any future RMON queries.
to-defaults    Resets all history entries to default values.
12.2.3 Alarm Group Commands

Purpose
To display, configure, and clear RMON alarm entries and properties.

Commands
• show rmon alarm (Section 12.2.3.1)
• set rmon alarm properties (Section 12.2.3.2)
• set rmon alarm status (Section 12.2.3.3)
• clear rmon alarm (Section 12.2.3.
12.2.3.1 show rmon alarm

Use this command to display RMON alarm entries. The RMON alarm group periodically takes statistical samples from RMON variables and compares them with previously configured thresholds. If the monitored variable crosses a threshold, an RMON event is generated.

show rmon alarm [index]

Syntax Description
index    (Optional) Displays RMON alarm entries for a specific entry index ID.
Table 12-3 show rmon alarm Output Details (Continued)

Output           What It Displays...
Status           Whether this event entry is enabled (valid) or disabled.
Variable         MIB object to be monitored.
Sample Type      Whether the monitoring method is an absolute or a delta sampling.
Startup Alarm    Whether the alarm generated when this entry is first enabled is rising, falling, or either.
Interval         Interval in seconds at which RMON will conduct sample monitoring.
12.2.3.2 set rmon alarm properties

Use this command to configure an RMON alarm entry, or to create a new alarm entry with an unused alarm index number.

set rmon alarm properties index [interval interval] [object object] [type {absolute | delta}] [startup {rising | falling | either}] [rthresh rthresh] [fthresh fthresh] [revent revent] [fevent fevent] [owner owner]

Syntax Description
index    Specifies an index number for this entry. Maximum number of entries is 50.
fevent fevent    Specifies the index number of the RMON event to be triggered when the falling threshold is crossed.
owner owner      (Optional) Specifies the name of the entity that configured this alarm entry.

Command Defaults
• interval - 3600 seconds
• type - absolute
• startup - rising
• rthresh - 0
• fthresh - 0
• revent - 0
• fevent - 0
• owner - monitor

Command Mode
Read-Write.

Example
This example shows how to configure a rising RMON alarm.
12.2.3.3 set rmon alarm status

Use this command to enable an RMON alarm entry. An alarm is a notification that a statistical sample of a monitored variable has crossed a configured threshold.

set rmon alarm status index enable

NOTE: An RMON alarm entry can be created using this command, configured using the set rmon alarm properties command (Section 12.2.3.2), then enabled using this command.
12.2.3.4 clear rmon alarm

Use this command to delete an RMON alarm entry.

clear rmon alarm index

Syntax Description
index    Specifies the index number of the entry to be cleared.

Command Defaults
None.

Command Mode
Read-Write.
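The alarm group's threshold comparison, as an added example that is not Enterasys code: a Python model of the rising/falling hysteresis that RFC 2819 defines for RMON alarms, using the parameter names of set rmon alarm properties (type, startup, rthresh, fthresh, revent, fevent). It is assumed here that the switch follows the RFC; the class and function names and the 32-bit counter wrap in delta mode are also assumptions.

```python
from typing import Iterable, List, NamedTuple, Optional


class AlarmEvent(NamedTuple):
    direction: str     # "rising" or "falling"
    event_index: int   # revent or fevent, the RMON event entry to trigger
    value: int         # the compared value (absolute reading or delta)


class RmonAlarm:
    """One alarm entry; feed it one reading per sampling interval."""

    def __init__(self, sample_type: str = "absolute", startup: str = "rising",
                 rthresh: int = 0, fthresh: int = 0,
                 revent: int = 0, fevent: int = 0, counter_bits: int = 32):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("type must be absolute or delta")
        if startup not in ("rising", "falling", "either"):
            raise ValueError("startup must be rising, falling or either")
        if fthresh > rthresh:
            raise ValueError("fthresh must not exceed rthresh")
        self.sample_type, self.startup = sample_type, startup
        self.rthresh, self.fthresh = rthresh, fthresh
        self.revent, self.fevent = revent, fevent
        self._modulus = 2 ** counter_bits   # assumption: monitored object is a counter
        self._prev_raw: Optional[int] = None
        self.last_value: Optional[int] = None
        # After a rising event, rising stays disarmed until the value reaches
        # fthresh, and vice versa. This is what stops a value hovering around
        # one threshold from generating an event every interval.
        self._rising_armed = True
        self._falling_armed = True

    def sample(self, raw: int) -> Optional[AlarmEvent]:
        if self.sample_type == "delta":
            prev_raw, self._prev_raw = self._prev_raw, raw
            if prev_raw is None:
                return None                  # two readings are needed for a delta
            value = (raw - prev_raw) % self._modulus   # tolerate counter wrap
        else:
            value = raw
        prev, self.last_value = self.last_value, value
        first = prev is None
        event = None
        if value >= self.rthresh:
            # First compared sample: only the startup setting decides.
            crossed = (self.startup in ("rising", "either")) if first \
                else prev < self.rthresh
            if crossed and self._rising_armed:
                event = AlarmEvent("rising", self.revent, value)
                self._rising_armed = False
            self._falling_armed = True
        elif value <= self.fthresh:
            crossed = (self.startup in ("falling", "either")) if first \
                else prev > self.fthresh
            if crossed and self._falling_armed:
                event = AlarmEvent("falling", self.fevent, value)
                self._falling_armed = False
            self._rising_armed = True
        return event


def run(alarm: RmonAlarm, readings: Iterable[int]) -> List[Optional[str]]:
    """Return the event direction (or None) produced by each reading."""
    out = []
    for reading in readings:
        ev = alarm.sample(reading)
        out.append(ev.direction if ev else None)
    return out


if __name__ == "__main__":
    # Constructed readings: 110 re-crosses rthresh but is suppressed because
    # the value has not yet come down to fthresh since the last rising event.
    alarm = RmonAlarm("absolute", "rising", rthresh=100, fthresh=20, revent=1, fevent=2)
    print(run(alarm, [50, 120, 130, 90, 110, 15, 105]))
```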
12.2.4 Event Group Commands

Purpose
To display and clear RMON events, and to configure RMON event properties.

Commands
• show rmon event (Section 12.2.4.1)
• set rmon event properties (Section 12.2.4.2)
• set rmon event status (Section 12.2.4.3)
• clear rmon event (Section 12.2.4.
12.2.4.1 show rmon event

Use this command to display RMON event entry properties.

show rmon event [index]

Syntax Description
index    (Optional) Displays RMON properties and log entries for a specific entry index ID.

Command Defaults
If index is not specified, information about all RMON entries will be displayed.

Command Mode
Read-Only.
Table 12-4 show rmon event Output Details (Continued)

Output            What It Displays...
Community         SNMP community name if message type is set to trap.
Last Time Sent    When an event notification matching this entry was sent.
12.2.4.2 set rmon event properties

Use this command to configure an RMON event entry, or to create a new event entry with an unused event index number.

set rmon event properties index [description description] [type {none | log | trap | both}] [community community] [owner owner]

Syntax Description

index    Specifies an index number for this entry. Maximum number of entries is 100. Maximum value is 65535.
12.2.4.3 set rmon event status

Use this command to enable an RMON event entry. An event entry describes the parameters of an RMON event that can be triggered. Events can be fired by RMON alarms and can be configured to create a log entry, generate a trap, or both.

set rmon event status index enable

NOTE: An RMON event entry can be created using this command, configured using the set rmon event properties command (Section 12.2.4.2), then enabled using this command.
12.2.4.4 clear rmon event

Use this command to delete an RMON event entry and any associated log entries.

clear rmon event index

Syntax Description

index    Specifies the index number of the entry to be cleared.

Command Defaults

None.

Command Mode

Read-Write.
RMON Command Set Filter Group Commands

12.2.5 Filter Group Commands

The packet capture and filter function is disabled by default. When it is enabled, the SecureStack A2 switch will capture 100 frames as close to sequentially as possible. These 100 frames will be placed into a buffer for inspection. If there is data in the buffer when the function is started, the buffer will be overwritten. Once 100 frames have been captured, the capture will stop.
12.2.5.1 show rmon channel

Use this command to display RMON channel entries for one or more ports.

show rmon channel [port-string]

Syntax Description

port-string    (Optional) Displays RMON channel entries for a specific port(s).

Command Defaults

If port-string is not specified, information about all channels will be displayed.

Command Mode

Read-Only.

Example

This example shows how to display RMON channel information for fe.2.12:

A2(rw)->show rmon channel fe.2.
12.2.5.2 set rmon channel

Use this command to configure an RMON channel entry.

set rmon channel index port-string [accept {matched | failed}] [control {on | off}] [description description] [owner owner]

Syntax Description

index    Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 2. Maximum value is 65535.
Example

This example shows how to create an RMON channel entry:

A2(rw)->set rmon channel 54313 fe.2.
12.2.5.3 clear rmon channel

Use this command to clear an RMON channel entry.

clear rmon channel index

Syntax Description

index    Specifies the channel entry to be cleared.

Command Defaults

None.

Command Mode

Read-Write.
12.2.5.4 show rmon filter

Use this command to display one or more RMON filter entries.

show rmon filter [index index | channel channel]

Syntax Description

index index | channel channel    (Optional) Displays information about a specific filter entry, or about all filters which belong to a specific channel.

Command Defaults

If no options are specified, information for all filter entries will be displayed.

Command Mode

Read-Only.
12.2.5.5 set rmon filter

Use this command to configure an RMON filter entry.

set rmon filter index channel_index [offset offset] [status status] [smask smask] [snotmask snotmask] [data data] [dmask dmask] [dnotmask dnotmask] [owner owner]

Syntax Description

index    Specifies an index number for this entry. An entry will automatically be created if an unused index number is chosen. Maximum number of entries is 10. Maximum value is 65535.
Example

This example shows how to create RMON filter 1 and apply it to channel 9:

A2(rw)->set rmon filter 1 9 offset 30 data 0a154305 dmask ffffffff
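What the filter above selects, worked through in an added Python sketch (not from this guide or the switch firmware). It assumes the switch applies the RFC 2819 data/mask/not-mask rules with the offset counted from the start of the destination MAC address; the helper names and frames are constructed.

```python
import struct

def rmon_filter_match(frame, offset, data, dmask=None, dnotmask=None):
    """True if frame matches per RFC 2819 filterPktData / Mask / NotMask."""
    data = bytes.fromhex(data)
    # RFC 2819: a short mask is padded with 1 bits, a short not-mask with 0 bits
    dmask = bytes.fromhex(dmask or "").ljust(len(data), b"\xff")
    dnotmask = bytes.fromhex(dnotmask or "").ljust(len(data), b"\x00")
    window = frame[offset:offset + len(data)]
    if len(window) < len(data):
        return False                    # frame too short to hold the pattern
    need_diff = any(m & n for m, n in zip(dmask, dnotmask))
    saw_diff = False
    for p, d, m, n in zip(window, data, dmask, dnotmask):
        diff = (p ^ d) & m              # masked bits where frame and data differ
        if diff & ~n & 0xFF:
            return False                # a must-equal bit differs
        if diff & n:
            saw_diff = True             # a must-differ bit differs
    return saw_diff or not need_diff

def build_frame(dst_ip, vlan=None):
    """Constructed Ethernet + IPv4 header; MACs zeroed, source 192.0.2.1."""
    eth = bytes(12)                     # destination MAC + source MAC
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)   # 802.1Q tag adds 4 bytes
    eth += struct.pack("!H", 0x0800)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20) + bytes(4)
          + bytes([64, 6]) + bytes(2) + bytes([192, 0, 2, 1]) + bytes(dst_ip))
    return eth + ip

# The page's filter: offset 30, data 0a154305, dmask ffffffff.
PAGE_FILTER = dict(offset=30, data="0a154305", dmask="ffffffff")

if __name__ == "__main__":
    for label, frame in [("untagged 10.21.67.5", build_frame([10, 21, 67, 5])),
                         ("untagged 10.21.67.6", build_frame([10, 21, 67, 6])),
                         ("tagged   10.21.67.5", build_frame([10, 21, 67, 5], vlan=20))]:
        print(label, rmon_filter_match(frame, **PAGE_FILTER))
```

In an untagged frame, offset 30 is the IPv4 destination address and 0a154305 is 10.21.67.5; if a frame reaches the filter with an 802.1Q tag, the same address sits at offset 34 and this filter no longer matches it.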
12.2.5.6 clear rmon filter

Use this command to clear an RMON filter entry.

clear rmon filter {index index | channel channel}

Syntax Description

index index | channel channel    Clears a specific filter entry, or all entries belonging to a specific channel.

Command Defaults

None.

Command Mode

Read-Write.
RMON Command Set Packet Capture Commands

12.2.6 Packet Capture Commands

Note that packet capture filter is sampling only and does not guarantee receipt of back to back packets.

Purpose

To display RMON capture entries, configure, enable, or disable capture entries, and clear capture entries.

Commands

• show rmon capture (Section 12.2.6.1)
• set rmon capture (Section 12.2.6.2)
• clear rmon capture (Section 12.2.6.
12.2.6.1 show rmon capture

Use this command to display RMON capture entries and associated buffer control entries.

show rmon capture [index [nodata]]

Syntax Description

index    (Optional) Displays the specified buffer control entry and all captured packets associated with that entry.
nodata    (Optional) Displays only the buffer control entry specified by index.
12.2.6.2 set rmon capture

Use this command to configure an RMON capture entry.

set rmon capture index {channel [action {lock}] [slice slice] [loadsize loadsize] [offset offset] [asksize asksize] [owner owner]}

Syntax Description

index    Specifies a buffer control entry.
channel    Specifies the channel to which this capture entry will be applied.
Command Mode

Read-Write.
12.2.6.3 clear rmon capture

Use this command to clear an RMON capture entry.

clear rmon capture index

Syntax Description

index    Specifies the capture entry to be cleared.

Command Defaults

None.

Command Mode

Read-Write.