AT-S63 Command Line User's Guide

AT-S63 Management Software
Command Line Interface User’s Guide
AT-9400 Series Layer 2+ Gigabit Ethernet Switches
Version 2.0.0
613-50571-00 Rev. E
Copyright © 2006 Allied Telesyn, Inc.
All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc.
Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of
Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are
trademarks or registered trademarks of their respective owners.
Allied Telesyn, Inc. reserves the right to make changes in specifications and other information contained in this document without prior
written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesyn, Inc. be liable for any
incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this
manual or the information contained herein, even if Allied Telesyn, Inc. has been advised of, known, or should have known, the possibility
of such damages.
Contents
Preface ............................................................................................................................................................ 15
How This Guide is Organized........................................................................................................................... 16
Document Conventions .................................................................................................................................... 18
Where to Find Web-based Guides ................................................................................................................... 19
Contacting Allied Telesyn ................................................................................................................................. 20
Online Support ........................................................................................................................................... 20
Email and Telephone Support.................................................................................................................... 20
Returning Products .................................................................................................................................... 20
Sales or Corporate Information .................................................................................................................. 20
Management Software Updates................................................................................................................. 20
History of New Features ................................................................................................................................... 21
Version 2.0.0 .............................................................................................................................................. 21
Version 1.3.0 .............................................................................................................................................. 22
Version 1.2.0 .............................................................................................................................................. 23
Section I: Basic Operations ...................................................................................... 25
Chapter 1: Starting a Command Line Management Session .................................................................... 27
Starting a Command Line Management Session ............................................................................................. 28
Command Line Interface Features ................................................................................................................... 29
Command Formatting....................................................................................................................................... 30
Redundant Twisted Pair Ports.......................................................................................................................... 31
Chapter 2: Basic Command Line Commands ............................................................................................. 33
CLEAR SCREEN.............................................................................................................................................. 34
EXIT.................................................................................................................................................................. 35
HELP ................................................................................................................................................................ 36
LOGOFF, LOGOUT and QUIT ......................................................................................................................... 37
MENU ............................................................................................................................................................... 38
SAVE CONFIGURATION................................................................................................................................. 39
SET PROMPT .................................................................................................................................................. 40
SET SWITCH CONSOLEMODE ...................................................................................................................... 41
SHOW USER ................................................................................................................................................... 42
Chapter 3: Basic Switch Commands ........................................................................................................... 43
DISABLE TELNET............................................................................................................................................ 44
ENABLE TELNET............................................................................................................................................. 45
PING................................................................................................................................................................. 46
RESET SWITCH .............................................................................................................................................. 47
RESET SYSTEM.............................................................................................................................................. 48
RESTART REBOOT......................................................................................................................................... 49
RESTART SWITCH.......................................................................................................................................... 50
SET ASYN........................................................................................................................................................ 52
SET PASSWORD MANAGER ......................................................................................................................... 53
SET PASSWORD OPERATOR ....................................................................................................................... 54
SET SWITCH CONSOLETIMER...................................................................................................................... 55
3
SET SYSTEM ................................................................................................................................................... 56
SET TELNET INSERTNULL ............................................................................................................................. 57
SET USER PASSWORD .................................................................................................................................. 58
SHOW ASYN .................................................................................................................................................... 59
SHOW CONFIG DYNAMIC .............................................................................................................................. 60
SHOW CONFIG INFO ...................................................................................................................................... 63
SHOW SWITCH................................................................................................................................................ 64
SHOW SYSTEM ............................................................................................................................................... 67
Chapter 4: Enhanced Stacking Commands ................................................................................................. 69
ACCESS SWITCH ............................................................................................................................................ 70
SET SWITCH STACKMODE ............................................................................................................................ 72
SHOW REMOTELIST ....................................................................................................................................... 74
Chapter 5: Simple Network Time Protocol (SNTP) Commands .................................................................77
ADD SNTPSERVER PEER|IPADDRESS......................................................................................................... 78
DELETE SNTPSERVER PEER|IPADDRESS .................................................................................................. 79
DISABLE SNTP ................................................................................................................................................ 80
ENABLE SNTP ................................................................................................................................................. 81
PURGE SNTP................................................................................................................................................... 82
SET DATE ........................................................................................................................................................ 83
SET SNTP ........................................................................................................................................................ 84
SET TIME ......................................................................................................................................................... 85
SHOW SNTP .................................................................................................................................................... 86
SHOW TIME ..................................................................................................................................................... 88
Chapter 6: SNMPv2 and SNMPv2c Commands ........................................................................................... 89
ADD SNMP COMMUNITY ................................................................................................................................ 90
CREATE SNMP COMMUNITY ......................................................................................................................... 92
DELETE SNMP COMMUNITY.......................................................................................................................... 95
DESTROY SNMP COMMUNITY ...................................................................................................................... 97
DISABLE SNMP ............................................................................................................................................... 98
DISABLE SNMP AUTHENTICATETRAP ......................................................................................................... 99
DISABLE SNMP COMMUNITY ......................................................................................................................100
ENABLE SNMP ..............................................................................................................................................101
ENABLE SNMP AUTHENTICATETRAP ........................................................................................................102
ENABLE SNMP COMMUNITY .......................................................................................................................103
SET SNMP COMMUNITY ..............................................................................................................................104
SHOW SNMP .................................................................................................................................................106
Chapter 7: Port Parameter Commands ......................................................................................................109
ACTIVATE SWITCH PORT ............................................................................................................................110
DISABLE INTERFACE LINKTRAP .................................................................................................................111
DISABLE SWITCH PORT...............................................................................................................................112
DISABLE SWITCH PORT FLOW ...................................................................................................................113
ENABLE INTERFACE LINKTRAP ..................................................................................................................114
ENABLE SWITCH PORT................................................................................................................................115
ENABLE SWITCH PORT FLOW ....................................................................................................................116
PURGE SWITCH PORT .................................................................................................................................117
RESET SWITCH PORT ..................................................................................................................................118
SET SWITCH PORT .......................................................................................................................................119
SET SWITCH PORT FILTERING ...................................................................................................................123
SET SWITCH PORT RATELIMITING.............................................................................................................126
SHOW INTERFACE .......................................................................................................................................129
SHOW SWITCH PORT...................................................................................................................................131
AT-S63 Management Software Command Line Interface User’s Guide
Chapter 8: Port Statistics Commands ....................................................................................................... 137
RESET SWITCH PORT COUNTER............................................................................................................... 138
SHOW SWITCH COUNTER .......................................................................................................................... 139
SHOW SWITCH PORT COUNTER ............................................................................................................... 142
Chapter 9: MAC Address Table Commands ............................................................................................. 143
ADD SWITCH FDB|FILTER ........................................................................................................................... 144
DELETE SWITCH FDB|FILTER ..................................................................................................................... 146
RESET SWITCH FDB .................................................................................................................................... 148
SET SWITCH AGINGTIMER|AGEINGTIMER................................................................................................ 149
SHOW SWITCH AGINGTIMER|AGEINGTIMER ........................................................................................... 150
SHOW SWITCH FDB ..................................................................................................................................... 151
Chapter 10: Static Port Trunking Commands ........................................................................................... 155
ADD SWITCH TRUNK ................................................................................................................................... 156
CREATE SWITCH TRUNK ............................................................................................................................ 158
DELETE SWITCH TRUNK ............................................................................................................................. 160
DESTROY SWITCH TRUNK.......................................................................................................................... 161
SET SWITCH TRUNK .................................................................................................................................... 162
SHOW SWITCH TRUNK................................................................................................................................ 163
Chapter 11: LACP Port Trunking Commands ........................................................................................... 165
ADD LACP PORT........................................................................................................................................... 166
CREATE LACP AGGREGATOR.................................................................................................................... 167
DELETE LACP PORT .................................................................................................................................... 169
DESTROY LACP AGGREGATOR ................................................................................................................. 170
DISABLE LACP .............................................................................................................................................. 171
ENABLE LACP ............................................................................................................................................... 172
SET LACP AGGREGATOR ........................................................................................................................... 173
SET LACP SYSPRIORITY ............................................................................................................................. 175
SET LACP STATE.......................................................................................................................................... 176
SHOW LACP .................................................................................................................................................. 177
Chapter 12: Port Mirroring Commands ..................................................................................................... 181
SET SWITCH MIRROR.................................................................................................................................. 182
SET SWITCH PORT MIRROR....................................................................................................................... 183
SHOW SWITCH MIRROR.............................................................................................................................. 184
Section II: Advanced Operations ........................................................................... 185
Chapter 13: File System Commands ......................................................................................................... 187
COPY ............................................................................................................................................................. 188
CREATE CONFIG .......................................................................................................................................... 190
DELETE FILE ................................................................................................................................................. 191
FORMAT DEVICE .......................................................................................................................................... 193
RENAME ........................................................................................................................................................ 194
SET CFLASH DIR .......................................................................................................................................... 196
SET CONFIG.................................................................................................................................................. 197
SHOW CFLASH ............................................................................................................................................. 199
SHOW CONFIG ............................................................................................................................................. 200
SHOW FILE.................................................................................................................................................... 201
SHOW FLASH................................................................................................................................................ 202
Chapter 14: File Download and Upload Commands .................................................................................203
LOAD METHOD=LOCAL................................................................................................................................204
LOAD METHOD=TFTP...................................................................................................................................206
LOAD METHOD=XMODEM ...........................................................................................................................211
UPLOAD METHOD=LOCAL...........................................................................................................................215
UPLOAD METHOD=REMOTESWITCH .........................................................................................................217
UPLOAD METHOD=TFTP..............................................................................................................................221
UPLOAD METHOD=XMODEM ......................................................................................................................224
Chapter 15: Event Log and Syslog Server Commands ............................................................................227
ADD LOG OUTPUT ........................................................................................................................................228
CREATE LOG OUTPUT .................................................................................................................................230
DESTROY LOG OUTPUT ..............................................................................................................................234
DISABLE LOG ................................................................................................................................................235
DISABLE LOG OUTPUT ................................................................................................................................236
ENABLE LOG .................................................................................................................................................237
ENABLE LOG OUTPUT .................................................................................................................................238
PURGE LOG...................................................................................................................................................239
SAVE LOG ......................................................................................................................................................240
SET LOG FULLACTION .................................................................................................................................242
SET LOG OUTPUT.........................................................................................................................................243
SHOW LOG ....................................................................................................................................................246
SHOW LOG OUTPUT ....................................................................................................................................251
SHOW LOG STATUS .....................................................................................................................................253
Chapter 16: Classifier Commands .............................................................................................................255
CREATE CLASSIFIER ...................................................................................................................................256
DESTROY CLASSIFIER.................................................................................................................................260
PURGE CLASSIFIER .....................................................................................................................................261
SET CLASSIFIER ...........................................................................................................................................262
SHOW CLASSIFIER .......................................................................................................................................265
Chapter 17: Access Control List Commands ............................................................................................267
CREATE ACL .................................................................................................................................................268
DESTROY ACL...............................................................................................................................................270
PURGE ACL ...................................................................................................................................................271
SET ACL .........................................................................................................................................................272
SHOW ACL .....................................................................................................................................................274
Chapter 18: Class of Service (CoS) Commands .......................................................................................277
MAP QOS COSP ............................................................................................................................................278
PURGE QOS ..................................................................................................................................................280
SET QOS COSP .............................................................................................................................................281
SET QOS SCHEDULING ...............................................................................................................................282
SET SWITCH PORT PRIORITY OVERRIDEPRIORITY ................................................................................284
SHOW QOS CONFIG .....................................................................................................................................286
Chapter 19: Quality of Service (QoS) Commands .....................................................................................289
ADD QOS FLOWGROUP ...............................................................................................................................290
ADD QOS POLICY .........................................................................................................................................291
ADD QOS TRAFFICCLASS ...........................................................................................................................292
CREATE QOS FLOWGROUP ........................................................................................................................293
CREATE QOS POLICY ..................................................................................................................................296
CREATE QOS TRAFFICCLASS ....................................................................................................................303
DELETE QOS FLOWGROUP ........................................................................................................................308
DELETE QOS POLICY ...................................................................................................................................309
DELETE QOS TRAFFICCLASS .....................................................................................................................310
DESTROY QOS FLOWGROUP..................................................................................................................... 311
DESTROY QOS POLICY ............................................................................................................................... 312
DESTROY QOS TRAFFICCLASS ................................................................................................................. 313
PURGE QOS.................................................................................................................................................. 314
SET QOS FLOWGROUP ............................................................................................................................... 315
SET QOS POLICY ......................................................................................................................................... 318
SET QOS PORT............................................................................................................................................. 321
SET QOS TRAFFICCLASS............................................................................................................................ 322
SHOW QOS FLOWGROUP........................................................................................................................... 327
SHOW QOS POLICY ..................................................................................................................................... 329
SHOW QOS TRAFFICCLASS ....................................................................................................................... 331
Chapter 20: Denial of Service Defense Commands ................................................................................. 333
SET DOS........................................................................................................................................................ 334
SET DOS IPOPTION...................................................................................................................................... 335
SET DOS LAND ............................................................................................................................................. 337
SET DOS PINGOFDEATH............................................................................................................................. 338
SET DOS SMURF .......................................................................................................................................... 340
SET DOS SYNFLOOD ................................................................................................................................... 341
SET DOS TEARDROP................................................................................................................................... 342
SHOW DOS.................................................................................................................................................... 344
Section III: IGMP Snooping, MLD Snooping, and RRP Snooping .................... 347
Chapter 21: IGMP Snooping Commands .................................................................................................. 349
DISABLE IGMPSNOOPING........................................................................................................................... 350
ENABLE IGMPSNOOPING............................................................................................................................ 351
SET IP IGMP .................................................................................................................................................. 352
SHOW IGMPSNOOPING............................................................................................................................... 355
SHOW IP IGMP.............................................................................................................................................. 356
Chapter 22: MLD Snooping Commands .................................................................................................... 359
DISABLE MLDSNOOPING ............................................................................................................................ 360
ENABLE MLDSNOOPING ............................................................................................................................. 361
SET IPV6 MLDSNOOPING............................................................................................................................ 362
SHOW MLDSNOOPING ................................................................................................................................ 364
SHOW IPV6 MLDSNOOPING........................................................................................................................ 366
Chapter 23: RRP Snooping Commands .................................................................................................... 369
DISABLE RRPSNOOPING ............................................................................................................................ 370
ENABLE RRPSNOOPING ............................................................................................................................. 371
SHOW RRPSNOOPING ................................................................................................................................ 372
Section IV: SNMPv3 ............................................................................................... 373
Chapter 24: SNMPv3 Commands ............................................................................................................... 375
ADD SNMPV3 USER ..................................................................................................................................... 377
CREATE SNMPV3 ACCESS ......................................................................................................................... 379
CREATE SNMPV3 COMMUNITY .................................................................................................................. 382
CREATE SNMPV3 GROUP ........................................................................................................................... 384
CREATE SNMPV3 NOTIFY ........................................................................................................................... 386
CREATE SNMPV3 TARGETADDR ............................................................................................................... 388
CREATE SNMPV3 TARGETPARAMS .......................................................................................................... 390
CREATE SNMPV3 VIEW ............................................................................................................................... 392
DELETE SNMPV3 USER............................................................................................................................... 394
DESTROY SNMPv3 ACCESS........................................................................................................................395
DESTROY SNMPv3 COMMUNITY ................................................................................................................397
DESTROY SNMPv3 GROUP .........................................................................................................................398
DESTROY SNMPv3 NOTIFY .........................................................................................................................399
DESTROY SNMPv3 TARGETADDR..............................................................................................................400
DESTROY SNMPv3 TARGETPARMS ...........................................................................................................401
DESTROY SNMPV3 VIEW.............................................................................................................................402
PURGE SNMPV3 ACCESS............................................................................................................................403
PURGE SNMPV3 COMMUNITY ....................................................................................................................404
PURGE SNMPV3 NOTIFY .............................................................................................................................405
PURGE SNMPV3 TARGETADDR..................................................................................................................406
PURGE SNMPV3 VIEW .................................................................................................................................407
SET SNMPV3 ACCESS .................................................................................................................................408
SET SNMPV3 COMMUNITY ..........................................................................................................................410
SET SNMPV3 GROUP ...................................................................................................................................412
SET SNMPV3 NOTIFY ...................................................................................................................................414
SET SNMPV3 TARGETADDR .......................................................................................................................416
SET SNMPV3 TARGETPARAMS ..................................................................................................................418
SET SNMPV3 USER ......................................................................................................................................420
SET SNMPV3 VIEW .......................................................................................................................................422
SHOW SNMPV3 ACCESS .............................................................................................................................424
SHOW SNMPV3 COMMUNITY ......................................................................................................................425
SHOW SNMPv3 GROUP ...............................................................................................................................426
SHOW SNMPV3 NOTIFY ...............................................................................................................................427
SHOW SNMPV3 TARGETADDR ...................................................................................................................428
SHOW SNMPV3 TARGETPARAMS ..............................................................................................................429
SHOW SNMPV3 USER ..................................................................................................................................430
SHOW SNMPV3 VIEW ...................................................................................................................................431
Section V: Spanning Tree Protocols ......................................................................433
Chapter 25: Spanning Tree Protocol Commands .....................................................................................435
ACTIVATE STP ..............................................................................................................................................436
DISABLE STP .................................................................................................................................................437
ENABLE STP ..................................................................................................................................................438
PURGE STP ...................................................................................................................................................439
SET STP .........................................................................................................................................................440
SET STP PORT ..............................................................................................................................................443
SET SWITCH MULTICASTMODE..................................................................................................................445
SHOW STP .....................................................................................................................................................447
Chapter 26: Rapid Spanning Tree Protocols Commands ........................................................................449
ACTIVATE RSTP ............................................................................................................................................450
DISABLE RSTP ..............................................................................................................................................451
ENABLE RSTP ...............................................................................................................................................452
PURGE RSTP.................................................................................................................................................453
SET RSTP ......................................................................................................................................................454
SET RSTP PORT ...........................................................................................................................................457
SHOW RSTP ..................................................................................................................................................460
Chapter 27: Multiple Spanning Tree Protocol Commands .......................................................................463
ACTIVATE MSTP ...........................................................................................................................................464
ADD MSTP .....................................................................................................................................................465
CREATE MSTP ..............................................................................................................................................466
DELETE MSTP ...............................................................................................................................................467
DESTROY MSTP MSTIID ..............................................................................................................................468
DISABLE MSTP ............................................................................................................................................. 469
ENABLE MSTP .............................................................................................................................................. 470
PURGE MSTP................................................................................................................................................ 471
SET MSTP...................................................................................................................................................... 472
SET MSTP CIST ............................................................................................................................................ 475
SET MSTP MSTI ............................................................................................................................................ 476
SET MSTP MSTIVLANASSOC ...................................................................................................................... 478
SET MSTP PORT........................................................................................................................................... 479
SHOW MSTP ................................................................................................................................................. 483
Section VI: Virtual LANs ....................................................................................... 487
Chapter 28: Port-based, Tagged, and Multiple Mode VLAN Commands ............................................... 489
ADD VLAN...................................................................................................................................................... 490
CREATE VLAN............................................................................................................................................... 493
DELETE VLAN ............................................................................................................................................... 497
DESTROY VLAN............................................................................................................................................ 500
SET SWITCH INFILTERING .......................................................................................................................... 501
SET SWITCH VLANMODE ............................................................................................................................ 502
SET VLAN ...................................................................................................................................................... 504
SHOW VLAN .................................................................................................................................................. 505
Chapter 29: GARP VLAN Registration Protocol Commands .................................................................. 509
DISABLE GARP ............................................................................................................................................. 510
ENABLE GARP .............................................................................................................................................. 511
PURGE GARP................................................................................................................................................ 512
SET GARP PORT .......................................................................................................................................... 513
SET GARP TIMER ......................................................................................................................................... 514
SHOW GARP ................................................................................................................................................. 516
SHOW GARP COUNTER .............................................................................................................................. 517
SHOW GARP DATABASE ............................................................................................................................. 519
SHOW GARP GIP .......................................................................................................................................... 520
SHOW GARP MACHINE................................................................................................................................ 521
Chapter 30: Protected Ports VLAN Commands ........................................................................................ 523
ADD VLAN GROUP ....................................................................................................................................... 524
CREATE VLAN PORTPROTECTED ............................................................................................................. 526
DELETE VLAN ............................................................................................................................................... 527
DESTROY VLAN............................................................................................................................................ 529
SET VLAN ...................................................................................................................................................... 530
SHOW VLAN .................................................................................................................................................. 531
Chapter 31: MAC Address-based VLAN Commands ............................................................................... 533
ADD VLAN MACADDRESS ........................................................................................................................... 534
ADD VLAN PORT MACADDRESS ................................................................................................................ 535
CREATE VLAN TYPE=MACADDRESS......................................................................................................... 536
DELETE VLAN MACADDRESS..................................................................................................................... 538
DELETE VLAN PORT MACADDRESS.......................................................................................................... 539
DESTROY VLAN............................................................................................................................................ 540
SHOW VLAN .................................................................................................................................................. 541
Section VII: Internet Protocol Routing .................................................................543
Chapter 32: Internet Protocol Version 4 Packet Routing .........................................................................545
Internet Protocol Version 4 Packet Routing Overview ....................................................................................546
Supported Switches..................................................................................................................................547
Routing Interfaces ....................................................................................................................................547
Interface Names .......................................................................................................................................550
Static Routes ............................................................................................................................................550
Routing Information Protocol (RIP)...........................................................................................................552
Routing Table ...........................................................................................................................................553
Address Resolution Protocol (ARP) Table ...............................................................................................555
Internet Control Message Protocol (ICMP)...............................................................................................556
Routing Interfaces and Management Features ........................................................................................557
Local Interface ..........................................................................................................................................559
AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches ....................................................................560
Routing Command Example.....................................................................................................................562
Non-routing Command Example ..............................................................................................................566
Upgrading from AT-S63 Version 1.3.0 or Earlier......................................................................................567
ADD IP ARP....................................................................................................................................................568
ADD IP INTERFACE.......................................................................................................................................570
ADD IP RIP .....................................................................................................................................................572
ADD IP ROUTE ..............................................................................................................................................574
DELETE IP ARP .............................................................................................................................................576
DELETE IP INTERFACE ................................................................................................................................577
DELETE IP RIP...............................................................................................................................................578
DELETE IP ROUTE ........................................................................................................................................579
PURGE IP .......................................................................................................................................................580
SET IP ARP ....................................................................................................................................................581
SET IP ARP TIMEOUT ...................................................................................................................................582
SET IP INTERFACE .......................................................................................................................................583
SET IP LOCAL INTERFACE ..........................................................................................................................585
SET IP RIP......................................................................................................................................................586
SET IP ROUTE ...............................................................................................................................................588
SHOW IP ARP ................................................................................................................................................590
SHOW IP COUNTER......................................................................................................................................592
SHOW IP INTERFACE ...................................................................................................................................594
SHOW IP RIP COUNTER...............................................................................................................................596
SHOW IP RIP INTERFACE ............................................................................................................................598
SHOW IP ROUTE ...........................................................................................................................................600
Section VIII: Port Security .....................................................................................603
Chapter 33: MAC Address-based Port Security Commands ...................................................................605
SET SWITCH PORT INTRUSIONACTION.....................................................................................................606
SET SWITCH PORT SECURITYMODE .........................................................................................................607
SHOW SWITCH PORT INTRUSION ..............................................................................................................610
SHOW SWITCH PORT SECURITYMODE.....................................................................................................611
Chapter 34: 802.1x Port-based Network Access Control Commands ....................................................613
DISABLE PORTACCESS|PORTAUTH ..........................................................................................................614
DISABLE RADIUSACCOUNTING ..................................................................................................................615
ENABLE PORTACCESS|PORTAUTH ...........................................................................................................616
ENABLE RADIUSACCOUNTING ...................................................................................................................617
SET PORTACCESS|PORTAUTH PORT ROLE=AUTHENTICATOR ............................................................618
SET PORTACCESS|PORTAUTH PORT ROLE=SUPPLICANT ....................................................................626
SET RADIUSACCOUNTING ..........................................................................................................................628
SHOW PORTACCESS|PORTAUTH .............................................................................................................. 630
SHOW PORTACCESS|PORTAUTH PORT ................................................................................................... 632
SHOW RADIUSACCOUNTING...................................................................................................................... 635
Section IX: Management Security ......................................................................... 637
Chapter 35: Web Server Commands ......................................................................................................... 639
DISABLE HTTP SERVER .............................................................................................................................. 640
ENABLE HTTP SERVER ............................................................................................................................... 641
PURGE HTTP SERVER................................................................................................................................. 642
SET HTTP SERVER ...................................................................................................................................... 643
SHOW HTTP SERVER .................................................................................................................................. 648
Chapter 36: Encryption Key Commands ................................................................................................... 649
CREATE ENCO KEY ..................................................................................................................................... 650
DESTROY ENCO KEY................................................................................................................................... 654
SET ENCO KEY ............................................................................................................................................. 655
SHOW ENCO ................................................................................................................................................. 656
Chapter 37: Public Key Infrastructure (PKI) Certificate Commands ...................................................... 657
ADD PKI CERTIFICATE................................................................................................................................. 658
CREATE PKI CERTIFICATE.......................................................................................................................... 660
CREATE PKI ENROLLMENTREQUEST ....................................................................................................... 663
DELETE PKI CERTIFICATE .......................................................................................................................... 665
PURGE PKI .................................................................................................................................................... 666
SET PKI CERTIFICATE ................................................................................................................................. 667
SET PKI CERTSTORELIMIT ......................................................................................................................... 669
SET SYSTEM DISTINGUISHEDNAME ......................................................................................................... 670
SHOW PKI...................................................................................................................................................... 671
SHOW PKI CERTIFICATE ............................................................................................................................. 672
Chapter 38: Secure Sockets Layer (SSL) Commands ............................................................................. 673
SET SSL......................................................................................................................................................... 674
SHOW SSL..................................................................................................................................................... 675
Chapter 39: Secure Shell (SSH) Commands ............................................................................................. 677
DISABLE SSH SERVER ................................................................................................................................ 678
ENABLE SSH SERVER ................................................................................................................................. 679
SET SSH SERVER ........................................................................................................................................ 682
SHOW SSH .................................................................................................................................................... 684
Chapter 40: TACACS+ and RADIUS Commands ...................................................................................... 685
ADD RADIUSSERVER................................................................................................................................... 686
ADD TACACSSERVER.................................................................................................................................. 688
DELETE RADIUSSERVER ............................................................................................................................ 690
DELETE TACACSSERVER ........................................................................................................................... 691
DISABLE AUTHENTICATION........................................................................................................................ 692
ENABLE AUTHENTICATION......................................................................................................................... 693
PURGE AUTHENTICATION .......................................................................................................................... 694
SET AUTHENTICATION ................................................................................................................................ 695
SHOW AUTHENTICATION............................................................................................................................ 697
Chapter 41: Management ACL Commands ............................................................................................... 699
ADD MGMTACL ............................................................................................................................................. 700
CREATE MGMTACL ...................................................................................................................................... 701
DESTROY MGMTACL ................................................................................................................................... 703
DISABLE MGMTACL ..................................................................................................................................... 704
ENABLE MGMTACL ...................................................................................................................................... 705
PURGE MGMTACL ........................................................................................................................................706
SET MGMTACL ..............................................................................................................................................707
SHOW MGMTACL ..........................................................................................................................................708
Index ..............................................................................................................................................................709
Tables
Table 1. New Features in AT-S63 Version 2.0.0 .................................................................................................................21
Table 2. New Features in AT-S63 Version 1.3.0 .................................................................................................................22
Table 3. New Features in AT-S63 Version 1.2.0 .................................................................................................................23
Table 4. Twisted Pair Ports Matched with GBIC and SFP Slots ..........................................................................................31
Table 5. Module Variable .....................................................................................................................................................60
Table 6. File Extensions and File Types ............................................................................................................................188
Table 7. File Name Extensions - Downloading Files .........................................................................................................207
Table 8. File Name Extensions - Uploaded Files ...............................................................................................................222
Table 9. Default Syslog Facilities .......................................................................................................................................232
Table 10. Numerical Code and Facility Level Mappings ....................................................................................................233
Table 11. AT-S63 Modules ................................................................................................................................................247
Table 12. Event Log Severity Levels .................................................................................................................................249
Table 13. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues ................................................................278
Table 14. Bridge Priority Value Increments .......................................................................................................................440
Table 15. STP Auto-Detect Port Costs ..............................................................................................................................443
Table 16. Auto-Detect Port Trunk Costs ............................................................................................................................443
Table 17. Port Priority Value Increments ...........................................................................................................................444
Table 18. Bridge Priority Value Increments .......................................................................................................................454
Table 19. RSTP Auto-Detect Port Costs ...........................................................................................................................457
Table 20. RSTP Auto-Detect Port Trunk Costs .................................................................................................................457
Table 21. Port Priority Value Increments ...........................................................................................................................458
Table 22. CIST Priority Value Increments .........................................................................................................................475
Table 23. MSTI Priority Value Increments .........................................................................................................................476
Table 24. Auto External Path Costs ..................................................................................................................................479
Table 25. Auto External Path Trunk Costs ........................................................................................................................479
Table 26. Port Priority Value Increments ...........................................................................................................................481
Table 27. ICMP Messages Implemented on the AT-9400 Series Switch ..........................................................................556
Table 28. IPv4 Routing Example .......................................................................................................................................562
Preface
This guide contains instructions on how to configure the operating
parameters of an AT-9400 Series Layer 2+ Gigabit Ethernet switch using
the command line interface in the AT-S63 management software.
For instructions on how to manage the switch with the menus or web
browser interface, refer to the AT-S63 Management Software Menus
Interface User’s Guide and the AT-S63 Management Software Web
Browser Interface User’s Guide. The guides are available from the Allied
Telesyn web site.
For background information and guidelines on the various features of the
AT-9400 Series switches and the AT-S63 management software, as well
as an overview of the different methods of managing a switch, refer to the
AT-S63 Management Software Menus Interface User’s Guide. The Internet
Protocol packet routing feature is an exception: the overview and
guidelines for that feature are found in this guide.
This Preface contains the following sections:
• “How This Guide is Organized” on page 16
• “Document Conventions” on page 18
• “Where to Find Web-based Guides” on page 19
• “Contacting Allied Telesyn” on page 20
• “History of New Features” on page 21
Caution
The software described in this documentation contains certain
cryptographic functionality and its export is restricted by U.S. law. As
of this writing, it has been submitted for review as a “retail encryption
item” in accordance with the Export Administration Regulations, 15
C.F.R. Part 730-772, promulgated by the U.S. Department of
Commerce, and conditionally may be exported in accordance with
the pertinent terms of License Exception ENC (described in 15
C.F.R. Part 740.17). In no case may it be exported to Cuba, Iran,
Iraq, Libya, North Korea, Sudan, or Syria. If you wish to transfer this
software outside the United States or Canada, please contact your
local Allied Telesyn sales representative for current information on
this product’s export status.
How This Guide is Organized
This guide is organized into the following sections:
• Section I: Basic Operations
  The chapters in this section contain the commands for performing a
  variety of basic operations, such as setting port parameters, creating
  port trunks, and accessing switches in an enhanced stack.
• Section II: Advanced Operations
  The chapters in this section contain the commands for performing
  different advanced operations, such as managing the file system,
  uploading and downloading files, using the event log, and working with
  classifiers and Quality of Service.
• Section III: IGMP Snooping, MLD Snooping, and RRP Snooping
  The chapters in this section contain the commands for configuring
  IGMP snooping, MLD snooping, and RRP snooping.
• Section IV: SNMPv3
  The chapter in this section contains the commands for configuring
  SNMPv3.
• Section V: Spanning Tree Protocols
  The chapters in this section contain the commands for configuring the
  Spanning Tree, Rapid Spanning Tree, and Multiple Spanning Tree
  Protocols.
• Section VI: Virtual LANs
  The chapters in this section contain the commands for configuring
  port-based and tagged VLANs, GVRP, protected ports VLANs, MAC
  address-based VLANs, and multiple VLAN modes.
• Section VII: Internet Protocol Routing
  The chapter in this section describes the IPv4 packet routing feature. It
  contains the overview and commands for routing interfaces, static
  routes, and the Routing Information Protocol (RIP) versions 1 and 2.
• Section VIII: Port Security
  The chapters in this section contain the commands for configuring
  MAC address-based security and 802.1x port-based network access
  control.
• Section IX: Management Security
  The chapters in this section contain the commands for managing the
  web server, encryption keys, Public Key Infrastructure certificates,
  Secure Shell, TACACS+ and RADIUS, and the management access
  control list.
Document Conventions
This document uses the following conventions:
Note
Notes provide additional information.
Caution
Cautions inform you that performing or omitting a specific action
may result in equipment damage or loss of data.
Warning
Warnings inform you that performing or omitting a specific action
may result in bodily injury.
Where to Find Web-based Guides
The installation and user guides for all Allied Telesyn products are
available in portable document format (PDF) on our web site at
www.alliedtelesyn.com. You can view the documents online or download
them onto a local workstation or server.
Contacting Allied Telesyn
This section provides Allied Telesyn contact information for technical
support as well as sales and corporate information.
Online Support
You can request technical support online by accessing the Allied Telesyn
Knowledge Base: http://kb.alliedtelesyn.com. You can use the
Knowledge Base to submit questions to our technical support staff and
review answers to previously asked questions.
Email and Telephone Support
For Technical Support via email or telephone, refer to the Support &
Services section of the Allied Telesyn web site: www.alliedtelesyn.com.
Returning Products
Products for return or repair must first be assigned a return materials
authorization (RMA) number. A product sent to Allied Telesyn without an
RMA number will be returned to the sender at the sender’s expense.
To obtain an RMA number, contact Allied Telesyn Technical Support
through our web site: www.alliedtelesyn.com.
Sales or Corporate Information
You can contact Allied Telesyn for sales or corporate information through
our web site: www.alliedtelesyn.com. To find the contact information for
your country, select Contact Us -> Worldwide Contacts.
Management Software Updates
New releases of management software for our managed products are
available from either of the following Internet sites:
• Allied Telesyn web site: www.alliedtelesyn.com
• Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com
If you prefer to download new software from the Allied Telesyn FTP server
from your workstation’s command prompt, you will need FTP client
software and you must log in to the server. Enter “anonymous” for the user
name and your email address for the password.
History of New Features
This section contains the history of the new features in the AT-S63
management software.
Version 2.0.0
Table 1 lists the new features in version 2.0.0 of the AT-S63 management
software.
Table 1. New Features in AT-S63 Version 2.0.0
Feature: Internet Protocol version 4 packet routing with:
  • Routing interfaces
  • Static routes
  • Routing Information Protocol (RIP) versions 1 and 2
Change: New feature.
Chapter: Chapter 32, “Internet Protocol Version 4 Packet Routing” on
page 545
Note
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches do
not support the IPv4 packet routing feature. However, these
switches do allow you to create one routing interface so that you can
assign an IP address to the switch for those management functions
that require it. For further information, refer to “AT-9408LC/SP,
AT-9424T/GB, and AT-9424T/SP Switches” on page 560.
Note
When an AT-9400 Series switch with an IP address is upgraded
from AT-S63 version 1.3.0 or earlier to the latest version, a routing
interface is automatically created on the device to preserve its IP
configuration. The interface is assigned to the same VLAN that
functioned as the switch’s management VLAN. If the switch does not
have an IP address, no routing interface is created. For further
information, refer to Chapter 32, “Internet Protocol Version 4 Packet
Routing” on page 545.
Version 1.3.0
Table 2 lists the new features in version 1.3.0.
Table 2. New Features in AT-S63 Version 1.3.0
Feature: Basic Switch Commands
Change: Modified the SHOW CONFIG DYN command to display the parameter
settings of individual switch modules.
Chapter: Chapter 3, “Basic Switch Commands” on page 43. Modified
command: “SHOW CONFIG DYNAMIC” on page 60

Feature: 802.1x port-based network access control
Change: Added the following new features:
  • GUESTVLAN parameter for supporting Guest VLANs.
  • VLANASSIGNMENT and SECUREVLAN parameters for supporting dynamic
    VLAN assignments from a RADIUS authentication server for supplicant
    accounts.
  • MACBASED parameter for supporting MAC address-based authentication
    as an alternative to 802.1x username and password authentication.
Chapter: Chapter 34, “802.1x Port-based Network Access Control Commands”
on page 613. Modified command: “SET PORTACCESS|PORTAUTH PORT
ROLE=AUTHENTICATOR” on page 618

Feature: Management Access Control List
Change: Simplified the commands for managing the access control entries
in the Management ACL.
Chapter: Chapter 41, “Management ACL Commands” on page 699
Version 1.2.0
Table 3 lists the new features in version 1.2.0 of the AT-S63 management
software.
Table 3. New Features in AT-S63 Version 1.2.0
Feature: MAC Address Table
Change: Added new parameters to the CLI commands for deleting and
displaying specific types of MAC addresses in the MAC address table. The
new parameters are:
  • STATIC, STATICUNICAST, and STATICMULTICAST for deleting and
    displaying static unicast and multicast MAC addresses.
  • DYNAMIC, DYNAMICUNICAST, and DYNAMICMULTICAST for deleting and
    displaying dynamic unicast and multicast MAC addresses.
Chapter: Chapter 9, “MAC Address Table Commands” on page 143. Modified
commands: “DELETE SWITCH FDB|FILTER” on page 146; “SHOW SWITCH FDB” on
page 151

Feature: Quality of Service
Change: Added the following parameters to the commands for creating and
modifying flow groups, traffic classes, and policies:
  • TOS parameter for replacing the Type of Service (ToS) field of IPv4
    packets.
  • MOVETOSTOPRIORITY parameter for replacing the value in the 802.1p
    priority field with the value in the ToS priority field in IPv4
    packets.
  • MOVEPRIORITYTOTOS parameter for replacing the value in the ToS
    priority field with the 802.1p priority field in IPv4 packets.
  • SENDTOMIRROR parameter for copying traffic to a destination mirror
    port. (Policies only.)
Chapter: Chapter 19, “Quality of Service (QoS) Commands” on page 289.
Modified commands: “CREATE QOS FLOWGROUP” on page 293; “SET QOS
FLOWGROUP” on page 315; “CREATE QOS TRAFFICCLASS” on page 303; “SET QOS
TRAFFICCLASS” on page 322; “CREATE QOS POLICY” on page 296; “SET QOS
POLICY” on page 318

Feature: MLD Snooping
Change: New feature.
Chapter: Chapter 22, “MLD Snooping Commands” on page 359

Feature: MAC address-based VLANs
Change: New feature.
Chapter: Chapter 31, “MAC Address-based VLAN Commands” on page 533

Feature: 802.1x port-based network access control
Change: Added the following parameter to the command for configuring an
authenticator port:
  • MODE parameter for supporting multiple supplicant accounts on an
    authenticator port.
Chapter: Chapter 34, “802.1x Port-based Network Access Control Commands”
on page 613. Modified command: “SET PORTACCESS|PORTAUTH PORT
ROLE=AUTHENTICATOR” on page 618
Section I
Basic Operations
The chapters in this section provide information and procedures for basic
switch setup using the AT-S63 management software. The chapters
include:
• Chapter 1, “Starting a Command Line Management Session” on page 27
• Chapter 2, “Basic Command Line Commands” on page 33
• Chapter 3, “Basic Switch Commands” on page 43
• Chapter 4, “Enhanced Stacking Commands” on page 69
• Chapter 5, “Simple Network Time Protocol (SNTP) Commands” on page 77
• Chapter 6, “SNMPv2 and SNMPv2c Commands” on page 89
• Chapter 7, “Port Parameter Commands” on page 109
• Chapter 8, “Port Statistics Commands” on page 137
• Chapter 9, “MAC Address Table Commands” on page 143
• Chapter 10, “Static Port Trunking Commands” on page 155
• Chapter 11, “LACP Port Trunking Commands” on page 165
• Chapter 12, “Port Mirroring Commands” on page 181
Chapter 1
Starting a Command Line Management Session
This chapter contains the following topics:
• “Starting a Command Line Management Session” on page 28
• “Command Line Interface Features” on page 29
• “Command Formatting” on page 30
• “Redundant Twisted Pair Ports” on page 31
Starting a Command Line Management Session
The command line interface is supported from a local management
session using the Terminal Port on an AT-9400 Series switch and a
remote Telnet or SSH management session. For instructions on how to
start a local or remote management session, refer to the AT-S63
Management Software Menus Interface User’s Guide.
The default management interface when you start a session is the
command line interface (CLI). The prompt differs depending on whether
you logged in as manager or operator. If you logged in as manager, you
will see “#.” If you logged in as operator, you will see “$.”
Note
The web browser interface does not support the command line interface.
Command Line Interface Features
The following features are supported in the command line interface:
• Command history - Use the up and down arrow keys.
• Context-specific help - Press the question mark key at any time to see
  a list of legal next parameters.
• Keyword abbreviations - Any keyword can be recognized by typing an
  unambiguous prefix, for example, “sh” for “show”.
• Tab key - Pressing the Tab key fills in the rest of the keyword. For
  example, typing “di” and pressing the Tab key enters “disable.”
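The unambiguous-prefix rule described above, as an added example that is not part of the Allied Telesyn guide: a small Python resolver over a keyword table constructed from command verbs that appear in this guide. The names resolve_keyword, complete and expand_verb are assumptions; the switch's actual parser is not shown.

```python
# Added example (not AT-S63 code): unambiguous-prefix keyword matching as the
# feature list above describes it. KEYWORDS is constructed from command verbs
# that appear in this guide; the switch's real parser is not available here,
# so the function names and edge-case behaviour are assumptions.
from typing import Optional, Sequence

KEYWORDS: Sequence[str] = (
    "add", "clear", "create", "delete", "destroy", "disable", "enable",
    "exit", "help", "logoff", "logout", "menu", "ping", "purge", "quit",
    "reset", "restart", "save", "set", "show",
)


def candidates(prefix: str, keywords: Sequence[str] = KEYWORDS) -> list:
    """Return every keyword that starts with prefix (case-insensitive)."""
    p = prefix.lower()
    return [k for k in keywords if k.startswith(p)]


def resolve_keyword(token: str,
                    keywords: Sequence[str] = KEYWORDS) -> Optional[str]:
    """Expand an abbreviated keyword.

    Returns the full keyword when token is an exact keyword or a prefix of
    exactly one keyword; returns None when the prefix is ambiguous ("de"
    could be DELETE or DESTROY) or matches nothing. An exact match wins
    even if it is also the prefix of a longer keyword.
    """
    if not token:
        return None
    t = token.lower()
    if t in keywords:
        return t
    hits = candidates(t, keywords)
    return hits[0] if len(hits) == 1 else None


def complete(token: str, keywords: Sequence[str] = KEYWORDS) -> str:
    """Tab-key behaviour: fill in the rest of the keyword when the prefix is
    unambiguous, otherwise return the token unchanged so the user can type
    more characters."""
    full = resolve_keyword(token, keywords)
    return token if full is None else full


def expand_verb(line: str, keywords: Sequence[str] = KEYWORDS) -> str:
    """Expand the leading command verb of a line ("sh user" -> "show user").

    Only the first word is resolved; second-level keywords and name=value
    parameters are passed through untouched. Raises ValueError, listing the
    candidate keywords, when the verb is ambiguous or unknown.
    """
    words = line.split()
    if not words:
        raise ValueError("empty command line")
    verb = resolve_keyword(words[0], keywords)
    if verb is None:
        raise ValueError(
            f"ambiguous or unknown keyword {words[0]!r}; "
            f"candidates: {candidates(words[0], keywords)}"
        )
    return " ".join([verb] + words[1:])


if __name__ == "__main__":
    for probe in ("sh", "di", "de", "s", "set"):
        print(f"{probe!r:8} -> {resolve_keyword(probe)!r}")
    print(expand_verb("sh user"))
```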
Command Formatting
The following formatting conventions are used in this manual:
• screen text font - This font illustrates the format of a command and
  command examples.
• italicized screen text font - Italicized screen text indicates a variable
  for you to enter.
• [ ] - Brackets indicate optional parameters.
• | - Vertical line separates parameter options for you to choose from.
Redundant Twisted Pair Ports
Your AT-9400 Series switch may have two or four twisted pair ports that
are paired with GBIC or SFP slots. The twisted pair ports are identified
with the letter “R” for “Redundant” as part of their number on the front
faceplate of the unit. The ports and slots are listed in Table 4.
Table 4. Twisted Pair Ports Matched with GBIC and SFP Slots

Model                        Ports and Slots
AT-9424T/GB                  23R with GBIC slot 23
                             24R with GBIC slot 24
AT-9424T/SP                  23R with SFP slot 23
                             24R with SFP slot 24
AT-9424Ts and AT-9424Ts/XP   21R with SFP slot 21
                             22R with SFP slot 22
                             23R with SFP slot 23
                             24R with SFP slot 24
AT-9448T/SP                  45R with SFP slot 45
                             46R with SFP slot 46
                             47R with SFP slot 47
                             48R with SFP slot 48
Follow these guidelines when using these ports and slots:
• Only one port in a pair, either the twisted pair port or a corresponding
  GBIC or SFP module, can be active at a time.
• The twisted pair port is the active port when its GBIC or SFP slot is
  empty, or when a GBIC or SFP module is installed but has not
  established a link to an end node.
• The twisted pair port automatically changes to the redundant status
  mode when a GBIC or SFP module establishes a link with an end
  node.
• A twisted pair port automatically transitions back to the active status
  when the link is lost on the GBIC or SFP module.
• A twisted pair port and a GBIC or SFP module share the same
  configuration settings, including port settings, VLAN assignments,
  access control lists, and spanning tree.
• An exception to the shared settings is port speed. If you disable
  Auto-Negotiation on a twisted pair port and set the speed and duplex
  mode manually, the speed reverts to Auto-Negotiation when a GBIC or
  SFP module establishes a link with an end node.
• Omit the letter “R” when specifying a redundant twisted pair port in a
  command line command. For instance, to assign the description
  “Sales server” to port 23R on an AT-9424T/GB switch, you enter:
  set switch port=23 description="Sales server"
Note
These guidelines do not apply to the SFP slots on the
AT-9408LC/SP switch and the XFP slots on the AT-9424Ts/XP and
AT-9448Ts/XP switches.
Chapter 2
Basic Command Line Commands
This chapter contains the following commands:
• “CLEAR SCREEN” on page 34
• “EXIT” on page 35
• “HELP” on page 36
• “LOGOFF, LOGOUT and QUIT” on page 37
• “MENU” on page 38
• “SAVE CONFIGURATION” on page 39
• “SET PROMPT” on page 40
• “SET SWITCH CONSOLEMODE” on page 41
• “SHOW USER” on page 42
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
CLEAR SCREEN
Syntax
clear screen
Parameters
None.
Description
This command clears the screen.
Example
The following command clears the screen:
clear screen
EXIT
Syntax
exit
Parameters
None.
Description
This command ends a management session. If you are managing a slave
switch, the command returns you to the master switch from where you
started the management session.
Example
The following command ends the current management session:
exit
Equivalent Commands
logoff
logout
quit
For information, see “LOGOFF, LOGOUT and QUIT” on page 37.
HELP
Syntax
help
Parameters
None.
Description
This command displays a list of the CLI keywords with a brief description
for each keyword.
Example
The following command displays the CLI keywords:
help
LOGOFF, LOGOUT and QUIT
Syntax
logoff
logout
quit
Parameters
None.
Description
These three commands all perform the same function: they end a
management session. If you are managing a slave switch, the commands
return you to the master switch from which you started the management
session.
Example
The following command ends a management session:
logoff
MENU
Syntax
menu
Parameters
None.
Description
This command displays the AT-S63 Main Menu. For instructions on how
to use the menus, refer to the AT-S63 Management Software Menus
Interface User’s Guide.
Example
The following command displays the AT-S63 Main Menu:
menu
Equivalent Command
exit
For information, see “EXIT” on page 35.
SAVE CONFIGURATION
Syntax
save configuration
Parameters
None.
Description
This command saves your changes to the switch’s active boot
configuration file for permanent storage.
Whenever you make a change to an operating parameter of the switch,
such as entering a new IP address or creating a new VLAN, the change is
stored in temporary memory. It will be lost the next time you reset the
switch or power cycle the unit.
To permanently save your changes, you must use this command. The
changes are saved in the active boot configuration file as a series of
commands. The commands in the file are used by the switch to recreate
all of its settings, such as VLANs and port settings, whenever you reset or
power cycle the unit.
To view the name of the currently active boot configuration file, see
“SHOW CONFIG” on page 200. To view the contents of a configuration
file, see “SHOW FILE” on page 201. For background information on boot
configuration files, refer to Chapter 10, “File System” in the AT-S63
Management Software Menus Interface User’s Guide.
Example
The following command saves your configuration changes to the active
boot configuration file:
save configuration
SET PROMPT
Syntax
set prompt="prompt"
Parameter
prompt
Specifies the command line prompt. The prompt can be
from one to 12 alphanumeric characters. Spaces and
special characters are allowed. The prompt must be
enclosed in quotes.
Description
This command changes the command prompt. Assigning each switch a
different command prompt can make it easier for you to identify the
different switches in your network when you manage them.
Note
If you define the system name before you set up a system prompt,
the switch uses the first 16 characters of the system name as the
prompt. See “SET SYSTEM” on page 56.
Example
The following command changes the command prompt to “Sales Switch”:
set prompt="Sales Switch"
Equivalent Command
set asyn prompt="prompt"
For information, see “SET ASYN” on page 52.
SET SWITCH CONSOLEMODE
Syntax
set switch consolemode=menu|cli
Parameter
consolemode
Specifies the mode you want management sessions to
start in. Options are:
menu
Specifies the AT-S63 Main Menu.
cli
Specifies the command line prompt. This is
the default.
Description
You use this command to specify whether you want your management
sessions to start by displaying the command line interface (CLI) or the
AT-S63 Main Menu. The default is the CLI.
Example
The following command configures the management software to display
the menus whenever you start a management session:
set switch consolemode=menu
SHOW USER
Syntax
show user
Parameter
None.
Description
Displays the user account you used to log on to manage the switch.
Example
show user
Chapter 3
Basic Switch Commands
This chapter contains the following commands:
• “DISABLE TELNET” on page 44
• “ENABLE TELNET” on page 45
• “PING” on page 46
• “RESET SWITCH” on page 47
• “RESET SYSTEM” on page 48
• “RESTART REBOOT” on page 49
• “RESTART SWITCH” on page 50
• “SET ASYN” on page 52
• “SET PASSWORD MANAGER” on page 53
• “SET PASSWORD OPERATOR” on page 54
• “SET SWITCH CONSOLETIMER” on page 55
• “SET SYSTEM” on page 56
• “SET TELNET INSERTNULL” on page 57
• “SET USER PASSWORD” on page 58
• “SHOW ASYN” on page 59
• “SHOW CONFIG DYNAMIC” on page 60
• “SHOW CONFIG INFO” on page 63
• “SHOW SWITCH” on page 64
• “SHOW SYSTEM” on page 67
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
DISABLE TELNET
Syntax
disable telnet
Parameters
None.
Description
This command disables the Telnet server on the switch. You might disable
the server to prevent anyone from managing the switch with the Telnet
application protocol or in the event you decide to use the Secure Shell
protocol for remote management. The default setting for the Telnet server
is enabled.
Example
The following command deactivates the Telnet server:
disable telnet
ENABLE TELNET
Syntax
enable telnet
Parameters
None.
Description
This command activates the Telnet server on the switch. With the server
activated, you can remotely manage the switch using the Telnet
application protocol. To disable the server, refer to “DISABLE TELNET” on
page 44. The default setting for the Telnet server is enabled.
Example
The following command activates the Telnet server:
enable telnet
PING
Syntax
ping ipaddress
Parameter
ipaddress
Specifies the IP address of an end node to be pinged.
Description
This command instructs the switch to ping an end node. You can use this
command to determine whether an active link exists between the switch
and another network device.
Note
The local subnet from where the switch is pinging the end node must
have a routing interface. The switch uses the IP address of the
interface as its source address when pinging the device. For
background information, refer to “Routing Interfaces and
Management Features” on page 557. For instructions on how to add
a routing interface to the switch, refer to “ADD IP INTERFACE” on
page 570.
Example
The following command pings an end node with the IP address of
149.245.22.22:
ping 149.245.22.22
The results of the ping are displayed on the screen.
RESET SWITCH
Syntax
reset switch
Parameters
None.
Description
This command does the following:
• Performs a soft reset on all ports. The reset takes less than a second
  to complete. The ports retain their current operating parameter
  settings. To perform this function on a per-port basis, refer to “RESET
  SWITCH PORT” on page 118.
• Resets the statistics counters for all ports to zero. To perform this
  function on a per-port basis, refer to “RESET SWITCH PORT
  COUNTER” on page 138.
• Deletes all dynamic MAC addresses from the MAC address table. To
  perform this function on a per-port basis, refer to “RESET SWITCH
  FDB” on page 148.
Example
This command resets the switch according to the description above:
reset switch
RESET SYSTEM
Syntax
reset system [name] [contact] [location]
Parameters
name
Deletes the switch’s name.
contact
Deletes the switch’s contact.
location
Deletes the switch’s location.
Description
This command deletes the switch’s name, the name of the network
administrator responsible for managing the unit, and the location of the
unit. To set these parameters, refer to “SET SYSTEM” on page 56. To
view the current settings, refer to “SHOW SYSTEM” on page 67.
Examples
This command deletes all three parameter settings:
reset system
This command deletes just the name:
reset system name
RESTART REBOOT
Syntax
restart reboot
Parameters
None.
Description
This command resets the switch. The switch runs its internal diagnostics,
loads the AT-S63 management software, and configures its parameter
settings using the active boot configuration file. The reset can take from 20
seconds to two minutes to complete, depending on the number and
complexity of the commands in the active boot configuration file.
Note
The switch does not forward traffic during the reset process. Some
network traffic may be lost.
Note
Be sure to use the SAVE CONFIGURATION command to save your
changes before resetting the switch. Any unsaved changes are lost.
Your local or remote management session with the switch ends when the
unit is reset. You must reestablish the session to continue managing the
unit.
Example
The following resets the switch:
restart reboot
RESTART SWITCH
Syntax
restart switch config=none|filename.cfg
Parameters
config
Specifies the configuration file. The file must already exist
on the switch. The NONE option returns the switch to its
default values.
Description
This command loads a different configuration file on the switch or returns
the switch’s parameter settings to their default values. This command can
also be used to reset the switch.
If you specify a configuration file, the switch automatically resets itself and
configures its parameters according to the settings in the configuration file
specified in the command. However, the assignment of the active boot
configuration file does not change. Resetting or power cycling the switch
again causes the unit to revert to its previous configuration. To change the
assignment of the active boot configuration file, refer to “SET CONFIG” on
page 197.
Specifying the NONE option returns the switch’s operating parameters to
the default setting. Note the following before using this option:
• Returning all parameter settings to their default values deletes all
  routing interfaces as well as all port-based and tagged VLANs on the
  switch.
• This option does not delete files from the AT-S63 file system. To delete
  files, refer to “DELETE FILE” on page 191.
• This option does not delete encryption keys stored in the key
  database. To delete encryption keys, refer to “DESTROY ENCO KEY”
  on page 654.
• Returning a switch to its default values does not change the settings in
  the active boot configuration file.
• This command does not change the assignment of the active boot
  configuration file, the configuration file the switch uses the next time it
  is reset. To reset the active configuration file back to the default
  settings, you must use the SAVE CONFIGURATION command after
  the switch reboots and you have reestablished your management
  session. Otherwise, the switch reverts to the previous configuration the
  next time you reset the switch.
Note
The switch does not forward network traffic during the reset process.
Some network traffic may be lost.
Note
For a list of default values, refer to Appendix A, “AT-S63 Default
Settings” in the AT-S63 Management Software Menus Interface
User’s Guide.
Your local or remote management session with the switch ends when you
reset the switch. You must reestablish the session to continue managing
the switch.
Examples
The following command configures the switch using the configuration file
named switch12.cfg:
restart switch config=switch12.cfg
The following command resets the switch to its default values:
restart switch config=none
The following command resets the switch:
restart switch
Equivalent Command
restart reboot
For information, see “RESTART REBOOT” on page 49.
SET ASYN
Syntax
set asyn [speed=1200|2400|4800|9600|19200|38400|57600|115200] [prompt="prompt"]
Parameters
speed
Sets the speed (baud rate) of the serial terminal port
on the switch. The default is 9600 bps.
prompt
Specifies the command line prompt. The prompt can
be from one to 12 alphanumeric characters. Spaces
and special characters are allowed. The prompt must
be enclosed in double quotes. This parameter
performs the same function as “SET PROMPT” on
page 40.
Description
This command sets the baud rate of the serial terminal port on the switch.
The port is used for local management of the switch. You can also use this
command to set the command line prompt.
Note
A change to the baud rate of the port ends your management
session if you are managing the switch locally. To reestablish a local
management session you must change the speed of the terminal or
the terminal emulator program to match the new speed of the serial
terminal port on the switch.
Example
The following command sets the baud rate to 115200 bps:
set asyn speed=115200
Equivalent Command
set prompt="prompt"
For information, see “SET PROMPT” on page 40.
SET PASSWORD MANAGER
Syntax
set password manager
Parameters
None.
Description
This command sets the manager’s password. The manager account
allows you to view and change all switch parameters. The default
password is “friend.” The password can be from 0 to 16 alphanumeric
characters. Allied Telesyn recommends that you avoid special characters,
such as spaces, asterisks, or exclamation points because some web
browsers do not accept them in passwords. The password is case
sensitive.
Example
The following command changes the manager’s password:
set password manager
Follow the prompts to enter the new password.
Equivalent Command
set user manager password=password
For information, see “SET USER PASSWORD” on page 58.
SET PASSWORD OPERATOR
Syntax
set password operator
Parameters
None.
Description
This command sets the operator’s password. Logging in as operator
allows you to only view the switch parameters. The default password is
“operator.” The password can be from 0 to 16 alphanumeric characters.
Allied Telesyn recommends that you avoid special characters, such as
spaces, asterisks, or exclamation points because some web browsers do
not accept them in passwords. The password is case sensitive.
Example
The following command changes the operator’s password:
set password operator
Follow the prompts to enter the new password.
Equivalent Command
set user operator password=password
For information, see “SET USER PASSWORD” on page 58.
SET SWITCH CONSOLETIMER
Syntax
set switch consoletimer=value
Parameter
consoletimer
Specifies the console timer in minutes. The range is 1
to 60 minutes. The default is 10 minutes.
Description
This command sets the console timer, which is used by the management
software to end inactive management sessions. The AT-S63 software
automatically ends a management session if it does not detect any activity
from a local or remote management station for the length of time specified
by the console timer. This security feature can prevent unauthorized
individuals from using your management station should you step away
from your system while configuring a switch. To view the current console
timer setting, refer to “SHOW SWITCH” on page 64.
Example
The following command sets the console timer to 25 minutes:
set switch consoletimer=25
SET SYSTEM
Syntax
set system [name="name"] [contact="contact"]
[location="location"]
Parameters
name
Specifies the name of the switch. The name can be from 1 to
39 alphanumeric characters in length and must be enclosed
in double quotes (" "). Spaces are allowed.
contact
Specifies the name of the network administrator responsible
for managing the switch. The contact can be from 1 to 39
alphanumeric characters in length and must be enclosed in
double quotes. Spaces are allowed.
location
Specifies the location of the switch. The location can be from
1 to 39 alphanumeric characters in length and must be
enclosed in double quotes. Spaces are allowed.
Description
This command sets a switch’s name, the name of the network
administrator responsible for managing the unit, and the location of the
unit.
If a parameter already has a value, the new value replaces the existing
value. To view the current values for these parameters, refer to “SHOW
SYSTEM” on page 67. To delete a value without assigning a new value,
refer to “RESET SYSTEM” on page 48.
Note
If you define the system name before you set up a system prompt,
the switch uses the first 16 characters of the system name as the
prompt. See “SET PROMPT” on page 40.
Examples
The following command sets a switch’s information:
set system name="Sales" contact="Jane Smith" location="Bldg 3, rm 212"
The following command sets just the system’s name:
set system name="PR Office"
SET TELNET INSERTNULL
Syntax
set telnet insertnull=on|off
Parameters
insertnull
Controls whether a NULL character is inserted after each CR
sent by the Telnet server to the remote client. Options are:
on
Sends a NULL character after each CR sent to the
remote client.
off
Specifies that no NULL character is sent to the
remote client. This is the default setting.
Description
You can use this command to toggle the Telnet server on the switch to add
a NULL character after each CR for those Telnet clients that require the
character in order to display the information correctly. The default setting
on the switch is to not send the NULL character after a CR. To view the
current setting, see “SHOW SWITCH” on page 64.
Example
This command configures the switch to send a NULL character after each
CR during a Telnet management session:
set telnet insertnull=on
SET USER PASSWORD
Syntax
set user manager|operator password=password
Parameter
password
Specifies the password.
Description
This command sets the manager or operator’s password. The default
manager password is “friend.” The default operator password is
“operator.” The password can be from 0 to 16 alphanumeric characters.
Allied Telesyn recommends that you avoid special characters, such as
spaces, asterisks, or exclamation points because some web browsers do
not accept them in passwords. The password is case sensitive.
Example
The following command sets the operator’s password to “newby”:
set user operator password=newby
Equivalent Commands
set password manager
For information, see “SET PASSWORD MANAGER” on page 53.
set password operator
For information, see “SET PASSWORD OPERATOR” on page 54.
SHOW ASYN
Syntax
show asyn
Parameters
None.
Description
This command displays the settings for the serial terminal port on the
switch, used for local management of the device. An example of the
display is shown in Figure 1.
Asynchronous Port (Console) Information:
Baud Rate ................................. 115200
Parity .................................... NONE
Data bits ................................. 8
Stop bits ................................. 1
Prompt .................................... "Sales Switch"
Figure 1. SHOW ASYN Command
To configure the serial port’s baud rate, refer to “SET ASYN” on page 52.
To configure the command line prompt, refer to “SET PROMPT” on
page 40. You cannot adjust the parity, data bits, or stop bit of the serial
terminal port.
Example
The following command displays the serial terminal port settings:
show asyn
SHOW CONFIG DYNAMIC
Syntax
show config dynamic[=module]
Parameters
module
Displays the settings of a specific switch module. You can
specify only one module. For a list of modules, refer to Table 5.
Description
This command displays the settings of the switch parameters that have
been changed from their default values, including those not yet saved to
the active boot configuration file. The parameters are displayed in their
command line command equivalents. You can view all of the settings or
limit the display to just those of a particular switch module. An example of
the display is shown in Figure 2.
---Start of current configuration -----------------
#
# System Configuration
#
set system name="Production Server"
set system contact="Jane Smith"
set system location="Bldg. 2, room 411"
#
# IP Configuration
#
Figure 2. SHOW CONFIG DYNAMIC Command
The MODULE variable is used to limit the display to the parameter
settings of a particular switch module. You can specify only one module
per command. The modules are listed in Table 5.
Table 5. Module Variable

Variable     Description
ACL          Port access control list
ARP          Static ARP entries
AUTH         Manager and operator passwords (encrypted) and RADIUS and TACACS+
CLASSIFIER   Classifiers for ACL and QoS
DOS          Denial of service defense
ENCO         Encryption keys
ENHSTACK     Enhanced stacking
EVTLOG       Event log and syslog client
GARP         GARP and GVRP
IGMPSNOOP    IGMP snooping
INTF         Routing interfaces
LACP         Link Aggregation Control Protocol
MAC          Static MAC addresses
MACTIMER     MAC address table timeout value
MACVLAN      MAC address-based VLANs
MGMTACL      Management access control list
MIRROR       Source ports of port mirror
MIRTO        Destination port of port mirror
MLDSNOOP     MLD snooping
PKI          Public Key Infrastructure
PORT         Port configuration
PORTACC      802.1x port-based access control
PORTSEC      MAC address-based port security
PORTTRUNK    Static port trunks
QOS          Quality of Service
RIP          Routing Information Protocol
ROUTE        Static routes
RRPSNOOP     RRP snooping
SNMP         SNMP
SNTP         SNTP
SSH          Secure Shell protocol
SSL          Secure Sockets Layer protocol
STP          Spanning Tree, Rapid Spanning, and Multiple Spanning Tree protocols
SWITCH       Switch console timer, console startup mode, serial port baud rate, Telnet server
SYSTEM       Administrator name, switch name, and switch location
VLAN         Port-based and tagged VLANs, and multiple VLAN modes
WEBSERV      Web server
Examples
The following command displays all the switch parameter settings that
have been changed from their default values:
show config dynamic
The following command displays the non-default parameter settings for
IGMP snooping:
show config dynamic=igmpsnoop
SHOW CONFIG INFO
Syntax
show config info
Parameters
None.
Description
This command displays the settings of all the switch parameters, including
those not yet saved to the active boot configuration file.
Examples
The following command displays all the parameter settings on the switch:
show config info
SHOW SWITCH
Syntax
show switch
Parameters
None.
Description
This command displays a variety of switch parameters. An example of the
display is shown in Figure 3.
Switch Information:
Application Software Version ......... ATS63 v1.2.0 NE
Application Software Build Date ...... Jun 10 2005 16:27:38
Bootloader Version ................... ATS63_LOADER v1.3.0
Bootloader Build Date ................ Apr 7 2005 16:25:19
MAC Address .......................... 00:21:46:A7:B4:43
VLAN Mode ............................ User Configured
Ingress Filtering .................... OFF
Active Spanning Tree version ......... RSTP
Mirroring State ...................... Disabled
Enhanced Stacking mode ............... Master
Console Disconnect Timer Interval .... 10 minute(s)
Web Server Status .................... Enabled
Telnet Server status ................. Enabled
Telnet insert NULL ................... OFF
MAC address aging time ............... 300 second(s)
Console Startup Mode ................. CLI
Multicast Mode ....................... Forward Across VLANs
Figure 3. SHOW SWITCH Command
This command displays the following information:
• Application software version and Application software build date - The
  version number and build date of the AT-S63 management software.
• Bootloader version and Bootloader build date - The version number
  and build date of the AT-S63 bootloader.
• MAC address - The MAC address of the switch. This value cannot be
  changed.
• VLAN mode - The switch’s VLAN mode. The three possible VLAN
  modes are:
    • User configured (for creating your own port-based and tagged
      VLANs)
    • 802.1Q-compliant
    • Non-802.1Q-compliant.
  The default is user configured. To set a switch’s VLAN mode, refer to
  “SET SWITCH VLANMODE” on page 502.
• Ingress filtering - The status of ingress filtering on the switch. When
  ingress filtering is activated, tagged frames are filtered when they are
  received on a port. When ingress filtering is deactivated, which is the
  default, tagged frames are filtered before they are transmitted out a
  port. To set ingress filtering, refer to “SET SWITCH INFILTERING” on
  page 501.
• Active Spanning Tree version - The spanning tree protocol that has
  been designated as the active protocol on the switch. To configure or
  enable a spanning tree protocol, you must first designate it as the
  active protocol on the switch. The switch supports STP, RSTP, and
  MSTP. The default is RSTP. To select an active spanning tree protocol,
  refer to “ACTIVATE STP” on page 436, “ACTIVATE RSTP” on
  page 450, and “ACTIVATE MSTP” on page 464.
• Mirroring state - The status of port mirroring. The display includes the
  destination port as well as the ingress and egress source ports if port
  mirroring is activated on the switch. To configure port mirroring, refer to
  “SET SWITCH MIRROR” on page 182 and “SET SWITCH PORT
  MIRROR” on page 183.
• Enhanced stacking mode - The enhanced stacking mode of the switch,
  which can be master, slave, or unavailable. The default is slave. To set
  the enhanced stacking status, refer to “SET SWITCH STACKMODE”
  on page 72.
• Console disconnect timer interval - The current value of the console
  timer, used by the management software to end inactive management
  sessions. The AT-S63 software ends a local or remote management
  session if it does not detect any management activity for the length of
  time specified by the console timer. The default is 10 minutes. To set
  the console timer, refer to “SET SWITCH CONSOLETIMER” on
  page 55.
• Web server status - The status of the web server. When the web server
  is disabled, you cannot remotely manage the switch using a web
  browser and the web browser interface. The default setting is enabled.
  To enable or disable the server, refer to “ENABLE HTTP SERVER” on
  page 641 and “DISABLE HTTP SERVER” on page 640.
• Telnet server status - The status of the Telnet server. When the Telnet
  server is disabled, you cannot remotely manage the switch using the
  Telnet application protocol. The default setting is enabled. To enable or
  disable the server, refer to “ENABLE TELNET” on page 45 and
  “DISABLE TELNET” on page 44.
• Telnet insert NULL - The status of the Telnet NULL parameter. When
  ON, the Telnet server on the switch adds a NULL character after each
  CR for those Telnet clients that require the character to display the
  information correctly. When OFF, the default setting, no NULL
  character is sent after a CR. To set this feature, see “SET TELNET
  INSERTNULL” on page 57.
• MAC address aging time - The current value for the MAC address
  aging timer. The switch uses the aging timer to delete inactive dynamic
  MAC addresses from the MAC address table. To set this value, refer
  to “SET SWITCH AGINGTIMER|AGEINGTIMER” on page 149.
• Console startup mode - The management interface (menus or
  command line) that initially appears when you start a local or remote
  management session. The default is the command line interface. To
  set the startup mode, refer to “SET SWITCH CONSOLEMODE” on
  page 41.
• Multicast Mode - The multicast mode, which determines the behavior
  of the switch when forwarding ingress spanning tree BPDU packets
  and 802.1x port-based access control EAPOL packets. To set the
  multicast mode, refer to “SET SWITCH MULTICASTMODE” on
  page 445.
Example
The following command displays the switch information described above:
show switch
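As an added example (not from the manual or the AT-S63 software), the following Python script parses a captured SHOW SWITCH display in the Figure 3 layout and reports the management settings an administrator reviewing remote-access exposure would want to revisit. The sample output is constructed, and the choice of checks and the console timer threshold are this example's own assumptions.

```python
"""Audit a captured AT-S63 'show switch' display for management settings
worth a second look (Telnet server, web server, console timer, stacking role).

Added example, not part of the AT-S63 manual or the Allied Telesyn software.
The sample display is constructed to match Figure 3; the checks and the
console timer threshold are assumptions of this example.
"""
import re
from typing import Dict, List

# Constructed sample in the Figure 3 layout: "Label ....... Value" lines.
SHOW_SWITCH_OUTPUT = """\
Switch Information:
Application Software Version ......... ATS63 v1.2.0 NE
Application Software Build Date ...... Jun 10 2005 16:27:38
Bootloader Version ................... ATS63_LOADER v1.3.0
Bootloader Build Date ................ Apr 7 2005 16:25:19
MAC Address .......................... 00:21:46:A7:B4:43
VLAN Mode ............................ User Configured
Ingress Filtering .................... OFF
Active Spanning Tree version ......... RSTP
Mirroring State ...................... Disabled
Enhanced Stacking mode ............... Master
Console Disconnect Timer Interval .... 10 minute(s)
Web Server Status .................... Enabled
Telnet Server status ................. Enabled
Telnet insert NULL ................... OFF
MAC address aging time ............... 300 second(s)
Console Startup Mode ................. CLI
Multicast Mode ....................... Forward Across VLANs
"""

# A label (no dots), a run of at least two leader dots, then the value.
LINE_RE = re.compile(r"^\s*(?P<label>[^.]+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")


def parse_show_switch(text: str) -> Dict[str, str]:
    """Map each displayed label (lower-cased) to its value string.

    Lines without a dot leader, such as the 'Switch Information:' heading,
    are ignored.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group("label").lower()] = m.group("value")
    return fields


def audit_show_switch(fields: Dict[str, str], max_console_minutes: int = 10) -> List[str]:
    """Return findings as plain sentences; an empty list means nothing flagged.

    max_console_minutes is a local policy value (assumption); the manual
    allows 1 to 60 minutes with a default of 10.
    """
    findings: List[str] = []
    if fields.get("telnet server status", "").lower() == "enabled":
        findings.append("Telnet server is enabled (cleartext management); "
                        "if SSH is in use, consider DISABLE TELNET")
    if fields.get("web server status", "").lower() == "enabled":
        findings.append("Web server is enabled; disable it if the web "
                        "interface is not used for management")
    m = re.match(r"(\d+)", fields.get("console disconnect timer interval", ""))
    if m and int(m.group(1)) > max_console_minutes:
        findings.append(f"Console timer of {m.group(1)} minutes exceeds the "
                        f"local limit of {max_console_minutes} minutes")
    if fields.get("enhanced stacking mode", "").lower() == "master":
        findings.append("Enhanced stacking mode is Master; sessions on slave "
                        "switches can be opened from here (ACCESS SWITCH), "
                        "so confirm this is the intended master")
    return findings


if __name__ == "__main__":
    for finding in audit_show_switch(parse_show_switch(SHOW_SWITCH_OUTPUT)):
        print("-", finding)
```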
SHOW SYSTEM
Syntax
show system
Parameters
None.
Description
This command displays the following information:
MAC Address
The MAC address of the switch.
Model Name
The model name of the switch.
Serial Number
The serial number of the switch.
IP Address
The IP address of the local interface.
Subnet Mask
The subnet mask of the local interface.
Note
To manage routing interfaces and designate a local interface, refer
to Chapter 32, “Internet Protocol Version 4 Packet Routing” on page
545.
Default Gateway
For AT-9400 Series switches that support IPv4 routing, such as the
AT-9448Ts and AT-9448Ts/XP switches, this field displays the IP address
of the next hop of the switch’s default route. The switch uses the default
route when it receives a network packet for routing, but cannot find a route
for it in the routing table. This field will contain 0.0.0.0 if no default route is
defined on the switch.
For AT-9400 Series switches that do not support IPv4 packet routing, such
as the AT-9424T/GB and AT-9424T/SP switches, this field displays the
default gateway address. This is the IP address of a router interface on
your network. The switch’s management software uses this address as the
next hop to reaching a remote network device when the switch’s local
interface and the remote device are on different subnets. The default value
is 0.0.0.0.
System Up Time
The length of time since the switch was last reset or power cycled.
Application Software
The version number and build date of the AT-S63 management software.
Bootloader
The version number and build date of the AT-S63 bootloader.
System Name
The name of the switch.
Administrator
The name of the network administrator responsible for managing the
switch.
Location
The location of the switch (for example, 4th Floor - rm 402B).
Note
To configure the name, administrator, and location parameters, refer
to “SET SYSTEM” on page 56.
Power Information
The status of the main power supply, the redundant power supply (if
present), and internal power consumption.
Temperature (Deg.C)
The ambient temperature as measured where the air enters the cooling
vents on the side of the unit.
Fan Information
The speed or operating status of the system fan(s).
Example
The following command displays the above information about the switch:
show system
Chapter 4
Enhanced Stacking Commands
This chapter contains the following commands:
• “ACCESS SWITCH” on page 70
• “SET SWITCH STACKMODE” on page 72
• “SHOW REMOTELIST” on page 74
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 4, “Enhanced
Stacking” in the AT-S63 Management Software Menus Interface
User’s Guide.
Chapter 4: Enhanced Stacking Commands
ACCESS SWITCH
Syntax
access switch number=number|macaddress=macaddress
Parameters
number
Specifies the number of the switch in an enhanced
stack that you want to manage. You view this number
using the SHOW REMOTELIST command.
macaddress
Specifies the MAC address of the switch you want to
manage. This can also be displayed using the SHOW
REMOTELIST command. You can enter the address
in either of the following formats:
xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx
Description
This command starts a management session on another switch that
supports enhanced stacking, such as another AT-9400 Series switch or an
AT-8500 Series switch. You can specify the switch by switch number or by
MAC address, both of which are displayed with “SHOW REMOTELIST” on
page 74.
Note
You must perform the ACCESS SWITCH command from the
management session of the master switch where you started the
session. This command will not work from a management session of
a slave switch. To determine the master or slave status of your
switch, use “SHOW SWITCH” on page 64.
Note
You must perform the SHOW REMOTELIST command before the
ACCESS SWITCH command.
When you are finished managing a slave switch, use the LOGOFF,
LOGOUT, or QUIT command to end the management session and return
back to the master switch from which you started the management
session. For information, refer to “LOGOFF, LOGOUT and QUIT” on
page 37.
Examples
The following command starts a management session on switch number
12:
access switch number=12
The following command starts a management session on a switch with the
MAC address 00:30:84:52:02:11:
access switch macaddress=003084520211
SET SWITCH STACKMODE
Syntax
set switch stackmode=master|slave|unavailable
Parameter
stackmode
Specifies the enhanced stacking mode of the switch.
The options are:
master
Specifies the switch’s stacking mode
as master. A master switch must be
assigned an IP address and subnet
mask.
slave
Specifies the switch’s stacking mode
as slave. A slave does not need an
IP address. This is the default setting
for a switch.
unavailable
Specifies the switch’s stacking mode
as unavailable. A switch with this
status cannot be managed from an
enhanced stack. It can be managed
locally through its RS-232 terminal
port or remotely if it is assigned an IP
address and subnet mask.
Description
This command sets a switch’s enhanced stacking status.
Note
To determine the master or slave status of a switch, use “SHOW
SWITCH” on page 64.
Note
You cannot change the stacking status of a switch through
enhanced stacking. If a switch does not have an IP address or
subnet mask, such as a slave switch, you must use a local
management session to change its stacking status. If the switch has
an IP address and subnet mask, such as a master switch, you can
use a local session or a remote Telnet or SSH management session
to change its stacking status.
Example
The following command sets the switch’s stacking status to master:
set switch stackmode=master
SHOW REMOTELIST
Syntax
show remotelist [sorted by=macaddress|name]
Parameter
sorted
Sorts the list either by MAC address or by name. The
default is by MAC address.
Description
This command displays the list of switches in an enhanced stack. The list
does not include the master switch where you started the management
session or switches with a stacking status of unavailable.
Note
You must perform the SHOW REMOTELIST command from the
management session of the master switch where you started the
management session. This command will not work from a slave
switch. Nor will the command work from a master switch that you
accessed through enhanced stacking from another master switch.
To determine the master or slave status of your switch, use “SHOW
SWITCH” on page 64.
An example of the information displayed by this command is shown in
Figure 4.
Searching for slave devices. Please wait...
Num  MAC Address        Name           Switch  Software    Switch
                                       Mode    Version     Model
------------------------------------------------------------------------
01   00:21:46:A7:B4:04  Production..   Slave   S63 v1.2.0  AT-9424T/SP
02   00:21:46:A7:B4:43  Marketing      Slave   S63 v1.2.0  AT-9424T/SP
03   00:30:84:00:00:02  Tech Suppo..   Slave   S62 v1.3.0  AT-8524M
Figure 4. SHOW REMOTELIST Command
Examples
The following command displays the switches in an enhanced stack,
sorted by MAC address, the default sorting method:
show remotelist
The following command displays the switches sorted by name:
show remotelist sorted by=name
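As an added example (not from the manual or the AT-S63 software), the following Python script parses a SHOW REMOTELIST display in the Figure 4 layout into an inventory of stack members, normalizes MAC addresses between the two formats ACCESS SWITCH accepts, and lists members whose software version differs from a chosen baseline. The sample output is constructed, and treating the version as an exact string to compare is a simplifying assumption of this example.

```python
"""Inventory the members of an AT-S63 enhanced stack from a captured
'show remotelist' display and build the ACCESS SWITCH command for one.

Added example, not part of the AT-S63 manual or the Allied Telesyn software.
The sample display is constructed to match Figure 4; exact-string version
comparison is an assumption of this example.
"""
import re
from typing import List, NamedTuple

# Constructed sample in the Figure 4 layout: two header rows, a rule, then
# one row per switch (Num, MAC Address, Name, Switch Mode, Software
# Version, Switch Model). Long names are truncated with ".." by the switch.
SHOW_REMOTELIST_OUTPUT = """\
Searching for slave devices. Please wait...
Num  MAC Address        Name           Switch  Software    Switch
                                       Mode    Version     Model
------------------------------------------------------------------------
01   00:21:46:A7:B4:04  Production..   Slave   S63 v1.2.0  AT-9424T/SP
02   00:21:46:A7:B4:43  Marketing      Slave   S63 v1.2.0  AT-9424T/SP
03   00:30:84:00:00:02  Tech Suppo..   Slave   S62 v1.3.0  AT-8524M
"""

ROW_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<name>.+?)\s+"                 # name may contain spaces
    r"(?P<mode>Master|Slave)\s+"
    r"(?P<version>S\d+ v[\d.]+)\s+"     # e.g. "S63 v1.2.0"
    r"(?P<model>\S+)\s*$"
)


class StackMember(NamedTuple):
    num: int
    mac: str       # canonical xx:xx:xx:xx:xx:xx, upper case
    name: str      # as displayed, possibly truncated with ".."
    mode: str
    version: str
    model: str


def normalize_mac(mac: str) -> str:
    """Accept either format ACCESS SWITCH takes (xxxxxxxxxxxx or
    xx:xx:xx:xx:xx:xx) and return the colon form in upper case."""
    digits = mac.replace(":", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_remotelist(text: str) -> List[StackMember]:
    """Return one StackMember per data row; header and rule lines are skipped."""
    members: List[StackMember] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            members.append(StackMember(int(m.group("num")),
                                       normalize_mac(m.group("mac")),
                                       m.group("name"), m.group("mode"),
                                       m.group("version"), m.group("model")))
    return members


def access_command(mac: str) -> str:
    """Build the ACCESS SWITCH command keyed by MAC address, in the
    12-hex-digit form the manual shows in its example."""
    return "access switch macaddress=" + normalize_mac(mac).replace(":", "").lower()


def members_not_on(members: List[StackMember], baseline: str) -> List[StackMember]:
    """Members whose displayed software version differs from the baseline,
    a simple way to spot stack members left behind after an upgrade."""
    return [m for m in members if m.version != baseline]


if __name__ == "__main__":
    stack = parse_remotelist(SHOW_REMOTELIST_OUTPUT)
    for member in members_not_on(stack, "S63 v1.2.0"):
        print(f"{member.name} ({member.model}) runs {member.version}: "
              f"{access_command(member.mac)}")
```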
Chapter 5
Simple Network Time Protocol (SNTP)
Commands
This chapter contains the following commands:
• “ADD SNTPSERVER PEER|IPADDRESS” on page 78
• “DELETE SNTPSERVER PEER|IPADDRESS” on page 79
• “DISABLE SNTP” on page 80
• “ENABLE SNTP” on page 81
• “PURGE SNTP” on page 82
• “SET DATE” on page 83
• “SET SNTP” on page 84
• “SET TIME” on page 85
• “SHOW SNTP” on page 86
• “SHOW TIME” on page 88
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on SNTP, refer to Chapter 3, “Basic
Switch Parameters” in the AT-S63 Management Software Menus
Interface User’s Guide.
Chapter 5: Simple Network Time Protocol (SNTP) Commands
ADD SNTPSERVER PEER|IPADDRESS
Syntax
add sntpserver peer|ipaddress=ipaddress
Parameter
peer or
ipaddress
Specifies the IP address of an SNTP server. These
parameters are equivalent.
Description
This command adds the IP address of an SNTP or NTP server to the
SNTP client on the switch. The switch uses the SNTP or NTP server to set
its date and time. You can specify only one SNTP or NTP server.
Note
The local subnet from which the switch reaches the SNTP or NTP
server must have a routing interface. The switch uses the IP
address of the interface as its source address when sending packets
to the server. For background information, refer to “Routing
Interfaces and Management Features” on page 557. For instructions
on how to add a routing interface to the switch, refer to “ADD IP
INTERFACE” on page 570.
If the routing interface obtains its IP address and subnet mask from
a DHCP server, you can configure the DHCP server to provide the
switch with the IP address of an NTP or SNTP server. If you have
configured the DHCP server to provide this address, you do not
need to enter it with this command.
Example
The following command specifies the IP address of 148.35.16.248 for the
SNTP server:
add sntpserver ipaddress=148.35.16.248
DELETE SNTPSERVER PEER|IPADDRESS
Syntax
delete sntpserver peer|ipaddress=ipaddress
Parameter
peer or
ipaddress
Specifies the IP address of an SNTP server. The
parameters are equivalent.
Description
This command deletes the IP address of the SNTP server from the SNTP
client software on the switch and returns the parameter to the default value
of 0.0.0.0. To view the IP address, refer to “SHOW SNTP” on page 86.
Example
The following command deletes the SNTP server with the IP address
148.35.16.248:
delete sntpserver ipaddress=148.35.16.248
DISABLE SNTP
Syntax
disable sntp
Parameters
None.
Description
This command disables the SNTP client software on the switch. The
default setting for SNTP is disabled.
Example
The following command disables SNTP on the switch:
disable sntp
ENABLE SNTP
Syntax
enable sntp
Parameters
None.
Description
This command enables the SNTP client software on the switch. The
default setting for SNTP is disabled. With SNTP enabled, the switch will
obtain its date and time from an SNTP server, assuming that you have
specified a server IP address with “ADD SNTPSERVER
PEER|IPADDRESS” on page 78.
Example
The following command enables the SNTP client software:
enable sntp
PURGE SNTP
Syntax
purge sntp
Parameters
None.
Description
This command clears the SNTP configuration and disables the SNTP
server. To disable SNTP and retain the configuration, see “DISABLE
SNTP” on page 80.
Example
The following command clears the SNTP configuration and disables
SNTP:
purge sntp
SET DATE
Syntax
set date=dd-mm-yyyy
Parameter
date
Specifies the date for the switch in day-month-year
format.
Description
This command sets the date on the switch. You can use this command to
set the switch’s date if you are not using an SNTP server. The AT-9400
Series switch has an onboard battery that maintains the date even when
the unit is powered off or reset.
Example
The following command sets the switch’s date to December 11, 2004:
set date=11-12-2004
SET SNTP
Syntax
set sntp [dst=enabled|disabled] [pollinterval=value]
[utcoffset=value]
Parameters
dst
Enables or disables daylight savings time.
pollinterval
Specifies the time interval between two successive
queries to the SNTP server. The range is 60 to 1200
seconds. The default is 600 seconds.
utcoffset
Specifies the time difference in hours between UTC
and local time. The range is -12 to +12 hours. The
default is 0 hours.
Description
This command enables or disables daylight savings time and sets the
polling and UTC offset times for the SNTP client software.
Note
The switch does not set DST automatically. If the switch is in a
locale that uses DST, you must remember to enable this in April
when DST begins and disable it in October when DST ends. If the
switch is in a locale that does not use DST, set this option to
disabled all the time.
Example
The following command enables daylight savings time, sets the poll
interval to 300 seconds, and sets the UTC offset to -8 hours:
set sntp dst=enabled pollinterval=300 utcoffset=-8
SET TIME
Syntax
set time=hh:mm:ss
Parameter
time
Specifies the hour, minute, and second for the switch’s
time in 24-hour format.
Description
This command sets the time on the switch. You can use this command to
set the switch’s time if you are not using an SNTP server. The AT-9400
Series switch has an onboard battery that maintains the time even when
the unit is powered off or reset.
Example
The following command sets the switch’s time to 4:34 pm and 52 seconds:
set time=16:34:52
SHOW SNTP
Syntax
show sntp
Parameters
None.
Description
This command displays the current settings for the client SNTP software
on the switch. An example of the display is shown in Figure 5.
SNTP Configuration:
Status ........................ Disabled
Server ........................ 0.0.0.0
UTC Offset .................... +0
Daylight Savings Time (DST) ... Enabled
Poll Interval ................. 600 seconds
Last Delta .................... +0 seconds
Figure 5. SHOW SNTP Command
The information displayed by this command is described here:
• Status - The status of the SNTP client software on the switch. The
status can be either enabled or disabled. If enabled, the switch seeks
its date and time from an SNTP server. The default is disabled.
• Server - The IP address of the SNTP server.
• UTC Offset - The time difference in hours between UTC and local time.
The range is -12 to +12 hours. The default is 0 hours.
• Daylight Savings Time (DST) - The status of the daylight savings time
setting. The status can be enabled or disabled.
• Poll Interval - The time interval between two successive queries to the
SNTP server. The range is 60 to 1200 seconds. The default is 600
seconds.
• Last Delta - The last adjustment applied to the system time. It is the
drift in the system clock between two successive queries to the SNTP
server.
Example
The following command displays SNTP client software information:
show sntp
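The display layout of Figure 5 and the SET SNTP ranges, worked as an added Python example that is not code from the guide or from Allied Telesyn: it parses SHOW SNTP output into a record, raises the findings a reviewer would want (client disabled, server cleared to 0.0.0.0, a large Last Delta), and builds a SET SNTP line that refuses out-of-range values. The two sample outputs are constructed, and the 5-second delta threshold is an assumed review threshold.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Two constructed samples in the layout of Figure 5 (not captured from a real
# switch): the factory default, and an enabled client whose server address was
# cleared with DELETE SNTPSERVER and whose clock was stepped at the last poll.
DEFAULT_SHOW_SNTP = """\
SNTP Configuration:
Status ........................ Disabled
Server ........................ 0.0.0.0
UTC Offset .................... +0
Daylight Savings Time (DST) ... Enabled
Poll Interval ................. 600 seconds
Last Delta .................... +0 seconds
"""
DRIFTED_SHOW_SNTP = """\
SNTP Configuration:
Status ........................ Enabled
Server ........................ 0.0.0.0
UTC Offset .................... -8
Daylight Savings Time (DST) ... Enabled
Poll Interval ................. 300 seconds
Last Delta .................... +47 seconds
"""

# Ranges stated for SET SNTP on this page.
POLL_MIN, POLL_MAX = 60, 1200   # pollinterval, seconds
UTC_MIN, UTC_MAX = -12, 12      # utcoffset, hours

# "Label .... value": the label is everything before the run of dots.
_FIELD = re.compile(r"^(?P<label>.+?)\s*\.{3,}\s*(?P<value>\S.*?)\s*$")


@dataclass
class SntpConfig:
    enabled: bool
    server: str
    utc_offset: int
    dst: bool
    poll_interval: int
    last_delta: int


def parse_show_sntp(text: str) -> SntpConfig:
    """Parse SHOW SNTP output into a structured record."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("label")] = m.group("value")

    def seconds(value: str) -> int:
        return int(value.split()[0])  # "+47 seconds" -> 47

    return SntpConfig(
        enabled=fields["Status"].lower() == "enabled",
        server=fields["Server"],
        utc_offset=int(fields["UTC Offset"]),
        dst=fields["Daylight Savings Time (DST)"].lower() == "enabled",
        poll_interval=seconds(fields["Poll Interval"]),
        last_delta=seconds(fields["Last Delta"]),
    )


def audit_sntp(cfg: SntpConfig, max_abs_delta: int = 5) -> List[str]:
    """Findings a reviewer would raise; max_abs_delta is an assumed threshold."""
    findings: List[str] = []
    if not cfg.enabled:
        findings.append("SNTP client disabled: time comes only from SET DATE/SET TIME "
                        "and the onboard battery clock")
    if cfg.server == "0.0.0.0":
        findings.append("no SNTP server configured (0.0.0.0 is the value left by "
                        "DELETE SNTPSERVER)")
    if not POLL_MIN <= cfg.poll_interval <= POLL_MAX:
        findings.append(f"poll interval {cfg.poll_interval}s outside {POLL_MIN}-{POLL_MAX}")
    if not UTC_MIN <= cfg.utc_offset <= UTC_MAX:
        findings.append(f"UTC offset {cfg.utc_offset:+d} outside {UTC_MIN}..+{UTC_MAX}")
    if abs(cfg.last_delta) > max_abs_delta:
        findings.append(f"last correction was {cfg.last_delta:+d}s; large steps make "
                        "log timestamps unreliable for event correlation")
    return findings


def set_sntp_command(dst: Optional[bool] = None, pollinterval: Optional[int] = None,
                     utcoffset: Optional[int] = None) -> str:
    """Build a SET SNTP line, refusing values outside the documented ranges."""
    parts = ["set sntp"]
    if dst is not None:
        parts.append("dst=" + ("enabled" if dst else "disabled"))
    if pollinterval is not None:
        if not POLL_MIN <= pollinterval <= POLL_MAX:
            raise ValueError(f"pollinterval must be {POLL_MIN}-{POLL_MAX} seconds")
        parts.append(f"pollinterval={pollinterval}")
    if utcoffset is not None:
        if not UTC_MIN <= utcoffset <= UTC_MAX:
            raise ValueError(f"utcoffset must be {UTC_MIN} to +{UTC_MAX} hours")
        parts.append(f"utcoffset={utcoffset}")
    return " ".join(parts)
```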
SHOW TIME
Syntax
show time
Parameters
None.
Description
This command shows the system’s current date and time.
Example
The following command shows the system’s date and time:
show time
Chapter 6
SNMPv2 and SNMPv2c Commands
This chapter contains the following commands:
• “ADD SNMP COMMUNITY” on page 90
• “CREATE SNMP COMMUNITY” on page 92
• “DELETE SNMP COMMUNITY” on page 95
• “DESTROY SNMP COMMUNITY” on page 97
• “DISABLE SNMP” on page 98
• “DISABLE SNMP AUTHENTICATETRAP” on page 99
• “DISABLE SNMP COMMUNITY” on page 100
• “ENABLE SNMP” on page 101
• “ENABLE SNMP AUTHENTICATETRAP” on page 102
• “ENABLE SNMP COMMUNITY” on page 103
• “SET SNMP COMMUNITY” on page 104
• “SHOW SNMP” on page 106
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 5,
“SNMPv1 and SNMPv2c” in the AT-S63 Management Software
Menus Interface User’s Guide.
Section I: Basic Features
Chapter 6: SNMPv2 and SNMPv2c Commands
ADD SNMP COMMUNITY
Syntax
add snmp community="community" [traphost=ipaddress]
[manager=ipaddress]
Parameters
community
Specifies an existing SNMP community string on the
switch. This parameter is case sensitive. The name
must be enclosed in double quotes if it contains a
space or special character such as an exclamation
point. Otherwise, the quotes are optional.
traphost
Specifies the IP address of a trap receiver.
manager
Specifies the IP address of a management station to
have SNMP access to the switch using the
community string.
Description
This command adds the IP address of a trap receiver or a management
station to an existing community string.
The TRAPHOST parameter specifies a trap receiver for the SNMP
community string. This is the IP address of a device to which traps
generated by the switch are sent. A community string can have up to eight
IP addresses of trap receivers, but only one can be added at a time with
this command.
The MANAGER parameter specifies a management station to be allowed
SNMP management access to the switch using the community string. This
parameter applies only to community strings with a closed status. A
community string can have up to eight IP addresses of management
stations, but only one can be added at a time with this command.
To create a new community string, refer to “CREATE SNMP
COMMUNITY” on page 92. To view the current community strings, refer to
“SHOW SNMP” on page 106.
Examples
The following command permits access by a management station with the
IP address 149.212.11.22 to the switch through the “private” community
string:
add snmp community=private manager=149.212.11.22
The following command adds the IP address 149.212.10.11 as a trap
receiver to the “public” community string:
add snmp community=public traphost=149.212.10.11
CREATE SNMP COMMUNITY
Syntax
create snmp community="community" [access=read|write]
[open=yes|no|on|off|true|false] [traphost=ipaddress]
[manager=ipaddress]
Parameters
community
Specifies a new community string. The maximum length
of a community string is 15 alphanumeric characters.
Spaces are allowed. The name must be enclosed in
double quotes if it includes a space or other special
character such as an exclamation point. Otherwise, the
quotes are optional. The string is case sensitive.
access
Specifies the access level of the new community string.
Options are “read” for read only access and “write” for
both read and write access. The default is “read.”
open
Specifies the open or closed status of the community
string. The options are:
yes, on, true
The community string is open, meaning
any management station can use the
string to access the switch. These values
are equivalent.
no, off, false
The community string is closed, meaning
only those management stations whose
IP addresses are assigned to the string
can use it to access the switch. You can
assign a management IP address to the
string using the MANAGER option in this
command. The default setting for a
community string is closed. These
values are equivalent.
traphost
Specifies the IP address of a trap receiver to receive
system traps.
manager
Specifies the IP address of a management station that
can use the community string to access the switch. This
option applies if you specify the status of the community
string as closed. A community string can have up to
eight IP addresses of management stations, but only
one can be assigned with this option.
Description
This command creates a new SNMP community string on the switch. The
switch comes with two default community strings, “public,” with an access
of read only, and “private,” with an access level of read and write. A switch
can support up to eight community strings.
The COMMUNITY parameter specifies the new community string. The
string can be up to 15 alphanumeric characters. The string is case
sensitive.
The ACCESS parameter defines the access level for the new community
string. The access level can be either read or read and write. The READ
option specifies the read access level and the WRITE option specifies the
read and write access level.
The OPEN parameter controls whether the string will have an open or
closed status. If you specify YES, ON or TRUE, the string will have an
open status. Any management station will be able to use the string to
access the switch. If you specify NO, OFF or FALSE, the string will have a
closed status and only those management stations whose IP addresses
are assigned to the string will be able to use it. This is the default.
The TRAPHOST parameter specifies the IP address of a trap receiver to
receive traps from the switch. A community string can have up to eight trap
receivers, but only one can be assigned when a community string is
created. To add IP addresses of trap receivers to an existing community
string, see “ADD SNMP COMMUNITY” on page 90.
The MANAGER parameter specifies the IP address of a management
station to be permitted SNMP access to the switch through the community
string. You use this parameter when you give a community string a closed
status. A community string with a closed status can only be used by those
management stations whose IP addresses have been assigned to the
string.
A community string can have up to eight manager IP addresses, but only
one can be assigned when a community string is created. To add IP
addresses of management stations to an existing community string, see
“ADD SNMP COMMUNITY” on page 90.
Examples
The following command creates the new community string “serv12” with
read access level and an access status of open:
create snmp community=serv12 access=read open=yes
The following command creates the new community string “wind11” with
read and write access level. To limit the use of the string, its access status
is specified as closed and it is assigned the IP address of the management
station that will use the string:
create snmp community=wind11 access=write open=no
manager=149.35.24.22
(The OPEN=NO parameter can be omitted from the example because
closed status is the default for a new community string.)
This command creates a community string called “serv12” with a closed
status. The command assigns the string the IP address of a management
station that can use the string and also receive SNMP traps:
create snmp community=serv12 access=write open=no
traphost=149.35.24.22 manager=149.35.24.22
DELETE SNMP COMMUNITY
Syntax
delete snmp community="community" traphost=ipaddress
manager=ipaddress
Parameters
community
Specifies the SNMP community string on the switch to
be modified. The community string must already exist
on the switch. This parameter is case sensitive. The
name must be enclosed in double quotes if it contains
a space or special character, such as an exclamation
point. Otherwise, the quotes are optional.
traphost
Specifies the IP address of a trap receiver to be
removed from the community string.
manager
Specifies the IP address of a management station to
be removed from the community string.
Description
This command removes the IP addresses of trap receivers and
management workstations from a community string.
The TRAPHOST parameter removes the IP address of a trap receiver
from an SNMP community string. Once an IP address is removed, the
switch will not send SNMP traps to the trap receiver represented by the
address.
The MANAGER parameter removes the IP address of a management
station from the community string. A management station removed from a
community string with a closed status can no longer use SNMP and the
community string to manage the switch. If you remove the last
management station IP address from a community string with a closed
status, no SNMP management station can access the switch using that
community string.
Examples
The following command deletes the IP address 149.212.11.22 of a
management station from the community string “private.”
delete snmp community=private
manager=149.212.11.22
The following command deletes the IP address 149.212.44.45 of a trap
receiver from the community string “public.”
delete snmp community=public traphost=149.212.44.45
DESTROY SNMP COMMUNITY
Syntax
destroy snmp community="community"
Parameter
community
Specifies an SNMP community string to delete from the
switch. This parameter is case sensitive. The name
must be enclosed in double quotes if it contains a space
or special character, such as an exclamation point.
Otherwise, the quotes are optional.
Description
This command deletes an SNMP community string from the switch. IP
addresses of management stations and SNMP trap receivers assigned to
the community string are deleted as well.
Example
The following command deletes the community string “wind44”:
destroy snmp community=wind44
DISABLE SNMP
Syntax
disable snmp
Parameters
None.
Description
This command disables SNMP on the switch. You cannot manage the unit
from an SNMP management station when SNMP is disabled. The default
setting for SNMP is disabled.
Example
The following command disables SNMP on the switch:
disable snmp
DISABLE SNMP AUTHENTICATETRAP
Syntax
disable snmp authenticatetrap|authenticate_trap
Parameters
None.
Description
This command stops the switch from sending authentication failure traps
to trap receivers. However, the switch will continue to send other system
traps, such as alarm traps. The default setting for sending authentication
failure traps is disabled.
The AUTHENTICATETRAP and AUTHENTICATE_TRAP keywords are
equivalent.
To activate the authentication failure trap, refer to “ENABLE SNMP
AUTHENTICATETRAP” on page 102.
Example
The following command instructs the switch not to send authentication
failure traps to SNMP trap receivers:
disable snmp authenticatetrap
DISABLE SNMP COMMUNITY
Syntax
disable snmp community="community"
Parameter
community
Specifies an SNMP community string to disable on
the switch. This parameter is case sensitive. The
string must be enclosed in double quotes if it
contains a space or other special character such as
an exclamation point. Otherwise, the quotes are
optional.
Description
This command disables a community string on the switch, while leaving
SNMP and all other community strings active. IP addresses of
management stations or trap receivers assigned to the community string
are also disabled. A disabled community string cannot be used by a
management station to access the switch.
Example
The following command deactivates the SNMP community string
“sw1200” and the IP addresses of any management stations and trap
receivers assigned to the community string:
disable snmp community=sw1200
ENABLE SNMP
Syntax
enable snmp
Parameters
None.
Description
This command activates SNMP on the switch so that you can remotely
manage the unit with an SNMP application program from a management
station on your network. It also enables the switch to send SNMP traps to
trap receivers. The default setting for SNMP on the switch is disabled.
Example
The following command activates SNMP on the switch:
enable snmp
ENABLE SNMP AUTHENTICATETRAP
Syntax
enable snmp authenticatetrap|authenticate_trap
Parameters
None.
Description
This command configures the switch to send authentication failure traps to
trap receivers. The switch sends an authentication failure trap whenever an
SNMP management station attempts to access the switch using an
incorrect or invalid community string, or the management station’s IP
address has not been added to a community string that has a closed
access status.
The default setting for sending authentication failure traps is disabled.
Refer to “ADD SNMP COMMUNITY” on page 90 to enter the IP addresses
of the SNMP trap receivers.
The AUTHENTICATETRAP and AUTHENTICATE_TRAP keywords are
equivalent.
Example
The following command configures the switch to send authentication
failure traps to SNMP trap receivers:
enable snmp authenticatetrap
ENABLE SNMP COMMUNITY
Syntax
enable snmp community="community"
Parameter
community
Specifies an SNMP community string. This
parameter is case sensitive. The name must be
enclosed in double quotes if it contains a space or
other special character such as an exclamation
point. Otherwise, the quotes are optional.
Description
This command activates a community string on the switch. The default
setting for a new community string is enabled. You can use this command
to enable a community string that you disabled with the DISABLE SNMP
COMMUNITY command.
Example
The following command enables the SNMP community string “private”:
enable snmp community=private
SET SNMP COMMUNITY
Syntax
set snmp community="community" [access=read|write]
[open=yes|no|on|off|true|false]
Parameters
community
Specifies the SNMP community string whose access
level or access status is to be changed. This community
string must already exist on the switch. This parameter
is case sensitive. The name must be enclosed in
double quotes if it contains a space or other special
character such as an exclamation point. Otherwise, the
quotes are optional.
access
Specifies the new access level. Options are “read” for
read only access and “write” for both read and write
access. If no access level is specified, the default is
“read.”
open
Specifies the open or closed access status of the
community string. The options are:
yes, on, true
The community string is open,
meaning that any management station
can use the string to access the switch.
These options are equivalent.
no, off, false
The community string is closed,
meaning that only those management
stations whose IP addresses are
assigned to the string can use it to
access the switch. To add IP
addresses of management stations to
a community string, refer to “ADD
SNMP COMMUNITY” on page 90. The
default setting for a community string is
closed. These options are equivalent.
Description
This command changes the access level and access status of an existing
SNMP community string.
Examples
The following command changes the access status for the SNMP
community string “sw44” to closed:
set snmp community=sw44 open=no
The following command changes the access level for the SNMP
community string “serv12” to read and write with open access:
set snmp community=serv12 access=write open=yes
SHOW SNMP
Syntax
show snmp [community="community"]
Parameter
community
Specifies a community string on the switch. This
parameter is case sensitive. The name must be
enclosed in double quotes if it contains a space or
other special character such as an exclamation point.
Otherwise, the quotes are optional. Default
community strings are “public” and “private.”
Description
This command displays the following SNMP information:
• SNMP status - The status will be enabled or disabled. If enabled, you
can manage the switch with an SNMP application program from a
remote management station. If disabled, you cannot remotely manage
the switch using SNMP. The default for SNMP is disabled. To enable
SNMP, refer to “ENABLE SNMP” on page 101. To disable SNMP, refer to
“DISABLE SNMP” on page 98.
• Authentication failure traps - This status will be enabled or disabled. If
enabled, the switch sends out authentication failure traps to trap
receivers. If disabled, the switch will not send out authentication failure
traps, but will send out other system traps. The switch sends an
authentication failure trap whenever an SNMP management station
attempts to access the switch using an incorrect or invalid community
string, or the management station’s IP address has not been added to
a community string that has a closed access status. The default setting
is enabled.
To enable authentication failure traps, refer to “ENABLE SNMP
AUTHENTICATETRAP” on page 102. To disable the sending of this
trap, see “DISABLE SNMP AUTHENTICATETRAP” on page 99. To
add IP addresses of management stations to receive the trap, refer to
“ADD SNMP COMMUNITY” on page 90.
• SNMP community strings - The switch comes with the two default
community strings public, which has read access, and private, which
has read and write access. To add new community strings, see
“CREATE SNMP COMMUNITY” on page 92. To delete community
strings, refer to “DESTROY SNMP COMMUNITY” on page 97.
• Management station IP addresses - These are the IP addresses of
management stations that can access the switch through a community
string that has a closed access status. (Management station IP
addresses are displayed only when you specify a specific community
string using the COMMUNITY parameter in this command.) To add IP
addresses of management stations to a community string, refer to
“ADD SNMP COMMUNITY” on page 90.
• Trap receiver IP addresses - These are the IP addresses of
management stations to receive SNMP traps from the switch. (IP
addresses of trap receivers are displayed only when you specify a
specific community string using the COMMUNITY parameter in this
command.) To add IP addresses to a community string, refer to “ADD
SNMP COMMUNITY” on page 90.
• Access Status - If a community string shows an Open Access of Yes,
the string has an open access status, meaning any management
station can use the string. A string with an Open Access of No has a
closed access status; only those management stations whose IP
addresses have been assigned to the string can use it. To change the
access status, refer to “SET SNMP COMMUNITY” on page 104.
Examples
The following command displays the SNMP status and the community
strings on the switch:
show snmp
The following command displays specific information about the “private”
community string. The information includes the IP addresses of
management stations that can use the string and the IP addresses of
SNMP trap receivers:
show snmp community=private
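The open/closed and MANAGER rules of CREATE SNMP COMMUNITY, the per-string limits of ADD SNMP COMMUNITY and the authentication failure trap of ENABLE SNMP AUTHENTICATETRAP, as an added Python model that is not code from the guide or from Allied Telesyn: it decides whether a request from a given station with a given community string is accepted and which trap receivers would be told about a failure, and audits a configuration for the weak states those rules allow. Where the guide is silent (who receives an authentication failure trap, how a disabled string or a write through a read-only string is treated) the behaviour is an assumption and is marked as such in the comments; the addresses are those of the examples above or constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Limits stated on this page: eight community strings per switch, up to 15
# characters each, eight manager and eight trap receiver addresses per string.
MAX_COMMUNITIES = 8
MAX_PER_STRING = 8
MAX_NAME_LEN = 15


@dataclass
class Community:
    name: str                    # case sensitive
    access: str = "read"         # "read" (default) or "write"
    is_open: bool = False        # OPEN=YES/NO; closed is the default
    enabled: bool = True         # ENABLE/DISABLE SNMP COMMUNITY
    managers: List[str] = field(default_factory=list)   # MANAGER addresses
    traphosts: List[str] = field(default_factory=list)  # TRAPHOST addresses


@dataclass
class SnmpAgent:
    enabled: bool = False            # SNMP itself is disabled by default
    authenticate_trap: bool = False  # ENABLE SNMP AUTHENTICATETRAP
    communities: Dict[str, Community] = field(default_factory=dict)

    @classmethod
    def factory_default(cls) -> "SnmpAgent":
        """The two default strings: public (read) and private (read/write)."""
        agent = cls()
        agent.create("public", access="read")
        agent.create("private", access="write")
        return agent

    def create(self, name: str, access: str = "read", is_open: bool = False,
               traphost: Optional[str] = None, manager: Optional[str] = None) -> Community:
        """CREATE SNMP COMMUNITY: at most one traphost and one manager at creation."""
        if len(name) > MAX_NAME_LEN or access not in ("read", "write"):
            raise ValueError("invalid community parameters")
        if name in self.communities or len(self.communities) >= MAX_COMMUNITIES:
            raise ValueError("string already exists or the limit of eight is reached")
        self.communities[name] = Community(name, access, is_open)
        self.add(name, traphost=traphost, manager=manager)
        return self.communities[name]

    def add(self, name: str, traphost: Optional[str] = None,
            manager: Optional[str] = None) -> None:
        """ADD SNMP COMMUNITY: append one trap receiver and/or one manager."""
        c = self.communities[name]
        for addr, bucket in ((traphost, c.traphosts), (manager, c.managers)):
            if addr is not None:
                if len(bucket) >= MAX_PER_STRING:
                    raise ValueError(f"{name}: already has eight addresses")
                bucket.append(addr)

    def trap_receivers(self) -> List[str]:
        # Assumption: authentication failure traps go to the trap receivers of
        # every enabled community string; the page only says "trap receivers".
        seen: List[str] = []
        for c in self.communities.values():
            if c.enabled:
                for addr in c.traphosts:
                    if addr not in seen:
                        seen.append(addr)
        return seen

    def authorize(self, station_ip: str, community: str,
                  write: bool = False) -> Tuple[bool, List[str]]:
        """Return (allowed, receivers sent an authentication failure trap)."""
        if not self.enabled:
            return False, []  # SNMP disabled: no access and no traps
        c = self.communities.get(community)  # dict lookup is case sensitive
        on_failure = self.trap_receivers() if self.authenticate_trap else []
        if c is None or not c.enabled:
            # Unknown string, or one turned off with DISABLE SNMP COMMUNITY
            # (assumption: a disabled string counts as invalid for the trap).
            return False, on_failure
        if not c.is_open and station_ip not in c.managers:
            return False, on_failure  # closed string, station is not a manager
        if write and c.access != "write":
            # Assumption: a write through a read-only string is refused without
            # an authentication failure trap, since the string itself was valid.
            return False, []
        return True, []


def audit(agent: SnmpAgent) -> List[str]:
    """Defender's review of a configuration against the rules modelled above."""
    findings: List[str] = []
    if agent.enabled and not agent.authenticate_trap:
        findings.append("authentication failure traps disabled: bad community strings go unreported")
    for c in agent.communities.values():
        if not c.enabled:
            continue
        if c.name in ("public", "private"):
            findings.append(f"{c.name}: factory-default community string still enabled")
        if c.is_open:
            findings.append(f"{c.name}: open with {c.access} access; any station knowing the string can use it")
        elif not c.managers:
            findings.append(f"{c.name}: closed with no manager addresses; unusable until a MANAGER is added")
    return findings
```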
Chapter 7
Port Parameter Commands
This chapter contains the following commands:
• “ACTIVATE SWITCH PORT” on page 110
• “DISABLE INTERFACE LINKTRAP” on page 111
• “DISABLE SWITCH PORT” on page 112
• “DISABLE SWITCH PORT FLOW” on page 113
• “ENABLE INTERFACE LINKTRAP” on page 114
• “ENABLE SWITCH PORT” on page 115
• “ENABLE SWITCH PORT FLOW” on page 116
• “PURGE SWITCH PORT” on page 117
• “RESET SWITCH PORT” on page 118
• “SET SWITCH PORT” on page 119
• “SET SWITCH PORT FILTERING” on page 123
• “SET SWITCH PORT RATELIMITING” on page 126
• “SHOW INTERFACE” on page 129
• “SHOW SWITCH PORT” on page 131
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 6, “Port Parameters” in
the AT-S63 Management Software Menus Interface User’s Guide.
Chapter 7: Port Parameter Commands
ACTIVATE SWITCH PORT
Syntax
activate switch port=port autonegotiate
Parameter
port
Specifies a port. You can specify more than one port at
a time. You can specify the ports individually (for
example, 5,7,22), as a range (for example, 18-23), or
both (for example, 1,5,14-22).
Description
This command prompts a port that is using Auto-Negotiation to
renegotiate its settings with its end node. The command can be helpful if
you believe that a port and an end node have not successfully negotiated
their settings.
Example
This command forces ports 1 and 4 to renegotiate their speed and duplex
mode:
activate switch port=1,4 autonegotiate
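The PORT value format used by every command in this chapter (ports listed individually, as a range, or both), as an added Python parser that is not code from the guide or from Allied Telesyn: it expands a value such as 1,5,14-22 into port numbers, rejects malformed or out-of-range values, and collapses a list back into the form the CLI accepts. The 24-port upper bound is an assumption for illustration.

```python
from typing import Iterable, List, Set


def parse_port_list(spec: str, port_count: int = 24) -> List[int]:
    """Expand a PORT value such as '1,5,14-22' into sorted, unique port numbers.

    port_count is an assumed upper bound for illustration (the AT-9424T/SP in
    Figure 4 is a 24-port model); anything outside 1..port_count is rejected.
    """
    ports: Set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError(f"empty element in port list {spec!r}")
        if "-" in item:
            low_s, high_s = item.split("-", 1)   # "14-22"
            low, high = int(low_s), int(high_s)  # int() rejects non-digits
            if low > high:
                raise ValueError(f"range {item!r} runs backwards")
            members: Iterable[int] = range(low, high + 1)
        else:
            members = [int(item)]
        for port in members:
            if not 1 <= port <= port_count:
                raise ValueError(f"port {port} is outside 1-{port_count}")
            ports.add(port)
    return sorted(ports)


def format_port_list(ports: Iterable[int]) -> str:
    """Collapse port numbers back into the 'a,b,c-d' form the CLI accepts."""
    ordered = sorted(set(ports))
    pieces: List[str] = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1  # extend the run while the numbers stay consecutive
        pieces.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(pieces)


def port_command(verb: str, spec: str, suffix: str = "", port_count: int = 24) -> str:
    """Validate a PORT value and emit a normalised command line, for example
    port_command('disable', '24,12') -> 'disable switch port=12,24'."""
    ports = parse_port_list(spec, port_count)
    line = f"{verb} switch port={format_port_list(ports)}"
    return f"{line} {suffix}" if suffix else line
```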
DISABLE INTERFACE LINKTRAP
Syntax
disable interface=port linktrap
Parameter
port
Specifies the port on which you want to disable SNMP
link traps. You can specify more than one port at a time.
You can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both (for
example, 1,5,14-22).
Description
This command disables SNMP link traps on a port. When disabled, the
switch does not send an SNMP link trap when there is a change to the
status of a link on a port.
Note
In order for the switch to send SNMP traps to SNMP trap receivers,
you must activate SNMP on the unit and specify one or more trap
receivers.
Example
The following command disables link traps on port 21:
disable interface=21 linktrap
DISABLE SWITCH PORT
Syntax
disable switch port=port
Parameter
port
Specifies the port to disable. You can specify more than
one port at a time. You can specify the ports
individually (for example, 5,7,22), as a range (for
example, 18-23), or both (for example, 1,5,14-22).
Description
This command disables a port. When a port is disabled, it stops forwarding
traffic. The default setting for a port is enabled.
Example
The following command disables ports 12 and 24:
disable switch port=12,24
Equivalent Command
set switch port=port status=disable
For information, see “SET SWITCH PORT” on page 119.
DISABLE SWITCH PORT FLOW
Syntax
disable switch port=port flow=pause
Parameter
port
Specifies the port where you want to deactivate flow
control. You can specify more than one port at a time.
You can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both (for
example, 1,5,14-22).
Description
This command deactivates flow control on a port. Flow control only applies
to ports operating in full duplex mode.
Example
The following command deactivates flow control on port 6:
disable switch port=6 flow=pause
Equivalent Command
set switch port=port flowcontrol=disable
For information, see “SET SWITCH PORT” on page 119.
ENABLE INTERFACE LINKTRAP
Syntax
enable interface=port linktrap
Parameter
port
Specifies the port on which you want to enable SNMP
link traps. You can specify more than one port at a time.
You can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both (for
example, 1,5,14-22).
Description
This command activates SNMP link traps on the port. When enabled, the
switch sends an SNMP link trap to an SNMP trap receiver whenever there
is a change to the status of a link on a port.
Note
In order for the switch to send SNMP traps, you must activate SNMP
on the unit and specify one or more trap receivers.
Example
The following command enables link traps on port 21:
enable interface=21 linktrap
ENABLE SWITCH PORT
Syntax
enable switch port=port
Parameter
port
Specifies the port to enable. You can specify more than
one port at a time. You can specify the ports individually
(for example, 5,7,22), as a range (for example, 18-23),
or both (for example, 1,5,14-22).
Description
This command enables a port. When a port is enabled, it forwards traffic.
The default setting for a port is enabled.
Example
The following command enables ports 1 to 4:
enable switch port=1-4
Equivalent Command
set switch port=port status=enable
For information, see “SET SWITCH PORT” on page 119.
ENABLE SWITCH PORT FLOW
Syntax
enable switch port=port flow=pause
Parameter
port
Specifies the port where you want to activate flow
control. You can specify more than one port at a time.
You can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both (for
example, 1,5,14-22).
Description
This command activates flow control on a port. Flow control only applies to
ports operating in full duplex mode. When flow control is activated, a port
sends out a PAUSE packet whenever it wants the end node to stop
sending packets.
Example
The following command activates flow control on port 5:
enable switch port=5 flow=pause
Equivalent Command
set switch port=port flowcontrol=enable
For information, see “SET SWITCH PORT” on page 119.
PURGE SWITCH PORT
Syntax
purge switch port=port
Parameters
port
Specifies the port whose parameter settings are to be
returned to the default values. You can specify more
than one port at a time. You can specify the ports
individually (for example, 5,7,22), as a range (for
example, 18-23), or both (for example, 1,5,14-22).
Description
This command returns all of the parameter settings of a port to the factory
default values. To reset a port and retain its settings, use “RESET
SWITCH PORT” on page 118.
Example
The following example resets the settings for port 10 to the factory default
values:
purge switch port=10
RESET SWITCH PORT
Syntax
reset switch port=port
Parameter
port
Specifies the port to reset. You can specify more than
one port at a time. You can specify the ports
individually (for example, 5,7,22), as a range (for
example, 18-23), or both (for example, 1,5,14-22).
Description
This command resets a port. The reset takes less than a second to
complete. You might reset a port if it is experiencing a problem
establishing a link with its end node. The port retains its current operating
parameter settings. To reset a port to the factory default settings, use
“PURGE SWITCH PORT” on page 117.
Example
The following command resets ports 5 to 8:
reset switch port=5-8
Equivalent Command
set switch port=port softreset
For information, see “SET SWITCH PORT” on page 119.
SET SWITCH PORT
Syntax
set switch port=port [description="description"]
[status=enabled|disabled]
[speed=autonegotiate|10mhalf|10mfull|100mhalf|100mfull|
1000mfull]
[mdimode=mdi|mdix|auto]
[flowcontrol=disable|enable|auto]
[fctrllimit=value]
[backpressure=yes|no|on|off|true|false|enabled|
disabled]
[bplimit=value]
[holbplimit=value]
[renegotiation=auto]
[softreset]
Parameters
port
Specifies the port to be configured. You can
specify more than one port at a time, but the
ports must be of the same medium type. For
example, you cannot configure twisted pair and
fiber optic ports with the same command. You
can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both
(for example, 1,5,14-22).
description
A description for the port, from 1 to 15
alphanumeric characters. Spaces are allowed
but do not use special characters. If the name
contains spaces, it must be enclosed in double
quotes. Otherwise, the quotes are optional. You
cannot specify a description if you are
configuring more than one port.
status
Specifies the operating status of the port. The
options are:
enabled
The port forwards network traffic.
This is the default setting.
disabled
The port does not forward network
traffic.
speed
Sets the speed and duplex mode of the port.
The options are:
autonegotiate The port uses Auto-Negotiation
for both speed and duplex mode.
This is the default setting.
10mhalf
10 Mbps and half-duplex mode.
10mfull
10 Mbps and full-duplex mode.
100mhalf
100 Mbps and half-duplex mode.
100mfull
100 Mbps and full-duplex mode.
1000mfull
1000 Mbps and full-duplex mode.
(Applies only to 1000Base SFP
and GBIC modules. This
selection should not be used. An
SFP or GBIC module should use
Auto-Negotiation to set its speed
and duplex mode.)
Note
A 10/100/1000Base-T twisted pair port must be set to
Auto-Negotiation to operate at 1000 Mbps.
mdimode
Sets the wiring configuration of the port. This
parameter applies to twisted pair ports, and only
when a port’s speed and duplex mode are set
manually. If a port is autonegotiating its speed
and duplex mode, the MDI/MDIX setting is
established automatically and cannot be
changed. The options are:
mdi
Sets the port’s configuration to MDI.
mdix
Sets the port’s configuration to MDI-X.
flowcontrol
Specifies the flow control on the port. Flow
control applies only to ports operating in full
duplex mode. When flow control is activated, a
port sends out a PAUSE packet whenever it
wants the end node to stop sending packets.
The options are:
disabled
No flow control. This is the default
setting.
enabled
Flow control is activated.
fctrllimit
Specifies the number of cells for flow control. A
cell represents 128 bytes. The range is 1 to
7935 cells. The default value is 7935 cells.
backpressure
Controls backpressure on the port.
Backpressure applies only to ports operating in
half-duplex mode. The options are:
yes, on, true, enabled
Activates backpressure on the port. These
options are equivalent.
no, off, false, disabled
Deactivates backpressure on the port. This is
the default. These options are equivalent.
bplimit
Specifies the number of cells for back pressure.
A cell represents 128 bytes. The range is 1 to
7935 cells. The default value is 7935 cells.
holbplimit
Specifies the threshold at which the switch
signals a head of line blocking event on a port.
The threshold is specified in cells. A cell is 128
bytes. The range is 1 to 61,440 cells; the default
is 7,168.
renegotiation
Prompts the port to renegotiate its speed and
duplex mode with the end node. This parameter
only works when the port is using
autonegotiation. The only option is:
auto
Renegotiates speed and duplex
mode with the end node.
softreset
Resets the port. This parameter does not
change any of a port’s operating parameters.
Description
This command configures the operating parameters of a port. You can set
more than one parameter at a time. For an explanation of the port
parameters, refer to Chapter 6, “Port Parameters” in the AT-S63
Management Software Menus Interface User’s Guide.
Examples
The following command disables ports 1 to 6:
set switch port=1-6 status=disabled
The following command configures port 8 to operate at 10 Mbps, half
duplex:
set switch port=8 speed=10mhalf
The following command sets the speed on ports 2 to 6 to 100 Mbps, the
duplex mode to full duplex, the wiring configuration to MDI-X, and flow
control to enabled:
set switch port=2-6 speed=100mfull mdimode=mdix
flowcontrol=enabled
The following command resets port 5:
set switch port=5 softreset
Equivalent Commands
disable switch port=port
For information, see “DISABLE SWITCH PORT” on page 112.
disable switch port=port flow=pause
For information, see “DISABLE SWITCH PORT FLOW” on page 113.
enable switch port=port
For information, see “ENABLE SWITCH PORT” on page 115.
enable switch port=port flow=pause
For information, see “ENABLE SWITCH PORT FLOW” on page 116.
reset switch port=port
For information, see “RESET SWITCH PORT” on page 118.
SET SWITCH PORT FILTERING
Syntax
set switch port=port
[bcastfiltering=yes|no|on|off|true|false|enabled|
disabled]
[bcastegressfiltering=yes|no|on|off|true|false|enabled|
disabled]
[unkmcastfiltering=yes|no|on|off|true|false]
[unkmcastegressfiltering=yes|no|on|off|true|false]
[unkucastfiltering=yes|no|on|off|true|false]
[unkucastegressfiltering=yes|no|on|off|true|false]
Parameters
port
Specifies the port you want to configure. You
can specify more than one port at a time. You
can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both
(for example, 1,5,14-22).
bcastfiltering
Controls the ingress broadcast frame filter. The
options are:
yes, on, true, enabled The port discards all
ingress broadcast
frames. These options
are equivalent.
no, off, false, disabled The port forwards all
ingress broadcast
frames. This is the
default. These options
are equivalent.
bcastegressfiltering
Controls the egress broadcast frame filter. The
options are:
yes, on, true, enabled The port discards all
egress broadcast
frames. These options
are equivalent.
no, off, false, disabled The port forwards all
egress broadcast
frames. This is the
default. These options
are equivalent.
unkmcastfiltering
Controls the unknown ingress multicast frame
filter. The options are:
yes, on, true, enabled The port discards all
unknown ingress
multicast frames. These
options are equivalent.
no, off, false, disabled The port forwards all
unknown ingress
multicast frames. This is
the default. These
options are equivalent.
unkmcastegressfiltering
Controls the unknown egress multicast frame
filter. The options are:
yes, on, true, enabled The port discards all
unknown egress
multicast frames. These
options are equivalent.
no, off, false, disabled The port forwards all
unknown egress
multicast frames. These
options are equivalent.
unkucastfiltering
Controls the unknown ingress unicast frame
filter. The options are:
yes, on, true, enabled The port discards all
unknown ingress
unicast frames. These
options are equivalent.
no, off, false, disabled The port forwards all
unknown ingress
unicast frames. This is
the default. These
options are equivalent.
unkucastegressfiltering
Controls the unknown egress unicast frame
filter. The options are:
yes, on, true, enabled The port discards all
unknown egress unicast
frames. These options
are equivalent.
no, off, false, disabled The port forwards all
unknown egress unicast
frames. This is the
default. These options
are equivalent.
Description
This command discards ingress and egress broadcast packets as well as
unknown unicast and multicast packets on a port. When you activate this
feature on a port, the port discards all ingress or egress packets of the
type specified. The default setting for each type of packet filter is disabled.
Examples
The following command activates the ingress broadcast filter on ports 4
and 23 so that the ports discard all ingress broadcast packets:
set switch port=4,23 bcastfiltering=yes
The following command activates the unknown egress multicast and
unicast filters on ports 3 and 6 so that the ports discard all unknown egress
multicast and unicast packets:
set switch port=3,6 unkmcastegressfiltering=yes
unkucastegressfiltering=yes
The following command disables the unknown ingress unicast filter on
port 24 so that the port again accepts all unknown ingress unicast packets:
set switch port=24 unkucastfiltering=no
SET SWITCH PORT RATELIMITING
Syntax
set switch port=port
[bcastratelimiting=yes|no|on|off|true|false|enabled|
disabled]
[bcastrate=value]
[mcastratelimiting=yes|no|on|off|true|false|enabled|
disabled]
[mcastrate=value]
[unkucastratelimiting=yes|no|on|off|true|false|enabled|
disabled]
[unkucastrate=value]
Parameters
port
Specifies the port you want to configure. You can
specify more than one port at a time, but the ports
must be of the same medium type. For example,
you cannot configure twisted pair and fiber optic
ports with the same command. You can specify the
ports individually (for example, 5,7,22), as a range
(for example, 18-23), or both (for example, 1,5,14-22).
bcastratelimiting
Enables or disables a rate limit for ingress broadcast
packets. The options are:
yes, on, true, enabled
Activates broadcast packet rate limiting on the
port. The options are equivalent. The rate limit
is set with the BCASTRATE parameter.
no, off, false, disabled
Deactivates broadcast packet rate limiting on the
port. This is the default. The options are
equivalent.
bcastrate
Specifies the maximum number of ingress
broadcast packets a switch port accepts each
second. The range is 0 to 262,134 packets. The
default is 262,134 packets.
mcastratelimiting
Enables or disables a rate limit for ingress multicast
packets. The options are:
yes, on, true, enabled
Activates multicast packet rate limiting on
the port. The options are equivalent.
no, off, false, disabled
Deactivates multicast packet rate limiting on
the port. This is the default. The options
are equivalent.
mcastrate
Specifies the maximum number of ingress multicast
packets a switch port accepts each second. The
range is 0 to 262,134 packets. The default is
262,134 packets.
unkucastratelimiting
Enables or disables a rate limit for unknown ingress
unicast packets. The options are:
yes, on, true, enabled
Activates unknown unicast packet rate
limiting on the port. The options are
equivalent.
no, off, false, disabled
Deactivates unknown unicast packet rate
limiting on the port. This is the default. The
options are equivalent.
unkucastrate
Specifies the maximum number of ingress unknown
unicast packets a switch port accepts each second.
The range is 0 to 262,134 packets. The default is
262,134 packets.
Description
This command sets the maximum number of ingress packets a port
accepts each second. Packets exceeding the threshold are discarded.
You can enable the rate limiting threshold independently for broadcast,
multicast and unknown unicast packets.
Examples
The following command activates rate limiting for ingress broadcast and
multicast packets on port 6. It sets a threshold of 20,000 packets per
second for broadcast packets and 100,000 for multicast packets:
set switch port=6 bcastratelimiting=yes bcastrate=20000
mcastratelimiting=yes mcastrate=100000
The following command sets a threshold of 150,000 packets per second
for unknown ingress unicast packets on ports 15 and 17:
set switch port=15,17 unkucastratelimiting=yes
unkucastrate=150000
The following command disables the rate limiting feature for ingress
broadcast packets on port 24:
set switch port=24 bcastratelimiting=no
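As an added example that is not part of the manual, the following Python script expands port lists in the form the commands in this chapter accept ("5,7,22", "18-23", "1,5,14-22"), renders them back in the compact form, and assembles a SET SWITCH PORT RATELIMITING command while refusing reversed ranges, unknown ports and rates outside 0 to 262,134 packets per second. The 24-port upper bound (MAX_PORT) is an assumption made for this example.

```python
"""Build SET SWITCH PORT RATELIMITING commands for the AT-S63 CLI with validation.

Added example, not code from the AT-S63 manual. The port-list grammar
("5,7,22", "18-23", "1,5,14-22") and the 0 to 262,134 packets/second range
come from the manual; MAX_PORT = 24 is an assumption made for this example.
"""
import re

MAX_PORT = 24        # assumption: a 24-port unit; adjust for the switch in use
MAX_RATE = 262_134   # upper bound of bcastrate/mcastrate/unkucastrate per the manual
CLASSES = ("bcast", "mcast", "unkucast")   # parameter prefixes in the syntax

_ITEM = re.compile(r"(\d+)(?:-(\d+))?")


def parse_ports(spec):
    """Expand a port list such as '1,5,14-22' into a sorted list of unique ports.

    Rejects empty items, malformed items, reversed ranges (e.g. '23-18') and
    ports outside 1..MAX_PORT, so a typo cannot silently widen the target set.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        m = _ITEM.fullmatch(item)
        if not m:
            raise ValueError(f"bad port item {item!r} in {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        if lo < 1 or hi > MAX_PORT:
            raise ValueError(f"port out of range 1..{MAX_PORT} in {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def format_ports(ports):
    """Render ports in the CLI's compact form: [1, 5, 14, 15, 16] -> '1,5,14-16'."""
    ports = sorted(set(ports))
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def ratelimit_command(spec, limits):
    """Return one SET SWITCH PORT RATELIMITING command line.

    limits maps 'bcast', 'mcast' or 'unkucast' to an integer packets/second
    rate (enable limiting at that rate) or to None (disable limiting).
    """
    parts = [f"set switch port={format_ports(parse_ports(spec))}"]
    for cls, rate in limits.items():
        if cls not in CLASSES:
            raise ValueError(f"unknown traffic class {cls!r}")
        if rate is None:
            parts.append(f"{cls}ratelimiting=no")
            continue
        if not 0 <= rate <= MAX_RATE:
            raise ValueError(f"{cls}rate {rate} outside 0..{MAX_RATE}")
        parts.append(f"{cls}ratelimiting=yes {cls}rate={rate}")
    return " ".join(parts)


def rejects(spec, limits):
    """True when ratelimit_command refuses the input with ValueError."""
    try:
        ratelimit_command(spec, limits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Reproduces the manual's first example: port 6, broadcast 20,000 pps,
    # multicast 100,000 pps.
    print(ratelimit_command("6", {"bcast": 20000, "mcast": 100000}))
```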
SHOW INTERFACE
Syntax
show interface[=port]
Parameter
port
Specifies the port whose interface information you want
to display. You can specify more than one port at a
time. You can specify the ports individually (for
example, 5,7,22), as a range (for example, 18-23), or
both (for example, 1,5,14-22). All ports are displayed if
you omit the port number.
Description
This command displays the contents of the interface MIB for a specific
port. An example of the information displayed by this command is shown
in Figure 6.
ifIndex.............................. 1
ifMtu................................ 9198
ifSpeed.............................. 100000000
ifAdminStatus........................ Up
ifOperStatus......................... Up
ifLinkUpDownTrapEnable............... Enabled
Figure 6. SHOW INTERFACE Command
This command provides the following information about a port:
• ifIndex - The index of the interface in the interface table.
• ifMTU - The size, in octets, of the largest packet that can be
transmitted on the port.
• ifSpeed - An estimate of the port’s current bandwidth, in bits per
second. This MIB object is zero (0) when the port does not have a link
to an end node.
• ifAdminStatus - The configured state of the port, one of the following:
Up - The port is up.
Down - The port is down.
• ifOperStatus - The current operational status of the port, one of the
following:
Up - A valid link exists between the port and the end node.
Down - The port and the end node have not established a link.
unknown - The port status is unknown.
• ifLinkUpDownTrapEnable - Whether or not link traps have been
enabled for the port, one of the following:
Enabled - Link traps are enabled. To disable link traps, see “DISABLE
INTERFACE LINKTRAP” on page 111.
Disabled - Link traps are disabled. To enable link traps, see “ENABLE
INTERFACE LINKTRAP” on page 114.
Example
The following command displays information about port 21:
show interface=21
SHOW SWITCH PORT
Syntax
show switch port[=port]
Parameter
port
Specifies the port whose parameter settings you want
to view. You can specify more than one port at a time.
You can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both (for
example, 1,5,14-22). All ports are displayed if you
omit the port number.
Description
This command displays a port’s current operating specifications, such as
speed and duplex mode. The command displays the following port
information. (For an example of the information displayed by this
command, see Figure 7 on page 135.)
• Port Description - Displays the name of the port. The default name is
“Port_” followed by the port number. To configure a port’s name, refer
to “SET SWITCH PORT” on page 119.
• Port Type - Displays the IEEE standard of a port. For example, the port
type for a twisted pair port on an AT-9424Ti/SP switch is
10/100/1000Base-T.
• Status - Displays whether the port is currently enabled or disabled.
When disabled, a port does not forward network traffic. The default is
enabled. To disable or enable a port, refer to “DISABLE SWITCH
PORT” on page 112, “ENABLE SWITCH PORT” on page 115, or “SET
SWITCH PORT” on page 119.
• Link State - Displays the current link state between the port and the
end node. If the port has established a link with an end node, link state
will be “Up.” If there is no link, link state will be “Down.”
• Configured Speed/Duplex - Displays the current configured settings for
speed and duplex mode on the port. The setting of “Auto” indicates the
port has been set to Auto-Negotiation, the default setting. To adjust a
port’s speed and duplex mode, refer to “SET SWITCH PORT” on
page 119.
• Configured MDI Crossover - Displays the current configured setting for
MDI/MDIX on the port. If the port is set to Auto-Negotiation, this field
displays N/A, because the MDI/MDIX setting is set automatically on
the port. A value only appears in this field if you disable
Auto-Negotiation on a twisted pair port and set MDI/MDIX manually.
This field does not apply to a fiber optic port. To adjust a port’s
MDI/MDIX setting, refer to “SET SWITCH PORT” on page 119.
• Actual Speed/Duplex - Displays the current operating speed and
duplex mode of a port. This field displays no value (—) if the port does
not have a link to an end node or has been disabled.
• Actual MDI Crossover - Displays the current operating MDI/MDIX
setting of a twisted pair port. This field displays no value (—) if the port
does not have a link to an end node or has been disabled. This field
does not apply to a fiber optic port.
• Flow Control Status and Flow Control Threshold - Displays the status
of flow control on a port. Flow control applies to ports operating in full
duplex mode and is used by a port to stop an end node from sending
packets when its ingress buffer is full. The default setting is disabled.
The threshold marks the point at which flow control is activated. The
threshold is measured in cells of 128 bytes. The range is 1 to 7935
cells. The default value is 7935 cells. To set flow control, refer to
“DISABLE SWITCH PORT FLOW” on page 113, “ENABLE SWITCH
PORT FLOW” on page 116, or “SET SWITCH PORT” on page 119.
• Backpressure Status and Backpressure Threshold - Displays the
status of backpressure on a port. Backpressure applies to ports
operating in half duplex mode. A port uses backpressure to stop an
end node from sending packets when its ingress buffer is full. The
default setting is disabled. The threshold marks the point at which
backpressure is activated. The threshold is measured in cells of 128
bytes. The range is 1 to 7935 cells. The default value is 7935 cells. To
set backpressure, refer to “SET SWITCH PORT” on page 119.
• HOL Blocking Prevention Threshold - Displays the threshold at which
the switch signals a head of line blocking event. This event occurs
when switch ports are unable to forward packets to another switch port
because its egress queues are full. The switch responds to this event
by instructing the other switch ports to discard any packets in their
ingress queues that are destined for the oversubscribed port. The
threshold is measured in cells of 128 bytes. The range is 0 to 8191
cells. The default is 682.
• Broadcast Ingress Filtering - Displays the status of ingress broadcast
filtering. If enabled, the port discards all ingress broadcast packets.
The default is disabled. To configure this parameter, refer to “SET
SWITCH PORT FILTERING” on page 123.
• Broadcast Egress Filtering - Displays the status of egress broadcast
filtering. If enabled, the port discards all egress broadcast packets. The
default is disabled. To configure this parameter, refer to “SET SWITCH
PORT FILTERING” on page 123.
• Unknown Multicast Ingress Filtering - Displays the status of unknown
ingress multicast filtering. If enabled, the port discards all unknown
ingress multicast packets. The default is disabled. To configure this
parameter, refer to “SET SWITCH PORT FILTERING” on page 123.
• Unknown Multicast Egress Filtering - Displays the status of unknown
egress multicast filtering. If enabled, the port discards all unknown
egress multicast packets. The default is disabled. To configure this
parameter, refer to “SET SWITCH PORT FILTERING” on page 123.
• Unknown Unicast Ingress Filtering - Displays the status of unknown
ingress unicast filtering. If enabled, the port discards all unknown
ingress unicast packets. The default is disabled. To configure this
parameter, refer to “SET SWITCH PORT FILTERING” on page 123.
• Unknown Unicast Egress Filtering - Displays the status of unknown
egress unicast filtering. If enabled, the port discards all unknown
egress unicast packets. The default is disabled. To configure this
parameter, refer to “SET SWITCH PORT FILTERING” on page 123.
• Broadcast Rate Limiting Status and Broadcast Rate - Displays the
status of the broadcast rate limiting feature. If enabled, the port limits
the number of ingress broadcast packets per second to the rate
specified. Ingress broadcast packets that exceed the threshold are
discarded by the port. The default setting for this feature is disabled.
The default rate is 262,143 packets per second. To set this feature,
refer to “SET SWITCH PORT RATELIMITING” on page 126.
• Multicast Rate Limiting Status and Multicast Rate - Displays the status
of the multicast rate limiting feature. If enabled, the port limits the
number of ingress multicast packets per second to the rate specified.
Ingress multicast packets that exceed the threshold are discarded by
the port. The default setting for this feature is disabled. The default rate
is 262,143 packets per second. To set this feature, refer to “SET
SWITCH PORT RATELIMITING” on page 126.
• Unknown Unicast Rate Limiting Status and Unknown Unicast Rate -
Displays the status of the unicast rate limiting feature. If enabled, the
port limits the number of unknown ingress unicast packets per second
to the rate specified. Unknown ingress unicast packets that exceed the
threshold are discarded by the port. The default setting for this feature
is disabled. The default rate is 262,143 packets per second. To set this
feature, refer to “SET SWITCH PORT RATELIMITING” on page 126.
• PVID - Displays the port’s VLAN ID number. This number is equivalent
to the VID of the VLAN where the port is currently an untagged
member. The default is 1, the VID of the Default_VLAN. To add a port
to an existing VLAN or to create a new VLAN, refer to “ADD VLAN” on
page 490 and “CREATE VLAN” on page 493.
• Port Priority - Displays the Class of Service priority assigned to the
port. This priority level applies to all ingress untagged packets received
on the port. The default setting is 0. At the default setting, all ingress
untagged packets received on the port are stored in the egress port’s
Q1 egress queue. To set this parameter, refer to “SET SWITCH PORT
PRIORITY OVERRIDEPRIORITY” on page 284. To adjust the
mappings of priority levels to egress queues, see “SET QOS COSP”
on page 281.
• Override Priority - Displays whether the Class of Service priority level
in ingress tagged packets is ignored when determining the egress
queue for storing the packets. If this parameter is displaying Yes, the
switch ignores the priority level in tagged packets and uses the priority
level assigned to the port to determine the egress queue. The default
setting is No. At the default setting the priority level in tagged packets
is used to determine the appropriate egress queue. To set this
parameter, refer to “SET SWITCH PORT PRIORITY
OVERRIDEPRIORITY” on page 284. To adjust the mappings of
priority levels to egress queues, see “SET QOS COSP” on page 281.
• Mirroring State - Displays the state of port mirroring on the switch. If
port mirroring has been activated on the switch, this field will contain
Enabled. If port mirroring has not been activated on the switch, the
default setting, this field will contain Disabled. To configure port
mirroring, refer to “SET SWITCH MIRROR” on page 182 and “SET
SWITCH PORT MIRROR” on page 183.
• Is this mirror port mirror - Displays whether the port is functioning as
the destination port of a port mirror. This field only appears if port
mirroring has been activated on the switch. This field displays No if the
port is not the destination port and Yes if it is the destination port.
For further details on port parameters, refer to Chapter 6, “Port
Parameters” in the AT-S63 Management Software Menus Interface User’s
Guide.
Note
The information for an SFP or GBIC module includes additional
nonadjustable operating specifications of the module.
An example of the information displayed by this command is shown in
Figure 7 on page 135.
Port #11 Information:
Port Description ..................... Port_11
Port Type ............................ 10/100/1000Base-T
Status ............................... Enabled
Link State ........................... Up
Configured Speed/Duplex .............. Auto
Configured MDI Crossover ............. N/A
Actual Speed/Duplex .................. 100 Mbps/Full Duplex
Actual MDI Crossover ................. MDIX
Flow Control Status .................. Disabled
Flow Control Threshold ............... 7935 cells
Backpressure Status .................. Disabled
Backpressure Threshold ............... 7935 cells
HOL Blocking Prevention Threshold .... 682 cells
Broadcast Ingress Filtering .......... Disabled
Broadcast Egress Filtering ........... Disabled
Unknown Multicast Ingress Filtering .. Disabled
Unknown Multicast Egress Filtering ... Disabled
Unknown Unicast Ingress Filtering .... Disabled
Unknown Unicast Egress Filtering ..... Disabled
Broadcast Rate Limiting Status ....... Disabled
Broadcast Rate ....................... 262143 packet/second
Multicast Rate Limiting Status ....... Disabled
Multicast Rate ....................... 262143 packet/second
Unknown Unicast Rate Limiting Status . Disabled
Unknown Unicast Rate ................. 262143 packet/second
PVID ................................. 1
Port Priority (0-7) 0=Low 7=High...... 0
Override Priority .................... No
Mirroring State....................... Disabled
Figure 7. SHOW SWITCH PORT Command
Examples
The following command displays the operating settings for all ports:
show switch port
The following command displays the operating settings for port 14:
show switch port=14
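The following Python script is an added example, not code from the manual: it parses the labelled output shown in Figure 7 into a dictionary per port and reports enabled ports that have no broadcast, multicast or unknown unicast rate limit in force (the rate field is displayed even when the corresponding Rate Limiting Status is Disabled, so the status line is what matters). The sample output is constructed for this example, and the blank line between port blocks is an assumption about the real display.

```python
"""Parse SHOW SWITCH PORT output from the AT-S63 CLI and audit its settings.

Added example, not code from the manual. Labels follow Figure 7; SAMPLE_OUTPUT
is constructed (port 11 copies Figure 7) and the blank line between port
blocks is our assumption about the real output.
"""
import re

SAMPLE_OUTPUT = """\
Port #11 Information:
Port Description ..................... Port_11
Port Type ............................ 10/100/1000Base-T
Status ............................... Enabled
Link State ........................... Up
Configured Speed/Duplex .............. Auto
Configured MDI Crossover ............. N/A
Actual Speed/Duplex .................. 100 Mbps/Full Duplex
Actual MDI Crossover ................. MDIX
Flow Control Status .................. Disabled
Flow Control Threshold ............... 7935 cells
Backpressure Status .................. Disabled
Backpressure Threshold ............... 7935 cells
HOL Blocking Prevention Threshold .... 682 cells
Broadcast Ingress Filtering .......... Disabled
Broadcast Egress Filtering ........... Disabled
Unknown Multicast Ingress Filtering .. Disabled
Unknown Multicast Egress Filtering ... Disabled
Unknown Unicast Ingress Filtering .... Disabled
Unknown Unicast Egress Filtering ..... Disabled
Broadcast Rate Limiting Status ....... Disabled
Broadcast Rate ....................... 262143 packet/second
Multicast Rate Limiting Status ....... Disabled
Multicast Rate ....................... 262143 packet/second
Unknown Unicast Rate Limiting Status . Disabled
Unknown Unicast Rate ................. 262143 packet/second
PVID ................................. 1
Port Priority (0-7) 0=Low 7=High...... 0
Override Priority .................... No
Mirroring State....................... Disabled

Port #12 Information:
Status ............................... Enabled
Link State ........................... Up
Broadcast Rate Limiting Status ....... Enabled
Broadcast Rate ....................... 20000 packet/second
Multicast Rate Limiting Status ....... Enabled
Multicast Rate ....................... 100000 packet/second
Unknown Unicast Rate Limiting Status . Disabled
Unknown Unicast Rate ................. 262143 packet/second

Port #13 Information:
Status ............................... Disabled
"""

PORT_HEADER = re.compile(r"^Port #(\d+) Information:")
# Label (which may itself end in dots), a run of dots, then the value.
FIELD = re.compile(r"^(.*\S)\s*\.+\s+(\S.*?)\s*$")
RATE_CLASSES = ("Broadcast", "Multicast", "Unknown Unicast")

def parse_show_switch_port(text):
    """Return {port_number: {label: value}} from SHOW SWITCH PORT output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_HEADER.match(line)
        if m:
            current = ports.setdefault(int(m.group(1)), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).rstrip(". ")] = m.group(2)
    return ports

def is_enabled(fields, label):
    return fields.get(label, "").lower() == "enabled"

def effective_limit(fields, cls):
    """Packets/second actually enforced for a class, or None when the
    Rate Limiting Status is not Enabled (the rate field is shown regardless)."""
    if not is_enabled(fields, f"{cls} Rate Limiting Status"):
        return None
    return int(fields[f"{cls} Rate"].split()[0])

def audit(ports):
    """List (port, finding) for enabled ports with no storm rate limit."""
    findings = []
    for num, fields in sorted(ports.items()):
        if not is_enabled(fields, "Status"):
            continue  # an administratively disabled port forwards nothing
        for cls in RATE_CLASSES:
            if effective_limit(fields, cls) is None:
                findings.append((num, f"{cls.lower()} rate limiting disabled"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_show_switch_port(SAMPLE_OUTPUT)):
        print(f"port {port}: {finding}")
```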
Chapter 8
Port Statistics Commands
This chapter contains the following commands:
• “RESET SWITCH PORT COUNTER” on page 138
• “SHOW SWITCH COUNTER” on page 139
• “SHOW SWITCH PORT COUNTER” on page 142
Note
For background information on port statistics, refer to Chapter 6,
“Port Parameters” in the AT-S63 Management Software Menus
Interface User’s Guide.
RESET SWITCH PORT COUNTER
Syntax
reset switch port=port counter
Parameter
port
Specifies the port whose statistics counters you want to
return to zero. You can specify more than one port at a
time. You can specify the ports individually (for
example, 5,7,22), as a range (for example, 18-23), or
both (for example, 1,5,14-22).
Description
This command returns a port’s statistics counters to zero.
Example
The following command returns the counters on ports 14 and 15 to zero:
reset switch port=14-15 counter
SHOW SWITCH COUNTER
Syntax
show switch counter
Parameters
None.
Description
This command displays operating statistics, such as the number of
packets received and transmitted, and the number of CRC errors, for the
entire switch. An example of the display is shown in Figure 8.
Port: All
Bytes Rx .........  983409801    Bytes Tx .........  965734443
Frames Rx ........  815423       Frames Tx ........  691396
Bcast Frames Rx...  107774       Bcast Frames Tx ..  1853
Mcast Frames Rx ..  11429        Mcast Frames Tx ..  0
Frames 64 ........  110509       Frames 65-127 ....  15192
Frames 128-255 ...  1928         Frames 256-511 ...  442
Frames 512-1023 ..  157796       Frames 1024-1518..  1221024
CRC Error ........  0            Jabber ...........  0
No. of Rx Errors .  0            No. of Tx Errors .  0
UnderSize Frames .  0            OverSize Frames ..  0
Fragments ........  0            Collision ........  0
Frames 1519-1522 .  0            Dropped Frames ...  0
Figure 8. SHOW SWITCH COUNTER Command
The command provides the following information:
Bytes Rx
Number of bytes received by the switch.
Bytes Tx
Number of bytes transmitted by the switch.
Frames Rx
Number of frames received by the switch.
Frames Tx
Number of frames transmitted by the switch.
Bcast Frames Rx
Number of broadcast frames received by the switch.
Bcast Frames Tx
Number of broadcast frames transmitted by the switch.
Mcast Frames Rx
Number of multicast frames received by the switch.
Mcast Frames Tx
Number of multicast frames transmitted by the switch.
Frames 64
Frames 65-127
Frames 128-255
Frames 256-511
Frames 512-1023
Frames 1024-1518
Frames 1519-1522
Number of frames transmitted from the port, grouped by size.
CRC Error
Number of frames with a cyclic redundancy check (CRC) error but with the
proper length (64-1518 bytes) received by the switch.
Jabber
Number of occurrences of corrupted data or useless signals appearing on
the switch.
No. of Rx Errors
Number of receive errors.
No. of Tx Errors
Number of transmit errors.
Undersize Frames
Number of frames that were less than the minimum length specified by
IEEE 802.3 (64 bytes including the CRC) received by the switch.
Oversize Frames
Number of frames exceeding the maximum specified by IEEE 802.3 (1518
bytes including the CRC) received by the switch.
Fragments
Number of undersized frames, frames with alignment errors, and frames
with frame check sequence (FCS) errors (CRC errors) received by the
switch.
Collision
Number of collisions that have occurred on the switch.
Dropped Frames
Number of frames successfully received and buffered by the switch, but
discarded and not forwarded.
AT-S63 Management Software Command Line Interface User’s Guide
Example
The following command displays the switch’s operating statistics:
show switch counter
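As an added example (not part of the AT-S63 manual), the following Python parses the SHOW SWITCH COUNTER display of Figure 8 into a counter map, diffs two snapshots (the counters are cumulative), and flags the receive-error, collision, dropped-frame and broadcast conditions a monitor would raise on. The two-column "label .... value" layout of the sample text and the threshold defaults are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of the SHOW SWITCH COUNTER display. The values are those
# of Figure 8; the two-column "label .... value" layout is an assumption.
SAMPLE_COUNTER_OUTPUT = """\
Port: All
Bytes Rx .........    983409801   Bytes Tx .........    965734443
Frames Rx ........       815423   Frames Tx ........       691396
Bcast Frames Rx...       107774   Bcast Frames Tx ..         1853
Mcast Frames Rx ..        11429   Mcast Frames Tx ..            0
Frames 64 ........       110509   Frames 65-127 ....        15192
Frames 128-255 ...         1928   Frames 256-511 ...          442
Frames 512-1023 ..       157796   Frames 1024-1518..      1221024
CRC Error ........            0   Jabber ...........            0
No. of Rx Errors .            0   No. of Tx Errors .            0
UnderSize Frames .            0   OverSize Frames ..            0
Fragments ........            0   Collision ........            0
Frames 1519-1522 .            0   Dropped Frames ...            0
"""

# One "label ..... value" pair; findall() returns both columns of a line.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 .\-]*?)\s*\.+\s*(\d+)")

# Receive-side counters that each stand for a damaged or illegal frame.
# "No. of Rx Errors" may overlap with the specific counters, so the sum is
# treated as an upper bound, which is fine for an alerting threshold.
RX_ERROR_COUNTERS = ("CRC Error", "UnderSize Frames", "OverSize Frames",
                     "Fragments", "Jabber", "No. of Rx Errors")


def parse_switch_counters(text: str) -> Dict[str, int]:
    """Turn the SHOW SWITCH COUNTER display into {label: value}."""
    return {label.strip(): int(value) for label, value in PAIR_RE.findall(text)}


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Increments between two snapshots; the switch counters only ever grow."""
    return {name: after[name] - before.get(name, 0) for name in after}


def assess_counters(counters: Dict[str, int],
                    max_error_ratio: float = 0.001,
                    max_bcast_ratio: float = 0.25) -> List[str]:
    """Return the names of the conditions a monitor should raise on."""
    findings: List[str] = []
    frames_rx = counters.get("Frames Rx", 0)
    rx_errors = sum(counters.get(name, 0) for name in RX_ERROR_COUNTERS)
    if frames_rx and rx_errors / frames_rx > max_error_ratio:
        findings.append("rx_errors")        # bad cabling, bad NIC or malformed frames
    if counters.get("Collision", 0):
        findings.append("collisions")       # only possible on a half-duplex link: duplex mismatch
    if counters.get("Dropped Frames", 0):
        findings.append("dropped")          # buffered, then discarded: congestion or filtering
    if frames_rx and counters.get("Bcast Frames Rx", 0) / frames_rx > max_bcast_ratio:
        findings.append("broadcast_storm")  # the loop symptom the trunking cautions describe
    return findings


if __name__ == "__main__":
    snapshot = parse_switch_counters(SAMPLE_COUNTER_OUTPUT)
    print(len(snapshot), "counters parsed; findings:", assess_counters(snapshot))
```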
SHOW SWITCH PORT COUNTER
Syntax
show switch port=port counter
Parameter
port
Specifies the port whose statistics you want to view.
You can specify more than one port at a time. To view
all ports, do not specify a port.
Description
This command displays the operating statistics for a port on the switch.
Examples of the statistics include the number of packets transmitted and
received, and the number of CRC errors. For an example of the display
and definitions of the statistics, refer to “SHOW SWITCH COUNTER” on
page 139.
Examples
The following command displays the operating statistics for port 14:
show switch port=14 counter
The following command displays the operating statistics for all ports:
show switch port counter
Chapter 9
MAC Address Table Commands
This chapter contains the following commands:
• “ADD SWITCH FDB|FILTER” on page 144
• “DELETE SWITCH FDB|FILTER” on page 146
• “RESET SWITCH FDB” on page 148
• “SET SWITCH AGINGTIMER|AGEINGTIMER” on page 149
• “SHOW SWITCH AGINGTIMER|AGEINGTIMER” on page 150
• “SHOW SWITCH FDB” on page 151
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 7, “MAC Address
Table” in the AT-S63 Management Software Menus Interface User’s
Guide.
ADD SWITCH FDB|FILTER
Syntax
add switch fdb|filter destaddress|macaddress=macaddress
port=port vlan=name|vid
Note
The FDB and FILTER keywords are equivalent.
Parameters
destaddress or
macaddress
Specifies the static unicast or multicast address to be
added to the switch’s MAC address table. The
parameters are equivalent. The address can be
entered in either of the following formats:
xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx
port
Specifies the port(s) where the MAC address is to be
assigned. You can specify only one port when adding
a unicast address. You can specify more than one
port when adding a multicast address.
vlan
Specifies the name or VID of the VLAN where the
node designated by the MAC address is a member.
Description
This command adds static unicast and multicast MAC addresses to the
switch’s MAC address table. A MAC address added with this command is
never timed out from the MAC address table, even when the end node or,
in the case of a multicast address, the multicast application is inactive.
If you are entering a static multicast address, the address must be
assigned to the port when the multicast application is located and to the
ports where the host nodes are connected. Assigning the address to only
the port where the multicast application is located will result in the failure
of the multicast packets to be properly forwarded to the host nodes.
Examples
The following command adds the static MAC address 00:A0:D2:18:1A:11
to port 7. It assumes the port where the MAC address is to be assigned is
a member of the Default_VLAN:
add switch fdb macaddress=00A0D2181A11 port=7
vlan=default_vlan
The following command adds the multicast MAC address 01:00:51:00:00:10
to ports 1 to 5. The ports belong to the Engineering VLAN:
add switch fdb macaddress=010051000010 port=1-5
vlan=Engineering
DELETE SWITCH FDB|FILTER
Syntax
delete switch fdb|filter
macaddress|destaddress=macaddress vlan=name|vid
type|status=static|staticunicast|staticmulticast|dynamic|
dynamicunicast|dynamicmulticast
Note
The FDB and FILTER keywords are equivalent.
Parameters
macaddress or
destaddress
Deletes a dynamic or static unicast or multicast MAC
address from the MAC address table. The address can
be entered in either of the following formats:
xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx
This parameter must be accompanied with the VLAN
parameter.
vlan
Specifies the VLAN containing the port(s) where the
address was learned or assigned. The VLAN can be
specified by name or VID. This parameter must be used
with the MACADDRESS and DESTADDRESS
parameters.
type or
status
Deletes specific types of MAC addresses. Options are:
static
Deletes all static unicast and
multicast MAC addresses.
staticunicast
Deletes all static unicast addresses.
staticmulticast
Deletes all static multicast
addresses.
dynamic
Deletes all dynamic unicast and
multicast MAC addresses.
dynamicunicast
Deletes all dynamic unicast
addresses.
dynamicmulticast
Deletes all dynamic multicast
addresses.
Description
This command deletes dynamic and static unicast and multicast
addresses from the switch’s MAC address table.
Note
You cannot delete a switch’s MAC address, an STP BPDU MAC
address, or a broadcast address.
Examples
The following command deletes the static MAC address
00:A0:D2:18:1A:11 from the table. The port where the address was
learned or assigned is part of the Default_VLAN, which has a VID of 1:
delete switch fdb macaddress=00A0D2181A11 vlan=1
The following command deletes the MAC address 00:A0:C1:11:22:44 from
the table. The port where the address was learned or assigned is part of
the Sales VLAN:
delete switch fdb macaddress=00a0c1112244 vlan=sales
The following command deletes all dynamic MAC addresses learned on
the ports of the Default_VLAN:
delete switch fdb macaddress=dynamic vlan=default_vlan
The following command deletes all dynamic MAC addresses:
delete switch fdb type=dynamic
The following command deletes all static unicast MAC addresses:
delete switch fdb type=staticunicast
RESET SWITCH FDB
Syntax
reset switch fdb [port=port]
Parameter
port
Specifies the port whose dynamic MAC addresses are to
be deleted from the MAC address table. You can specify
more than one port at a time.
Description
This command deletes all of the dynamic MAC addresses learned by the
entire switch or on a specific port. After a port’s dynamic MAC addresses
have been deleted, the port begins to learn new addresses.
Examples
The following command deletes all the dynamic MAC addresses in the
switch’s MAC address table:
reset switch fdb
The following command deletes all the dynamic MAC addresses learned
on port 5:
reset switch fdb port=5
SET SWITCH AGINGTIMER|AGEINGTIMER
Syntax
set switch agingtimer|ageingtimer=value
Parameter
agingtimer or
ageingtimer
Specifies the aging timer for the MAC address table.
The value is in seconds. The range is 0 to 1048575.
The default is 300 seconds (5 minutes). The
parameters are equivalent.
Description
The switch uses the aging timer to delete inactive dynamic MAC
addresses from the MAC address table. When the switch detects that no
packets have been sent to or received from a particular MAC address in
the table after the period specified by the aging time, the switch deletes the
address. This prevents the table from becoming full of addresses of nodes
that are no longer active.
Setting the aging timer to 0 disables the timer. No dynamic MAC
addresses are aged out and the table stops learning new addresses after
reaching its maximum capacity.
To view the current setting for the MAC address aging timer, refer to
“SHOW SWITCH AGINGTIMER|AGEINGTIMER” on page 150.
Example
The following command sets the aging timer to 120 seconds (2 minutes):
set switch agingtimer=120
SHOW SWITCH AGINGTIMER|AGEINGTIMER
Syntax
show switch agingtimer|ageingtimer
Parameters
None.
Description
This command displays the current setting for the aging timer. The switch
uses the aging timer to delete inactive dynamic MAC addresses from the
MAC address table. To set the aging timer, refer to “SET SWITCH
AGINGTIMER|AGEINGTIMER” on page 149.
Figure 9 illustrates the information displayed by this command.
Aging interval: 300 second(s)
Figure 9. SHOW SWITCH AGINGTIMER|AGEINGTIMER Command
Example
The following command displays the current setting for the MAC address
aging timer:
show switch agingtimer
SHOW SWITCH FDB
Syntax
show switch fdb [macaddress|destaddress=macaddress]
[port=port] [type|status=static|staticunicast|
staticmulticast|dynamic|dynamicunicast|dynamicmulticast]
[vlan=name]
Parameters
address
Specifies a MAC address. Use this parameter to determine
the port on the switch on which a particular MAC address
was learned (dynamic) or assigned (static). The address can
be entered in either of the following formats:
xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx
port
Specifies a port on the switch. Use this parameter to view all
addresses learned on a particular port. You can specify more
than one port.
type or
status
Displays specific types of MAC addresses. Options are:
static
Displays all static unicast and multicast
MAC addresses.
staticunicast
Displays all static unicast addresses.
staticmulticast
Displays all static multicast addresses.
dynamic
Displays all dynamic unicast and
multicast MAC addresses.
dynamicunicast
Displays all dynamic unicast addresses.
dynamicmulticast
Displays all dynamic multicast
addresses.
vlan
Specifies a VLAN name. Use this parameter to view the MAC
addresses learned or assigned to the ports of a particular
VLAN on the switch.
Note
You can specify more than one parameter at a time with this
command.
Description
This command displays the unicast and multicast MAC addresses learned
or assigned to the ports on the switch and stored in the switch’s MAC
address table.
Figure 10 is an example of the information displayed by this command for
unicast addresses.
Switch Forwarding Database
Total Number of MAC Addresses: 121
VLAN ID  MAC Address        Port  Status
-----------------------------------------------------------
0        01:80:C1:00:02:01  0     Static (fixed, non-aging)
1        00:a0:d2:18:1a:c8  1     Dynamic
1        00:a0:c4:16:3b:80  2     Dynamic
1        00:a0:12:c2:10:c6  3     Dynamic
1        00:a0:c2:09:10:d8  4     Dynamic
1        00:a0:33:43:a1:87  4     Dynamic
1        00:a0:12:a7:14:68  4     Dynamic
1        00:a0:d2:22:15:10  4     Dynamic
1        00:a0:d4:18:a6:89  4     Dynamic
Figure 10. SHOW SWITCH FDB Command - Unicast Addresses
Note
The first address in the unicast MAC address table is the address of
the switch.
The columns are defined here:
• VLAN ID - The ID number of the VLAN where the port is an untagged
member.
• MAC - The dynamic or static unicast MAC address learned on or
assigned to the port.
• Port - The port where the address was learned or assigned. The MAC
address with port 0 is the address of the switch.
• Status - The type of address: static or dynamic.
Figure 11 is an example of a multicast address.
Multicast Switch Forwarding Database
Total Number of MCAST MAC Addresses: 1
MAC Address        VLANID  Type    Port Maps (U:Untagged T:Tagged)
---------------------------------------------------------------
01:00:51:00:00:01  1       Static  U:1-4
                                   T:
Figure 11. SHOW SWITCH FDB Command - Multicast Addresses
The columns are defined here:
• MAC Address - The static or dynamic unicast MAC address.
• VLAN ID - The ID number of the VLAN where the port is an untagged
member.
• Type - The type of the address: static or dynamic.
• Port Maps - The tagged and untagged ports on the switch that are
members of a multicast group. This column is useful in determining
which ports belong to different groups.
Examples
The following command displays all the static and dynamic unicast MAC
addresses in the switch’s MAC address table:
show switch fdb
The following command displays just the static unicast MAC addresses:
show switch fdb type=static
The following command displays the static and dynamic multicast
addresses:
show switch fdb type=multicast
The following command displays just the static multicast addresses:
show switch fdb type=staticmulticast
The following command displays the port where the MAC address
00:A0:D2:18:1A:11 was learned (dynamic) or added (static):
show switch fdb address=00A0D2181A11
The following command displays the MAC addresses learned on port 2:
show switch fdb port=2
The following command displays the MAC addresses learned on the ports
in the Sales VLAN:
show switch fdb vlan=sales
The following command displays the static MAC addresses on port 17:
show switch fdb port=17 type=static
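An added example, not from the AT-S63 manual, covering the MAC address table chapter as a whole: Python that parses the unicast SHOW SWITCH FDB display of Figure 10, counts the dynamic addresses each port holds (a port that learns far more addresses than it has hosts is what fills the table the aging timer is meant to keep clear), normalizes addresses between the two formats the FDB commands accept, expands the manual's port syntax, and builds an ADD SWITCH FDB line that enforces the one-port rule for static unicast addresses. The column spacing of the sample text and the per-port threshold are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the layout of Figure 10; the rows are the figure's,
# the column spacing is an assumption.
SAMPLE_FDB_OUTPUT = """\
Switch Forwarding Database
Total Number of MAC Addresses: 121
VLAN ID  MAC Address        Port  Status
-----------------------------------------------------------
0        01:80:C1:00:02:01  0     Static (fixed, non-aging)
1        00:a0:d2:18:1a:c8  1     Dynamic
1        00:a0:c4:16:3b:80  2     Dynamic
1        00:a0:12:c2:10:c6  3     Dynamic
1        00:a0:c2:09:10:d8  4     Dynamic
1        00:a0:33:43:a1:87  4     Dynamic
1        00:a0:12:a7:14:68  4     Dynamic
1        00:a0:d2:22:15:10  4     Dynamic
1        00:a0:d4:18:a6:89  4     Dynamic
"""

# One table row: VLAN ID, colon-form MAC, port, then Static or Dynamic
# (the "(fixed, non-aging)" suffix of the switch's own entry is ignored).
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<port>\d+)\s+"
    r"(?P<status>Static|Dynamic)", re.MULTILINE)

Entry = Tuple[int, str, int, str]  # (vlan id, mac, port, status)


def normalize_mac(mac: str) -> str:
    """Accept xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx; return the colon form, lowercase."""
    digits = mac.replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_multicast(mac: str) -> bool:
    """Group bit (least significant bit of the first octet) set."""
    return int(normalize_mac(mac)[:2], 16) & 1 == 1


def expand_ports(spec: str) -> List[int]:
    """Expand the port syntax the manual uses: 5,7,22 or 18-20 or 1,14-16."""
    ports: List[int] = []
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            ports.extend(range(low, high + 1))
        else:
            ports.append(int(part))
    return ports


def parse_fdb(text: str) -> List[Entry]:
    """Rows of the unicast SHOW SWITCH FDB display as (vlan, mac, port, status)."""
    return [(int(m["vlan"]), normalize_mac(m["mac"]), int(m["port"]), m["status"])
            for m in ROW_RE.finditer(text)]


def dynamic_counts_per_port(entries: List[Entry]) -> Dict[int, int]:
    """How many dynamically learned addresses each port currently holds."""
    return dict(Counter(port for _, _, port, status in entries if status == "Dynamic"))


def flooded_ports(entries: List[Entry], max_dynamic: int) -> Dict[int, int]:
    """Ports holding more dynamic addresses than the hosts expected behind them."""
    return {port: n for port, n in dynamic_counts_per_port(entries).items()
            if n > max_dynamic}


def add_fdb_command(mac: str, ports: str, vlan: str) -> str:
    """Build the ADD SWITCH FDB line that pins an address so it never ages out.

    The manual allows several ports only for a multicast address; a static
    unicast address must be assigned to exactly one port.
    """
    mac = normalize_mac(mac)
    if not is_multicast(mac) and len(expand_ports(ports)) != 1:
        raise ValueError("a static unicast address takes exactly one port")
    return f"add switch fdb macaddress={mac} port={ports} vlan={vlan}"


if __name__ == "__main__":
    table = parse_fdb(SAMPLE_FDB_OUTPUT)
    print("dynamic addresses per port:", dynamic_counts_per_port(table))
    print("over threshold (3):", flooded_ports(table, max_dynamic=3))
```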
Chapter 10
Static Port Trunking Commands
This chapter contains the following commands:
• “ADD SWITCH TRUNK” on page 156
• “CREATE SWITCH TRUNK” on page 158
• “DELETE SWITCH TRUNK” on page 160
• “DESTROY SWITCH TRUNK” on page 161
• “SET SWITCH TRUNK” on page 162
• “SHOW SWITCH TRUNK” on page 163
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information and guidelines on static port trunking,
refer to Chapter 8, “Static and LACP Port Trunks” in the AT-S63
Management Software Menus Interface User’s Guide.
ADD SWITCH TRUNK
Syntax
add switch trunk=name [tgid=id_number] port=port
Parameters
trunk
Specifies the name of the static port trunk to be
modified.
tgid
Specifies the ID number of the static port trunk to be
modified. The range is 1 to 6. This parameter is
optional.
port
Specifies the port to be added to the port trunk. You can
add more than one port at a time. You can specify the
ports individually (for example, 5,7,22), as a range (for
example, 18-20), or both (for example, 1,14-16).
Description
This command adds ports to an existing static port trunk. To initially create
a static port trunk, refer to “CREATE SWITCH TRUNK” on page 158.
Caution
Disconnect all network cables from the ports of the trunk on the
switch before using this command. Adding a port to a port trunk
without first disconnecting the cables may result in loops in your
network topology, which can produce broadcast storms and poor
network performance.
Note
If the port you are adding will be the lowest numbered port in the
trunk, its parameter settings will overwrite the settings of the existing
ports in the trunk. Consequently, you should check that its settings are
appropriate prior to adding it to the trunk. If the port will not be the
lowest numbered port, then its settings are changed to match the
settings of the existing ports in the trunk.
Note
If the port to be added to a trunk is already a member of another
static trunk, you must first remove it from its current trunk
assignment. To remove ports from a trunk, see “DELETE SWITCH
TRUNK” on page 160.
Example
The following command adds port 5 to a port trunk called load22:
add switch trunk=load22 port=5
CREATE SWITCH TRUNK
Syntax
create switch trunk=name port=ports
[select=macsrc|macdest|macboth|ipsrc|ipdest|ipboth]
Parameters
trunk
Specifies the name of the trunk. The name can be up to
16 alphanumeric characters. No spaces or special
characters are allowed.
port
Specifies the ports to be added to the port trunk. You
can specify the ports individually (for example, 5, 7, 22),
as a range (for example, 18-23), or both (for example,
1, 5, 14-22).
select
Specifies the load distribution method. Options are:
macsrc
Source MAC address.
macdest
Destination MAC address.
macboth
Source address/destination MAC
address.
ipsrc
Source IP address.
ipdest
Destination IP address.
ipboth
Source address/destination IP
address.
Description
This command creates a static port trunk. To create the trunk, you specify
the ports on the switch that will constitute the trunk.
Caution
Do not connect the cables to the trunk ports on the switches until
after you have created the trunk in the management software.
Connecting the cables before configuring the software will create a
loop in your network topology. Data loops can result in broadcast
storms and poor network performance.
Note
Before creating a static port trunk, examine the speed, duplex mode,
and flow control settings of the lowest numbered port to be in the
trunk. Check to be sure that the settings are correct for the end node
to which the trunk will be connected. When you create the trunk, the
AT-S63 management software copies the settings of the lowest
numbered port in the trunk to the other ports so that all the settings
are the same.
You should also check to be sure that the ports are untagged
members of the same VLAN. You cannot create a trunk of ports that
are untagged members of different VLANs.
Note
All ports in a trunk must operate at the same speed. When you
include port 23R or 24R in a trunk and the port transitions to
redundant uplink status, the port speed is automatically adjusted to
1000 Mbps. If the other ports in the trunk are operating at a different
speed, port trunking may be unpredictable. Because of these port
speed variables, Allied Telesyn suggests that you not include port
23R or 24R in a port trunk.
Note
If the ports that are to constitute the new trunk are already members
of another static trunk, you must first remove them from their current
trunk assignment. To remove ports from a static trunk, see “DELETE
SWITCH TRUNK” on page 160.
Examples
The following command creates a static port trunk using ports 3 through 6.
The command names the trunk “load22” and sets the load distribution
method to destination MAC address.
create switch trunk=load22 port=3-6 select=macdest
The following command creates a port trunk consisting of ports 15, 17, and
22. The command names the trunk “trunk4”. No load distribution method is
specified, so the default source and destination MAC addresses method is
used:
create switch trunk=trunk4 port=15,17,22
DELETE SWITCH TRUNK
Syntax
delete switch trunk=name port=port
Parameters
trunk
Specifies the name of the static port trunk to be
modified.
port
Specifies the port to be removed from the existing port
trunk. You can specify more than one port at a time.
Description
This command removes ports from a static port trunk. To completely
remove a port trunk from a switch, see “DESTROY SWITCH TRUNK” on
page 161.
Caution
Disconnect all data cables from the ports of the trunk on the switch
before using this command. Removing a port from a port trunk
without first disconnecting the cables may result in loops in your
network topology, which can produce broadcast storms and poor
network performance.
Note
You cannot remove ports from a trunk that has only two ports
because a static trunk must have a minimum of two ports.
Example
The following command removes port 9 from a port trunk called
Dev_trunk:
delete switch trunk=Dev_trunk port=9
DESTROY SWITCH TRUNK
Syntax
destroy switch trunk=name
Parameter
trunk
Specifies the name of the trunk to be deleted.
Description
This command deletes a static port trunk from a switch. After a port trunk
has been deleted, the ports that made up the trunk can be connected to
different end nodes.
Caution
Disconnect the cables from the port trunk on the switch before
destroying the trunk. Deleting a port trunk without first disconnecting
the cables can create loops in your network topology. Data loops
can result in broadcast storms and poor network performance.
Example
The following command deletes the trunk called load22 from the switch:
destroy switch trunk=load22
SET SWITCH TRUNK
Syntax
set switch trunk=name
select=macsrc|macdest|macboth|ipsrc|ipdest|ipboth
Parameters
trunk
Specifies the name of the static port trunk.
select
Specifies the load distribution method. Options are:
macsrc
Source MAC address.
macdest
Destination MAC address.
macboth
Source address/destination MAC
address.
ipsrc
Source IP address.
ipdest
Destination IP address.
ipboth
Source address/destination IP
address.
Description
This command changes the load distribution method of an existing static
port trunk.
Example
The following command changes the load distribution method of a trunk
named “Load11” to source MAC address:
set switch trunk=Load11 select=macsrc
SHOW SWITCH TRUNK
Syntax
show switch trunk
Parameters
None.
Description
This command displays the names, ports, and load distribution methods of
the static port trunks on the switch. An example of the command is shown
in Figure 12.
Trunk group ID .......... 2
Trunk status ............ UP
Trunk group name ........ Server11
Trunk method ............ SRC/DST MAC
Ports ................... 12-16
Figure 12. SHOW SWITCH TRUNK Command
The command displays the following information:
• Trunk group ID - The ID number of the static port trunk.
• Trunk status - The operational status of the trunk. If the trunk has
established a link with the other device, status will be UP. If the trunk
has not established a link or the ports in the trunk are disabled, status
will be DOWN.
• Trunk group name - The name of the static port trunk.
• Trunk method - One of the following load distribution methods:
SRC MAC
Source MAC address.
DST MAC
Destination MAC address.
SRC/DST MAC
Source address/destination MAC address.
SRC IP
Source IP address.
DST IP
Destination IP address.
SRC/DST IP
Source address/destination IP address.
• Ports - The ports of the static port trunk.
Example
The following command displays port trunking information:
show switch trunk
Chapter 11
LACP Port Trunking Commands
This chapter contains the following commands:
• “ADD LACP PORT” on page 166
• “CREATE LACP AGGREGATOR” on page 167
• “DELETE LACP PORT” on page 169
• “DESTROY LACP AGGREGATOR” on page 170
• “DISABLE LACP” on page 171
• “ENABLE LACP” on page 172
• “SET LACP AGGREGATOR” on page 173
• “SET LACP SYSPRIORITY” on page 175
• “SET LACP STATE” on page 176
• “SHOW LACP” on page 177
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information and guidelines on LACP port trunks,
refer to Chapter 8, “Static and LACP Port Trunks” in the AT-S63
Management Software Menus Interface User’s Guide.
ADD LACP PORT
Syntax
add lacp aggregator=name port=port
Parameters
aggregator
Specifies the name of the aggregator. The name is
case-sensitive.
port
Specifies the port to be added to the aggregator. You
can add more than one port at a time. You can specify
the ports individually (for example, 5,7,22), as a range
(for example, 18-20), or both (for example, 1,14-16).
Description
This command adds ports to an existing aggregator. You must identify the
aggregator by its name. To display the names of the aggregators on the
switch, refer to “SHOW LACP” on page 177. To create an aggregator,
refer to “CREATE LACP AGGREGATOR” on page 167.
Caution
A network cable should not be connected to a port on the switch
until after the port is added to the aggregator. Connecting the cable
before the port is a part of an aggregator can result in loops in your
network topology, which can result in broadcast storms and poor
network performance.
Note
Before adding a port to an aggregator, verify that the port’s speed is
set to Auto-Negotiation or 100 Mbps, full-duplex. Aggregate trunks
do not support half-duplex mode.
Examples
The following command adds ports 8 and 22 to an aggregator named
“agg_1”:
add lacp aggregator=agg_1 port=8,22
CREATE LACP AGGREGATOR
Syntax
create lacp aggregator=name|adminkey=0xkey port=port
[distribution=macsrc|macdest|macboth|ipsrc|ipdest|ipboth]
Parameters
aggregator
Specifies a name for the new aggregator. The name
can be up to 20 alphanumeric characters. No spaces or
special characters are allowed. If no name is specified,
the default name is DEFAULT_AGG followed by a
number.
adminkey
Specifies an adminkey number for the aggregator. This
is a hexadecimal number in the range of 0x1 to 0xffff. If
this parameter is omitted, the default adminkey of the
lowest numbered port in the aggregator is used.
port
Specifies the ports of the aggregator. You can specify
the ports individually (for example, 5,7,22), as a range
(for example, 18-20), or both (for example, 1,14-16).
distribution
Specifies the load distribution method, which can be
one of the following:
macsrc
Source MAC address.
macdest
Destination MAC address.
macboth
Source and destination MAC
addresses. This is the default.
ipsrc
Source IP address.
ipdest
Destination IP address.
ipboth
Source and destination IP addresses.
If this parameter is omitted, the source and destination
MAC addresses load distribution method is selected by
default.
Description
This command creates an LACP aggregator. Note the following when
creating a new aggregator:
• You can specify either a name or an adminkey but not both when
creating a new aggregator.
• When you create a new aggregator by specifying a name, the
adminkey is based on the operator key of the lowest numbered port in
the aggregator.
• When you create an aggregator by specifying an adminkey, the
aggregator’s default name is DEFAULT_AGG followed by the port
number of the lowest numbered port in the aggregator. For instance,
an aggregator of ports 12 to 16 is given the name DEFAULT_AGG12.
• Before creating an aggregator, you should verify that the ports that will
be members of the aggregator are set to Auto-Negotiation or 100
Mbps, full-duplex. Aggregate trunks do not support half-duplex mode.
• All the ports of an aggregator must be untagged ports of the same
VLAN.
• You cannot change the name or adminkey of an existing aggregator.
That function requires deleting the aggregator and recreating it.
Caution
Do not connect the cables to the ports of the aggregator on the
switch until after you have configured LACP and the aggregators on
both devices that will be interconnected by the trunk. Connecting the
cables before configuring the aggregators and activating the
protocol will create a loop in your network topology. Data loops can
result in broadcast storms and poor network performance.
Examples
The following command creates an LACP aggregator named “sw_agg_1”
of ports 1 through 4. The load distribution method is source MAC address.
Since the aggregator is being created by name, the default operator key
for port 1, the lowest numbered port in the aggregator, becomes the
adminkey:
create lacp aggregator=sw_agg_1 port=1-4 distribution=macsrc
The following command creates an LACP aggregator of ports 10, 12, 15 to
18 with an adminkey number of 0x7A. The default name for the aggregator
is DEFAULT_AGG10 because the command specifies an adminkey and
because port 10 is the lowest numbered port in the aggregator. Since no
load distribution method is specified, the source and destination MAC
addresses load distribution method is used by default:
create lacp adminkey=0x7A port=10,12,15-18
DELETE LACP PORT
Syntax
delete lacp aggregator=name port=port
Parameters
aggregator
Specifies the name of the aggregator. The name is
case-sensitive.
port
Specifies the port to delete from an aggregator. You can
delete more than one port at a time. You can specify the
ports individually (for example, 5,7,22), as a range (for
example, 18-20), or both (for example, 1,14-16).
Description
This command removes a port from an aggregator. You must identify the
aggregator by its name. To display the names of the aggregators on the
switch, refer to “SHOW LACP” on page 177. To completely remove an
aggregator, see “DESTROY LACP AGGREGATOR” on page 170.
Caution
Disconnect the network cable from a port before removing it from an
aggregator. Removing a port without first disconnecting the cable
can result in loops in your network topology, which can result in
broadcast storms and poor network performance.
Example
The following command removes port 9 from the “lacp_server” aggregator:
delete lacp aggregator=lacp_server port=9
DESTROY LACP AGGREGATOR
Syntax
destroy lacp aggregator=name|adminkey=0xkey
Parameter
aggregator
Specifies the name of the aggregator. The name is
case-sensitive.
adminkey
Specifies the adminkey number of the aggregator. This
is a hexadecimal number between 0x1 and 0xffff.
Description
This command deletes an LACP aggregator from the switch. You can
identify the aggregator by its name or adminkey number. To display the
names and adminkeys of the aggregators on the switch, refer to “SHOW
LACP” on page 177.
Caution
Disconnect the network cables from the ports of the aggregator
before performing this command. Deleting the aggregator without
first disconnecting the cables can result in loops in your network
topology, which can result in broadcast storms and poor network
performance.
Example
The following command deletes an aggregator named “agg_15”:
destroy lacp aggregator=agg_15
The following command deletes an aggregator with an adminkey number
of 0x1A:
destroy lacp adminkey=0x1a
DISABLE LACP
Syntax
disable lacp
Parameters
None.
Description
This command disables LACP on the switch. The default is disabled.
Caution
Do not disable LACP if there are defined aggregators without first
disconnecting all cables connected to the aggregate trunk ports.
Otherwise, a network loop may occur, resulting in a broadcast storm
and poor network performance.
Example
The following command disables LACP on the switch:
disable lacp
Equivalent Command
set lacp state=disable
For information, see “SET LACP STATE” on page 176.
ENABLE LACP
Syntax
enable lacp
Parameters
None.
Description
This command activates LACP on the switch. The default is disabled.
Example
The following command activates LACP:
enable lacp
Equivalent Command
set lacp state=enable
For information, see “SET LACP STATE” on page 176.
SET LACP AGGREGATOR
Syntax
set lacp aggregator=name|adminkey=key
[distribution=macsrc|macdest|macboth|ipsrc|ipdest|ipboth]
Parameters
aggregator
Specifies the name of the aggregator you want to
modify. The name is case-sensitive.
adminkey
Specifies the adminkey number of the aggregator you
want to modify. This is a hexadecimal number between
0x1 and 0xffff.
distribution
Specifies one of the following load distribution methods:
macsrc
Source MAC address.
macdest
Destination MAC address.
macboth
Source address/destination MAC
address. This is the default.
ipsrc
Source IP address.
ipdest
Destination IP address.
ipboth
Source address/destination IP
address.
Description
This command modifies the load distribution method of an existing LACP
aggregator. You can identify the aggregator by its name or adminkey. To
display the names and adminkeys of the aggregators on the switch, refer
to “SHOW LACP” on page 177.
Note
You cannot change the name or adminkey of an existing aggregator.
Examples
The following command changes the load distribution method of an LACP
aggregator titled “agg_5” to the source MAC address method:
set lacp aggregator=agg_5 distribution=macsrc
The following command changes the load distribution method of an LACP
aggregator with the adminkey 0x22 to the destination MAC address
method:
set lacp adminkey=0x22 distribution=macdest
SET LACP SYSPRIORITY
Syntax
set lacp syspriority=0xpriority
Parameters
syspriority
Specifies the LACP system priority value for a switch.
This is a hexadecimal value from 0x1 to 0xffff. The
lower the number, the higher the priority. The default is
0x0080.
Description
This command sets the LACP priority of the switch. LACP uses the priority
to resolve conflicts between two switches to decide which switch makes
the decision about which ports to aggregate.
Example
The following command sets the LACP priority on the switch to 0x8000:
set lacp syspriority=0x8000
SET LACP STATE
Syntax
set lacp state=enable|disable
Parameters
state
Specifies the state of LACP on the switch. The options are:
enable
Enables LACP.
disable
Disables LACP. This is the default.
Description
This command enables or disables LACP on the switch.
Caution
Do not disable LACP if there are defined aggregators without first
disconnecting all cables connected to the aggregate trunk ports.
Otherwise, a network loop might occur, resulting in a broadcast
storm and poor network performance.
Example
The following command activates LACP on the system:
set lacp state=enable
Equivalent Commands
disable lacp
For information, see “DISABLE LACP” on page 171.
enable lacp
For information, see “ENABLE LACP” on page 172.
SHOW LACP
Syntax
show lacp [port=port] [aggregator] [machine=port]
Parameters
port
Specifies the port(s) to display. You can specify the
ports individually (for example, 5,7,22), as a range (for
example, 18-20), or both (for example, 1,14-16).
aggregator
Displays information about the aggregators.
machine
Specifies the LACP machine state for a port or ports on
the system.
Description
This command displays the configuration and/or machine states of the
ports, and/or the aggregators. Entering the command without any
parameters displays general LACP status information. Figure 13 illustrates
the information displayed by this command.
Status ........................... Enable
Mac Address ...................... 00-21-46-A7-B4-43
Priority ......................... 0x0080
Collector delay .................. 0 Seconds
Figure 13. SHOW LACP Command
The command displays the following information:
• Status - Whether the LACP protocol is enabled or disabled on the
switch.
• MAC Address - The MAC address of the switch.
• Priority - The LACP system priority value assigned to the switch.
The PORT parameter displays LACP port information. Figure 14 illustrates
the information displayed by this parameter. For definitions, refer to the
IEEE 802.3ad standard.
Port ............. 05
Aggregator ....... LACP sw22
ACTOR                                 PARTNER
============================================
Actor Port ............. 05           Partner Port ......... 00
Selected ............... SELECTED     Partner System ....... 00-30-84-AB-EF-CD
Oper Key ............... 0xf705       Oper Key ............. 0xff07
Oper Port Priority ..... 0x0005       Oper Port Priority ... 0x0007
Individual ............. NO           Individual ........... NO
Synchronized ........... YES          Synchronized ......... YES
Collecting ............. YES          Collecting ........... YES
Distributing ........... YES          Distributing ......... YES
Defaulted .............. NO           Defaulted ............ NO
Expired ................ NO           Expired .............. NO
Actor Churn ............ YES          Partner Churn ........ YES
Figure 14. SHOW LACP Command with the PORT Parameter
The AGGREGATOR parameter displays information about each existing
aggregator. Figure 15 illustrates the information displayed by this
parameter.
Aggregator # 1 ..... DEFAULT_AGG5
Admin Key .......... 0x0001
Oper Key ........... 0x0045
Speed .............. 1000 Mbps
Distribution Mode .. MACBoth
Ports configured ... 5-8
Ports in LAGID ..... 5-8
Aggregated Port .... 5-8
Figure 15. SHOW LACP Command with the AGGREGATOR Parameter
Examples
The following command displays general LACP status information:
show lacp
The following command displays the LACP configuration for ports 13 and
16:
show lacp port=13,16
The following command displays the configuration of the aggregators on
the system:
show lacp aggregator
The following command displays the LACP machine states for each port
on the system:
show lacp machine
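The cautions on DESTROY LACP and DISABLE LACP assume you know which links are live members of a trunk before you touch them. The following added example, which is not part of this manual or of the AT-S63 software, parses the SHOW LACP PORT display into a health report that answers that question. Only the field names come from the page; the two-column alignment of the constructed sample is an assumption modelled on Figure 14, and the meaning of the Defaulted and Expired flags (partner information defaulted because no LACPDUs arrived; partner information timed out) is taken from IEEE 802.3ad, which the manual refers you to.

```python
"""Parse an AT-S63 'show lacp port=<n>' display and decide whether the
member port is really carrying aggregated traffic. Added example, not
vendor code; the two-column layout is an assumption modelled on Figure 14."""
import re

# Constructed sample (actor on the left, partner on the right); the values
# are those shown in Figure 14.
HEALTHY = """\
Port ............. 05
Aggregator ....... LACP sw22
ACTOR                                 PARTNER
============================================
Actor Port ............. 05           Partner Port ......... 00
Selected ............... SELECTED     Partner System ....... 00-30-84-AB-EF-CD
Oper Key ............... 0xf705       Oper Key ............. 0xff07
Oper Port Priority ..... 0x0005       Oper Port Priority ... 0x0007
Individual ............. NO           Individual ........... NO
Synchronized ........... YES          Synchronized ......... YES
Collecting ............. YES          Collecting ........... YES
Distributing ........... YES          Distributing ......... YES
Defaulted .............. NO           Defaulted ............ NO
Expired ................ NO           Expired .............. NO
Actor Churn ............ YES          Partner Churn ........ YES
"""


def _set_partner(text, field, value):
    """Rewrite the partner (right-hand) column of one row of a sample."""
    pattern = rf"({field} \.+ \S+\s{{2,}}{field} \.+ )\S+"
    return re.sub(pattern, rf"\g<1>{value}", text)


# Constructed sample of a partner that stopped sending LACPDUs: the far end
# has fallen back to defaulted partner information and is out of sync.
DEGRADED = _set_partner(_set_partner(_set_partner(
    HEALTHY, "Synchronized", "NO"), "Distributing", "NO"), "Defaulted", "YES")

# One "Label ..... value" field; the lookahead ends the value in front of a
# second field on the same line so both columns are captured.
FIELD = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*\.{2,}\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*\.{2,}|$)")


def parse_lacp_port(text):
    """Return (actor, partner) dicts. The 'Actor '/'Partner ' prefixes are
    stripped so the same key reads both sides, e.g. partner['Port']."""
    actor, partner = {}, {}
    for line in text.splitlines():
        for side, (label, value) in zip((actor, partner), FIELD.findall(line)):
            key = re.sub(r"^(Actor|Partner) ", "", label.strip())
            side[key] = value.strip()
    return actor, partner


FORWARDING = ("Synchronized", "Collecting", "Distributing")


def lag_problems(actor, partner):
    """Reasons the port is not an active LAG member. Empty list = healthy."""
    problems = []
    if actor.get("Selected") != "SELECTED":
        problems.append("actor: port not SELECTED into an aggregator")
    for name, side in (("actor", actor), ("partner", partner)):
        if side.get("Individual") == "YES":
            problems.append(f"{name}: link is being treated as an individual port")
        if side.get("Defaulted") == "YES":
            problems.append(f"{name}: using defaulted partner information (no LACPDUs received)")
        if side.get("Expired") == "YES":
            problems.append(f"{name}: partner information has expired")
        for flag in FORWARDING:
            if side.get(flag) != "YES":
                problems.append(f"{name}: {flag} is {side.get(flag, 'missing')}")
    return problems


def lag_report(text):
    """Summary for one port. Run it over every port of an aggregator before
    DESTROY LACP or DISABLE LACP: the healthy ones are the cables to pull."""
    actor, partner = parse_lacp_port(text)
    problems = lag_problems(actor, partner)
    return {
        "port": actor.get("Port"),
        "aggregator": actor.get("Aggregator"),
        "partner_system": partner.get("System"),
        "healthy": not problems,
        "problems": problems,
        # informational only: the churn flags are defined in IEEE 802.3ad
        "churn": (actor.get("Churn"), partner.get("Churn")),
    }


if __name__ == "__main__":
    for sample in (HEALTHY, DEGRADED):
        print(lag_report(sample))
```

Feed it the captured output of `show lacp port=<n>` for each port listed under "Ports configured" in `show lacp aggregator`; a port that reports healthy is forwarding on the trunk and will loop if the aggregator is destroyed while the cable is still connected.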
Chapter 12
Port Mirroring Commands
This chapter contains the following commands:
• “SET SWITCH MIRROR” on page 182
• “SET SWITCH PORT MIRROR” on page 183
• “SHOW SWITCH MIRROR” on page 184
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 9, “Port
Mirroring” in the AT-S63 Management Software Menus Interface
User’s Guide.
Chapter 12: Port Mirroring Commands
SET SWITCH MIRROR
Syntax
set switch mirror=port
Parameter
mirror
Specifies the destination port for the port mirror. This is the port
where the traffic from the source ports will be copied. You can
specify only one port as the destination port. Specifying “0”
(zero) stops port mirroring so that the destination port can
again be used as a normal networking port.
Description
This command enables mirroring and specifies the destination port, or
stops port mirroring. To select the source ports, refer to “SET SWITCH
PORT MIRROR” on page 183.
Examples
The following command enables mirroring and makes port 11 the
destination port:
set switch mirror=11
The following command stops port mirroring:
set switch mirror=0
SET SWITCH PORT MIRROR
Syntax
set switch port=port mirror=none|rx|tx|both
Parameters
port
Specifies the source port of a port mirror. You can
specify more than one port. You can specify the ports
individually (for example, 5, 7, 22), as a range (for
example, 18-23), or both (for example, 1, 5, 14-22).
mirror
Specifies which traffic on the source ports is to be
mirrored to the destination port. The options are:
rx
Specifies ingress mirroring.
tx
Specifies egress mirroring.
both
Specifies both ingress and egress mirroring.
none
Removes a port as a source port.
Description
This command specifies the source ports of a port mirror. If the port mirror
already has source ports, the new source ports are added to the existing
ports. You can also use the command to remove source ports.
You must set the destination port before you can select the source ports.
To set the destination port, refer to “SET SWITCH MIRROR” on page 182.
Examples
The following command specifies ports 16 and 17 as new source ports for
the port mirror. Only the ingress traffic is mirrored:
set switch port=16-17 mirror=rx
The following command removes ports 5, 7, and 10 as source ports of a
port mirror:
set switch port=5,7,10 mirror=none
SHOW SWITCH MIRROR
Syntax
show switch mirror
Parameters
None.
Description
This command displays the source and destination ports of a port mirror
on the switch. An example is shown in Figure 16.
Port Mirroring:
Mirroring State ..................... Enabled
Mirror-To (Destination) Port ........ 22
Ingress (Rx) Mirror (Source) Ports .. 1,3
Egress (Tx) Mirror (Source) Ports ... 1,3,11-13
Figure 16. SHOW SWITCH MIRROR Command
The command provides the following information about the port mirror:
• Mirroring State - The port mirroring status, Enabled or Disabled. If port
mirroring is disabled on the switch, only this line is displayed by the
command.
• Mirror-To (Destination) Port - The port functioning as the destination
port.
• Ingress (Rx) Mirror (Source) Ports - The port(s) whose ingress
(received) traffic is mirrored.
• Egress (Tx) Mirror (Source) Ports - The port(s) whose egress
(transmitted) traffic is mirrored.
Example
The following command displays the status and ports of a port mirror:
show switch mirror
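A port mirror copies traffic to whatever port is named as the destination, so a mirror session you did not configure is a way for someone with management access to eavesdrop on the switch, and a missing one leaves your IDS sensor blind. The practical check is to compare SHOW SWITCH MIRROR against the session you intend. The following added example, which is not the manual's or the vendor's code, parses the Figure 16 layout, reports deviations from an assumed policy, and builds the SET SWITCH MIRROR and SET SWITCH PORT MIRROR commands from this chapter that restore it. The policy dict, the sensor port 22 and the source port numbers are assumptions.

```python
"""Audit an AT-S63 'show switch mirror' display against the mirror session
you intend to exist. Added example, not vendor code; the display layout
is that of Figure 16, the policy format is an assumption."""
import re

# Constructed samples in the Figure 16 layout.
MIRROR_ENABLED = """\
Port Mirroring:
Mirroring State ..................... Enabled
Mirror-To (Destination) Port ........ 22
Ingress (Rx) Mirror (Source) Ports .. 1,3
Egress (Tx) Mirror (Source) Ports ... 1,3,11-13
"""
# When mirroring is disabled the switch prints only the state line.
MIRROR_DISABLED = """\
Port Mirroring:
Mirroring State ..................... Disabled
"""


def expand_ports(spec):
    """'1,3,11-13' -> {1, 3, 11, 12, 13}: the port-list syntax the CLI uses."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def compact_ports(ports):
    """{1, 3, 11, 12, 13} -> '1,3,11-13', for feeding back into SET SWITCH PORT."""
    out, run = [], []
    for p in sorted(ports) + [None]:
        if run and (p is None or p != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if p is not None:
            run.append(p)
    return ",".join(out)


LINE = re.compile(r"\s*(.+?)\s*\.{2,}\s*(.*)$")   # "Label ..... value"


def parse_mirror(text):
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if fields.get("Mirroring State", "").lower() != "enabled":
        return {"enabled": False, "dest": None, "rx": set(), "tx": set()}
    return {
        "enabled": True,
        "dest": int(fields["Mirror-To (Destination) Port"]),
        "rx": expand_ports(fields.get("Ingress (Rx) Mirror (Source) Ports", "")),
        "tx": expand_ports(fields.get("Egress (Tx) Mirror (Source) Ports", "")),
    }


def audit_mirror(text, policy):
    """policy is None (no mirror session may exist) or
    {'dest': sensor_port, 'sources': set_of_ports}: both directions of exactly
    these ports go to the sensor port and nothing else. Any other destination
    or extra source port means someone besides the sensor receives copies."""
    cfg = parse_mirror(text)
    if policy is None:
        return [f"unexpected mirror session to port {cfg['dest']}"] if cfg["enabled"] else []
    if not cfg["enabled"]:
        return [f"mirroring disabled; sensor on port {policy['dest']} sees nothing"]
    findings = []
    if cfg["dest"] != policy["dest"]:
        findings.append(f"destination is port {cfg['dest']}, expected {policy['dest']}")
    extra = (cfg["rx"] | cfg["tx"]) - policy["sources"]
    if extra:
        findings.append(f"unapproved source ports: {compact_ports(extra)}")
    missing = policy["sources"] - (cfg["rx"] & cfg["tx"])
    if missing:
        findings.append(f"not mirrored in both directions: {compact_ports(missing)}")
    return findings


def remediation_commands(text, policy):
    """CLI lines from this chapter that bring the switch back to policy."""
    cfg = parse_mirror(text)
    if policy is None:
        return ["set switch mirror=0"] if cfg["enabled"] else []
    cmds = []
    if not cfg["enabled"] or cfg["dest"] != policy["dest"]:
        cmds.append(f"set switch mirror={policy['dest']}")   # destination first
    extra = (cfg["rx"] | cfg["tx"]) - policy["sources"]
    if extra:
        cmds.append(f"set switch port={compact_ports(extra)} mirror=none")
    missing = policy["sources"] - (cfg["rx"] & cfg["tx"])
    if missing:
        cmds.append(f"set switch port={compact_ports(missing)} mirror=both")
    return cmds


if __name__ == "__main__":
    sensor = {"dest": 22, "sources": {1, 3}}
    print(audit_mirror(MIRROR_ENABLED, sensor), remediation_commands(MIRROR_ENABLED, sensor))
```

Run the audit on every switch after a change window and on a schedule; the commands it emits follow the ordering rule in SET SWITCH PORT MIRROR (destination before sources), and `set switch mirror=0` is the one command that tears a rogue session down in a single step.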
Section II
Advanced Operations
The chapters in this section contain the commands for advanced switch
setup using the AT-S63 management software. The chapters include:
• Chapter 13, “File System Commands” on page 187
• Chapter 14, “File Download and Upload Commands” on page 203
• Chapter 15, “Event Log and Syslog Server Commands” on page 227
• Chapter 16, “Classifier Commands” on page 255
• Chapter 17, “Access Control List Commands” on page 267
• Chapter 18, “Class of Service (CoS) Commands” on page 277
• Chapter 19, “Quality of Service (QoS) Commands” on page 289
• Chapter 20, “Denial of Service Defense Commands” on page 333
Chapter 13
File System Commands
This chapter contains the following commands:
• “COPY” on page 188
• “CREATE CONFIG” on page 190
• “DELETE FILE” on page 191
• “FORMAT DEVICE” on page 193
• “RENAME” on page 194
• “SET CFLASH DIR” on page 196
• “SET CONFIG” on page 197
• “SHOW CFLASH” on page 199
• “SHOW CONFIG” on page 200
• “SHOW FILE” on page 201
• “SHOW FLASH” on page 202
Note
For background information on this feature, refer to Chapter 10, “File
System” in the AT-S63 Management Software Menus Interface
User’s Guide.
Chapter 13: File System Commands
COPY
Syntax
copy [cflash:]sourcefile.ext [cflash:]destinationfile.ext
Parameters
sourcefile.ext
Specifies the name of the source file. If the file is
stored on a compact memory flash card, precede
the name with “cflash:”. If the filename contains
spaces, enclose it in double quotes. Otherwise, the
quotes are optional.
destinationfile.ext
Specifies the name of the destination file. To store
the copy on a compact memory flash card, precede
the name with “cflash:”. If the filename contains
spaces, enclose in double quotes. Otherwise, the
quotes are optional.
Description
This command creates a copy of an existing file. It also copies files
between the switch’s file system and a compact flash memory card, for
those switches that support the card.
Note the following before using this command:
• This command does not accept a directory path. When copying a file
to or from a compact flash card, you must first change to the
appropriate directory on the card. For instructions, refer to “SET
CFLASH DIR” on page 196. The default location is the root of the flash
card.
• Files with the extension UKF are encryption key pairs. These files
cannot be copied, renamed, or deleted from the file system.
• The new filename must be a valid filename from 1 to 16 alphanumeric
characters. The name of the copy must be unique from the other files
in the file system.
• ext is the three-letter file extension, and can be any of the types listed
in Table 6. You must give the copy the same extension as the original
file.
Table 6. File Extensions and File Types
Extension   File Type
.cfg        Configuration file
.cer        Certificate file
.csr        Certificate enrollment request
.key        Public encryption key
.log        Event log
Examples
The following command creates a copy of the configuration file “admin.cfg”
in the switch’s file system and names the copy “admin2.cfg”:
copy admin.cfg admin2.cfg
The following command creates a copy of the configuration file “switch
12.cfg” in the file system and names the copy “backup.cfg”:
copy "switch 12.cfg" backup.cfg
The following command copies the configuration file “9408switches.cfg”
from the switch’s file system to a compact flash card:
copy 9408switches.cfg cflash:9408switches.cfg
The following command copies the configuration file “sales sw12.cfg” from
a compact flash card to the switch’s file system and renames the file
“presales_4.cfg”:
copy cflash:"sales sw12.cfg" presales_4.cfg
CREATE CONFIG
Syntax
create config=[cflash:]filename.cfg
Parameter
config
Specifies the name of a new configuration file. If the
filename contains spaces, enclose it in double quotes.
Otherwise, the quotes are optional. To store the
configuration file on a flash memory card, precede the
name with “cflash:”.
Description
This command creates a new configuration file. The file contains the
commands necessary to recreate the current configuration of the switch.
The CONFIG parameter specifies the name for the configuration file. The
file extension must be “.cfg”. If the file already exists, it is replaced. If the
file does not exist it is created.
The filename can be from 1 to 16 alphanumeric characters, not including
the “.cfg” extension. Spaces are allowed. Be sure to enclose the name in
double quotes if you include a space in the name. Wildcards are not
allowed.
This command does not change the assignment of the active boot
configuration file, which is the file the switch uses to configure itself the
next time it is reset or power cycled. To change the active boot
configuration file, refer to “SET CONFIG” on page 197.
Examples
The following command creates the new configuration file Switch12.cfg in
the switch’s file system. The file will contain all of the commands
necessary to recreate the switch’s current configuration:
create config=Switch12.cfg
The following command creates a configuration file named “l2
switches.cfg” and stores it on a compact flash card:
create config=cflash:"l2 switches.cfg"
DELETE FILE
Syntax
delete file=[cflash:]filename
Parameter
file
Specifies the name of the file to be deleted. A name
with spaces must be enclosed in double quotes.
Otherwise, the quotes are optional. If the file is stored
on a compact memory flash card, precede the name
with “cflash:”.
Description
This command deletes a file from the file system or from a compact flash
memory card.
Note the following before using this command:
• Deleting the configuration file that is acting as the active boot
configuration file causes the switch to use its default settings the next
time you reboot or power cycle the switch, unless you select another
active boot configuration file. For instructions on how to change the
active boot configuration file, refer to “SET CONFIG” on page 197.
• To delete a PKI certificate, you must first remove the certificate from
the certificate database using “DELETE PKI CERTIFICATE” on
page 665.
• This command does not accept a directory path. To delete a file on a
compact flash card, you must first change to the directory where the
file is stored. For instructions, refer to “SET CFLASH DIR” on
page 196.
• Files with a “.ukf” extension cannot be deleted with this command.
These files are encryption key pairs. To delete an encryption key pair
from the switch, refer to “DESTROY ENCO KEY” on page 654.
To list the files in the file system, refer to “SHOW FILE” on page 201.
Examples
The following command deletes the certificate enrollment request
SW55a.csr:
delete file=SW55a.csr
The following command deletes the configuration file named “Switch
12.cfg” on a compact flash card:
delete file=cflash:"Switch 12.cfg"
FORMAT DEVICE
Syntax
format device=flash
Parameter
device
Specifies the device to format. The only option is “Flash” for
the switch’s file system.
Description
This command formats the flash memory in the switch.
Caution
Formatting the flash memory deletes ALL files from the switch,
including the active configuration file, encryption keys, and
certificates. Only the AT-S63 image file in the application block is
retained.
Caution
This procedure causes a system reset. Some network traffic may be
lost while the switch initializes the AT-S63 management software.
Example
The following example formats the flash memory in the switch:
format device=flash
RENAME
Syntax
rename [cflash:]filename1.ext [cflash:]filename2.ext
Parameters
filename1.ext
Specifies the name of the file to be renamed.
If the name contains spaces, enclose it in
double quotes. Otherwise, the quotes are
optional. If the file is stored on a compact
memory card, precede the name with
“cflash:”.
filename2.ext
Specifies the new name for the file. The
filename can be from 1 to 16 alphanumeric
characters, not including the filename
extension. Spaces are allowed. If the name
contains spaces, it must be enclosed in
double quotes. The filename extension must
be the same as in the original filename. The
new name must be unique in the file system.
If the file is stored on a compact memory card,
precede the name with “cflash:”.
Description
This command renames a file in a switch’s file system or on a compact
flash memory card. The source and destination file extensions must be the
same.
Note the following before using this command:
• Files with the extension UKF are encryption key pairs. These files
cannot be copied, renamed, or deleted from the file system.
• Renaming the active boot configuration file and then resetting the
switch returns the unit to its default parameter settings, unless you
save the current configuration or select another active boot
configuration file. For instructions on how to change the active boot
configuration file, see “SET CONFIG” on page 197.
• The command does not accept a directory path. To rename a file on a
compact flash card, you must first change to the directory where the
file is stored. For instructions, refer to “SET CFLASH DIR” on
page 196.
• The source and destination locations must be the same.
Examples
The following command renames the file “Switch12.cfg” in the switch’s file
system to “Sw 44a.cfg”:
rename Switch12.cfg "Sw 44a.cfg"
This command renames the file “sales_sw.cfg” on a flash memory card to
“sales sw5.cfg”:
rename cflash:sales_sw.cfg cflash:"sales sw5.cfg"
SET CFLASH DIR
Syntax
set cflash dir=directory
Parameter
dir
Specifies the directory path.
Description
This command changes the current directory on the compact flash card.
Note
You cannot create directories on a compact flash card from the
AT-S63 management software.
Example
The following command changes the current directory on a compact flash
card to “configs”:
set cflash dir=configs
This command changes the current directory back to the root on the
compact flash card:
set cflash dir=\
SET CONFIG
Syntax
set config=[cflash:]filename.cfg|none
Parameter
config
Specifies the name of the configuration file to act as the
active configuration file for the switch. The name can be
from 1 to 16 alphanumeric characters, not including the
extension “.cfg”. If the filename contains spaces,
enclose it in double quotes.
Description
This command specifies the active configuration file on a switch. The
switch uses the active configuration file to save its parameter settings
when the SAVE CONFIGURATION command is issued and to configure
its settings when reset or power cycled.
Before using this command, note the following:
• To view the name of the currently active configuration file, see “SHOW
CONFIG” on page 200.
• The configuration file must already exist. To view the files, see “SHOW
FILE” on page 201. Configuration files have a “.cfg” extension. To
create an entirely new configuration file, refer to “CREATE CONFIG”
on page 190.
• Changing the active boot configuration file does not change the current
operating configuration of the switch. You must reset or power cycle
the switch after specifying the new active boot configuration file if you
want the switch to use the settings in the file.
• If you specify a new active configuration file and enter the SAVE
CONFIGURATION command without resetting the switch, the current
settings of the switch overwrite the settings in the file.
• The NONE option does the following:
  – It removes the currently active configuration file without
  assigning a new one.
  – The switch continues to operate with its existing configuration
  settings.
  – You may make further parameter changes, but you cannot
  save them.
  – If you reset the switch, it uses the BOOT.CFG file to configure
  its settings.
  – To be able to save configuration changes again, you must
  assign a new active boot configuration file.
• For those systems that support a flash memory card, you can specify a
configuration file on a flash card as the active boot configuration file for
a switch. However, the configuration file is not copied to the switch’s
file system, but is instead used and updated directly from the card. If
you remove the card and reset the switch, the management software
uses its default settings.
• If the file is on a flash memory card, you must change to the directory
where the file is stored before performing this command. The
command does not accept a directory path. To change directories on a
flash card, see “SET CFLASH DIR” on page 196. The default location
is the root of the flash card.
Examples
The following command selects the file switch22.cfg as the new active
boot configuration file for the switch:
set config=switch22.cfg
If you want the switch to use the settings in the file, you reset or power
cycle the unit. If, instead, you want to overwrite the settings in the file with
the switch’s current settings, you enter the SAVE CONFIGURATION
command.
The following command uses the NONE option to remove the current
active boot configuration file without specifying a new one. The switch
does not allow you to save any further changes to the switch’s
configuration, though you can continue to make changes. If you reset the
unit, it uses the BOOT.CFG file to configure its settings:
set config=none
The following command specifies the file “sw sales.cfg” on a flash memory
card as the switch’s active boot configuration file:
set config=cflash:"sw sales.cfg"
SHOW CFLASH
Syntax
show cflash
Parameter
None
Description
This command displays information about the compact flash card including
the current directory, the number of files, how much space is used, and
amount of space available. An example is shown in Figure 17.
Compact Flash:
--------------------------------------------------
Current Directory: \
Number of files ............ 6
Number of directories ...... 3
Bytes used ................. 4468
Card Information:
Hardware detected .......... Yes
Serial Number .............. F000530211
Size ....................... 124666 KB
Used ....................... 22 KB (8 files)
Free ....................... 124644 KB
Figure 17. SHOW CFLASH Command
Example
show cflash
SHOW CONFIG
Syntax
show config [dynamic]
Parameter
dynamic
Displays the settings for all the switch and port
parameters in command line format.
Description
This command, when used without the DYNAMIC parameter, displays two
pieces of information. The first is the “Boot configuration file.” This is the
configuration file the switch uses the next time it is reset or power cycled.
This is also the configuration file the switch uses to save your
configuration changes when you use the SAVE CONFIGURATION
command. To change the boot configuration file, refer to “SET CONFIG”
on page 197.
The second piece of information is the “Current Configuration.” This is the
boot configuration file the switch used the last time it was reset or power
cycled.
An example of the information displayed by the command is shown in
Figure 18.
Boot configuration file .............. "SalesSw4a.cfg" (Exists)
Current configuration ................ "SalesSw4a.cfg"
Figure 18. SHOW CONFIG Command
The DYNAMIC parameter displays all the switch settings in command line
format for those switch parameters that have been changed from their
default settings. For an example of the information displayed by the
command, refer to Figure 2 on page 60.
Example
The following command displays the names of the active and current
configuration files:
show config
SHOW FILE
Syntax
show file[=[cflash:]filename.ext]
Parameter
file
Specifies the name of the file to be displayed. Use
double quotes to enclose the name if it contains
spaces. Otherwise, the quotes are optional. To view a
file on a flash memory card, precede the name with
“cflash:”.
If you do not specify a file name, the command
displays a list of all files in flash memory as well as on
the compact flash card.
Description
This command displays a list of the files in the switch’s file system. You
can use the wildcard “*” to replace any part of the filename to allow a more
selective display.
You can also use this command to view the contents of a configuration file.
Examples
The following command displays all the files in the switch’s file system and
the current directory of the flash memory card:
show file
The following command displays all the configuration files on the switch:
show file=*.cfg
The following command displays the contents of the configuration file
sw12.cfg in the switch’s file system:
show file=sw12.cfg
The following command displays the contents of the configuration file
boot.cfg on a compact flash card:
show file=cflash:boot.cfg
SHOW FLASH
Syntax
show flash
Parameter
None
Description
This command displays information about the file system in the switch.
The information includes the number of files stored in the file system, how
much space is used, and the amount of space available. An example of
the information displayed by this command is shown in Figure 19.
Flash:
---------------------------------------------------------
Files .............. 12288 bytes (5 files)
Free ............... 8211456 bytes
Total .............. 8223744 bytes
---------------------------------------------------------
Figure 19. SHOW FLASH Command
Example
show flash
Chapter 14
File Download and Upload Commands
This chapter contains the following commands:
• “LOAD METHOD=LOCAL” on page 204
• “LOAD METHOD=TFTP” on page 206
• “LOAD METHOD=XMODEM” on page 211
• “UPLOAD METHOD=LOCAL” on page 215
• “UPLOAD METHOD=REMOTESWITCH” on page 217
• “UPLOAD METHOD=TFTP” on page 221
• “UPLOAD METHOD=XMODEM” on page 224
Note
For background information on this feature, refer to Chapter 11, “File
Downloads and Uploads” in the AT-S63 Management Software
Menus Interface User’s Guide.
Chapter 14: File Download and Upload Commands
LOAD METHOD=LOCAL
Syntax
load method=local destfile=appblock srcfile|file=filename
Parameters
method
Specifies a local download.
destfile
Specifies the application block (APPBLOCK) of the
switch’s flash memory. This is the area of memory
reserved for the switch’s active AT-S63 image file.
srcfile or file
Specifies the filename of the AT-S63 image file in the file
system that you want to download into the application
block. If the filename contains a space, enclose it in
double quotes. These parameters are equivalent.
Description
This command downloads an AT-S63 image file from the switch’s file
system into the application block, which is the section of flash memory
reserved for the active AT-S63 running image. This function makes the
AT-S63 file the new active image file on the switch. This command
assumes that at some earlier point you downloaded a new version of the
AT-S63 image file into the file system of a switch and now want to make it
the switch’s active image file.
When performing a local download, note the following:
• The AT-S63 management image file must already be stored in the
switch’s file system.
• The command must include the DESTFILE parameter with the
APPBLOCK option.
• Use the SRCFILE or FILE parameter to specify the name of the
AT-S63 image file as it is stored in the switch’s file system.
• The current configuration of a switch is retained when a new AT-S63
software image is copied to the application block.
• After downloading an image file from the file system to the application
block, you can delete the image file from the file system to free up
space for other files.
Caution
After downloading an AT-S63 image file into the application block
from its file system, the switch resets and initializes its management
software. The entire process can take a minute or so to complete.
Do not interrupt the process by resetting or power cycling the switch.
Some network traffic may be lost during the reset process.
Example
This command downloads an AT-S63 image file stored in the switch’s file
system into the application block, the area of flash memory reserved for
the active running image. This makes the file the active image file on the
switch. The name of the image file in the file system in this example is
“ats63v2.img”:
load method=local destfile=appblock srcfile="ats63v2.img"
A confirmation prompt is displayed. Type Y for yes to transfer the file to the
application block or N for no to cancel the procedure.
LOAD METHOD=TFTP
Syntax
load method=tftp destfile=[cflash:]filename|appblock
server=ipaddress srcfile|file=filename
Parameters
method
Specifies a TFTP download.
destfile
Specifies the destination filename for the file. This is the
name given to the file when it is stored in the switch’s file
system. The name can be from 1 to 15 alphanumeric
characters, not including the three-letter extension. If the
name includes spaces, enclose it in double quotes. The
name must be unique from any files already stored in the
file system. The command will not overwrite a preexisting
file with the same name.
To download a file onto a flash memory card in a switch
rather than the file system, precede the name with
“cflash:”.
The APPBLOCK option specifies the application block of
the switch’s flash memory. This is the area of memory
reserved for the switch’s active AT-S63 image file. The
APPBLOCK option is used to download a new AT-S63
image file from a TFTP server to the application block of
the switch so that it functions as the new active image file
on the switch.
server
Specifies the IP address of the TFTP server on the
network.
srcfile or file
Specifies the filename of the file on the TFTP server to
download onto the switch. If the filename contains a
space, enclose the name in double quotes. These
parameters are equivalent.
Description
A TFTP download uses the TFTP client software on the switch to
download files onto the unit from a TFTP server on your network. For
example, you might use the command to update a switch’s AT-S63 image
file, or to download a different boot configuration file or an SSL public key
certificate. You can also use this command to download a file from a TFTP
server to a flash memory card in a switch.
Note
In earlier versions of the AT-S63 management software this
command also performed switch to switch file transfers for copying
files from a master switch to other switches in an enhanced stack.
That function is now part of “UPLOAD
METHOD=REMOTESWITCH” on page 217.
The DESTFILE parameter specifies a name for the file when it is stored in
the file system or a flash memory card in the switch. Enclose the name in
double quotes if it contains a space. When specifying the new name of a
downloaded file, be sure to give it the correct three-letter extension that
corresponds to its file type. The extensions are shown in Table 7.
Table 7. File Name Extensions - Downloading Files

Extension   File Type
.cfg        AT-S63 configuration file
.cer        CA certificate
.img        AT-S63 management software image (an AT-S63 image file is assigned a name only if you are downloading the file into the switch’s file system instead of the application block)
To store a file in a flash memory card, the destination filename must be
preceded with “cflash:”.
The APPBLOCK option of the DESTFILE parameter refers to the switch’s
application block, which is the portion of flash memory reserved for the
active AT-S63 image. The application block is separate from the file
system. The APPBLOCK option downloads a new version of the AT-S63
image file into the application block, making it the active image file on the
switch.
Note
The APPBLOCK option can only be used to download a new
AT-S63 image file.
The equivalent FILE and SRCFILE parameters specify the name of the file
on the TFTP server to download onto the switch.
Before downloading a file onto a switch using TFTP, note the following:
• A TFTP download is supported from a local, Telnet or SSH management session.
• There must be a node on your network that contains TFTP server software, and the file to be downloaded must be stored on the server.
• You should start the TFTP server software before performing the download command.
• For AT-9400 Series switches running AT-S63 version 2.0.0 or later, the switch must have a routing interface on the local subnet from where it reaches the TFTP server. The switch uses the interface’s IP address as its source address during the file transfer with the server. This rule applies equally to master and slave switches in an enhanced stack. For AT-9400 Series switches without a routing interface, you can perform an Xmodem download from a local management session or, alternatively, a switch to switch upload using “UPLOAD METHOD=REMOTESWITCH” on page 217.
• For AT-9400 Series switches running AT-S63 version 1.3.0 or earlier, the switch must be able to access the TFTP server through its management VLAN.
• If you are upgrading an AT-9400 Series switch from AT-S63 version 1.3.0 or earlier and the switch has an IP address, the upgrade process automatically creates a routing interface on the switch to preserve the device’s IP configuration. If the switch has a static address, the interface is assigned the same address. If the unit obtained its IP configuration from a DHCP or BOOTP server, the interface is created with its DHCP or BOOTP client activated. The interface is given the interface number 0 and assigned to the preexisting management VLAN. Furthermore, the interface is designated as the local interface on the switch.
  For example, if the switch has the static IP address 149.44.44.44 and the management VLAN has a VID of 12, the upgrade process automatically creates a routing interface with the same IP address and names it VLAN12-0. It assigns the interface to the VLAN with the VID of 12 and designates it as the switch’s local interface.
• If you are downloading a configuration file, the switch does not automatically designate it as its active boot configuration file. To designate a configuration file as the active boot file after you have downloaded it onto the switch, refer to “SET CONFIG” on page 197.
• The AT-S63 software image can be downloaded only onto an AT-9400 Series switch.
• The current configuration of a switch is retained when a new AT-S63 software image is installed.
• The AT-S63 image file contains the bootloader for the switch. You cannot load the image file and bootloader separately.
• If you download a new AT-S63 image file and enter a filename for the DESTFILE parameter instead of APPBLOCK, the file is stored in the switch’s file system. To copy the image file from the file system to the application block so that it is used by the switch as its active image file, refer to “UPLOAD METHOD=LOCAL” on page 215.
Note
Downloading an AT-S63 image file into a switch’s file system rather than into the application block should be performed with care. The file will take up 2 megabytes of space in the file system.
• If you download a file onto a flash memory card in the switch and later want to copy the file from the card to a switch’s file system, refer to “COPY” on page 188.
Examples
The following command downloads a new version of the AT-S63 software
image directly to the switch’s application block, making it the active image
file on the switch. The IP address of the TFTP server is 149.11.11.11 and
the name of the image file on the server is “ats63v2.img”:
load method=tftp destfile=appblock server=149.11.11.11 srcfile=ats63v2.img
Caution
After downloading an AT-S63 image file and writing it to the
application block portion of flash memory, the switch resets and
initializes its management software. The entire process can take a
minute or so to complete. Do not interrupt the process by resetting or
power cycling the switch. Some network traffic may be lost during
the process.
The following command downloads a new configuration file into the
switch’s file system using TFTP. The configuration file is stored as “sw
111.cfg” on the TFTP server and is given the name “sw56a.cfg” when
stored in the switch’s file system. The TFTP server has the IP address
149.55.55.55:
load method=tftp destfile=sw56a.cfg server=149.55.55.55 srcfile="sw 111.cfg"
The following command downloads an SSL certificate to the switch’s file
system. The name of the file on the TFTP server is “sw12_ssl.cer”. The
same name is used for the file in the switch’s file system:
load method=tftp destfile=sw12_ssl.cer server=149.44.44.44 srcfile=sw12_ssl.cer
The following command downloads a new version of the AT-S63 image file
from a TFTP server to the switch’s file system, changing the name from
“ats63v1_2_0.img” to “ats63.img”:
load method=tftp destfile=ats63.img server=149.11.11.11 srcfile=ats63v1_2_0.img
Since the file is downloaded to the switch’s file system and not to the
application block, it is not used as the switch’s active image file. If, at some
point in the future, you want to make it the active image file, refer to
“UPLOAD METHOD=LOCAL” on page 215.
This command downloads a configuration file called “sw12.cfg” onto a flash
memory card in the switch. The configuration file retains the same name
when stored on the card. The TFTP server has the IP address
149.142.44.44:
load method=tftp destfile=cflash:sw12.cfg server=149.142.44.44 srcfile=sw12.cfg
This command downloads an AT-S63 image file from a TFTP server to a
flash memory card in the switch:
load method=tftp destfile=cflash:ats63.img server=149.11.11.11 srcfile=ats63.img
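As an added example (not part of the guide or of the AT-S63 software), the following Python helper applies this chapter's DESTFILE rules and the Table 7 extensions before a LOAD command is issued, for all three download methods, so a mistyped parameter is caught before the switch rejects it. The function names, the underscore allowance in names and the quoting of a "cflash:" name with spaces are assumptions of this example.

```python
"""Validator for the AT-S63 LOAD command's DESTFILE and SRCFILE rules.

Encodes the rules this chapter states for downloads: a 1 to 15 character
name plus a three-letter extension from Table 7, double quotes around
names that contain a space, the optional cflash: prefix, APPBLOCK only
for an AT-S63 image, and no overwriting of a file already in the switch's
file system. The helper names are assumptions of this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Table 7 of the guide: extensions accepted for downloaded files.
DOWNLOAD_EXTENSIONS = {
    ".cfg": "AT-S63 configuration file",
    ".cer": "CA certificate",
    ".img": "AT-S63 management software image",
}

# The guide allows 1 to 15 "alphanumeric" characters and names with spaces;
# its own examples also use underscores, so both are accepted here
# (assumption: the switch accepts exactly this character set).
NAME_RE = re.compile(r"^[A-Za-z0-9 _]{1,15}$")


@dataclass(frozen=True)
class DestFile:
    location: str   # "appblock", "filesystem" or "cflash"
    name: str = ""  # name including extension; empty for the application block


def parse_destfile(value: str) -> DestFile:
    """Check a DESTFILE value against the chapter's naming rules."""
    if value.lower() == "appblock":
        return DestFile("appblock")
    location = "filesystem"
    if value.lower().startswith("cflash:"):
        location, value = "cflash", value[len("cflash:"):]
    stem, dot, ext = value.rpartition(".")
    if not dot or "." + ext.lower() not in DOWNLOAD_EXTENSIONS:
        raise ValueError(f"{value!r}: extension must be one of {sorted(DOWNLOAD_EXTENSIONS)}")
    if not NAME_RE.match(stem):
        raise ValueError(f"{stem!r}: name must be 1 to 15 alphanumeric characters")
    return DestFile(location, value)


def quote(name: str) -> str:
    """Enclose a name in double quotes when it contains a space."""
    return f'"{name}"' if " " in name else name


def build_load_command(method, destfile, srcfile=None, server=None, existing=()):
    """Return a LOAD command line, or raise ValueError when the parameters
    break a rule stated in the chapter. `existing` lists the names already
    in the switch's file system (supplied by the caller)."""
    method = method.lower()
    if method not in ("local", "tftp", "xmodem"):
        raise ValueError(f"unknown method {method!r}")
    dest = parse_destfile(destfile)

    # The application block holds only the active AT-S63 image.
    if dest.location == "appblock" and srcfile and not srcfile.lower().endswith(".img"):
        raise ValueError("APPBLOCK accepts only an AT-S63 image (.img) file")
    # LOAD METHOD=LOCAL copies an image from the file system into the
    # application block, the only use the chapter shows for it.
    if method == "local" and dest.location != "appblock":
        raise ValueError("method=local copies an image into the application block only")
    # The command will not overwrite a file already in the file system.
    if dest.location == "filesystem" and dest.name.lower() in {n.lower() for n in existing}:
        raise ValueError(f"{dest.name!r} already exists; the command will not overwrite it")

    if dest.location == "appblock":
        dest_text = "appblock"
    elif dest.location == "cflash":
        dest_text = quote("cflash:" + dest.name)  # assumption: quotes wrap the prefix too
    else:
        dest_text = quote(dest.name)
    parts = [f"load method={method}", f"destfile={dest_text}"]

    if method == "tftp":
        if server is None or srcfile is None:
            raise ValueError("method=tftp requires server= and srcfile=")
        parts.append(f"server={ipaddress.IPv4Address(server)}")  # rejects bad addresses
        parts.append(f"srcfile={quote(srcfile)}")
    elif method == "local":
        if srcfile is None:
            raise ValueError("method=local requires srcfile=")
        parts.append(f"srcfile={quote(srcfile)}")
    elif srcfile is not None or server is not None:
        # Xmodem takes no source: the terminal emulator selects the file.
        raise ValueError("method=xmodem takes neither srcfile= nor server=")
    return " ".join(parts)


def is_rejected(*args, **kwargs) -> bool:
    """True when build_load_command refuses the given parameters."""
    try:
        build_load_command(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_load_command("tftp", "appblock", srcfile="ats63v2.img", server="149.11.11.11"))
    print(build_load_command("tftp", "sw56a.cfg", srcfile="sw 111.cfg", server="149.55.55.55"))
```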
LOAD METHOD=XMODEM
Syntax
load method=xmodem destfile=[cflash:]filename|appblock
Parameters
method
Specifies an Xmodem download.
destfile
Specifies the destination filename for the file. This is the
name given to the file when it is stored in the switch’s file
system. The name can be from 1 to 15 alphanumeric
characters, not including the three-letter extension. If the
name includes spaces, enclose it in double quotes. The
name must be unique from any files already stored in the
file system. The command will not overwrite a preexisting
file with the same name.
To download a file onto a flash memory card in a switch
rather than the file system, precede the name with
“cflash:”.
The APPBLOCK option specifies the application block of
the switch’s flash memory. This is the area of memory
reserved for the switch’s active AT-S63 image file. The
APPBLOCK option is used to download a new AT-S63
image file into the application block so that it functions as
the new active image file on the switch.
Description
An XMODEM download uses the XMODEM utility to download files onto a
switch from a terminal or computer with a terminal emulator program
connected to the switch’s RS232 Terminal Port. You might use the
command to update a switch’s AT-S63 image file, or to download a
different boot configuration file or an SSL public key certificate.
Note
In previous versions of the AT-S63 management software this
command also performed switch to switch file transfers for copying
files from a master switch to other switches in an enhanced stack.
That function is now part of “UPLOAD
METHOD=REMOTESWITCH” on page 217.
The DESTFILE parameter specifies a name for the file. This is the name
the file will be stored as in the file system on the switch. Enclose the name
in double quotes if it contains a space. When specifying the new name of a
downloaded file, you must be sure to give it the correct three-letter
extension, depending on the file type. The extensions are shown in
Table 7 on page 207.
To download the file onto a flash memory card in the switch, precede the
name with “cflash:”.
The APPBLOCK option of the DESTFILE parameter refers to the switch’s
application block, which is the portion of flash memory reserved for the
active AT-S63 image. This option downloads a new version of the AT-S63
image file into the application block, making it the active image file on the
switch.
Note
The APPBLOCK option should only be used when downloading a
new AT-S63 image file, and not with any other file type.
Before downloading a file onto a switch using Xmodem, note the following:
• You must use a local management session to download a file using Xmodem.
• You can only use Xmodem to download a file onto the switch where you started the local management session. You cannot use it to download a file onto a switch accessed through enhanced stacking.
• You must store the file to be downloaded on the computer or terminal connected to the RS232 Terminal Port on the switch.
• The transfer protocol can be Xmodem or 1K Xmodem.
• The switch does not automatically designate a newly downloaded configuration file as its active boot configuration file. To designate the active boot file, refer to “SET CONFIG” on page 197.
• The AT-S63 software image is only supported on AT-9400 Series switches.
• The current configuration of a switch is retained when a new AT-S63 software image is installed.
• The AT-S63 image file also contains the bootloader for the switch. You cannot load the image file and bootloader separately.
• If you download a new AT-S63 image file and enter a filename for the DESTFILE parameter instead of APPBLOCK, the file is stored in the switch’s file system. To copy an image file from the file system to the switch’s application block, refer to “LOAD METHOD=LOCAL” on page 204.
• If you download a file onto a flash memory card in the switch and later want to copy the file from the card to a switch’s file system, refer to “COPY” on page 188.
• If you are upgrading an AT-9400 Series switch from AT-S63 version 1.3.0 or earlier and the switch has an IP address, the upgrade process automatically creates a routing interface on the switch to preserve the device’s IP configuration. If the switch has a static address, the interface is assigned the same address. If the unit obtained its IP configuration from a DHCP or BOOTP server, the interface is created with its DHCP or BOOTP client activated. The interface is given the interface number 0 and assigned to the preexisting management VLAN. Furthermore, the interface is designated as the local interface on the switch.
  For example, if the switch has the static IP address 149.44.44.44 and the management VLAN has a VID of 12, the upgrade process automatically creates a routing interface with the same IP address and names it VLAN12-0. It assigns the interface to the VLAN with the VID of 12 and designates it as the switch’s local interface.
Examples
The following command uses the APPBLOCK option of the DESTFILE
parameter to download a new version of the AT-S63 software image
directly to the application block, making it the active image file on the
switch:
load method=xmodem destfile=appblock
Caution
After downloading an AT-S63 image file and writing it to the
application block portion of flash memory, the switch resets itself and
initializes the software. The entire process can take a minute or so to
complete. Do not interrupt the process by resetting or power cycling
the switch. Some network traffic may be lost during the reset
process.
The following command downloads a new configuration file onto the
switch. The configuration file is given the name “switch12.cfg” in the
switch’s file system:
load method=xmodem destfile=switch12.cfg
The source file is not specified when downloading a file using Xmodem.
Rather, after you enter the command, the management software displays
a confirmation prompt followed by another prompt instructing you to begin
the file transfer. To start the transfer, you use your terminal emulation
program to specify the file on your workstation that you want to download.
The following command uses Xmodem to download an SSL certificate into
the switch’s file system and assigns it the name sw12 ssl.cer:
load method=xmodem destfile="sw12 ssl.cer"
The following command downloads a configuration file onto a flash
memory card in the switch. The configuration file is given the name
“product_sw.cfg” on the card:
load method=xmodem destfile=cflash:product_sw.cfg
The following command downloads a new version of the AT-S63 image
file to the switch’s file system instead of the application block. It does this
by replacing the APPBLOCK option with a filename, in this case
“ats63v1_2_0.img”. The image file is stored in the switch’s file system with
this name:
load method=xmodem destfile=ats63v1_2_0.img
Since the file is stored in the switch’s file system and not the application
block, the switch does not use it as its active image file. If, at some point in
the future, you want to make it the active image file, use “LOAD
METHOD=LOCAL” on page 204.
UPLOAD METHOD=LOCAL
Syntax
upload method=local destfile=[cflash:]filename srcfile|file=appblock
Parameters
method
Specifies a local upload.
destfile
Specifies a filename for the AT-S63 image file. If the
name contains spaces, enclose the name in quotes. To
upload the active image file to a flash memory card in the
switch, precede the name with “cflash:”.
srcfile or file
Specifies the application block (APPBLOCK), where the
active AT-S63 image file is stored.
Description
This command copies the switch’s active AT-S63 image file from the
application block, where the active AT-S63 image is stored, into the
switch’s file system or to a flash memory card.
Note
It is unlikely you will ever need to perform this type of upload.
The DESTFILE parameter specifies a name for the file. This is the name
given to the AT-S63 image file when it is stored in the file system or on a
compact flash memory card. The name should include the suffix “.img”.
The equivalent SRCFILE and FILE parameters specify APPBLOCK, for
application block.
Example
The following command uploads the active AT-S63 image from the
switch’s application block to the file system and assigns it the name “sw12
s63 image.img”:
upload method=local destfile="sw12 s63 image.img" srcfile=appblock
This command uploads the active AT-S63 image from the switch’s
application block to a flash memory card in the switch and assigns the
name “s63.img” to the file:
upload method=local destfile=cflash:s63.img srcfile=appblock
UPLOAD METHOD=REMOTESWITCH
Syntax
upload method=remoteswitch srcfile|file=filename|appblock|switchcfg switchlist=switches [verbose=yes|no|on|off|true|false]
Parameters
method
Specifies a switch to switch upload.
srcfile or file
Specifies the file to be uploaded from the master switch. Options are:
filename    Uploads a configuration file from the master switch’s file system.
appblock    Uploads the master switch’s AT-S63 image file.
switchcfg   Uploads the master switch’s active boot configuration file.
switchlist
Specifies the switches in an enhanced stack to receive
the uploaded file. To view the switches, refer to “SHOW
REMOTELIST” on page 74. You can specify more than
one switch at a time (for example, 1,3,4).
verbose
Specifies whether to display details of the upload operation. The options are:
yes, on, true    Display the upload details. The options are equivalent.
no, off, false   Do not display the upload details. The options are equivalent.
Description
This command uploads the AT-S63 image file or a boot configuration file
from a master switch to other switches in an enhanced stack. This is referred
to as a switch to switch upload. You can use this command to simplify the
task of updating the AT-S63 image file in the switches of an enhanced
stack. By updating the image file on the master switch first, you can
instruct the master switch with this command to update the other switches
in the stack, automatically.
You can also use this command to distribute a configuration file on the
master switch to other switches when switches are to share a similar
configuration.
The equivalent SRCFILE and FILE parameters specify the name of the file
to be uploaded from the switch. You have three options:
• filename - Uploads a configuration file from the master switch’s file system. The filename must include the “.cfg” suffix.
• APPBLOCK - Uploads the master switch’s active AT-S63 image file.
• SWITCHCFG - Uploads the master switch’s active boot configuration file. You can use this option in place of the filename option when uploading the active boot configuration file on the master switch.
The SWITCHLIST parameter specifies the switches in the enhanced stack
to receive the uploaded file. You display the switch numbers using “SHOW
REMOTELIST” on page 74.
The optional VERBOSE parameter displays information about the
progress of the upload process.
When performing a switch to switch upload, note the following:
• The command can be performed from a local, Telnet, or SSH management session of a master switch.
• You must perform the SHOW REMOTELIST command prior to this command to display the switch numbers and allow the management software to determine the number of switches in the enhanced stack. For instructions, refer to “SHOW REMOTELIST” on page 74.
• This command can upload the master switch’s active AT-S63 image file or a configuration file to another switch. This command cannot upload any other type of file, such as an encryption key or SSL certificate.
• An uploaded configuration file retains its original name.
• The manager and operator passwords are included in the upload of a configuration file.
• When uploading the master switch’s active AT-S63 image file, the file is copied directly to the application block on the other switch. This automatically designates it as the switch’s active image file. The switch receiving the image file resets and initializes the new image file. Some network traffic may be lost during the reset process.
• If you are upgrading an AT-9400 Series switch from AT-S63 version 1.3.0 or earlier and the switch has an IP address, the upgrade process automatically creates a routing interface on the switch to preserve the device’s IP configuration. If the switch has a static address, the interface is assigned the same address. If the unit obtained its IP configuration from a DHCP or BOOTP server, the interface is created with its DHCP or BOOTP client activated. The interface is given the interface number 0 and assigned to the preexisting management VLAN. Furthermore, the interface is designated as the local interface on the switch.
  For example, if the switch has the static IP address 149.44.44.44 and the management VLAN has a VID of 12, the upgrade process automatically creates a routing interface with the same IP address and names it VLAN12-0. It assigns the interface to the VLAN with the VID of 12 and designates it as the switch’s local interface.
• After receiving a configuration file, a switch automatically marks it as its active boot configuration file and resets. Some network traffic may be lost while the switch initializes its operating software. After the reset is complete, the switch operates with the parameter settings contained in the uploaded configuration file.
• If the file system of a switch receiving a configuration file already contains a file with the same name, the existing file is overwritten.
• Uploading the same configuration file onto more than one switch can cause an IP address conflict among the devices if the file contains commands for creating routing interfaces. To resolve the issue, after uploading the file you must modify the interfaces on the switches by changing the IP addresses.
• A configuration file should only be uploaded onto a switch of the same model as the unit where the file was created (for example, AT-9408LC/SP to AT-9408LC/SP). Allied Telesyn does not recommend uploading a configuration file onto a switch of a different model (for example, AT-9408LC/SP to AT-9424T/SP). Undesirable switch behavior may result.
• This command does not support uploading files to or from a compact flash memory card.
Examples
The following command uploads the AT-S63 image file on a master switch
to switch 2 in an enhanced stack. (Switch numbers are displayed with
“SHOW REMOTELIST” on page 74.)
upload method=remoteswitch srcfile=appblock switchlist=2
The active AT-S63 image file on the master switch is indicated with the
APPBLOCK option of the SRCFILE parameter.
Caution
After receiving the AT-S63 image file, the switch resets and
initializes its software. The entire process can take a minute or so to
complete. Do not interrupt the process by resetting or power cycling
the switch. Some network traffic may be lost during the process.
You can upload the AT-S63 image file from the master switch to more
than one switch at a time. The following command uploads the image file
to switches 4, 8, and 15:
upload method=remoteswitch srcfile=appblock switchlist=4,8,15
The following command uploads the active boot configuration file
from the master switch to switch 11:
upload method=remoteswitch srcfile=switchcfg switchlist=11
Caution
After receiving the configuration file the switch resets and initializes
the software. The entire process can take a minute or so to
complete. Do not interrupt the process by resetting or power cycling
the switch. Some network traffic may be lost during the process.
The following command uploads the configuration file “sales_switches.cfg”
from a master switch to switch 4:
upload method=remoteswitch srcfile=sales_switches.cfg switchlist=4
Caution
After receiving the configuration file the switch resets and initializes
the software. The entire process can take a minute or so to
complete. Do not interrupt the process by resetting or power cycling
the switch. Some network traffic may be lost during the process.
UPLOAD METHOD=TFTP
Syntax
upload method=tftp destfile=filename server=ipaddress srcfile|file=switchcfg|[cflash:]filename|appblock
Parameters
method
Specifies a TFTP upload.
destfile
Specifies a filename for the uploaded file. This is the
name given the file when it is stored on the TFTP server.
If the name contains spaces, enclose it in quotes.
server
Specifies the IP address of the network node containing
the TFTP server software.
srcfile or file
Specifies the file to be uploaded. Options are:
switchcfg   Uploads the switch’s active boot configuration file.
filename    Uploads a file from the switch’s file system. If the file is stored on a compact flash card, precede the name with “cflash:”.
appblock    Uploads the switch’s active AT-S63 image file.
Description
A TFTP upload uses the TFTP client software on the switch to upload files
from the switch’s file system to a TFTP server on the network. You
can use the command to upload a switch’s active boot configuration file or
any other file from the file system, such as an SSL certificate enrollment
request or a public encryption key. This command can also upload a file
from a compact flash memory card in the switch to a TFTP server. You
can also use the command to upload the switch’s active AT-S63 software
image from the application block to a TFTP server, though it is unlikely you
would ever have need for that function.
When performing a TFTP upload, note the following:
• A TFTP upload is supported from a local, Telnet, or SSH management session.
• There must be a node on your network that contains the TFTP server software. The uploaded file will be stored on the server.
• Start the TFTP server software before you perform the command.
• The AT-9400 Series switch must have a routing interface on the local subnet from where it reaches the TFTP server. The switch uses the interface’s IP address as its source address during the file transfer with the server. This rule applies equally to master and slave switches in an enhanced stack. The server can be located on any interface on the switch, not just the local interface. For an AT-9400 Series switch without a routing interface, you can perform an Xmodem upload from a local management session or, alternatively, a switch to switch upload using “UPLOAD METHOD=REMOTESWITCH” on page 217.
The DESTFILE parameter specifies a name for the file. This is a name for
the file when it is stored on the TFTP server. The uploaded file should be
given the same three-letter extension as the original file. The extensions
are listed in Table 8.
Table 8. File Name Extensions - Uploaded Files

Extension   File Type
.cfg        Switch configuration file
.csr        CA certificate enrollment request
.log        Event log
.key        Public encryption key
.img        AT-S63 management software image
The SERVER parameter specifies the IP address of the network node with
the TFTP server software where the uploaded file will be stored.
The equivalent SRCFILE and FILE parameters specify the name of the file
to be uploaded from the switch. You have three options:
• SWITCHCFG - Uploads the switch’s active boot configuration file to the TFTP server.
• filename - Uploads a file from the switch’s file system to the TFTP server. This differs from the SWITCHCFG parameter in that the latter uploads just the active boot configuration file, while this parameter can upload any file in the file system. If the file to be uploaded is stored on a compact flash memory card in the switch, precede the name with “cflash:”.
• APPBLOCK - Uploads the switch’s active AT-S63 image file to the TFTP server.
Note
It is unlikely you will ever need to upload the active AT-S63 image
file from a switch to a TFTP server. If you need the image file to
transfer to another switch, you can simplify the process with a switch
to switch upload using “UPLOAD METHOD=REMOTESWITCH” on
page 217. Alternatively, you can obtain the latest version of the
image file from the Allied Telesyn web site.
Examples
The following command uses TFTP to upload a configuration file called
“sw22 boot.cfg” from the switch’s file system to a TFTP server with an IP
address of 149.88.88.88. The command stores the file on the server with
the same name that it has on the switch:
upload method=tftp destfile="sw22 boot.cfg" server=149.88.88.88 srcfile="sw22 boot.cfg"
The following command uses TFTP to upload the switch’s active
configuration file from the file system to a TFTP server with the IP address
149.11.11.11. The active boot file is signified with the SWITCHCFG option
rather than by its filename. This option is useful in situations where you do
not know the name of the active boot configuration file. The file is stored as
“master112.cfg” on the TFTP server:
upload method=tftp destfile=master112.cfg server=149.11.11.11 srcfile=switchcfg
The following command uploads an SSL certificate enrollment request form
titled “sw12_ssl_enroll.csr” from the file system to the TFTP server. It
changes the name of the file to “slave5b enroll.csr”:
upload method=tftp destfile="slave5b enroll.csr" server=149.11.11.11 srcfile=sw12_ssl_enroll.csr
The following command uploads a configuration file called “sales2.cfg”
from a compact flash memory card in the switch to a TFTP server with an
IP address of 149.124.88.88. The command stores the file on the server
with the same name that it has on the card:
upload method=tftp destfile=sales2.cfg server=149.124.88.88 srcfile=cflash:sales2.cfg
The following command uploads the switch’s active AT-S63 image file to a
TFTP server with the IP address 149.55.55.55. The file is given the
name “ats63 sw12.img”:
upload method=tftp destfile="ats63 sw12.img" server=149.55.55.55 srcfile=appblock
UPLOAD METHOD=XMODEM
Syntax
upload method=xmodem srcfile|file=switchcfg|[cflash:]filename|appblock
Parameters
method
Specifies an Xmodem upload.
srcfile or file
Specifies the file to be uploaded. Options are:
switchcfg   Uploads the switch’s active boot configuration file.
filename    Specifies the name of a file to upload from the switch’s file system or compact flash card. If the file is stored on a compact flash card, precede the name with “cflash:”.
appblock    Uploads the switch’s active AT-S63 image file.
Description
An XMODEM upload uses the Xmodem utility to upload a file from the
switch’s file system to a terminal or computer with a terminal emulator
program connected to the serial terminal port on the switch. You can use
the command to upload a switch’s active boot configuration file or any
other file from the file system, such as an SSL certificate enrollment
request or a public encryption key. You can also use this command to
upload a file on a compact flash memory card to your workstation. The
command also allows you to upload the switch’s active AT-S63 software
image from the application block to your terminal or workstation, though
it is unlikely you would ever have need for that function.
When performing an Xmodem upload, note the following:
• An Xmodem upload must be performed from a local management
  session.
• Xmodem can only upload a file from the switch where you started the
  local management session. Xmodem cannot upload a file from a
  switch accessed through enhanced stacking.
AT-S63 Management Software Command Line Interface User’s Guide
The equivalent SRCFILE and FILE parameters specify the name of the file
to upload from the switch. You have three options:
• SWITCHCFG - Uploads the switch’s active boot configuration file.
• filename - Uploads a file from the switch’s file system or a compact
  flash memory card. This differs from the SWITCHCFG parameter in
  that the latter can upload just the active boot configuration file, while
  this parameter can upload any file on the switch. If the file is stored on
  a flash memory card in the switch, precede the filename with “cflash:”.
• APPBLOCK - Uploads the switch’s active AT-S63 image file.
Note
It is unlikely you will ever need to upload the active AT-S63 image
file from a switch to your workstation. If you need the image file to
transfer to another switch, you can simplify the process with a switch
to switch upload using “UPLOAD METHOD=REMOTESWITCH” on
page 217. Alternatively, you can obtain the latest version of the
image file from the Allied Telesyn web site.
Examples
The following command uses Xmodem to upload a configuration file called
“sw22 boot.cfg” from the switch’s file system to your workstation:
upload method=xmodem srcfile="sw22 boot.cfg"
An Xmodem upload command does not include a destination filename.
After entering the command, use your terminal emulator program to
indicate where to store the file on your workstation and its filename.
The following command uploads the switch’s active configuration file from
the file system to your workstation. The active boot file is signified with the
SWITCHCFG option rather than by its filename. This option is useful in
situations where you do not know the name of the active boot
configuration file:
upload method=xmodem srcfile=switchcfg
The following command uploads an SSL certificate enrollment request
named “sw12_ssl_enroll.csr” from the switch’s file system to the
workstation:
upload method=xmodem srcfile=sw12_ssl_enroll.csr
The following command uses Xmodem to upload a configuration file called
“pre10.cfg” from a flash memory card to the workstation where you are
running the local management session:
upload method=xmodem srcfile=cflash:pre10.cfg
The following command uploads the switch’s active AT-S63 image file to
the workstation:
upload method=xmodem srcfile=appblock
Chapter 15
Event Log and Syslog Server Commands
This chapter contains the following commands:
• “ADD LOG OUTPUT” on page 228
• “CREATE LOG OUTPUT” on page 230
• “DESTROY LOG OUTPUT” on page 234
• “DISABLE LOG” on page 235
• “DISABLE LOG OUTPUT” on page 236
• “ENABLE LOG” on page 237
• “ENABLE LOG OUTPUT” on page 238
• “PURGE LOG” on page 239
• “SAVE LOG” on page 240
• “SET LOG FULLACTION” on page 242
• “SET LOG OUTPUT” on page 243
• “SHOW LOG” on page 246
• “SHOW LOG OUTPUT” on page 251
• “SHOW LOG STATUS” on page 253
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on these features, refer to Chapter 12,
“Event Logs and Syslog Servers” in the AT-S63 Management
Software Menus Interface User’s Guide.
Chapter 15: Event Log and Syslog Server Commands
ADD LOG OUTPUT
Syntax
add log output=output-id module=[all|module]
severity=[all|severity]
Parameters
output
    Specifies the output definition ID number.
module
    Specifies what AT-S63 events to filter. The available
    options are:
    all
        Sends events for all modules. This is the default.
    module
        Sends events for specific module(s). You can select
        more than one module at a time, for example,
        MAC,PACCESS. For a list of modules, see Table 11,
        “AT-S63 Modules” on page 247.
severity
    Specifies the severity of events to be sent. The
    options are:
    all
        Sends events of all severity levels.
    severity
        Sends events of a particular severity. Choices are I
        for Informational, E for Error, W for Warning, and D
        for Debug. You can select more than one severity at a
        time (for example, E,W). For a definition of the
        severity levels, see Table 12, “Event Log Severity
        Levels” on page 249. The default is I, E, and W.
Description
This command configures an output definition.
Note
This version of the AT-S63 management software supports only
syslog servers as output definitions.
There are two steps to creating an output definition from the command line
interface. The first is to create the definition using “CREATE LOG
OUTPUT” on page 230. With that command you assign the definition an
ID number, the IP address of the syslog server, and other information.
The second step is to customize the definition by specifying which event
messages generated by the switch are to be sent. This is accomplished
with this command. You can customize the definition so that the switch
sends all of its event messages or limit it to just a selection of events from
particular modules in the AT-S63 management software. An alternative
method to configuring a definition is with “SET LOG OUTPUT” on
page 243.
Note
The default configuration for a new output definition is no event
messages. The switch does not send any events until you customize
the definition with this command or “SET LOG OUTPUT” on
page 243.
The OUTPUT parameter specifies the ID number of the output definition
you want to configure. The range is 2 to 20. The definition must already
exist on the switch. To view the existing definitions and their ID numbers,
refer to “SHOW LOG OUTPUT” on page 251.
The MODULE parameter specifies the modules whose events you want
the switch to send. The AT-S63 management software consists of a
number of modules. Each module is responsible for a different part of
switch operation and generates its own events. The MODULE parameter’s
ALL option sends the events from all the modules. You can also specify
individual modules, which are listed in Table 11 on page 247.
The SEVERITY parameter specifies the severity of the events to be sent.
For example, you might configure the switch to send only error events of
all the modules. Or, you might configure a definition so that the switch
sends only warning events from a couple of the modules, such as the
spanning tree protocol and the MAC address table. For a list of severity
levels, refer to Table 12 on page 249.
Examples
The following command configures output definition 5 to send event
messages from all modules and all severity levels:
add log output=5 module=all severity=all
The following command configures output definition 3 to send only
messages related to enhanced stacking and the MAC address table with
an error severity level:
add log output=3 module=estack,mac severity=e
CREATE LOG OUTPUT
Syntax
create log output=output-id destination=syslog
server=ipaddress
[facility=default|local1|local2|local3|local4|local5|local6
|local7] [syslogformat=extended|normal]
Parameters
output
    Specifies an ID number that identifies the output
    definition. The possible output IDs are:
    0
        Reserved for permanent (nonvolatile) storage. You
        cannot change or delete this ID.
    1
        Reserved for temporary (dynamic) storage. You
        cannot change or delete this ID.
    2 - 20
        Available to be used for other outputs.
destination
    Specifies the destination for the log messages. The
    only option currently supported is:
    syslog
        Forwards log messages in syslog format to a syslog
        server.
server
    Specifies the IP address of the syslog server.
facility
    Specifies a facility level to be added to the events.
    default
        Adds a facility level based on the functional
        groupings defined in the RFC 3164 standard. The
        codes applicable to the AT-S63 management software
        and its modules are shown in Table 9 on page 232.
        This is the default setting.
    local1 to local7
        Adds a set facility code of 17 (LOCAL1) to 23
        (LOCAL7) to all event messages. For a list of the
        levels and their corresponding codes, refer to
        Table 10 on page 233.
syslogformat
    Specifies the format of the generated messages. The
    possible options are:
    extended
        Messages include the date, time, and system name.
        This is the default.
    normal
        Messages do not include the date, time, and system
        name.
Description
This command creates a new output definition. The switch uses the
definition to send event messages to a device on your network. You can
create up to nineteen output definitions.
Note
This version of the AT-S63 management software supports only
syslog servers as output definitions.
Note
The switch must communicate with a syslog server through a local
network or subnet that has a routing interface. The switch uses the
IP address of the interface as its source address when sending
packets to the server. For background information, refer to “Routing
Interfaces and Management Features” on page 557. For instructions
on how to add a routing interface to the switch, refer to “ADD IP
INTERFACE” on page 570.
After creating an output definition with this command, you must customize it
by defining which event messages you want the switch to send. You can
customize a definition so that the switch sends all of its event messages or
limit it to just a selection of events from particular modules in the AT-S63
management software. Customizing a definition is accomplished with
“ADD LOG OUTPUT” on page 228 or “SET LOG OUTPUT” on page 243.
Note
The default configuration for a new output definition is no event
messages. The switch does not send events until you customize the
definition.
The OUTPUT parameter specifies the ID number for the new output
definition. The range is 2 to 20. Every definition must have a unique ID
number.
The SERVER parameter specifies the IP address of the syslog server.
The FACILITY parameter adds a numerical code to the entries as they are
sent to the syslog server. You can use this code to group entries on the
syslog server according to the management module or switch that
produced them. This is of particular value when a syslog server is
collecting events from several different network devices. You can specify
only one facility level for a syslog server definition.
There are two approaches to using this parameter. The first is to use the
DEFAULT option. At this setting, the code is based on the functional
groupings defined in the RFC 3164 standard. The codes that are
applicable to the AT-S63 management software and its modules are
shown in Table 9.
Table 9. Default Syslog Facilities

Facility   Syslog Protocol           Mapped Event Log Modules and Events
Number     Definition
4          Security/authorization    Security and authorization messages from the
           messages                  following modules: DOS, ENCO, PACCESS (802.1x),
                                     PKI, PSEC (port security), RADIUS, SSH, SSL,
                                     TACACS+, and system events such as user login
                                     and logout.
9          Clock daemon              Time-based activities and events from the
                                     following modules: TIME, SNTP, and RTC.
16         Local use 0               All other modules and events.
22         Local use 6               Physical interface and data link events from the
                                     following modules: PCFG (port configuration),
                                     PMIRR (port mirroring), PTRUNK (port trunking),
                                     STP, and VLANs.
23         Local use 7               System events related to major exceptions.
For example, the setting of DEFAULT assigns port mirroring events a
code of 22 and encryption key events a code of 4.
Another option is to assign all events from a switch the same numerical
code using the LOCAL1 to LOCAL7 options. Each option represents a
predefined RFC 3164 numerical code. The code mappings are listed in
Table 10.
Table 10. Numerical Code and Facility Level Mappings

Numerical Code   Facility Level Setting
17               LOCAL1
18               LOCAL2
19               LOCAL3
20               LOCAL4
21               LOCAL5
22               LOCAL6
23               LOCAL7
For example, selecting LOCAL2 as the facility level assigns the numerical
code of 18 to all events sent to the syslog server by the switch.
The SYSLOGFORMAT parameter defines the content of the events. With the
EXTENDED option, the default, each message includes the date, time, and
system name; with the NORMAL option these are omitted.
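As an added illustration of how the facility code travels with each event, the following Python, which is not part of this guide or of the AT-S63 software, encodes and decodes the RFC 3164 PRI field (facility × 8 + severity), looks up the facility the switch should attach to a module's events under the DEFAULT setting (Table 9) or a LOCAL1 to LOCAL7 setting (Table 10), and groups received lines by facility the way a collector would. It parses both the extended format (timestamp and system name present) and the normal format (bare message). The sample lines are constructed, and the assumption that each message body begins with the module abbreviation and a colon, as the event log display does, is ours.

```python
import re
from collections import defaultdict

# Table 9: facility the switch attaches under FACILITY=DEFAULT, by module.
# Modules not listed fall into facility 16 (local use 0). Table 9 writes the
# TACACS+ module as "TACACS+"; the module abbreviation in Table 11 is TACACS.
DEFAULT_FACILITY = {
    **dict.fromkeys(["DOS", "ENCO", "PACCESS", "PKI", "PSEC", "RADIUS",
                     "SSH", "SSL", "TACACS"], 4),
    **dict.fromkeys(["TIME", "SNTP", "RTC"], 9),
    **dict.fromkeys(["PCFG", "PMIRR", "PTRUNK", "STP", "VLAN"], 22),
}

# Table 10: fixed facility codes selected with FACILITY=LOCAL1 .. LOCAL7.
LOCAL_FACILITY = {f"LOCAL{n}": 16 + n for n in range(1, 8)}


def expected_facility(module, facility_setting="DEFAULT"):
    """Facility code the switch attaches to an event from `module`
    for a given FACILITY parameter setting."""
    setting = facility_setting.upper()
    if setting == "DEFAULT":
        return DEFAULT_FACILITY.get(module.upper(), 16)
    return LOCAL_FACILITY[setting]


def encode_pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


# SYSLOGFORMAT=EXTENDED: <PRI>, timestamp, system name, message.
_EXTENDED = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# SYSLOGFORMAT=NORMAL: <PRI> followed directly by the message.
_NORMAL = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$")


def parse_line(line):
    """Return a dict describing one received syslog line."""
    m = _EXTENDED.match(line) or _NORMAL.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    # Assumption (ours): the body starts with the module abbreviation and a
    # colon, as the event log display does ("garp: GARP initialized").
    module, _, text = m.group("msg").partition(": ")
    return {"facility": facility, "severity": severity,
            "host": m.groupdict().get("host"),  # None in NORMAL format
            "module": module.upper(), "text": text}


def group_by_facility(lines):
    """Bucket parsed events by facility, as a collector might."""
    groups = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        groups[event["facility"]].append(event)
    return dict(groups)


def facility_matches(event, facility_setting="DEFAULT"):
    """True when the received facility is the one the switch should have
    attached for this module under the given FACILITY setting."""
    return event["facility"] == expected_facility(event["module"], facility_setting)


# Constructed sample traffic (not real device output): one switch at
# FACILITY=DEFAULT in extended format, plus one normal-format line.
SAMPLE = [
    "<38>Feb  1 09:11:02 sw12 radius: RADIUS server unreachable",        # 4*8+6
    "<180>Feb  1 09:11:09 sw12 pmirr: Mirror initialization succeeded",  # 22*8+4
    "<134>Feb  1 09:12:40 sw12 garp: GARP initialized",                  # 16*8+6
    "<134>Feb  1 09:13:00 sw12 ssh: Session opened",                     # 16, SSH expects 4
    "<181>stp: Topology change on port 3",                               # NORMAL, 22*8+5
]

if __name__ == "__main__":
    for facility, events in sorted(group_by_facility(SAMPLE).items()):
        print(f"facility {facility}:")
        for ev in events:
            flag = "" if facility_matches(ev) else "  <- unexpected facility"
            print(f"  sev {ev['severity']} {ev['module']}: {ev['text']}{flag}")
```

On a collector, an event whose facility does not match what Table 9 predicts for its module (the fourth sample line) points at a definition created with a LOCAL setting you did not expect, or at a sender that is not the switch you assumed, so the check is a cheap sanity test to run on incoming AT-S63 traffic.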
Examples
The following command creates output definition number 10, which sends
messages to the syslog server at 149.65.10.99 in normal format with a
facility level setting of LOCAL6:
create log output=10 destination=syslog server=149.65.10.99
facility=local6 syslogformat=normal
The following command creates output definition number 18 and sends all
of the messages to the syslog server. Because the SYSLOGFORMAT
parameter is omitted from the command, the messages are sent in extended
format, which is the default:
create log output=18 destination=syslog server=149.65.10.101
DESTROY LOG OUTPUT
Syntax
destroy log output=output-id
Parameters
output
Specifies the output definition ID number.
Description
This command deletes the specified output definition. To disable the
output definition without deleting it, see “DISABLE LOG OUTPUT” on
page 236.
Example
The following command destroys output definition number 3:
destroy log output=3
DISABLE LOG
Syntax
disable log
Parameters
None.
Description
This command disables the event log module. When the log module is
disabled, the AT-S63 management software stops storing events in the
event logs and sending events to output definitions. The default setting for
the event logs is enabled.
Note
The event log module, even when disabled, still logs all AT-S63
initialization events that occur when the switch is reset or power
cycled. Any switch events that occur after AT-S63 initialization are
recorded only if the event log module is enabled.
Examples
The following command disables the event log on the switch:
disable log
DISABLE LOG OUTPUT
Syntax
disable log output[=output-id]
Parameters
output
Specifies the output definition ID number to disable.
Not specifying an output definition disables all
definitions.
Description
This command disables an output definition. When disabled, no event
messages are sent to the specified device, although the definition still
exists. To permanently remove an output definition, see “DESTROY LOG
OUTPUT” on page 234. To enable the output definition again, see
“ENABLE LOG OUTPUT” on page 238.
Example
The following command disables (but does not delete) output definition
number 7:
disable log output=7
The following command disables all configured definitions:
disable log output
ENABLE LOG
Syntax
enable log
Parameters
None.
Description
This command activates the event logs. After the log is activated, the
switch immediately starts to store events in the event logs and send
events to defined outputs. The default setting for the event log is enabled.
Example
The following command activates the event log module on the switch:
enable log
ENABLE LOG OUTPUT
Syntax
enable log output[=output-id]
Parameters
output
Specifies the output definition ID number to enable.
The range is 2 to 20.
Description
This command enables an output definition that was disabled using
“DISABLE LOG OUTPUT” on page 236.
Example
The following command enables output definition number 4:
enable log output=4
The following command enables all output definitions:
enable log output
PURGE LOG
Syntax
purge log[=permanent|temporary]
Parameter
log
Specifies the type of memory on the switch where the
log file you want to purge is located. The options are:
permanent
Permanent (nonvolatile) memory.
Deletes all events stored in nonvolatile
memory, which can contain up to
2,000 events.
temporary
Temporary memory. Deletes all events
stored in temporary memory, which
can contain up to 4,000 events. This is
the default if you do not specify the
“permanent” option.
Description
This command deletes all the entries stored in an event log.
Example
The following command deletes all the entries in the event log stored in
temporary memory:
purge log=temporary
The following command deletes all the entries in both event logs:
purge log
SAVE LOG
Syntax
save log[=permanent|temporary] filename=filename.log [full]
[module=module] [reverse] [severity=all|severity]
[overwrite]
Parameters
log
Specifies the source of the events you want to save
to the log file. The options are:
permanent
Permanent (nonvolatile) memory.
Saves events stored in nonvolatile
memory, which can contain up to
2,000 events.
temporary
Temporary memory. Saves events
stored in temporary memory, which
can contain up to 4,000 events. This is
the default.
filename
Specifies the filename for the log. The name can be
up to 16 alphanumeric characters, followed by the
extension ”.log.” Spaces are allowed. The filename
must be enclosed in quotes if it contains spaces.
Otherwise, the quotes are optional.
full
Specifies the amount of information saved to the log.
Without this option, the log saves only the time,
module, severity, and description for each entry. With
it, the log also saves the filename, line number, and
event ID.
module
Specifies the AT-S63 module whose events are to be
saved. For a list of modules, refer to Table 11 on
page 247. Omitting this parameter saves the events
from all the modules.
reverse
Specifies the order of the events in the log. Without
this option, the events are saved oldest to newest.
With this option, the events are saved newest to
oldest.
severity
    Specifies the severity of events to be saved. The
    options are:
    all
        Saves events of all severity levels.
    severity
        Saves events of a particular severity. Choices are I
        for Informational, E for Error, W for Warning, and D
        for Debug. You can select more than one severity at a
        time (for example, E,W). For a definition of the
        severity levels, see Table 12, “Event Log Severity
        Levels” on page 249. The default is E, W, I.
overwrite
    Overwrites the file if it already exists. Without this
    option, the command displays an error if a file with the
    same name already exists in the switch’s file system.
Description
This command saves the current entries in an event log to a file in the file
system. The parameters in the command allow you to specify which
events you want saved in the log file.
Examples
The following command saves the event messages stored in the
permanent event log to a file called “switch2.log”. Because the MODULE
and SEVERITY parameters are not included in the command, the defaults
are used, which is events from all modules with an informational, error, or
warning severity level:
save log=permanent filename=switch2.log
The following command saves the error messages of the VLAN module
stored in the temporary event log in a file called “sw14.log”:
save log=temporary filename=sw14.log module=vlan severity=e
The following command saves informational messages from all modules in
a file called “sw56.log” and overwrites the file of the same name if it
already exists in the file system:
save log=permanent filename=sw56.log severity=i overwrite
SET LOG FULLACTION
Syntax
set log fullaction [temporary=halt|wrap]
[permanent=halt|wrap]
Parameters
fullaction
Specifies what happens when a log reaches
maximum capacity. You can set the action separately
for each log. The possible actions are:
halt
The log stops storing new events.
wrap
The log deletes the oldest entries as new
ones are added. This is the default.
Description
This command defines the action of an event log when it has stored its
maximum number of entries. The HALT option instructs the log to stop
storing new entries. If the event log has already reached its maximum
capacity, it immediately stops entering new entries. The WRAP option
instructs the log to delete the oldest entries as new entries are added.
To view the current actions of the event logs, refer to “SHOW LOG
OUTPUT” on page 251.
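To make the difference between the two actions concrete, here is a small Python model of a bounded event log, added here and not part of the guide or the AT-S63 software: the class, its name and the `dropped` counter are ours, the capacities are those the guide states for the permanent and temporary logs, and the two policies are HALT and WRAP as described above.

```python
from collections import deque

# Capacities stated in the guide for the two event logs.
PERMANENT_CAPACITY = 2000
TEMPORARY_CAPACITY = 4000


class EventLog:
    """Bounded event store with the SET LOG FULLACTION semantics.

    halt: once full, new events are discarded and the contents freeze.
    wrap: once full, the oldest entry is evicted for every new one (default).
    """

    def __init__(self, capacity, fullaction="wrap"):
        if fullaction not in ("halt", "wrap"):
            raise ValueError(f"fullaction must be halt or wrap, got {fullaction!r}")
        self.capacity = capacity
        self.fullaction = fullaction
        self._entries = deque()
        self.dropped = 0  # events not retained: rejected (halt) or evicted (wrap)

    @property
    def is_full(self):
        return len(self._entries) >= self.capacity

    def add(self, event):
        """Store `event`; return True if it was retained."""
        if not self.is_full:
            self._entries.append(event)
            return True
        self.dropped += 1
        if self.fullaction == "halt":
            return False              # log full: the new event is lost
        self._entries.popleft()       # wrap: the oldest entry is lost instead
        self._entries.append(event)
        return True

    def entries(self, reverse=False):
        """Contents oldest-to-newest, or newest-to-oldest like SHOW LOG REVERSE."""
        return list(reversed(self._entries)) if reverse else list(self._entries)


def simulate(fullaction, capacity, events):
    """Feed `events` into a fresh log and return it for inspection."""
    log = EventLog(capacity, fullaction)
    for event in events:
        log.add(event)
    return log


if __name__ == "__main__":
    # Constructed five-event sequence into a three-entry log, both policies.
    burst = ["e1", "e2", "e3", "e4", "e5"]
    for policy in ("halt", "wrap"):
        log = simulate(policy, 3, burst)
        print(f"{policy}: kept {log.entries()}, lost {log.dropped}")
```

Under WRAP a burst of routine events can evict the older entries you may need later; under HALT everything that happens after the log fills is lost. In either case an entry only survives past the log's capacity if it is also sent to a syslog output definition or saved with SAVE LOG.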
Example
The following command configures the event log in permanent memory to
stop storing new entries after it has stored the maximum number of
allowed entries:
set log fullaction permanent=halt
SET LOG OUTPUT
Syntax
set log output=output-id [destination=syslog]
server=ipaddress
[facility=default|local1|local2|local3|local4|local5|local6
|local7] [syslogformat=extended|normal] [module=all|module]
[severity=all|severity-list]
Parameters
output
    Specifies an ID number that identifies the output
    definition to be modified. The possible output IDs are:
    0
        Reserved for permanent (nonvolatile) storage. You
        cannot change or delete this ID.
    1
        Reserved for temporary (dynamic) storage. You
        cannot change or delete this ID.
    2 - 20
        Available to be used for other outputs.
destination
    Specifies the destination for the log messages. The
    only option currently supported is:
    syslog
        Forwards log messages in syslog format to a syslog
        server.
server
    Specifies a new IP address for the syslog server.
facility
    Specifies a facility level to be added to the events.
    default
        Adds a facility level based on the functional
        groupings defined in the RFC 3164 standard. The
        codes applicable to the AT-S63 management software
        and its modules are shown in Table 9 on page 232.
        This is the default setting.
    local1 to local7
        Adds a set facility code of 17 (LOCAL1) to 23
        (LOCAL7) to all event messages. For a list of the
        levels and their corresponding codes, refer to
        Table 10 on page 233.
syslogformat
    Specifies the format of the generated messages. The
    possible options are:
    extended
        Messages include the date, time, and system name.
        This is the default.
    normal
        Messages do not include the date, time, and system
        name.
module
    Specifies what AT-S63 events to filter. The available
    options are:
    all
        Sends events for all modules. This is the default.
    module
        Sends events for specific module(s). You can select
        more than one module at a time, for example,
        MAC,PACCESS. For a list of modules, see Table 11,
        “AT-S63 Modules” on page 247.
severity
    Specifies the severity of events to be sent. The
    options are:
    all
        Sends events of all severity levels.
    severity
        Sends events of a particular severity. Choices are I
        for Informational, E for Error, W for Warning, and D
        for Debug. You can select more than one severity at a
        time (for example, E,W). For a definition of the
        severity levels, see Table 12, “Event Log Severity
        Levels” on page 249. The defaults are I, E, and W.
Description
This command modifies an existing output definition. For further
information on the FACILITY and SYSLOGFORMAT parameters, see
“CREATE LOG OUTPUT” on page 230. For further information about the
MODULE and SEVERITY parameters, see “ADD LOG OUTPUT” on
page 228.
Note
This version of the AT-S63 management software supports only
syslog servers as output definitions.
Examples
The following command changes the IP address for output definition
number 5 to 149.55.55.55:
set log output=5 server=149.55.55.55
The following command modifies output definition number 6 to only send
messages from the RADIUS module of all severity levels:
set log output=6 module=radius severity=all
The following command changes the facility level and message format for
output definition 4. The facility level is changed to LOCAL1 (numerical
code 17) and the format to normal so that the messages include only
severity, module, and description:
set log output=4 facility=local1 syslogformat=normal
The following command changes syslog server definition 11 to send only
spanning tree and IGMP snooping events with a severity level of error or
warning:
set log output=11 module=stp,igmpsnooping severity=e,w
SHOW LOG
Syntax
show log[=permanent|temporary] [full] [module=module]
[reverse] [severity=severity]
Parameters
log
Specifies which of the two event logs you want to
view. The options are:
permanent
Displays the events stored in
permanent memory.
temporary
Displays the events stored in
temporary memory. This is the
default.
full
Specifies the amount of information displayed by the
log. Without this option, the log displays the time,
module, severity, and description for each entry. With
it, the log also displays the filename, line number, and
event ID.
module
Specifies the AT-S63 module whose events you want
displayed. For a list of modules, refer to Table 11 on
page 247.
reverse
Specifies the order of the events in the log. Without
this option, the events are displayed oldest to newest.
With this option, the events are displayed newest to
oldest.
severity
Specifies the severity of events to be displayed. The
options are:
all
Displays events of all severity levels.
severity
Displays events of a particular severity.
Choices are I for Informational, E for Error,
W for Warning, and D for Debug. You can
select more than one severity at a time (for
example, E,W). For a definition of the
severity levels, see Table 12, “Event Log
Severity Levels” on page 249. The
defaults are I, E, and W.
Description
This command displays the entries stored in an event log.
An event log can display entries in two modes: normal and full. In the
normal mode, a log displays the time, module, severity, and description for
each entry. In the full mode, a log also displays the filename, line number,
and event ID. If you want to view the entries in the full mode, use the FULL
parameter. To view entries in the normal mode, omit the parameter.
The MODULE parameter displays entries generated by a particular
AT-S63 module. You can specify more than one module at a time. If you
omit this parameter, the log displays the entries for all the modules.
Table 11 lists the modules and their abbreviations.
Table 11. AT-S63 Modules

Module Name   Description
ALL           All modules
ACL           Port access control list
CFG           Switch configuration
CLASSIFIER    Classifiers used by ACL and QoS
CLI           Command line interface commands
DOS           Denial of service defense
ENCO          Encryption keys
ESTACK        Enhanced stacking
EVTLOG        Event log
FILE          File system
GARP          GARP GVRP
HTTP          Web server
IGMPSNOOP     IGMP snooping
IP            System IP configuration
LACP          Link Aggregation Control Protocol
MAC           MAC address table
MGMTACL       Management access control list
MLDSNOOP      MLD snooping
PACCESS       802.1x port-based access control
PCFG          Port configuration
PKI           Public Key Infrastructure
PMIRR         Port mirroring
PSEC          MAC address-based port security
PTRUNK        Static port trunking
QOS           Quality of Service
RADIUS        RADIUS authentication protocol
RPS           Redundant power supply
RRP           RRP snooping
RTC           Real time clock
SNMP          SNMP
SSH           Secure Shell protocol
SSL           Secure Sockets Layer protocol
STP           Spanning Tree, Rapid Spanning, and Multiple Spanning Tree protocols
SYSTEM        Hardware status; manager and operator log in and log off events.
TACACS        TACACS+ authentication protocol
TELNET        Telnet
TFTP          TFTP
TIME          System time and SNTP
VLAN          Port-based and tagged VLANs, and multiple VLAN modes
WATCHDOG      Watchdog timer
The log can display its entries in chronological order (oldest to newest), or
reverse chronological order. The default is chronological order. To reverse
the order, use the REVERSE parameter.
The SEVERITY parameter displays entries of a particular severity.
Table 12 defines the different severity levels. You can specify more than
one severity level at a time. The default is to display error, warning, and
informational messages.
Table 12. Event Log Severity Levels

Value   Severity Level   Description
E       Error            Switch operation is severely impaired.
W       Warning          An issue may require manager attention.
I       Informational    Useful information that can be ignored during normal operation.
D       Debug            Messages intended for technical support and software development.
An example of the event log is shown in Figure 20. The example uses
the full display mode.
S Date    Time     EventID Source File:Line Number  Event
----------------------------------------------------------------------------------
I 2/01/04 09:11:02 073001  garpmain.c:259           garp: GARP initialized
I 2/01/04 09:55:15 083001  portconfig.c:961         pcfg: PortConfig initialized
I 2/01/04 10:22:11 063001  vlanapp.c:444            vlan: VLAN initialization succeeded
I 2/01/04 12:24:12 093001  mirrorapp.c:158          pmirr: Mirror initialization succeeded
I 2/01/04 12:47:08 043016  macapp.c:1431            mac: Delete Dynamic MAC by Port[2] succeeded
Figure 20. Event Log Example
The columns in the log are described below:
• S (Severity) - The event’s severity. Refer to Table 12 on page 249.
• Date/Time - The date and time the event occurred.
• Event - The module within the AT-S63 software that generated the
  event followed by a brief description of the event. For a list of the
  AT-S63 modules, see Table 11 on page 247.
• Event ID - A unique number that identifies the event. (Displayed only in
  the full display mode.)
• Filename and Line Number - The subpart of the AT-S63 module and
  the line number that generated the event. (Displayed only in the full
  display mode.)
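As an added example that is not part of the guide, the following Python parses a captured full-mode display in the layout of Figure 20 and applies the MODULE, SEVERITY and REVERSE filters that both SHOW LOG and SAVE LOG accept, so a log retrieved from the switch can be filtered off-box the same way the CLI filters it. The first five sample lines are copied from Figure 20; the last three, with their event IDs and source locations, are constructed, and the parser, its class and function names are ours.

```python
import re
from dataclasses import dataclass

# Table 12 severity letters and names; SHOW LOG's default selection.
SEVERITY_LEVELS = {"E": "Error", "W": "Warning", "I": "Informational", "D": "Debug"}
DEFAULT_SEVERITY = ("E", "W", "I")

# One line of the full display mode (Figure 20):
# S Date Time EventID SourceFile:Line module: description
_FULL_LINE = re.compile(
    r"^(?P<sev>[EWID]) (?P<date>\d{1,2}/\d{2}/\d{2}) (?P<time>\d\d:\d\d:\d\d) +"
    r"(?P<event_id>\d{6}) +(?P<src>\S+:\d+) +(?P<module>\w+): (?P<text>.*)$")


@dataclass(frozen=True)
class LogEntry:
    severity: str
    date: str
    time: str
    event_id: str
    source: str   # "file.c:line", shown only in full mode
    module: str
    text: str

    def render(self, full=False):
        """Re-display the entry in normal or FULL mode."""
        head = f"{self.severity} {self.date} {self.time}"
        body = f"{self.module}: {self.text}"
        return f"{head} {self.event_id} {self.source} {body}" if full else f"{head} {body}"


def parse_log(text):
    """Parse a captured full-mode SHOW LOG display. Header, rule and
    caption lines do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _FULL_LINE.match(line.strip())
        if m:
            entries.append(LogEntry(m["sev"], m["date"], m["time"], m["event_id"],
                                    m["src"], m["module"], m["text"]))
    return entries


def _split(option):
    """Turn a CLI list such as "stp,vlan" or "e,w" into an upper-case set."""
    return {item.strip().upper() for item in option.split(",") if item.strip()}


def show_log(entries, module=None, severity=DEFAULT_SEVERITY, reverse=False):
    """Apply the MODULE, SEVERITY and REVERSE filters of SHOW LOG / SAVE LOG.
    Omitting `module` selects all modules; "all" selects every severity."""
    modules = _split(module) if module else {"ALL"}
    severities = _split(severity) if isinstance(severity, str) else set(severity)
    if "ALL" in severities:
        severities = set(SEVERITY_LEVELS)
    selected = [e for e in entries
                if ("ALL" in modules or e.module.upper() in modules)
                and e.severity in severities]
    return selected[::-1] if reverse else selected


# First five lines from Figure 20; the W, E and D lines are constructed.
SAMPLE_LOG = """\
S Date    Time     EventID Source File:Line Number  Event
----------------------------------------------------------------------
I 2/01/04 09:11:02 073001  garpmain.c:259           garp: GARP initialized
I 2/01/04 09:55:15 083001  portconfig.c:961         pcfg: PortConfig initialized
I 2/01/04 10:22:11 063001  vlanapp.c:444            vlan: VLAN initialization succeeded
I 2/01/04 12:24:12 093001  mirrorapp.c:158          pmirr: Mirror initialization succeeded
I 2/01/04 12:47:08 043016  macapp.c:1431            mac: Delete Dynamic MAC by Port[2] succeeded
W 2/01/04 13:02:51 123004  stpapp.c:2210            stp: Topology change detected
E 2/01/04 13:05:19 063017  vlanapp.c:812            vlan: VLAN 30 creation failed
D 2/01/04 13:05:20 063099  vlanapp.c:815            vlan: Retrying VLAN table update
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Equivalent of: show log module=vlan severity=e,w
    for e in show_log(entries, module="vlan", severity="e,w"):
        print(e.render(full=True), "-", SEVERITY_LEVELS[e.severity])
```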
Examples
The following command displays all the entries in the event log stored in
permanent memory:
show log=permanent
The following command displays the events stored in temporary memory
in the full display mode, which adds more information:
show log=temporary full
The following command displays only those entries stored in temporary
memory and associated with the AT-S63 modules FILE and QOS:
show log=temporary module=file,qos
The following command displays the error and warning entries for the
AT-S63 module VLAN. Because the log is not specified, the temporary log
is displayed by default:
show log module=vlan severity=e,w
SHOW LOG OUTPUT
Syntax
show log output[=output-id] [full]
Parameters
output
Specifies the output definition ID number. If an output
ID number is not specified, all output definitions
currently configured on the switch are displayed.
full
Displays the details of the output definition. If not
specified, only a summary is displayed.
Description
This command displays output definition details. An example of the
information displayed by this command is shown in Figure 21.
OutputID  Type       Status   Details
---------------------------------------------------------
0         Permanent  Enabled  Wrap on Full
1         Temporary  Enabled  Wrap on Full
2         Syslog     Enabled  169.55.55.55
3         Syslog     Enabled  149.88.88.88
Figure 21. SHOW LOG OUTPUT Command
The columns in the display are described below:
- Output ID - The ID number of the output definition. The permanent event log has the ID 0 and the temporary log has the ID 1. Syslog server definitions start with ID 2.
- Type - The type of output definition. Permanent is the permanent event log and Temporary is the temporary event log. Syslog indicates a syslog server definition.
- Status - The status of the output definition, which can be enabled or disabled.
- Details - The event log full action or a syslog server’s IP address. For an event log, this column contains the log’s full action. Wrap on Full indicates that the log adds new entries by deleting old entries when it reaches maximum capacity. Halt on Full means the log stops adding entries after reaching maximum capacity. To configure the full action for an event log, refer to “SET LOG FULLACTION” on page 242. For a syslog definition, this column contains the IP address of the syslog server.
An example of the information displayed by this command with the FULL
parameter is shown in Figure 22.
Output ID .................... 2
Output Type .................. Syslog
Status ....................... Enabled
Server IP Address ............ 149.88.88.88
Message Format ............... Extended
Facility Level ............... DEFAULT
Event Severity ............... E,W,I
Event Module ................. All
Figure 22. SHOW LOG OUTPUT Command with the FULL Parameter
For definitions of the parameters, refer to “SET LOG OUTPUT” on
page 243.
Examples
The following command lists all the output definitions:
show log output
The following command displays the details of output definition number 5:
show log output=5 full
SHOW LOG STATUS
Syntax
show log status
Parameter
None.
Description
This command displays information about the event log feature. Figure 23
is an example of the information displayed by this command.
Event Log Configuration:
Event Logging .................... Enabled
Number of Output Definitions ..... 4
Figure 23. SHOW LOG STATUS Command
The Event Logging field indicates whether the feature is enabled or
disabled. If enabled, the switch stores events in the event logs and sends
events to defined outputs. If disabled, no events are stored in the event
logs or sent to defined outputs. To enable and disable the event logs, refer
to “ENABLE LOG” on page 237 and “DISABLE LOG” on page 235.
The Number of Output Definitions is the sum of the two event logs plus
any output definitions that you might have created. For instance, the
number 4 for Number of Output Definitions in the above example indicates
the existence of two output definitions in addition to the two event logs. To
create new output definitions, refer to “CREATE LOG OUTPUT” on
page 230 and “ADD LOG OUTPUT” on page 228.
Example
The following command displays event log status information:
show log status
Chapter 16
Classifier Commands
This chapter contains the following commands:
- “CREATE CLASSIFIER” on page 256
- “DESTROY CLASSIFIER” on page 260
- “PURGE CLASSIFIER” on page 261
- “SET CLASSIFIER” on page 262
- “SHOW CLASSIFIER” on page 265
Note
Remember to use the SAVE CONFIGURATION command to save
your changes on the switch.
Note
For background information, refer to Chapter 13, “Classifiers” in the
AT-S63 Management Software Menus Interface User’s Guide.
CREATE CLASSIFIER
Syntax
create classifier=idnumber [description="string"]
[macdaddr=macaddress|any] [macsaddr=macaddress|any]
[ethformat=ethii-untagged|ethii-tagged|802.2-untagged|802.2-tagged|any]
[priority=integer|any] [vlan=name|1..4094|any]
[protocol=ip|arp|rarp|number|any] [iptos=integer|any]
[ipdscp=integer] [ipprotocol=protocol|number|any]
[ipdaddr=ipaddress/mask|any]
[ipsaddr=ipaddress/mask|any] [tcpsport=integer|any]
[tcpdport=integer|any] [udpsport=integer|any]
[udpdport=integer|any]
[tcpflags=urg|ack|psh|rst|syn|fin|any]
Parameters
classifier
Specifies the ID number of the classifier. The number can
be from 1 to 9999. Each classifier must be assigned a
unique ID number. This parameter is required.
description
Specifies a description of the classifier. A description can
be up to fifteen alphanumeric characters. Spaces are
allowed. If it contains spaces, it must be enclosed in double
quotes. Otherwise, the quotes are optional.
macdaddr
Defines a traffic flow by a destination MAC address. The
address can be entered in either of the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
macsaddr
Defines a traffic flow by a source MAC address. The
address can be entered in either of the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
ethformat
Defines a traffic flow by the type of Ethernet frame. The
options are:
ethII-untagged
ethII-tagged
802.2-untagged
802.2-tagged
priority
Defines a traffic flow by the user priority level in a tagged
Ethernet frame. The value can be 0 to 7.
vlan
Defines a traffic flow of a tagged or port-based VLAN by its
name or VID number.
protocol
Defines a traffic flow by the protocol specified in the
Ethertype field of the MAC header in an Ethernet II frame.
Options are:
IP
ARP
RARP
You can specify the protocol by entering the protocol
number in either decimal or hexadecimal format. If the
latter, precede the number with “0x”. The range is 1536
(0x600) to 65535 (0xFFFF).
iptos
Defines a traffic flow by the Type of Service value. The
range is 0 to 7.
ipdscp
Defines a traffic flow by the DSCP value. The range is 0 to
63.
ipprotocol
Defines a traffic flow of a Layer 3 protocol. Options are:
TCP
UDP
ICMP
IGMP
You can specify the protocol by entering the protocol
number in either decimal or hexadecimal format. If the
latter, precede the number with “0x”. The range is 0 (0x0) to
255 (0xFF).
ipdaddr
Defines a traffic flow by a destination IP address. The
address can be of a specific node or a subnet. To filter
using the IP address of a subnet, you must include a mask.
A mask is a decimal number that represents the number of
bits in the address, from left to right, that constitute the
network portion of the address. For example, the subnet
address 149.11.11.0 would have a mask of “24” for the
twenty-four bits that represent the network section of the
address. The address and mask are separated by a slash (/); for
example, “IPDADDR=149.11.11.0/24”. No mask is necessary for the IP
address of a specific end node.
ipsaddr
Defines a traffic flow by a source IP address. The address
can be of a specific node or a subnet. If the latter, a mask
must be included to indicate the subnet portion of the
address. For an explanation of the mask, refer to the
IPDADDR parameter.
tcpsport
Defines a traffic flow by a source TCP port.
tcpdport
Defines a traffic flow by a destination TCP port.
udpsport
Defines a traffic flow by a source UDP port.
udpdport
Defines a traffic flow by a destination UDP port.
tcpflags
Defines a traffic flow by a TCP flag. Options are:
URG - Urgent
ACK - Acknowledgement
RST - Reset
PSH - Push
SYN - Synchronization
FIN - Finish
Description
This command creates a classifier. A classifier defines a traffic flow. A
traffic flow consists of packets that share one or more characteristics. A
traffic flow can range from being very broad to very specific. An example
of the former might be all IP traffic while an example of the latter could be
packets with specific source and destination MAC addresses.
You use classifiers with access control lists (ACL) and Quality of Service
policies to define the traffic flow to be affected by the ACL or QoS.
If you create a classifier without any parameters, then all incoming packets
are classified.
The ANY option of a parameter is used when you want to delete the
current setting of a parameter without setting a new value. This leaves the
parameter blank so that it applies to all packets.
Note
For definitions and restrictions on the classifier variables, refer to the
Chapter 13, “Classifiers” in the AT-S63 Management Software
Menus Interface User’s Guide.
Examples
This command creates a classifier for all IP traffic:
create classifier=4 description="IP flow" protocol=ip
This command creates a classifier for all traffic originating from the subnet
149.22.22.0 destined to the device with the IP address 149.44.44.11:
create classifier=4 description="subnet flow"
ipsaddr=149.22.22.0/24 ipdaddr=149.44.44.11
This command creates a classifier for all HTTPS web traffic with a
destination IP address of 149.44.44.44:
create classifier=7 description="HTTPS flow"
ipdaddr=149.44.44.44 tcpdport=443
DESTROY CLASSIFIER
Syntax
destroy classifier=idnumber
Parameters
classifier
Specifies the ID number of the classifier to be deleted. The
number can be from 1 to 9999. You can delete more than
one classifier at a time. You can specify the classifiers
individually (e.g., 2,5,7), as a range (e.g., 11-14), or both
(e.g., 2,4-8,12).
Description
This command deletes a classifier from the switch. To delete a classifier,
you need to know its ID number. To display the ID numbers of the
classifiers, refer to “SHOW CLASSIFIER” on page 265.
You cannot delete a classifier if it is assigned to an ACL or QoS policy.
You must remove the classifier from the ACL or policy before you can
delete it.
Example
This command deletes classifiers 2 and 4:
destroy classifier=2,4
PURGE CLASSIFIER
Syntax
purge classifier
Parameters
None.
Description
This command deletes all classifiers from the switch. You cannot delete
classifiers that are assigned to an ACL or QoS policy. You must first
remove the classifiers from the ACLs and policies before you can delete
them.
Example
This command deletes all classifiers on the switch:
purge classifier
SET CLASSIFIER
Syntax
set classifier=idnumber [description="string"]
[macdaddr=macaddress|any] [macsaddr=macaddress|any]
[priority=value] [vlan=name|1..4094|any]
[protocol=ip|arp|rarp|number|any] [iptos=value|any]
[ipdscp=value|any] [ipprotocol=protocol|number|any]
[ipdaddr=ipaddress/mask|any] [ipsaddr=ipaddress/mask|any]
[tcpsport=value|any] [tcpdport=value|any]
[udpsport=value|any] [udpdport=value|any]
[tcpflags=urg|ack|psh|rst|syn|fin|any]
Parameters
classifier
Specifies the ID number of the classifier to be modified.
You can modify only one classifier at a time. The number
can be from 1 to 9999.
description
Specifies a description of the classifier. A description can
be up to fifteen alphanumeric characters. Spaces are
allowed. If it contains spaces, it must be enclosed in double
quotes. Otherwise, the quotes are optional.
macdaddr
Specifies a destination MAC address. The address can be
entered in either of the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
macsaddr
Specifies a source MAC address. The address can be
entered in either of the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
priority
Specifies the user priority level in a tagged Ethernet frame.
The value can be 0 to 7.
vlan
Specifies a tagged or port-based VLAN by its name or VID
number.
protocol
Specifies a Layer 2 protocol. Options are:
IP
ARP
RARP
You can specify additional Layer 2 protocols by entering
the protocol number in either decimal or hexadecimal
format. For the latter, precede the number with “0x”.
iptos
Specifies a Type of Service value. The range is 0 to 7.
ipdscp
Specifies a DSCP value. The range is 0 to 63.
ipprotocol
Specifies a Layer 3 protocol. Options are:
TCP
UDP
ICMP
IGMP
You can specify other Layer 3 protocols by entering the
protocol number in either decimal or hexadecimal format. If
you use the latter, precede the number with “0x”.
ipdaddr
Specifies a destination IP address. The address can be of a
specific node or a subnet. To filter using the IP address of a
subnet, you must include a mask. A mask is a decimal
number that represents the number of bits in the address,
from left to right, that constitute the network portion of the
address. For example, the Class C subnet address
149.11.11.0 would have a mask of “24” for the twenty-four
bits that represent the network section of the address. The
address and mask are separated by a slash (/); for
example, “IPDADDR=149.11.11.0/24”. No mask is
necessary for the IP address of a specific end node.
ipsaddr
Specifies a source IP address. The address can be of a
specific node or a subnet. If the latter, a mask must be
included to indicate the subnet portion of the address. For
an explanation of the mask, refer to the IPDADDR
parameter.
tcpsport
Specifies a source TCP port.
tcpdport
Specifies a destination TCP port.
udpsport
Specifies a source UDP port.
udpdport
Specifies a destination UDP port.
tcpflags
Specifies a TCP flag. Options are:
URG - Urgent
ACK - Acknowledgement
RST - Reset
PSH - Push
SYN - Synchronization
FIN - Finish
Description
This command modifies an existing classifier. The only setting of a
classifier you cannot change is its ID number.
Specifying a new value for a variable that already has a value overwrites
the current value with the new one. The ANY option removes a variable’s
value without assigning it a new value.
You cannot modify a classifier if it belongs to an ACL or QoS policy that is
assigned to a port. You must first remove the port assignments from the
ACL or policy before you can modify it.
Examples
This command adds the destination IP address 149.22.22.22 and the
source subnet IP address 149.44.44.0 to classifier ID 4:
set classifier=4 ipdaddr=149.22.22.22
ipsaddr=149.44.44.0/24
This command adds the Layer 3 protocol IGMP to classifier ID 6:
set classifier=6 ipprotocol=igmp
This command removes the current setting for the UDP destination port
variable from classifier ID 5 without assigning a new value:
set classifier=5 udpdport=any
SHOW CLASSIFIER
Syntax
show classifier[=idnumber]
Parameters
classifier
Specifies the ID of the classifier you want to view. You can
specify more than one classifier at a time.
Description
This command displays the classifiers on a switch. Figure 24 is an
example of the information displayed by this command.
---------------------------------------------
Classifier ID: .................. 1
Description: .................... IP traffic
Protocol: ....................... 0x800 (IP)
Number of References: ........... 4
Number of Active Associations: .. 3
---------------------------------------------
Classifier ID: .................. 2
Description: .................... subnet 214
Dst IP/Mask: .................... 169.254.44.214
Number of References: ........... 1
Number of Active Associations: .. 1
---------------------------------------------
Figure 24. SHOW CLASSIFIER Command
The information displayed by this command is described here:
- ID - The classifier’s ID number.
- Description - The description of the classifier.
- The Description is followed by the parameter settings of the classifier. Only those parameters that have been assigned a value are displayed. For an explanation of the parameters, refer to “CREATE CLASSIFIER” on page 256 or “SET CLASSIFIER” on page 262.
- Number of References - The number of active and inactive ACL and QoS policy assignments where the classifier is currently assigned. An active ACL or QoS policy is assigned to at least one switch port while an inactive ACL or policy is not assigned to any ports. If this number is 0 (zero), the classifier has not been assigned to any ACLs or policies.
- Number of Active Associations - The number of active ACLs and QoS policy assignments where the classifier is currently assigned. An active ACL or policy is assigned to at least one switch port.
  You can use this number together with the Number of References to determine the number of inactive ACLs and policies for a classifier. For example, if Number of References for a classifier is 4 and the Number of Active Associations is 3, one of the ACL or QoS policy assignments for the classifier is not assigned to a switch port.
Examples
This command displays all of the classifiers on the switch:
show classifier
This command displays the details for just classifier ID 12:
show classifier=12
Chapter 17
Access Control List Commands
This chapter contains the following commands:
- “CREATE ACL” on page 268
- “DESTROY ACL” on page 270
- “PURGE ACL” on page 271
- “SET ACL” on page 272
- “SHOW ACL” on page 274
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 14,
“Access Control Lists” in the AT-S63 Management Software Menus
Interface User’s Guide.
CREATE ACL
Syntax
create acl=value [description="string"]
[action=deny|permit] classifierlist=value
[portlist=ports]
Parameters
acl
Specifies an ID number for the ACL. The number can be
from 0 to 255. Each ACL must have a unique ID number.
description
Specifies a description for the ACL. A description can be up
to 15 alphanumeric characters. Spaces are allowed. If the
description contains spaces, it must be enclosed in double
quotes. Otherwise, the quotes are optional.
action
Specifies the action to be taken by the port when an ingress
packet matches a classifier attached to the ACL. Options
are:
permit
The port accepts the packet.
deny
The port discards the packet, provided that the
packet does not match the classifier of a permit
ACL assigned to the same port. This is the
default action.
classifierlist
Specifies the ID numbers of the classifiers to be assigned
to the ACL. When entering multiple ID numbers, separate
the numbers with a comma (e.g., 4,6,7). The classifiers
must already exist on the switch. The order in which you
specify the classifiers is not important. An ACL must have
at least one classifier.
portlist
Specifies the port where this ACL is to be assigned. You
can assign an ACL to more than one port. When entering
multiple ports, the ports can be listed individually (e.g.,
2,5,7), as a range (e.g., 8-12) or both (e.g., 1-4,6,8).
Description
This command creates an ACL. An ACL is used to filter ingress packets
on a port.
Examples
The following command creates an ACL that discards the ingress traffic
flow specified in classifier ID 18 and applies the ACL to port 4:
create acl=12 description="IP flow deny" action=deny
classifierlist=18 portlist=4
The following command creates an ACL that discards the ingress traffic
flows specified in classifier ID 2 and 17 and applies the ACL to ports 2 and
6:
create acl=6 description="subnet flow deny"
action=deny classifierlist=2,17 portlist=2,6
The following command creates an ACL that permits the ingress traffic
flow specified in classifier ID 18 and applies the ACL to ports 8 to 10:
create acl=24 description="subnet flow deny"
action=permit classifierlist=18 portlist=8-10
DESTROY ACL
Syntax
destroy acl=value
Parameters
acl
Specifies the ID number of the ACL you want to delete. You
can delete more than one ACL at a time.
Description
This command deletes an ACL from the switch.
Example
The following command deletes ACL IDs 14 and 17:
destroy acl=14,17
PURGE ACL
Syntax
purge acl
Parameters
None.
Description
This command deletes all ACLs on the switch.
Example
This command deletes all ACLs on the switch:
purge acl
SET ACL
Syntax
set acl=value [description=string]
[action=deny|permit] [classifierlist=value]
[portlist=ports|none]
Parameters
acl
Specifies the ID number of the ACL you want to modify.
The number can be from 0 to 255. You can modify only
one ACL at a time.
description
Specifies a new description for the ACL. A description
can be up to 15 alphanumeric characters. Spaces are
allowed. If the description contains a space, it must be
enclosed in double quotes. Otherwise, the quotes are
optional.
action
Specifies the new action to be taken by the port when
an ingress packet matches a classifier attached to the
ACL. Options are:
permit
The port accepts the packet.
deny
The port discards the packet, provided that
the packet does not match the classifier of a
permit ACL assigned to the same port.
classifierlist
Specifies the new ID numbers of the classifiers to be
assigned to the ACL. Any classifier IDs already
assigned to the ACL are overwritten. When entering
multiple ID numbers, separate the numbers with a
comma (e.g., 4,6,7). The classifiers must already exist
on the switch. The order in which you specify the
classifiers is not important. An ACL must be assigned at
least one classifier.
portlist
Specifies the new ports to be assigned this ACL. Any
ports to which the ACL is assigned are overwritten. You
can assign an ACL to more than one port. When
entering multiple ports, the ports can be listed
individually (e.g., 2,5,7), as a range (e.g., 8-12) or both
(e.g., 1-4,6,8). Entering NONE removes all ports to
which the ACL is already assigned without assigning
any new ports. An ACL without assigned ports exists,
but remains nonfunctional until assigned to a port.
Description
This command modifies an ACL. You can use the command to change the
description, action, classifiers, and ports of an ACL.
Examples
This command changes the description of ACL ID 4:
set acl=4 description="ARP flow"
This command changes the action of ACL ID 6 to permit and reassigns it
to ports 4 to 7:
set acl=6 action=permit portlist=4-7
This command changes the classifiers of ACL ID 41:
set acl=41 classifierlist=22,24,36
SHOW ACL
Syntax
show acl[=id_number]
Parameters
acl
Specifies the ID number of the ACL you want to view.
You can specify more than one ACL at a time.
Description
This command displays the ACLs on the switch. An example of the
information displayed by this command is shown in Figure 25.
---------------------------------------------
ACL ID .............. 1
Description ......... IP
Action .............. Deny
Classifier List ..... 1
Port List ........... 2-3
Is Active ........... Yes
---------------------------------------------
ACL ID .............. 2
Description ......... Subnets 211, 214
Action .............. Permit
Classifier List ..... 2,3
Port List ........... 2
Is Active ........... Yes
---------------------------------------------
ACL ID .............. 3
Description ......... Subnet 211
Action .............. Permit
Classifier List ..... 3
Port List ...........
Is Active ........... No
---------------------------------------------
Figure 25. SHOW ACL Command
The command displays the following information:
- ACL ID - The ACL’s ID number.
- Description - The description of the ACL.
- Action - The action of the ACL. An action of Permit means that the port(s) where the ACL is assigned accepts those packets that meet the criteria of the classifiers. An action of Deny means that the port(s) discards the packets provided that the packets do not also meet the criteria of a classifier of a Permit ACL assigned to the same port.
- Classifier List - The classifiers assigned to the ACL.
- Port List - The ports where the ACL is assigned.
- Is Active - The status of the ACL. An ACL is active if it is assigned to at least one port, and inactive if it is not assigned to any ports.
Examples
This command displays all of the ACLs on the switch:
show acl
This command displays ACL ID 22:
show acl=22
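As an added example (not from the manual or Allied Telesyn), the following Python code models the classifier and ACL rules given in CREATE CLASSIFIER, CREATE ACL and SHOW CLASSIFIER: matching on PROTOCOL, IPSADDR/IPDADDR with a prefix-length mask and TCPDPORT, the rule that a permit ACL on the same port overrides a deny ACL, active versus inactive ACLs, and the reference counts shown in Figure 24. The forwarding of a packet that matches no ACL, classifier 9, and the ACL IDs and port numbers in demo() are assumptions.

```python
"""Model of how AT-S63 classifiers and ACLs decide the fate of an ingress
packet, per this page: a classifier matches when every parameter that has a
value matches; IPSADDR/IPDADDR take a host address or address/mask (prefix
length); a deny ACL discards a matching packet only if no permit ACL on the
same port also matches; an ACL is active only when assigned to a port.
Assumption (not on the page): a packet that matches no ACL is forwarded."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ETHERTYPE = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035}

def _ethertype(v: str) -> int:
    # PROTOCOL accepts a name, a decimal number or a 0x-prefixed number.
    return ETHERTYPE.get(v.lower()) or int(v, 0)

def _in_subnet(addr: Optional[str], spec: str) -> bool:
    # spec is "a.b.c.d" (one end node) or "a.b.c.d/mask" such as 149.11.11.0/24.
    if addr is None:
        return False
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    return ipaddress.ip_address(addr) in net

@dataclass
class Packet:
    port: int                       # ingress port
    protocol: int = 0x0800          # Ethertype
    ipsaddr: Optional[str] = None
    ipdaddr: Optional[str] = None
    tcpdport: Optional[int] = None

@dataclass
class Classifier:
    id: int
    protocol: Optional[str] = None  # ip | arp | rarp | number
    ipsaddr: Optional[str] = None
    ipdaddr: Optional[str] = None
    tcpdport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Only parameters that have a value are tested; none set => matches all.
        return all([
            self.protocol is None or pkt.protocol == _ethertype(self.protocol),
            self.ipsaddr is None or _in_subnet(pkt.ipsaddr, self.ipsaddr),
            self.ipdaddr is None or _in_subnet(pkt.ipdaddr, self.ipdaddr),
            self.tcpdport is None or pkt.tcpdport == self.tcpdport,
        ])

@dataclass
class ACL:
    id: int
    action: str                     # "permit" or "deny"
    classifierlist: List[int]
    portlist: List[int] = field(default_factory=list)

    @property
    def is_active(self) -> bool:
        return bool(self.portlist)

class Switch:
    def __init__(self) -> None:
        self.classifiers: Dict[int, Classifier] = {}
        self.acls: Dict[int, ACL] = {}

    def create_classifier(self, c: Classifier) -> None:
        if not 1 <= c.id <= 9999 or c.id in self.classifiers:
            raise ValueError("classifier ID must be unique and 1..9999")
        self.classifiers[c.id] = c

    def create_acl(self, a: ACL) -> None:
        if not a.classifierlist or any(c not in self.classifiers for c in a.classifierlist):
            raise ValueError("an ACL needs at least one classifier that already exists")
        if not 0 <= a.id <= 255 or a.id in self.acls:
            raise ValueError("ACL ID must be unique and 0..255")
        self.acls[a.id] = a

    def ingress(self, pkt: Packet) -> str:
        """Return 'permit', 'deny' or 'forward' (no ACL on the port matched)."""
        matched = [a for a in self.acls.values() if pkt.port in a.portlist
                   and any(self.classifiers[c].matches(pkt) for c in a.classifierlist)]
        if not matched:
            return "forward"
        # A matching permit ACL on the same port overrides a matching deny ACL.
        return "permit" if any(a.action == "permit" for a in matched) else "deny"

    def show_classifier(self, cid: int) -> Tuple[int, int]:
        """(Number of References, Number of Active Associations) as in Figure 24."""
        refs = [a for a in self.acls.values() if cid in a.classifierlist]
        return len(refs), sum(1 for a in refs if a.is_active)

def demo() -> Switch:
    """The page's classifiers 4 (all IP) and 7 (HTTPS to 149.44.44.44) plus a
    constructed subnet classifier 9; ACL IDs and port numbers are constructed."""
    sw = Switch()
    sw.create_classifier(Classifier(4, protocol="ip"))
    sw.create_classifier(Classifier(7, ipdaddr="149.44.44.44", tcpdport=443))
    sw.create_classifier(Classifier(9, ipsaddr="149.22.22.0/24"))
    sw.create_acl(ACL(1, "deny", [4], [2, 3]))       # deny all IP on ports 2-3
    sw.create_acl(ACL(2, "permit", [7], [2]))        # but permit HTTPS on port 2
    sw.create_acl(ACL(3, "permit", [9]))             # no ports: exists but inactive
    return sw
```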
Chapter 18
Class of Service (CoS) Commands
This chapter contains the following commands:
- “MAP QOS COSP” on page 278
- “PURGE QOS” on page 280
- “SET QOS COSP” on page 281
- “SET QOS SCHEDULING” on page 282
- “SET SWITCH PORT PRIORITY OVERRIDEPRIORITY” on page 284
- “SHOW QOS CONFIG” on page 286
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 15, “Class of Service”
in the AT-S63 Management Software Menus Interface User’s Guide.
MAP QOS COSP
Syntax
map qos cosp=priority-number qid=queue-number
Parameters
cosp
Specifies a Class of Service (CoS) priority level. The CoS
priority levels are 0 through 7, with 0 as the lowest priority
and 7 as the highest. You can specify more than one
priority to assign to the same egress queue.
qid
Specifies the egress queue number. The egress queues
are numbered 0 through 7, with queue 0 as the lowest
priority and 7 as the highest.
Description
This command maps CoS priorities to port egress queues. You must
specify both the priority and the queue ID. You can specify more than one
priority to assign to the same egress queue. Table 13 lists the default
mappings between the eight CoS priority levels and the eight egress
queues of a switch port.
Table 13. Default Mappings of IEEE 802.1p Priority Levels to Priority Queues

IEEE 802.1p Priority Level    Port Priority Queue
0                             Q1
1                             Q0 (lowest)
2                             Q2
3                             Q3
4                             Q4
5                             Q5
6                             Q6
7                             Q7 (highest)
Example
The following command maps priorities 4 and 5 to queue 3:
map qos cosp=4,5 qid=3
Equivalent Command
set qos cosp=priority-number qid=queue-number
For information, see “SET QOS COSP” on page 281.
PURGE QOS
Syntax
purge qos
Parameters
None
Description
This command destroys all policies, traffic classes, and flow groups;
resets the CoS priorities to port egress queues to the default values; and
sets the scheduling mode and egress weight queues to their default
values.
Example
The following command resets QoS to the default values:
purge qos
SET QOS COSP
Syntax
set qos cosp=priority-number qid=queue-number
Parameters
cosp
Specifies a Class of Service (CoS) priority level. The CoS
priority levels are 0 through 7, with 0 as the lowest priority
and 7 as the highest. You can specify more than one
priority to assign to the same egress queue.
qid
Specifies the egress queue number. The egress queues
are numbered 0 through 7, with queue 0 as the lowest
priority and 7 as the highest.
Description
This command maps CoS priorities to port egress queues. You must
specify both the priority and the queue ID. You can assign more than one
priority to an egress queue. Table 13 on page 278 lists the default
mappings between the eight CoS priority levels and the eight egress
queues of a switch port.
Example
The following command maps priorities 5 and 6 to egress queue 1:
set qos cosp=5,6 qid=1
Equivalent Command
map qos cosp=priority-number qid=queue-number
For information, see “MAP QOS COSP” on page 278.
SET QOS SCHEDULING
Syntax
set qos scheduling=strict|wrr weights=weights
Parameters
scheduling
Specifies the type of scheduling. The options are:
strict
Strict priority. The port transmits all packets out of the higher priority
queues before it transmits any from the low priority queues. This is the
default.
wrr
Weighted round robin. The port transmits a set number of packets from each
queue in a round robin manner.
weights
Specifies the weight given to each of a port’s eight egress priority queues.
You must specify the weights if scheduling will be weighted round robin. The
range for Q0 to Q6 is 1 to 15 packets. The range for Q7 is 0 to 15 packets. A
setting of 0 for Q7 means that its packets always take priority over the
packets in the other queues, and that packets are transmitted from the other
queues only when Q7 is empty.
The weights are specified in the following order: Q0, Q1, Q2, Q3, Q4, Q5, Q6,
Q7. For example, to assign Q0 and Q1 a weight of 1, Q2 and Q3 a weight of 5,
Q4 and Q5 a weight of 10, and Q6 and Q7 a weight of 15, you enter this
parameter as weights=1,1,5,5,10,10,15,15. The parameter must include all
eight queues.
The default setting for all queues is 1. At the default setting, all queues
have the same weight.
Description
Sets the QoS scheduling method and the weights for round robin
scheduling.
Examples
The following command sets the scheduling to strict:
set qos scheduling=strict
The following command sets the scheduling to weighted round robin and
gives egress priority queues Q0 to Q3 a weight of 1, and Q4 to Q7 a
weight of 15:
set qos scheduling=wrr weights=1,1,1,1,15,15,15,15
SET SWITCH PORT PRIORITY OVERRIDEPRIORITY
Syntax
set switch port=port [priority=value]
[overridepriority=yes|no|on|off|true|false]
Parameters
port
Specifies the port you want to configure. You
can specify more than one port at a time, but the
ports must be of the same medium type. For
example, you cannot configure twisted pair and
fiber optic ports with the same command. You
can specify the ports individually (for example,
5,7,22), as a range (for example, 18-23), or both
(for example, 1,5,14-22).
priority
Specifies a temporary priority level for all
ingress untagged packets received on the port.
If you include the OVERRIDEPRIORITY
parameter, the temporary priority level will also
apply to all ingress tagged packets. The range is
0 to 7; 0 is the lowest priority, and 7 is the
highest. The default is 0. Table 13 on page 278
lists the default mappings between the priority
levels and the egress queues.
overridepriority
Determines if a port should ignore the priority
level in tagged packets and instead use the
temporary priority level assigned to the port with
the PRIORITY parameter. The options are:
yes, on, true - Overrides the priority level in tagged packets and uses the
temporary priority level. This is the default. The options are equivalent.
no, off, false - Does not override the priority in tagged packets. The options
are equivalent.
Description
This command can change a port’s temporary priority level. It can also be
used to determine whether a port receiving tagged packets should use the
priority level in the frames or instead use a temporary priority level
assigned to the port.
This command allows you to override the priority level mappings at the
port level by assigning the packets a temporary priority. Note that this
assignment is made when a packet is received on the ingress port and
before the frame is forwarded to the egress port. Consequently, you need
to configure this feature on the ingress port.
For example, you can configure a switch port so that all ingress frames are
assigned a temporary priority level of 5, regardless of the actual priority
levels that might be in the frames themselves, as found in tagged frames.
A temporary priority level applies only while a frame traverses the
switching matrix. Tagged frames, which can contain a priority level, leave
the switch with the same priority level they had when they entered the
switch.
Examples
The following command changes the temporary priority level on ports 5, 8,
and 12 to 5:
set switch port=5,8,12 priority=5
The following command activates the priority override feature on port 6 so
that all ingress tagged packets use the port’s temporary priority level:
set switch port=6 overridepriority=yes
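The following Python block is an added illustration of the rules just described; it is not code from the guide or from the AT-S63 software. It models what the PRIORITY and OVERRIDEPRIORITY settings do to a frame on ingress (untagged frames always take the port's temporary priority, tagged frames only when override is on), maps the temporary priority to an egress queue using the default mapping reported by SHOW QOS CONFIG (Figure 26), and shows that the tag itself is not rewritten on egress. The Frame and PortPriority types are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Default CoS priority -> egress queue mapping as reported by SHOW QOS CONFIG
# (Figure 26): priority 0 goes to Q1 and priority 1 to Q0; the rest map 1:1.
DEFAULT_PRIORITY_TO_QUEUE = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


@dataclass(frozen=True)
class Frame:
    """Constructed ingress frame: pcp is the 802.1p priority carried in the
    VLAN tag, or None if the frame is untagged."""
    pcp: Optional[int]


@dataclass(frozen=True)
class PortPriority:
    """The two knobs of SET SWITCH PORT PRIORITY OVERRIDEPRIORITY for one port."""
    priority: int          # PRIORITY: temporary priority level, 0 to 7
    override: bool         # OVERRIDEPRIORITY: yes/on/true -> True

    def __post_init__(self):
        if not 0 <= self.priority <= 7:
            raise ValueError("priority must be 0 to 7")


def temporary_priority(frame, port):
    """Priority used while the frame crosses the switching matrix.

    Untagged frames always get the port's temporary priority. Tagged frames
    keep the priority from their tag unless OVERRIDEPRIORITY is set on the
    ingress port, in which case the port's temporary priority is used."""
    if frame.pcp is None or port.override:
        return port.priority
    return frame.pcp


def egress_queue(frame, port, mapping=DEFAULT_PRIORITY_TO_QUEUE):
    """Egress queue the frame is placed in, derived from the temporary priority."""
    return mapping[temporary_priority(frame, port)]


def egress_pcp(frame, port):
    """This feature does not rewrite the tag: a tagged frame leaves with the
    same priority value it arrived with, whatever temporary priority it was
    given inside the switch (an untagged frame leaves untagged)."""
    return frame.pcp
```

Note that because the feature is applied on ingress, the port passed to these functions is always the ingress port, which is why the guide says to configure it there.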
SHOW QOS CONFIG
Syntax
show qos config
Parameters
None.
Description
Displays the CoS priority queues and scheduling. Figure 26 is an example
of the information displayed by this command.
QoS Configuration information:
Number of CoS Queues .......... 8
CoS 0 Priority Queue .......... Q1
CoS 1 Priority Queue .......... Q0
CoS 2 Priority Queue .......... Q2
CoS 3 Priority Queue .......... Q3
CoS 4 Priority Queue .......... Q4
CoS 5 Priority Queue .......... Q5
CoS 6 Priority Queue .......... Q6
CoS 7 Priority Queue .......... Q7
Scheduling Mode ............... Strict Priority
Queue 0 Weight ................ 0
Queue 1 Weight ................ 0
Queue 2 Weight ................ 0
Queue 3 Weight ................ 0
Queue 4 Weight ................ 0
Queue 5 Weight ................ 0
Queue 6 Weight ................ 0
Queue 7 Weight ................ 0
Figure 26. SHOW QOS CONFIG Command
The current mapping of CoS priorities to port egress queues is displayed
in the top section. As an example, at the default setting packets with a
CoS priority of 3 are stored in egress queue 3 of a port.
The bottom section of the display shows the scheduling method of the
switch ports. In strict priority, a port transmits all packets out of the higher
priority queues before transmitting any from the low priority queues. This
is the default. In weighted round robin, a port transmits a set number of
packets from each queue. The weights only show a value when a port is
using weighted round robin and specify how many packets a port transmits
from a queue before moving to the next queue.
Example
The following command displays the CoS priority queues and scheduling:
show qos config
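The following Python block is an added example, not part of the guide and not code from Allied Telesyn. It parses the SHOW QOS CONFIG output of Figure 26 (retyped here as a constant) into the priority-to-queue map, the scheduling mode and the per-queue weights, and then simulates how strict priority and weighted round robin hand out transmit slots when a high-priority queue never empties. The WRR example uses the weights from the SET QOS SCHEDULING example (1,1,1,1,15,15,15,15); the mode string used for WRR and the queue depths are constructed for the example.

```python
import re

# Constructed sample: the SHOW QOS CONFIG output of Figure 26, retyped so the
# parser can run offline.
SAMPLE_OUTPUT = """\
QoS Configuration information:
Number of CoS Queues .......... 8
CoS 0 Priority Queue .......... Q1
CoS 1 Priority Queue .......... Q0
CoS 2 Priority Queue .......... Q2
CoS 3 Priority Queue .......... Q3
CoS 4 Priority Queue .......... Q4
CoS 5 Priority Queue .......... Q5
CoS 6 Priority Queue .......... Q6
CoS 7 Priority Queue .......... Q7
Scheduling Mode ............... Strict Priority
Queue 0 Weight ................ 0
Queue 1 Weight ................ 0
Queue 2 Weight ................ 0
Queue 3 Weight ................ 0
Queue 4 Weight ................ 0
Queue 5 Weight ................ 0
Queue 6 Weight ................ 0
Queue 7 Weight ................ 0
"""

# Every value line is "<label> ...... <value>"; split on the dot leader.
LINE_RE = re.compile(r"^\s*(.*?)\s*\.{2,}\s*(.*?)\s*$")


def parse_qos_config(text):
    """Turn SHOW QOS CONFIG output into a dict with the queue count, the
    priority->queue map, the scheduling mode and the per-queue WRR weights."""
    cfg = {"queues": None, "priority_to_queue": {}, "scheduling": None, "weights": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # title line, blank line, etc.
        label, value = m.groups()
        if label == "Number of CoS Queues":
            cfg["queues"] = int(value)
        elif label.startswith("CoS ") and label.endswith("Priority Queue"):
            cfg["priority_to_queue"][int(label.split()[1])] = int(value.lstrip("Q"))
        elif label == "Scheduling Mode":
            cfg["scheduling"] = value
        elif label.startswith("Queue ") and label.endswith("Weight"):
            cfg["weights"][int(label.split()[1])] = int(value)
    return cfg


def schedule(queue_depths, scheduling, weights, slots):
    """Simulate which queue each of `slots` transmit opportunities goes to.

    queue_depths maps queue number (Q7 is the highest) to packets waiting.
    Strict priority always serves the highest non-empty queue. Any other mode
    string is treated as weighted round robin, which sends up to weights[q]
    packets from each queue before moving to the next one. Returns the list of
    queue numbers served, in order."""
    depths = dict(queue_depths)
    served = []
    if scheduling == "Strict Priority":
        while len(served) < slots and any(depths.values()):
            q = max(k for k, v in depths.items() if v > 0)
            depths[q] -= 1
            served.append(q)
        return served
    while len(served) < slots and any(depths.values()):
        progressed = False
        for q in sorted(depths, reverse=True):
            for _ in range(weights.get(q, 0)):
                if depths[q] == 0 or len(served) >= slots:
                    break
                depths[q] -= 1
                served.append(q)
                progressed = True
        if not progressed:
            break          # packets remain only in queues whose weight is 0
    return served
```

With queue 7 holding 20 packets and queue 0 holding 5, strict priority gives all 20 slots to queue 7 and queue 0 is starved; with the weights 1,1,1,1,15,15,15,15, queue 0 is guaranteed one packet per round. That bounded starvation is the reason to prefer WRR where a high-priority class could be saturated.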
Chapter 19
Quality of Service (QoS) Commands
This chapter contains the following commands:
• “ADD QOS FLOWGROUP” on page 290
• “ADD QOS POLICY” on page 291
• “ADD QOS TRAFFICCLASS” on page 292
• “CREATE QOS FLOWGROUP” on page 293
• “CREATE QOS POLICY” on page 296
• “CREATE QOS TRAFFICCLASS” on page 303
• “DELETE QOS FLOWGROUP” on page 308
• “DELETE QOS POLICY” on page 309
• “DELETE QOS TRAFFICCLASS” on page 310
• “DESTROY QOS FLOWGROUP” on page 311
• “DESTROY QOS POLICY” on page 312
• “DESTROY QOS TRAFFICCLASS” on page 313
• “PURGE QOS” on page 314
• “SET QOS FLOWGROUP” on page 315
• “SET QOS POLICY” on page 318
• “SET QOS PORT” on page 321
• “SET QOS TRAFFICCLASS” on page 322
• “SHOW QOS FLOWGROUP” on page 327
• “SHOW QOS POLICY” on page 329
• “SHOW QOS TRAFFICCLASS” on page 331
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to the Chapter 16,
“Quality of Service,” in the AT-S63 Management Software Menus
Interface User’s Guide.
ADD QOS FLOWGROUP
Syntax
add qos flowgroup=value classifierlist=values
Parameter
flowgroup
Specifies the ID number of the flow group you want to
modify. You can modify only one flow group at a time.
classifierlist
Specifies the new classifiers for the flow group. The new
classifiers are added to any classifiers already assigned to
the flow group. Separate multiple classifiers with commas
(e.g., 4,11,12).
Description
This command adds classifiers to an existing flow group. The classifiers
must already exist. Any classifiers already assigned to the flow group are
retained by the group. If you want to add classifiers while removing
those already assigned, refer to “SET QOS FLOWGROUP” on page 315.
Example
This command adds the classifiers 4 and 7 to flow group 12:
add qos flowgroup=12 classifierlist=4,7
ADD QOS POLICY
Syntax
add qos policy=value trafficclasslist=values
Parameter
policy
Specifies the ID number of the policy you want to
modify. You can modify only one policy at a time.
trafficclasslist
Specifies the new traffic classes of the policy. Traffic
classes already assigned to the policy are retained.
Separate multiple traffic classes with commas (e.g.,
4,11,12).
Description
This command adds traffic classes to an existing policy. The traffic classes
must already exist. Any traffic classes already assigned to the policy are
retained by the policy. To add traffic classes while removing those already
assigned, refer to “SET QOS POLICY” on page 318.
Example
This command adds the traffic class 16 to policy 11:
add qos policy=11 trafficclasslist=16
ADD QOS TRAFFICCLASS
Syntax
add qos trafficclass=value flowgrouplist=values
Parameter
trafficclass
Specifies the ID number of the traffic class you want to
modify. You can modify only one traffic class at a time.
flowgrouplist
Specifies the new flow groups of the traffic class. The
new flow groups are added to any flow groups already
assigned to the traffic class. Separate multiple flow
groups with commas (e.g., 4,11,12).
Description
This command adds flow groups to an existing traffic class. The flow
groups must already exist. Any flow groups already assigned to the traffic
class are retained by the class. If you want to add flow groups while
removing those already assigned, refer to “SET QOS TRAFFICCLASS”
on page 322.
Examples
This command adds flow group 21 to traffic class 17:
add qos trafficclass=17 flowgrouplist=21
CREATE QOS FLOWGROUP
Syntax
create qos flowgroup=value [description="string"]
[markvalue=value|none] [priority=value|none]
[remarkpriority=yes|no|on|off|true|false]
[tos=value|none]
[movetostopriority=yes|no|on|off|true|false]
[moveprioritytotos=yes|no|on|off|true|false]
[classifierlist=values|none]
Parameters
flowgroup
Specifies an ID number for the flow group. Each flow
group on the switch must have a unique number. The
range is 0 to 1023. The default is 0. This parameter is
required.
description
Specifies a description for the flow group. The
description can be from 1 to 15 alphanumeric
characters. Spaces are allowed. This parameter is
optional, but recommended. Names can help you
identify the groups on the switch. The description must
be enclosed in double quotes if it contains spaces.
Otherwise, the quotes are optional.
markvalue
Specifies a replacement value to write into the DSCP
(TOS) field of the packets. The range is 0 to 63. If the
NONE option is used, the frame’s current DSCP value
is not overwritten. The default is NONE.
A new DSCP value can be set at all three levels: flow
group, traffic class, and policy. A DSCP value specified
in a flow group overrides a DSCP value specified at the
traffic class or policy level.
priority
Specifies a new user priority value for the packets. The
range is 0 to 7. If you want packets to retain the new
value when they exit the switch, use the
REMARKPRIORITY parameter. If the NONE option is
used, the frame’s current priority value is not
overridden. The default is NONE.
A new priority can be set at both the flow group and
traffic class levels. If it is set in both places, the value in
the flow group overrides the value in the traffic class.
remarkpriority
Replaces the user priority value in the packets with the
new value specified with the PRIORITY parameter.
This parameter is ignored if the PRIORITY parameter is
omitted or set to NONE. Options are:
yes, on, true Replaces the user priority value in the
packets with the new value specified
with the PRIORITY parameter.
no, off, false Does not replace the user priority value
in the packets with the new value
specified with the PRIORITY parameter.
This is the default.
tos
Specifies a replacement value to write into the Type of
Service (ToS) field of IPv4 packets. The range is 0 to 7.
A new ToS value can be set at all three levels: flow
group, traffic class, and policy. A ToS value specified in
a flow group overrides a ToS value specified at the
traffic class or policy level.
movetostopriority Replaces the value in the 802.1p priority field with the
value in the ToS priority field on IPv4 packets. Options
are:
yes, on, true Replaces the value in the 802.1p priority
field with the value in the ToS priority
field on IPv4 packets.
no, off, false Does not replace the preexisting 802.1p
priority level. This is the default.
moveprioritytotos Replaces the value in the ToS priority field with the
802.1p priority field on IPv4 packets. Options are:
yes, on, true Replaces the value in the ToS priority
field with the 802.1p priority field on IPv4
packets.
no, off, false Does not replace the ToS priority field.
This is the default.
classifierlist
Specifies the classifiers to be assigned to the flow
group. Separate multiple classifiers with commas (e.g.,
4,7,8). The classifiers must already exist.
Description
This command creates a new flow group.
Note
For examples of command sequences used to create entire QoS
policies, refer to “CREATE QOS POLICY” on page 296.
Examples
This command creates a flow group with an ID of 10 and a description of
“VoIP flow”. The flow group is assigned a priority level of 7 and defined by
classifiers 15 and 17. In this example, the packets of the flow group leave
the switch with the same priority level as when they entered. The new
priority level is relevant only as the packets traverse the switch. To alter
the packets so that they leave containing the new level, you would include
the REMARKPRIORITY parameter:
create qos flowgroup=10 description="VoIP flow"
priority=7 classifierlist=15,17
This command creates a similar flow group as in the previous example.
The REMARKPRIORITY parameter is added so that the tagged packets of
the flow group leave the switch with the new priority level of 7:
create qos flowgroup=10 description="VoIP flow"
priority=7 remarkpriority=yes classifierlist=15,17
This command creates a flow group whose DSCP value is changed to 59.
The MARKVALUE parameter overwrites the current DSCP value in the
packets, meaning the packets leave the switch with the new value. The
classifiers of the flow group are 3, 14, and 24:
create qos flowgroup=10 description="DSCP 59 flow"
markvalue=59 classifierlist=3,14,24
CREATE QOS POLICY
Syntax
create qos policy=value [description="string"]
[indscpoverwrite=value|none] [remarkindscp=all|none]
[tos=value|none]
[movetostopriority=yes|no|on|off|true|false]
[moveprioritytotos=yes|no|on|off|true|false]
[sendtomirror=yes|no|on|off|true|false]
[trafficclasslist=values|none]
[redirectport=value|none]
[ingressport=port|all|none] [egressport=port|none]
Parameters
policy
Specifies an ID number for the policy. Each policy on
the switch must be assigned a unique number. The
range is 0 to 255. The default is 0. This parameter is
required.
description
Specifies a description for the policy. The description
can be from 1 to 15 alphanumeric characters. Spaces
are allowed. If the description contains spaces, it must
be enclosed in double quotes. Otherwise, the quotes
are optional. This parameter is optional, but
recommended. Names can help you identify the
policies on the switch.
indscpoverwrite
Specifies a replacement value to write into the DSCP
(TOS) field of the packets. The range is 0 to 63. If None
is specified, the DSCP value in the packets is not
changed. The default is None.
A new DSCP value can be set at all three levels: flow
group, traffic class, and policy. A DSCP value specified
in a flow group overrides a DSCP value specified at the
traffic class or policy level. A DSCP value specified at
the policy level is used only if no value has been
specified at the flow group and traffic class levels.
remarkindscp
Specifies whether the DSCP value in ingress packets is
overwritten. If All is specified, all packets are remarked.
If None is specified, the function is disabled. The default
is None.
tos
Specifies a replacement value to write into the Type of
Service (ToS) field of IPv4 packets. The range is 0 to 7.
A new ToS value can be set at all three levels: flow
group, traffic class, and policy. A ToS value specified in
a flow group overrides a ToS value specified at the
traffic class or policy level.
movetostopriority Replaces the value in the 802.1p priority field with the
value in the ToS priority field on IPv4 packets. Options
are:
yes, on, true Replaces the value in the 802.1p priority
field with the value in the ToS priority
field on IPv4 packets.
no, off, false Does not replace the preexisting 802.1p
priority level. This is the default.
moveprioritytotos Replaces the value in the ToS priority field with the
802.1p priority field on IPv4 packets. Options are:
yes, on, true Replaces the value in the ToS priority
field with the 802.1p priority field on IPv4
packets.
no, off, false Does not replace the ToS priority field.
This is the default.
sendtomirror
Copies the traffic that meets the criteria of the classifiers
to a destination mirror port. Options are:
yes, on, true Copies the traffic that meets the criteria
of the classifiers to a destination mirror
port. You must specify the destination
port by creating a port mirror, as
explained in Chapter 12, “Port Mirroring
Commands” on page 181.
no, off, false Does not copy the traffic to a destination
mirror port. This is the default.
trafficclasslist
Specifies the traffic classes to be assigned to the policy.
The specified traffic classes must already exist.
Separate multiple IDs with commas (e.g., 4,11,13).
redirectport
Specifies the port to which the classified traffic from the
ingress ports is redirected. The options are:
value
Specifies a port number.
none
No redirect port specified.
ingressport
Specifies the ingress ports to which the policy is to be
assigned. Ports can be identified individually (e.g.,
5,7,22), as a range (e.g., 18-23), or both (e.g., 1,5,14-22).
A port can be an ingress port of only one policy at a
time. If a port is already an ingress port of a policy, you
must remove the port from its current policy assignment
before adding it to another policy.
egressport
Specifies the egress port to which the policy is to be
assigned. You can enter only one egress port. The
egress port must be within the same port block as the
ingress ports. On switches with 24 ports (plus uplinks),
ports 1-26 form a port block. On switches with 48 ports
(plus uplinks), ports 1-24 and 49 form one port block
and ports 25-48 and 50 form a second port block.
A port can be an egress port of only one policy at a
time. If a port is already an egress port of a policy, you
must remove the port from its current policy assignment
before adding it to another policy.
Description
This command creates a new QoS policy.
Examples
This command creates a policy with an ID of 75 and the description “DB
flow.” The policy is appointed the traffic classes 12 and 25 and is assigned
to ingress port 5:
create qos policy=75 description="DB flow"
trafficclasslist=12,25 ingressport=5
This command creates a policy with an ID of 23 and the description
“Video.” The ID of the traffic class for the policy is 19. The DSCP value is
replaced with the value 50 for all ingress packets of the traffic class. The
policy is assigned to port 14:
create qos policy=23 description=video
indscpoverwrite=50 remarkindscp=all
trafficclasslist=19 ingressport=14
QoS Command Sequence Examples
Creating a QoS policy involves a command sequence that creates one or
more classifiers, a flow group, a traffic class, and finally the policy. The
following sections contain examples of the command sequences for
different types of policies.
Example 1: Voice Application
Voice applications typically require a small bandwidth but it must be
consistent. They are sensitive to latency (interpacket delay) and jitter
(delivery delay). Voice applications can be set up to have the highest
priority.
This example creates two policies that ensure low latency for all traffic sent
by and destined to a voice application located on a node with the IP
address 149.44.44.44. The policies raise the priority level of the packets to
7, the highest level. Policy 6 is for traffic from the application that enters
the switch on port 1. Policy 11 is for traffic arriving on port 8 going to the
application.
Policy 6 Commands:
create classifier=22 description="VoIP flow"
ipsadddr=149.44.44.44
create qos flowgroup=14 description="VoIP flow"
priority=7 classifierlist=22
create qos trafficclass=18 description="VoIP flow"
flowgrouplist=14
create qos policy=6 description="VoIP flow"
trafficclasslist=18 ingressport=1
Policy 11 Commands:
create classifier=23 description="VoIP flow"
ipdadddr=149.44.44.44
create qos flowgroup=17 description="VoIP flow"
priority=7 classifierlist=23
create qos trafficclass=15 description="VoIP flow"
flowgrouplist=17
create qos policy=11 description="VoIP flow"
trafficclasslist=15 ingressport=8
The parts of the policies are:
• Classifiers - Define the traffic flow by specifying the IP address of the
node with the voice application. The classifier for Policy 6 specifies the
address as a source address since this classifier is part of a policy
concerning packets coming from the application. The classifier for
Policy 11 specifies the address as a destination address since this
classifier is part of a policy concerning packets going to the application.
• Flow Groups - Specify the new priority level of 7 for the packets. It
should be noted that in this example the packets leave the switch with
the same priority level they had when they entered. The new priority
level is relevant only as the packets traverse the switch. To alter the
packets so that they leave containing the new level, you would use the
REMARKPRIORITY option in the CREATE QOS FLOWGROUP
command.
• Traffic Classes - No action is taken by the traffic classes, other than to
specify the flow groups. A traffic class has a priority setting that can be
used to override the priority level of packets, just as in a flow group. If
you enter a priority value both in the flow group and the traffic class,
the value in the flow group overrides the value in the traffic class.
• Policies - Specify the traffic class and the port to which the policy is to
be assigned. Policy 6 is applied to port 1 since this is where the
application is located. Policy 11 is applied to port 8 since this is where
traffic going to the application will be received on the switch.
Example 2: Video Application
Video applications typically require a larger bandwidth than voice
applications. Video applications can be set up to have a high priority and
buffering, depending on the application.
This example creates policies with low latency and jitter for video streams
(for example, net conference calls). The policies assign the packets a
priority level of 4. The policies also limit the bandwidth for the video
streams to 5 Mbps to illustrate how you can combine a change to the
priority level with bandwidth restriction to further define traffic control. The
node containing the application has the IP address 149.44.44.44. Policy
17 is assigned to port 1, where the application is located, and Policy 32 is
assigned to port 8 where packets destined to the application enter the
switch.
Policy 17 Commands:
create classifier=16 description="video flow"
ipsadddr=149.44.44.44
create qos flowgroup=41 description="video flow"
priority=4 classifierlist=16
create qos trafficclass=19 description="video flow"
maxbandwidth=5 flowgrouplist=41
create qos policy=17 description="video flow"
trafficclasslist=19 ingressport=1
Policy 32 Commands:
create classifier=42 description="video flow"
ipdadddr=149.44.44.44
create qos flowgroup=36 description="video flow"
priority=4 classifierlist=42
create qos trafficclass=21 description="video flow"
maxbandwidth=5 flowgrouplist=36
create qos policy=32 description="video flow"
trafficclasslist=21 ingressport=8
The parts of the policies are:
• Classifiers - Specify the IP address of the node with a video
application. The classifier for Policy 17 specifies the address as a
source address since this classifier is part of a policy concerning
packets sent by the application. The classifier for Policy 32 specifies
the address as a destination address since this classifier is part of a
policy concerning packets going to the application.
• Flow Groups - Specify the new priority level of 4 for the packets. As
with the previous example, the packets leave the switch with the same
priority level they had when they entered. The new priority level is
relevant only while the packets traverse the switch. To alter the packets
so that they leave containing the new level, you would set the
REMARKPRIORITY parameter to yes in the CREATE QOS
FLOWGROUP command.
• Traffic Classes - Specify a maximum bandwidth of 5 Mbps for the
packet stream. Bandwidth assignment can only be made at the traffic
class level.
• Policies - Specify the traffic class and the port where the policy is to be
assigned.
Example 3: Critical Database
Critical databases typically require a high bandwidth. They also typically
require less priority than either voice or video.
The policies in this example assign 50 Mbps of bandwidth, with no change
to priority, to traffic going to and from a database. The database is located
on a node with the IP address 149.44.44.44 on port 1 of the switch.
Policy 15 Commands:
create classifier=42 description=database
ipsadddr=149.44.44.44
create qos flowgroup=36 description=database
classifierlist=42
create qos trafficclass=21 description=database
maxbandwidth=50 flowgrouplist=36
create qos policy=15 description=database
trafficclasslist=21 ingressport=1
Policy 17 Commands:
create classifier=10 description=database
ipdadddr=149.44.44.44
create qos flowgroup=12 description=database
classifierlist=10
create qos trafficclass=17 description=database
maxbandwidth=50 flowgrouplist=12
create qos policy=17 description=database
trafficclasslist=17 ingressport=8
CREATE QOS TRAFFICCLASS
Syntax
create qos trafficclass=value [description="string"]
[exceedaction=drop|remark]
[exceedremarkvalue=value|none] [markvalue=value|none]
[maxbandwidth=value|none] [burstsize=value|none]
[priority=value|none]
[remarkpriority=yes|no|on|off|true|false]
[tos=value|none]
[movetostopriority=yes|no|on|off|true|false]
[moveprioritytotos=yes|no|on|off|true|false]
[flowgrouplist=values|none]
Parameters
trafficclass
Specifies an ID number for the traffic class. Each
traffic class on the switch must be assigned a unique
number. The range is 0 to 511. The default is 0. This
parameter is required.
description
Specifies a description for the traffic class. The
description can be from 1 to 15 alphanumeric
characters. Spaces are allowed. This parameter is
optional, but recommended. Names can help you
identify the traffic classes on the switch.
exceedaction
Specifies the action to be taken if the traffic of the
traffic class exceeds the maximum bandwidth,
specified with the MAXBANDWIDTH parameter.
There are two possible exceed actions, drop and
remark. If drop is selected, traffic exceeding the
bandwidth is discarded. If remark is selected, the
packets are forwarded after replacing the DSCP
value with the new value specified with the
EXCEEDREMARKVALUE parameter. The default is drop.
exceedremarkvalue
Specifies the DSCP replacement value for traffic
that exceeds the maximum bandwidth. This value
takes precedence over the DSCP value set with the
MARKVALUE parameter. The range is 0 to 63. The
default is 0.
markvalue
Specifies a replacement value to write into the
DSCP (TOS) field of the packets. The range is 0 to
63.
A new DSCP value can be set at all three levels:
flow group, traffic class, and policy. A DSCP value
specified in a flow group overrides a DSCP value
specified at the traffic class or policy level. A DSCP
value specified at the traffic class level is used only
if no value has been specified at the flow group
level. It will override any value set at the policy level.
maxbandwidth
Specifies the maximum bandwidth available to the
traffic class. This parameter determines the
maximum rate at which the ingress port accepts
data belonging to this traffic class before either
dropping or remarking occurs, depending on the
EXCEEDACTION parameter. If the sum of the
maximum bandwidth for all traffic classes on a
policy exceeds the (ingress) bandwidth of the port
to which the policy is assigned, the bandwidth for
the port takes precedence and the port discards
packets before they can be classified. The range is
0 to 1016 Mbps.
The value for this parameter is rounded up to the
nearest Mbps value when this traffic class is
assigned to a policy on a 10/100 port, and up to the
nearest 8 Mbps value when assigned to a policy on
a gigabit port (for example, on a gigabit port, 1 Mbps
is rounded to 8 Mbps, and 9 is rounded to 16).
burstsize
Specifies the size of a token bucket for the traffic
class. The token bucket is used in situations where
you have set a maximum bandwidth for a class, but
where traffic activity may periodically exceed the
maximum. A token bucket can provide a buffer for
those periods where the maximum bandwidth is
exceeded.
Tokens are added to the bucket at the same rate as
the traffic class’ maximum bandwidth, set with the
MAXBANDWIDTH parameter. For example, a
maximum bandwidth of 50 Mbps adds tokens to the
bucket at that rate.
If the amount of the traffic flow matches the
maximum bandwidth, no traffic is dropped because
the number of tokens added to the bucket matches
the number being used by the traffic. However, no
unused tokens will accumulate in the bucket. If the
traffic increases, the excess traffic will be discarded
since no tokens are available for handling the
increase.
If the traffic is below the maximum bandwidth,
unused tokens will accumulate in the bucket since
the actual bandwidth falls below the specified
maximum. The unused tokens will be available for
handling excess traffic should the traffic exceed the
maximum bandwidth. Should an increase in traffic
continue to the point where all the unused tokens
are used up, packets will be discarded.
Unused tokens accumulate in the bucket until the
bucket reaches maximum capacity, set by this
parameter. Once the maximum capacity of the
bucket is reached, no extra tokens are added. The
range is 4 to 512 Kbps.
This parameter must be used with the
MAXBANDWIDTH parameter. Specifying a token
bucket size without also specifying a maximum
bandwidth serves no function.
priority
Specifies the priority value in the IEEE 802.1p tag
control field that traffic belonging to this traffic class
is assigned. Priority values range from 0 to 7 with 0
being the lowest priority and 7 being the highest
priority. Incoming frames are mapped into one of
eight Class of Service (CoS) queues based on the
priority value.
If you want the packets to retain the new value
when they exit the switch, use the
REMARKPRIORITY parameter.
A new priority can be set at both the flow group and
traffic class levels. If it is set in both places, the
value in the flow group overrides the value in the
traffic class.
remarkpriority
Replaces the user priority value in the packets with
the new value specified with the PRIORITY
parameter. This parameter is ignored if the
PRIORITY parameter is omitted or set to NONE.
Options are:
yes, on, true Replaces the user priority value in
the packets with the new value
specified with the PRIORITY
parameter.
no, off, false Does not replace the user priority
value in the packets with the new
value specified with the PRIORITY
parameter. This is the default.
tos
Specifies a replacement value to write into the Type
of Service (ToS) field of IPv4 packets. The range is
0 to 7.
A new ToS value can be set at all three levels: flow
group, traffic class, and policy. A ToS value
specified in a flow group overrides a ToS value
specified at the traffic class or policy level.
movetostopriority
Replaces the value in the 802.1p priority field with
the value in the ToS priority field on IPv4 packets.
Options are:
yes, on, true Replaces the value in the 802.1p
priority field with the value in the ToS
priority field on IPv4 packets.
no, off, false Does not replace the preexisting
802.1p priority level. This is the
default.
moveprioritytotos
Replaces the value in the ToS priority field with the
802.1p priority field on IPv4 packets. Options are:
yes, on, true Replaces the value in the ToS
priority field with the 802.1p priority
field on IPv4 packets.
no, off, false Does not replace the ToS priority
field. This is the default.
flowgrouplist
Specifies the flow groups to be assigned to the
traffic class. The specified flow groups must already
exist. Separate multiple IDs with commas (e.g.,
4,11,13).
Description
This command creates a new traffic class.
Note
For examples of command sequences used to create entire QoS
policies, refer to “CREATE QOS POLICY” on page 296.
Examples
The following command creates a traffic class with an ID number of 25 and
the description “Database flow”. The only parameter in the traffic class is
the identification of the flow group, which is 11:
create qos trafficclass=25 description="Database flow"
flowgrouplist=11
This command creates a traffic class with the ID number of 41 and
description “Video flow”. The traffic class is assigned the flow group 3 and
is given a maximum bandwidth of 5 Mbps:
create qos trafficclass=41 description="Video flow"
maxbandwidth=5 flowgrouplist=3
This command creates a traffic class with the ID number of 51 and
description “DB Eng”. It assigns flow group 5 a maximum bandwidth of 50
Mbps. The DSCP value in all flow traffic that exceeds the maximum
bandwidth is changed to 35:
create qos trafficclass=51 description="DB Eng" exceedaction=remark exceedremarkvalue=35 maxbandwidth=50 flowgrouplist=5
DELETE QOS FLOWGROUP
Syntax
delete qos flowgroup=value classifierlist=values
Parameter
flowgroup
Specifies the ID number of the flow group you want to
modify. You can modify only one flow group at a time.
classifierlist
Specifies the classifiers you want to remove from the flow
group. Separate multiple classifiers with commas (e.g.,
4,11,12). (The online help for this command includes a
NONE option for this parameter. Specifying the NONE
option does not remove any classifiers. Since the purpose
of this command is to remove classifiers from a flow group,
it is unlikely you would ever use that option.)
Description
This command removes classifiers from a flow group.
Example
This command removes classifier 6 from flow group 22:
delete qos flowgroup=22 classifierlist=6
DELETE QOS POLICY
Syntax
delete qos policy=value trafficclasslist=values
Parameter
policy
Specifies the ID number of the policy you want to
modify. You can modify only one policy at a time.
trafficclasslist
Specifies the IDs of the traffic classes you want to
remove from the policy. Separate multiple traffic classes
with commas (e.g., 4,11,12). (The online help for this
command includes a NONE option for this parameter.
Specifying the NONE option does not remove any traffic
classes. Since the purpose of this command is to
remove traffic classes from a policy, it is unlikely you
would ever use that option.)
Description
This command removes traffic classes from policies.
Example
This command removes traffic class 17 from policy 1:
delete qos policy=1 trafficclasslist=17
DELETE QOS TRAFFICCLASS
Syntax
delete qos trafficclass=value flowgrouplist=values
Parameter
trafficclass
Specifies the ID number of the traffic class you want to
modify. You can modify only one traffic class at a time.
flowgrouplist
Specifies the IDs of the flow groups you want to remove
from the traffic class. Separate multiple flow groups with
commas (e.g., 4,11,12). (The online help for this
command includes a NONE option for this parameter.
Specifying the NONE option does not remove any flow
groups. Since the purpose of this command is to
remove flow groups from a traffic class, it is unlikely you
would ever use that option.)
Description
This command removes flow groups from traffic classes.
Example
This command removes flow group 5 from traffic class 22:
delete qos trafficclass=22 flowgrouplist=5
DESTROY QOS FLOWGROUP
Syntax
destroy qos flowgroup=value
Parameter
flowgroup
Specifies the ID number of the flow group you want to
delete. You can delete more than one flow group at a time.
You can specify the flow groups individually, as a range, or
both.
Description
This command deletes flow groups.
Examples
This command deletes the flow group 22:
destroy qos flowgroup=22
This command deletes the flow groups 16 to 20 and 23:
destroy qos flowgroup=16-20,23
DESTROY QOS POLICY
Syntax
destroy qos policy=value
Parameter
policy
Specifies the ID number of the policy you want to delete.
You can delete more than one policy at a time. You can
specify the policies individually, as a range, or both.
Description
This command deletes QoS policies.
Examples
This command deletes policy 41:
destroy qos policy=41
This command deletes policies 5 and 23:
destroy qos policy=5,23
DESTROY QOS TRAFFICCLASS
Syntax
destroy qos trafficclass=value
Parameter
trafficclass
Specifies the ID number of the traffic class you want to
delete. You can delete more than one traffic class at a time.
You can specify the traffic classes individually, as a range, or
both.
Description
This command deletes traffic classes.
Examples
This command deletes traffic class 22:
destroy qos trafficclass=22
This command deletes traffic classes 16 to 20 and 23:
destroy qos trafficclass=16-20,23
PURGE QOS
Syntax
purge qos
Parameters
None
Description
This command destroys all policies, traffic classes, and flow groups;
resets the CoS priorities to port egress queues to the default values; and
sets the scheduling mode and egress weight queues to their default
values.
Example
The following command resets QoS to the default values:
purge qos
SET QOS FLOWGROUP
Syntax
set qos flowgroup=value [description=string]
[markvalue=value|none] [priority=value|NONE]
[remarkpriority=yes|no|on|off|true|false]
[tos=value|none]
[movetostopriority=yes|no|on|off|true|false]
[moveprioritytotos=yes|no|on|off|true|false]
[classifierlist=values|none]
Parameters
flowgroup
Specifies the ID number of the flow group you want to
modify. The range is 0 to 1023.
description
Specifies a new description for the flow group. The
description can be from 1 to 15 alphanumeric
characters. Spaces are allowed. This parameter is
optional, but recommended. Names can help you
identify the groups on the switch. The description must
be enclosed in double quotes if it contains spaces.
Otherwise, the quotes are optional.
markvalue
Specifies a replacement value to write into the DSCP
(TOS) field of the packets. The range is 0 to 63. If the
NONE option is used, the frame’s current DSCP value
is not overwritten. The default is NONE.
A new DSCP value can be set at all three levels: flow
group, traffic class, and policy. A DSCP value specified
in a flow group overrides a DSCP value specified at the
traffic class or policy level.
priority
Specifies a new user priority value for the packets. The
range is 0 to 7. You can specify only one value. If you
want packets to retain the new value when they exit the
switch, use the REMARKPRIORITY parameter. If the
NONE option is used, the frame’s current priority value
is not overridden. The default is NONE.
If you specify a new priority in a flow group and a traffic
class, the value in the flow group overrides the value in
the traffic class.
remarkpriority
Replaces the user priority value in the packets with the new value specified with the PRIORITY parameter. This parameter is ignored if the PRIORITY parameter is omitted or set to NONE. Options are:
yes, on, true
Replaces the user priority value in the packets with the new value specified with the PRIORITY parameter.
no, off, false
Does not replace the user priority value in the packets with the new value specified with the PRIORITY parameter. This is the default.
tos
Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7.
A new ToS value can be set at all three levels: flow group, traffic class, and policy. A ToS value specified in a flow group overrides a ToS value specified at the traffic class or policy level.
movetostopriority
Replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. Options are:
yes, on, true
Replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets.
no, off, false
Does not replace the preexisting 802.1p priority level. This is the default.
moveprioritytotos
Replaces the value in the ToS priority field with the 802.1p priority field on IPv4 packets. Options are:
yes, on, true
Replaces the value in the ToS priority field with the 802.1p priority field on IPv4 packets.
no, off, false
Does not replace the ToS priority field. This is the default.
classifierlist
Specifies the classifiers to be assigned to the flow group. The specified classifiers replace any classifiers already assigned to the flow group. Separate multiple classifiers with commas (e.g., 4,7,8). The classifiers must already exist. The NONE option removes all classifiers currently assigned to the flow group without assigning any new ones. To add classifiers without replacing those already assigned, see “ADD QOS FLOWGROUP” on page 290.
Description
This command modifies the specifications of an existing flow group. The
only parameter you cannot change is a flow group’s ID number. To initially
create a flow group, refer to “CREATE QOS FLOWGROUP” on page 293.
Note
For examples of command sequences used to create entire QoS
policies, refer to “CREATE QOS POLICY” on page 296.
When modifying a flow group, note the following:
• You cannot change a flow group’s ID number.
• Specifying an invalid value for a parameter that already has a value causes the parameter to revert to its default value.
Examples
This command changes the user priority value to 6 in flow group 15:
set qos flowgroup=15 priority=6
This command assigns classifiers 23 and 41 to flow group 25. Any
classifiers already assigned to the flow group are replaced:
set qos flowgroup=25 classifierlist=23,41
This command returns the MARKVALUE setting in flow group 41 back to
the default setting of NONE. At this setting, the flow group will not
overwrite the ToS setting in the packets:
set qos flowgroup=41 markvalue=none
SET QOS POLICY
Syntax
set qos policy=value [description=string]
[indscpoverwrite=value|none] [remarkindscp=[all|none]]
[tos=value|none]
[movetostopriority=yes|no|on|off|true|false]
[moveprioritytotos=yes|no|on|off|true|false]
[sendtomirror=yes|no|on|off|true|false]
[trafficclasslist=values|none]
[redirectport=value|none] [ingressport=port|all|none]
[egressport=port|none]
Parameters
policy
Specifies an ID number for the policy. Each policy on
the switch must be assigned a unique number. The
range is 0 to 255. The default is 0. This parameter is
required.
description
Specifies a description for the policy. The description
can be from 1 to 15 alphanumeric characters. Spaces
are allowed. If the description contains spaces, it must
be enclosed in double quotes. Otherwise, the quotes
are optional. This parameter is optional, but
recommended. Names can help you identify the
policies on the switch.
indscpoverwrite
Specifies a replacement value to write into the DSCP
(TOS) field of the packets. The range is 0 to 63.
A new DSCP value can be set at all three levels: flow
group, traffic class, and policy. A DSCP value specified
in a flow group overrides a DSCP value specified at the
traffic class or policy level. A DSCP value specified at
the policy level is used only if no value has been
specified at the flow group and traffic class levels.
remarkindscp
Specifies the conditions under which the ingress DSCP
value is overwritten. If All is specified, all packets are
remarked. If None is specified, the function is disabled.
The default is None.
tos
Specifies a replacement value to write into the Type of
Service (ToS) field of IPv4 packets. The range is 0 to 7.
A new ToS value can be set at all three levels: flow group, traffic class, and policy. A ToS value specified in a flow group overrides a ToS value specified at the traffic class or policy level.
movetostopriority
Replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. Options are:
yes, on, true
Replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets.
no, off, false
Does not replace the preexisting 802.1p priority level. This is the default.
moveprioritytotos
Replaces the value in the ToS priority field with the 802.1p priority field on IPv4 packets. Options are:
yes, on, true
Replaces the value in the ToS priority field with the 802.1p priority field on IPv4 packets.
no, off, false
Does not replace the ToS priority field. This is the default.
sendtomirror
Copies the traffic that meets the criteria of the classifiers to a destination mirror port. Options are:
yes, on, true
Copies the traffic that meets the criteria of the classifiers to a destination mirror port. You must specify the destination port by creating a port mirror, as explained in Chapter 12, “Port Mirroring Commands” on page 181.
no, off, false
Does not copy the traffic to a destination mirror port. This is the default.
trafficclasslist
Specifies the traffic classes to be assigned to the policy.
The specified traffic classes must already exist.
Separate multiple IDs with commas (e.g., 4,11,13).
redirectport
Specifies the port to which the classified traffic from the
ingress ports is redirected.
ingressport
Specifies the ingress ports to which the policy is to be
assigned. Ports can be identified individually (e.g.,
5,7,22), as a range (e.g., 18-23), or both (e.g., 1,5,14-22). The NONE option removes the policy from all
ingress ports to which it has been assigned. The ALL
option adds it to all ports.
A port can be an ingress port of only one policy at a
time. If a port is already an ingress port of a policy, you
must remove the port from its current policy assignment
before adding it to another policy. Alternatively, you can
use “SET QOS PORT” on page 321, which removes a
port from a policy and adds it to another policy with one
command.
egressport
Specifies the egress port to which the policy is to be
assigned. You can enter only one egress port. The
NONE option removes the policy from all egress ports
to which it has been assigned. The ALL option adds it to
all ports.
A port can be an egress port of only one policy at a
time. If a port is already an egress port of a policy, you
must remove the port from its current policy assignment
before adding it to another policy. Alternatively, you can
use “SET QOS PORT” on page 321, which removes a
port from a policy and adds it to another policy with one
command.
Description
This command modifies an existing policy. To initially create a policy, refer
to “CREATE QOS POLICY” on page 296.
Note
For examples of command sequences used to create entire QoS
policies, refer to “CREATE QOS POLICY” on page 296.
When modifying a policy, note the following:
• You cannot change a policy’s ID number.
• Specifying an invalid value for a parameter that already has a value causes the parameter to revert to its default value.
Examples
This command changes the ingress port for policy 8 to port 23:
set qos policy=8 ingressport=23
This command changes the traffic classes assigned to policy 41:
set qos policy=41 trafficclasslist=12,23
SET QOS PORT
Syntax
set qos port=value type=ingress|egress
policy=value|none
Parameter
port
Specifies the port to which the policy is to be assigned or
removed. You can specify more than one port at a time if
the port is an ingress port of the traffic flow. Ports can be
identified individually (e.g., 5,7,22), as a range (e.g., 18-23),
or both (e.g., 1,5,14-22). You can specify only one port if
the port is functioning as an egress port for the flow.
type
Specifies whether the port is an ingress or egress port for
the traffic flow of the policy. The default is ingress.
policy
Specifies the policy to be assigned to the port. You can
specify only one policy. The NONE option removes the
currently assigned policy from a port.
Description
This command adds and removes ports from policies.
A port can be an ingress or egress port of only one policy at a time.
However, a port can be an ingress port and an egress port of different
policies, simultaneously. If a port is already a port of a policy, this
command automatically removes it from its current policy assignment
before adding it to another policy.
Examples
This command assigns QoS policy 12 to ingress ports 5 through 8:
set qos port=5-8 type=ingress policy=12
This command removes the currently assigned policy from egress ports 1
and 5:
set qos port=1,5 type=egress policy=none
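As an added illustration (not code from the AT-S63 software), the following Python model enforces the port-ownership rules stated for SET QOS POLICY and SET QOS PORT: a port can be the ingress port of only one policy, SET QOS POLICY refuses a port that another policy already owns, while SET QOS PORT moves it automatically. The port-list notation (e.g., 1,5,14-22) is parsed as the manual describes; NUM_PORTS is an assumed switch size used only for the ALL option.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added model of the port-ownership rules this chapter states for SET QOS POLICY
# and SET QOS PORT.  It is an offline illustration, not the AT-S63 software.
NUM_PORTS = 24   # assumed switch size, used only for the ALL option


def parse_port_list(spec: str) -> List[int]:
    """Expand a port list in the manual's notation, e.g. "1,5,14-22"."""
    ports: List[int] = []
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {item!r}")
            ports.extend(range(lo, hi + 1))
        elif item:
            ports.append(int(item))
    return ports


@dataclass
class Policy:
    ident: int
    ingress_ports: Set[int] = field(default_factory=set)
    egress_port: Optional[int] = None     # at most one egress port per policy


class QosPortTable:
    """Tracks which policy owns each ingress port and each egress port."""

    def __init__(self, policy_ids: List[int]) -> None:
        self.policies: Dict[int, Policy] = {i: Policy(i) for i in policy_ids}

    def owner(self, port: int, kind: str) -> Optional[int]:
        for pol in self.policies.values():
            if kind == "ingress" and port in pol.ingress_ports:
                return pol.ident
            if kind == "egress" and pol.egress_port == port:
                return pol.ident
        return None

    def set_policy_ingressport(self, policy_id: int, spec: str) -> None:
        """SET QOS POLICY=... INGRESSPORT=...: a port already owned by another
        policy must be removed from it first, so the command is refused."""
        pol = self.policies[policy_id]
        if spec.lower() == "none":
            pol.ingress_ports.clear()
            return
        ports = list(range(1, NUM_PORTS + 1)) if spec.lower() == "all" else parse_port_list(spec)
        for port in ports:
            holder = self.owner(port, "ingress")
            if holder is not None and holder != policy_id:
                raise ValueError(f"port {port} is already an ingress port of policy "
                                 f"{holder}; remove it first or use SET QOS PORT")
        pol.ingress_ports.update(ports)

    def set_port(self, spec: str, kind: str, policy_id: Optional[int]) -> None:
        """SET QOS PORT=... TYPE=... POLICY=...: detaches each port from its
        current policy before attaching it to the new one (None = POLICY=NONE)."""
        ports = parse_port_list(spec)
        if kind == "egress" and policy_id is not None and len(ports) != 1:
            raise ValueError("only one egress port can be assigned per command")
        for port in ports:
            holder = self.owner(port, kind)
            if holder is not None:
                self._detach(port, kind, holder)
            if policy_id is None:
                continue
            target = self.policies[policy_id]
            if kind == "ingress":
                target.ingress_ports.add(port)
            else:
                target.egress_port = port

    def _detach(self, port: int, kind: str, policy_id: int) -> None:
        pol = self.policies[policy_id]
        if kind == "ingress":
            pol.ingress_ports.discard(port)
        else:
            pol.egress_port = None


def demo():
    table = QosPortTable([8, 12])
    table.set_port("5-8", "ingress", 12)              # the manual's SET QOS PORT example
    try:
        table.set_policy_ingressport(8, "1,5,14-22")  # port 5 still belongs to policy 12
        conflict = None
    except ValueError as exc:
        conflict = str(exc)
    table.set_port("5", "ingress", 8)                 # SET QOS PORT moves it in one step
    table.set_port("1", "egress", 8)
    table.set_port("1", "egress", None)               # POLICY=NONE detaches the port
    return table, conflict


if __name__ == "__main__":
    tbl, msg = demo()
    print(msg)
    for pol in tbl.policies.values():
        print(pol)
```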
SET QOS TRAFFICCLASS
Syntax
set qos trafficclass=value [description="string"]
[exceedaction=drop|remark]
[exceedremarkvalue=value|none] [markvalue=value|none]
[maxbandwidth=value|none] [burstsize=value|none]
[priority=value|none]
[remarkpriority=yes|no|on|off|true|false]
[tos=value|none]
[movetostopriority=yes|no|on|off|true|false]
[moveprioritytotos=yes|no|on|off|true|false]
[flowgrouplist=values|none]
Parameters
trafficclass
Specifies the ID number of the traffic class you want to
modify. Each traffic class on the switch has a unique
number. The range is 0 to 511. The default is 0. This
parameter is required.
description
Specifies a description for the traffic class. The
description can be from 1 to 15 alphanumeric
characters. Spaces are allowed. If the description
contains spaces, it must be enclosed in double
quotes. Otherwise, the quotes are optional. This
parameter is optional, but recommended. Names
can help you identify the traffic classes on the
switch.
exceedaction
Specifies the action to be taken if the flow group of
the traffic class exceeds the maximum bandwidth,
specified with the MAXBANDWIDTH parameter.
There are two possible exceed actions, drop and
remark. If drop is selected, traffic exceeding the
bandwidth is discarded. If remark is selected, the
packets are forwarded after replacing the DSCP
value with the new value specified with the
EXCEEDREMARKVALUE parameter. The default
is drop.
exceedremarkvalue
Specifies the DSCP replacement value for traffic
that exceeds the maximum bandwidth. This value
takes precedence over the DSCP value set with the
MARKVALUE parameter. The range is 0 to 63. The
default is 0.
markvalue
Specifies a replacement value to write into the
DSCP (TOS) field of the packets. The range is 0 to
63.
A new DSCP value can be set at all three levels:
flow group, traffic class, and policy. A DSCP value
specified in a flow group overrides a DSCP value
specified at the traffic class or policy level. A DSCP
value specified at the traffic class level is used only
if no value has been specified at the flow group
level. It will override any value set at the policy level.
maxbandwidth
Specifies the maximum bandwidth available to the
traffic class. This parameter determines the
maximum rate at which the ingress port accepts
data belonging to this traffic class before either
dropping or remarking occurs, as specified with the
EXCEEDACTION parameter. If the sum of the
maximum bandwidth for all traffic classes on a
policy exceeds the (ingress) bandwidth of the port to
which the policy is assigned, the bandwidth for the
port takes precedence and the port discards
packets before they can be classified. The range is
0 to 1016 Mbps.
The value for this parameter is rounded up to the
nearest Mbps value when this traffic class is
assigned to a policy on a 10/100 port, and up to the
nearest 8 Mbps value when assigned to a policy on
a gigabit port (for example, on a gigabit port, 1 Mbps
is rounded to 8 Mbps, and 9 is rounded to 16).
burstsize
Specifies the size of a token bucket for the traffic
class. The token bucket is used in situations where
you have set a maximum bandwidth for a class, but
where traffic activity may periodically exceed the
maximum. A token bucket can provide a buffer for
those periods where the maximum bandwidth is
exceeded.
Tokens are added to the bucket at the same rate as
the traffic class’ maximum bandwidth, set with the
MAXBANDWIDTH parameter. For example, a
maximum bandwidth of 50 Mbps adds tokens to the
bucket at that rate.
If the amount of the traffic flow matches the
maximum bandwidth, no traffic is dropped because
the number of tokens added to the bucket matches
the number being used by the traffic. However, no
unused tokens will accumulate in the bucket. If the
traffic increases, the excess traffic will be discarded
since no tokens are available for handling the
increase.
If the traffic is below the maximum bandwidth,
unused tokens will accumulate in the bucket since
the actual bandwidth falls below the specified
maximum. The unused tokens will be available for
handling excess traffic should the traffic exceed the
maximum bandwidth. Should an increase in traffic
continue to the point where all the unused tokens
are used up, packets will be discarded.
Unused tokens accumulate in the bucket until the
bucket reaches maximum capacity, set by this
parameter. Once the maximum capacity of the
bucket is reached, no extra tokens are added. The
range is 4 to 512 Kbps.
This parameter should be used with the
MAXBANDWIDTH parameter. Specifying a token
bucket size without also specifying a maximum
bandwidth serves no function.
priority
Specifies the priority value in the IEEE 802.1p tag
control field that traffic belonging to this traffic class
is assigned. Priority values range from 0 to 7 with 0
being the lowest priority and 7 being the highest
priority. Incoming frames are mapped into one of
eight Class of Service (CoS) queues based on the
priority value.
If you want the packets to retain the new value
when they exit the switch, set the REMARKPRIORITY
parameter to Yes.
If you specify a new priority in a flow group and a
traffic class, the value in the flow group overrides
the value in the traffic class.
remarkpriority
Replaces the user priority value in the packets with
the new value specified with the PRIORITY
parameter, if set to Yes. If set to No, which is the
default, the packets retain their preexisting priority
level when they leave the switch.
tos
Specifies a replacement value to write into the Type
of Service (ToS) field of IPv4 packets. The range is
0 to 7.
A new ToS value can be set at all three levels: flow
group, traffic class, and policy. A ToS value
specified in a flow group overrides a ToS value
specified at the traffic class or policy level.
movetostopriority
Replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. Options are:
yes, on, true
Replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets.
no, off, false
Does not replace the preexisting 802.1p priority level. This is the default.
moveprioritytotos
Replaces the value in the ToS priority field with the 802.1p priority field on IPv4 packets. Options are:
yes, on, true
Replaces the value in the ToS priority field with the 802.1p priority field on IPv4 packets.
no, off, false
Does not replace the ToS priority field. This is the default.
flowgrouplist
Specifies the flow groups to be assigned to the traffic class. Any flow groups already assigned to the traffic class are replaced. The specified flow groups must already exist. Separate multiple IDs with commas (e.g., 4,11,13).
Description
This command modifies an existing traffic class. To initially create a traffic
class, refer to “CREATE QOS TRAFFICCLASS” on page 303. The only
parameter you cannot change is a traffic class’s ID number.
Note
For examples of command sequences used to create entire QoS
policies, refer to “CREATE QOS POLICY” on page 296.
When modifying a traffic class, note the following:
• You cannot change a traffic class’ ID number.
• Specifying an invalid value for a parameter that already has a value causes the parameter to revert to its default value.
Examples
This command changes the exceed action in traffic class 18 to remark and
specifies a remark value of 24, so the DSCP value in traffic that exceeds
the maximum bandwidth is changed to 24:
set qos trafficclass=18 exceedaction=remark
exceedremarkvalue=24
This command changes the user priority value to 17 for traffic belonging to
traffic class 42:
set qos trafficclass=42 priority=17
This command changes the maximum bandwidth for traffic class 41 to 80
Mbps and the burst size to 400 Kbps:
set qos trafficclass=41 maxbandwidth=80 burstsize=400
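As an added example that is not part of the manual, the following Python simulation works through the token-bucket behaviour described above for MAXBANDWIDTH, BURSTSIZE, EXCEEDACTION and EXCEEDREMARKVALUE, using constructed traffic of 10,000-bit packets, and also applies the stated rounding rule for gigabit ports. The one-millisecond accounting interval and the integer token arithmetic are assumptions made for the simulation, not the switch’s implementation.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration of the traffic-class policer described in this chapter.
# It models the manual's wording (tokens added at MAXBANDWIDTH, stored only up
# to BURSTSIZE, excess traffic dropped or remarked); it is not the switch's code.
# The 1 ms accounting interval is an assumption made for the simulation.

BITS_PER_MBPS_PER_MS = 1000   # 1 Mbps is 1000 bits per millisecond
BITS_PER_KBIT = 1000          # BURSTSIZE is given in "Kbps"; treated as kilobits of bucket


def effective_maxbandwidth(mbps: int, gigabit_port: bool) -> int:
    """Apply the rounding the manual states for MAXBANDWIDTH: whole Mbps on a
    10/100 port, up to the next multiple of 8 Mbps on a gigabit port (1 -> 8, 9 -> 16)."""
    return mbps if not gigabit_port else -(-mbps // 8) * 8


@dataclass
class TrafficClass:
    maxbandwidth: int                # Mbps (MAXBANDWIDTH)
    burstsize: int = 0               # token bucket size (BURSTSIZE)
    exceedaction: str = "drop"       # EXCEEDACTION: "drop" or "remark"
    exceedremarkvalue: int = 0       # DSCP for exceeding traffic when remarking
    markvalue: Optional[int] = None  # DSCP for conforming traffic, None keeps ingress DSCP


@dataclass
class Packet:
    size_bits: int
    dscp: int                        # ingress DSCP value


@dataclass
class PoliceResult:
    forwarded: int = 0
    dropped: int = 0
    remarked: int = 0
    dscp_out: List[Optional[int]] = field(default_factory=list)  # None = dropped


def police(tc: TrafficClass, arrivals: List[List[Packet]], dt_ms: int = 1) -> PoliceResult:
    """Run the token bucket over successive intervals of dt_ms milliseconds.

    arrivals[i] is the list of packets arriving during interval i.  Every interval
    adds MAXBANDWIDTH worth of tokens; tokens left unused carry over only up to
    BURSTSIZE, so with BURSTSIZE=0 nothing accumulates, as the manual says.
    """
    refill = tc.maxbandwidth * BITS_PER_MBPS_PER_MS * dt_ms
    capacity = tc.burstsize * BITS_PER_KBIT
    stored = 0
    res = PoliceResult()
    for interval in arrivals:
        available = stored + refill
        for pkt in interval:
            if pkt.size_bits <= available:
                available -= pkt.size_bits
                res.forwarded += 1
                res.dscp_out.append(pkt.dscp if tc.markvalue is None else tc.markvalue)
            elif tc.exceedaction == "remark":
                res.remarked += 1
                res.dscp_out.append(tc.exceedremarkvalue)  # takes precedence over MARKVALUE
            else:
                res.dropped += 1
                res.dscp_out.append(None)
        stored = min(capacity, available)
    return res


def burst(count: int, size_bits: int = 10_000, dscp: int = 0) -> List[Packet]:
    """Constructed traffic: `count` packets of `size_bits` arriving in one interval."""
    return [Packet(size_bits, dscp) for _ in range(count)]


def demo():
    # 50 Mbps is 50,000 bits per ms, i.e. five 10,000-bit packets per interval.
    at_rate = police(TrafficClass(maxbandwidth=50), [burst(5)] * 10)
    over_rate = police(TrafficClass(maxbandwidth=50), [burst(6)] * 10)
    # With BURSTSIZE=400, five quiet intervals bank 50,000 unused bits, enough
    # to absorb one interval of ten packets; the following one is policed.
    tc = TrafficClass(maxbandwidth=50, burstsize=400, exceedaction="remark",
                      exceedremarkvalue=35, markvalue=46)
    bursty = police(tc, [burst(4)] * 5 + [burst(10), burst(10)])
    return at_rate, over_rate, bursty


if __name__ == "__main__":
    for name, r in zip(("at rate", "over rate", "bursty"), demo()):
        print(f"{name}: forwarded={r.forwarded} dropped={r.dropped} remarked={r.remarked}")
```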
SHOW QOS FLOWGROUP
Syntax
show qos flowgroup[=idnumber]
Parameters
flowgroup
Specifies the ID of the flow group you want to view. You can
specify more than one flow group at a time.
Description
This command displays the flow groups on a switch. An example is shown
in Figure 27.
Flow Group ID .............. 2
Description ................ Video1
DSCP value ................. 0
Priority ................... 6
Remark Priority ............ No
ToS ........................
Move ToS to Priority ....... No
Move Priority to ToS ....... No
Classifier List ............ 11
Parent Traffic Class ID .... 4
Is Active .................. Yes
Figure 27. SHOW QOS FLOWGROUP Command
The command displays the following information about a flow group:
• Flow Group ID - The flow group’s ID number.
• Description - The flow group’s description.
• DSCP value - The replacement value to write into the DSCP (TOS) field of the packets.
• Priority - The new user priority value for the packets.
• Remark Priority - Replaces the user priority value in the packets with the Priority value.
• ToS - Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7.
• Move ToS to Priority - If set to Yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting 802.1p priority level.
• Move Priority to ToS - If set to Yes, replaces the value in the ToS priority field with the value in the 802.1p priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting ToS priority level.
• Classifier List - The classifiers assigned to the flow group.
• Parent Traffic Class ID - The ID number of the traffic class to which the flow group is assigned. A flow group can belong to only one traffic class at a time.
• Is Active - The status of the flow group. If the flow group is part of a QoS policy that is assigned to one or more ports, the flow group is deemed active. If the flow group has not been assigned to a policy or if the policy has not been assigned to any ports, the flow group is considered inactive.
For further information about the parameters, refer to “CREATE QOS
FLOWGROUP” on page 293.
Examples
This command displays all of the flow groups:
show qos flowgroup
This command displays flow group 12:
show qos flowgroup=12
SHOW QOS POLICY
Syntax
show qos policy[=idnumber]
Parameter
policy
Specifies the ID of the policy you want to view. You can
specify more than one policy at a time. Separate multiple
policies with commas (e.g., 4,5,10).
Description
This command displays the policies on a switch. An example is shown in
Figure 28.
Policy ID ................ 11
Description .............. policy_ca2
Remark DSCP .............. All
In DSCP overwrite ........ 42
ToS ......................
Move ToS to Priority ..... No
Move Priority to ToS ..... No
Send to Mirror Port ...... No
Traffic Class List ....... 15
Redirect Port ............
Ingress Port List ........
Egress Port ..............
Is Active ................ Yes
Figure 28. SHOW QOS POLICY Command
This command provides the following information:
• Policy ID - The policy’s ID number.
• Description - The policy’s description.
• Remark DSCP - Specifies whether the DSCP value of ingress packets is overwritten. If All is specified, all packets are remarked. If None is specified, the function is disabled. The default is None.
• In DSCP overwrite - The replacement value to write into the DSCP (TOS) field of the packets.
• ToS - Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7. A ToS value specified at the policy level is used only if no value has been specified at the flow group and traffic class levels.
• Move ToS to Priority - If set to Yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting 802.1p priority level.
• Move Priority to ToS - If set to Yes, replaces the value in the ToS priority field with the value in the 802.1p priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting ToS priority level.
• Send to Mirror Port - Copies the traffic that meets the criteria of the classifiers to a destination mirror port. If set to Yes, you must specify the destination port of the port mirror with “SET SWITCH MIRROR” on page 182.
• Traffic Class List - The traffic classes assigned to the policy.
• Redirect Port - The egress port to which the classified traffic from the ingress port is reassigned.
• Ingress Port List - The ingress ports to which the policy is assigned.
• Egress Port - The egress port to which the policy is assigned.
• Is Active - The status of the policy. A policy that is assigned to one or more ports is deemed active, while a policy that is not assigned to any ports is deemed inactive.
For further information about the parameters, refer to “CREATE QOS
POLICY” on page 296.
Examples
This command displays all of the policies:
show qos policy
This command displays policy 54:
show qos policy=54
SHOW QOS TRAFFICCLASS
Syntax
show qos trafficclass[=idnumber]
Parameter
trafficclass
Specifies the ID of the traffic class you want to view. You
can specify more than one traffic class at a time. Separate
multiple traffic classes with commas (e.g., 4,5,10).
Description
This command displays the traffic classes on a switch. An example is
shown in Figure 29.
Traffic Class ID .......... 0
Description ............... Dev Database
Exceed Action ............. Drop
Exceed Remark Value ....... 0
DSCP value ................ 0
Max bandwidth ............. 50
Burst Size ................ 0
Priority .................. 0
Remark Priority ........... No
ToS .......................
Move ToS to Priority ...... No
Move Priority to ToS ...... No
Flow Group List ........... 11
Parent Policy ID .......... 2
Is Active ................. Yes
Figure 29. SHOW QOS TRAFFICCLASS Command
This command provides the following information about a traffic class:
• Traffic Class ID - The traffic class’ ID number.
• Description - The description of the traffic class.
• Exceed Action - The action taken if the traffic of the traffic class exceeds the maximum bandwidth.
• Exceed Remark Value - The DSCP replacement value for traffic that exceeds the maximum bandwidth.
• DSCP value - The replacement value to write into the DSCP (TOS) field of the packets.
• Max Bandwidth - The maximum bandwidth available to the traffic class.
• Burst Size - The size of a token bucket for the traffic class.
• Priority - The priority value in the IEEE 802.1p tag control field assigned to the traffic that belongs to this traffic class.
• Remark Priority - Replaces the user priority value in the packets with the Priority value.
• ToS - Specifies a replacement value to write into the Type of Service (ToS) field of IPv4 packets. The range is 0 to 7.
• Move ToS to Priority - If set to Yes, replaces the value in the 802.1p priority field with the value in the ToS priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting 802.1p priority level.
• Move Priority to ToS - If set to Yes, replaces the value in the ToS priority field with the value in the 802.1p priority field on IPv4 packets. If set to No, which is the default, the packets retain their preexisting ToS priority level.
• Flow Group List - The flow groups assigned to the traffic class.
• Parent Policy ID - The ID number of the policy to which the traffic class is assigned. A traffic class can belong to only one policy at a time.
• Is Active - The status of the traffic class. If the traffic class is part of a QoS policy that is assigned to one or more ports, the traffic class is deemed active. If the traffic class has not been assigned to a policy or if the policy has not been assigned to any ports, the traffic class is deemed inactive.
For further information about the parameters, refer to “CREATE QOS
TRAFFICCLASS” on page 303.
Examples
This command displays all of the traffic classes:
show qos trafficclass
This command displays traffic class 14:
show qos trafficclass=14
Chapter 20
Denial of Service Defense Commands
This chapter contains the following command:
• “SET DOS” on page 334
• “SET DOS IPOPTION” on page 335
• “SET DOS LAND” on page 337
• “SET DOS PINGOFDEATH” on page 338
• “SET DOS SMURF” on page 340
• “SET DOS SYNFLOOD” on page 341
• “SET DOS TEARDROP” on page 342
• “SHOW DOS” on page 344
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 17,
“Denial of Service Defense” in the AT-S63 Management Software
Menus Interface User’s Guide.
Chapter 20: Denial of Service Defense Commands
SET DOS
Syntax
set dos ipaddress=ipaddress subnet=mask uplinkport=port
Parameters
ipaddress
Specifies the IP address of one of the devices
connected to the switch, preferably the lowest IP
address.
subnet
Specifies the subnet mask of the LAN. A binary “1”
indicates the switch should filter on the corresponding
bit of the address, while a “0” indicates that it should
not.
uplinkport
Specifies the port on the switch that is connected to a
device (for example, a DSL router) that leads outside
the network. You can specify only one port. This
parameter is required only for the Land defense. The
default port is the highest numbered existing port in
the switch.
Description
This command is required for the SMURF and Land defenses. The
SMURF defense uses the LAN address and mask to determine the
broadcast address of your network. The Land defense uses this
information to determine which traffic is local and which is remote to your
network.
As an example, assume that the devices connected to a switch are using
the IP address range 149.11.11.1 to 149.11.11.50. The IP address would
be 149.11.11.1 and the mask would be 0.0.0.63.
Examples
The following command sets the IP address to 149.11.11.1 and the mask
to 0.0.0.63:
set dos ipaddress=149.11.11.1 subnet=0.0.0.63
The following command sets the IP address to 149.22.22.1, the mask to
0.0.0.255, and the uplink port for the Land defense to port 24:
set dos ipaddress=149.22.22.1 subnet=0.0.0.255 uplinkport=24
SET DOS IPOPTION
Syntax
set dos ipoption port=port state=enable|disable
[mirroring=yes|no|on|off|true|false|enabled|disabled]
Parameters
port
Specifies the switch port where you want to enable or
disable the IP Option defense. You can specify more
than one port at a time.
state
Specifies the state of the IP Option defense. The
options are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
mirroring
Specifies whether the examined traffic is copied to a
mirror port. Options are:
yes, on, true, enabled
Traffic is mirrored. These values are
equivalent.
no, off, false, disabled
Traffic is not mirrored. This is the
default. These values are equivalent.
Description
This command enables and disables the IP Option DoS defense.
This type of attack occurs when an attacker sends packets containing bad
IP options to a victim node. There are many different types of IP options
attacks and the AT-S63 management software does not try to distinguish
between them. Rather, a switch port where this defense is activated
counts the number of ingress IP packets containing IP options. If the
number exceeds 20 packets per second, the switch considers this a
possible IP options attack and the following occurs:
• The switch sends a trap to the management stations.
• The switch blocks all traffic on the port for one minute.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.
You can use the MIRRORING parameter to copy the examined traffic to a
destination port mirror for analysis with a data analyzer. To define the
destination port, refer to “SET SWITCH MIRROR” on page 182.
Example
The following command activates the IP Options defense on ports 5, 7,
and 10:
set dos ipoption port=5,7,10 state=enable
The following command activates the IP Options defense on port 6 as well
as the mirroring feature so the examined traffic is copied to a destination
port mirror.
set dos ipoption port=6 state=enable mirroring=yes
The following command disables the IP Options defense on ports 5 and 7:
set dos ipoption port=5,7 state=disable
SET DOS LAND
Syntax
set dos land port=port state=enable|disable
[mirroring=yes|no|on|off|true|false|enabled|disabled]
Parameters
port
Specifies the switch port on which you want to enable
or disable the Land defense. You can specify more than
one port at a time.
state
Specifies the state of the Land defense. The options
are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
mirroring
Specifies whether the examined traffic is copied to a
mirror port. Options are:
yes, on, true, enabled
Traffic is mirrored. These values are
equivalent.
no, off, false, disabled
Traffic is not mirrored. This is the
default. These values are equivalent.
Description
This command enables and disables the Land DoS defense. For an
explanation of this attack and the AT-S63 defense mechanism, refer to
Chapter 17, “Denial of Service Defense” in the AT-S63 Management
Software Menus Interface User’s Guide.
You can use the MIRRORING parameter to copy the intruding traffic to a
destination port mirror for analysis with a data analyzer. To define the
destination port, refer to “SET SWITCH MIRROR” on page 182.
Example
The following command activates the Land defense on ports 5 and 7:
set dos land port=5,7 state=enable
SET DOS PINGOFDEATH
Syntax
set dos pingofdeath port=port state=enable|disable
[mirroring=yes|no|on|off|true|false|enabled|disabled]
Parameters
port
Specifies the switch ports on which to enable or disable
the Ping of Death defense. You can specify more than
one port at a time.
state
Specifies the state of the Ping of Death defense. The
options are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
mirroring
Specifies whether the examined traffic is copied to a
mirror port. Options are:
yes, on, true, enabled
Traffic is mirrored. These values are
equivalent.
no, off, false, disabled
Traffic is not mirrored. This is the
default. These values are equivalent.
Description
This command activates and deactivates the Ping of Death DoS defense.
In this DoS, an attacker sends an oversized, fragmented Ping packet to
the victim, which, if lacking a policy for handling oversized packets, may
freeze.
To defend against this form of attack, a switch port searches for the last
fragment of a fragmented Ping request and examines its offset to
determine if the packet size is greater than 63,488 bits. If it is, the fragment
is forwarded to the switch’s CPU for final packet size determination. If the
switch determines that the packet is oversized, the following occurs:
• The switch sends a trap to the management stations.
• The switch blocks all traffic on the port for one minute.
Note
This defense mechanism requires some involvement by the switch’s
CPU, though not as much as the Teardrop defense. This will not
impact the forwarding of traffic between the switch ports, but it can
affect the handling of CPU events, such as the processing of IGMP
packets and spanning tree BPDUs. For this reason, Allied Telesyn
recommends that you strictly limit the use of this defense, activating
it only on those ports where an attack is most likely to originate.
You can use the MIRRORING parameter to copy the offending traffic to a
destination port mirror for analysis with a data analyzer. To define the
destination port, refer to “SET SWITCH MIRROR” on page 182.
Example
The following command activates the defense on ports 1 and 5:
set dos pingofdeath port=1,5 state=enable
SET DOS SMURF
Syntax
set dos smurf port=port state=enable|disable
Parameters
port
Specifies the switch ports on which you want to enable
or disable SMURF defense. You can select more than
one port at a time.
state
Specifies the state of the SMURF defense. The options
are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
Description
This command activates and deactivates the SMURF DoS defense.
This DoS attack is instigated by an attacker sending a Ping request
containing a broadcast address as the destination address and the
address of the victim as the source of the Ping. This overwhelms the
victim with a large number of Ping replies from other network nodes.
A switch port defends against this form of attack by examining the
destination addresses of ingress Ping packets and discarding those that
contain a broadcast address as a destination address.
To implement this defense, you need to specify the IP address of any
device on your network, preferably the lowest IP address, and a mask
using “SET DOS” on page 334. The switch uses the combination of the
two to determine your network’s broadcast address. Any ingress Ping
packets containing the broadcast address are discarded.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without having it negatively
impact switch performance.
Example
The following command activates this defense on port 17:
set dos smurf port=17 state=enable
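The IP address and mask that SET DOS takes, and the broadcast address the SMURF defense derives from them, can be worked through in code. The following Python is an added example, not AT-S63 software or output: it treats the SUBNET value as a wildcard mask (the 1 bits mark the host bits, as the SET DOS parameter description says), the function names are the example's own, and the ping records are constructed. The Land defense's use of the local/remote distinction is only sketched by is_local, because the page does not detail how that defense decides.

```python
import ipaddress

# Added example (not AT-S63 code): how the IPADDRESS and SUBNET values given
# to SET DOS yield the LAN broadcast address that the SMURF defense matches on,
# and how the same pair separates local from remote addresses.

def _ints(ip: str, wildcard: str):
    """Convert the dotted-quad address and SUBNET (wildcard) mask to integers."""
    return int(ipaddress.IPv4Address(ip)), int(ipaddress.IPv4Address(wildcard))

def broadcast_address(ip: str, wildcard: str) -> str:
    """The SUBNET value is a wildcard mask: a 1 bit marks a host bit of the
    LAN (0.0.0.63 covers a 64-address block).  Setting every host bit in the
    address gives the directed broadcast address of that block."""
    ip_int, wc_int = _ints(ip, wildcard)
    return str(ipaddress.IPv4Address(ip_int | wc_int))

def is_local(addr: str, ip: str, wildcard: str) -> bool:
    """True when addr shares the network bits (the bits NOT set in the
    wildcard) with the configured LAN address."""
    ip_int, wc_int = _ints(ip, wildcard)
    net_mask = 0xFFFFFFFF ^ wc_int
    return (int(ipaddress.IPv4Address(addr)) & net_mask) == (ip_int & net_mask)

def smurf_filter(pings, ip: str, wildcard: str):
    """Apply the SMURF rule to a list of (src, dst) ping records: a ping
    addressed to the LAN broadcast address is discarded, any other is
    forwarded.  Returns a list of (src, dst, action) tuples."""
    bcast = broadcast_address(ip, wildcard)
    return [(src, dst, "discard" if dst == bcast else "forward")
            for src, dst in pings]

# Constructed sample ingress pings, using the page's example LAN 149.11.11.1
# with mask 0.0.0.63 (hosts .1 to .50 inside a .0 to .63 block).
SAMPLE_PINGS = [
    ("149.11.11.20", "149.11.11.30"),   # ordinary host-to-host ping
    ("149.11.11.7",  "149.11.11.63"),   # destination is the LAN broadcast
    ("149.11.11.9",  "149.11.11.255"),  # not the broadcast of this block
]

if __name__ == "__main__":
    print(broadcast_address("149.11.11.1", "0.0.0.63"))   # 149.11.11.63
    for row in smurf_filter(SAMPLE_PINGS, "149.11.11.1", "0.0.0.63"):
        print(row)
```

Running it with the page's second example (149.22.22.1 and 0.0.0.255) gives 149.22.22.255, which shows why the mask must match the LAN's real size: a mask that is too narrow leaves the true broadcast address unmatched, and one that is too wide treats ordinary host addresses as local.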
SET DOS SYNFLOOD
Syntax
set dos synflood port=port state=enable|disable
Parameters
port
Specifies the switch ports on which you want to enable
or disable this DoS defense. You can select more than
one port at a time.
state
Specifies the state of the DoS defense. The options
are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
Description
This command activates and deactivates the SYN ACK Flood DoS
defense.
In this type of attack, an attacker, seeking to overwhelm a victim with TCP
connection requests, sends a large number of TCP SYN packets with
bogus source addresses to the victim. The victim responds with SYN ACK
packets, but since the original source addresses are bogus, the victim
node does not receive any replies. If the attacker sends enough requests
in a short enough period, the victim may freeze operations once the
requests exceed the capacity of its connections queue.
To defend against this form of attack, a switch port monitors the number of
ingress TCP-SYN packets it receives. If a port receives more than 60
TCP-SYN packets per second, the following occurs:
• The switch sends a trap to the management stations.
• The switch blocks all traffic on the port for one minute.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.
Example
The following command activates the defense on ports 18 to 20:
set dos synflood port=18-20 state=enable
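The IP Option and SYN flood defenses share one shape: a per-port count of matching ingress packets per second, a trap when the count passes the threshold (20 or 60 packets per second), and a one-minute block of the port. The following Python models that logic over constructed packet timestamps. It is an added example, not AT-S63 code; the class, function and sample names are the example's own, and only the matching packets are fed in, so the block on "all traffic" is shown by the matching packets being dropped.

```python
from collections import defaultdict

# Added example (not AT-S63 code): a model of the per-port packet-rate
# defenses described on this page.  The IP Option defense triggers above
# 20 matching packets per second, the SYN flood defense above 60; in both
# cases the switch sends a trap and blocks the port for one minute.
THRESHOLDS_PPS = {"ipoption": 20, "synflood": 60}
BLOCK_SECONDS = 60

class RateDefense:
    def __init__(self, defense: str):
        self.threshold = THRESHOLDS_PPS[defense]
        self.counts = defaultdict(int)   # (port, whole second) -> packets seen
        self.blocked_until = {}          # port -> time when the block lifts
        self.traps = []                  # (port, second) trap events sent

    def ingress(self, port: int, t: float) -> str:
        """Account for one matching packet on `port` at time `t` (seconds).
        Returns 'dropped' while the port is blocked, 'trap' for the packet
        that pushes the one-second count over the threshold, else 'forwarded'."""
        if t < self.blocked_until.get(port, 0.0):
            return "dropped"
        sec = int(t)
        self.counts[(port, sec)] += 1
        if self.counts[(port, sec)] > self.threshold:
            self.traps.append((port, sec))
            self.blocked_until[port] = t + BLOCK_SECONDS
            return "trap"
        return "forwarded"

def simulate(defense: str, packets):
    """Run a list of (port, time) matching-packet records through one defense.
    Returns (per-packet results, trap events, block expiry per port)."""
    d = RateDefense(defense)
    results = [d.ingress(port, t) for port, t in packets]
    return results, d.traps, d.blocked_until

# Constructed sample: 25 matching packets on port 5 within second 10 (a burst
# above the 20 pps IP Option threshold but below the 60 pps SYN threshold),
# 5 on port 7, then two later packets on port 5, one inside the one-minute
# block and one after it has lifted.
SAMPLE = ([(5, 10.0 + i * 0.03) for i in range(25)]
          + [(7, 10.0 + i * 0.1) for i in range(5)]
          + [(5, 30.0), (5, 75.0)])

if __name__ == "__main__":
    results, traps, blocked = simulate("ipoption", SAMPLE)
    print(traps)                      # [(5, 10)]
    print(results.count("dropped"))   # 5
```

The same burst run through the "synflood" defense produces no trap, which is the point of the two different thresholds: a handful of IP-option packets is already unusual, while 20 SYNs in a second is normal for a busy server port.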
SET DOS TEARDROP
Syntax
set dos teardrop port=port state=enable|disable
[mirroring=yes|no|on|off|true|false|enabled|disabled]
Parameters
port
Specifies the switch ports on which you want to enable
or disable this DoS defense. You can select more than
one port at a time.
state
Specifies the state of the DoS defense. The options
are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
mirroring
Specifies whether the examined traffic is copied to a
mirror port. Options are:
yes, on, true, enabled
Traffic is mirrored. These values are
equivalent.
no, off, false, disabled
Traffic is not mirrored. This is the
default. These values are equivalent.
Description
This command activates and deactivates the Teardrop DoS defense.
In this DoS attack, an attacker sends a packet in several fragments with a
bogus offset value, used to reconstruct the packet, in one of the fragments
to a victim. This results in the victim being unable to reassemble the
packet, possibly causing it to freeze operations.
The defense mechanism for this type of attack has all ingress IP traffic
received on a port sent to the switch’s CPU. The CPU samples related,
consecutive fragments, checking for fragments with invalid offset values. If
one is found, the following occurs:
• The switch sends a trap to the management stations.
• The switch blocks all traffic on the port for one minute.
Because the CPU examines only a sampling of the ingress IP traffic on a
port, there is no guarantee that the switch will catch or prevent all
occurrences of this attack.
You can use the MIRRORING parameter to copy the offending traffic to a
destination port mirror for analysis with a data analyzer. To define the
destination port, refer to “SET SWITCH MIRROR” on page 182.
Caution
This defense is extremely CPU intensive and should be used with
caution. Unrestricted use can cause a switch to halt operations if the
CPU becomes overwhelmed with IP traffic. To prevent this, Allied
Telesyn recommends that you activate this defense on only one port
at a time and where ingress fragments comprise only a small
percentage of the port’s total traffic.
Example
The following command activates the defense on port 22:
set dos teardrop port=22 state=enable
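The Ping of Death and Teardrop defenses above both work from fragment offsets. The following Python is an added example (not AT-S63 code) of those two checks written over abstract fragment descriptors rather than raw packets: the oversize test compares the last fragment's offset and length against the IPv4 maximum datagram length of 65,535 bytes (an assumption of the example; the switch's 63,488-bit pre-filter and hand-off to the CPU are not modelled), and the offset test looks for fragments that overlap or for a non-final fragment with MF clear. Unlike the switch, which samples only some of the ingress fragments, the example examines every fragment it is given, and all sample fragment sets are constructed.

```python
# Added example (not AT-S63 code): the two fragment checks this page
# describes, written over abstract fragment descriptors rather than packets.
# Each fragment is (offset, length, more_fragments): offset is the IPv4
# Fragment Offset field in 8-byte units, length the fragment payload size in
# bytes, and more_fragments the MF flag (clear only on the last fragment).
#
# Assumption: oversize is tested against the IPv4 maximum datagram length of
# 65,535 bytes; the switch's own 63,488-bit pre-filter is not modelled.
IPV4_MAX_DATAGRAM = 65535

def reassembled_length(fragments):
    """Total datagram length implied by the last fragment (MF clear), or
    None when no last fragment has been seen yet."""
    for offset, length, more in fragments:
        if not more:
            return offset * 8 + length
    return None

def is_oversized(fragments) -> bool:
    """Ping of Death check: the last fragment's offset plus length exceeds
    what an IPv4 datagram can hold."""
    total = reassembled_length(fragments)
    return total is not None and total > IPV4_MAX_DATAGRAM

def has_invalid_offsets(fragments) -> bool:
    """Teardrop check: in offset order each fragment must begin at or after
    the end of the previous one, and only the final fragment may clear MF."""
    ordered = sorted(fragments)
    end = 0
    for i, (offset, length, more) in enumerate(ordered):
        start = offset * 8
        if start < end:                          # overlaps the previous fragment
            return True
        if not more and i != len(ordered) - 1:   # 'last' fragment that is not last
            return True
        end = start + length
    return False

def classify(fragments) -> str:
    """Outcome for one set of related fragments: 'teardrop', 'pingofdeath' or 'ok'."""
    if has_invalid_offsets(fragments):
        return "teardrop"
    if is_oversized(fragments):
        return "pingofdeath"
    return "ok"

# Constructed samples: a 3,000-byte ping split at a 1,500-byte MTU (fine), a
# set whose second fragment overlaps the first, and a set whose last fragment
# lands past the 65,535-byte limit.
NORMAL   = [(0, 1480, True), (185, 1480, True), (370, 40, False)]
OVERLAP  = [(0, 1480, True), (100, 1480, False)]
OVERSIZE = [(0, 1480, True), (8189, 32, False)]

if __name__ == "__main__":
    for name, frags in (("NORMAL", NORMAL), ("OVERLAP", OVERLAP), ("OVERSIZE", OVERSIZE)):
        print(name, classify(frags))
```

Note that the oversize verdict needs only the final fragment, which is why the page can describe the Ping of Death defense as searching for the last fragment, whereas the overlap verdict needs neighbouring fragments held together, which is the reason the Teardrop defense has to pass traffic through the CPU.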
SHOW DOS
Syntax 1
show dos [ipaddress] [subnet] [uplinkport]
Syntax 2
show dos defense port=port
Parameters
ipaddress
Displays the IP address of the LAN.
subnet
Displays the subnet mask.
uplinkport
Displays the uplink port for the Land defense.
defense
Displays the status of a specified defense for a
particular port. Defense can be any of the following:
synflood
smurf
land
teardrop
ipoption
pingofdeath
port
Specifies the port whose DoS status you want to
view. You can specify only one port.
Description
These commands display DoS status information. Syntax 1 displays the
current settings for the IP address, subnet mask, and uplink port
parameters. Syntax 2 displays DoS status information for a specific
defense mechanism on a specific port.
Examples
The following command displays the IP address and subnet mask for the
Land and SMURF defenses:
show dos ipaddress subnet
The following command displays the status of the SMURF defense on port
4:
show dos smurf port=4
Section III
IGMP Snooping, MLD Snooping, and
RRP Snooping
The chapters in this section contain the commands for IGMP, MLD, and
RRP snooping. The chapters include:
• Chapter 21, “IGMP Snooping Commands” on page 349
• Chapter 22, “MLD Snooping Commands” on page 359
• Chapter 23, “RRP Snooping Commands” on page 369
Section III: IGMP Snooping, MLD Snooping, and RRP Snooping
Chapter 21
IGMP Snooping Commands
This chapter contains the following commands:
• “DISABLE IGMPSNOOPING” on page 350
• “ENABLE IGMPSNOOPING” on page 351
• “SET IP IGMP” on page 352
• “SHOW IGMPSNOOPING” on page 355
• “SHOW IP IGMP” on page 356
Note
Remember to use the SAVE CONFIGURATION command to save
your changes on the switch.
Note
For background information on this feature, refer to Chapter 18,
“IGMP Snooping” in the AT-S63 Management Software Menus
Interface User’s Guide.
Chapter 21: IGMP Snooping Commands
DISABLE IGMPSNOOPING
Syntax
disable igmpsnooping
Parameters
None.
Description
This command deactivates IGMP snooping on the switch.
Example
The following command deactivates IGMP snooping:
disable igmpsnooping
Equivalent Command
set ip igmp snoopingstatus=disabled
For information, refer to “SET IP IGMP” on page 352.
ENABLE IGMPSNOOPING
Syntax
enable igmpsnooping
Parameters
None.
Description
This command activates IGMP snooping on the switch.
Example
The following command activates IGMP snooping:
enable igmpsnooping
Equivalent Command
set ip igmp snoopingstatus=enabled
For information, refer to “SET IP IGMP” on page 352.
SET IP IGMP
Syntax
set ip igmp [snoopingstatus=enabled|disabled]
[hoststatus=singlehost|multihost] [timeout=value]
[numbermulticastgroups=value]
[routerport=port|all|none|auto]
Parameters
snoopingstatus
Activates and deactivates IGMP snooping
on the switch. The options are:
enabled
Activates IGMP snooping.
disabled
Deactivates IGMP snooping.
This is the default setting.
hoststatus
Specifies the IGMP host node topology.
Options are:
singlehost
Activates the Single-Host/Port
setting, which is appropriate
when there is only one host
node connected to a port on
the switch. This is the default
setting.
multihost
Activates the Multi-Host
setting, which is appropriate if
there is more than one host
node connected to a switch
port.
timeout
Specifies the time period in seconds at
which the switch determines that a host
node is inactive. An inactive host node is a
node that has not sent an IGMP report
during the specified time interval. The range
is from 0 seconds to 86,400 seconds (24
hours). The default is 260 seconds. If you
set the timeout to zero (0), the timer never
times out, and the timeout interval is
essentially disabled.
This parameter also controls the time
interval used by the switch in determining
whether a multicast router is still active. The
switch makes the determination by watching
for queries from the router. If the switch does
not detect any queries from a multicast
router during the specified time interval, the
router is assumed to be no longer active on
the port.
The actual timeout may be ten seconds less
than the specified value. For example, a
setting of 25 seconds can result in the switch
classifying a host node or multicast router as
inactive after just 15 seconds. A setting of 10
seconds or less can result in the immediate
timeout of an inactive host node or router.
numbermulticastgroups
Specifies the maximum number of multicast
addresses the switch can learn. This
parameter is useful with networks that
contain a large number of multicast groups.
You can use the parameter to prevent the
switch’s MAC address table from filling up
with multicast addresses, leaving no room
for dynamic or static MAC addresses. The
range is 0 to 255 addresses; the default is
64 addresses.
Note
The combined maximum number of multicast address groups for
IGMP and MLD snooping cannot exceed 255.
routerport
Specifies the port(s) on the switch
connected to a multicast router. Options are:
port
Specifies the router port(s)
manually.
all
Specifies all of the switch ports.
none
Sets the mode to manual
without any router ports
specified.
auto
Activates auto-detect, where
the switch automatically
determines the ports with
multicast routers.
Description
This command configures the IGMP snooping parameters.
Examples
The following command activates IGMP snooping, sets the IGMP topology
to Multi-Host, and sets the timeout value to 120 seconds:
set ip igmp snoopingstatus=enabled hoststatus=multihost
timeout=120
The following command changes the topology to Single-Host:
set ip igmp hoststatus=singlehost
The following command disables IGMP snooping:
set ip igmp snoopingstatus=disabled
Equivalent Commands
disable igmpsnooping
For information, refer to “DISABLE IGMPSNOOPING” on page 350.
enable igmpsnooping
For information, refer to “ENABLE IGMPSNOOPING” on page 351.
SHOW IGMPSNOOPING
Syntax
show igmpsnooping
Parameters
None.
Description
This command displays the IGMP parameters. Figure 30 illustrates the
information that is displayed by this command.
IGMP Snooping Configuration:
IGMP Snooping Status ............... Disabled
Host Topology ...................... Single-Host/Port (Edge)
Host/Router Timeout Interval ....... 260 seconds
Maximum IGMP Multicast Groups ...... 64
Router Port(s) ..................... Auto Detect
Figure 30. SHOW IGMPSNOOPING Command
For an explanation of these parameters, refer to “SET IP IGMP” on
page 352.
Examples
The following command displays the current IGMP parameter settings:
show igmpsnooping
Equivalent Command
show ip igmp
For information, see “SHOW IP IGMP” on page 356.
SHOW IP IGMP
Syntax
show ip igmp [hostlist] [routerlist]
Parameters
hostlist
Displays a list of the multicast groups learned by
the switch, as well as the ports on the switch that
are connected to host nodes. This parameter
displays information only when there are active
host nodes.
routerlist
Displays the ports on the switch where multicast
routers are detected. This parameter displays
information only when there are active multicast
routers.
Description
This command displays the IGMP parameters. Figure 31 illustrates the
information that is displayed by this command without the optional
parameters.
IGMP Snooping Configuration:
IGMP Snooping Status ............... Disabled
Host Topology ...................... Single-Host/Port (Edge)
Host/Router Timeout Interval ....... 260 seconds
Maximum IGMP Multicast Groups ...... 64
Router Port(s) ..................... Auto Detect
Figure 31. SHOW IP IGMP Command
For an explanation of these parameters, refer to “SET IP IGMP” on
page 352.
An example of the information displayed by the HOSTLIST parameter is
shown in Figure 32.
Number of IGMP Multicast Groups: 1
MulticastGroup ......... 01:00:5E:00:01:01
VLAN ID ................ 1
Port/TrunkID ........... 6
HostIP ................. 172.16.10.51
Version ................ v2
Time ..................... 21
Figure 32. SHOW IP IGMP Command with HOSTLIST Parameter
The HOSTLIST parameter displays the following information:
• Number of IGMP Multicast Groups - The number of IGMP multicast
  groups with active host nodes on the switch.
• Multicast Group - The multicast address of the group.
• VLAN - The VID of the VLAN where the port or trunk is an untagged
  member.
• Port/Trunk - The port on the switch where the host node is connected.
  If the host node is connected to the switch through a trunk, the trunk ID
  number instead of the port number is displayed.
• HostIP - The IP address of the host node connected to the port.
• IGMP Ver. - The version of IGMP being used by the host.
• Exp. Time - The number of seconds remaining before the host is timed
  out if no further IGMP reports are received from it.
An example of the information displayed by the ROUTERLIST parameter
is shown in Figure 33.
VLAN ............ 1
Port/Trunk ID ... 14
RouterIP ........ 172.16.01.1
Figure 33. SHOW IP IGMP Command with ROUTERLIST Parameter
The ROUTERLIST parameter displays the following information:
• VLAN - The VID of the VLAN in which the port is an untagged member.
• Port/Trunk ID - The port on the switch where the multicast router is
  connected. If the switch learned the router on a port trunk, the trunk ID
  number instead of the port number is displayed.
• Router IP - The IP address of the multicast router.
Examples
The following command displays the current IGMP parameter settings:
show ip igmp
The following command displays a list of active host nodes connected to
the switch:
show ip igmp hostlist
The following command displays a list of active multicast routers:
show ip igmp routerlist
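A monitoring script that reads this command's output has to turn the HOSTLIST and ROUTERLIST listings back into records before it can check them. The following Python parser is an added example, not part of the AT-S63 software: the sample listings are constructed in the layout of Figures 32 and 33 (with a second group added) rather than captured from a switch, and parse_records and expiring_hosts are the example's own helpers, the latter for spotting hosts whose Exp. Time is about to run out.

```python
import re

# Added example (not AT-S63 code): a parser for the HOSTLIST and ROUTERLIST
# output shown in Figures 32 and 33.  The sample text is constructed in the
# figures' layout; it is not captured switch output.
HOSTLIST_SAMPLE = """\
Number of IGMP Multicast Groups: 2
MulticastGroup ......... 01:00:5E:00:01:01
VLAN ID ................ 1
Port/TrunkID ........... 6
HostIP ................. 172.16.10.51
Version ................ v2
Time ..................... 21
MulticastGroup ......... 01:00:5E:01:02:03
VLAN ID ................ 1
Port/TrunkID ........... 9
HostIP ................. 172.16.10.77
Version ................ v2
Time ..................... 250
"""

ROUTERLIST_SAMPLE = """\
VLAN ............ 1
Port/Trunk ID ... 14
RouterIP ........ 172.16.01.1
"""

# A 'Label ..... value' line: label, two or more dots, value.
DOTTED = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")
COUNT = re.compile(r"^Number of IGMP Multicast Groups:\s*(\d+)", re.M)

def parse_records(text: str, first_label: str):
    """Group dotted lines into dicts; a new record starts at every line whose
    label equals first_label (the first field printed for each entry)."""
    records, current = [], None
    for line in text.splitlines():
        m = DOTTED.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if label == first_label:
            current = {}
            records.append(current)
        if current is not None:
            current[label] = value
    return records

def parse_hostlist(text: str):
    """Returns (declared group count or None, list of host records)."""
    m = COUNT.search(text)
    count = int(m.group(1)) if m else None
    return count, parse_records(text, "MulticastGroup")

def parse_routerlist(text: str):
    return parse_records(text, "VLAN")

def expiring_hosts(records, within_seconds: int):
    """HostIP of every host whose remaining Time is at or below the limit."""
    return [r["HostIP"] for r in records if int(r["Time"]) <= within_seconds]

if __name__ == "__main__":
    count, hosts = parse_hostlist(HOSTLIST_SAMPLE)
    print(count == len(hosts), expiring_hosts(hosts, 30))   # True ['172.16.10.51']
    print(parse_routerlist(ROUTERLIST_SAMPLE))
```

Comparing the declared group count with the number of records parsed is a cheap guard against truncated output; a host that keeps showing up with a small Exp. Time while the group is still wanted is usually a sign that its reports are not reaching the switch, which is worth checking before raising the timeout.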
Equivalent Command
show igmpsnooping
This command does not display the router and host lists. For information,
see “SHOW IGMPSNOOPING” on page 355.
Chapter 22
MLD Snooping Commands
This chapter contains the following commands:
• “DISABLE MLDSNOOPING” on page 360
• “ENABLE MLDSNOOPING” on page 361
• “SET IPV6 MLDSNOOPING” on page 362
• “SHOW MLDSNOOPING” on page 364
• “SHOW IPV6 MLDSNOOPING” on page 366
Note
Remember to use the SAVE CONFIGURATION command to save
your changes on the switch.
Note
For background information on this feature, refer to Chapter 19,
“MLD Snooping” in the AT-S63 Management Software Menus
Interface User’s Guide.
Chapter 22: MLD Snooping Commands
DISABLE MLDSNOOPING
Syntax
disable mldsnooping
Parameters
None.
Description
This command deactivates MLD snooping on the switch.
Example
The following command deactivates MLD snooping:
disable mldsnooping
Equivalent Command
set ipv6 mldsnooping snoopingstatus=disabled
For information, refer to “SET IPV6 MLDSNOOPING” on page 362.
ENABLE MLDSNOOPING
Syntax
enable mldsnooping
Parameters
None.
Description
This command activates MLD snooping on the switch.
Example
The following command activates MLD snooping:
enable mldsnooping
Equivalent Command
set ipv6 mldsnooping snoopingstatus=enabled
For information, refer to “SET IPV6 MLDSNOOPING” on page 362.
SET IPV6 MLDSNOOPING
Syntax
set ipv6 mldsnooping [snoopingstatus=enabled|disabled]
[hoststatus=singlehost|multihost] [timeout=value]
[numbermulticastgroups=value]
[routerport=port|all|none|auto]
Parameters
snoopingstatus
Activates and deactivates MLD snooping on
the switch. The options are:
enabled
Activates MLD snooping.
disabled
Deactivates MLD snooping.
This is the default setting.
hoststatus
Specifies the MLD host node topology.
Options are:
singlehost
Activates the Single-Host/Port
setting, which is appropriate
when there is only one host
node connected to a port on
the switch. This is the default
setting.
multihost
Activates the Multi-Host
setting, which is appropriate if
there is more than one host
node connected to a switch
port.
timeout
Specifies the time period, in seconds, used
by the switch in determining inactive host
nodes. An inactive host node is a node that
has not sent an MLD report during the
specified time interval. The range is 1 to
86,400 seconds (24 hours); the default is
260 seconds.
numbermulticastgroups
Specifies the maximum number of multicast
addresses the switch learns. This parameter
is useful with networks that contain a large
number of multicast groups. You can use
the parameter to prevent the switch’s MAC
address table from filling up with multicast
addresses, leaving no room for dynamic or
static MAC addresses. The range is 1 to 255
addresses; the default is 64 addresses.
Note
The combined number of multicast address groups for IGMP and
MLD snooping cannot exceed 255.
routerport
Specifies the port(s) on the switch
connected to a multicast router. Options are:
port
Specifies the router port(s)
manually.
all
Specifies all of the switch ports.
none
Sets the mode to manual
without any router ports
specified.
auto
Activates auto-detect, where
the switch automatically
determines the ports with
multicast routers.
Description
This command configures the MLD snooping parameters.
Example
The following command activates MLD snooping, sets the MLD topology
to Multi-Host, and sets the timeout value to 120 seconds:
set ipv6 mldsnooping snoopingstatus=enabled
hoststatus=multihost timeout=120
The following command changes the topology to Single-Host:
set ipv6 mldsnooping hoststatus=singlehost
The following command disables MLD snooping:
set ipv6 mldsnooping snoopingstatus=disabled
Equivalent Commands
disable mldsnooping
For information, see “DISABLE MLDSNOOPING” on page 360.
enable mldsnooping
For information, see “ENABLE MLDSNOOPING” on page 361.
SHOW MLDSNOOPING
Syntax
show mldsnooping
Parameters
None.
Description
This command displays the following MLD parameters:
• MLD snooping status
• Multicast host topology
• Host/router timeout interval
• Maximum multicast groups
• Host and router lists
To set the MLD parameters, refer to “SET IPV6 MLDSNOOPING” on
page 362.
This command displays the information in Figure 34.
MLD Snooping Configuration:
MLD Snooping Status ................ Enabled
Host Topology ...................... Single-Host/Port (Edge)
Host/Router Timeout Interval ....... 260 seconds
Maximum MLD Multicast Groups ....... 64
Router Port(s) ..................... Auto Detect
Host List:
Number of MLD Multicast Groups: 1
MulticastGroup     VLAN ID  Port/TrunkID  HostIP                                   Exp. Time
------------------------------------------------------------------------------------------
33:33:00:00:00:ab  1        6             fe80:0000:0000:0000:0208:74ff:feff:bf08  21
Router List:
VLAN  Port/Trunk ID  RouterIP
------------------------------------------------------------------------------------------
1     14             fe80:0000:0000:0000:0200:cdff:fe12:bf08
Figure 34. SHOW MLDSNOOPING Command
The parameters in the MLD Snooping Configuration section are explained
“SET IPV6 MLDSNOOPING” on page 362.
AT-S63 Management Software Command Line Interface User’s Guide
The Host List section displays the following information:
- Multicast Group - The multicast address of the group.
- VLAN - The VID of the VLAN where the port is an untagged member.
- Port/TrunkID - The port on the switch where the host node is connected. If the host node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.
- HostIP - The IP address of the host node connected to the port.
- Exp. Time - The number of seconds remaining before the host is timed out if no further MLD reports are received from it.
The Router List section displays this information:
- VLAN - The VID of the VLAN in which the port is an untagged member.
- Port/Trunk ID - The port on the switch where the multicast router is connected. If the switch learned the router on a port trunk, the trunk ID number, not the port number, is displayed.
- Router IP - The IP address of the multicast router.
Example
The following command displays the current MLD parameter settings,
along with the host and router lists:
show mldsnooping
Equivalent Command
show ipv6 mldsnooping hostlist routerlist
For information, see “SHOW IPV6 MLDSNOOPING” on page 366.
SHOW IPV6 MLDSNOOPING
Syntax
show ipv6 mldsnooping [hostlist] [routerlist]
Parameters
hostlist
Displays a list of the multicast groups learned by
the switch, as well as the ports on the switch that
are connected to host nodes. This parameter
displays information only when there are active
host nodes.
routerlist
Displays the ports on the switch where multicast
routers are detected. This parameter displays
information only when there are active multicast
routers.
Description
This command displays the following MLD parameters:
- MLD snooping status
- Multicast host topology
- Host/router timeout interval
- Maximum multicast groups
- Multicast router port(s)
- Host and router lists
For instructions on how to set the MLD parameters, refer to “SET IPV6
MLDSNOOPING” on page 362.
This command without optional parameters displays the information in
Figure 35.
MLD Snooping Configuration:
 MLD Snooping Status ................ Enabled
 Host Topology ...................... Single-Host/Port (Edge)
 Host/Router Timeout Interval ....... 260 seconds
 Maximum MLD Multicast Groups ....... 64
 Router Port(s) ..................... Auto Detect
Figure 35. SHOW IPV6 MLDSNOOPING Command
Refer to “SET IPV6 MLDSNOOPING” on page 362 for an explanation of
the parameters.
The HOSTLIST option displays the information in Figure 36.
Host List:
 Number of MLD Multicast Groups: 1
 MulticastGroup     VLAN ID  Port/TrunkID  HostIP                                   Exp. Time
 ------------------------------------------------------------------------------------------
 33:33:00:00:00:ab  1        6             fe80:0000:0000:0000:0208:74ff:feff:bf08  21
Figure 36. SHOW IPV6 MLDSNOOPING Command with HOSTLIST Option
The information is described here:
- Multicast Group - The multicast address of the group.
- VLAN - The VID of the VLAN where the port is an untagged member.
- Port/TrunkID - The port on the switch where the host node is connected. If the host node is connected to the switch through a trunk, the trunk ID number, not the port number, is displayed.
- HostIP - The IP address of the host node connected to the port.
- Exp. Time - The number of seconds remaining before the host is timed out if no further MLD reports are received from it.
The ROUTERLIST option displays the information in Figure 37.
Router List:
 VLAN  Port/Trunk ID  RouterIP
 ---------------------------------------------------------------
 1     14             fe80:0000:0000:0000:0200:cdff:fe12:bf08
Figure 37. SHOW IPV6 MLDSNOOPING Command with ROUTERLIST Option
The information displayed by the option is described here:
- VLAN - The VID of the VLAN in which the port is an untagged member.
- Port/Trunk ID - The port on the switch where the multicast router is connected. If the switch learned the router on a port trunk, the trunk ID number, not the port number, is displayed.
- Router IP - The IP address of the multicast router.
Examples
The following command displays the current MLD parameter settings:
show ipv6 mldsnooping
The following command displays a list of active host nodes connected to
the switch:
show ipv6 mldsnooping hostlist
The following command displays a list of active multicast routers:
show ipv6 mldsnooping routerlist
Equivalent Command
show mldsnooping
For information, see “SHOW MLDSNOOPING” on page 364.
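With Router Port(s) left at Auto Detect, the switch learns a multicast router port from whatever device sends router traffic, so the Router List of SHOW MLDSNOOPING and SHOW IPV6 MLDSNOOPING ROUTERLIST is worth comparing against the ports where routers are actually expected. The following is an added example, not Allied Telesyn code: it parses the configuration block, host list and router list in the layout of Figures 34, 36 and 37 and reports router entries that are not on an allow-list. The sample output is constructed to match those figures, and the allow-list and function names are assumptions.

```python
"""Parse SHOW MLDSNOOPING / SHOW IPV6 MLDSNOOPING output and flag learned
multicast router ports that are not on an allow-list.

Added example, not Allied Telesyn code. SAMPLE_OUTPUT is constructed to
follow the layout of Figures 34, 36 and 37, not captured from a switch.
"""
import re

SAMPLE_OUTPUT = """\
MLD Snooping Configuration:
 MLD Snooping Status ................ Enabled
 Host Topology ...................... Single-Host/Port (Edge)
 Host/Router Timeout Interval ....... 260 seconds
 Maximum MLD Multicast Groups ....... 64
 Router Port(s) ..................... Auto Detect

Host List:
 Number of MLD Multicast Groups: 1
 MulticastGroup     VLAN ID  Port/TrunkID  HostIP                                   Exp. Time
 ------------------------------------------------------------------------------------------
 33:33:00:00:00:ab  1        6             fe80:0000:0000:0000:0208:74ff:feff:bf08  21

Router List:
 VLAN  Port/Trunk ID  RouterIP
 ---------------------------------------------------------------
 1     14             fe80:0000:0000:0000:0200:cdff:fe12:bf08
"""

# "Label .......... value" lines of the configuration block.
SETTING = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.+?)\s*$")


def parse_show_mldsnooping(text):
    """Return {'config': {label: value}, 'hosts': [...], 'routers': [...]}."""
    result = {"config": {}, "hosts": [], "routers": []}
    section, in_rows = None, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":"):           # section header
            section, in_rows = stripped[:-1], False
            continue
        if section == "MLD Snooping Configuration":
            m = SETTING.match(line)
            if m:
                result["config"][m.group(1)] = m.group(2)
        elif set(stripped) == {"-"}:         # rule under the column headers
            in_rows = True
        elif in_rows:
            f = stripped.split()
            if section == "Host List" and len(f) == 5:
                result["hosts"].append({"group": f[0], "vlan": int(f[1]),
                                        "port": int(f[2]), "host_ip": f[3],
                                        "expiry": int(f[4])})
            elif section == "Router List" and len(f) == 3:
                result["routers"].append({"vlan": int(f[0]), "port": int(f[1]),
                                          "router_ip": f[2]})
    return result


def unexpected_router_ports(parsed, allowed):
    """Router entries whose (VLAN, port/trunk ID) pair is not in `allowed`.
    With Router Port(s) set to Auto Detect, any port that carries MLD router
    traffic is learned, so an unexpected entry is worth investigating."""
    return [r for r in parsed["routers"] if (r["vlan"], r["port"]) not in allowed]
```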
Chapter 23
RRP Snooping Commands
This chapter contains the following commands:
- “DISABLE RRPSNOOPING” on page 370
- “ENABLE RRPSNOOPING” on page 371
- “SHOW RRPSNOOPING” on page 372
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 20,
“RRP Snooping” in the AT-S63 Management Software Menus
Interface User’s Guide.
DISABLE RRPSNOOPING
Syntax
disable rrpsnooping
Parameters
None.
Description
This command disables RRP snooping. This is the default setting.
Example
The following command disables RRP snooping:
disable rrpsnooping
ENABLE RRPSNOOPING
Syntax
enable rrpsnooping
Parameters
None.
Description
This command enables RRP snooping.
Example
The following command activates RRP snooping on the switch:
enable rrpsnooping
SHOW RRPSNOOPING
Syntax
show rrpsnooping
Parameter
None.
Description
This command displays the status of RRP snooping, enabled or disabled.
Example
The following command displays the status of RRP snooping:
show rrpsnooping
Section IV
SNMPv3
The chapter in this section contains the commands for SNMPv3. The
chapter is:
- Chapter 24, “SNMPv3 Commands” on page 375
Chapter 24
SNMPv3 Commands
This chapter contains the following commands:
- “ADD SNMPV3 USER” on page 377
- “CREATE SNMPV3 ACCESS” on page 379
- “CREATE SNMPV3 COMMUNITY” on page 382
- “CREATE SNMPV3 GROUP” on page 384
- “CREATE SNMPV3 NOTIFY” on page 386
- “CREATE SNMPV3 TARGETADDR” on page 388
- “CREATE SNMPV3 TARGETPARAMS” on page 390
- “CREATE SNMPV3 VIEW” on page 392
- “DELETE SNMPV3 USER” on page 394
- “DESTROY SNMPv3 ACCESS” on page 395
- “DESTROY SNMPv3 COMMUNITY” on page 397
- “DESTROY SNMPv3 GROUP” on page 398
- “DESTROY SNMPv3 NOTIFY” on page 399
- “DESTROY SNMPv3 TARGETADDR” on page 400
- “DESTROY SNMPv3 TARGETPARMS” on page 401
- “DESTROY SNMPV3 VIEW” on page 402
- “PURGE SNMPV3 ACCESS” on page 403
- “PURGE SNMPV3 COMMUNITY” on page 404
- “PURGE SNMPV3 NOTIFY” on page 405
- “PURGE SNMPV3 TARGETADDR” on page 406
- “PURGE SNMPV3 VIEW” on page 407
- “SET SNMPV3 ACCESS” on page 408
- “SET SNMPV3 COMMUNITY” on page 410
- “SET SNMPV3 GROUP” on page 412
- “SET SNMPV3 NOTIFY” on page 414
- “SET SNMPV3 TARGETADDR” on page 416
- “SET SNMPV3 TARGETPARAMS” on page 418
- “SET SNMPV3 USER” on page 420
- “SET SNMPV3 VIEW” on page 422
- “SHOW SNMPV3 ACCESS” on page 424
- “SHOW SNMPV3 COMMUNITY” on page 425
- “SHOW SNMPv3 GROUP” on page 426
- “SHOW SNMPV3 NOTIFY” on page 427
- “SHOW SNMPV3 TARGETADDR” on page 428
- “SHOW SNMPV3 TARGETPARAMS” on page 429
- “SHOW SNMPV3 USER” on page 430
- “SHOW SNMPV3 VIEW” on page 431
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 21,
“SNMPv3” in the AT-S63 Management Software Menus Interface
User’s Guide.
ADD SNMPV3 USER
Syntax
add snmpv3 user=user [authentication=md5|sha]
authpassword=password privpassword=password
[storagetype=volatile|nonvolatile]
Parameters
user
Specifies the name of an SNMPv3 user, up to 32
alphanumeric characters.
authentication
Specifies the authentication protocol that is used to
authenticate this user with an SNMP entity
(manager or NMS). If you do not specify an
authentication protocol, this parameter is
automatically set to None. The options are:
md5
The MD5 authentication protocol.
SNMPv3 Users are authenticated
with the MD5 authentication protocol
after a message is received.
sha
The SHA authentication protocol.
Users are authenticated with the
SHA authentication protocol after a
message is received.
Note: You must specify the
authentication protocol before you
specify the authentication password.
authpassword
Specifies a password for the authentication
protocol, up to 32 alphanumeric characters. If you
specify an authentication protocol, then you must
configure an authentication protocol password.
privpassword
Specifies a password for the 3DES privacy, or
encryption protocol, up to 32 alphanumeric
characters. This is an optional parameter.
Note: If you specify a privacy password, the privacy
protocol is set to DES. You must also specify an
authentication protocol and password.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 User Table entry.
Examples
The following command creates an SNMPv3 user with the name
“steven142” with an authentication protocol of MD5, an authentication
password of “99doublesecret12”, a privacy password of “encrypt178” and
a storage type of nonvolatile.
add snmpv3 user=steven142 authentication=md5 authpassword=99doublesecret12 privpassword=encrypt178 storagetype=nonvolatile
The following command creates an SNMPv3 user with the name “77hoa”
an authentication protocol of SHA, an authentication password of
“youvegottobekidding88” and a storage type of nonvolatile.
add snmpv3 user=77hoa authentication=sha authpassword=youvegottobekidding88 storagetype=nonvolatile
CREATE SNMPV3 ACCESS
Syntax
create snmpv3 access=access [securitymodel=v1|v2c|v3]
[securitylevel=noauthentication|authentication|
privacy] readview=readview writeview=writeview
notifyview=notifyview [storagetype=volatile|nonvolatile]
Parameters
access
Specifies the name of the security group, up to 32
alphanumeric characters.
securitymodel
Specifies the security model. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
securitylevel
Specifies the security level. The options are:
noauthentication
This option provides no
authentication protocol and no
privacy protocol.
authentication
This option provides an
authentication protocol, but no
privacy protocol.
privacy
This option provides an authentication protocol and
the privacy protocol.
readview
Specifies a Read View Name that allows the users
assigned to this Group Name to view the
information specified by the View Table entry. This
is an optional parameter. If you do not assign a
value to this parameter, then the readview
parameter defaults to none.
writeview
Specifies a Write View Name that allows the users
assigned to this Security Group to write, or modify,
the information in the specified View Table. This is
an optional parameter. If you do not assign a value
to this parameter, then the writeview parameter
defaults to none.
notifyview
Specifies a Notify View Name that allows the users
assigned to this Group Name to send traps
permitted in the specified View. This is an optional
parameter. If you do not assign a value to this
parameter, then the notifyview parameter defaults to
none.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 Access Table entry.
Examples
The following command creates a security group called “testengineering”
with a security model of SNMPv3 and a security level of privacy. The
security group has a read view named “internet,” a write view named
private, and a notify view named “internet.” The storage type is nonvolatile
storage.
create snmpv3 access=testengineering securitymodel=v3 securitylevel=privacy readview=internet writeview=private notifyview=internet storagetype=nonvolatile
The following command creates a security group called “swengineering”
with a security model of SNMPv3 and a security level of authentication. In
addition, the security group has a read view named “internet,” a write view
named experimental, and a notify view named “mgmt” (management).
The storage type group is nonvolatile storage.
create snmpv3 access=swengineering securitymodel=v3 securitylevel=authentication readview=internet writeview=experimental notifyview=mgmt storagetype=nonvolatile
The following command creates a security group called “hwengineering”
with a security model of SNMPv3 and a security level of noauthentication.
In addition, the security group has a read view named “internet.”
create snmpv3 access=hwengineering securitymodel=v3 securitylevel=noauthentication readview=internet
Note
In the above example, the storage type has not been specified. As a
result, the storage type for the hwengineering security group is
volatile storage.
CREATE SNMPV3 COMMUNITY
Syntax
create snmpv3 community index=index
communityname=communityname securityname=securityname
transporttag=transporttag
[storagetype=volatile|nonvolatile]
Parameters
index
Specifies the name of this SNMPv3 Community
Table entry, up to 32 alphanumeric characters.
communityname
Specifies a password for this community entry, up to
32 alphanumeric characters.
securityname
Specifies the name of an SNMPv1 and SNMPv2
user, up to 32 alphanumeric characters.
transporttag
Specifies the transport tag, up to 32 alphanumeric
characters. This is an optional parameter.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 Community Table entry.
Examples
The following command creates an SNMP community with an index of
1213 and a community name of “sunnyvale145.” The user is “chitra34”
and the transport tag is “testengtag.” The storage type for this community
is nonvolatile storage.
create snmpv3 community index=1213 communityname=sunnyvale145 securityname=chitra34 transporttag=testengtag storagetype=nonvolatile
The following command creates an SNMP community with an index of 95
and a community name of “12sacramento49.” The user is “regina” and the
transport tag “trainingtag.” The storage type for this community is
nonvolatile storage.
create snmpv3 community index=95 communityname=12sacramento49 securityname=regina transporttag=trainingtag storagetype=nonvolatile
CREATE SNMPV3 GROUP
Syntax
create snmpv3 group username=username
[securitymodel=v1|v2c|v3] groupname=groupname
[storagetype=volatile|nonvolatile]
Parameter
username
Specifies a user name configured in the SNMPv3
User Table.
securitymodel
Specifies the security model of the above user
name. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
groupname
Specifies a group name configured in the SNMPv3
Access Table with the access parameter. See
“CREATE SNMPV3 ACCESS” on page 379.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 SecurityToGroup Table entry.
Examples
The following command creates the SNMPv3 SecurityToGroup Table
entry for a user named Nancy. The security model is set to the SNMPv3
protocol. The group name, or security group, for this user is the “admin”
group. The storage type is set to nonvolatile storage.
create snmpv3 group username=Nancy securitymodel=v3 groupname=admin storagetype=nonvolatile
The following command creates the SNMPv3 SecurityToGroup Table
entry for a user named princess. The security model is set to the SNMPv3
protocol. The group name, or security group, for this user is the “training”
group. The storage type is set to nonvolatile storage.
create snmpv3 group username=princess securitymodel=v3 groupname=training storagetype=nonvolatile
CREATE SNMPV3 NOTIFY
Syntax
create snmpv3 notify=notify tag=tag [type=trap|inform]
[storagetype=volatile|nonvolatile]
Parameters
notify
Specifies the name of an SNMPv3 Notify Table
entry, up to 32 alphanumeric characters.
tag
Specifies the notify tag name, up to 32
alphanumeric characters. This is an optional
parameter.
type
Specifies the message type. This is an optional
parameter. The options are:
trap
Trap messages are sent, with no
response expected from another entity
(NMS or manager). This is the default.
inform
Inform messages are sent, with a
response expected from another entity
(NMS or manager).
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 Notify Table entry.
Examples
The following command creates the SNMPv3 Notify Table entry called
“testengtrap1” and the notify tag is “testengtag1.” The message type is
defined as a trap message and the storage type for this entry is nonvolatile
storage.
create snmpv3 notify=testengtrap1 tag=testengtag1 type=trap storagetype=nonvolatile
The following command creates the SNMPv3 Notify Table entry called
“testenginform5” and the notify tag is “testenginformtag5.” The message
type is defined as an inform message and the storage type for this entry is
nonvolatile storage.
create snmpv3 notify=testenginform5 tag=testenginformtag5 type=inform storagetype=nonvolatile
CREATE SNMPV3 TARGETADDR
Syntax
create snmpv3 targetaddr=targetaddr params=params
ipaddress=ipaddress udpport=udpport timeout=timeout
retries=retries taglist=taglist
[storagetype=volatile|nonvolatile]
Parameters
targetaddr
Specifies the name of the SNMP manager, or host,
that manages the SNMP activity on the switch, up to
32 alphanumeric characters.
params
Specifies the target parameters name, up to 32
alphanumeric characters.
ipaddress
Specifies the IP address of the host.
udpport
Specifies the UDP port in the range of 0 to 65535.
The default UDP port is 162. This is an optional
parameter.
timeout
Specifies the timeout value in milliseconds. The
range is 0 to 2,147,483,647 milliseconds, and the
default is 1500 milliseconds. This is an optional
parameter.
retries
Specifies the number of times the switch resends
an inform message. The default is 3. This is an
optional parameter.
taglist
Specifies a tag or list of tags, up to 256
alphanumeric characters. Use a space to separate
entries. This is an optional parameter.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 Target Address Table entry.
Examples
In the following command, the name of the Target Address Table entry is
“snmphost1.” In addition, the params parameter is assigned to
“snmpv3manager” and the IP address is 198.1.1.1. The tag list consists of
“swengtag,” “hwengtag,” and “testengtag.” The storage type for this table
entry is nonvolatile storage.
create snmpv3 targetaddr=snmphost1 params=snmpv3manager ipaddress=198.1.1.1 taglist=swengtag hwengtag testengtag storagetype=nonvolatile
In the following command, the name of the Target Address Table entry is
snmphost99. The params parameter is “snmpmanager7” and the IP
address is 198.1.2.2. The tag list is “trainingtag.” The storage type for this
table entry is nonvolatile storage.
create snmpv3 targetaddr=snmphost99 params=snmpmanager7 ipaddress=198.1.2.2 taglist=trainingtag storagetype=nonvolatile
CREATE SNMPV3 TARGETPARAMS
Syntax
create snmpv3 targetparams=targetparams username=username
[securitymodel=v1|v2c|v3] [messageprocessing=v1|v2c|v3]
[securitylevel=noauthentication|authentication|
privacy] [storagetype=volatile|nonvolatile]
Parameters
targetparams
Specifies the name of the SNMPv3 Target
Parameters Table entry, up to 32 alphanumeric
characters.
username
Specifies a user name configured in the SNMPv3
User Table.
securitymodel
Specifies the security model of the above user
name. The options are:
v1
Associates the User Name, or Security
Name, with the SNMPv1 protocol.
v2c
Associates the User Name, or Security
Name, with the SNMPv2c protocol.
v3
Associates the User Name, or Security
Name, with the SNMPv3 protocol.
messageprocessing
Specifies the SNMP protocol that is used to
process, or send messages. Configure this
parameter only if you have selected the SNMPv1 or
SNMPv2c protocols as the security model. If you
have selected the SNMPv3 protocol as the security
model, message processing is automatically set to
the SNMPv3 protocol. The options are:
v1
Messages are processed with the SNMPv1
protocol.
v2c
Messages are processed with the SNMPv2c
protocol.
v3
Messages are processed with the SNMPv3
protocol.
securitylevel
Specifies the security level. The options are:
noauthentication
This option provides no
authentication protocol and no
privacy protocol.
authentication
This option provides an
authentication protocol, but no
privacy protocol.
privacy
This option provides an
authentication protocol and the
privacy protocol.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 Target Parameters Table entry.
Examples
In the following command, the Target Parameters Table entry is called
“snmpv3mgr13” and user name is “user444.” The security model is set to
the SNMPv3 protocol. In addition, the security level is set to privacy and
the storage type is nonvolatile.
create snmpv3 targetparams=snmpv3mgr13 username=user444 securitymodel=v3 securitylevel=privacy storagetype=nonvolatile
In the following command, the Target Parameters Table entry is called
“snmpmanager” and the user name is “pat365.” The security model is set
to SNMPv3 protocol. In addition, the security level is set to authentication
and the storage type is nonvolatile.
create snmpv3 targetparams=snmpmanager username=pat365 securitymodel=v3 securitylevel=authentication storagetype=nonvolatile
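Because the switch accepts a user with no authentication protocol, an access group at security level noauthentication, and target parameters whose level the named user cannot actually provide, it is worth checking a planned set of these commands before entering them. The following is an added example, not Allied Telesyn code: it parses add snmpv3 user, create snmpv3 access, create snmpv3 targetparams and create snmpv3 targetaddr command lines (including the space-separated taglist) and reports settings that leave SNMP traffic unauthenticated or unencrypted, out-of-range udpport and timeout values, and references to undefined users or target parameters. The sample command list, the function names and the treatment of a missing securitylevel as noauthentication are assumptions.

```python
"""Audit AT-S63 SNMPv3 CLI commands for weak or inconsistent settings.
Added example, not Allied Telesyn code; it applies constraints stated in the
ADD SNMPV3 USER, CREATE SNMPV3 ACCESS, CREATE SNMPV3 TARGETPARAMS and
CREATE SNMPV3 TARGETADDR references to a constructed command list."""
import re

# Names and passwords are limited to 32 alphanumeric characters.
ALNUM32 = re.compile(r"^[A-Za-z0-9]{1,32}$")

# Constructed sample: lines 1, 2, 4, 6 and 8 mirror the reference's own
# examples; 'guest', 'weakmgr' and 'badhost' are made up to trigger findings.
SAMPLE_CONFIG = """\
add snmpv3 user=steven142 authentication=md5 authpassword=99doublesecret12 privpassword=encrypt178 storagetype=nonvolatile
add snmpv3 user=77hoa authentication=sha authpassword=youvegottobekidding88 storagetype=nonvolatile
add snmpv3 user=guest
create snmpv3 access=testengineering securitymodel=v3 securitylevel=privacy readview=internet writeview=private notifyview=internet storagetype=nonvolatile
create snmpv3 access=hwengineering securitymodel=v3 securitylevel=noauthentication readview=internet
create snmpv3 targetparams=snmpv3mgr13 username=steven142 securitymodel=v3 securitylevel=privacy storagetype=nonvolatile
create snmpv3 targetparams=weakmgr username=77hoa securitymodel=v3 securitylevel=privacy
create snmpv3 targetaddr=snmphost1 params=snmpv3mgr13 ipaddress=198.1.1.1 taglist=swengtag hwengtag testengtag storagetype=nonvolatile
create snmpv3 targetaddr=badhost params=nosuchparams ipaddress=198.1.2.2 udpport=70000
"""


def parse_command(line):
    """Split 'verb snmpv3 <entry>=<name> key=value ...' into
    (verb, entry_kind, params). A token without '=' continues the previous
    value, which is how a space-separated TARGETADDR taglist is written."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[1].lower() != "snmpv3":
        return None
    params, last = {}, None
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            last = key.lower()
            params[last] = value
        elif last is not None:
            params[last] += " " + tok
    return tokens[0].lower(), tokens[2].split("=", 1)[0].lower(), params


def in_range(value, lo, hi):
    try:
        return lo <= int(value) <= hi
    except ValueError:
        return False


def audit(lines):
    """Return [(line_no, message), ...] in the order problems are found."""
    findings, users, targetparams = [], {}, set()
    for n, raw in enumerate(lines, 1):
        parsed = parse_command(raw.strip())
        if parsed is None:
            continue
        verb, kind, p = parsed
        # Assumption: the reference states no default, so a missing level is weakest.
        level = p.get("securitylevel", "noauthentication")
        if (verb, kind) == ("add", "user"):
            name, auth = p.get("user", ""), p.get("authentication")
            if not ALNUM32.match(name):
                findings.append((n, f"user {name!r}: name must be 1-32 alphanumeric characters"))
            if auth is None:  # the entry is created with authentication None
                findings.append((n, f"user {name!r}: no authentication protocol"))
            elif "authpassword" not in p:
                findings.append((n, f"user {name!r}: authentication set but no authpassword"))
            if "privpassword" in p and auth is None:
                findings.append((n, f"user {name!r}: privpassword needs an authentication protocol"))
            users[name] = (auth, "privpassword" in p)
        elif (verb, kind) == ("create", "access"):
            name = p.get("access", "")
            if p.get("securitymodel") in ("v1", "v2c"):
                findings.append((n, f"access {name!r}: SNMPv1/v2c model, users are not authenticated"))
            if level == "noauthentication":
                findings.append((n, f"access {name!r}: securitylevel noauthentication"))
        elif (verb, kind) == ("create", "targetparams"):
            name, uname = p.get("targetparams", ""), p.get("username", "")
            if uname not in users:
                findings.append((n, f"targetparams {name!r}: unknown user {uname!r}"))
            else:
                auth, has_priv = users[uname]
                if level != "noauthentication" and auth is None:
                    findings.append((n, f"targetparams {name!r}: user {uname!r} has no authentication"))
                if level == "privacy" and not has_priv:
                    findings.append((n, f"targetparams {name!r}: user {uname!r} has no privpassword"))
            if level != "privacy":
                findings.append((n, f"targetparams {name!r}: notifications are sent unencrypted"))
            targetparams.add(name)
        elif (verb, kind) == ("create", "targetaddr"):
            name = p.get("targetaddr", "")
            if p.get("params") not in targetparams:
                findings.append((n, f"targetaddr {name!r}: unknown params {p.get('params')!r}"))
            if not in_range(p.get("udpport", 162), 0, 65535):
                findings.append((n, f"targetaddr {name!r}: udpport outside 0-65535"))
            if not in_range(p.get("timeout", 1500), 0, 2147483647):
                findings.append((n, f"targetaddr {name!r}: timeout outside 0-2147483647 ms"))
    return findings
```

Running audit(SAMPLE_CONFIG.splitlines()) reports the unauthenticated user on line 3, the noauthentication access group on line 5, the privacy-level target parameters bound to a user without a privacy password on line 7, and the undefined params reference and out-of-range UDP port on line 9.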
CREATE SNMPV3 VIEW
Syntax
create snmpv3 view=view [subtree=OID|text] mask=mask
[type=included|excluded]
[storagetype=volatile|nonvolatile]
Parameters
view
Specifies the name of the view, up to 32
alphanumeric characters.
subtree
Specifies the view of the MIB Tree. The options are:
OID
A numeric value in hexadecimal
format.
text
Text name of the view.
mask
Specifies the subtree mask, in hexadecimal format.
type
Specifies the view type. This is an optional
parameter. The options are:
included
Permits a user to view the specified
subtree. This is the default.
excluded
Does not permit a user to view the
specified subtree.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command creates an SNMPv3 View Table entry.
Examples
The following command creates an SNMPv3 View Table entry called
“internet1” with a subtree value of the Internet MIBs and a view type of
included. The storage type for this table entry is nonvolatile storage.
create snmpv3 view=internet1 subtree=internet type=included storagetype=nonvolatile
The following command creates an SNMPv3 View Table entry called
“tcp1” with a subtree value of the TCP/IP MIBs and a view type of
excluded. The storage type for this table entry is nonvolatile storage.
create snmpv3 view=tcp1 subtree=tcp type=excluded storagetype=nonvolatile
DELETE SNMPV3 USER
Syntax
delete snmpv3 user=user
Parameters
user
Specifies the name of an SNMPv3 user to delete
from the switch.
Description
This command deletes an SNMPv3 User Table entry. After you delete an
SNMPv3 user from the switch, you cannot recover it.
Examples
The following command deletes the user named “wilson890.”
delete snmpv3 user=wilson890
The following command deletes the user named “75murthy75.”
delete snmpv3 user=75murthy75
DESTROY SNMPv3 ACCESS
Syntax
destroy snmpv3 access=access [securitymodel=v1|v2c|v3]
[securitylevel=noauthentication|authentication|
privacy]
Parameter
access
Specifies an SNMPv3 Access Table entry.
securitymodel
Specifies the security model of the user name
specified above. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
securitylevel
Specifies the security level. The options are:
noauthentication
This option provides no
authentication protocol and no
privacy protocol.
authentication
This option provides an
authentication protocol, but no
privacy protocol.
privacy
This option provides an
authentication protocol and the
privacy protocol.
Description
This command deletes an SNMPv3 Access Table entry. After you delete
an SNMPv3 Access Table entry, you cannot recover it.
Examples
The following command deletes the SNMPv3 Access Table entry called
“swengineering” with a security model of the SNMPv3 protocol and a
security level of authentication.
destroy snmpv3 access=swengineering securitymodel=v3 securitylevel=authentication
The following command deletes the SNMPv3 Access Table entry called
“testengineering” with a security model of the SNMPv3 protocol and a
security level of privacy.
destroy snmpv3 access=testengineering securitymodel=v3 securitylevel=privacy
DESTROY SNMPv3 COMMUNITY
Syntax
destroy snmpv3 community index=index
Parameter
index
Specifies the name of this SNMPv3 Community
Table entry, up to 32 alphanumeric characters.
Description
This command deletes an SNMPv3 Community Table entry. After you
delete an SNMPv3 Community Table entry, you cannot recover it.
Examples
The following command deletes an SNMPv3 Community Table entry with
an index of 1001.
destroy snmpv3 community index=1001
The following command deletes an SNMPv3 Community Table entry with
an index of 5.
destroy snmpv3 community index=5
DESTROY SNMPv3 GROUP
Syntax
destroy snmpv3 group username=username
[securitymodel=v1|v2c|v3]
Parameter
username
Specifies a user name configured in the SNMPv3
User Table.
securitymodel
Specifies the security model of the above user
name. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
Description
This command deletes an SNMPv3 SecurityToGroup Table entry. After
you delete an SNMPv3 SecurityToGroup Table entry, you cannot recover
it.
Examples
The following command deletes the SNMPv3 SecurityToGroup Table entry for a
user called Dave with a security model of the SNMPv3 protocol:
destroy snmpv3 group username=Dave securitymodel=v3
The following command deletes the SNMPv3 SecurityToGroup Table entry for a
user called May with a security model of the SNMPv3 protocol:
destroy snmpv3 group username=May securitymodel=v3
DESTROY SNMPv3 NOTIFY
Syntax
destroy snmpv3 notify=notify
Parameter
notify
Specifies an SNMPv3 Notify Table entry.
Description
This command deletes an SNMPv3 Notify Table entry. After you delete an
SNMPv3 Notify Table entry, you cannot recover it.
Examples
The following command deletes an SNMPv3 Notify Table entry called
“systemtestnotifytrap.”
destroy snmpv3 notify=systemtestnotifytrap
The following command deletes an SNMPv3 Notify Table entry called
“engineeringinform1.”
destroy snmpv3 notify=engineeringinform1
DESTROY SNMPv3 TARGETADDR
Syntax
destroy snmpv3 targetaddr=targetaddr
Parameter
targetaddr
Specifies an SNMPv3 Target Address table entry.
Description
This command deletes an SNMPv3 Target Address Table entry. After you
delete an SNMPv3 Target Address Table entry, you cannot recover it.
Example
The following command deletes an SNMPv3 Address Table entry called
“snmpmanager.”
destroy snmpv3 targetaddr=snmpmanager
DESTROY SNMPv3 TARGETPARMS
Syntax
destroy snmpv3 targetparams=targetparams
Parameter
targetparams
Specifies an SNMPv3 Target Parameters table
entry.
Description
This command deletes an SNMPv3 Target Parameters Table entry. After
you delete an SNMPv3 Target Parameters Table entry, you cannot
recover it.
Examples
The following command deletes the SNMPv3 Target Parameters Table
entry called “targetparameter1.”
destroy snmpv3 targetparams=targetparameter1
The following command deletes the SNMPv3 Target Parameters Table
entry called “snmpmanager.”
destroy snmpv3 targetparams=snmpmanager
DESTROY SNMPV3 VIEW
Syntax
destroy snmpv3 view=view [subtree=OID|text]
Parameters
view
Specifies the name of the view, up to 32
alphanumeric characters.
subtree
Specifies the view subtree. The options are:
OID
A numeric value in hexadecimal format.
text
Text name of the view.
Description
This command deletes an SNMPv3 View Table entry. After you delete an
SNMPv3 View Table entry, you cannot recover it.
Examples
The following command deletes the SNMPv3 View Table entry named
“experimental.” The subtree value of this table entry is experimental.
destroy snmpv3 view=experimental subtree=experimental
The following command deletes the SNMPv3 View Table entry named
“directory.” The subtree value of this table entry is 1.3.6.1.3.
destroy snmpv3 view=directory subtree=1.3.6.1.3
PURGE SNMPV3 ACCESS
Syntax
purge snmpv3 access
Parameters
None
Description
This command resets the SNMPv3 Access Table to its default value by
removing all the access table entries. To remove a single entry, use
“DESTROY SNMPv3 ACCESS” on page 395.
Example
The following example removes all the SNMPv3 Access Table entries:
purge snmpv3 access
PURGE SNMPV3 COMMUNITY
Syntax
purge snmpv3 community
Parameters
None
Description
This command resets the SNMPv3 Community Table to its default value
by removing all the community table entries. To remove a single entry, use
“DESTROY SNMPv3 COMMUNITY” on page 397.
Example
The following example removes all the SNMPv3 Community Table entries:
purge snmpv3 community
PURGE SNMPV3 NOTIFY
Syntax
purge snmpv3 notify
Parameters
None
Description
This command resets the SNMPv3 Notify Table to its default value by
removing all the notify table entries. To remove a single entry, use
“DESTROY SNMPv3 NOTIFY” on page 399.
Example
The following example removes all the entries from the SNMPv3 Notify
Table:
purge snmpv3 notify
PURGE SNMPV3 TARGETADDR
Syntax
purge snmpv3 targetaddr
Parameters
None
Description
This command resets the SNMPv3 Target Address Table to its default
values by removing all the target address table entries. To remove a single
entry, use “DESTROY SNMPv3 TARGETADDR” on page 400.
Example
The following example removes all the entries from the SNMPv3 Target
Address Table:
purge snmpv3 targetaddr
PURGE SNMPV3 VIEW
Syntax
purge snmpv3 view
Parameters
None
Description
This command resets the SNMPv3 View Table to its default values by
removing all the view table entries. To remove a single entry, use
“DESTROY SNMPV3 VIEW” on page 402.
Example
The following example removes all the entries from the SNMPv3 View
Table:
purge snmpv3 view
SET SNMPV3 ACCESS
Syntax
set snmpv3 access=access [securitymodel=v1|v2c|v3]
[securitylevel=noauthentication|authentication|
privacy] readview=readview writeview=writeview
notifyview=notifyview [storagetype=volatile|nonvolatile]
Parameters
access
Specifies the name of the group, up to 32
alphanumeric characters.
securitymodel
Specifies the security model. Options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
securitylevel
Specifies the security level. The options are:
noauthentication
This option provides no authentication
protocol and no privacy protocol.
authentication
This option provides an authentication
protocol, but no privacy protocol.
privacy
This option provides an authentication
protocol and the privacy protocol.
readview
Specifies a Read View Name that allows the users
assigned to this Group Name to view the
information specified by the View Table entry.
writeview
Specifies a Write View Name that allows the users
assigned to this Security Group to write, or modify,
the information in the specified View Table.
notifyview
Specifies a Notify View Name that allows the users
assigned to this Group Name to send traps
permitted in the specified View.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies an SNMPv3 Access Table entry.
Examples
The following command modifies the group called engineering. The new
read view is the Internet MIBs and the storage type is volatile storage.
set snmpv3 access=engineering securitymodel=v3
securitylevel=authentication readview=internet
storagetype=volatile
The following command modifies the group called training. The read view,
write view, and notify view are set to the Internet MIBs. The storage type is
nonvolatile storage.
set snmpv3 access=training securitymodel=v3
securitylevel=privacy readview=internet writeview=internet
notifyview=internet storagetype=nonvolatile
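The Access, SecurityToGroup and User tables only work together when their entries agree: a group mapping must name an existing user and an existing group, every view a group references must exist in the View Table, and a user mapped into a v3 group can only be served at the group's securitylevel if its own credentials (authpassword, privpassword) support that level. The following Python script is an added example, not part of this guide or of the AT-S63 software. It models the three tables as plain data and reports the mismatches. The class and function names (User, Access, Snmpv3Config, lint, example_config) and the finding texts are the example's own; the sample entries are constructed from the examples in this chapter, with two deliberate mistakes added.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Ordering of the securitylevel options described for SET SNMPV3 ACCESS.
LEVELS = {"noauthentication": 0, "authentication": 1, "privacy": 2}


@dataclass
class User:
    """One User Table entry (see SET SNMPV3 USER)."""
    name: str
    authentication: Optional[str] = None  # "md5", "sha" or None
    privpassword: bool = False            # a privacy password turns the privacy protocol on

    def level(self) -> str:
        """Highest security level these credentials can satisfy."""
        if self.privpassword:
            return "privacy"
        if self.authentication:
            return "authentication"
        return "noauthentication"


@dataclass
class Access:
    """One Access Table entry (the group this command modifies)."""
    name: str
    securitymodel: str
    securitylevel: str
    readview: Optional[str] = None
    writeview: Optional[str] = None
    notifyview: Optional[str] = None
    storagetype: str = "volatile"


@dataclass
class Snmpv3Config:
    users: Dict[str, User] = field(default_factory=dict)
    groups: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # username -> (securitymodel, groupname)
    access: Dict[str, Access] = field(default_factory=dict)           # groupname -> Access
    views: Set[str] = field(default_factory=set)                      # names present in the View Table


def lint(cfg: Snmpv3Config) -> List[str]:
    """Return sorted findings; an empty list means the three tables agree."""
    findings = []
    for acc in cfg.access.values():
        for role in ("readview", "writeview", "notifyview"):
            view = getattr(acc, role)
            if view is not None and view not in cfg.views:
                findings.append(f"access {acc.name}: {role}={view} is not in the View Table")
        if acc.writeview and acc.securitylevel == "noauthentication":
            findings.append(f"access {acc.name}: write view granted without authentication")
        if acc.storagetype == "volatile":
            findings.append(f"access {acc.name}: volatile entry cannot be saved to the configuration file")
    for username, (model, groupname) in cfg.groups.items():
        if username not in cfg.users:
            findings.append(f"group {groupname}: user {username} is not in the User Table")
            continue
        if groupname not in cfg.access:
            findings.append(f"user {username}: group {groupname} is not in the Access Table")
            continue
        acc = cfg.access[groupname]
        if model != acc.securitymodel:
            findings.append(f"user {username}: security model {model} differs from group {groupname} ({acc.securitymodel})")
        have = cfg.users[username].level()
        if model == "v3" and LEVELS[have] < LEVELS[acc.securitylevel]:
            findings.append(f"user {username}: credentials allow only {have}, group {groupname} requires {acc.securitylevel}")
    return sorted(findings)


def example_config() -> Snmpv3Config:
    """Constructed sample: groups and users from this chapter's examples plus two deliberate mistakes."""
    cfg = Snmpv3Config(views={"internet"})
    cfg.users["atiuser104"] = User("atiuser104", "md5", privpassword=True)
    cfg.users["nelvid"] = User("nelvid", "sha", privpassword=True)
    cfg.users["nancy28"] = User("nancy28", "sha")  # constructed: authentication only, no privacy password
    cfg.access["engineering"] = Access("engineering", "v3", "authentication", readview="internet")
    cfg.access["training"] = Access("training", "v3", "privacy", "internet", "internet", "internet", "nonvolatile")
    cfg.groups["atiuser104"] = ("v3", "training")
    cfg.groups["nancy28"] = ("v3", "training")     # mistake: the group requires privacy
    cfg.groups["nelvid"] = ("v3", "systemtest")    # mistake: no such group in the Access Table
    return cfg


if __name__ == "__main__":
    for finding in lint(example_config()):
        print(finding)
```

Run on the sample it reports three findings: the engineering group is volatile and will not survive a SAVE CONFIGURATION, nancy28 lacks a privacy password for the privacy-level training group, and nelvid is mapped to a group that was never created.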
SET SNMPV3 COMMUNITY
Syntax
set snmpv3 community index=index communityname=communityname
securityname=securityname transporttag=transporttag
[storagetype=volatile|nonvolatile]
Parameters
index
Specifies the name of this SNMPv3 Community
Table entry, up to 32 alphanumeric characters.
communityname
Specifies a password of this community, up to 32
alphanumeric characters.
securityname
Specifies the name of an SNMPv1 and SNMPv2
user, up to 32 alphanumeric characters.
transporttag
Specifies the transport tag, up to 32 alphanumeric
characters.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies an SNMPv3 Community Table entry.
Examples
The following command modifies the community table entry with an index
of 1001. The community has a password of “secretpassword98” and a
security name of “user451.” The transport tag is set to “sampletag4” and
the storage type is set to nonvolatile storage.
set snmpv3 community index=1001
communityname=secretpassword98 securityname=user451
transporttag=sampletag4 storagetype=nonvolatile
The following command modifies the community table entry with an index
of 52. The community has a password of “oldmiss71” and a security name
of “jjhuser234.” The transport tag is set to “testtag40.”
set snmpv3 community index=52 communityname=oldmiss71
securityname=jjhuser234 transporttag=testtag40
SET SNMPV3 GROUP
Syntax
set snmpv3 group username=username [securitymodel=v1|v2c|v3]
groupname=groupname [storagetype=volatile|nonvolatile]
Parameter
username
Specifies a user name configured in the SNMPv3
User Table.
securitymodel
Specifies the security model of the above user
name. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
groupname
Specifies a group name configured in the SNMPv3
Access Table.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table entry to the
configuration file on the switch. This is the default.
nonvolatile
Allows you to save the table entry to the
configuration file on the switch.
Description
This command modifies an SNMPv3 SecurityToGroup Table entry.
Examples
The following command modifies the SecurityToGroup Table entry with a
user name of “nancy28.” The security model is the SNMPv3 protocol, and
the group name is set to engineering.
set snmpv3 group username=nancy28 securitymodel=v3
groupname=engineering
The following command modifies the SecurityToGroup Table entry with a
user name of “nelvid.” The security model is the SNMPv3 protocol and the
group name “systemtest.”
set snmpv3 group username=nelvid securitymodel=v3
groupname=systemtest
SET SNMPV3 NOTIFY
Syntax
set snmpv3 notify=notify tag=tag [type=trap|inform]
[storagetype=volatile|nonvolatile]
Parameters
notify
Specifies the name associated with the trap
message, up to 32 alphanumeric characters.
tag
Specifies the notify tag name, up to 32
alphanumeric characters.
type
Specifies the message type. Options are:
trap
Trap messages are sent, with no
response expected from the host.
inform
Inform messages are sent, with a
response expected from the host.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies an SNMPv3 Notify Table entry.
Examples
The following command modifies an SNMPv3 Notify Table entry called
“systemtesttrap2.” The notify tag is “systemtesttag2” and the message
type is a trap message.
set snmpv3 notify=systemtesttrap2 tag=systemtesttag2
type=trap
The following command modifies an SNMPv3 Notify Table entry called
“systemtestinform5.” The notify tag is “systemtestinform5tag” and the
message type is an inform message.
set snmpv3 notify=systemtestinform5 tag=systemtestinform5tag
type=inform
SET SNMPV3 TARGETADDR
Syntax
set snmpv3 targetaddr=targetaddr params=params
ipaddress=ipaddress udpport=udpport timeout=timeout
retries=retries taglist=taglist
[storagetype=volatile|nonvolatile]
Parameters
targetaddr
Specifies the name of the SNMP entity (NMS or
manager) that manages the SNMP activity on the
switch, up to 32 alphanumeric characters.
params
Specifies the target parameters name, up to 32
alphanumeric characters. This is an optional
parameter.
ipaddress
Specifies the IP address of the host. This is an
optional parameter.
udpport
Specifies the UDP port in the range of 0 to 65535.
The default UDP port is 162. This is an optional
parameter.
timeout
Specifies the timeout value in milliseconds. The
range is 0 to 2,147,483,647 milliseconds, and the
default is 1500 milliseconds. This is an optional
parameter.
retries
Specifies the number of times the switch retries to
send an inform message. The default is 3. This is
an optional parameter.
taglist
Specifies a tag or list of tags, up to 256
alphanumeric characters. Use a space to separate
entries. This is an optional parameter.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies an SNMPv3 Target Address Table entry.
Examples
The following command modifies the Target Address Table entry with a
value of “snmphost.” The params parameter is set to “targetparameter7”
and the IP address is 198.1.1.1. The taglist is set to “systemtesttraptag”
and “systemtestinformtag.”
set snmpv3 targetaddr=snmphost params=targetparameter7
ipaddress=198.1.1.1 taglist=systemtesttraptag
systemtestinformtag
The following command modifies the Target Address Table entry with a
value of “host.” The params parameter is set to “targetparameter22” and
the IP address is 198.1.1.198. The taglist is set to “engineeringtraptag”
and “engineeringinformtag.”
set snmpv3 targetaddr=host params=targetparameter22
ipaddress=198.1.1.198 taglist=engineeringtraptag
engineeringinformtag
SET SNMPV3 TARGETPARAMS
Syntax
set snmpv3 targetparams=targetparams username=username
[securitymodel=v1|v2c|v3] [messageprocessing=v1|v2c|v3]
[securitylevel=noauthentication|authentication|
privacy] [storagetype=volatile|nonvolatile]
Parameters
targetparams
Specifies the target parameters name, up to 32
alphanumeric characters.
username
Specifies the user name.
securitymodel
Specifies the security model of the above user
name. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
messageprocessing
Specifies the SNMP protocol that is used to
process, or send messages. Configure this
parameter only if you have selected the SNMPv1 or
SNMPv2c protocols as the security model. If you
have selected the SNMPv3 protocol as the security
model, message processing is automatically set to
the SNMPv3 protocol. The options are:
v1
Messages are processed with the SNMPv1
protocol.
v2c
Messages are processed with the
SNMPv2c protocol.
v3
Messages are processed with the SNMPv3
protocol.
securitylevel
Specifies the security level. The options are:
noauthentication
This option provides no authentication
protocol and no privacy protocol.
authentication
This option provides an authentication
protocol, but no privacy protocol.
privacy
This option provides an authentication
protocol and the privacy protocol.
storagetype
Specifies the storage type of this table entry.
This is an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies a Target Parameters Table entry.
Examples
The following command modifies the Target Parameters Table entry called
“host23.” The user name is “user7990” and the security model is the
SNMPv3 protocol. The security level is set to the privacy level.
set snmpv3 targetparams=host23 username=user7990
securitymodel=v3 securitylevel=privacy
The following command modifies the Target Parameters Table entry called
“manager9”. The user name is “loan1” and the security model is the
SNMPv3 protocol. The security level is set to the authentication protocol.
set snmpv3 targetparams=manager9 username=loan1
securitymodel=v3 securitylevel=authentication
SET SNMPV3 USER
Syntax
set snmpv3 user=user [authentication=md5|sha]
authpassword=password privpassword=password
[storagetype=volatile|nonvolatile]
Parameters
user
Specifies the name of an SNMPv3 user, up to 32
alphanumeric characters.
authentication
Specifies the authentication protocol that is used to
authenticate this user with an SNMPv3 entity (or
NMS). The default is no authentication. The options
are:
md5
The MD5 authentication protocol.
Users are authenticated with the
MD5 authentication protocol after a
message is received.
sha
The SHA authentication protocol.
Users are authenticated with the
SHA authentication protocol after a
message is received.
authpassword
Specifies a password for the authentication
protocol, up to 32 alphanumeric characters.
privpassword
Specifies a password for the 3DES privacy, or
encryption protocol, up to 32 alphanumeric
characters. Configuring a privacy protocol
password, turns on the DES privacy protocol.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies an SNMPv3 User Table entry.
Examples
The following command modifies a User Table entry called “atiuser104”.
The authentication protocol is set to the MD5 protocol and the
authentication password is “atlanta45denver.” The DES privacy protocol is
on and the privacy password is “denvertoatlanta3.”
set snmpv3 user=atiuser104 authentication=md5
authpassword=atlanta45denver privpassword=denvertoatlanta3
The following command modifies a User Table entry called “atiuser104.”
The authentication protocol is set to the MD5 protocol and the
authentication password is “nycbostonwash56.” The privacy protocol is on
and the privacy password is “bostontoamherst7.” The storage type is set to
nonvolatile storage.
set snmpv3 user=atiuser104 authentication=md5
authpassword=nycbostonwash56 privpassword=bostontoamherst7
storagetype=nonvolatile
SET SNMPV3 VIEW
Syntax
set snmpv3 view=view [subtree=OID|text] mask=mask
[type=included|excluded]
[storagetype=volatile|nonvolatile]
Parameters
view
Specifies the name of the view, up to 32
alphanumeric characters.
subtree
Specifies the view subtree. Options are:
OID
A numeric value in hexadecimal format.
text
Text name of the view.
mask
Specifies the subtree mask, in hexadecimal format.
type
Specifies the view type. Options are:
included
Permits the user assigned to this View
Name to see the specified subtree.
excluded
Does not permit the user assigned
to this View Name to see the
specified subtree.
storagetype
Specifies the storage type of this table entry. This is
an optional parameter. The options are:
volatile
Does not allow you to save the table
entry to the configuration file on the
switch. This is the default.
nonvolatile
Allows you to save the table entry to
the configuration file on the switch.
Description
This command modifies an SNMPv3 View Table entry.
Examples
The following command modifies the view called “internet1.” The subtree
is set to the Internet MIBs and the view type is included.
set snmpv3 view=internet1 subtree=internet type=included
The following command modifies the view called system. The subtree is
set to 1.3.6.1.2.1 (System MIBs) and the view type is excluded.
set snmpv3 view=system subtree=1.3.6.1.2.1 type=excluded
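A View Table entry is a (subtree, mask, type) triple, and an OID is visible through a view only according to the most specific entry that matches it, which is how a broad included subtree can be narrowed by a more specific excluded one. The Python below is an added example, not code from this guide or from the AT-S63 software. It implements the view-family matching that subtree, mask and included/excluded express (the RFC 3415 vacmViewTreeFamily rules): the mask is read as the hex string this command takes, one bit per sub-identifier, 1 meaning that position must match and 0 meaning wildcard, with missing bits counting as 1; among matching entries the longest subtree wins, and ties go to the lexicographically greater subtree. It assumes OIDs are written dotted-decimal as in the examples above. The sample table SAMPLE_VIEWS is constructed for illustration: it mirrors the internet1 view from the first example and adds an excluded branch at 1.3.6.1.6.3.15 (the snmpUsmMIB subtree, so USM user entries are not readable through the view) plus a masked view that exposes every ifEntry column for a single interface index.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ViewEntry:
    """One View Table row: view name, subtree OID, hex mask, included/excluded."""
    view: str
    subtree: Tuple[int, ...]
    mask: str = ""            # hex digits; empty means every position must match
    type: str = "included"


def parse_oid(text: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex: str, length: int) -> List[bool]:
    """Expand the hex mask to one flag per sub-identifier; bits past the mask count as 1."""
    bits = []
    for digit in mask_hex:
        nibble = int(digit, 16)
        bits.extend(bool((nibble >> shift) & 1) for shift in (3, 2, 1, 0))
    return bits[:length] + [True] * max(0, length - len(bits))


def in_family(entry: ViewEntry, oid: Tuple[int, ...]) -> bool:
    """The OID is in the entry's family if it is at least as long as the subtree
    and agrees with it on every position whose mask bit is 1."""
    if len(oid) < len(entry.subtree):
        return False
    flags = mask_bits(entry.mask, len(entry.subtree))
    return all((not must) or a == b for must, a, b in zip(flags, entry.subtree, oid))


def is_visible(entries: List[ViewEntry], view: str, oid: str) -> bool:
    """Decide visibility of an OID through a view: the most specific matching
    entry (longest subtree, then lexicographically greatest) determines the result."""
    target = parse_oid(oid)
    matches = [e for e in entries if e.view == view and in_family(e, target)]
    if not matches:
        return False
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.type == "included"


# Constructed sample View Table (not from the guide). In "ifonly" the mask "ffb"
# expands to 1111 1111 1011: positions 1-9 and 11 must match, position 10 (the
# ifEntry column) is a wildcard, so any column is visible but only for ifIndex 3.
SAMPLE_VIEWS = [
    ViewEntry("internet1", parse_oid("1.3.6.1"), "", "included"),
    ViewEntry("internet1", parse_oid("1.3.6.1.6.3.15"), "", "excluded"),
    ViewEntry("ifonly", parse_oid("1.3.6.1.2.1.2.2.1.0.3"), "ffb", "included"),
]


if __name__ == "__main__":
    for view, oid in [("internet1", "1.3.6.1.2.1.1.1.0"),
                      ("internet1", "1.3.6.1.6.3.15.1.2.2.1.3"),
                      ("ifonly", "1.3.6.1.2.1.2.2.1.2.3"),
                      ("ifonly", "1.3.6.1.2.1.2.2.1.2.4")]:
        print(view, oid, "visible" if is_visible(SAMPLE_VIEWS, view, oid) else "hidden")
```

The precedence rule matters for least privilege: an excluded entry only takes effect when its subtree is at least as specific as the included entry it is meant to carve out of, and a mask with a 0 bit in a position makes the entry apply to every value at that position.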
SHOW SNMPV3 ACCESS
Syntax
show snmpv3 access=access
Parameter
access
Specifies an SNMPv3 Access Table entry.
Description
This command displays the SNMPv3 Access Table. You can display one
or all of the table entries.
Examples
The following command displays the SNMPv3 Access Table entry called
“production.”
show snmpv3 access=production
The following command displays all of the SNMPv3 Access Table entries:
show snmpv3 access
SHOW SNMPV3 COMMUNITY
Syntax
show snmpv3 community index=index
Parameter
index
Specifies the name of this SNMPv3 Community
Table entry, up to 32 alphanumeric characters.
Description
This command displays the SNMPv3 Community Table. You can display
one or all of the SNMPv3 Community Table entries.
Examples
The following command displays the Community Table entry with an index
of 246:
show snmpv3 community index=246
The following command displays all of the Community Table entries:
show snmpv3 community
SHOW SNMPv3 GROUP
Syntax
show snmpv3 group username=username
[securitymodel=v1|v2c|v3]
Parameter
username
Specifies a user name configured in the SNMPv3
User Table.
securitymodel
Specifies the security model of the above user
name. The options are:
v1
Associates the Security Name, or User
Name, with the SNMPv1 protocol.
v2c
Associates the Security Name, or User
Name, with the SNMPv2c protocol.
v3
Associates the Security Name, or User
Name, with the SNMPv3 protocol.
Description
This command displays SNMPv3 SecurityToGroup Table entries. You can
display one or all of the table entries.
Example
The following command displays the SNMPv3 SecurityToGroup Table
entry for a user named Dave who is assigned a security model of the
SNMPv3 protocol.
show snmpv3 group username=Dave securitymodel=v3
The following command displays all of the SNMPv3 SecurityToGroup
Table entries:
show snmpv3 group
SHOW SNMPV3 NOTIFY
Syntax
show snmpv3 notify=notify
Parameter
notify
Specifies an SNMPv3 Notify Table entry.
Description
This command displays SNMPv3 Notify Table entries. You can display
one or all of the table entries.
Examples
The following command displays the SNMPv3 Notify Table entry called
“testengtrap1”:
show snmpv3 notify=testengtrap1
The following command displays all of the SNMPv3 Notify Table entries:
show snmpv3 notify
SHOW SNMPV3 TARGETADDR
Syntax
show snmpv3 targetaddr=targetaddr
Parameter
targetaddr
Specifies an SNMPv3 Target Address Table entry.
Description
This command displays SNMPv3 Target Address Table entries. You can
display one or all of the table entries.
Examples
The following command displays the SNMPv3 Target Address Table entry
called “snmpv3host55”:
show snmpv3 targetaddr=snmpv3host55
The following command displays all of the SNMPv3 Target Address Table
entries:
show snmpv3 targetaddr
SHOW SNMPV3 TARGETPARAMS
Syntax
show snmpv3 targetparams=targetparams
Parameter
targetparams
Specifies an SNMPv3 Target Parameters Table entry.
Description
This command displays SNMPv3 Target Parameters Table entries. You
can display one or all of the table entries.
Examples
The following command displays the SNMPv3 Target Parameters Table
entry called “snmpv3manager95”:
show snmpv3 targetparams=snmpv3manager95
The following command displays all of the SNMPv3 Target Parameters
Table entries:
show snmpv3 targetparams
SHOW SNMPV3 USER
Syntax
show snmpv3 user=user
Parameters
user
Specifies the name of an SNMPv3 user, up to 32 alphanumeric
characters.
Description
This command displays SNMPv3 User Table entries. You can display one
or all of the table entries.
Examples
The following command displays the SNMPv3 User Table entry for a user
name of Robert:
show snmpv3 user=Robert
The following command displays all of the SNMPv3 User Table entries:
show snmpv3 user
SHOW SNMPV3 VIEW
Syntax
show snmpv3 view=view [subtree=OID|text]
Parameter
view
Specifies an SNMPv3 View Table entry.
subtree
Specifies the view subtree. Options are:
OID
A numeric value in hexadecimal format.
text
Text name of the view.
Description
This command displays the SNMPv3 View Table entries. You can display
one or all of the table entries.
Examples
The following command displays the SNMPv3 View Table entry called
“snmpv3manager95”:
show snmpv3 view=snmpv3manager95
The following command displays all the SNMPv3 View Table entries:
show snmpv3 view
Section V
Spanning Tree Protocols
The chapters in this section contain the commands for the spanning tree
protocols. The chapters include:
• Chapter 25, “Spanning Tree Protocol Commands” on page 435
• Chapter 26, “Rapid Spanning Tree Protocols Commands” on page 449
• Chapter 27, “Multiple Spanning Tree Protocol Commands” on page 463
Section V: Spanning Tree Protocols
Chapter 25
Spanning Tree Protocol Commands
This chapter contains the following commands:
• “ACTIVATE STP” on page 436
• “DISABLE STP” on page 437
• “ENABLE STP” on page 438
• “PURGE STP” on page 439
• “SET STP” on page 440
• “SET STP PORT” on page 443
• “SET SWITCH MULTICASTMODE” on page 445
• “SHOW STP” on page 447
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 22,
“Spanning Tree and Rapid Spanning Tree Protocols” in the AT-S63
Management Software Menus Interface User’s Guide.
Chapter 25: Spanning Tree Protocol Commands
ACTIVATE STP
Syntax
activate stp
Parameters
None.
Description
Use this command to designate STP as the active spanning tree on the
switch. You cannot enable STP or configure its parameters until you have
designated it as the active spanning tree with this command.
Only one spanning tree protocol, STP, RSTP, or MSTP, can be active on
the switch at a time.
Example
The following command designates STP as the active spanning tree:
activate stp
DISABLE STP
Syntax
disable stp
Parameters
None.
Description
This command disables the Spanning Tree Protocol on the switch. The
default setting for STP is disabled. To view the current status of STP, refer
to “SHOW STP” on page 447.
Example
The following command disables STP:
disable stp
ENABLE STP
Syntax
enable stp
Parameters
None.
Description
This command enables the Spanning Tree Protocol on the switch. The
default setting for STP is disabled. To view the current status of STP, refer
to “SHOW STP” on page 447.
Note
You cannot enable STP until after you have activated it with
“ACTIVATE STP” on page 436.
Example
The following command enables STP on the switch:
enable stp
PURGE STP
Syntax
purge stp
Parameters
None.
Description
This command returns all STP bridge and port parameters to the default
settings. STP must be disabled in order for you to use this command. To
disable STP, see “DISABLE STP” on page 437.
Example
The following command resets the STP parameter settings to their default
values:
purge stp
Equivalent Command
set stp default
For information, see “SET STP” on page 440.
SET STP
Syntax
set stp [default] [priority=priority] [hellotime=hellotime]
[forwarddelay=forwarddelay] [maxage=maxage]
Parameters
default
Disables STP and returns all bridge and port STP
settings to the default values. This parameter cannot be
used with any other command parameter and can only
be used when STP is disabled. (This parameter
performs the same function as the PURGE STP
command.)
priority
Specifies the priority number for the bridge. This
number is used in determining the root bridge for STP.
The bridge with the lowest priority number is selected
as the root bridge. If two or more bridges have the
same priority value, the bridge with the numerically
lowest MAC address becomes the root bridge.
The range is 0 to 61,440 in increments of 4,096. The
range is divided into sixteen increments, as shown in
Table 14. You specify the increment that represents the
desired bridge priority value. The default value is
32,768 (increment 8).
Table 14. Bridge Priority Value Increments

Increment   Bridge Priority     Increment   Bridge Priority
0           0                   8           32768
1           4096                9           36864
2           8192                10          40960
3           12288               11          45056
4           16384               12          49152
5           20480               13          53248
6           24576               14          57344
7           28672               15          61440
hellotime
Specifies the time interval between generating and
sending configuration messages by the bridge. This
parameter can be from 1 to 10 seconds. The default is 2
seconds.
forwarddelay
Specifies the waiting period before a bridge changes to
a new state, for example, becomes the new root bridge
after the topology changes. If the bridge transitions too
soon, all links may not have had time to adapt to the
change, resulting in network loops. The range is 4 to 30
seconds. The default is 15 seconds.
maxage
Specifies the length of time after which stored bridge
protocol data units (BPDUs) are deleted by the bridge.
All bridges in a bridged LAN use this aging time to test
the age of stored configuration messages called bridge
protocol data units (BPDUs). For example, if you use
the default 20, all bridges delete current configuration
messages after 20 seconds. The range is 6 to 40
seconds. The default is 20 seconds.
Note
The value for the maxage parameter must be greater than
(2 x (hellotime + 1)) and less than (2 x (forwarddelay - 1)).
Description
This command sets the following STP parameters:
• Bridge priority
• Hello time
• Forwarding delay
• Maximum age time
This command can also disable STP and return the STP parameters to
their default settings.
Note
You can use this command only if STP is designated as the active
spanning tree protocol on the switch. See “ACTIVATE STP” on
page 436.
Examples
The following command sets the switch’s bridge priority value to 45,056
(increment 11):
set stp priority=11
The following command sets the hello time to 7 seconds and the
forwarding delay to 25 seconds:
set stp hellotime=7 forwarddelay=25
The following command returns all STP parameters on the switch to the
default values:
set stp default
Equivalent Command
purge stp
For information, see “PURGE STP” on page 439.
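The note above ties maxage to hellotime and forwarddelay, and a SET STP command that breaks that relationship is best caught before it is typed, because the bridge will otherwise be left with timers that cannot age BPDUs consistently with its neighbours. The following Python is an added example, not code from this guide or from the switch software. It encodes Table 14 and the parameter ranges listed for this command, merges a requested change over the bridge's current values (assumed to be the defaults when no current values are supplied, which is the example's own simplification), and either returns the command line or raises ValueError with the violated rule. DEFAULTS, RANGES, bridge_priority, timer_problems, build_set_stp and is_valid are names chosen for the example.

```python
from typing import Dict, List, Optional

# Defaults and ranges as listed in the Parameters section of SET STP.
DEFAULTS = {"priority": 8, "hellotime": 2, "forwarddelay": 15, "maxage": 20}
RANGES = {"priority": (0, 15), "hellotime": (1, 10), "forwarddelay": (4, 30), "maxage": (6, 40)}


def bridge_priority(increment: int) -> int:
    """Table 14: increment n selects bridge priority n * 4096 (0 to 61440)."""
    if not 0 <= increment <= 15:
        raise ValueError(f"priority increment {increment} outside 0-15")
    return increment * 4096


def timer_problems(hellotime: int, forwarddelay: int, maxage: int) -> List[str]:
    """Check the rule from the note: 2*(hellotime+1) < maxage < 2*(forwarddelay-1)."""
    problems = []
    lower = 2 * (hellotime + 1)
    upper = 2 * (forwarddelay - 1)
    if maxage <= lower:
        problems.append(f"maxage={maxage} must be greater than 2*(hellotime+1)={lower}")
    if maxage >= upper:
        problems.append(f"maxage={maxage} must be less than 2*(forwarddelay-1)={upper}")
    return problems


def build_set_stp(current: Optional[Dict[str, int]] = None, **changes: int) -> str:
    """Merge the requested parameters over the bridge's current values (the defaults
    when 'current' is None), validate every range and the timer rule, and return the
    SET STP command line. Raises ValueError describing the first violated rule."""
    if not changes:
        raise ValueError("no parameters given")
    params = dict(DEFAULTS if current is None else current)
    for name, value in changes.items():
        if name not in RANGES:
            raise ValueError(f"unknown SET STP parameter {name}")
        low, high = RANGES[name]
        if not low <= value <= high:
            raise ValueError(f"{name}={value} outside {low}-{high}")
        params[name] = value
    problems = timer_problems(params["hellotime"], params["forwarddelay"], params["maxage"])
    if problems:
        raise ValueError("; ".join(problems))
    return "set stp " + " ".join(f"{name}={value}" for name, value in changes.items())


def is_valid(current: Optional[Dict[str, int]] = None, **changes: int) -> bool:
    """True if build_set_stp would accept the request."""
    try:
        build_set_stp(current, **changes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two examples above pass; hellotime=10 against default timers does not,
    # because 2*(10+1)=22 is not below the default maxage of 20.
    print(build_set_stp(priority=11), "->", bridge_priority(11))
    print(build_set_stp(hellotime=7, forwarddelay=25))
    print(timer_problems(10, 15, 20))
```

With the defaults in place, hellotime=7 forwarddelay=25 is accepted (16 < 20 < 48), while hellotime=10 alone is rejected, as is forwarddelay=10, which would push the upper bound (18) below the default maxage.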
SET STP PORT
Syntax
set stp port=port [pathcost|portcost=auto|portcost]
[portpriority=portpriority]
Parameters
port
Specifies the port you want to configure. You can
configure more than one port at a time. You can specify
the ports individually (for example, 5, 7, 22), as a range
(for example, 18-23), or both (for example, 1, 5, 14-22).
pathcost or
portcost
Specifies the port’s cost. The parameters are
equivalent. The spanning tree algorithm uses the cost
parameter to decide which port provides the lowest cost
to the root bridge for that LAN. This parameter can take
the range of 1 to 65,535, or AUTO. The default setting
is AUTO, for Automatic Update, which automatically
sets port cost according to the speed of the port.
Table 15 lists the STP port costs with Auto-Detect.
Table 15. STP Auto-Detect Port Costs

Port Speed   Port Cost
10 Mbps      100
100 Mbps     10
1000 Mbps    4
Table 16 lists the STP port costs with Auto-Detect when
a port is part of a port trunk.
Table 16. Auto-Detect Port Trunk Costs

Port Speed   Port Cost
10 Mbps      4
100 Mbps     4
1000 Mbps    1
portpriority
Specifies the port’s priority. This parameter is used as a
tie breaker when two or more ports are determined to
have equal costs to the root bridge. The range is 0 to
240 in increments of 16, for a total of 16 increments as
shown in Table 17. You specify the increment of the
desired value. The default is 128 (increment 8).
Table 17. Port Priority Value Increments

Increment   Port Priority   Increment   Port Priority
0           0               8           128
1           16              9           144
2           32              10          160
3           48              11          176
4           64              12          192
5           80              13          208
6           96              14          224
7           112             15          240
Description
This command configures the following STP parameter settings for a
switch port:
• Port cost
• Port priority
Examples
The following command sets the port cost to 15 and the port priority to 192
(increment 12) for port 6:
set stp port=6 portcost=15 portpriority=12
The following command sets the port cost to auto-detect on ports 7 to 10:
set stp port=7-10 portcost=auto
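The increment conventions of SET STP and SET STP PORT (a bridge priority is typed as a multiple of 4,096, a port priority as a multiple of 16, Tables 17 and 18) and the port-list syntax of the PORT parameter are easy to get wrong at the console. The following is an added example written for this page; it is not part of the AT-S63 software. It converts between typed increments and applied values, expands a port list, looks up the Auto-Detect costs of Tables 15 and 16, and renders a SET STP PORT command from values rather than increments. All function names are the example's own.

```python
# Added example (not AT-S63 code): helpers for the increment and port-list
# conventions used by SET STP and SET STP PORT.
import re

BRIDGE_PRIORITY_STEP = 4096   # bridge priority: 16 increments of 4,096 (Table 18)
PORT_PRIORITY_STEP = 16       # port priority: 16 increments of 16 (Tables 17 and 21)

# STP Auto-Detect port costs from Tables 15 and 16, keyed by port speed in Mbps
STP_AUTO_COST = {10: 100, 100: 10, 1000: 4}
STP_AUTO_TRUNK_COST = {10: 4, 100: 4, 1000: 1}


def increment_to_value(increment, step):
    """Value the switch applies for a typed increment (e.g. 11 -> 45,056 for
    bridge priority)."""
    if not 0 <= increment <= 15:
        raise ValueError("increment must be 0-15, got %r" % increment)
    return increment * step


def value_to_increment(value, step):
    """Increment that must be typed to obtain a given value; rejects values
    that are not on the 16-step grid."""
    if value % step != 0 or not 0 <= value <= 15 * step:
        raise ValueError("%r is not a valid multiple of %d in range" % (value, step))
    return value // step


def parse_port_list(text):
    """Expand the guide's port syntax: '5, 7, 22', '18-23' or '1, 5, 14-22'."""
    ports = set()
    for piece in text.replace(" ", "").split(","):
        if not piece:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", piece)
        if not m:
            raise ValueError("bad port specification: %r" % piece)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo < 1 or hi < lo:
            raise ValueError("bad port range: %r" % piece)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def stp_auto_cost(speed_mbps, trunk=False):
    """Cost the switch assigns under PORTCOST=AUTO for a given link speed."""
    table = STP_AUTO_TRUNK_COST if trunk else STP_AUTO_COST
    return table[speed_mbps]


def build_set_stp_port(ports, cost=None, priority=None):
    """Render a SET STP PORT command. 'cost' is an int (1-65,535) or 'auto';
    'priority' is the wanted value, converted to the increment the CLI expects."""
    parse_port_list(ports)            # reject a malformed port list early
    parts = ["set stp port=%s" % ports]
    if cost is not None:
        if cost != "auto" and not 1 <= cost <= 65535:
            raise ValueError("port cost must be 1-65,535 or auto")
        parts.append("portcost=%s" % cost)
    if priority is not None:
        parts.append("portpriority=%d" % value_to_increment(priority, PORT_PRIORITY_STEP))
    return " ".join(parts)
```

The last function reproduces the guide's own example (port 6, cost 15, priority 192) as `build_set_stp_port("6", cost=15, priority=192)`, which yields `set stp port=6 portcost=15 portpriority=12`.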
SET SWITCH MULTICASTMODE
Syntax
set switch multicastmode=[a|b|c|d]
Parameter
multicastmode
Specifies the multicast mode. The options are:
a
Discards all ingress spanning tree BPDU and
802.1x EAPOL packets on all ports.
b
Forwards ingress spanning tree BPDU and
802.1x EAPOL packets across all VLANs and
ports.
c
Forwards ingress BPDU and EAPOL packets
only among the untagged ports of the VLAN
where the ingress port is a member.
d
Forwards ingress BPDU and EAP packets on
both tagged and untagged ports of the VLAN
where the ingress port is a member.
Description
This command controls the behavior of the switch when forwarding
ingress spanning tree BPDU packets and 802.1x port-based access
control EAPOL packets when these features are disabled on the switch.
Note the following when setting this parameter:
• You can only set this parameter from this command. You cannot
configure it from the menus or web browser interface.
• The mode is set at the switch level. You cannot configure it on a
per-port basis.
• A switch can have only one mode active at a time.
• The mode setting applies to spanning tree protocol BPDUs when STP,
RSTP, and MSTP are disabled on the switch.
• The mode setting applies to 802.1x port-based access control EAPOL
packets when 802.1x is disabled.
• There are four possible states: A, B, C, and D:
A - Discards all ingress spanning tree BPDU and 802.1x EAPOL packets
on all ports. The switch behaves as follows:
  • If STP, RSTP, and MSTP are disabled, all ingress BPDUs are
  discarded.
  • If 802.1x port-based access control is disabled, all ingress EAPOL
  packets are discarded.
B - Forwards ingress spanning tree BPDU and 802.1x EAPOL packets
across all VLANs and ports. This is the default setting. The switch
behaves as follows:
  • If STP, RSTP, and MSTP are disabled, ingress BPDUs are flooded
  on all ports.
  • If STP, RSTP, MSTP, and 802.1x are disabled on the switch,
  BPDUs and EAPOL packets are flooded on all ports.
  • If the switch is running STP or RSTP and 802.1x is disabled,
  EAPOL packets are flooded on all ports, except ports in the
  blocking state.
  • If the switch is running MSTP and 802.1x is disabled, EAPOL
  packets are flooded on all ports, including ports in the blocking
  state.
C - Forwards ingress BPDU and EAPOL packets only on untagged ports
of the VLAN where the ingress port is a member. Packets are not
forwarded from tagged ports. The VLAN is identified by the PVID assigned
to the ingress port.
D - Forwards ingress BPDU and EAP packets from both tagged and
untagged ports of the VLAN where the ingress port is a member. The
VLAN is identified by the PVID assigned to the ingress port.
Example
The following command sets the switch’s mode to A to discard all ingress
BPDUs and 802.1x EAPOL packets:
set switch multicastmode=a
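The mode table above decides where an ingress BPDU or EAPOL frame is copied while the feature that would normally consume it is disabled, which matters when you reason about whether a control frame can leak across VLAN boundaries (mode B floods across all VLANs; modes C and D confine it to the ingress port's PVID). The following is an added example written for this page, not AT-S63 code, that models the four modes as the description states them on a constructed six-port topology. The `Port` class, the sample topology and the assumption that the ingress port never receives its own copy are the example's own.

```python
# Added example (not AT-S63 code): a model of the four MULTICASTMODE settings
# as the guide describes them, to reason about where an ingress BPDU or EAPOL
# frame ends up when the feature that would consume it is disabled.
from dataclasses import dataclass, field


@dataclass
class Port:
    number: int
    pvid: int                                     # VLAN assigned to untagged ingress
    untagged: set = field(default_factory=set)    # VLANs this port carries untagged
    tagged: set = field(default_factory=set)      # VLANs this port carries tagged
    stp_state: str = "Forwarding"                 # "Forwarding" or "Blocking"


# Constructed topology (not from the guide): VLAN 10 on ports 1-2, VLAN 20 on
# ports 3-4 (port 4 blocking), port 5 trunks both VLANs tagged, port 6 in VLAN 1.
SAMPLE_PORTS = [
    Port(1, pvid=10, untagged={10}),
    Port(2, pvid=10, untagged={10}),
    Port(3, pvid=20, untagged={20}),
    Port(4, pvid=20, untagged={20}, stp_state="Blocking"),
    Port(5, pvid=1, untagged={1}, tagged={10, 20}),
    Port(6, pvid=1, untagged={1}),
]


def forward_set(mode, ingress, ports, packet, active_stp=None):
    """Sorted port numbers that receive a copy of an ingress frame.

    packet     : "bpdu" or "eapol"
    active_stp : None when STP, RSTP and MSTP are all disabled, otherwise
                 "stp", "rstp" or "mstp". Only meaningful for EAPOL: a running
                 spanning tree consumes BPDUs itself, so the mode does not apply.
    The ingress port is never included (assumption: ordinary flood semantics).
    """
    if packet not in ("bpdu", "eapol"):
        raise ValueError("packet must be 'bpdu' or 'eapol'")
    if packet == "bpdu" and active_stp is not None:
        raise ValueError("mode applies to BPDUs only while spanning tree is disabled")
    mode = mode.lower()
    others = [p for p in ports if p.number != ingress.number]
    if mode == "a":                       # discard on all ports
        return []
    if mode == "b":                       # flood across all VLANs and ports
        if packet == "eapol" and active_stp in ("stp", "rstp"):
            others = [p for p in others if p.stp_state != "Blocking"]
        # under MSTP the guide floods EAPOL on blocking ports too: no filter
        return sorted(p.number for p in others)
    vlan = ingress.pvid                   # modes C and D use the ingress PVID
    if mode == "c":                       # untagged members of that VLAN only
        return sorted(p.number for p in others if vlan in p.untagged)
    if mode == "d":                       # tagged and untagged members
        return sorted(p.number for p in others
                      if vlan in p.untagged or vlan in p.tagged)
    raise ValueError("unknown multicast mode %r" % mode)
```

Running the model with a BPDU arriving on port 1 shows the point of modes C and D: under B the frame reaches every other port, under C only port 2 (the other untagged member of VLAN 10), under D ports 2 and 5 (the tagged trunk as well).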
SHOW STP
Syntax
show stp [port=port]
Parameter
port
Specifies the port whose STP parameters you want to
view. You can view more than one port at a time. You
can specify the ports individually (for example, 5, 7,
22), as a range (for example, 18-23), or both (for
example, 1, 5, 14-22).
Description
This command displays the current values for the STP parameters. An
example of the display is shown in Figure 38.
Status ...................... Enabled
Bridge Priority ............. 32768 (In multiples of 4096: 8)
Bridge Hello Time ........... 2/2 (Configured/Actual)
Bridge Forwarding Delay ..... 15/15 (Configured/Actual)
Bridge Max Age .............. 20/20 (Configured/Actual)
Bridge Identifier ........... 32768/00:21:46:A7:B4:11
Root Bridge ................. 32768/00:21:46:A7:B4:11
Root Path Cost .............. 0
Figure 38. SHOW STP Command
The bridge priority, bridge hello time, and bridge max age parameters
display two values when STP is enabled on the switch (for example,
Bridge Forwarding Delay .. 15/15). The first number is the configured value
on the switch for the parameter and the second is the value the switch
obtained from the root bridge and is actually using for the parameter. The
switch displays only the configured values when spanning tree is not
activated on the switch.
The Status parameter displays whether STP is enabled or disabled on the
switch.
For definitions of the bridge priority, hello time, forwarding delay, and max
age parameters, refer to “SET STP” on page 440.
The bridge Identifier parameter consists of the switch’s bridge priority
value and MAC address, separated by a slash (/). To change the switch’s
priority value, refer to “SET STP” on page 440. The MAC address of the
switch cannot be changed.
The root bridge parameter specifies the bridge identifier of the root bridge
of the spanning tree domain. The identifier consists of the bridge priority
value and MAC address of the root switch, separated by a slash (/). This
parameter only appears when STP is activated on the switch.
The root path cost parameter displays the path cost from the switch to the
root bridge of the spanning tree domain. If the switch is the root bridge, the
path cost is 0. This parameter only appears when STP is activated on the
switch.
The PORT parameter allows you to view the STP parameter settings for
the switch ports. An example of the display is shown in Figure 39.
Port  State       Cost  Priority
---------------------------------------------
1     Forwarding  4     128
2     Forwarding  4     128
3     Forwarding  4     128
4     Forwarding  4     128
5     Forwarding  4     128
6     Forwarding  4     128
7     Forwarding  4     128
8     Forwarding  4     128
9     Forwarding  4     128
10    Forwarding  4     128
11    Forwarding  4     128
Figure 39. SHOW STP PORT Command
Port is the port number.
State is the current state of a port. The possible states are Listening,
Learning, Forwarding, or Blocking when spanning tree is enabled on the
switch. When spanning tree is not enabled on the switch or if a port is not
being used, its state will be disabled.
Cost is the port cost of the port.
Priority is the port’s priority value. The number is used as a tie breaker
when two or more ports have equal costs to the root bridge.
Examples
The following command displays the switch’s STP settings:
show stp
The following command displays the STP settings for ports 1 to 4:
show stp port=1-4
Chapter 26
Rapid Spanning Tree Protocols
Commands
This chapter contains the following commands:
• “ACTIVATE RSTP” on page 450
• “DISABLE RSTP” on page 451
• “ENABLE RSTP” on page 452
• “PURGE RSTP” on page 453
• “SET RSTP” on page 454
• “SET RSTP PORT” on page 457
• “SHOW RSTP” on page 460
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 22,
“Spanning Tree and Rapid Spanning Tree Protocols” in the AT-S63
Management Software Menus Interface User’s Guide.
ACTIVATE RSTP
Syntax
activate rstp
Parameters
None.
Description
Use this command to designate RSTP as the active spanning tree on the
switch. After you have selected RSTP, you can enable or disable it using
the ENABLE RSTP and DISABLE RSTP commands. RSTP is active on a
switch only after you have designated it as the active spanning tree with
this command and enabled it with the ENABLE RSTP command.
Only one spanning tree protocol, STP, RSTP, or MSTP, can be active on
the switch at a time.
Example
The following command designates RSTP as the active spanning tree:
activate rstp
DISABLE RSTP
Syntax
disable rstp
Parameters
None.
Description
This command disables the Rapid Spanning Tree Protocol on the switch.
To view the current status of RSTP, use “SHOW RSTP” on page 460.
Example
The following command disables RSTP:
disable rstp
ENABLE RSTP
Syntax
enable rstp
Parameters
None.
Description
This command enables the Rapid Spanning Tree Protocol on the switch.
The default setting for RSTP is disabled. To view the current status of
RSTP, use “SHOW RSTP” on page 460.
You cannot enable RSTP until you have activated it with the ACTIVATE
RSTP command.
Example
The following command enables RSTP:
enable rstp
PURGE RSTP
Syntax
purge rstp
Parameters
None.
Description
This command returns all RSTP bridge and port parameters to the default
settings. RSTP must be disabled before you can use this command. To
disable RSTP, refer to “DISABLE RSTP” on page 451.
Example
The following command resets RSTP:
purge rstp
Equivalent Command
set rstp default
For information, refer to “SET RSTP” on page 454.
SET RSTP
Syntax
set rstp [default] [priority=priority] [hellotime=hellotime]
[forwarddelay=forwarddelay] [maxage=maxage]
[rstptype|forceversion=stpcompatible|
forcestpcompatible|normalrstp]
Parameters
default
Returns all bridge and port RSTP settings to the default
values. This parameter cannot be used with any other
command parameter and only when RSTP is disabled.
(This parameter performs the same function as the
PURGE RSTP command.)
priority
Specifies the priority number for the bridge. This
number is used in determining the root bridge for
RSTP. The bridge with the lowest priority number is
selected as the root bridge. If two or more bridges have
the same priority value, the bridge with the numerically
lowest MAC address becomes the root bridge. The
range is 0 to 61,440 in increments of 4,096. The range
is divided into sixteen increments, as shown in
Table 18. You specify the increment that represents the
desired bridge priority value. The default value is
32,768, which is increment 8.
Table 18. Bridge Priority Value Increments
Increment   Bridge Priority   Increment   Bridge Priority
0           0                 8           32768
1           4096              9           36864
2           8192              10          40960
3           12288             11          45056
4           16384             12          49152
5           20480             13          53248
6           24576             14          57344
7           28672             15          61440
hellotime
Specifies the time interval between generating and
sending configuration messages by the bridge. This
parameter can be from 1 to 10 seconds. The default is 2
seconds.
forwarddelay
Specifies the waiting period before a bridge changes to
a new state, for example, becomes the new root bridge
after the topology changes. If the bridge transitions too
soon, not all links may have yet adapted to the change,
resulting in network loops. The range is 4 to 30
seconds. The default is 15 seconds. This parameter
affects only those ports operating in the STP compatible
mode.
maxage
Specifies the length of time, in seconds, after which
stored bridge protocol data units (BPDUs) are deleted
by the bridge. All bridges in a bridged LAN use this
aging time to test the age of stored configuration
messages called bridge protocol data units (BPDUs).
For example, if you use the default value of 20, all
bridges delete current configuration messages after 20
seconds. The range of this parameter is 6 to 40
seconds. The default is 20 seconds.
Note
The value for the maxage parameter must be greater than
(2 x (hellotime +1)) and less than (2 x (forwarddelay -1)).
rstptype or
forceversion
Sets the RSTP mode. The parameters are
equivalent. The options are:
stpcompatible or
forcestpcompatible
The bridge uses the RSTP
parameter settings, but transmits
only STP BPDU packets from the
ports. These options are
equivalent.
normalrstp
The bridge uses RSTP. It
transmits RSTP BPDU packets,
except on ports connected to
bridges running STP. This is the
default setting.
Description
This command configures the following RSTP parameter settings.
• Bridge priority
• Hello time
• Forwarding delay
• Maximum age time
• Port priority
• Force version of STP or normal RSTP
This command can also return the RSTP parameters to their default
settings.
Note
You can use this command only if RSTP is the active spanning tree
protocol on the switch. See “ACTIVATE RSTP” on page 450.
Examples
The following command sets the bridge priority to 20480 (increment 5), the
hello time to 5 seconds, and the forwarding delay to 20 seconds:
set rstp priority=5 hellotime=5 forwarddelay=20
The following command uses the FORCEVERSION parameter to
configure the bridge to use the RSTP parameters but to transmit only STP
BPDU packets:
set rstp forceversion=stpcompatible
The following command returns all RSTP parameter settings to their
default values:
set rstp default
Equivalent Command
purge rstp
For information, see “PURGE RSTP” on page 453.
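The note under MAXAGE states a relationship the three timers must satisfy together (maxage strictly between 2 x (hellotime + 1) and 2 x (forwarddelay - 1)); the same note is repeated for SET MSTP, and changing one timer in isolation can silently violate it because the other two keep their current values. The following is an added example written for this page, not AT-S63 code, that applies the guide's ranges and that inequality before a SET RSTP command is issued; the function names and the use of the defaults for unspecified timers are the example's own assumptions.

```python
# Added example (not AT-S63 code): validate the RSTP bridge timers against the
# ranges and the maxage relationship the SET RSTP (and SET MSTP) notes require.

RSTP_RANGES = {
    "hellotime": (1, 10),      # seconds, default 2
    "forwarddelay": (4, 30),   # seconds, default 15
    "maxage": (6, 40),         # seconds, default 20
}
DEFAULTS = {"hellotime": 2, "forwarddelay": 15, "maxage": 20}


def timer_bounds(hellotime, forwarddelay):
    """Open interval maxage must lie in: 2*(hellotime+1) < maxage < 2*(forwarddelay-1)."""
    return 2 * (hellotime + 1), 2 * (forwarddelay - 1)


def validate_timers(hellotime=None, forwarddelay=None, maxage=None):
    """Return a list of problems; an empty list means the combination is valid.
    Timers not given fall back to the guide's defaults, which is what the
    switch keeps when only some of them are changed (assumption)."""
    values = dict(DEFAULTS)
    for name, v in (("hellotime", hellotime), ("forwarddelay", forwarddelay),
                    ("maxage", maxage)):
        if v is not None:
            values[name] = v
    problems = []
    for name, (lo, hi) in RSTP_RANGES.items():
        if not lo <= values[name] <= hi:
            problems.append("%s=%d outside %d-%d" % (name, values[name], lo, hi))
    low, high = timer_bounds(values["hellotime"], values["forwarddelay"])
    if not low < values["maxage"] < high:
        problems.append("maxage=%d must satisfy %d < maxage < %d"
                        % (values["maxage"], low, high))
    return problems


def set_rstp_command(priority=None, hellotime=None, forwarddelay=None, maxage=None):
    """Render a SET RSTP command only when the timers are mutually consistent.
    'priority' is the increment (0-15), as the guide's examples use it."""
    problems = validate_timers(hellotime, forwarddelay, maxage)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["set rstp"]
    if priority is not None:
        if not 0 <= priority <= 15:
            raise ValueError("priority increment must be 0-15")
        parts.append("priority=%d" % priority)
    for name, v in (("hellotime", hellotime), ("forwarddelay", forwarddelay),
                    ("maxage", maxage)):
        if v is not None:
            parts.append("%s=%d" % (name, v))
    return " ".join(parts)
```

With the defaults, maxage 20 sits inside the interval (6, 28). Raising only the hello time to its maximum of 10 moves the lower bound to 22, so the default maxage of 20 is rejected, which is the case the note is warning about.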
SET RSTP PORT
Syntax
set rstp port=port [pathcost|portcost=cost|auto]
[portpriority=portpriority]
[edgeport=yes|no|on|off|true|false]
[ptp|pointtopoint=yes|no|on|off|true|false|autoupdate]
[migrationcheck=yes|no|on|off|true|false]
Parameters
port
Specifies the port you want to configure. You can
specify more than one port at a time. You can specify
the ports individually (for example, 5, 7, 22), as a range
(for example, 18-23), or both (for example, 1, 5, 14-22).
pathcost or
portcost
Specifies the port’s cost. The parameters are
equivalent. The spanning tree algorithm uses the cost
parameter to decide which port provides the lowest cost
path to the root bridge for that LAN. The options are:
cost
A number for the port cost. The range is
1 to 200,000,000.
auto
Automatically sets the port cost according
to the speed of the port. This is the default.
Table 19 lists the port cost with autodetect.
Table 19. RSTP Auto-Detect Port Costs
Port Speed    Port Cost
10 Mbps       2,000,000
100 Mbps      200,000
1000 Mbps     20,000
Table 20 lists the RSTP port costs with
Auto-Detect when the port is part of a port
trunk.
Table 20. RSTP Auto-Detect Port Trunk Costs
Port Speed    Port Cost
10 Mbps       20,000
100 Mbps      20,000
1000 Mbps     2,000
portpriority
Specifies the port’s priority. This parameter is used as a
tie breaker when two or more ports are determined to
have equal costs to the root bridge. The range is 0 to
240 in increments of 16, for a total of 16 increments, as
shown in Table 21. You specify the increment that
corresponds to the desired value. The default is 128,
which is increment 8.
Table 21. Port Priority Value Increments
Increment   Port Priority     Increment   Port Priority
0           0                 8           128
1           16                9           144
2           32                10          160
3           48                11          176
4           64                12          192
5           80                13          208
6           96                14          224
7           112               15          240
edgeport
Defines whether the port is functioning as an edge port.
An edge port is connected to a device operating at
half-duplex mode and is not connected to any device
running STP or RSTP. The options are:
yes, on, true
The port is an edge port. The options
are equivalent. This is the default.
no, off, false
The port is not an edge port. The
options are equivalent.
ptp or
pointtopoint
Defines whether the port is functioning as a
point-to-point port. The parameters are equivalent. This type
of port is connected to a device operating at full-duplex
mode. The options are:
yes, on, true
The port is a point-to-point port. The
options are equivalent.
no, off, false
The port is not a point-to-point port.
The options are equivalent.
autoupdate
The port’s status is determined
automatically. This is the default.
migrationcheck
Enables and disables migration check. The purpose of
this feature is to change from the RSTP mode to the
STP mode if STP BPDU packets are received on the
selected port. When you enable this option, the bridge
will send out RSTP BPDU packets from the selected
port until STP BPDU packets are received. The port will
remain in the RSTP mode until it receives an STP
BPDU packet. The options are:
yes, on, true
Enable migration check. The options
are equivalent.
no, off, false
Disable migration check. The options
are equivalent.
Description
This command sets a port’s RSTP settings.
Examples
The following command sets the port cost to 1,000,000 and port priority to
224 (increment 14) on port 4:
set rstp port=4 portcost=1000000 portpriority=14
The following command changes ports 6 to 8 so they are not considered
edge ports:
set rstp port=6-8 edgeport=no
SHOW RSTP
Syntax
show rstp [portconfig=port|portstate=port]
Parameters
portconfig
Displays the RSTP port settings. You can specify more
than one port at a time.
portstate
Displays the RSTP port status. You can specify more
than one port at a time.
Description
You can use this command to display the RSTP parameter settings. An
example of the display is shown in Figure 40.
Status ....................... Enabled
Force Version ................ NormalRSTP
Bridge Priority .............. 32768 (In multiples of 4096: 8)
Bridge Hello Time ............ 2/2 (Configured/Actual)
Bridge Forward Delay ......... 15/15 (Configured/Actual)
Bridge Max Age ............... 20/20 (Configured/Actual)
Bridge Identifier ............ 32768/00:21:46:A7:B4:11
Root Bridge Identifier ....... 32768/00:21:46:A7:B4:11
Root Path Cost ............... 0
Figure 40. Example of the SHOW RSTP Command
The bridge priority, bridge hello time, and bridge max age parameters will
have two values if RSTP is enabled on the switch (for example, Bridge
Forwarding .. 15/15). The first number is the configured value on the
switch for the parameter and the second is the value the switch obtained
from the root bridge and is currently using for the parameter. The switch
displays only the configured values for these parameters if spanning tree
is not enabled on the switch.
The Status parameter displays whether STP is enabled or disabled on the
switch.
For definitions of the force version, bridge priority, hello time, forward
delay, and max age parameters, refer to “SET RSTP” on page 454.
The bridge Identifier parameter consists of the switch’s bridge priority
value and MAC address, separated by a slash (/). To change the switch’s
priority value, refer to “SET RSTP” on page 454. The MAC address of the
switch cannot be changed.
The root bridge identifier parameter displays the bridge priority value and
MAC address of the root switch of the spanning tree domain. The values
are separated by a slash (/). This parameter only appears when RSTP is
activated on the switch.
The root path cost parameter displays the path cost from the switch to the
root bridge of the spanning tree domain. If the switch is the root bridge, the
path cost is 0. This parameter only appears when RSTP is activated on the
switch.
The PORTCONFIG parameter displays the current RSTP parameter
settings for the ports. An example is shown in Figure 41.
Port | Edge-Port | Point-to-Point | Cost        | Priority
-------------------------------------------------------------
1    | Yes       | Auto Update    | Auto Update | 128
2    | Yes       | Auto Update    | Auto Update | 128
3    | Yes       | Auto Update    | Auto Update | 128
4    | Yes       | Auto Update    | Auto Update | 128
5    | Yes       | Auto Update    | Auto Update | 128
6    | Yes       | Auto Update    | Auto Update | 128
7    | Yes       | Auto Update    | Auto Update | 128
8    | Yes       | Auto Update    | Auto Update | 128
10   | Yes       | Auto Update    | Auto Update | 128
11   | Yes       | Auto Update    | Auto Update | 128
Figure 41. Example of the SHOW RSTP PORTCONFIG Command
For definitions of these parameters, refer to “SET RSTP PORT” on
page 457 or the AT-S63 Management Software Menus Interface User’s
Guide.
The PORTSTATE parameter displays the current operating settings and
status of the ports. An example is shown in Figure 42.
Port  State       Role        Edge  P2P  Version  Port-Cost
-----------------------------------------------------------------
1     Disabled    -----------------------------------
2     Forwarding  Designated  No    Yes  RSTP     200000
3     Forwarding  Designated  No    Yes  RSTP     200000
4     Forwarding  Designated  No    Yes  RSTP     200000
5     Forwarding  Designated  No    Yes  RSTP     200000
6     Forwarding  Designated  No    Yes  RSTP     200000
7     Forwarding  Designated  No    Yes  RSTP     200000
8     Forwarding  Designated  No    Yes  RSTP     200000
9     Forwarding  Designated  No    Yes  RSTP     200000
10    Forwarding  Designated  No    Yes  RSTP     200000
11    Forwarding  Designated  No    Yes  RSTP     200000
Figure 42. Example of the SHOW RSTP PORTSTATE Command
The information displayed by the command is as follows:
• Port - The port number.
• State - The RSTP state of the port. The possible states for a port
connected to another device running RSTP are Discarding and
Forwarding.
The possible states for a port connected to a device running STP are
Listening, Learning, Forwarding, and Blocking.
The possible state for a port not being used or where spanning tree is
not activated is Disabled.
• Role - The RSTP role of the port. Possible roles are:
Root - The port is connected to the root switch, directly or through
other switches, with the least path cost.
Alternate - The port offers an alternate path to the root switch.
Backup - The port on a designated switch that provides a backup for
the path provided by the designated port.
Designated - The port has the least cost path to the root switch.
• P2P - Whether or not the port is functioning as a point-to-point port.
The possible settings are Yes and No.
• Version - Whether the port is operating in RSTP mode or
STP-compatible mode.
• Port Cost - The current operating cost of the port.
Examples
The following command displays the bridge’s RSTP settings:
show rstp
The following command displays the RSTP port settings for ports 1 to 4:
show rstp portconfig=1-4
The following command displays RSTP port status for port 15:
show rstp portstate=15
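The bridge summary printed by SHOW STP (Figure 38) and SHOW RSTP (Figure 40) carries the two values a network defender most wants to watch: the root bridge identifier, which should stay the bridge the design designates, and the Configured/Actual timer pairs, which diverge when the switch has adopted another root's parameters. The following is an added example written for this page, not AT-S63 code, that parses that "Label ..... value" layout and raises findings a monitoring job could act on. The sample text is the guide's Figure 40 copied as a constructed capture, and the function names and finding wording are the example's own.

```python
# Added example (not AT-S63 code): parse the SHOW STP / SHOW RSTP bridge
# summary and flag an unexpected root bridge or adopted (non-configured) timers.
import re

# Constructed sample: the SHOW RSTP output of Figure 40 as captured from a console.
SAMPLE_SHOW_RSTP = """\
Status ....................... Enabled
Force Version ................ NormalRSTP
Bridge Priority .............. 32768 (In multiples of 4096: 8)
Bridge Hello Time ............ 2/2 (Configured/Actual)
Bridge Forward Delay ......... 15/15 (Configured/Actual)
Bridge Max Age ............... 20/20 (Configured/Actual)
Bridge Identifier ............ 32768/00:21:46:A7:B4:11
Root Bridge Identifier ....... 32768/00:21:46:A7:B4:11
Root Path Cost ............... 0
"""

LINE_RE = re.compile(r"^\s*(?P<label>.+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")
TIMER_LABELS = ("Bridge Hello Time", "Bridge Forward Delay",
                "Bridge Forwarding Delay", "Bridge Max Age")


def parse_show_output(text):
    """Turn the 'Label ..... value' lines into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group("label")] = m.group("value")
    return fields


def parse_bridge_id(value):
    """'32768/00:21:46:A7:B4:11' -> (32768, '00:21:46:a7:b4:11')."""
    prio, mac = value.split("/", 1)
    return int(prio), mac.strip().lower()


def parse_timer(value):
    """'15/15 (Configured/Actual)' -> (15, 15); a bare '15', which the switch
    prints when spanning tree is not enabled, -> (15, None)."""
    m = re.match(r"\s*(\d+)(?:/(\d+))?", value)
    if not m:
        raise ValueError("unrecognised timer field: %r" % value)
    actual = int(m.group(2)) if m.group(2) else None
    return int(m.group(1)), actual


def audit_root(fields, expected_root_mac):
    """Findings for a monitoring job: spanning tree off, a root bridge other
    than the designated one, or timers in use that differ from the configured
    values (the switch has taken another bridge's parameters)."""
    findings = []
    if fields.get("Status") != "Enabled":
        findings.append("spanning tree not enabled")
        return findings
    # SHOW STP labels the field 'Root Bridge', SHOW RSTP 'Root Bridge Identifier'
    root_key = "Root Bridge Identifier" if "Root Bridge Identifier" in fields else "Root Bridge"
    root_prio, root_mac = parse_bridge_id(fields[root_key])
    if root_mac != expected_root_mac.lower():
        findings.append("unexpected root bridge %d/%s" % (root_prio, root_mac))
    for label in TIMER_LABELS:
        if label in fields:
            configured, actual = parse_timer(fields[label])
            if actual is not None and actual != configured:
                findings.append("%s configured %d but using %d" % (label, configured, actual))
    return findings
```

Run against the sample with the switch's own MAC as the expected root, `audit_root` returns no findings (the switch is the root and every timer pair matches); with any other expected MAC it reports the identifier actually holding the root role, which is the signal to correlate with a planned change or investigate as a rogue bridge.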
Chapter 27
Multiple Spanning Tree Protocol
Commands
This chapter contains the following commands:
• “ACTIVATE MSTP” on page 464
• “ADD MSTP” on page 465
• “CREATE MSTP” on page 466
• “DELETE MSTP” on page 467
• “DESTROY MSTP MSTIID” on page 468
• “DISABLE MSTP” on page 469
• “ENABLE MSTP” on page 470
• “PURGE MSTP” on page 471
• “SET MSTP” on page 472
• “SET MSTP CIST” on page 475
• “SET MSTP MSTI” on page 476
• “SET MSTP MSTIVLANASSOC” on page 478
• “SET MSTP PORT” on page 479
• “SHOW MSTP” on page 483
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 23,
“Multiple Spanning Tree Protocol” in the AT-S63 Management
Software Menus Interface User’s Guide.
ACTIVATE MSTP
Syntax
activate mstp
Parameters
None.
Description
This command designates MSTP as the active spanning tree on the
switch. You cannot enable MSTP or configure its parameters until after
you have designated it as the active spanning tree with this command.
Only one spanning tree protocol can be active on the switch at a time.
Example
The following command designates MSTP as the active spanning tree:
activate mstp
ADD MSTP
Syntax
add mstp mstiid=mstiid mstivlanassoc=vids
Parameters
mstiid
Specifies the ID of the multiple spanning tree instance
(MSTI) to which you want to associate VLANs. You can
specify only one MSTI ID at a time. The range is 1 to
15.
mstivlanassoc
Specifies the VID of the VLAN you want to associate
with the MSTI ID. You can specify more than one VID at
a time (for example, 2,5,44).
Description
This command associates VLANs to a MSTI.
The MSTIID parameter specifies the MSTI ID. The MSTI must already
exist on the switch. To create a spanning tree instance, see “CREATE
MSTP” on page 466.
The MSTIVLANASSOC parameter specifies the VIDs of the VLANs you
want to associate with the MSTI. The VLANs must already exist on the
switch. Any VLANs already associated with the MSTI are retained. If you
want to add VLANs to a MSTI while removing those already associated to
it, see “SET MSTP MSTIVLANASSOC” on page 478.
Examples
The following command associates the VLAN with the VID 4 to MSTI ID 8:
add mstp mstiid=8 mstivlanassoc=4
The following command associates the VLANs with the VIDs 24 and 44 to
MSTI ID 11:
add mstp mstiid=11 mstivlanassoc=24,44
CREATE MSTP
Syntax
create mstp mstiid=mstiid [mstivlanassoc=vids]
Parameters
mstiid
Specifies the MSTI ID of the spanning tree instance you
want to create. You can specify only one MSTI ID at a
time. The range is 1 to 15.
mstivlanassoc
Specifies the VID of the VLAN you want to associate
with the MSTI ID. You can specify more than one VID at
a time (for example, 2,5,44).
Description
This command creates an MSTI ID and associates VLANs to the new
spanning tree instance.
The MSTIID parameter specifies the new MSTI ID.
The MSTIVLANASSOC parameter specifies the VIDs of the VLANs you
want to associate with the new MSTI. The VLANs must already exist on
the switch. If you do not specify any VLANs, you can add them later using
“ADD MSTP” on page 465 or “SET MSTP MSTIVLANASSOC” on
page 478.
Examples
The following command creates the MSTI ID 8 and associates to it the
VLAN with the VID 4:
create mstp mstiid=8 mstivlanassoc=4
The following command creates the MSTI ID 11 and associates to it the
VLANs with the VIDs 24 and 44:
create mstp mstiid=11 mstivlanassoc=24,44
DELETE MSTP
Syntax
delete mstp mstiid=mstiid mstivlanassoc=vids
Parameters
mstiid
Specifies the MSTI ID of the spanning tree instance
where you want to remove VLANs. You can specify
only one MSTI ID at a time. The range is 1 to 15.
mstivlanassoc
Specifies the VID of the VLAN you want to remove from
the spanning tree instance. You can specify more than
one VID at a time (for example, 2,5,44).
Description
This command removes a VLAN from a spanning tree instance. A VLAN
removed from a spanning tree instance is automatically returned to CIST.
The MSTIID parameter specifies the MSTI ID.
The MSTIVLANASSOC parameter specifies the VIDs of the VLANs you
want to remove from the spanning tree instance.
Examples
The following command deletes the VLAN with the VID 4 from MSTI ID 8:
delete mstp mstiid=8 mstivlanassoc=4
The following command deletes the VLANs with the VIDs 24 and 44 from
MSTI ID 11:
delete mstp mstiid=11 mstivlanassoc=24,44
DESTROY MSTP MSTIID
Syntax
destroy mstp mstiid=mstiid
Parameter
mstiid
Specifies the MSTI ID of the spanning tree instance you
want to delete. You can specify only one MSTI ID at a
time. The range is 1 to 15.
Description
This command deletes a spanning tree instance. VLANs associated with a
deleted MSTI are returned to CIST.
Example
The following command deletes the spanning tree instance 4:
destroy mstp mstiid=4
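The four commands ADD MSTP, CREATE MSTP, DELETE MSTP and DESTROY MSTP MSTIID together maintain one mapping: each VLAN belongs to exactly one spanning tree instance, and whatever is removed from an MSTI falls back to the CIST. The following is an added example written for this page, not AT-S63 code, that replays the guide's own examples against a small model of that mapping so the fallback behaviour can be checked step by step. The class and method names, the use of instance number 0 to stand for the CIST, and the rule that adding a VID to one MSTI removes it from any other are the example's own assumptions; `set_assoc` implements SET MSTP MSTIVLANASSOC as the ADD MSTP description characterises it (replace rather than retain).

```python
# Added example (not AT-S63 code): a model of MSTI/VLAN association as the
# ADD, CREATE, DELETE and DESTROY MSTP commands change it.

CIST = 0                    # assumption: the CIST is represented as instance 0
MSTI_RANGE = range(1, 16)   # MSTI IDs run from 1 to 15


class MstpInstances:
    """Which VLAN (by VID) belongs to which MSTI on one switch."""

    def __init__(self, existing_vids):
        self.vids = set(existing_vids)   # VLANs that exist on the switch
        self.msti = {}                    # mstiid -> set of VIDs

    def _check_id(self, mstiid, must_exist=True):
        if mstiid not in MSTI_RANGE:
            raise ValueError("MSTI ID must be 1-15, got %r" % mstiid)
        if must_exist and mstiid not in self.msti:
            raise ValueError("MSTI %d does not exist; CREATE MSTP first" % mstiid)

    def _check_vids(self, vids):
        missing = set(vids) - self.vids
        if missing:
            raise ValueError("VLANs must exist before association: %s" % sorted(missing))

    def instance_of(self, vid):
        """MSTI holding the VID, or CIST when it is associated with none."""
        for mstiid, members in self.msti.items():
            if vid in members:
                return mstiid
        return CIST

    def cist_vids(self):
        return self.vids - set().union(*self.msti.values())

    def create(self, mstiid, vids=()):                       # CREATE MSTP
        self._check_id(mstiid, must_exist=False)
        if mstiid in self.msti:
            raise ValueError("MSTI %d already exists" % mstiid)
        self.msti[mstiid] = set()
        self.add(mstiid, vids)

    def add(self, mstiid, vids):                             # ADD MSTP
        """Associate VIDs; VLANs already in the MSTI are retained. Assumption:
        a VID maps to one instance, so it leaves any other MSTI it was in."""
        self._check_id(mstiid)
        self._check_vids(vids)
        for vid in vids:
            current = self.instance_of(vid)
            if current != CIST:
                self.msti[current].discard(vid)
            self.msti[mstiid].add(vid)

    def set_assoc(self, mstiid, vids):                       # SET MSTP MSTIVLANASSOC
        """Replace the MSTI's VLAN list; the dropped VLANs return to the CIST."""
        self._check_id(mstiid)
        self.msti[mstiid] = set()
        self.add(mstiid, vids)

    def delete(self, mstiid, vids):                          # DELETE MSTP
        self._check_id(mstiid)
        self.msti[mstiid] -= set(vids)    # removed VLANs return to the CIST

    def destroy(self, mstiid):                               # DESTROY MSTP MSTIID
        self._check_id(mstiid)
        del self.msti[mstiid]             # all its VLANs return to the CIST

    def snapshot(self):
        return {vid: self.instance_of(vid) for vid in sorted(self.vids)}


def run_guide_examples():
    """Replay the guide's examples on constructed VLANs 1, 4, 24 and 44 and
    return the vid -> instance mapping after each step."""
    m = MstpInstances([1, 4, 24, 44])
    steps = []
    m.create(8, [4]);          steps.append(m.snapshot())   # create mstp mstiid=8 mstivlanassoc=4
    m.create(11, [24, 44]);    steps.append(m.snapshot())   # create mstp mstiid=11 mstivlanassoc=24,44
    m.delete(11, [24]);        steps.append(m.snapshot())   # delete mstp mstiid=11 mstivlanassoc=24
    m.destroy(8);              steps.append(m.snapshot())   # destroy mstp mstiid=8
    return steps
```

After the last step VLAN 4 and VLAN 24 are back in the CIST and only VLAN 44 remains in MSTI 11, which is the state a SHOW MSTP on the switch should confirm after the same command sequence.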
DISABLE MSTP
Syntax
disable mstp
Parameters
None.
Description
This command disables the Multiple Spanning Tree Protocol on the
switch. To view the current status of MSTP, refer to “SHOW MSTP” on
page 483.
Example
The following command disables MSTP:
disable mstp
ENABLE MSTP
Syntax
enable mstp
Parameters
None.
Description
This command enables Multiple Spanning Tree Protocol on the switch. To
view the current status of MSTP, refer to “SHOW MSTP” on page 483.
You must select MSTP as the active spanning tree on the switch before
you can enable it with this command. To activate MSTP, see “ACTIVATE
MSTP” on page 464.
Example
The following command enables MSTP:
enable mstp
PURGE MSTP
Syntax
purge mstp
Parameters
None.
Description
This command returns all MSTP bridge and port parameter settings to
their default values. This command also deletes all multiple spanning tree
instances and VLAN associations.
In order for you to use this command, MSTP must be the active spanning
tree protocol on the switch and the protocol must be disabled. To select
MSTP as the active spanning tree protocol on the switch, see “ACTIVATE
MSTP” on page 464. To disable MSTP, refer to “DISABLE MSTP” on
page 469.
Example
The following command resets the MSTP bridge and port parameter
settings:
purge mstp
Equivalent Command
set mstp default
For information, see “SET MSTP” on page 472.
SET MSTP
Syntax
set mstp [default]
[forceversion=stpcompatible|forcestpcompatible|
normalmstp] [hellotime=hellotime]
[forwarddelay=forwarddelay] [maxage=maxage]
[maxhops=maxhops] [configname="name"]
[revisionlevel=number]
Parameters
default
Disables MSTP and returns all bridge and port MSTP
settings to the default values. This parameter cannot be
used with any other parameter. (This parameter
performs the same function as the PURGE MSTP
command.) The spanning tree protocol must be
disabled to use this parameter.
forceversion
Controls whether the bridge will operate with MSTP or
in an STP-compatible mode. If you select MSTP, the
bridge will operate all ports in MSTP, except for those
ports that receive STP or RSTP BPDU packets. If you
select STP Compatible or Force STP Compatible, the
bridge uses its MSTP parameter settings, but sends
only STP BPDU packets from the ports.
The options are:
normalmstp
The bridge uses MSTP. The
bridge sends out MSTP BPDU
packets from all ports except for
those ports connected to bridges
running STP. This is the default
setting.
stpcompatible or
forcestpcompatible
The bridge operates in an STP-compatible mode where it uses
the MSTP parameter settings,
but transmits only STP BPDU
packets from the ports. These
options are equivalent.
Note
Selecting the STP-compatible mode deletes all spanning tree
instances on the switch.
hellotime
Specifies the time interval between generating and
sending configuration messages by the bridge. This
parameter can be from 1 to 10 seconds. The default is 2
seconds.
forwarddelay
Specifies the waiting period before a bridge changes to
a new state, for example, becomes the new root bridge
after the topology changes. If the bridge transitions too
soon, not all links may have yet adapted to the change,
resulting in network loops. The default is 15 seconds.
This parameter affects only those ports operating in the
STP compatible mode.
maxage
Specifies the length of time, in seconds, after which
stored bridge protocol data units (BPDUs) are deleted
by the bridge. All bridges in a bridged LAN use this
aging time to test the age of stored configuration
messages called bridge protocol data units (BPDUs).
For example, if you use the default value of 20, all
bridges delete current configuration messages after 20
seconds. The range of this parameter is 6 to 40
seconds. The default is 20 seconds.
Note
The value for the maxage parameter must be greater than
(2 x (hellotime +1)) and less than (2 x (forwarddelay -1)).
maxhops
Specifies the maximum hops counter. MSTP regions
use this parameter to discard BPDUs. The Max Hop
counter in a BPDU is decremented every time the
BPDU crosses a bridge within a MSTP region. After the
counter reaches zero, the BPDU is deleted. The counter
is reset to its original value if the BPDU crosses a MSTP
regional boundary.
configname
Specifies the name of the MSTP region. The range is 0
(zero) to 32 alphanumeric characters. The name is
case-sensitive and must be the same on all bridges in a
region. Examples include Sales Region and Production
Region. The name must be enclosed in quotes.
revisionlevel
Specifies the revision number of an MSTP region. The
range is 0 (zero) to 255. This is an arbitrary number that
you assign to a region. The revision level must be the
same on all bridges in a region. Different regions can
have the same revision level without conflict.
Chapter 27: Multiple Spanning Tree Protocol Commands
Description
This command configures the following MSTP parameter settings.
• Hello time
• Forwarding delay
• Maximum age time
• Maximum hop count
• Force version of STP or normal MSTP
• Configuration name
• Revision level
Examples
The following command disables MSTP and returns all MSTP parameter
settings to their default values:
set mstp default
The following command sets the hop count to 10, the configuration name
to Engineering Region, and the revision level to 2:
set mstp maxhops=10 configname="Engineering Region" revisionlevel=2
The following command uses the FORCEVERSION parameter to
configure the bridge to use the MSTP parameters but to transmit only STP
BPDU packets:
set mstp forceversion=forcestpcompatible
Equivalent Command
purge mstp
For information, see “PURGE MSTP” on page 471. This command
performs the same function as the DEFAULT parameter.
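As an added example (not code from the manual or from the AT-S63 software), the following Python script parses a SET MSTP command line and checks its parameters against the ranges and the MAXAGE rule stated above; the effective hellotime and forwarddelay are taken from the defaults or from a supplied current configuration. The FORWARDDELAY and MAXHOPS ranges are not given on this page, so they are not checked.

```python
"""Parser and sanity checker for SET MSTP bridge parameters (added example,
not AT-S63 code). Ranges, defaults and the MAXAGE rule follow the page."""
import shlex

# Defaults and ranges as stated on the page.
DEFAULTS = {"hellotime": 2, "forwarddelay": 15, "maxage": 20}
RANGES = {"hellotime": (1, 10), "maxage": (6, 40), "revisionlevel": (0, 255)}
CONFIGNAME_MAXLEN = 32
# forwarddelay and maxhops are parsed as integers but have no range on the page.
NUMERIC_KEYS = ("hellotime", "forwarddelay", "maxage", "maxhops", "revisionlevel")


def parse_set_mstp(line):
    """Split a 'set mstp ...' line into a {parameter: value} dict.

    shlex honours the quotes around configname, so
    configname="Engineering Region" becomes one value with the space kept.
    """
    tokens = shlex.split(line)
    if [t.lower() for t in tokens[:2]] != ["set", "mstp"]:
        raise ValueError("not a SET MSTP command: %r" % line)
    params = {}
    for tok in tokens[2:]:
        if tok.lower() == "default":
            params["default"] = True
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("expected parameter=value, got %r" % tok)
        params[key.lower()] = value
    # DEFAULT cannot be combined with any other parameter.
    if "default" in params and len(params) > 1:
        raise ValueError("DEFAULT cannot be used with other parameters")
    return params


def validate_mstp_params(params, current=None):
    """Return a list of violations for the parameters in `params`.

    `current` holds the bridge's existing timer values (defaults if None);
    the MAXAGE rule is checked against the values that would be in effect
    after the command, not only the ones typed on the command line.
    """
    if params.get("default"):
        return []
    effective = dict(DEFAULTS)
    effective.update(current or {})
    errors = []
    for key in NUMERIC_KEYS:
        if key not in params:
            continue
        try:
            effective[key] = int(params[key])
        except ValueError:
            errors.append("%s must be an integer, got %r" % (key, params[key]))
            continue
        if key in RANGES:
            lo, hi = RANGES[key]
            if not lo <= effective[key] <= hi:
                errors.append("%s=%d outside %d-%d" % (key, effective[key], lo, hi))
    if "configname" in params and len(params["configname"]) > CONFIGNAME_MAXLEN:
        errors.append("configname longer than %d characters" % CONFIGNAME_MAXLEN)
    # Note on the page: maxage must be greater than 2 x (hellotime + 1)
    # and less than 2 x (forwarddelay - 1).
    lower = 2 * (effective["hellotime"] + 1)
    upper = 2 * (effective["forwarddelay"] - 1)
    if not lower < effective["maxage"] < upper:
        errors.append("maxage=%d must lie strictly between %d and %d "
                      "given hellotime=%d and forwarddelay=%d"
                      % (effective["maxage"], lower, upper,
                         effective["hellotime"], effective["forwarddelay"]))
    return errors


def check_command(line, current=None):
    """Parse and validate in one step; returns (params, errors)."""
    params = parse_set_mstp(line)
    return params, validate_mstp_params(params, current)


if __name__ == "__main__":
    for cmd in ('set mstp maxhops=10 configname="Engineering Region" revisionlevel=2',
                "set mstp hellotime=10",              # default maxage 20 is not > 22
                "set mstp forwarddelay=5 maxage=6"):  # 6 is not < 2 x (5 - 1) = 8
        print(cmd, "->", check_command(cmd)[1] or "ok")
```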
SET MSTP CIST
Syntax
set mstp cist priority=priority
Parameter
priority
Specifies the CIST priority number for the switch. The
range is 0 to 61,440 in increments of 4,096. The range
is divided into sixteen increments, as shown in
Table 22. You specify the increment that represents the
desired bridge priority value. The default value is
32,768, which is increment 8.
Table 22. CIST Priority Value Increments
Increment   CIST Priority   Increment   CIST Priority
0           0               8           32768
1           4096            9           36864
2           8192            10          40960
3           12288           11          45056
4           16384           12          49152
5           20480           13          53248
6           24576           14          57344
7           28672           15          61440
Description
This command sets the CIST priority number on the switch. This number is
used in determining the root bridge for the bridged network. The bridge
with the lowest priority number acts as the root bridge. If two or more
bridges have the same priority value, the bridge with the numerically
lowest MAC address becomes the root bridge. To view the current CIST
priority number, see “SHOW MSTP” on page 483.
Example
The following command sets the CIST priority value to 45,056, which is
increment 11:
set mstp cist priority=11
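The election rule described above (lowest priority, then lowest MAC address), as an added Python example that is not part of the manual: it converts SET MSTP CIST increments to priority values, builds the priority/MAC bridge identifier, and reports whether the bridge you intended to be root actually wins. The colon-separated MAC notation and the sample addresses are assumptions.

```python
"""CIST priority increments and root-bridge election (added example, not
AT-S63 code). The bridge identifier is modelled as the page describes it,
"priority/MAC"; the colon-separated MAC notation is an assumption."""
import re

PRIORITY_STEP = 4096
MAX_INCREMENT = 15          # 15 x 4096 = 61,440
DEFAULT_INCREMENT = 8       # priority 32,768
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:\-]?){5}[0-9A-Fa-f]{2}$")


def increment_to_priority(increment):
    """SET MSTP CIST takes an increment 0-15; the bridge uses increment x 4096."""
    if not 0 <= increment <= MAX_INCREMENT:
        raise ValueError("increment must be 0-15, got %r" % increment)
    return increment * PRIORITY_STEP


def priority_to_increment(priority):
    """Inverse mapping; rejects values that are not multiples of 4096."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_INCREMENT * PRIORITY_STEP:
        raise ValueError("priority must be 0-61440 in steps of 4096, got %r" % priority)
    return priority // PRIORITY_STEP


def normalise_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form (format is an assumption)."""
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC address %r" % mac)
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def bridge_identifier(increment, mac):
    """'priority/MAC', the form in which SHOW MSTP prints the bridge identifier."""
    return "%d/%s" % (increment_to_priority(increment), normalise_mac(mac))


def election_key(identifier):
    """Sort key: the lower priority wins, then the numerically lower MAC."""
    priority, mac = identifier.split("/", 1)
    return int(priority), int(normalise_mac(mac).replace(":", ""), 16)


def elect_cist_root(identifiers):
    """Return the bridge identifier that becomes the CIST root bridge."""
    if not identifiers:
        raise ValueError("no bridges")
    return min(identifiers, key=election_key)


def root_is_intended(identifiers, intended_mac):
    """True when the bridge you configured to be root actually wins; a
    different winner means another bridge has an equal or lower priority."""
    root_mac = elect_cist_root(identifiers).split("/", 1)[1]
    return normalise_mac(root_mac) == normalise_mac(intended_mac)


if __name__ == "__main__":
    # Constructed sample: the core switch is set to increment 4 (16,384),
    # the other two keep the default 8; a tie would go to the lowest MAC.
    bridges = [
        bridge_identifier(4, "02:00:00:00:00:ff"),   # core, intended root
        bridge_identifier(8, "02:00:00:00:00:0a"),
        bridge_identifier(8, "02:00:00:00:00:05"),
    ]
    print("root:", elect_cist_root(bridges))
    print("intended root wins:", root_is_intended(bridges, "02:00:00:00:00:FF"))
```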
SET MSTP MSTI
Syntax
set mstp msti mstiid=mstiid priority=priority
Parameters
mstiid
Specifies an MSTI ID. You can specify only one MSTI ID
at a time. The range is 1 to 15.
priority
Specifies the MSTI priority value for the switch. The
range is 0 to 61,440 in increments of 4,096. The range
is divided into sixteen increments, as shown in
Table 23. You specify the increment that represents the
desired bridge priority value. The default value is
32,768, which is increment 8.
Table 23. MSTI Priority Value Increments
Increment   MSTI Priority   Increment   MSTI Priority
0           0               8           32,768
1           4,096           9           36,864
2           8,192           10          40,960
3           12,288          11          45,056
4           16,384          12          49,152
5           20,480          13          53,248
6           24,576          14          57,344
7           28,672          15          61,440
Description
This command changes the MSTI priority value of a spanning tree
instance on a bridge. This value is used in determining the regional root
bridge of a spanning tree instance.
The MSTIID parameter specifies the MSTI ID whose MSTI priority you
want to change. The range is 1 to 15.
The PRIORITY parameter specifies the new MSTI priority value. The
range is 0 (zero) to 61,440 in increments of 4,096, with 0 being the highest
priority.
Examples
The following command changes the MSTI priority value to 45,056
(increment 11) for the MSTI ID 4:
set mstp msti mstiid=4 priority=11
The following command changes the MSTI priority value to 8,192
(increment 2) for the MSTI ID 6:
set mstp msti mstiid=6 priority=2
SET MSTP MSTIVLANASSOC
Syntax
set mstp mstivlanassoc mstiid=mstiid vlanlist=vids
Parameters
mstiid
Specifies the ID of the spanning tree instance where
you want to associate VLANs. You can specify only one
MSTI ID at a time. The range is 1 to 15.
vlanlist
Specifies the VID of the VLAN you want to associate
with the MSTI ID. You can specify more than one VID at
a time (for example, 2,5,44). If VLANs have already
been associated with the MSTI, they are overwritten.
Description
This command associates VLANs to spanning tree instances.
The MSTIID parameter specifies the ID of the spanning tree instance. The
spanning tree instance must already exist on the switch. To create a
spanning tree instance, see “CREATE MSTP” on page 466.
The VLANLIST parameter specifies the VID of the VLANs you want to
associate with the MSTI. The VLANs must already exist on the switch. If
VLANs are already associated with the MSTI, they are removed and
returned to CIST. If you want to add VLANs to an MSTI and retain those
VLANs already associated with it, see “ADD MSTP” on page 465.
Examples
The following command associates the VLAN with the VID 4 to MSTI ID 8:
set mstp mstivlanassoc mstiid=8 vlanlist=4
The following command associates VIDs 24 and 44 to MSTI ID 11:
set mstp mstivlanassoc mstiid=11 vlanlist=24,44
SET MSTP PORT
Syntax 1
set mstp port=port|all [extportcost=auto|portcost]
[edgeport=yes|no|on|off|true|false]
[ptp|pointtopoint=yes|no|on|off|true|false|autoupdate]
[migrationcheck=yes|no|on|off|true|false]
Syntax 2
set mstp port=port|all [intportcost=auto|portcost]
[portpriority=priority] [stpid=msti_id]
Parameters
port
Specifies the port you want to configure. You can
specify more than one port at a time. To configure all
ports in the switch, enter ALL.
extportcost
Specifies the cost of a port connected to a bridge that is
a member of another MSTP region or is running STP or
RSTP. This is referred to as an external port cost. The
range is 0 to 200,000,000. The default setting is Auto,
which sets port cost based on port speed. Table 24 lists
the MSTP external port costs with the Auto setting
when the port is not a member of a trunk.
Table 24. Auto External Path Costs
Port Speed   Port Cost
10 Mbps      2,000,000
100 Mbps     200,000
1000 Mbps    20,000
Table 25 lists the MSTP port costs with the Auto setting
when the port is part of a port trunk.
Table 25. Auto External Path Trunk Costs
Port Speed   Port Cost
10 Mbps      20,000
100 Mbps     20,000
1000 Mbps    2,000
edgeport
Defines whether the port is functioning as an edge port.
An edge port is connected to a device operating at half-duplex mode and is not connected to any device
running STP or MSTP. Selections are:
yes, on, true
The port is an edge port. These
values are equivalent. This is the
default.
no, off, false
The port is not an edge port. These
values are equivalent.
ptp or
pointtopoint
Defines whether the port is functioning as a point-to-point port. This type of port is connected to a device
operating at full-duplex mode. Selections are:
yes, on, true
The port is a point-to-point port.
no, off, false
The port is not a point-to-point port.
autoupdate
The port’s status is determined
automatically. This is the default.
migrationcheck
This parameter resets an MSTP port, allowing it to send
MSTP BPDUs. When an MSTP bridge receives STP
BPDUs on an MSTP port, the port transmits STP
BPDUs. The MSTP port continues to transmit STP
BPDUs indefinitely. Set the migrationcheck parameter
to yes to reset the MSTP port to transmit MSTP BPDUs.
yes, on, true
Enable migration check. The values
are equivalent.
no, off, false
Disable migration check. The values
are equivalent.
Note
Each time a MSTP port is reset by receiving STP BPDUs, set the
migrationcheck parameter to yes, allowing the port to send MSTP
BPDUs.
intportcost
Specifies the cost of a port connected to a bridge that is
part of the same MSTP region. This is referred to as an
internal port cost. The range is 0 to 200,000,000. The
default setting is Auto-detect (0), which sets port cost
depending on the speed of the port. Default values are
2,000,000 for 10 Mbps ports, 200,000 for 100 Mbps
ports, and 20,000 for 1000 Mbps ports.
portpriority
Specifies the port’s priority. This parameter is used as a
tie breaker when two or more ports are determined to
have equal costs to the root bridge. The range is 0 to
240 in increments of 16. There are sixteen increments,
as shown in Table 26 on page 481. You specify the
increment of the desired value. The default is 128,
which is increment 8.
Table 26. Port Priority Value Increments
Increment   Port Priority   Increment   Port Priority
0           0               8           128
1           16              9           144
2           32              10          160
3           48              11          176
4           64              12          192
5           80              13          208
6           96              14          224
7           112             15          240
stpid
Specifies the ID number of an MSTI in which the VLAN
of a port is a member. This parameter is used with the
INTPORTCOST and PORTPRIORITY parameters to
assign different path costs and priority values to
untagged and tagged ports whose VLANs belong to
more than one MSTI. You can specify more than one
MSTI at a time (e.g., 4,6,11). If the VLANs of a port
belong to just one MSTI, you can omit this parameter.
Description
This command sets a port’s MSTP settings. The command is illustrated in
two syntaxes to represent the two groups of MSTI port parameters. The
first group is referred to as generic parameters. They are set just once on
a port, regardless of the number of MSTIs where a port is a member.
These parameters are the external path cost and edge port and point-to-point port designations.
The second group can be applied independently on a port on a per-MSTI
basis. There are two parameters in this group — internal path cost and
priority. A port whose VLANs are members of different MSTIs can have
different settings in each MSTI. The MSTI is identified with the STPID
parameter. You can omit the STPID parameter if a port is a member of one
or more VLANs that all belong to the same MSTI, or if you want to assign
the port the same path cost or priority value in all of its MSTI assignments.
Syntax 1 Examples
The following command sets the external port cost to 500 for Ports 14 and
23:
set mstp port=14,23 extportcost=500
The following command sets the external port cost to 1,000,000 for Port 4
and designates it as an edge port:
set mstp port=4 extportcost=1000000 edgeport=yes
The following command sets the external port cost for Ports 2 and 5 to
Auto, which sets the port cost based on speed:
set mstp port=2,5 extportcost=auto
The following command designates Ports 6 to 8 as point-to-point ports:
set mstp port=6-8 ptp=yes
Syntax 2 Examples
The following command sets the internal port cost to 500 for Ports 7 and
10. If the ports are members of more than one VLAN and the VLANs are
assigned to more than one MSTI, the new internal port cost is assigned to
all of their MSTI assignments:
set mstp port=7,10 intportcost=500
This example illustrates the STPID parameter. This parameter is used
when a port belongs to more than one VLAN and the VLANs are assigned
to different MSTIs. You can use the parameter to specify different priority
and internal port costs on a port for each MSTI assignment. This
command assigns Port 15 in MSTI 2 a priority of 64 (increment 4):
set mstp port=15 portpriority=4 stpid=2
The following command sets the internal port cost to 1,000,000 and port
priority to 224 (increment 14) for Port 4:
set mstp port=4 intportcost=1000000 portpriority=14
The following command is similar to the previous example, except it
assumes port 4 is a member of more than one MSTI and you want to
assign the new values to only one of its MSTI assignments, in this case
MSTI 12:
set mstp port=4 intportcost=1000000 portpriority=14 stpid=12
The following command sets the internal port cost for Ports 2 and 5 to
Auto, which sets the port cost based on speed:
set mstp port=2,5 intportcost=auto
SHOW MSTP
Syntax
show mstp [portconfig=ports] [portstate=ports]
[stpid=msti_id] [mstistate] [cist] [mstivlanassoc]
Parameters
portconfig
Displays the MSTP settings of a port. You can specify
more than one port at a time. For a list of the MSTP
information displayed by this parameter, refer to
Description below.
portstate
Displays the MSTP state of a port. You can specify
more than one port at a time. For a list of the MSTP
information displayed by this parameter, refer to
Description below.
stpid
Specifies an MSTI ID. This parameter is used with the
PORTCONFIG and PORTSTATE parameters to view
MSTP settings for a port whose VLANs are members of
different MSTIs. You can specify more than one MSTI
ID.
mstistate
Displays a list of the MSTIs on the switch and their
associated VLANs. The list does not include the CIST.
cist
Displays the CIST priority and the VLANs associated
with CIST.
mstivlanassoc
Displays a list of the MSTIs on the switch, including the
CIST, and their associated VLANs.
Note
You can specify only one parameter at a time in this command. The
only exception is the STPID parameter, which can be used together
with the PORTCONFIG and PORTSTATE parameters.
Description
This command displays MSTP parameters. For definitions of the MSTP
terms used below, refer to Chapter 23, “Multiple Spanning Tree Protocol”
in the AT-S63 Management Software Menus Interface User’s Guide.
Entering SHOW MSTP without any parameters displays the following
MSTP settings:
• MSTP status
• Force version
• Hello time
• Forwarding delay
• Maximum age
• Maximum hops
• Configuration name
• Revision level
• Bridge identifier
• Root identifier
The hello time, forwarding delay, and bridge max age parameters will
have two values if MSTP is enabled on the switch (for example,
Forwarding Delay .. 15/15). The first number is the configured value on the
switch for the parameter and the second is the value the switch obtained
from the root bridge and is actually using for the parameter. The switch
displays only the configured values for these parameters if spanning tree
is not enabled on the switch.
The bridge identifier parameter consists of the switch’s CIST priority value
and MAC address, separated by a slash (/). To change the CIST priority
value, refer to “SET MSTP CIST” on page 475. The MAC address of the
switch cannot be changed.
The root bridge parameter specifies the bridge identifier of the root bridge
of the spanning tree domain. The identifier consists of the bridge or CIST
priority value and MAC address of the root switch, separated by a slash
(/). This parameter only appears when STP is activated on the switch.
The PORTCONFIG parameter displays the following MSTP port
parameter settings:
• Edge-port status
• Point-to-point status
• External and internal port costs
• Port priority
The PORTSTATE parameter displays the following MSTP port status
information:
• MSTP port state
• MSTP role
• Point-to-point status
• Spanning tree version
• Internal and external port costs
The MSTISTATE parameter displays the following information for each
spanning tree instance (excluding the CIST) on the switch:
• MSTI ID
• MSTI priority
• Regional root ID
• Path cost
• Associated VLANs
The CIST parameter displays the following CIST information:
• CIST priority value
• Root ID
• Root path cost
• Regional root ID
• Regional root path cost
• Associated VLANs
The MSTIVLANASSOC parameter displays the VLAN to MSTI
associations.
Examples
This command displays basic MSTP operating information:
show mstp
This command displays the MSTP state of Port 4:
show mstp portstate=4
This command displays the configuration of Port 5 in MSTI 2:
show mstp portconfig=5 stpid=2
This command displays the CIST information:
show mstp cist
This command displays the VLAN associations:
show mstp mstivlanassoc
Section VI
Virtual LANs
The chapters in this section contain the commands for managing virtual
LANs using the AT-S63 management software. The chapters include:
• Chapter 28, “Port-based, Tagged, and Multiple Mode VLAN Commands” on page 489
• Chapter 29, “GARP VLAN Registration Protocol Commands” on page 509
• Chapter 30, “Protected Ports VLAN Commands” on page 523
• Chapter 31, “MAC Address-based VLAN Commands” on page 533
Chapter 28
Port-based, Tagged, and Multiple Mode
VLAN Commands
This chapter contains the following commands:
• “ADD VLAN” on page 490
• “CREATE VLAN” on page 493
• “DELETE VLAN” on page 497
• “DESTROY VLAN” on page 500
• “SET SWITCH INFILTERING” on page 501
• “SET SWITCH VLANMODE” on page 502
• “SET VLAN” on page 504
• “SHOW VLAN” on page 505
Note
Remember to use the SAVE CONFIGURATION command to save
your changes on the switch.
Note
For background information on tagged and port-based VLANs, and
ingress filtering, refer to Chapter 24, “Port-based and Tagged
VLANs” in the AT-S63 Management Software Menus Interface
User’s Guide. For background information on the multiple VLAN
modes, refer to Chapter 26, “Multiple VLAN Modes” in the AT-S63
Management Software Menus Interface User’s Guide.
Chapter 28: Port-based, Tagged, and Multiple Mode VLAN Commands
ADD VLAN
Syntax 1
add vlan=name [vid=vid] ports=ports|all
frame=untagged|tagged
Syntax 2
add vlan=name [vid=vid] taggedports=ports|all
untaggedports=ports|all
Parameters
vlan
Specifies the name of the VLAN to modify.
vid
Specifies the VID of the VLAN you want to modify. This
parameter is optional.
ports
Specifies the ports to be added to the VLAN. You can
specify the ports individually (for example, 5, 7, 22), as
a range (for example, 18-23), or both (for example, 1, 5,
14-22).
frame
Identifies the new ports as either tagged or untagged.
This parameter must be used with the PORT
parameter.
taggedports
Specifies the ports to be added as tagged ports to the
VLAN. To include all ports on the switch as tagged
ports in the VLAN, use ALL.
untaggedports
Specifies the ports to be added as untagged ports to
the VLAN. Specifying ALL adds all ports on the switch
as untagged ports to the VLAN.
Description
This command adds tagged and untagged ports to an existing port-based
or tagged VLAN.
Note
To initially create a VLAN, see “CREATE VLAN” on page 493. To
remove ports from a VLAN, see “DELETE VLAN” on page 497.
This command has two syntaxes. You can use either command to add
ports to a VLAN. The difference between the two is that Syntax 1 can add
only one type of port, tagged or untagged, at a time to a VLAN, while
Syntax 2 can add both in the same command. This is illustrated in
Examples below.
When you add untagged ports to a VLAN, the ports are automatically
removed from their current untagged VLAN assignment. This is because a
port can be an untagged member of only one VLAN at a time. For
example, if you add port 4 as an untagged port to a VLAN, the port is
automatically removed from whichever VLAN it is currently an untagged
member.
Adding a tagged port to a VLAN does not change the port’s current tagged
and untagged VLAN assignments. This is because a tagged port can
belong to more than one VLAN at a time. For instance, if you add port 6 as
a tagged port to a new VLAN, port 6 remains a tagged and untagged
member of its other VLAN assignments.
If the switch is using 802.1x port-based network access control, a port set
to the authenticator or supplicant role must be changed to the 802.1x none
role before its untagged VLAN assignment can be changed. After the
VLAN assignment is made, the port’s role can be changed back again to
authenticator or supplicant, if necessary.
Examples
The following command uses Syntax 1 to add ports 4 and 7 as untagged
members to a VLAN called Sales:
add vlan=sales ports=4,7 frame=untagged
The following command does the same thing using Syntax 2:
add vlan=sales untaggedports=4,7
The following command uses Syntax 1 to add port 3 as a tagged member
to a VLAN called Production:
add vlan=production ports=3 frame=tagged
The following command does the same thing using Syntax 2:
add vlan=production taggedports=3
Adding both tagged and untagged ports to a VLAN using Syntax 1 takes
two commands, one command for each port type. For example, if you had
a VLAN called Service and you wanted to add port 5 as a tagged port and
ports 7 and 8 as untagged ports, the commands would be:
add vlan=Service ports=5 frame=tagged
add vlan=Service ports=7-8 frame=untagged
Using Syntax 2, you can add both types of ports with just one command:
add vlan=Service untaggedports=7-8 taggedports=5
CREATE VLAN
Syntax 1
create vlan=name vid=vid [type=port] ports=ports|all
frame=untagged|tagged
Syntax 2
create vlan=name vid=vid [type=port] taggedports=ports|all
untaggedports=ports|all
Parameters
vlan
Specifies the name of the VLAN. You must assign a
name to a VLAN.
The name can be from 1 to 20 characters in length
and should reflect the function of the nodes that will
be a part of the VLAN (for example, Sales or
Accounting). The name cannot contain spaces or
special characters, such as asterisks (*) or
exclamation points (!).
The name cannot be the same as the name of an
existing VLAN on the switch.
If the VLAN is unique in your network, then the
name needs to be unique as well. If the VLAN spans
multiple switches, then the name for the VLAN
should be the same on each switch.
vid
Specifies the VLAN identifier. The range is 2 to
4094. The VLAN must be assigned a VID.
You cannot use the VID 1, which is reserved for the
Default_VLAN.
The VID cannot be the same as the VID of an
existing VLAN on the switch.
If this VLAN is unique in your network, then its VID
should also be unique. If this VLAN is part of a
larger VLAN that spans multiple switches, then the
VID value for the VLAN should be the same on each
switch. For example, if you are creating a VLAN
called Sales that spans three switches, assign the
Sales VLAN on each switch the same VID value.
type
Specifies the type of VLAN to be created. The
option PORT signifies a port-based or tagged
VLAN. This parameter is optional.
ports
Specifies the ports on the switch that are either
tagged or untagged members of the new VLAN.
You can specify the ports individually (for example,
5, 7, 22), as a range (for example, 18-23), or both
(for example, 1, 5, 14-22). To specify all ports on the
switch, use ALL. This parameter must be followed
by the FRAME parameter.
frame
Specifies whether the ports of the VLAN are to be
tagged or untagged. This parameter must be used
with the PORT parameter.
taggedports
Specifies the ports on the switch to serve as tagged
ports in the VLAN. To specify all ports on the switch,
use ALL. Omit this parameter if the VLAN does not
contain tagged ports.
untaggedports
Specifies the ports on the switch to function as
untagged ports in the VLAN. To specify all ports on
the switch, use ALL. Omit this parameter if the
VLAN does not contain untagged ports.
Description
This command creates a port-based or tagged VLAN.
This command has two syntaxes. You can use either syntax to create a
port-based or tagged VLAN. The difference between the two syntaxes is
how you specify which ports are members of the VLAN and whether the
ports are tagged or untagged. Syntax 1 is limited because it allows you to
specify either tagged or untagged ports, but not both at the same time. On
the other hand, you can use Syntax 2 to create a VLAN that has both
types of ports. This is illustrated in the Examples section below.
When you create a new VLAN, untagged ports of the new VLAN are
automatically removed from their current untagged VLAN assignment.
This is because a port can be an untagged member of only one VLAN at a
time. For example, creating a new VLAN with untagged Ports 1 to 4
automatically removes these ports from whichever VLAN they are
currently untagged members.
The PVID of an untagged port is automatically changed to match the VID
number of the VLAN where it is added. For instance, if you add port 4 as
an untagged member of a VLAN with a VID of 15, the PVID for port 4 is
automatically changed to 15.
Tagged ports of the new VLAN remain as tagged and untagged members
of their current VLAN assignments. No change is made to a tagged port’s
current VLAN assignments, other than its addition to the new VLAN. This
is because a tagged port can belong to more than one VLAN at a time. For
example, if you add port 6 as a tagged port to a new VLAN, port 6 remains
a member of its other current untagged and tagged VLAN assignments.
If the switch is using 802.1x port-based network access control, a port set
to the authenticator or supplicant role must be changed to the 802.1x none
role before its untagged VLAN assignment can be changed. After the
VLAN assignment is made, the port’s role can be changed back again to
authenticator or supplicant, if necessary.
Examples
The following command uses Syntax 1 to create a port-based VLAN called
Sales with a VID of 3. The VLAN consists of ports 4 to 8 and ports 12 to
16. All ports will be untagged ports in the VLAN:
create vlan=Sales vid=3 ports=4-8,12-16 frame=untagged
The following command uses Syntax 2 to create the same VLAN:
create vlan=Sales vid=3 untaggedports=4-8,12-16
In the following command, Syntax 1 is used to create a tagged VLAN
called Production with a VID of 22. The VLAN consists of two tagged ports,
ports 3 and 6:
create vlan=Production vid=22 ports=3,6 frame=tagged
The following command uses Syntax 2 to create the same VLAN:
create vlan=Production vid=22 taggedports=3,6
You cannot use Syntax 1 to create a tagged VLAN that contains both
untagged and tagged ports. For instance, suppose you wanted to create a
VLAN called Service with a VID of 16 and untagged ports 1, 4, 5-7 and
tagged ports 11 and 12. Creating this VLAN using Syntax 1 would actually
require two commands. You would first need to create the VLAN,
specifying either the untagged or tagged ports. As an example, the
following command creates the VLAN and specifies the untagged ports:
create vlan=Service vid=16 ports=1,4,5-7 frame=untagged
Then, to add the other ports (in this case tagged ports), you would need to
use the ADD VLAN command.
Syntax 2 allows you to create a VLAN of both tagged and untagged ports
all in one command. Here is the command that would create our example:
create vlan=Service vid=16 untaggedports=1,4,5-7 taggedports=11-12
The advantage of Syntax 2 over Syntax 1 is that you can create VLANs
containing both types of ports with one rather than two commands.
DELETE VLAN
Syntax 1
delete vlan=name [vid=vid] ports=ports frame=untagged|tagged
Syntax 2
delete vlan=name [vid=vid] taggedports=ports
untaggedports=ports
Parameters
vlan
Specifies the name of the VLAN to be modified.
vid
Specifies the VID of the VLAN to be modified. This
parameter is optional.
ports
Specifies the ports to be removed from the VLAN.
This parameter must be used with the FRAME
parameter.
frame
Identifies the ports to be removed as tagged or
untagged. This parameter must be used with the
PORT parameter.
taggedports
Specifies the tagged ports to be removed from the
VLAN.
untaggedports
Specifies the untagged ports to be removed from the
VLAN.
Description
This command removes tagged and untagged ports from a port-based or
tagged VLAN.
This command has two syntaxes. You can use either command to delete
ports from a VLAN. The difference between the two is that Syntax 1 can
remove only one type of port, tagged or untagged, at a time from a VLAN,
while Syntax 2 allows you to remove both port types in the same
command. This is illustrated in the Examples section below.
Note
To delete a VLAN, see “DESTROY VLAN” on page 500.
Note
You cannot change a VLAN’s name or VID.
When you remove an untagged port from a VLAN, the following happens:
• The port is returned to the Default_VLAN as an untagged port.
• If the port is also a tagged member of other VLANs, those VLAN
assignments are not changed. The port remains a tagged member of
the other VLANs. For example, if you remove Port 4 from a VLAN, the
port is automatically returned as an untagged port to the Default
VLAN. If Port 4 is functioning as a tagged member in one or more
other VLANs, it remains as a tagged member of those VLANs.
• If you remove an untagged port from the Default_VLAN without
assigning it to another VLAN, the port is excluded as an untagged
member from all VLANs on the switch.
When you remove a tagged port from a VLAN, all of its other tagged and
untagged VLAN assignments remain unchanged.
If the switch is using 802.1x port-based network access control, a port set
to the authenticator or supplicant role must be changed to the 802.1x none
role before its untagged VLAN assignment can be changed. After the
VLAN assignment is made, the port’s role can be changed back again to
authenticator or supplicant, if necessary.
Examples
The following command uses Syntax 1 to delete untagged ports 4 and 7
from a VLAN called Sales:
delete vlan=sales ports=4,7 frame=untagged
The following command does the same thing using Syntax 2:
delete vlan=sales untaggedports=4,7
The following command uses Syntax 1 to delete tagged port 13 from a
VLAN called Production:
delete vlan=production ports=13 frame=tagged
The following command does the same thing using Syntax 2:
delete vlan=production taggedports=13
To delete both tagged and untagged ports from a VLAN using Syntax 1
takes two commands. For example, if you had a VLAN called Service and
you wanted to delete tagged port 2 and untagged ports 6 to 8, the
commands would be:
delete vlan=Service ports=2 frame=tagged
delete vlan=Service ports=6-8 frame=untagged
Using Syntax 2, you can do the whole thing with just one command:
delete vlan=Service untaggedports=6-8 taggedports=2
DESTROY VLAN
Syntax
destroy vlan=name|vid|all
Parameters
vlan
Specifies the name or VID of the VLAN to be deleted.
To delete all VLANs, use the ALL option.
Description
This command deletes port-based, tagged, and MAC address-based
VLANs from a switch. You can use the command to delete selected
VLANs or all the VLANs on the switch. Note the following before using this
command:
- You cannot delete the Default_VLAN.
- You cannot delete a VLAN if it has a routing interface. You must first delete the interface from the VLAN. To delete an interface, refer to “DELETE IP INTERFACE” on page 577.
- All untagged ports in a deleted VLAN are returned to the Default_VLAN as untagged ports.
- Static addresses assigned to the ports of a deleted VLAN become obsolete and should be deleted from the MAC address table. For instructions, refer to “DELETE SWITCH FDB|FILTER” on page 146.
Examples
The following command deletes the Sales VLAN from the switch:
destroy vlan=Sales
The following command deletes the Sales VLAN using both the name and
the VID:
destroy vlan=Sales vid=102
The following command deletes all port-based and tagged VLANs on a
switch:
destroy vlan=all
SET SWITCH INFILTERING
Syntax
set switch infiltering=yes|no|on|off|true|false
Parameters
infiltering
Specifies the operating status of ingress filtering.
The options are:
yes, on, true
Activates ingress filtering. The
options are equivalent. This is the
default.
no, off, false
Deactivates ingress filtering. The
options are equivalent.
Description
This command controls the status of ingress filtering. When ingress filtering is activated, which is the default, tagged frames are filtered when they are received on a port. When ingress filtering is deactivated, tagged frames are filtered before they are transmitted out a port. To view the current setting, use “SHOW SWITCH” on page 64. For further information on ingress filtering, refer to the AT-S63 Management Software Menus Interface User’s Guide.
Example
The following command deactivates ingress filtering:
set switch infiltering=off
SET SWITCH VLANMODE
Syntax
set switch vlanmode=userconfig|dotqmultiple|multiple [uplinkport=port]
Parameters
vlanmode
Controls the switch’s VLAN mode. Options are:
userconfig
This mode allows you to create your own port-based and tagged VLANs. This is the default setting.
dotqmultiple
This option configures the switch for the 802.1Q-compliant multiple VLAN mode.
multiple
This option configures the switch for the non-802.1Q-compliant multiple VLAN mode.
uplinkport
Specifies the port on the switch to function as the uplink port when the switch is operating in one of the two multiple VLAN modes. You can specify only one port.
Description
You use this command to configure the switch for one of the multiple
VLAN modes or so that you can create port-based and tagged VLANs.
If you select one of the multiple VLAN modes, you must also set an uplink
port with the UPLINKPORT parameter. You can specify only one uplink
port.
Note
For background information on the multiple VLAN modes, refer to
Chapter 26, “Multiple VLAN Modes” in the AT-S63 Management
Software Menus Interface User’s Guide.
Examples
The following command configures the switch for the 802.1Q-compliant
multiple VLAN mode and specifies port 4 as the uplink port:
set switch vlanmode=dotqmultiple uplinkport=4
The following command sets the switch so that you can create your own
port-based and tagged VLANs:
set switch vlanmode=userconfig
SET VLAN
Syntax
set vlan=name [vid=vid] type=portbased
Parameter
vlan
Specifies the name of the dynamic GVRP VLAN you
want to convert into a static VLAN. To view VLAN
names, refer to “SHOW VLAN” on page 505.
vid
Specifies the VID of the dynamic VLAN. To view
VIDs, refer to “SHOW VLAN” on page 505. This
parameter is optional.
type
Specifies the type of static VLAN to which the
dynamic VLAN is to be converted. There is only one
option: PORTBASED.
Description
This command converts a dynamic GVRP VLAN into a static tagged
VLAN. You can perform this command to permanently retain the VLANs
the switch learned through GVRP.
Note
This command cannot convert a dynamic GVRP port in a static
VLAN into a static port. For that you must manually modify the static
VLAN, specifying the dynamic port as either a tagged or untagged
member of the VLAN.
Example
This command changes the dynamic VLAN GVRP_VLAN_22 into a static
VLAN:
set vlan=gvrp_vlan_22 type=portbased
SHOW VLAN
Syntax
show vlan[=name|vid]
Parameter
vlan
Specifies the name or VID of the VLAN.
Description
This command displays the VLANs on the switch. An example of the
information displayed by this command for port-based and tagged VLANs
is shown in Figure 43.
VLAN Name ............................ Sales
VLAN ID .............................. 4
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s)
  Configured ......................... 2,8-12
  Actual ............................. 2,8-12
Tagged Port(s) ....................... 24

VLAN Name ............................ Engineering
VLAN ID .............................. 5
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s)
  Configured ......................... 5-7
  Actual ............................. 5-7
Tagged Port(s) ....................... 24
Figure 43. SHOW VLAN Command for Port-based and Tagged VLANs
The information displayed by the command is described here:
- VLAN Name - The name of the VLAN.
- VLAN ID - The ID number assigned to the VLAN.
- VLAN Type - The type of VLAN. This will be Port Based for port-based and tagged VLANs.
- Protected Ports - The status of protected ports. Since port-based and tagged VLANs are not protected ports VLANs, this will be No.
- Untagged Port(s) - The untagged ports of the VLAN. The untagged ports are listed as follows.
  – Configured: The untagged ports assigned to the VLAN when the VLAN was created or modified.
  – Actual: The current untagged ports of the VLAN. If you are not using 802.1x port-based network access control, both the Configured and Actual untagged ports of a VLAN will always be the same.
  If you are using 802.1x and you assigned a guest VLAN to an authenticator port or you associated an 802.1x supplicant to a VLAN on the authentication server, it is possible for ports to be in different VLANs than the virtual LANs where they were originally assigned as untagged ports. In these situations, the Configured and Actual port lists can differ, with the Actual list detailing the ports that are currently functioning as untagged ports of the VLAN. For example, if a particular port is listed as a Configured member of a VLAN, but not as an Actual member, that would mean either the port is currently a part of a Guest VLAN or the supplicant who logged on the port was associated with a VLAN assignment on the authentication server.
- Tagged Port(s) - The tagged ports of the VLAN. A tagged port can belong to more than one VLAN at a time.
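The Configured/Actual split described above is what a membership audit would key on. The following Python is an added example, not code from the AT-S63 guide or from Allied Telesyn: it parses SHOW VLAN output in the Figure 43 layout (the sample it embeds is constructed, not a switch capture) and reports ports whose Actual untagged membership differs from Configured, plus ports that are a member of no VLAN at all. The 24-port count passed to the last function is an assumption.

```python
"""Audit AT-S63 SHOW VLAN output: untagged-port drift and ports in no VLAN.

Added example; not part of the AT-S63 guide or Allied Telesyn's software.
SAMPLE_SHOW_VLAN is constructed in the Figure 43 layout, not a switch capture.
"""
import re

# Constructed sample: port 10 is Configured in Sales but Actual in Guest, the
# situation the guide attributes to an 802.1x guest VLAN or to a VLAN assignment
# from the authentication server. Port 23 belongs to no VLAN at all.
SAMPLE_SHOW_VLAN = """\
VLAN Name ............................ Default_VLAN
VLAN ID .............................. 1
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s)
  Configured ......................... 1,3-7,13-22
  Actual ............................. 1,3-7,13-22
Tagged Port(s) .......................

VLAN Name ............................ Sales
VLAN ID .............................. 4
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s)
  Configured ......................... 2,8-12
  Actual ............................. 2,8-9,11-12
Tagged Port(s) ....................... 24

VLAN Name ............................ Guest
VLAN ID .............................. 99
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s)
  Configured .........................
  Actual ............................. 10
Tagged Port(s) .......................
"""

# "<label> ....... <value>": a label, a run of dots, then an optional value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?)\s*\.{2,}\s*(.*?)\s*$")


def parse_ports(spec):
    """Expand a port list in the guide's notation, e.g. '1, 5, 14-22', to a set."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue  # empty value: the VLAN has no ports of this kind
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def parse_show_vlan(text):
    """Return one dict per VLAN block: name, vid, configured, actual, tagged."""
    vlans, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank lines and the bare "Untagged Port(s)" header
        key, value = m.group(1), m.group(2)
        if key == "VLAN Name":
            cur = {"name": value, "vid": None, "configured": set(), "actual": set(), "tagged": set()}
            vlans.append(cur)
        elif cur is None:
            continue
        elif key == "VLAN ID":
            cur["vid"] = int(value)
        elif key == "Configured":
            cur["configured"] = parse_ports(value)
        elif key == "Actual":
            cur["actual"] = parse_ports(value)
        elif key == "Untagged Port(s)":
            # Multiple VLAN mode layout (Figure 44): one untagged line, no split.
            cur["configured"] = cur["actual"] = parse_ports(value)
        elif key == "Tagged Port(s)":
            cur["tagged"] = parse_ports(value)
    return vlans


def untagged_drift(vlans):
    """Map VLAN name -> (ports Configured but not Actual, ports Actual but not
    Configured) for every VLAN whose two untagged lists differ."""
    drift = {}
    for v in vlans:
        missing = sorted(v["configured"] - v["actual"])
        extra = sorted(v["actual"] - v["configured"])
        if missing or extra:
            drift[v["name"]] = (missing, extra)
    return drift


def orphan_ports(vlans, port_count):
    """Ports 1..port_count that are neither an Actual untagged nor a tagged member
    of any VLAN (the state left by removing a port from Default_VLAN only)."""
    members = set().union(*(v["actual"] | v["tagged"] for v in vlans))
    return sorted(set(range(1, port_count + 1)) - members)
```

Run it against the real output of `show vlan` after an 802.1x authentication to see which ports the authentication server or guest VLAN has moved.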
An example of the information displayed by this command for the 802.1Q-compliant multiple VLAN mode is shown in Figure 44.
VLAN Mode: Pre Configured (802.1Q Multiple VLANs)
VLAN Information:
VLAN Name ............................ Client_VLAN_1
VLAN ID .............................. 1
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s) ..................... 1
Tagged Port(s) ....................... 23

VLAN Name ............................ Client_VLAN_2
VLAN ID .............................. 2
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s) ..................... 2
Tagged Port(s) ....................... 23

VLAN Name ............................ Client_VLAN_3
VLAN ID .............................. 3
VLAN Type ............................ Port Based
Protected Ports ...................... No
Untagged Port(s) ..................... 3
Tagged Port(s) ....................... 23
Figure 44. SHOW VLAN Command for the 802.1Q-compliant Multiple VLAN Mode
The information displayed by the command is described here:
- VLAN Name - The name of the VLAN. The name is Client_VLAN followed by the port number.
- VLAN ID - The ID number assigned to the VLAN.
- VLAN Type - The type of VLAN. This will be Port Based for the VLANs of a multiple VLAN mode.
- Protected Ports - The status of protected ports. Since the VLANs of a multiple VLAN mode are not protected ports VLANs, this will be No.
- Untagged Port(s) - The untagged port of the VLAN.
- Tagged Port(s) - The tagged port that is functioning as the uplink port for the VLANs.
For an example of the information displayed by this command for a
protected ports VLAN, see Figure 45 on page 531. For an example of a
MAC address-based VLAN, see Figure 46 on page 541.
Examples
The following command displays all the VLANs on the switch:
show vlan
The following command displays information on just the Sales VLAN:
show vlan=sales
The following command displays information for the VLAN with the VID of
22:
show vlan=22
Chapter 29
GARP VLAN Registration Protocol
Commands
This chapter contains the following commands:
- “DISABLE GARP” on page 510
- “ENABLE GARP” on page 511
- “PURGE GARP” on page 512
- “SET GARP PORT” on page 513
- “SET GARP TIMER” on page 514
- “SHOW GARP” on page 516
- “SHOW GARP COUNTER” on page 517
- “SHOW GARP DATABASE” on page 519
- “SHOW GARP GIP” on page 520
- “SHOW GARP MACHINE” on page 521
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 25,
“GARP VLAN Registration Protocol” in the AT-S63 Management
Software Menus Interface User’s Guide.
DISABLE GARP
Syntax
disable garp=gvrp [gip]
Parameters
garp
Specifies the GARP application to be disabled. GVRP
is the only GARP application supported by the
AT-9400 Series switches.
gip
Disables GARP Information Propagation (GIP).
Note
The online help for this command contains an STP option. The
option is not supported.
Description
This command disables GVRP on the switch. Once GVRP is disabled, the switch will not learn any new dynamic GVRP VLANs or dynamic GVRP ports.
You can also use this command to disable GIP.
Note
Do not disable GIP if the switch is running GVRP. GIP is required for
proper GVRP operation.
Examples
The following command disables GVRP on the switch:
disable garp=gvrp
The following command disables GIP only:
disable garp=gvrp gip
ENABLE GARP
Syntax
enable garp=gvrp [gip]
Parameters
garp
Specifies the GARP application to be activated.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
gip
Enables GARP Information Propagation (GIP).
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command enables GVRP on the switch. Once GVRP is enabled, the switch will learn dynamic GVRP VLANs and dynamic GVRP ports.
You can also use this command to enable GIP. GIP must be enabled for GVRP to operate properly.
Examples
The following command enables GVRP on the switch:
enable garp=gvrp
The following command enables GIP only:
enable garp=gvrp gip
PURGE GARP
Syntax
purge garp=gvrp
Parameter
garp
Specifies the GARP application to be reset. GVRP is
the only GARP application supported by the AT-9400
Series switches.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command disables GVRP and returns all GVRP parameters to their
default settings. All GVRP-related statistics counters are returned to zero.
Example
The following command disables GVRP and returns all GVRP parameters
to their default values:
purge garp=gvrp
SET GARP PORT
Syntax
set garp=gvrp port=port mode=normal|none
Parameters
garp
Specifies the GARP application to be configured.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
port
Specifies the port to be configured. You can specify
more than one port at a time.
mode
Specifies the GVRP mode of the port. Modes are:
normal
The port participates in GVRP. The port
processes GVRP information and
transmits PDUs. This is the default.
none
The port does not participate in GVRP.
The port does not process GVRP
information nor transmit PDUs.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command sets a port’s GVRP status. Set a port’s mode to Normal if it is to learn remote VLANs and transmit PDUs. Set its mode to None if it is not to participate in GVRP.
Examples
The following command prevents ports 1 to 4 from participating in GVRP:
set garp=gvrp port=1-4 mode=none
The following command activates GVRP on port 3:
set garp=gvrp port=3 mode=normal
SET GARP TIMER
Syntax
set garp=gvrp timer [default] [jointime=value] [leavetime=value] [leavealltime=value]
Parameters
garp
Specifies the GARP application to be configured.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
default
Returns the GARP timers to their default settings.
jointime
Specifies the Join Timer in centiseconds (hundredths of a second). The default is 20 centiseconds.
If you change this timer, it must be set in relation to the GVRP Leave Timer according to the following equation:
Join Timer <= (2 x (GVRP Leave Timer))
leavetime
Specifies the Leave Timer in centiseconds (hundredths of a second). The default is 60 centiseconds.
leavealltime
Specifies the LeaveAll Timer in centiseconds. The default is 1000 centiseconds.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command sets the GARP timers.
Note
The settings for these timers must be the same on all GVRP-active
network devices.
Examples
The following command sets the Join Period timer to 0.1 second, Leave
Period timer to 0.35 seconds, and the LeaveAllPeriod timer to 11 seconds
for all GVRP applications:
set garp=gvrp timer jointime=10 leavetime=35 leavealltime=1100
The following command sets the timers to their default values:
set garp=gvrp timer default
SHOW GARP
Syntax
show garp=gvrp
Parameter
garp
Specifies the GARP application to display. GVRP is
the only GARP application supported by the AT-9400
Series switches.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command displays current values for the following GARP application parameters:
- GARP application protocol
- GVRP status
- GVRP GIP status
- GVRP Join Time
- GVRP Leave Time
- GVRP Leaveall Time
- Port information
- Mode
Example
The following command displays GVRP information:
show garp=gvrp
SHOW GARP COUNTER
Syntax
show garp=gvrp counter
Parameter
garp
Specifies the GARP application to be displayed.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command displays the current values for the following GARP packet and message counters:
- GARP application
- Receive: Total GARP Packets
- Transmit: Total GARP Packets
- Receive: Invalid GARP Packets
- Receive Discarded: GARP Disabled
- Receive Discarded: Port Not Listening
- Transmit Discarded: Port Not Sending
- Receive Discarded: Invalid Port
- Receive Discarded: Invalid Protocol
- Receive Discarded: Invalid Format
- Receive Discarded: Database Full
- Receive GARP Messages: LeaveAll
- Transmit GARP Messages: LeaveAll
- Receive GARP Messages: JoinEmpty
- Transmit GARP Messages: JoinEmpty
- Receive GARP Messages: JoinIn
- Transmit GARP Messages: JoinIn
- Receive GARP Messages: LeaveEmpty
- Transmit GARP Messages: LeaveEmpty
- Receive GARP Messages: LeaveIn
- Transmit GARP Messages: LeaveIn
- Receive GARP Messages: Empty
- Transmit GARP Messages: Empty
- Receive GARP Messages: Bad Message
- Receive GARP Messages: Bad Attribute
Example
The following command displays information for all GARP application
counters:
show garp=gvrp counter
SHOW GARP DATABASE
Syntax
show garp=gvrp db|database
Parameters
garp
Specifies the GARP application to be displayed.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command displays the following parameters for the internal database for the GARP application. Each attribute is represented by a GID index within the GARP application.
- GARP Application
- GID Index
- Attribute
- Used
Example
The following command displays the database for all GARP applications:
show garp=gvrp database
SHOW GARP GIP
Syntax
show garp=gvrp gip
Parameter
garp
Specifies the GARP application to be displayed.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command displays the following parameters for the GIP-connected ring for the GARP application:
- GARP Application
- GIP contact
- STP ID
Example
The following command displays the GIP-connected ring for all GARP
applications:
show garp=gvrp gip
SHOW GARP MACHINE
Syntax
show garp=gvrp machine
Parameter
garp
Specifies the GARP application to be displayed.
GVRP is the only GARP application supported by the
AT-9400 Series switches.
Note
The online help for this command contains an STP option. This
option is not supported.
Description
This command displays the following parameters for the GID state machines for the GARP application. The output is shown on a per-GID index basis; each attribute is represented by a GID index within the GARP application.
- VLAN
- Port
- App
- Reg
Example
The following command displays GID state machines for all GARP
applications:
show garp=gvrp machine
Chapter 30
Protected Ports VLAN Commands
This chapter contains the following commands:
- “ADD VLAN GROUP” on page 524
- “CREATE VLAN PORTPROTECTED” on page 526
- “DELETE VLAN” on page 527
- “DESTROY VLAN” on page 529
- “SET VLAN” on page 530
- “SHOW VLAN” on page 531
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 27,
“Protected Ports VLANs” in the AT-S63 Management Software
Menus Interface User’s Guide.
ADD VLAN GROUP
Syntax 1
add vlan=name|vid ports=ports frame=tagged|untagged group=uplink|1..256
Syntax 2
add vlan=name|vid [taggedports=ports] [untaggedports=ports] group=uplink|1..256
Parameters
vlan
Specifies the name or VID of the protected ports
VLAN where ports are to be added. You can identify
the VLAN by either its name or VID.
ports
Specifies the uplink port(s) or the ports of a group.
You can specify the ports individually (for example, 5,
7, 22), as a range (for example, 18-22), or both (for
example, 1, 5, 14-22). This parameter must be used
with the FRAME parameter.
frame
Identifies the new ports as either tagged or untagged.
This parameter must be used with the PORTS
parameter.
taggedports
Specifies the tagged ports to be added to the VLAN.
untaggedports
Specifies the untagged ports to be added to the
VLAN.
group
Specifies that the port(s) being added is an uplink
port or belongs to a new group. If the port(s) being
added is an uplink port, specify the UPLINK option.
Otherwise, specify the group number for the port. The
group range is 1 to 256. The number must be unique
for each group on the switch.
Description
These commands perform two functions. One is to specify the uplink port
of a protected ports VLAN. The other function is to add ports to groups
within a VLAN.
Note the following before using this command:
- You must first create the protected ports VLAN by giving it a name and a VID before you can add ports. Creating a VLAN is accomplished with “CREATE VLAN PORTPROTECTED” on page 526.
- Both command syntaxes perform the same function. The difference is that with Syntax 1 you can add ports of only one type, tagged or untagged, at a time. With Syntax 2, you can add both at the same time.
- If you are adding an untagged port to a group, the port cannot be an untagged member of another protected ports VLAN. It must be an untagged member of the Default_VLAN or a port-based or tagged VLAN. To remove a port from a protected ports VLAN, use “DELETE VLAN” on page 527.
- You cannot add a new uplink port to a VLAN if the VLAN has already been assigned an uplink port. Instead, you must delete the existing uplink port(s) using “DELETE VLAN” on page 527 and then re-add the uplink port(s) using this command.
- You cannot add ports to an existing group. To modify an existing group, you must delete the group by removing all ports from it, using “DELETE VLAN” on page 527, and then add the ports back to the group using this command.
Examples
The following command uses Syntax 1 to specify that port 11 is to be an
untagged uplink port for the protected ports VLAN called InternetGroups:
add vlan=InternetGroups ports=11 frame=untagged group=uplink
The following command accomplishes the same thing using Syntax 2:
add vlan=InternetGroups untaggedports=11 group=uplink
The following command uses Syntax 1 to create group 4 in the
InternetGroups VLAN. The group will consist of two untagged ports, 5 and
6:
add vlan=InternetGroups ports=5,6 frame=untagged group=4
The following command does the same thing using Syntax 2:
add vlan=InternetGroups untaggedports=5,6 group=4
CREATE VLAN PORTPROTECTED
Syntax
create vlan=name vid=vid portprotected
Parameters
vlan
Specifies the name of the new protected ports VLAN.
The name can be from one to fifteen alphanumeric
characters in length. The name should reflect the
function of the nodes that will be a part of the
protected ports VLAN (for example, InternetGroups).
The name cannot contain spaces or special
characters, such as an asterisk (*) or exclamation
point (!).
vid
Specifies a VID for the new protected ports VLAN.
The range is 2 to 4094. This number must be unique
from the VIDs of all other tagged, untagged, and port
protected VLANs on the switch.
Description
This command is the first step to creating a protected ports VLAN. This
command assigns a name and VID to the VLAN. The second step is to
specify an uplink port and the port groups using “ADD VLAN GROUP” on
page 524.
Examples
The following command creates a protected ports VLAN called
InternetGroups and assigns it a VID of 12:
create vlan=InternetGroups vid=12 portprotected
DELETE VLAN
Syntax 1
delete vlan=name|vid ports=ports frame=tagged|untagged
Syntax 2
delete vlan=name|vid [taggedports=ports] [untaggedports=ports]
Parameters
vlan
Specifies the name or VID of the VLAN to be
modified. You can specify the VLAN by its name or
VID.
ports
Specifies the ports to be removed from the VLAN. You can specify more than one port at a time. This parameter must be used with the FRAME parameter.
frame
Identifies the ports to be removed as tagged or untagged. This parameter must be used with the PORTS parameter.
taggedports
Specifies the tagged ports to be removed from the
VLAN.
untaggedports
Specifies the untagged ports to be removed from the
VLAN.
Description
This command removes ports from a protected ports VLAN. You can use
this command to remove an uplink port or a port from a group.
Note the following before using this command:
- Both command syntaxes perform the same function. The difference is that with Syntax 1 you can delete ports of only one type, tagged or untagged, at a time. With Syntax 2, you can delete both types at the same time.
- Deleting all ports from a group deletes the group from the VLAN.
- Deleted untagged ports are returned to the Default_VLAN as untagged.
- You can delete ports from only one group at a time.
Examples
The following command uses Syntax 1 to delete untagged port 12 from the
InternetGroups VLAN:
delete vlan=InternetGroups ports=12 frame=untagged
The following command accomplishes the same thing using Syntax 2:
delete vlan=InternetGroups untaggedports=12
DESTROY VLAN
Syntax
destroy vlan=name|vid|all
Parameters
vlan
Specifies the name or VID of the VLAN to be
destroyed. To delete all tagged, port-based, and
protected ports VLANs on the switch, use the ALL
option.
Description
This command deletes VLANs from the switch. You can use this command
to delete tagged, port-based, and protected port VLANs. All untagged
ports in a deleted VLAN are automatically returned to the Default_VLAN.
You cannot delete the Default_VLAN.
Example
The following command deletes the VLAN called InternetGroups:
destroy vlan=InternetGroups
The following command deletes all VLANs:
destroy vlan=all
SET VLAN
Syntax
set vlan=name|vid port=ports frame=tagged|untagged
Parameters
vlan
Specifies the name or VID of the VLAN to be
modified.
ports
Specifies the port whose VLAN type is to be changed.
You can specify more than one port at a time. You
can specify the ports individually (for example, 5, 7,
22), as a range (for example, 18-22), or both (for
example, 1, 5, 14-22).
frame
Identifies the new VLAN type for the port. The type
can be tagged or untagged.
Description
This command changes a port’s VLAN type. You can use this command to
change a tagged port to untagged and vice versa.
Before using this command, note the following:
- Changing a port in a port-based, tagged, or protected ports VLAN from untagged to tagged adds the port to the Default_VLAN as untagged.
- Changing a port in the Default_VLAN from untagged to tagged results in the port being an untagged member of no VLAN.
- Changing a port from tagged to untagged removes the port from its current untagged port assignment.
Examples
The following command changes port 4 in the Sales VLAN from tagged to
untagged:
set vlan=Sales port=4 frame=untagged
SHOW VLAN
Syntax
show vlan[=name|vid]
Parameter
vlan
Specifies the name or VID of the VLAN you want to
view. Omitting this displays all VLANs.
Description
This command displays information about the VLANs on the switch. An
example of the information displayed by this command for a protected
ports VLAN is shown in Figure 45.
VLAN Name ............................ Phone_staff_2
VLAN ID .............................. 12
VLAN Type ............................ Protected
Protected Ports ...................... Yes
Uplink Port(s) ....................... 23
Group (ports) ........................ 1(14)
Group (ports) ........................ 2(15)
Group (ports) ........................ 3(16-17)
Group (ports) ........................ 4(18-19)
Group (ports) ........................ 5(20)
Untagged Port(s) ..................... 14-20
Tagged Port(s) ....................... 23
Figure 45. SHOW VLAN Command for a Protected Ports VLAN
The information displayed by this command is described here:
- VLAN Name - The name of the VLAN.
- VLAN ID - The ID number assigned to the VLAN.
- VLAN Type - The type of VLAN. This will be Protected for a protected ports VLAN.
- Protected Ports - The status of protected ports. This will be Yes for a protected ports VLAN.
- Uplink Port(s) - The port that is functioning as the uplink port for the groups of the VLAN. There can be more than one uplink port.
- Group (ports) - The group number followed by the ports of the group.
- Untagged Port(s) - The untagged ports of the VLAN.
- Tagged Port(s) - The tagged ports of the VLAN.
For an example of the information displayed by this command for a port-based or tagged VLAN, see Figure 43 on page 505. For an example of a MAC address-based VLAN, see Figure 46 on page 541.
Examples
The following command displays all the VLANs on the switch:
show vlan
The following command displays the Sales VLAN:
show vlan=Sales
Chapter 31
MAC Address-based VLAN Commands
This chapter contains the following commands:
- “ADD VLAN MACADDRESS” on page 534
- “ADD VLAN PORT MACADDRESS” on page 535
- “CREATE VLAN TYPE=MACADDRESS” on page 536
- “DELETE VLAN MACADDRESS” on page 538
- “DELETE VLAN PORT MACADDRESS” on page 539
- “DESTROY VLAN” on page 540
- “SHOW VLAN” on page 541
Note
Remember to use the SAVE CONFIGURATION command to save
your changes on the switch.
Note
This feature is not supported on the AT-9408LC/SP, AT-9424T/GB,
and AT-9424T/SP switches. For background information, refer to
Chapter 28, “MAC Address-based VLANs” in the AT-S63
Management Software Menus Interface User’s Guide.
ADD VLAN MACADDRESS
Syntax
add vlan=name|vid macaddress|destaddress=mac-address
Parameters
vlan
Specifies the name or VID of the VLAN to be modified.
macaddress or
destaddress
Specifies the MAC address to add to the VLAN. These
parameters are equivalent. A MAC address can be
entered in either of the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
Description
This command adds a MAC address to a MAC address-based VLAN. You
can add only one address at a time with this command. The command
does not accept ranges or wildcards.
The VLAN must already exist. To create a MAC address-based VLAN,
see “CREATE VLAN TYPE=MACADDRESS” on page 536. After you add
a MAC address to a VLAN, you can assign it one or more egress ports
using “ADD VLAN PORT MACADDRESS” on page 535.
Examples
The following command adds the MAC address 00:30:84:32:8A:5D to the
Sales VLAN:
add vlan=sales macaddress=00:30:84:32:8a:5d
The following command adds the MAC address 00:30:84:32:76:1A to the
VLAN with the VID 12:
add vlan=12 macaddress=00308432761a
AT-S63 Management Software Command Line Interface User’s Guide
ADD VLAN PORT MACADDRESS
Syntax
add vlan=name|vid port=ports macaddress|destaddress=mac-address
Parameters
vlan
Specifies the name or VID of the VLAN to be modified.
port
Specifies the egress port(s) to assign to the MAC
address. You can specify more than one egress port.
macaddress or
destaddress
Specifies the MAC address to be assigned the egress
port(s). The MAC address can be entered in either of
the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
Description
This command assigns egress ports to a MAC address in a MAC address-based VLAN. The MAC address must already be in the VLAN before you can assign it egress ports. To assign a MAC address to a VLAN, refer to “ADD VLAN MACADDRESS” on page 534.
Examples
The following command assigns ports 1 and 4 as egress ports for the MAC
address 00:30:84:32:8A:5D in the Sales VLAN:
add vlan=sales port=1,4 macaddress=00:30:84:32:8a:5d
The following command assigns ports 11 to 14 as egress ports for the MAC address 00:30:84:75:11:B2 in the VLAN with the VID 24:
add vlan=24 port=11-14 macaddress=00:30:84:75:11:b2
CREATE VLAN TYPE=MACADDRESS
Syntax
create vlan=name vid=vid type=macaddress
Parameters
vlan
Specifies the name of the VLAN. You must assign a
name to a VLAN.
The name can be from 1 to 20 characters in length
and should reflect the function of the nodes that will
be a part of the VLAN (for example, Sales or
Accounting). The name cannot contain spaces or
special characters, such as asterisks (*) or
exclamation points (!).
The name cannot be the same as the name of an
existing VLAN on the switch.
If the VLAN is unique in your network, then the
name needs to be unique as well. If the VLAN spans
multiple switches, then the name for the VLAN
should be the same on each switch.
vid
Specifies the VLAN identifier. The range is 2 to
4094. The VLAN must be assigned a VID.
You cannot use the VID 1, which is reserved for the
Default_VLAN.
The VID cannot be the same as the VID of an
existing VLAN on the switch.
If this VLAN is unique in your network, then its VID
should also be unique. If this VLAN is part of a
larger VLAN that spans multiple switches, then the
VID value for the VLAN should be the same on each
switch. For example, if you are creating a VLAN
called Sales that spans three switches, assign the
Sales VLAN on each switch the same VID value.
type
Specifies the type of VLAN. To create a MAC
address-based VLAN, the type must be
MACADDRESS.
Description
This command is the first in the series of commands for creating a MAC address-based VLAN. It assigns the VLAN a name and a VID and sets the VLAN type. After you have created the VLAN with this command, you must assign the MAC addresses. These are the source addresses of the nodes that are to belong to the VLAN. The command for adding MAC addresses to a VLAN is “ADD VLAN MACADDRESS” on page 534.
The final step in creating a new MAC address-based VLAN is assigning the egress ports to the MAC addresses. The command for this is “ADD VLAN PORT MACADDRESS” on page 535.
Because membership in the VLAN is decided by the source MAC address of each frame, and a host can set its MAC address to any value it likes, a MAC address-based VLAN groups traffic for convenience. It does not authenticate the nodes and should not be relied on by itself to keep untrusted hosts apart.
Examples
The following command creates a MAC address-based VLAN called Sales
and assigns it a VID of 3:
create vlan=Sales vid=3 type=macaddress
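The three-step sequence above (create the VLAN, add each MAC address, then give each address its egress ports) has an ordering dependency that is easy to get wrong when many entries are scripted, and the teardown has the reverse dependency. The following Python script is an added example, not code from the AT-S63 guide or from Allied Telesyn. It emits the command batch in the required order, accepts both MAC address formats the commands take, validates the name and VID rules stated for CREATE VLAN, and produces the reverse sequence for removing the VLAN. The VLAN-name character rule it enforces (letters, digits and underscore, as in Default_VLAN) is an assumption drawn from the examples on this page.

```python
import re

# Added example, not from the AT-S63 guide: emits the AT-S63 command sequence for a
# MAC address-based VLAN in dependency order and applies the rules this chapter states.
# Assumption: a VLAN name may contain letters, digits and underscore (as in Default_VLAN).

MAC_COLON = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
MAC_PLAIN = re.compile(r"^[0-9a-f]{12}$")
NAME_OK = re.compile(r"^[A-Za-z0-9_]{1,20}$")


def normalize_mac(mac: str) -> str:
    """Accept xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx; return the colon form in lower case."""
    m = mac.strip().lower()
    if MAC_PLAIN.match(m):
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not MAC_COLON.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def expand_ports(spec: str) -> list:
    """Expand the CLI port syntax ("1,4", "11-14" or "1,4,11-14") into a sorted list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo < 1 or hi < lo:
            raise ValueError(f"bad port specification: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def compact_ports(ports: list) -> str:
    """Inverse of expand_ports: [1, 4, 11, 12, 13, 14] -> "1,4,11-14"."""
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def _members(members: dict) -> dict:
    """Normalise {mac: port spec} and refuse the same MAC given twice in different formats."""
    out = {}
    for mac, spec in members.items():
        key = normalize_mac(mac)
        if key in out:
            raise ValueError(f"MAC address {key} listed twice")
        out[key] = compact_ports(expand_ports(spec))
    return out


def build_mac_vlan(name: str, vid: int, members: dict) -> list:
    """CREATE VLAN, then ADD VLAN MACADDRESS for every address, then ADD VLAN PORT
    MACADDRESS; the switch rejects egress ports for an address not yet in the VLAN."""
    if not NAME_OK.match(name):
        raise ValueError("VLAN name must be 1-20 characters, no spaces or special characters")
    if not 2 <= vid <= 4094:
        raise ValueError("VID must be 2-4094; VID 1 is reserved for the Default_VLAN")
    assigned = _members(members)
    cmds = [f"create vlan={name} vid={vid} type=macaddress"]
    cmds += [f"add vlan={name} macaddress={mac}" for mac in assigned]
    cmds += [f"add vlan={name} port={ports} macaddress={mac}" for mac, ports in assigned.items()]
    cmds.append("save configuration")
    return cmds


def teardown_mac_vlan(name: str, members: dict) -> list:
    """The reverse order: an address still holding egress ports cannot be deleted."""
    assigned = _members(members)
    cmds = [f"delete vlan={name} port={ports} macaddress={mac}" for mac, ports in assigned.items()]
    cmds += [f"delete vlan={name} macaddress={mac}" for mac in assigned]
    cmds += [f"destroy vlan vlan={name}", "save configuration"]
    return cmds


if __name__ == "__main__":
    # Constructed sample: the two addresses used in this chapter's examples.
    sales = {"00:30:84:32:8A:5D": "1,4", "00308432761a": "11-14"}
    print("\n".join(build_mac_vlan("Sales", 3, sales)))
```

Feed the output to the switch one line at a time; because every ADD VLAN MACADDRESS precedes every ADD VLAN PORT MACADDRESS, a failure part-way through leaves addresses without ports rather than a port assignment the switch has refused.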
DELETE VLAN MACADDRESS
Syntax
delete vlan=name|vid macaddress|destaddress=mac-address
Parameters
vlan
Specifies the name or VID of the VLAN to be
modified.
macaddress or
destaddress
Specifies the MAC address to be removed from the
VLAN. These parameters are equivalent. You can
remove only one MAC address at a time. A MAC
address can be entered in either of the following
formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
Description
This command removes a MAC address from a MAC address-based VLAN. You can remove only one MAC address at a time with this command.
You cannot remove a MAC address that still has egress ports assigned to it. Remove the ports from the MAC address first, using “DELETE VLAN PORT MACADDRESS” on page 539, and then delete the address.
Examples
The following command removes the MAC address 00:30:84:32:8A:5D
from the Sales VLAN:
delete vlan=Sales macaddress=00:30:84:32:8A:5D
The following command removes the MAC address 00:30:84:75:11:B2
from the VLAN with the VID 24:
delete vlan=24 macaddress=0030847511b2
DELETE VLAN PORT MACADDRESS
Syntax
delete vlan=name|vid port=ports macaddress=mac-address
Parameters
vlan
Specifies the name or VID of the VLAN to be
modified.
port
Specifies the egress port(s) to be removed from the MAC address. You can remove more than one egress port at a time.
macaddress
Specifies a MAC address to which the port is
assigned. A MAC address can be entered in either of
the following formats:
xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx
Description
This command removes egress ports from a MAC address in a MAC address-based VLAN. You might remove an egress port from a MAC address if you no longer want the port to be a part of the VLAN for that address. A MAC address that still has egress ports cannot be deleted from the VLAN, so remove its ports with this command before using “DELETE VLAN MACADDRESS” on page 538.
Examples
The following command removes port 4 from the MAC address
00:30:84:32:8A:5D in the Sales VLAN:
delete vlan=Sales port=4 macaddress=00:30:84:32:8A:5D
The following command removes ports 11 to 14 from the MAC address
00:30:84:75:11:B2 in the VLAN with the VID 24:
delete vlan=24 port=11-14 macaddress=0030847511b2
DESTROY VLAN
Syntax
destroy vlan vlan=name|all [vid=vid]
Parameters
vlan
Specifies the name of the VLAN to be deleted. To
delete all VLANs, use the ALL option.
vid
Specifies the VID of the VLAN to be deleted. This
parameter is optional.
Description
This command deletes port-based, tagged, and MAC address-based VLANs. You can use the command to delete selected VLANs or to delete all VLANs, with the exception of the Default_VLAN.
Examples
The following command deletes the Sales VLAN from the switch:
destroy vlan vlan=Sales
The following command deletes the Sales VLAN using both the name and
the VID:
destroy vlan vlan=Sales vid=102
The following command deletes all VLANs on the switch, except the Default_VLAN:
destroy vlan=all
SHOW VLAN
Syntax
show vlan[=name|vid]
Parameter
vlan
Specifies the name or VID of the VLAN.
Description
This command displays the VLANs on the switch. An example of the
information displayed by this command for a MAC address-based VLAN is
shown in Figure 46.
VLAN Name ............................ Sales
VLAN ID .............................. 4
VLAN Type ............................ MAC Based
Protected Ports ...................... No
Untagged Port(s) ..................... None
Tagged Port(s) ....................... None

MAC Associations:
Total number of associated MAC addresses: 5
-------------------------------------------------
MAC Address             Ports
-------------------------------------------------
00:06:5B:44:44:44       4-8
00:06:5B:55:55:55       4
00:06:5B:66:66:66       4
00:06:5B:77:77:77       4
00:06:5B:88:88:88       4
-------------------------------------------------
Figure 46. SHOW VLAN Command for a MAC Address-based VLAN
The information displayed by the command is described here:
- VLAN name - The name of the VLAN.
- VLAN ID - The ID number assigned to the VLAN.
- VLAN Type - The type of VLAN. This will be MAC Based for a MAC address-based VLAN.
- Protected Ports - The status of protected ports. This will be No for a MAC address-based VLAN.
- Untagged port(s) - The untagged ports of the VLAN. This will be None for a MAC address-based VLAN.
- Tagged port(s) - The tagged ports of the VLAN. This will be None for a MAC address-based VLAN.
- MAC Address / Ports - The MAC addresses of the VLAN and the egress ports assigned to each.
For an example of the information displayed by this command for a port-based or tagged VLAN, see Figure 43 on page 505. For an example of a protected ports VLAN, see Figure 45 on page 531.
Examples
The following command displays all the VLANs on the switch:
show vlan
The following command displays information on only the Sales VLAN:
show vlan=sales
The following command displays information on the VLAN with the VID of 22:
show vlan=22
Section VII
Internet Protocol Routing
The chapter in this section contains the overview and commands for
Internet Protocol version 4 (IPv4) routing with routing interfaces, static
routes, and RIP versions 1 and 2. The chapter is:
- Chapter 32, “Internet Protocol Version 4 Packet Routing” on page 545
Chapter 32
Internet Protocol Version 4 Packet
Routing
This chapter contains the overview and commands for Internet Protocol
version 4 (IPv4) packet routing on the AT-9400 Series switch. The chapter
covers routing interfaces, static routes, and the Routing Information
Protocol (RIP) versions 1 and 2. The sections in the chapter include:
- “Internet Protocol Version 4 Packet Routing Overview” on page 546
- “ADD IP ARP” on page 568
- “ADD IP INTERFACE” on page 570
- “ADD IP RIP” on page 572
- “ADD IP ROUTE” on page 574
- “DELETE IP ARP” on page 576
- “DELETE IP INTERFACE” on page 577
- “DELETE IP RIP” on page 578
- “DELETE IP ROUTE” on page 579
- “PURGE IP” on page 580
- “SET IP ARP” on page 581
- “SET IP ARP TIMEOUT” on page 582
- “SET IP INTERFACE” on page 583
- “SET IP LOCAL INTERFACE” on page 585
- “SET IP RIP” on page 586
- “SET IP ROUTE” on page 588
- “SHOW IP ARP” on page 590
- “SHOW IP COUNTER” on page 592
- “SHOW IP INTERFACE” on page 594
- “SHOW IP RIP COUNTER” on page 596
- “SHOW IP RIP INTERFACE” on page 598
- “SHOW IP ROUTE” on page 600
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Internet Protocol Version 4 Packet Routing Overview
This section contains an overview of the IPv4 routing feature on the
AT-9400 Series switch. It begins with an explanation of the following
available routing methods:
- Routing interfaces
- Static routes
- RIP versions 1 and 2
A routing interface is a logical connection to a local network or subnet for
the purpose of routing IPv4 packets. Interfaces route packets between the
local networks and subnets directly connected to the switch and are
independent of static routes and RIP. In some limited network topologies
where there are no remote networks or subnets, you may be able to meet
the routing requirements of the IPv4 packets on your network with just
routing interfaces. This feature is explained in “Routing Interfaces” on
page 547.
In order for the switch to route packets to a remote destination (i.e., a network or subnet not directly connected to the switch), there must be a route to the destination on the switch. A route consists of the IP address of the remote destination and the IP address of the next hop used to reach the destination.
One method for specifying a route to a remote destination is to enter it
manually. This type of route is referred to as a static route. A static route
contains the IP addresses of the remote destination and the next hop. You
can also create a static route for packets with an unknown destination
network or subnet. This type of route is referred to as a default route. For
background information on static routes and the default route, refer to
“Static Routes” on page 550.
A switch can automatically learn routes to remote destinations with the
Routing Information Protocol (RIP). This protocol allows the routers of a
network to automatically share their routes by broadcasting their routing
tables to each other. The AT-9400 Series switch supports versions 1 and
2 of this routing protocol. This feature is explained in “Routing Information
Protocol (RIP)” on page 552.
This overview also contains an explanation of the role played by interfaces
with some of the management features of the switch, and how those
features are dependent on there being at least one interface on the switch.
A few examples of these management functions include uploading and
downloading files to the switch using a TFTP server and the enhanced
stacking feature. For information, refer to “Routing Interfaces and
Management Features” on page 557.
At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example” on page 562 and “Non-routing Command Example” on page 566.
In the following discussions, unless stated otherwise the term “remote
destination” refers to a network or subnet that is not directly connected to
the switch.
Supported Switches
The packet routing feature is supported on the AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts, and AT-9448Ts/XP switches. The feature is not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches. The latter switches do allow for one routing interface to support those management functions that require an IP address on the switch. For further information, refer to “Routing Interfaces and Management Features” on page 557 and “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on page 560. For a complete list of available AT-9400 Series switches, contact your Allied Telesyn sales representative or visit our web site.
Routing Interfaces
The IPv4 packet routing feature on the switch is built on the foundation of
the routing interface. An interface functions as a logical connection to a
subnet and allows the egress and ingress of IPv4 packets to the subnet
from other local and remote networks, subnets, and nodes.
Interfaces are an independent routing function. They are not dependent on
static routes or RIP to pass IPv4 traffic among themselves on a switch. A
switch automatically begins to route IPv4 packets among its local subnets
as soon as two or more interfaces have been defined on the device.
In order for a switch to route IPv4 traffic among its local subnets, there must be a routing interface on each subnet. You create an interface by assigning it a unique IP address of the subnet and indicating the VLAN where the subnet resides.
Interfaces also function as anchor points for static routes. A static route
defines the next hop to a remote destination. To create a static route to a
remote destination, you add it to the interface on the switch where the next
hop to the remote destination is located.
Interfaces also act as anchor points for RIP. You can add RIP to the
interfaces so that the switch automatically learns routes to remote
destinations by sharing its routing information with the neighboring routers.
In some limited network topologies, you might be able to meet the routing
requirements of the IPv4 packets of your network with just routing
interfaces. This would assume, of course, that the switch is directly
connected to all of the networks or subnets of your network and that there
are no remote destinations that would require static routes or RIP.
Here are several other items to note concerning routing interfaces on an
AT-9400 Series switch:
- The switch can support up to 512 interfaces at one time, which means it can route the IPv4 traffic on up to 512 local subnets and networks.
- A single VLAN on a switch can contain up to sixteen interfaces.
- The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches do not support the IPv4 packet routing feature. However, you can create one routing interface on the switches to support those management functions that require the device to have an IP address. For more information, refer to “Routing Interfaces and Management Features” on page 557 and “AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches” on page 560.
- The commands for managing interfaces are “ADD IP INTERFACE” on page 570, “DELETE IP INTERFACE” on page 577, and “SET IP INTERFACE” on page 583.
Note
Routing interfaces can be configured from either the command line
interface or the menus interface.
The following subsections describe the three main components of a
routing interface:
- VLAN ID (VID)
- Interface number
- IP address and subnet mask
VLAN ID (VID)
An interface must be assigned to the VLAN on the switch where its
network or subnet resides. The VLAN is identified by its VLAN
identification (VID) number. The sequence of operations is to create the
VLAN first and then the routing interface. Creating the interface before the
VLAN is not permitted. For background information on VID numbers, refer
to the AT-S63 Management Software Menus Interface User’s Guide.
A VLAN can have more than one interface in circumstances where a virtual LAN contains more than one subnet. The maximum number is sixteen routing interfaces per VLAN, making sixteen the maximum number of subnets you can have in a VLAN and still support packet routing on all of them.
Interface Numbers
An interface must be assigned an interface number in the range of 0 to 15.
This range corresponds to the maximum number of interfaces permitted in
a VLAN. Interfaces in different VLANs on the same switch can have the
same interface number, but interfaces in the same VLAN must have
different numbers.
For instance, if a switch has four local subnets and each is in a different
VLAN, all of the interfaces could have the same interface number, such as
0. However, if two or more of the subnets reside in the same VLAN, the
routing interfaces for the subnets in the VLAN must be assigned different
interface numbers.
Interface numbers are only used for interface identification when there is more than one subnet and routing interface in a VLAN. Consequently, the sequence in which the interface numbers are used is not important.
IP Address and Subnet Mask
An interface must be a member of the local network or subnet where it will
function as the logical connection for routing IPv4 packets. As such, it
must be assigned a unique IP address and a subnet mask appropriate to
the network or subnet.
The IP address and subnet mask of an interface can be assigned manually or supplied by a DHCP or BOOTP server on the network. To obtain its IP configuration from a DHCP server, a routing interface must be able to reach the server directly. The AT-S63 management software does not support the DHCP Relay Agent: routing interfaces do not forward DHCP requests from DHCP clients, including other interfaces on the same switch.
Additionally, when a VLAN contains more than one interface, only one of the interfaces can obtain its IP address from a DHCP or BOOTP server. The IP addresses for the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resides in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server. However, if the four subnets share the same VLAN, only one interface can obtain its IP address from a DHCP or BOOTP server. The other three must be configured manually.
Interface Names
Many of the commands for the IPv4 packet routing feature have a
parameter for an interface name. An interface name consists of a VLAN
and an interface number, separated by a dash. The VLAN is designated
by “vlan” followed by the VLAN identification number (VID).
Here are several examples. The interface name for a VLAN with the VID
of 7 and an interface number of 0 is:
vlan7-0
The interface name for a VLAN with the VID of 28 and an interface number
of 2 is:
vlan28-2
The following is an example of a command that uses an interface name.
The example uses the ADD IP INTERFACE command to create a new
interface for a subnet in a VLAN with a VID of 28. The interface is
assigned an interface number of 0, an IP address of 149.44.22.22, and a
subnet mask of 255.255.255.0:
add ip interface=vlan28-0 ipaddress=149.44.22.22 mask=255.255.255.0
Static Routes
Before a switch can route IPv4 packets to a remote network or subnet, it must have a route to the destination. You can explicitly define a route in the form of a static route. The primary information of a static route is the IP address of the remote destination and the address of the next hop used to reach the destination.
A static route must be attached to a routing interface. Furthermore, the IP
address of the next hop in a static route and the IP address of the interface
must be members of the same subnet. Consequently, a static route must
be added to the interface that belongs to the same subnet as the next hop
in the route.
For example, assume a switch supported four subnets with four interfaces
named VLAN4-0, VLAN11-0, VLAN12-0, and VLAN12-1. To add a static
route to a remote destination that had as its next hop an IP address in the
subnet of the VLAN4-0 interface, you would need to specify the VLAN4-0
interface.
Fortunately, specifying the interface is optional. The switch can
automatically match the static route with its appropriate interface. The unit
examines the IP address of the next hop in the route and adds the route
automatically to the interface of the same subnet. If the switch does not
have an interface of the same subnet as the next hop in a route, the
system does not add the route and instead displays an error message.
A static route can be used by all the interfaces on a switch, not just the
interface where it is added. For example, referring to the previous
example, a static route added to the VLAN4-0 interface would be available
to all the other interfaces on the same switch.
The switch supports two types of static routes. The first specifies the IP
address of a specific destination, which can be a network, subnet, or node.
The second type of static route is a default route. This type of route is used
by the switch when it receives a network packet and cannot find a route for
it. So it sends it to the next hop specified in the default route. The
destination address for a default route is 0.0.0.0. A default route has no
subnet mask. There can be only one default route on a switch.
A static route includes a metric. This is a measurement of the cost to the switch of forwarding packets to the remote destination specified in the static route. The metric or cost is simply the hop count.
The default setting for a static route is one hop. The value can be set
higher to make a static route more costly. Networks, subnets, and nodes
directly connected to a router have a hop count of 0.
When the switch receives a packet from a remote subnet, it increases the
metric or cost of the packet before forwarding it on to the next hop. A
remote destination with a hop count of 16 is considered unreachable.
The switch’s routing table does not permit duplicate static routes to the
same destination. Furthermore, you cannot add a static route for a route
that the switch has already learned through RIP. The reverse is true as
well. The switch will not add a route learned through RIP to its routing table
if the route already exists as a static route. For more information, refer to
“Routing Table” on page 553.
A static route is functional as soon as it is added to an interface. A static
route cannot be disabled. To prevent a switch from routing packets with a
static route, the route must be deleted.
The switch can store up to 1024 static routes in addition to the 1024
dynamic routes it can learn through RIP.
The commands for managing static routes are “ADD IP ROUTE” on
page 574, “DELETE IP ROUTE” on page 579, and “SET IP ROUTE” on
page 588.
Note
Static routes must be configured with the command line interface.
Static routes are not supported in the menus and web browser
interfaces.
Routing Information Protocol (RIP)
A switch can automatically learn routes to remote destinations by sharing
the contents of its routing table with its neighboring routers in the network
with the Routing Information Protocol (RIP) versions 1 and 2.
RIP is a fairly simple distance vector routing protocol that defines networks based on how many hops they are from the switch, just as with static routes. Once a network is more than fifteen hops away (one hop is one link), it is considered unreachable and is not included in the routing table.
RIP version 2 permits the inclusion of subnet masks and next hop
information in RIP updates. The addition of subnet masks allows the use
of different sized subnet masks on different subnets within the same
network.
RIP broadcasts are automatically activated when the protocol is added to
a routing interface on the switch. An interface sends RIP packets to the
RIP multicast address 224.0.0.9 when sending version 2 packets or uses
the broadcast address when sending out version 1 packets.
A route is propagated by RIP if its status at the physical level is active. An active route has at least one active port in the VLAN. RIP does not propagate an inactive route, where there are no active ports in the VLAN.
RIP can be added to a maximum of 100 interfaces on a switch. The route
table can store up to 1024 routes learned by RIP.
Since the interfaces on a switch can route packets among the local
subnets without the presence of RIP or static routes, the routing protocol is
only necessary if the switch is to learn remote destinations by sharing the
switch’s routing table with the neighboring routers, and you choose not to
specify the routes manually with static routes.
You add RIP to the routing interfaces where there are neighboring routers
to remote destinations. You do not need to add RIP to interfaces where
there are no neighboring routers.
A route learned by RIP is immediately added to the routing table, where it
becomes available to all the interfaces on the switch.
The RIP implementation on the AT-9400 Series switch supports split
horizon. This feature prevents the switch from sending out or advertising a
dynamic route on the same interface where it was learned. The split
horizon feature is activated on an interface as soon as you add RIP. It
cannot be disabled.
When you add RIP to an interface, you can specify the type of RIP packets
the routing protocol is to send and receive. An AT-9400 Series switch can
send either version 1 or 2 packets and accept either or both versions.
Version 2 supports the addition of a password of up to sixteen
alphanumeric characters to protect routers and their tables from
incorporating bogus routing updates. The switch adds the password into
the routing table when it broadcasts the contents of the table to its
neighboring routing devices, which check the password prior to updating
their tables.
Note
A RIP version 2 password is sent in plaintext. The AT-S63 management software does not support encrypted RIP passwords. Anyone who can capture RIP traffic on the segment can therefore read the password and use it in updates that the neighboring routers will accept. Treat the password as a guard against accidental misconfiguration, not as protection against a deliberate attacker.
The switch broadcasts its routing table every thirty seconds from those
interfaces that have RIP. This interval is not adjustable on the switch. The
entire table is sent with the following exceptions:
- Dynamic RIP routes that fall under the split horizon rule.
- Inactive interface routes where there are no active ports in the VLAN.
- The default route.
Note
The AT-S63 management software does not support the RIP
holddown and flush timers.
The commands for managing RIP are “ADD IP RIP” on page 572,
“DELETE IP RIP” on page 578, and “SET IP RIP” on page 586.
Note
RIP must be configured from the command line interface. RIP is not
supported in the menus and web browser interfaces.
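To make the plaintext caveat concrete, here is an added Python example, not code from the AT-S63 guide or from Allied Telesyn, that builds and parses a RIP version 2 response carrying the simple-password authentication entry defined in RFC 2453, which is the mechanism a sixteen-character RIP version 2 password uses. The packet layout and constants come from RFC 2453; the sample routes, the password and the receiver-side check are constructed for the example. It shows that the password sits unencoded in the UDP payload, that a neighbor's check is a plain string comparison, and that a metric of 16 marks a destination unreachable.

```python
import socket
import struct

# Added example, not from the AT-S63 guide: a RIP version 2 response with the simple
# password authentication entry of RFC 2453, to show what "sent in plaintext" means.
# Wire constants are from RFC 2453; routes, password and receiver logic are constructed here.

RIP_PORT = 520                  # UDP port used by RIP
RIPV2_MULTICAST = "224.0.0.9"   # where the switch sends version 2 updates
CMD_RESPONSE = 2                # command 1 = request, 2 = response
AFI_IP = 2                      # address family for IPv4 route entries
AFI_AUTH = 0xFFFF               # address family that marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2        # authentication type 2 = simple password
UNREACHABLE = 16                # metric 16 withdraws a destination
ENTRY = struct.Struct("!HH4s4s4sI")   # AFI, route tag, address, mask, next hop, metric


def build_ripv2_response(routes, password=None) -> bytes:
    """routes: list of (network, mask, next_hop, metric) as dotted strings and an int.
    Returns the UDP payload that would be sent to 224.0.0.9 port 520."""
    if len(routes) > 25 - (password is not None):
        raise ValueError("a RIP message carries at most 25 entries, one of which may be the password")
    pkt = bytearray(struct.pack("!BBH", CMD_RESPONSE, 2, 0))
    if password is not None:
        pw = password.encode("ascii")
        if not 1 <= len(pw) <= 16:
            raise ValueError("RIPv2 simple password is 1-16 characters")
        # The password is copied into the entry as-is, null padded: no hashing, no encryption.
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, pw)
    for net, mask, next_hop, metric in routes:
        if not 1 <= metric <= UNREACHABLE:
            raise ValueError("metric must be 1-16")
        pkt += ENTRY.pack(AFI_IP, 0, socket.inet_aton(net), socket.inet_aton(mask),
                          socket.inet_aton(next_hop), metric)
    return bytes(pkt)


def parse_ripv2(payload: bytes):
    """Return (command, password or None, routes). Raises ValueError on a malformed packet."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY.size:
        raise ValueError("RIP payload is a 4-byte header plus 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    if version != 2:
        raise ValueError(f"not a RIP version 2 message (version {version})")
    password, routes = None, []
    for off in range(4, len(payload), ENTRY.size):
        afi, tag, addr, mask, next_hop, metric = ENTRY.unpack_from(payload, off)
        if afi == AFI_AUTH:
            if off != 4 or tag != AUTH_SIMPLE_PASSWORD:
                raise ValueError("only a leading simple-password entry is handled here")
            # The 16 bytes after AFI and type are the password, readable by any listener.
            password = payload[off + 4:off + 20].rstrip(b"\x00").decode("ascii")
        else:
            routes.append((socket.inet_ntoa(addr), socket.inet_ntoa(mask),
                           socket.inet_ntoa(next_hop), metric))
    return command, password, routes


def accept_update(payload: bytes, configured_password):
    """What a neighbour does with the update: install the routes only if the password matches.
    RFC 2453 also discards authenticated messages when no password is configured, and a
    metric of 16 is a withdrawal, not a usable route. Anyone who captured one update
    already holds the password, so this check stops misconfiguration, not an attacker."""
    _, password, routes = parse_ripv2(payload)
    if password != configured_password:
        return None
    return [r for r in routes if r[3] < UNREACHABLE]


if __name__ == "__main__":
    # Constructed sample update: one reachable route and one withdrawal, password "s3cret".
    update = build_ripv2_response(
        [("149.55.0.0", "255.255.0.0", "0.0.0.0", 2), ("10.0.0.0", "255.0.0.0", "0.0.0.0", 16)],
        password="s3cret")
    print(update.hex())
    print("password visible on the wire:", b"s3cret" in update)
```

A next hop of 0.0.0.0 in an entry means "use the sender", which is the usual value in updates a router originates. The same bytes are what a packet capture on the VLAN would show, which is the practical meaning of the note above.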
Routing Table
The switch maintains its routing information in a table of routes that tells
the switch how to find a local or remote destination. Each route is uniquely
identified in the table by its IP address, network mask, next hop, protocol,
and routing interface.
When the switch receives an IPv4 packet, it scans the routing table to find
the most specific route to the destination on an “up” interface where there
is at least one active port in the VLAN. If the switch does not find a direct
route to the remote destination and no default route exists, the switch
discards the packet and sends an ICMP message to that effect back to the
source.
The switch transmits its routing table every 30 seconds from those
interfaces that have RIP. The RIP timer is not adjustable. The switch also
transmits its routing table and resets the timer to zero whenever there is a
change to the table. This ensures that the neighboring routers are
immediately informed of updates to the table.
Dynamic RIP routes are removed from the table when they are not kept up
to date (refreshed) by the neighboring routers. The metric of a route that is
not refreshed is increased to 16 to indicate an unreachable network. If the
route is not updated after 180 seconds, it is deleted from the table.
The switch does not permit duplicate routes with identical destination IP
addresses in the routing table. It does, however, allow the addition of a
route with a more general IP address of a preexisting address, but not a
more specific address. For instance, a new route to 149.44.0.0 (mask
255.255.0.0) is permitted even when the table already contains a static or
dynamic route to the subnet 149.44.22.0 (mask 255.255.255.0), because
the new route is more general than the preexisting route. The more
specific route would be used to route packets to the 149.44.22.0 subnet
and the more general route for all other packets with a destination address
in the 149.44.0.0 network.
The switch, however, does not accept a route that is more specific than a preexisting route. As an example, a new static or dynamic route to 149.55.44.0 is rejected if the route to 149.55.0.0 is already in the table.
Here are other items concerning the routing table:
• The switch does not permit the substitution of one static route for another. To change the attributes of an existing static route, such as the next hop or metric value, you could modify it using “SET IP ROUTE” on page 588 or delete it and add the route again with the new information, using “ADD IP ROUTE” on page 574.
• The switch does not permit the substitution of a static route for a dynamic RIP route. The converse is also true. For instance, a static route to a remote destination cannot be added if the switch has already learned the route dynamically with RIP. Conversely, to replace a static route with a dynamic route, the static route must be deleted and the switch allowed to learn the route dynamically with RIP.
• If the switch is running RIP, a new dynamic route with a lower metric value will replace a preexisting dynamic route. If the preexisting dynamic route has the same or a lower metric value, the new route is discarded and the timer on the preexisting route is refreshed.
• An inactive interface route, where there are no active ports in the VLAN, is not propagated by RIP.
The maximum storage capacity of the routing table in the AT-9400 Series switch is:
• 512 interface routes
• 1024 static routes
• 1024 RIP routes
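The admission rules just listed, as an added Python example that is not part of this manual or of the AT-S63 software: a small model of the routing table that applies them (duplicate destination, more general versus more specific route, static-versus-RIP substitution, RIP metric replacement with timer refresh, and the 180-second expiry to metric 16) and resolves a destination by longest-prefix match. The class and method names are assumptions, as is the handling of the default route noted in the code.

```python
"""Model of the AT-S63 routing-table admission rules described above.
Added example, not Allied Telesyn code; class and method names are
assumptions. Rules taken from the text: duplicates are rejected, a more
general route is accepted, a more specific one is rejected, static and RIP
routes cannot replace each other, a RIP route is replaced only by one with
a lower metric (otherwise the old route's timer is refreshed), and a RIP
route not refreshed for 180 seconds is marked metric 16 and deleted."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

RIP_TIMEOUT = 180      # seconds without a refresh before deletion
RIP_UNREACHABLE = 16   # RIP metric meaning "unreachable"
DEFAULT = IPv4Network("0.0.0.0/0")


@dataclass
class Route:
    network: IPv4Network
    next_hop: str
    kind: str            # "static" or "rip"
    metric: int = 1
    last_refresh: float = 0.0


class RoutingTable:
    def __init__(self):
        self.routes: list[Route] = []

    def _exact(self, net: IPv4Network):
        return next((r for r in self.routes if r.network == net), None)

    def add(self, new: Route, now: float = 0.0):
        """Apply the admission rules; return (accepted, reason)."""
        existing = self._exact(new.network)
        if existing is not None:
            if existing.kind != new.kind:
                return False, f"{existing.kind} route to {new.network} exists; delete it first"
            if new.kind == "static":
                return False, "static route exists; delete and re-add to change it"
            if new.metric < existing.metric:          # better RIP route wins
                new.last_refresh = now
                self.routes[self.routes.index(existing)] = new
                return True, "replaced RIP route with lower metric"
            existing.last_refresh = now               # same or worse: refresh timer
            return False, "discarded; existing RIP route refreshed"
        for r in self.routes:
            # Assumption: the default route does not count as a "more general
            # route" here, because the chapter's example keeps a default route
            # and a static route in the table at the same time.
            if r.network != DEFAULT and new.network.subnet_of(r.network):
                return False, f"{new.network} is more specific than {r.network}"
        new.last_refresh = now
        self.routes.append(new)
        return True, "added"

    def lookup(self, dst: str):
        """Longest-prefix match: the most specific route containing dst."""
        addr = IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        return max(candidates, key=lambda r: r.network.prefixlen, default=None)

    def age(self, now: float):
        """Expire RIP routes not refreshed within RIP_TIMEOUT; return them."""
        expired = [r for r in self.routes
                   if r.kind == "rip" and now - r.last_refresh >= RIP_TIMEOUT]
        for r in expired:
            r.metric = RIP_UNREACHABLE
            self.routes.remove(r)
        return expired
```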
Section VII: Internet Protocol Routing
AT-S63 Management Software Command Line Interface User’s Guide
Address Resolution Protocol (ARP) Table
The switch maintains an ARP table of IP addresses and the matching
Ethernet MAC addresses. It refers to the table when routing packets to
determine the destination MAC addresses of the nodes, as well as
interfaces and ports from where the nodes are reached.
The ARP table can store both static and dynamic entries. Static entries are
entries you add yourself. This type of entry is never removed by the switch
from the ARP table, even when the corresponding nodes are inactive.
Dynamic entries are entries that the switch learns on its own. Dynamic
entries of inactive nodes are periodically removed from the table to prevent the
table from filling with entries of inactive nodes.
The switch adds a dynamic entry to the table when it receives a response
to an ARP request. The switch generates an ARP request when it receives
a packet that needs to be routed across a subnet, but lacks the destination
MAC address in its ARP table. The switch, after receiving the ARP
response from the destination node, adds the IP address and MAC
address of the node to its ARP table and begins to route packets to the
device. Note that until the switch receives a response to its
ARP request, it discards all packets intended for that destination node.
The switch will also add a dynamic entry when it is the destination of an
ARP request from another node, such as when pinged by a management
station. The switch adds the source IP address and MAC address in the
request from the node to the table when it responds to the ARP request.
Dynamic ARP entries are aged from the table according to the ARP cache
timeout value to protect the table from filling with entries for hosts which
are no longer active. Old entries are deleted. The default setting for the
timeout value is 150 seconds. This value is adjustable with the SET IP
ARP TIMEOUT command. Static ARP entries are not aged and are
retained in the table even when the nodes are inactive.
The commands for managing the ARP table are “ADD IP ARP” on
page 568, “DELETE IP ARP” on page 576, “SET IP ARP” on page 581,
“SET IP ARP TIMEOUT” on page 582, and “SHOW IP ARP” on page 590.
Note
The switch does not support Proxy ARP.
The storage capacity of the ARP table in an AT-9400 Series switch is:
• 1024 static entries
• 1024 dynamic entries
Chapter 32: Internet Protocol Version 4 Packet Routing
Internet Control Message Protocol (ICMP)
ICMP allows routers to send error and control messages to other routers
or hosts. It provides the communication between IP software on one
system and IP software on another. The switch implements the non-obsolete
ICMP functions listed in Table 27.
Table 27. ICMP Messages Implemented on the AT-9400 Series Switch

ICMP Packet (Type): Switch Response
Echo reply (0): This is used to implement the “ping” command common to most UNIX and TCP implementations. The switch sends out an “Echo reply” packet in response to an “Echo request.”
Destination unreachable (3): This message is sent out when the switch drops a packet because it did not have a route to the destination.
Source Quench (4): The switch will send a “Source Quench” if it must drop a packet due to limited internal resources. This could be because the source was sending data too fast to be forwarded.
Redirect (5): The switch will issue a “redirect” packet to inform a local host that its target is located on the same LAN (no routing is required) or when it detects a host using a non-optimal route (usually because a link has failed or changed its status).
Echo request (8): This is related to (1) and results in an “echo reply” packet being sent. The switch can also generate an “echo request” packet as a result of the PING command.
Time to Live Exceeded (11): If the TTL field in a packet falls to zero the switch will send a “Time to live exceeded” packet. This could occur if a route was excessively long or if too many hops were in the path.
Routing Interfaces and Management Features
Routing interfaces are primarily intended for the IPv4 packet routing
feature. There are, however, a number of management functions that rely
on the presence of at least one routing interface on the switch to operate
properly. The switch uses the IP address of an interface as its source
address when it performs the management function. The management
functions are listed here:
• Network servers
• Enhanced stacking
• Remote Telnet, SSH, and web browser management sessions
• Pinging a remote device
• DHCP or BOOTP server
Network Servers
A local subnet on the switch must have an interface if the device is using
the subnet to access any of the following types of network servers:
• SNTP server for setting the switch’s date and time.
• RADIUS or TACACS+ authentication server for manager access accounts and 802.1x port-based network access control.
• Syslog server for storing events from the switch’s event logs.
• FTP server for uploading and downloading files to the switch.
The switch uses the IP address of the interface as its source address
when communicating with the network server. Without a routing interface
on the subnet, the switch will not have a source IP address to include in its
packets. For example, the switch, in order to set its date and time using an
SNTP server, must have a routing interface on the local subnet from
where it is accessing the server.
The servers can be located on different routing interfaces on the switch.
For instance, the switch can access an SNTP server through one interface
and a RADIUS authentication server from another. This differs from earlier
versions of the AT-S63 management software where all the servers had to
be members of what was referred to as the “management VLAN.”
If you intend to use the IPv4 routing feature of the switch and assign
routing interfaces to all the local subnets and networks on a switch, this
requirement should not be an issue. However, if you choose not to use the
routing function and so do not create interfaces, or you have an AT-9400
Series switch that only supports one interface, some planning will be
necessary in order to use these features. At a minimum, you must create
one routing interface on the switch and plan your network so that the
switch can access the servers from the subnet of the interface.
As an example, assume you decided not to implement the IPv4 routing
feature on a switch that had four local subnets, but you wanted the switch
to send its events to a syslog server and have access to a RADIUS
authentication server. Assume also that you wanted to use a TFTP
server to upload and download files to the device. To accomplish this, you
would need to plan your network so that the switch could reach the syslog,
RADIUS, and TFTP servers from the same local subnet on the unit, and
you would need to assign an interface to the subnet. The switch, having
only one interface, would not route IPv4 packets among its local subnets,
but would use the interface’s IP address to communicate with the servers.
Enhanced Stacking
The enhanced stacking feature simplifies the task of managing the Allied
Telesyn switches in your network by allowing you to easily transition
among the switches in a stack during a management session.
The master switch of a stack must have an interface on the common
VLAN and subnet that interconnects the switches of the stack.
Furthermore, the interface must be designated as the local interface,
described in “Local Interface” on page 559.
There is an important difference between the need for interfaces
for enhanced stacking versus network servers, as explained in the
previous subsection. As previously explained, a switch can reach network
servers through different interfaces on different subnets, simultaneously. In
contrast, the switches of an enhanced stack must share a common VLAN
and subnet, and the interface on the common subnet must be designated
as the local interface on the master switch.
For background information and guidelines on the enhanced stacking
feature, refer to the AT-S63 Management Software Menus Interface
User’s Guide.
Remote Telnet, SSH, and Web Browser Management Sessions
To remotely manage a switch using a Telnet or SSH client, or a web
browser application, the remote management workstation must access the
switch through a subnet that has a routing interface. Furthermore, the
interface must be designated as the local interface on the switch. Only a
workstation that can reach the switch through the subnet of the local
interface can manage the unit. This rule applies to an isolated device (that
is, a switch that is not a part of an enhanced stack) and a master switch of
a stack. This does not apply to a slave switch of a stack.
For background information and guidelines on remote management, refer
to the AT-S63 Management Software Menus Interface User’s Guide.
Pinging a Remote Device
This function is used to validate the existence of an active path between
the switch and another network node. The switch can ping a device if there
is a routing interface on the local subnet from where it reaches the device.
In previous versions of the AT-S63 management software, the device to
be pinged had to be reached through the management VLAN of the
switch. This restriction no longer applies. A remote device can be pinged
through any subnet of the switch, so long as the subnet has an interface.
DHCP or BOOTP Server
You can use a DHCP or BOOTP server to assign IP addresses to the
interfaces of a switch. To receive its IP configuration from a DHCP server,
an interface must be able to directly reach the server. The switch does not
support the DHCP Relay Agent and will not forward DHCP client requests
from DHCP clients, including requests from other interfaces.
Local Interface
The local interface is used with the enhanced stacking feature. It is also
used with remote management of a switch with a Telnet or SSH client, or a
web browser. The local interface does the following:
• With an enhanced stack, it designates on the master switch the common VLAN and subnet that interconnects the switches of the stack. The master switch uses the local interface to send out its broadcast packets when searching for other switches in a stack.
• With remote management, it designates the VLAN and subnet from where the remote management workstation will access the switch. The switch uses the local interface to watch for the management packets from the remote workstation and to send packets back to the remote station.
For example, assume you wanted to remotely manage a switch that had
four subnets and four interfaces named VLAN4-0, VLAN11-0, VLAN12-0,
and VLAN12-1, and the remote workstation was reaching the switch
through the subnet of the VLAN11-0 interface. To be able to remotely
manage the switch you would need to designate the VLAN11-0 interface
as the local interface on the unit.
A switch can have only one local interface.
For background information on enhanced stacking and remote
management of a switch, refer to the AT-S63 Management Software
Menus Interface User’s Guide.
AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches do not
support the IPv4 packet routing feature. They do, however, support a
limited version of some of the features.
Local Interface
You can create one routing interface to provide support for those
management features that require the switch to have an IP address.
Furthermore, the interface can be designated as the local interface so that
it can function as the master switch of an enhanced stack or for remote
Telnet, SSH, or web browser management. For further information, refer
to “Routing Interfaces and Management Features” on page 557.
ARP Table
These switches also have an ARP table with a maximum capacity of ten
ARP entries. The table and entries are used by the AT-S63 management
software when it performs a management function that requires it to
communicate with another device on the network. An example would be if
you instructed the switch to ping another network device or download a
new AT-S63 image file or configuration file from a TFTP server.
The value of the ARP table is that it eliminates the need of the switch to
issue unnecessary ARP broadcast packets when performing some
management functions. This can improve the switch’s response time as
well as reduce the number of broadcast packets on your network.
There are two types of entries. One type is permanent. There is only one
permanent entry and it is used by the switch for internal diagnostics. It can
never be removed from the table.
The other type is a temporary entry, of which there can be up to nine. The
switch adds a temporary entry whenever its management software
interacts with another network device during a management function.
When you enter a management command that contains an IP address not
in the table, the switch sends out an ARP broadcast packet. When the
remote device responds with its MAC address, the switch adds the
device’s IP address and MAC address as a new temporary entry to the
table.
A temporary entry remains in the table only while active. An entry remains
active so long as it is periodically used by the switch for management
functions. If an entry is inactive for a defined period of time known as the
ARP cache timeout, it is automatically removed from the table. To adjust
this value, refer to “SET IP ARP TIMEOUT” on page 582. The default is
150 seconds. If the table becomes full, the management software
continues to add new entries by deleting the oldest entries.
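The ARP table behaviour described here and in “Address Resolution Protocol (ARP) Table” above, as an added Python example that is not the AT-S63 software: static entries that are never aged, dynamic entries learned from ARP traffic and removed after the ARP cache timeout of inactivity, packets discarded on a miss until the reply arrives, and the oldest-entry eviction the text describes for the small switches when their table is full. The class and method names are assumptions, and eviction is made a constructor option because the text states it only for the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP.

```python
"""Model of the ARP table behaviour described in this chapter. Added
example, not Allied Telesyn code; names are assumptions. Behaviour taken
from the text: static entries never age; dynamic entries are learned from
ARP replies (or from the sender of an ARP request the switch answers) and
removed after `timeout` seconds of inactivity (default 150, adjustable with
SET IP ARP TIMEOUT); a lookup miss sends an ARP request and the packet is
discarded. Evicting the oldest entry when the table is full is stated only
for the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP (nine temporary entries),
so it is an option here rather than the default."""
from dataclasses import dataclass

ARP_TIMEOUT_DEFAULT = 150   # seconds


@dataclass
class ArpEntry:
    ip: str
    mac: str
    static: bool
    last_used: float


class ArpTable:
    def __init__(self, timeout=ARP_TIMEOUT_DEFAULT, max_dynamic=1024,
                 max_static=1024, evict_oldest_when_full=False):
        self.timeout = timeout
        self.max_dynamic = max_dynamic
        self.max_static = max_static
        self.evict_oldest_when_full = evict_oldest_when_full
        self.entries: dict[str, ArpEntry] = {}
        self.arp_requests_sent = 0
        self.packets_discarded = 0

    def set_timeout(self, seconds: int):
        """Equivalent of SET IP ARP TIMEOUT."""
        self.timeout = seconds

    def _dynamic(self):
        return [e for e in self.entries.values() if not e.static]

    def add_static(self, ip: str, mac: str) -> bool:
        """Equivalent of ADD IP ARP: the entry must not already exist."""
        static_count = len(self.entries) - len(self._dynamic())
        if ip in self.entries or static_count >= self.max_static:
            return False
        self.entries[ip] = ArpEntry(ip, mac, True, 0.0)
        return True

    def learn(self, ip: str, mac: str, now: float) -> bool:
        """Add a dynamic entry from an ARP reply or a received ARP request."""
        if ip in self.entries:
            e = self.entries[ip]
            if e.static:
                return False        # static entries are not overwritten
            e.mac, e.last_used = mac, now
            return True
        dyn = self._dynamic()
        if len(dyn) >= self.max_dynamic:
            if not self.evict_oldest_when_full:
                return False
            oldest = min(dyn, key=lambda e: e.last_used)
            del self.entries[oldest.ip]
        self.entries[ip] = ArpEntry(ip, mac, False, now)
        return True

    def resolve(self, ip: str, now: float):
        """Look up the MAC for a packet to ip. On a miss the switch sends an
        ARP request and discards the packet. Returns (mac, action)."""
        e = self.entries.get(ip)
        if e is None:
            self.arp_requests_sent += 1
            self.packets_discarded += 1
            return None, "arp-request"
        if not e.static:
            e.last_used = now       # use keeps a dynamic entry active
        return e.mac, "forward"

    def age(self, now: float):
        """Remove dynamic entries idle for at least the timeout; return their IPs."""
        stale = [e.ip for e in self._dynamic() if now - e.last_used >= self.timeout]
        for ip in stale:
            del self.entries[ip]
        return stale
```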
Note
The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches do
not use the ARP table to move packets through the switching matrix.
The switches refer to the table only when performing a management
function that requires communications with another network node.
Default Gateway
The default gateway specifies the IP address of an interface on a
neighboring router. The switch’s management software uses this address
as the next hop for reaching a remote network device, such as a remote
Telnet, SSH, or web browser management workstation or a syslog server,
when the switch’s interface and the remote device are on different
subnets.
As an example, assume you wanted to manage the switch from a remote
management workstation on a different subnet than the local interface,
and needed the switch to access a RADIUS authentication server also on
a different subnet. Here, you would need to define a default gateway on
the switch so that the unit would know the next hop for reaching the remote
workstation and the RADIUS server.
The default gateway is only used for management functions, such as
communicating with a remote management workstation or sending events
to a syslog server. The default gateway is not used during the normal
Layer 2 switching of packets among the switch ports and, as such, is not
necessary for normal operations of the device.
You define the default gateway by creating a default route on the switch.
As explained in “Static Routes” on page 550, this type of route does not
specify a destination address. Rather, it simply defines the IP address of
the next hop, which becomes the default gateway for the switch.
The IP address of the next hop of the default route must be of the same
subnet as the switch’s interface.
Routing Command Example
This section contains an example of the IPv4 routing feature. It illustrates
the sequence of commands for implementing the feature. To make the
example easier to explain, some of the command options are not
mentioned and the default values are used instead. For information on all
of the available options of a command, refer to the appropriate section in
this chapter.
Note
This example does not apply to the AT-9408LC/SP, AT-9424T/GB,
and AT-9424T/SP switches, which do not support the packet routing
feature. For an example of how to assign an IP address to these
switches, refer to “Non-routing Command Example” on page 566.
This example has the following sections:
• “Creating the VLANs” on page 563
• “Creating the Routing Interfaces” on page 563
• “Adding a Static Route and Default Route” on page 564
• “Adding RIP” on page 565
• “Selecting the Local Interface” on page 565
This example assumes an AT-9448T/SP switch with four local subnets.
Two subnets will reside in their own VLANs and two will share a VLAN.
The table below lists the relevant information.
Table 28. IPv4 Routing Example

Company Department    VLAN Name     VID   Subnet IP Address   Subnet Mask       Ports (a)
Sales                 Sales         4     149.35.67.0         255.255.255.0     U: 1-11, T: 50
Production            Production    5     149.35.68.0         255.255.255.0     U: 12-20, T: 50
Engineering Group 1   Engineering   11    149.35.69.0         255.255.255.0     U: 21-40, T: 50
Engineering Group 2   Engineering   11    149.35.70.0         255.255.255.0     U: 21-40, T: 50

a. U - untagged ports; T - tagged ports
Creating the VLANs
The first step is to create the VLANs for the local subnets on the switch.
The VLANs must be created before the routing interfaces. The following
command creates a VLAN for the Sales department with a VID of 4 and
the appropriate ports:
create vlan=Sales vid=4 untaggedport=1-11 taggedport=50
The following commands create the Production and Engineering VLANs:
create vlan=Production vid=5 untaggedport=12-20 taggedport=50
create vlan=Engineering vid=11 untaggedport=21-40 taggedport=50
Note that even though there are four local subnets in the example, there
are only three VLANs because two of the subnets will share a VLAN.
For further information on this command, refer to “CREATE VLAN” on
page 493.
Creating the Routing Interfaces
Now that the VLANs are created, you can add the routing interfaces to the
individual subnets. There are four local subnets in the example, so there
will need to be four interfaces to support routing on all the subnets.
The following command creates the routing interface for the Sales subnet.
The interface name is based on the VID of the VLAN, which is 4, and an
interface number, in this case 0. The interface is assigned the unique IP
address 149.35.67.11 and a subnet mask to make it a member of its
corresponding subnet.
add ip interface=vlan4-0 ipaddress=149.35.67.11 netmask=255.255.255.0
These commands create the interfaces for the remaining subnets:
add ip interface=vlan5-0 ipaddress=149.35.68.24 netmask=255.255.255.0
add ip interface=vlan11-0 ipaddress=149.35.69.23 netmask=255.255.255.0
add ip interface=vlan11-1 ipaddress=149.35.70.45 netmask=255.255.255.0
The Engineering VLAN (VID 11) has two interfaces for its two subnets.
Each interface is given a different interface number, 0 and 1, to distinguish
between them.
At this point, the switch begins to route IPv4 packets among the local
subnets.
For further information on this command, refer to “ADD IP INTERFACE”
on page 570.
Adding a Static Route and Default Route
Building on our example, assume you decided to manually enter a route to
a remote subnet as a static route. The command for creating a static route
is “ADD IP ROUTE” on page 574. Here is the basic information for
defining a static route:
• The IP address of the remote destination.
• The subnet mask of the remote destination.
• The IP address of the next hop.
• The routing interface on the switch where the next hop is located. This piece of information is optional because the switch can automatically determine the appropriate interface from the IP address of the next hop. The IP addresses of the next hop of a static route and the interface where the hop is located must be members of the same subnet.
Let’s assume you wanted to add a static route to a remote subnet with the
IP address 149.35.22.0 and a mask of 255.255.255.0. Let’s also assume
that the IP address of the next hop is 149.35.70.26, making it part of the
subnet of the VLAN11-1 interface. Consequently, the static route must be
added to that interface, though you do not need to specify it in the
command. Here is the command for adding the static route:
add ip route=149.35.22.0 nexthop=149.35.70.26 mask=255.255.255.0
A static route becomes active as soon as it is defined and is available to all
of the interfaces on the switch.
Now assume that you want to create a default route for when the switch
receives a packet with a destination address to a network or subnet for
which it does not have a route. All you need to know for a default route is
the IP address of the next hop for the packets. For this example, assume
that the IP address of the next hop will be 149.35.68.12. This locates the
next hop on the VLAN5-0 interface. Here is the command for creating the
default route:
add ip route=0.0.0.0 nexthop=149.35.68.12
A default route does not have a subnet mask. Note also that the
appropriate routing interface for the next hop, in this example VLAN5-0, is
also not defined because, as with static routes, specifying the interface is
optional.
Adding RIP
Rather than adding the static routes to remote destinations, or perhaps to
augment them, you decide that the switch should learn the routes by
exchanging its route table with its routing neighbors using RIP. To
implement RIP, you add it to the routing interfaces where routing
neighbors are located. The command for adding RIP to an interface is
“ADD IP RIP” on page 572.
For the purpose of this example, assume the routing neighbors of the
switch are located on the VLAN5-0 and VLAN11-1 interfaces. The
following commands add RIP to the interfaces and configure the routing
protocol to send only version 2 packets, but accept packets of either
version 1 or 2. In both cases, RIP is running without a password.
add ip rip interface=vlan5-0 send=rip2 receive=both authentication=none
add ip rip interface=vlan11-1 send=rip2 receive=both authentication=none
You could, if you wanted, add RIP to the other interfaces. But since, in our
example, those interfaces do not have links to other RIP routers, they
would not learn any routes.
Selecting the Local Interface
This last part of the example designates a local interface. This step is
necessary on a master switch of an enhanced stack to designate the
common VLAN of the switches in the stack. This is also necessary if you
want to manage the device from a remote management workstation with a
Telnet or SSH client, or a web browser.
Let’s assume you plan to remotely manage the switch from a management
workstation that reaches the device through the subnet in the Sales VLAN,
whose interface name is VLAN4-0. Here is the command to
designate that interface as the local interface on the switch:
set ip local interface=vlan4-0
To start a remote management session on the switch, you use the IP
address of the local interface as the switch’s address. In the example, the
switch’s address would be 149.35.67.11 because that happens to be the
IP address of the VLAN4-0 interface, which is the local interface.
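To check a plan like this one before entering the commands, here is an added Python example (not Allied Telesyn code) that applies this chapter's rules to the routing example above and to the non-routing example later in the chapter: interface naming and the three supported masks (with the classful default when a mask is omitted), no two interfaces on one subnet, the next hop of each static and default route resolving to the subnet of an interface, and RIP and local-interface references pointing at existing interfaces. The plan layout and function names are assumptions; the sample plan is constructed from Table 28 and the commands above.

```python
"""Consistency check for an AT-S63 IPv4 routing plan (VLANs, interfaces,
static and default routes, RIP, local interface). Added example, not
Allied Telesyn code; function names and the plan layout are assumptions.
Rules applied, all from this chapter:
  - interface name: "vlan" + VID + "-" + number 0..15; the VLAN must exist
  - only 255.0.0.0, 255.255.0.0 and 255.255.255.0 are accepted as masks,
    and the classful default applies when a mask is omitted
  - no two interfaces on the same subnet
  - a static or default route's next hop must lie in the subnet of one of
    the switch's interfaces (that is the interface the route attaches to)
  - RIP interfaces and the local interface must exist"""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

SUPPORTED_MASKS = ("255.0.0.0", "255.255.0.0", "255.255.255.0")
IFACE_RE = re.compile(r"^vlan(\d+)-(\d+)$")

# Constructed from Table 28 and the commands of the routing example.
EXAMPLE_PLAN = {
    "vlans": {"Sales": 4, "Production": 5, "Engineering": 11},
    "interfaces": {            # name: (ipaddress, netmask or None for default)
        "vlan4-0": ("149.35.67.11", "255.255.255.0"),
        "vlan5-0": ("149.35.68.24", "255.255.255.0"),
        "vlan11-0": ("149.35.69.23", "255.255.255.0"),
        "vlan11-1": ("149.35.70.45", "255.255.255.0"),
    },
    "static_routes": [("149.35.22.0", "255.255.255.0", "149.35.70.26")],
    "default_route": "149.35.68.12",
    "rip": ["vlan5-0", "vlan11-1"],
    "local": "vlan4-0",
}


def default_mask(ipaddress: str) -> str:
    """Classful mask applied by ADD IP INTERFACE when netmask is omitted."""
    first = int(ipaddress.split(".")[0])
    if first < 128:
        return "255.0.0.0"        # class A
    if first < 192:
        return "255.255.0.0"      # class B
    return "255.255.255.0"        # class C


def build_interfaces(plan: dict, errors: list) -> dict:
    """Parse the interface definitions, appending problems to errors."""
    vids = set(plan["vlans"].values())
    interfaces = {}
    for name, (ip, mask) in plan["interfaces"].items():
        m = IFACE_RE.match(name.lower())
        if not m:
            errors.append(f"{name}: name must be vlan<vid>-<n>")
            continue
        vid, num = int(m.group(1)), int(m.group(2))
        if vid not in vids:
            errors.append(f"{name}: VLAN {vid} does not exist")
        if not 0 <= num <= 15:
            errors.append(f"{name}: interface number must be 0 to 15")
        mask = mask or default_mask(ip)
        if mask not in SUPPORTED_MASKS:
            errors.append(f"{name}: unsupported mask {mask}")
            continue
        iface = IPv4Interface(f"{ip}/{mask}")
        for other, o in interfaces.items():
            if o.network == iface.network:
                errors.append(f"{name}: same subnet as {other}")
        interfaces[name] = iface
    return interfaces


def resolve_interface(interfaces: dict, next_hop: str):
    """Name of the interface whose subnet contains next_hop, else None."""
    hop = IPv4Address(next_hop)
    return next((n for n, i in interfaces.items() if hop in i.network), None)


def validate(plan: dict) -> list:
    """Return the list of problems; an empty list means the plan is consistent."""
    errors = []
    interfaces = build_interfaces(plan, errors)
    hops = [hop for _, _, hop in plan["static_routes"]]
    for dst, mask, _ in plan["static_routes"]:
        try:
            IPv4Network(f"{dst}/{mask}")        # strict: host bits must be zero
        except ValueError as exc:
            errors.append(f"route {dst}/{mask}: {exc}")
    if plan.get("default_route"):
        hops.append(plan["default_route"])
    for hop in hops:
        if resolve_interface(interfaces, hop) is None:
            errors.append(f"next hop {hop}: not in the subnet of any interface")
    for name in plan.get("rip", []):
        if name not in interfaces:
            errors.append(f"RIP: interface {name} does not exist")
    if plan.get("local") and plan["local"] not in interfaces:
        errors.append(f"local interface {plan['local']} does not exist")
    return errors
```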
Non-routing Command Example
This example illustrates how to assign an IP address to a switch by
creating just one interface. This example is appropriate in cases where
you want to implement the management functions described in “Routing
Interfaces and Management Features” on page 557 but without IPv4
packet routing. This section is also appropriate for those AT-9400 Series
switches that do not support packet routing.
The first step is to select the VLAN and subnet on the switch for the
interface. The appropriate VLAN for the master switch of an enhanced
stack is the common VLAN of the switches in the stack. The appropriate
VLAN for remote management or for remote access to a network server is
the VLAN where the remote device is located.
Let’s assume for the purposes of this example that the switch will be
remotely managed from a Telnet, SSH, or web browser management
workstation on the network. Consequently, the appropriate VLAN would
be the VLAN on the switch where the remote management workstation is
located. Assume that the VID of the VLAN is 12 and that the IP address of
the subnet of the VLAN is 149.44.55.0 with a subnet mask of
255.255.255.0.
The following command assigns an interface to the VLAN. It identifies the
VLAN by its VID of 12 and assigns it the interface number 0. The interface
is given the IP address 149.44.55.22 to make it a member of the subnet:
add ip interface=vlan12-0 ipaddress=149.44.55.22 netmask=255.255.255.0
In order to manage the switch remotely, the interface must be designated
as the local interface so that the management software monitors the
subnet for management packets. Here is the command for designating the
interface as the local interface:
set ip local interface=vlan12-0
As the final part of the example, assume that the management software on
the switch must communicate with a network device, such as a
management workstation, syslog server, or RADIUS server, that is not a
member of the same subnet as the interface. For this, you need to define a
default route. The route will specify the next hop for reaching the remote
subnet. The switch will use the default route whenever it needs to send a
management packet to a remote network device that resides on a different
subnet than its local interface.
The next hop in the route must specify the IP address of a routing interface
on a router in the network. Furthermore, the IP address of the routing
interface must be a member of the same subnet as the interface on the
switch.
The following command creates a default route for the example and
specifies the next hop as 149.44.55.6:
add ip route=0.0.0.0 nexthop=149.44.55.6
Upgrading from AT-S63 Version 1.3.0 or Earlier
When an AT-9400 Series switch running AT-S63 version 1.3.0 or earlier is
upgraded to the latest version of the management software, the unit
retains its previous IP configuration by automatically creating a routing
interface that replicates the configuration. If the switch had a static
address, the interface is assigned the same address. If the unit obtained
its IP configuration from a DHCP or BOOTP server, the interface is
created with its DHCP or BOOTP client activated. The interface is given
the interface number 0 and assigned to the preexisting management
VLAN. Furthermore, the interface is designated as the local interface of
the switch.
For example, a switch with the static IP address 149.55.55.55, subnet
mask 255.255.255.0, and a management VLAN with a VID of 12 will
have, after the upgrade, a routing interface with the name VLAN12-0 and
the same static IP address and subnet mask.
The purpose of retaining the IP configuration is to ensure that those
management functions (e.g., remote Telnet management, syslog client,
and RADIUS client) that were operating before the upgrade will continue to
operate after the unit is upgraded to the newest version of the
management software. Without this feature, you would have to restore the
switch’s IP configuration by manually creating a routing interface.
If the switch does not have an IP address and the DHCP and BOOTP
clients are not activated, the upgrade process does not create a routing
interface.
ADD IP ARP
Syntax
add ip arp=ipaddress interface=interface port=port ethernet=macaddress
Parameters
arp
Specifies the IP address of the host. The IP address
must be a member of a local subnet or network that
has a routing interface on the switch.
interface
Specifies the name of the interface from where the
host is reached. An interface name consists of
“VLAN” followed by a VID and an interface number,
separated by a dash (e.g., vlan4-0). For background
information, refer to “Interface Names” on page 550.
port
Specifies the physical port on the switch where the
host is reached.
ethernet
Specifies the MAC address of the host. The MAC
address can be entered in either of the following
formats:
xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx
Description
This command adds a static ARP entry to the ARP cache. This is typically
used to add entries for local hosts that do not support ARP or to speed up
the address resolution function for a host. The ARP entry must not already
exist in the cache. The switch can support up to 1024 static ARP entries.
For background information, refer to “Address Resolution Protocol (ARP)
Table” on page 555.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command adds a static ARP entry for a host with an IP address of
149.42.67.8 and a MAC address of 00:06:5B:BB:72:88. The host is a
member of the subnet of the VLAN8-0 interface and is located on port 15:
add ip arp=149.42.67.8 interface=vlan8-0 port=15 ethernet=00:06:5b:bb:72:88
This command adds a static ARP entry for a host with an IP address of
149.124.85.14 and a MAC address of 00:06:7A:22:11:A4. The host is
located on port 6 in the VLAN14-1 interface:
add ip arp=149.124.85.14 interface=vlan14-1 port=6 ethernet=00:06:7a:22:11:a4
ADD IP INTERFACE
Syntax
add ip interface=interface ipaddress=ipaddress|dhcp|bootp [mask|netmask=subnetmask] [ripmetric=value]
Parameters
interface
Specifies a name for the new routing interface. A
name consists of “VLAN” followed by the ID (VID) of
the VLAN where the interface is to be assigned and
an interface number, separated by a dash (e.g.,
vlan4-0). The range of the interface number is 0 to 15.
For background information, refer to “Interface
Names” on page 550.
ipaddress
Specifies an IP address for the interface. The
address must be a unique member of the subnet or
network where the interface is to be assigned.
You can assign an address manually or activate the
DHCP or BOOTP client and have a DHCP or BOOTP
server on the network assign the address
automatically. When there is more than one interface
in a VLAN, only one of the interfaces can obtain its IP
address from a DHCP or BOOTP server. The IP
addresses of the other interfaces in the same VLAN
must be assigned manually.
mask or netmask
Specifies the subnet mask of the IP address of the
routing interface. Do not specify a mask if the IP
address will be assigned by a DHCP or BOOTP
server. The default value is based on the address’
network type. The default values are:
Class A address - 255.0.0.0
Class B address - 255.255.0.0
Class C address - 255.255.255.0
Note
These three values are the only supported subnet masks for a
routing interface. However, the masks can be assigned to any
address class. For example, the mask 255.0.0.0 can be assigned to
a Class B address.
ripmetric
Specifies the cost of crossing the interface for RIP.
The range is 1 to 16. The default is 1.
Description
This command creates a new interface for routing IPv4 packets to a local
network or subnet. For background information, refer to “Routing
Interfaces” on page 547. Note the following before using this command:
- The VLAN must already exist on the switch.
- You cannot assign more than one interface to the same local network or subnet on a switch.
- When there are multiple interfaces within a VLAN, each must be assigned a unique interface number. For background information, refer to “Interface Numbers” on page 549.
- Only one interface in a VLAN can obtain its IP configuration from a DHCP or BOOTP server.
- If an interface is configured to use the DHCP or BOOTP client to obtain its IP address and subnet mask, it does not participate in IP routing until its IP address and subnet mask have been obtained from the DHCP or BOOTP server.
- The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches support only one routing interface.
Examples
This command creates an interface with an IP address of 149.123.44.56 and
a mask of 255.255.255.0. The interface is assigned to the VLAN with the
VID of 6 and given the interface number 0. Since no RIP metric is
specified, the default value of 1 is applied to the interface:
add ip interface=vlan6-0 ipaddress=149.123.44.56
netmask=255.255.255.0
This command creates an interface with an IP address of 149.211.126.14
and a mask of 255.255.255.0. The interface is assigned to the VLAN with
the VID of 24 and given the interface number 2. The RIP hop count for the
interface is set to 2:
add ip interface=vlan24-2 ipaddress=149.211.126.14
netmask=255.255.255.0 ripmetric=2
This command creates an interface with an IP address and subnet mask
set by a DHCP server. The interface is assigned to the VLAN with the VID
of 18 and given the interface number 1. The hop count for RIP is increased
to 4:
add ip interface=vlan18-1 ipaddress=dhcp ripmetric=4
ADD IP RIP
Syntax
add ip rip interface=interface [send=rip1|rip2]
[receive=rip1|rip2|both] [authentication=pass|none]
[password=password]
Parameters
interface
Specifies the name of the routing interface where RIP
is to be added. The name consists of “VLAN” followed
by a VID and an interface number, separated by a
dash (e.g., vlan4-0). For background information,
refer to “Interface Names” on page 550.
send
Specifies the version of RIP packets to be sent by the
routing protocol. Options are:
rip1 - Sends RIP version 1 packets. This is the default value.
rip2 - Sends RIP version 2 packets.
receive
Specifies the version of RIP packets to be accepted
by the routing protocol. Options are:
rip1 - Accepts RIP version 1 packets.
rip2 - Accepts RIP version 2 packets.
both - Accepts RIP version 1 and 2 packets. This is the default value.
authentication
Specifies whether there is password protection. This
option only applies to RIP version 2. Options are:
pass - Specifies password protection. The password is assigned with the PASSWORD parameter.
none - Specifies no password protection. This is the default setting.
password
Specifies the password used to authenticate RIP
version 2 packets. The password can be up to sixteen
alphanumeric characters. The password is case
sensitive and can include the hyphen and
underscore.
Passwords are sent in plaintext (RIP version 2 simple
password authentication). The AT-S63 management
software does not support encrypted passwords.
Because the password travels in the clear in every
RIP packet, anyone who can capture traffic on the
segment can read it. It guards against accidental
peering with a misconfigured router, not against a
deliberate attacker on the same network.
Passwords are not supported in RIP version 1.
Description
This command adds RIP to an interface. It also controls the type of RIP
packets sent to and accepted by the interface. For background
information, refer to “Routing Information Protocol (RIP)” on page 552.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command adds RIP to the VLAN5-0 interface and configures the
routing protocol to send and accept only version 1 packets. No password
is specified since RIP version 1 does not support passwords.
add ip rip interface=vlan5-0 send=rip1 receive=rip1
This command adds RIP to the VLAN10-0 interface and configures the
routing protocol to send version 2 packets and accept packets of either
version. Password protection is not used:
add ip rip interface=vlan10-0 send=rip2 receive=both
authentication=none
This command adds RIP to the VLAN12-2 interface. It configures the
protocol to send version 2 packets and accept packets of either version.
The password “net25aqy” is used for authentication:
add ip rip interface=vlan12-2 send=rip2 receive=both
authentication=pass password=net25aqy
ADD IP ROUTE
Syntax
add ip route=ipaddress [interface=interface]
nexthop=ipaddress [mask=subnetmask] [metric=value]
Parameters
route
Specifies the IP address of the destination network,
subnet, or node. The IP address for a default route is
0.0.0.0.
interface
Specifies the name of the routing interface where the
static route is to be added. The name consists of
“VLAN” followed by a VID and an interface number,
separated by a dash (e.g., vlan4-0). To view the
interfaces on the switch, refer to “SHOW IP
INTERFACE” on page 594. For background
information, refer to “Interface Names” on page 550.
This parameter is optional. The switch automatically
determines the appropriate interface by adding a
route to the interface whose IP address is a member
of the same subnet as the next hop. (An error
message is displayed if you try to add a route to an
interface whose IP address is a member of a different
subnet than the next hop in the route.)
nexthop
Specifies the IP address of the next hop for the route.
The next hop’s IP address must be a member of a
local subnet on the switch and the subnet must have
an interface.
mask
Specifies the subnet mask of the destination IP
address of the static route. The default value is based
on the address’ network type. The default values are:
Class A address - 255.0.0.0
Class B address - 255.255.0.0
Class C address - 255.255.255.0
Do not include a mask for the default route.
Note
The only supported subnet masks for a static route are these three
values and 255.255.255.255. However, the masks can be assigned
to any address class. For example, the mask 255.0.0.0 can be
assigned to a Class B address.
metric
Specifies the cost of crossing the route. The range is
1 to 16. The default is 1.
Description
For AT-9400 Series switches that support IPv4 packet routing, this
command creates a new static route or a default route. For background
information, refer to “Static Routes” on page 550.
The only route that you can define on an AT-9400 Series switch that does
not support IPv4 packet routing is a default route. The default route
specifies the switch’s default gateway. You cannot create any static
routes. The management software uses the default route to communicate
with other network devices, such as syslog and RADIUS servers, on a
remote subnet when performing a management function. For further
information, refer to “Default Gateway” on page 561.
Examples
This command adds a static route to a remote subnet with the IP address
149.124.55.0 and a mask of 255.255.255.0. The IP address of the next
hop is 149.111.12.4. Specifying an interface is unnecessary since the
management software automatically adds the route to whichever interface
is a member of the same subnet as the next hop:
add ip route=149.124.55.0 nexthop=149.111.12.4
mask=255.255.255.0
This command adds a static route to a remote subnet with the IP address
162.14.120.0 and the mask 255.255.255.0. The IP address of the next hop
is 162.76.44.12. The metric for the route is set to 5:
add ip route=162.14.120.0 nexthop=162.76.44.12
mask=255.255.255.0 metric=5
This command adds a default route. The IP address of the next hop is
172.211.16.12. No mask is specified for a default route. Specifying an
interface is unnecessary since the switch automatically adds the route to
the interface on the same subnet as the next hop:
add ip route=0.0.0.0 nexthop=172.211.16.12
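The rules stated for ADD IP INTERFACE and ADD IP ROUTE (only the classful masks on an interface, plus the host mask for a route; no mask with DHCP, BOOTP or the default route; interface numbers 0 to 15; one interface per local subnet; one DHCP or BOOTP client per VLAN; a next hop that lies on a local subnet, which also selects the interface) are easy to violate when a switch build is scripted. The following Python check is an added example written for this guide; it is not part of the AT-S63 software and produces no switch commands. The SWITCH table, the function names and the returned tuples are this example's own assumptions; on a real unit the interface list would be taken from SHOW IP INTERFACE. It also exposes a pitfall that the examples above avoid by always giving a mask: a 149.x.x.x destination with MASK omitted gets the Class B default 255.255.0.0, not 255.255.255.0.

```python
import ipaddress
import re

# Added example, not AT-S63 code: a pre-flight check for the argument rules
# this page documents for ADD IP INTERFACE and ADD IP ROUTE. The switch
# state below is constructed; on a real unit it would come from
# SHOW IP INTERFACE.

# Routing interfaces accept only the three classful masks; static routes
# additionally accept the host mask.
INTERFACE_MASKS = {"255.0.0.0", "255.255.0.0", "255.255.255.0"}
ROUTE_MASKS = INTERFACE_MASKS | {"255.255.255.255"}
IFNAME_RE = re.compile(r"^vlan(\d+)-(\d+)$", re.IGNORECASE)


def default_mask(addr):
    """Classful mask applied when MASK is omitted (Class A/B/C rule)."""
    first = int(str(addr).split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def _routable(interfaces):
    """Yield (name, network) for interfaces with a usable address.
    A DHCP/BOOTP interface that has no lease yet does not route."""
    for name, addr, mask in interfaces:
        if addr in ("dhcp", "bootp") or mask is None:
            continue
        yield name, ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_interface(name, addr, mask=None, ripmetric=1, existing=()):
    """Validate ADD IP INTERFACE arguments; return the normalised
    (name, address, mask) tuple or raise ValueError."""
    m = IFNAME_RE.match(name)
    if not m:
        raise ValueError(f"{name}: name must be VLAN<vid>-<number>")
    vid, number = int(m.group(1)), int(m.group(2))
    if not 0 <= number <= 15:
        raise ValueError(f"{name}: interface number must be 0 to 15")
    if not 1 <= ripmetric <= 16:
        raise ValueError(f"{name}: ripmetric must be 1 to 16")
    name = name.lower()
    if any(e[0].lower() == name for e in existing):
        raise ValueError(f"{name}: interface already exists")
    if addr in ("dhcp", "bootp"):
        if mask is not None:
            raise ValueError(f"{name}: do not give a mask with {addr}")
        # only one interface per VLAN may be a DHCP/BOOTP client
        for e_name, e_addr, _ in existing:
            if e_name.lower().startswith(f"vlan{vid}-") and e_addr in ("dhcp", "bootp"):
                raise ValueError(f"{name}: {e_name} already uses {e_addr} in VLAN {vid}")
        return (name, addr, None)
    ip = ipaddress.ip_address(addr)  # rejects malformed input
    mask = mask or default_mask(ip)
    if mask not in INTERFACE_MASKS:
        raise ValueError(f"{name}: mask {mask} is not supported on a routing interface")
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    # one interface per local subnet on the switch
    for e_name, e_net in _routable(existing):
        if net.overlaps(e_net):
            raise ValueError(f"{name}: subnet {net} is already served by {e_name}")
    return (name, str(ip), mask)


def check_route(route, nexthop, mask=None, metric=1, interfaces=()):
    """Validate ADD IP ROUTE arguments and pick the interface the switch
    would choose: the one whose subnet contains the next hop.
    Returns (destination, mask, nexthop, interface, metric)."""
    if not 1 <= metric <= 16:
        raise ValueError("metric must be 1 to 16")
    dest = ipaddress.ip_address(route)
    nh = ipaddress.ip_address(nexthop)
    if dest == ipaddress.ip_address("0.0.0.0"):
        if mask is not None:
            raise ValueError("do not give a mask for the default route")
        dest_net = ipaddress.ip_network("0.0.0.0/0")
    else:
        mask = mask or default_mask(dest)
        if mask not in ROUTE_MASKS:
            raise ValueError(f"mask {mask} is not supported for a static route")
        dest_net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    for name, net in _routable(interfaces):
        if nh in net:
            return (str(dest_net.network_address), str(dest_net.netmask), str(nh), name, metric)
    raise ValueError(f"next hop {nh} is not on any local routing interface")


def run(check, *args):
    """Return the check's result, or 'rejected: ...' instead of raising."""
    try:
        return check(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed switch state: one static interface and one DHCP client.
SWITCH = [
    ("vlan6-0", "149.123.44.56", "255.255.255.0"),
    ("vlan18-1", "dhcp", None),
]

if __name__ == "__main__":
    print(run(check_interface, "vlan24-2", "149.211.126.14", "255.255.255.0", 2, SWITCH))
    print(run(check_interface, "vlan6-1", "149.123.44.57", None, 1, SWITCH))
    print(run(check_route, "149.124.55.0", "149.123.44.1", None, 1, SWITCH))  # Class B default mask
    print(run(check_route, "0.0.0.0", "172.211.16.12", None, 1, SWITCH))  # next hop not local
```

The third call is the one to notice: with no MASK the route to 149.124.55.0 is accepted but installed as 149.124.0.0 with 255.255.0.0, which is why every static route example on this page spells the mask out.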
DELETE IP ARP
Syntax
delete ip arp=ipaddress
Parameters
arp
Specifies the IP address of the host to be deleted
from the ARP cache.
Description
This command deletes static ARP entries from the ARP cache. This
command can delete only one ARP entry at a time. To view the entries in
the cache, refer to “SHOW IP ARP” on page 590.
You cannot use this command to delete dynamic entries from the table.
Dynamic entries are removed according to the ARP timeout value.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Example
This command deletes the static ARP entry for a host with the IP address
149.42.67.8:
delete ip arp=149.42.67.8
DELETE IP INTERFACE
Syntax
delete ip interface=interface
Parameters
interface
Specifies the name of the interface to be deleted from
the switch. The name consists of “VLAN” followed by
a VID and an interface number, separated by a dash
(e.g., vlan4-0). For background information, refer to
“Interface Names” on page 550.
Description
This command deletes an interface from the switch. You can only delete
one interface at a time. To display the names of the existing interfaces,
refer to “SHOW IP INTERFACE” on page 594. For background
information, refer to “Routing Interfaces” on page 547.
Note the following before performing this command:
- All IPv4 packet routing to the local network or subnet of a deleted interface ceases.
- All routes manually added to the interface are deleted from the route table.
- Deleting an interface through which the AT-S63 management software on the switch reaches a network management device (e.g., a RADIUS or syslog server) causes the switch to stop performing that management function. For background information, refer to “Routing Interfaces and Management Features” on page 557.
- Deleting the local interface on a master switch disables the device’s ability to function as the master switch of the stack.
- Deleting the local interface of a switch during a remote Telnet or SSH management session immediately ends the session if you accessed the switch directly (i.e., not through enhanced stacking). To continue managing the switch, you must start a local management session using the Terminal Port on the unit. For background information, refer to “Local Interface” on page 559.
Example
This command deletes the VLAN6-2 interface from the switch:
delete ip interface=vlan6-2
DELETE IP RIP
Syntax
delete ip rip interface=interface
Parameters
interface
Specifies the name of the interface where RIP is to be
removed. The name consists of “VLAN” followed by a
VID and an interface number, separated by a dash
(e.g., vlan4-0). For background information, refer to
“Interface Names” on page 550.
Description
This command removes RIP from an interface. This stops the interface
from routing packets with RIP. However, an interface, even without RIP,
continues to route packets to other interfaces on the same switch. It also
routes packets to remote networks and subnets using the static routes.
To view the names of the interfaces using RIP, refer to “SHOW IP RIP
COUNTER” on page 596.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command removes RIP from the VLAN8-0 interface:
delete ip rip interface=vlan8-0
DELETE IP ROUTE
Syntax
delete ip route=ipaddress [interface=interface]
[nexthop=ipaddress] mask=subnetmask
Parameters
route
Specifies the destination IP address of the static route
to be deleted. The IP address for the default route is
0.0.0.0.
interface
Specifies the name of the interface where the static
route is assigned. The name consists of “VLAN”
followed by a VID and an interface number, separated
by a dash (e.g., vlan4-0). This parameter is optional.
nexthop
Specifies the IP address of the next hop of the route.
This parameter is optional.
mask
Specifies the subnet mask for the destination IP
address. The mask for the default route is
255.255.255.255.
Description
This command deletes a static route or the default route from the routing
table. The only required parameters are the IP address of the remote
destination and the subnet mask. To delete the default route, the IP
address is 0.0.0.0 and the mask is 255.255.255.255. For background
information, refer to “Static Routes” on page 550.
To display the existing routes, refer to “SHOW IP ROUTE” on page 600.
You cannot delete a dynamic route.
Examples
This command deletes a static route to the remote subnet 149.124.55.0
with the subnet mask 255.255.255.0:
delete ip route=149.124.55.0 mask=255.255.255.0
This command deletes the default route:
delete ip route=0.0.0.0 mask=255.255.255.255
PURGE IP
Syntax
purge ip
Parameters
None.
Description
This command deletes all routing interfaces on the switch. Note the
following before performing this command:
- All IPv4 packet routing on the switch ceases. The device, however, continues to switch packets among the ports within the VLANs (but not across the VLAN boundaries) using Layer 2.
- All static routes are deleted from the route table.
- The AT-S63 management software stops performing those management functions that require access to a network management device (e.g., a RADIUS server). For background information, refer to “Routing Interfaces and Management Features” on page 557.
- Deleting all interfaces deletes the local interface. This prohibits you from remotely managing the device with a Telnet or SSH client, or with a web browser. For background information, refer to “Local Interface” on page 559.
- Deleting all interfaces during a remote Telnet or SSH management session immediately ends your session. To continue managing the switch, you must start a local management session using the Terminal Port on the unit.
- Deleting all interfaces on the master switch of an enhanced stack disables the device’s ability to function as the master switch of the stack.
Example
This command deletes all routing interfaces on the switch:
purge ip
SET IP ARP
Syntax
set ip arp=ipaddress [interface=interface] [port=port]
[ethernet=macaddress]
Parameters
arp
Specifies the IP address of the static ARP entry to be
modified.
interface
Specifies a new interface where the host is located.
An interface name consists of “VLAN” followed by a
VID and an interface number, separated by a dash
(e.g., vlan4-0). The interface must already exist on the
switch. For background information, refer to “Interface
Names” on page 550.
port
Specifies a new physical port on the switch where the
host is located.
ethernet
Specifies a new MAC address of the host. The MAC
address can be entered in either of the following
formats:
xxxxxxxxxxxx or xx:xx:xx:xx:xx:xx
Description
This command modifies an existing static ARP entry in the ARP cache.
You can change all of the settings of an entry, except the IP address. To
change the IP address, you must delete the entry and add it again. To
view the ARP entries, refer to “SHOW IP ARP” on page 590.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command modifies the port number for the static ARP entry with the
IP address 149.42.67.8:
set ip arp=149.42.67.8 port=24
This command changes the MAC address for the static ARP entry with the
IP address 149.124.85.14:
set ip arp=149.124.85.14 ethernet=00:06:7a:22:11:24
SET IP ARP TIMEOUT
Syntax
set ip arp timeout=integer
Parameter
timeout
Specifies the ARP cache timeout value. The range is 1 to
260000 seconds. The default setting is 150 seconds.
Description
This command sets the ARP cache timeout value. The timer prevents the
ARP table from becoming full with inactive entries. An entry that is not
used for the length of the timeout period is designated as inactive and is
deleted from the table.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Example
The following command sets the timer to 600 seconds:
set ip arp timeout=600
SET IP INTERFACE
Syntax
set ip interface=interface|eth0
[ipaddress=ipaddress|dhcp|bootp] [mask|netmask=subnetmask]
[ripmetric=value]
Parameters
interface
Specifies the name of the routing interface to be
modified. The name consists of “VLAN” followed by a
VID and an interface number, separated by a dash
(e.g., vlan4-0). The “eth0” value can be used in place
of the interface name to specify the local interface.
For background information, refer to “Interface
Names” on page 550.
ipaddress
Specifies a new IP address for the interface.
mask or
netmask
Specifies a new subnet mask for the interface. Do
not specify a mask if the IP address is assigned by a
DHCP or BOOTP server. To change the subnet
mask, you must also include the IP address of the
interface. The default value is based on the address’
network type. The default values are:
Class A address - 255.0.0.0
Class B address - 255.255.0.0
Class C address - 255.255.255.0
Note
These three values are the only supported subnet masks for a
routing interface. However, the masks can be assigned to any
address class. For example, the mask 255.0.0.0 can be assigned to
a Class B address.
ripmetric
Specifies the new cost of crossing the interface for
RIP. The range is 1 to 16. The default is 1.
Description
This command modifies the IP address, subnet mask and RIP metric
attribute of an existing routing interface. To initially create an interface,
refer to “ADD IP INTERFACE” on page 570. To view the interfaces, refer
to “SHOW IP INTERFACE” on page 594.
Note the following before performing this procedure:
- Modifying the IP address of a routing interface deletes all static routes assigned to the interface.
- Modifying the IP address of a routing interface that has RIP removes the routing protocol from the interface and deletes all RIP routes learned on the interface from the routing table.
- You cannot change the name of a routing interface. You must delete the interface and recreate it to change its VID or interface number.
- You can specify the local interface in two ways: by its interface name (for example, VLAN5-1) or with the “eth0” value. The “0” in “eth0” is not a VID, as in an interface name; the value simply signifies the local interface. To designate the local interface of a switch, refer to “SET IP LOCAL INTERFACE” on page 585.
Examples
This command changes the IP address of the VLAN7-0 interface to
149.188.27.55 and the subnet mask to 255.255.255.0:
set ip interface=vlan7-0 ipaddress=149.188.27.55
mask=255.255.255.0
This command activates the DHCP client on the VLAN28-5 interface so
that it obtains its IP address and subnet mask from a DHCP server:
set ip interface=vlan28-5 ipaddress=dhcp
This command changes the RIP metric for the VLAN12-0 interface to 2:
set ip interface=vlan12-0 ripmetric=2
This command changes the IP address and subnet mask of the local
interface to 149.24.222.6 and 255.255.255.0, respectively. The example
uses “eth0” rather than the interface name to designate the local interface:
set ip interface=eth0 ipaddress=149.24.222.6
mask=255.255.255.0
SET IP LOCAL INTERFACE
Syntax
set ip local interface=interface|none
Parameters
interface
Specifies the name of the interface to act as the local
interface. The name consists of “VLAN” followed by a
VID and an interface number, separated by a dash
(e.g., vlan4-0). For background information, refer to
“Interface Names” on page 550.
Use the NONE option to remove the currently
assigned local interface without assigning a new one.
The default is no local interface.
Description
This command specifies the local interface of the switch. The selected
interface must already exist on the switch. The local interface is used for
enhanced stacking and for remote management of the unit with a Telnet or
SSH client, or a web browser. A switch can have only one local interface at
a time. For background information, refer to “Local Interface” on page 559.
To view the interfaces on the switch, refer to “SHOW IP INTERFACE” on
page 594.
Examples
This command specifies the VLAN6-0 interface as the local interface on
the switch:
set ip local interface=vlan6-0
This command removes the currently assigned local interface without
assigning a new one:
set ip local interface=none
SET IP RIP
Syntax
set ip rip interface=interface [send=rip1|rip2]
[receive=rip1|rip2|both] [authentication=pass|none]
[password=password]
Parameters
interface
Specifies the name of an interface whose RIP
settings are to be modified. The name consists of
“VLAN” followed by a VID and an interface number,
separated by a dash (e.g., vlan4-0). For background
information, refer to “Interface Names” on page 550.
send
Specifies the version of the RIP packets to be sent by
the interface. Options are:
rip1 - Sends RIP version 1 packets. This is the default value.
rip2 - Sends RIP version 2 packets.
receive
Specifies the version of the RIP packets to be
accepted by the interface. Options are:
rip1 - Accepts RIP version 1 packets.
rip2 - Accepts RIP version 2 packets.
both - Accepts RIP version 1 and 2 packets. This is the default value.
authentication
Specifies whether there is password protection. This
option only applies to RIP version 2. Options are:
pass - Specifies password protection. The password is specified with the PASSWORD parameter.
none - Specifies no password protection. This is the default setting.
password
Specifies the password used to authenticate RIP
version 2 packets. The password can be up to sixteen
alphanumeric characters. The password is case
sensitive and can include the hyphen and
underscore.
The interface must be configured for RIP version 2 in
order for you to specify a password. Passwords are
not supported in RIP version 1.
Passwords are sent in plaintext. The AT-S63
management software does not support encrypted
passwords.
Description
This command modifies the RIP settings of an interface. To initially add
RIP to an interface, refer to “ADD IP RIP” on page 572. To view the
interfaces on the switch, refer to “SHOW IP INTERFACE” on page 594.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command changes RIP on the VLAN4-3 interface to send version 2
packets, accept either version 1 or 2, and use the password “wa24pt” for
authentication:
set ip rip interface=vlan4-3 send=rip2 receive=both
authentication=pass password=wa24pt
This command changes RIP on the VLAN11-0 interface to accept both
RIP version 1 and version 2 packets:
set ip rip interface=vlan11-0 receive=both
This command changes RIP on the VLAN22-1 interface to send and
receive RIP version 1 packets. Since version 1 does not support password
authentication, the command disables it:
set ip rip interface=vlan22-1 send=rip1 receive=rip1
authentication=none
Note
Password authentication must be disabled to change an interface
from RIP version 2 to version 1.
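Both ADD IP RIP and SET IP RIP state that the password is sent in plaintext. The following Python code is an added example, not AT-S63 code or output captured from a switch: it builds a RIP version 2 Response carrying a simple password authentication entry in the RFC 2453 wire format, parses it as a receiver would, and shows the two practical consequences of that design: the password can be read straight out of the bytes, and a captured update can be altered (here, a route's metric set to 16, which RIP treats as unreachable) and still passes the password check, because there is no integrity protection. The neighbour, the accept_update model and the function names are assumptions made for the example; the password is the one used in the ADD IP RIP example, and the 16-byte field is where the PASSWORD parameter's sixteen-character limit comes from.

```python
import ipaddress
import struct

# Added example, not AT-S63 code: a RIP version 2 update with simple password
# authentication (RFC 2453) built and parsed offline, to show what
# "passwords are sent in plaintext" means on the wire.

RIP_RESPONSE = 2
RIP_V2 = 2
AF_INET = 2
AF_AUTH = 0xFFFF      # address family value that marks an authentication entry
AUTH_SIMPLE = 2       # authentication type: simple (cleartext) password
ENTRY_LEN = 20


def build_rip2_response(password, routes):
    """Build a RIPv2 Response: 4-byte header, an optional authentication
    entry (which must be first), then 20-byte route entries.
    routes: list of (destination, mask, nexthop, metric)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    if password is not None:
        pw = password.encode("ascii")
        if len(pw) > 16:   # the field is 16 bytes, hence the 16-character limit
            raise ValueError("simple password is at most 16 bytes")
        pkt += struct.pack("!HH16s", AF_AUTH, AUTH_SIMPLE, pw.ljust(16, b"\0"))
    for dest, mask, nexthop, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0,
                           ipaddress.ip_address(dest).packed,
                           ipaddress.ip_address(mask).packed,
                           ipaddress.ip_address(nexthop).packed, metric)
    return pkt


def parse_rip2_response(pkt):
    """Return (password or None, [(dest, mask, nexthop, metric), ...])."""
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    if command != RIP_RESPONSE or version != RIP_V2:
        raise ValueError("not a RIPv2 Response")
    body = pkt[4:]
    if not body or len(body) % ENTRY_LEN:
        raise ValueError("malformed entry list")
    password, routes = None, []
    for off in range(0, len(body), ENTRY_LEN):
        entry = body[off:off + ENTRY_LEN]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AF_AUTH:
            if off != 0 or tag != AUTH_SIMPLE:
                raise ValueError("unsupported or misplaced authentication entry")
            # the password is simply the next 16 bytes, readable by any sniffer
            password = entry[4:].rstrip(b"\0").decode("ascii")
            continue
        dest, mask, nexthop, metric = struct.unpack("!4s4s4sI", entry[4:])
        routes.append((str(ipaddress.ip_address(dest)),
                       str(ipaddress.ip_address(mask)),
                       str(ipaddress.ip_address(nexthop)), metric))
    return password, routes


def accept_update(pkt, configured_password):
    """Model of the receiver's check (assumed for this example): routes are
    installed only if the packet carries the configured password; None
    means authentication is not configured."""
    password, routes = parse_rip2_response(pkt)
    if password != configured_password:
        return None
    return routes


def sniff_password(pkt):
    """What an attacker on the segment needs: nothing but the bytes."""
    return parse_rip2_response(pkt)[0]


def poison_route(pkt, index, metric):
    """Rewrite the metric of route entry `index` in a captured packet.
    Simple password authentication has no integrity check, so the
    modified packet still carries a valid password."""
    off = 4 + (ENTRY_LEN if pkt[4:6] == b"\xff\xff" else 0) + index * ENTRY_LEN + 16
    return pkt[:off] + struct.pack("!I", metric) + pkt[off + 4:]


# Constructed update from a neighbour, using the page's example password.
UPDATE = build_rip2_response("net25aqy", [("149.124.55.0", "255.255.255.0", "0.0.0.0", 1)])

if __name__ == "__main__":
    print("password on the wire:", sniff_password(UPDATE))
    print("accepted:", accept_update(UPDATE, "net25aqy"))
    poisoned = poison_route(UPDATE, 0, 16)     # 16 = unreachable in RIP
    print("poisoned update still accepted:", accept_update(poisoned, "net25aqy"))
```

The password check only keeps out a router that does not know the password; it does nothing against someone who has read it from one packet or who replays and edits a captured update.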
SET IP ROUTE
Syntax
set ip route=ipaddress [interface=interface]
nexthop=ipaddress mask=subnetmask [metric=value]
Parameters
route
Specifies the IP address of the remote destination of
the static route to be modified. The IP address of the
default route is 0.0.0.0.
You cannot change the destination IP address of a
static route. If the destination address changes, you
must delete the old route and enter a new route.
interface
Specifies the name of the interface where the next
hop is located. The name consists of “VLAN” followed
by a VID and an interface number, separated by a
dash (e.g., vlan4-0). To view the interfaces on the
switch, refer to “SHOW IP INTERFACE” on page 594.
For background information, refer to “Interface
Names” on page 550.
Allied Telesyn recommends omitting this optional
parameter. The appropriate interface for a static route
is determined automatically by the switch when it
examines the IP address of the next hop and adds
the route to the interface of the same subnet.
nexthop
Specifies the IP address of the next hop of the route.
You must specify the next hop even if you are not
changing it.
If the IP address of the next hop belongs to a different
subnet than the original IP address, the switch
automatically moves the route to the appropriate
interface.
mask
Specifies the subnet mask for the destination IP
address. The default value is based on the address’
network type. The default values are:
Class A address - 255.0.0.0
Class B address - 255.255.0.0
Class C address - 255.255.255.0
Do not include a mask when specifying a default
route.
Note
These three values and 255.255.255.255 are the only supported
subnet masks for a static route. However, the masks can be
assigned to any address class. For example, the mask 255.0.0.0
can be assigned to a Class B address.
metric
Specifies a new cost for crossing the route. The range
is 1 to 16. The default is 1.
Description
This command modifies the attributes of an existing static route or default
route. You can use the command to change the IP address of the next hop
or the subnet mask of the destination address. The command can also
change the metric cost of a route. This command cannot change the
destination address. Changing the destination address requires deleting
the static route and recreating it with the new address. For background
information, refer to “Static Routes” on page 550. To view the static routes,
refer to “SHOW IP ROUTE” on page 600.
Examples
This command changes the IP address of the next hop for the static route
to the remote subnet 149.124.55.0. The IP address of the next hop is
changed to 149.124.52.4:
set ip route=149.124.55.0 nexthop=149.124.52.4
mask=255.255.255.0
This command changes the metric value to 7 for the static route to the
remote subnet 172.55.156.0:
set ip route=172.55.156.0 nexthop=172.55.101.2
mask=255.255.255.0 metric=7
This command changes the IP address of the next hop to 149.211.16.12
for the default route:
set ip route=0.0.0.0 nexthop=149.211.16.12
SHOW IP ARP
Syntax
show ip arp
Parameters
None.
Description
This command displays the entries in the ARP cache. The ARP cache
contains mappings of IP addresses to physical addresses for hosts where
the switch has recently routed packets. For background information, refer
to “Address Resolution Protocol (ARP) Table” on page 555.
Figure 47 is an example of the information displayed by this command.
----------------------------------------------------------------
Interface   IP Address      MAC Address         Port   Type
----------------------------------------------------------------
vlan2-0     149.122.34.4    00:06:5B:B2:44:21   2      Dynamic
vlan2-0     149.122.34.12   00:A0:D2:18:EE:A1   3      Dynamic
vlan2-0     149.122.34.21   00:A0:C3:57:32:14   4      Dynamic
vlan8-1     149.122.35.1    00:A0:64:B1:76:A5   7      Dynamic
Figure 47. SHOW IP ARP Command
The columns in the display are:
- Interface - Interface from where the network device is accessed.
- IP Address - IP address of the node.
- MAC Address - MAC address of the node.
- Port - Port on the switch from where the node is accessed.
- Type - Type of entry. This is one of the following:
  - Static: Static entry added with “ADD IP ARP” on page 568.
  - Dynamic: Entry learned from ARP request/reply exchanges.
  - Invalid: Possible nonexistent entry.
  - Other: Entry automatically generated by the system.
To set the ARP timeout value, refer to “SET IP ARP TIMEOUT” on
page 582.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Example
This command displays the entries in the ARP cache:
show ip arp
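The cache listing is also where a host answering ARP for an address that is not its own shows up from the switch's point of view. The following Python code is an added example, not part of AT-S63: it parses the table format shown in Figure 47 and compares it with a baseline of hosts whose MAC address and port are known (for instance, the ones pinned with ADD IP ARP), flagging baseline mismatches, Invalid entries and one MAC address answering for several addresses on the same interface. The sample capture (the four rows of Figure 47 plus a constructed fifth row), the baseline and all function names are this example's own.

```python
import re
from collections import defaultdict

# Added example, not AT-S63 code: parse captured SHOW IP ARP output and
# flag mappings that do not look right. The sample output and the
# baseline are constructed for this example.

ARP_LINE = re.compile(
    r"^(?P<iface>vlan\d+-\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<port>\d+)\s+"
    r"(?P<type>Static|Dynamic|Invalid|Other)\s*$"
)


def parse_show_ip_arp(text):
    """Return one dict per table row; header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].upper()
            e["port"] = int(e["port"])
            entries.append(e)
    return entries


def audit_arp(entries, baseline):
    """Compare the cache with a baseline of known hosts.
    baseline: {ip: (mac, port)} for hosts whose location you know, e.g.
    the ones you pinned with ADD IP ARP. Returns a list of findings."""
    findings = []
    ips_by_mac = defaultdict(set)
    for e in entries:
        ips_by_mac[(e["iface"], e["mac"])].add(e["ip"])
        if e["type"] == "Invalid":
            findings.append(f"{e['ip']}: Invalid entry on {e['iface']}")
        known = baseline.get(e["ip"])
        if known:
            mac, port = known
            if mac.upper() != e["mac"] or port != e["port"]:
                findings.append(
                    f"{e['ip']}: expected {mac.upper()} on port {port}, "
                    f"cache has {e['mac']} on port {e['port']} ({e['type']})")
    # One MAC answering for several addresses on one interface is how a
    # spoofed gateway looks from the switch. It is also how a legitimate
    # router with several addresses looks, so treat it as a lead, not proof.
    for (iface, mac), ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} on {iface} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


# Constructed capture: the four rows of Figure 47 plus a fifth row in which
# the host on port 3 has also answered for the subnet's gateway address.
SAMPLE_ARP = """\
----------------------------------------------------------------
Interface   IP Address      MAC Address         Port   Type
----------------------------------------------------------------
vlan2-0     149.122.34.4    00:06:5B:B2:44:21   2      Dynamic
vlan2-0     149.122.34.12   00:A0:D2:18:EE:A1   3      Dynamic
vlan2-0     149.122.34.21   00:A0:C3:57:32:14   4      Dynamic
vlan8-1     149.122.35.1    00:A0:64:B1:76:A5   7      Dynamic
vlan2-0     149.122.34.1    00:A0:D2:18:EE:A1   3      Dynamic
"""

# Constructed baseline: the gateway's real MAC and port, and one pinned host.
BASELINE = {
    "149.122.34.1": ("00:a0:c9:01:02:03", 1),
    "149.122.34.4": ("00:06:5b:b2:44:21", 2),
}

if __name__ == "__main__":
    for finding in audit_arp(parse_show_ip_arp(SAMPLE_ARP), BASELINE):
        print(finding)
```

On the constructed capture the audit reports two findings: the gateway address is in the cache with the wrong MAC on the wrong port, and that MAC answers for two addresses on vlan2-0. A static entry added with ADD IP ARP for the gateway would keep the switch forwarding to the right port regardless of what the cache learns.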
SHOW IP COUNTER
Syntax
show ip counter [port=ports|all]
Parameters
port
Specifies the ports whose IP statistics are to be
displayed. You can specify the ports individually (for
example, 5,7,22), as a range (for example, 18-23), or
both (for example, 1,5,14-22). Omitting this parameter
displays the statistics for all ports.
Description
This command displays Layer 3 counters for the individual ports on a
switch. Figure 48 is an example of the information displayed by this
command.
Port 1
IPInUcastPkts ................... 0
IPOutUcastPkts .................. 0
IPInDiscards .................... 0
IPInHdrErrors ................... 0
Port 2
IPInUcastPkts ................... 0
IPOutUcastPkts .................. 0
IPInDiscards .................... 0
IPInHdrErrors ................... 0
Figure 48. SHOW IP COUNTER Command
The lines in the display are:
- IPInUcastPkts - Number of IP packets received on a port.
- IPOutUcastPkts - Number of IP packets transmitted from a port.
- IPInDiscards - Number of IP packets received but discarded due to resource limitations at the IP level.
- IPInHdrErrors - Number of IP packets received with header errors.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command displays the statistics for all the ports:
show ip counter
This command displays the statistics for ports 1 to 4:
show ip counter port=1-4
SHOW IP INTERFACE
Syntax
show ip interface[=interface|eth0]
Parameters
interface
Specifies the interface name. The name consists of
“VLAN” followed by a VID and an interface number,
separated by a dash (e.g., vlan4-0). For background
information, refer to “Interface Names” on page 550.
If no interface value is specified, the switch displays
all the interfaces.
The “eth0” value can be used to designate the local
interface.
Description
This command displays the routing interfaces on a switch. An example of
the information displayed by this command is shown in Figure 49.
--------------------------------------------------
Interface   IPAddress       NetMask         RipMet
--------------------------------------------------
eth0        149.55.14.8     255.255.255.0   1
vlan2-0     149.123.11.21   255.255.255.0   1
vlan5-0#    149.55.12.15    255.255.255.0   2
vlan8-0     149.55.13.2     255.255.255.0   1
vlan8-1     149.55.14.8     255.255.255.0   1
Figure 49. SHOW IP INTERFACE Command
The local interface of a switch, if one has been designated, is listed twice
in the table, as “eth0” at the top of the table and again as a regular entry.
For instance, the local interface on the switch in the above example is the
VLAN8-1 interface because its values and those of the “eth0” interface are
identical. The “eth0” entry contains null values (i.e., 0.0.0.0) if no local
interface is designated on the unit.
The columns in the display are:
• Interface - The interface name consisting of the VLAN’s identification (VID) and interface number. A hash symbol (#) marks IP interfaces where there are no active nodes in the VLAN on the switch. For background information, refer to “Interface Names” on page 550.
• IPAddress - The interface’s IP address. The address is assigned manually to the interface or automatically by a DHCP or BOOTP server. If the address is 0.0.0.0, the interface is configured to receive its IP configuration from a DHCP or BOOTP server, but the server has not responded.
• NetMask - The interface’s subnet mask. The subnet mask is assigned manually to the interface or automatically by a DHCP or BOOTP server. If the mask is 0.0.0.0, the DHCP or BOOTP server has not responded.
• RipMet - The hop count for this interface when routing packets with RIP. This column has no function on
Examples
This command displays all the routing interfaces on a switch:
show ip interface
This command displays just the VLAN2-6 interface:
show ip interface=vlan2-6
SHOW IP RIP COUNTER
Syntax
show ip rip counter
Parameters
counter
Displays RIP packet statistics for all interfaces where
RIP has been added. This parameter cannot be used
with the INTERFACE parameter.
Description
This command displays RIP statistics for the entire switch. An example of
the information displayed by this command is shown in Figure 50.
IP RIP Counter Summary
Input:
inResponses......................5
inRequests.......................1
inDiscards.......................0
Output:
outResponses.....................6
outRequests......................2
outTrigResponses.................0
outErrors........................0
Figure 50. SHOW IP RIP Command with COUNTER Parameter
The lines in the display are described here:
• inResponses - The number of response packets received.
• inRequests - The number of request packets received.
• inDiscards - The number of packets discarded. Packets may be discarded due to an authentication failure or a mismatched sequence number of a triggered acknowledgement. Because authentication failures are counted here, a rising inDiscards value on an interface configured with password authentication is worth investigating.
• outResponses - The number of response packets sent.
• outRequests - The number of request packets sent.
• outTrigResponses - The number of triggered response packets sent.
• outErrors - The number of errors encountered when sending a request or response RIP message.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Example
This command displays RIP packet statistics:
show ip rip counter
SHOW IP RIP INTERFACE
Syntax
show ip rip interface[=interface]
Parameters
interface
Specifies the interface name. The name consists of
“VLAN” followed by a VID and an interface number,
separated by a dash (e.g., vlan4-0). If no interface
value is specified, the switch displays all the
interfaces where the routing protocol has been
added. For background information, refer to “Interface
Names” on page 550.
Description
This command lists the routing interfaces where RIP has been assigned
and the RIP settings. An example of the information displayed by this
command is shown in Figure 51.
----------------------------------------------------------
Interface   Send   Receive   Auth   Password
----------------------------------------------------------
vlan2-0     RIP2   BOTH      PASS   ********
vlan5-0     RIP1   BOTH      NONE   NOT SET
vlan8-0     RIP2   BOTH      PASS   ********
vlan8-1     RIP2   BOTH      PASS   ********
Figure 51. SHOW IP RIP Command
The columns in the display are described here:
• Interface - An interface name consisting of a VLAN’s identification (VID) number and interface number. For background information, refer to “Interface Names” on page 550.
• Send - The version of RIP packets sent by the interface. Possible settings are:
– RIP1: version 1 packets
– RIP2: version 2 packets
• Receive - The version of RIP packets the interface will accept. Possible settings are:
– RIP1: version 1 packets
– RIP2: version 2 packets
– BOTH: both version 1 and 2 packets
• Auth - The form of authentication. Possible settings are:
– NONE: no password authentication
– PASS: plaintext password authentication
• Password - The authentication password, displayed with asterisks. A value of NOT SET in this column indicates the interface does not have a password for RIP.
Note that the PASS setting carries the password in the clear in every RIPv2 update, so anyone able to capture traffic on the VLAN can read it. It guards against accidental route injection by a misconfigured router, not against a deliberate attacker on the segment. RIP version 1 packets carry no authentication field at all.
To add RIP to an interface, refer to “ADD IP RIP” on page 572. To modify
the RIP settings of an interface, refer to “SET IP RIP” on page 586.
This command is not available on the AT-9408LC/SP, AT-9424T/GB, and
AT-9424T/SP switches.
Examples
This command displays the RIP settings for all of the interfaces where RIP
has been added:
show ip rip
This command displays the RIP settings of the VLAN17-2 interface:
show ip rip interface=vlan17-2
The command does not display anything if the VLAN17-2 interface does
not have RIP.
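The following script is an added example, not part of the AT-S63 guide, showing how the Auth, Send and Receive columns described above can be checked automatically. It parses captured SHOW IP RIP INTERFACE output (the sample text is constructed to match the layout of Figure 51; the interface names and values are made up) and reports interfaces running without authentication, using the plaintext PASS method, or accepting RIPv1 updates, which cannot carry an authentication entry.

```python
"""Audit SHOW IP RIP INTERFACE output for weak RIP authentication settings.

Added example, not code from the AT-S63 guide. The sample output below is
constructed to follow the column layout of Figure 51; its values are made up.
"""
import re

SAMPLE_RIP_OUTPUT = """\
----------------------------------------------------------
Interface   Send   Receive   Auth   Password
----------------------------------------------------------
vlan2-0     RIP2   BOTH      PASS   ********
vlan5-0     RIP1   BOTH      NONE   NOT SET
vlan8-0     RIP2   RIP2      PASS   ********
vlan8-1     RIP2   BOTH      PASS   ********
"""

# Routing interface names look like vlan<vid>-<n>; a trailing '#' marks a
# VLAN with no active nodes (see the Interface column description).
_IFNAME = re.compile(r"^vlan\d+-\d+#?$", re.IGNORECASE)


def parse_rip_interfaces(text):
    """Return one dict per data row of the SHOW IP RIP INTERFACE table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Header and rule lines do not start with an interface name.
        if len(parts) >= 5 and _IFNAME.match(parts[0]):
            rows.append({
                "interface": parts[0],
                "send": parts[1].upper(),
                "receive": parts[2].upper(),
                "auth": parts[3].upper(),
                "password": " ".join(parts[4:]),  # "NOT SET" is two tokens
            })
    return rows


def audit_rip_interfaces(rows):
    """Return (interface, finding) pairs for settings an attacker could abuse."""
    findings = []
    for r in rows:
        if r["auth"] == "NONE":
            findings.append((r["interface"],
                             "no authentication: any host on the VLAN can inject routes"))
        elif r["auth"] == "PASS":
            findings.append((r["interface"],
                             "plaintext password: readable by anyone capturing RIP updates"))
        if r["receive"] in ("RIP1", "BOTH"):
            findings.append((r["interface"],
                             "accepts RIPv1 updates, which cannot carry an authentication "
                             "entry; confirm unauthenticated v1 updates are rejected"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_rip_interfaces(parse_rip_interfaces(SAMPLE_RIP_OUTPUT)):
        print(f"{iface}: {finding}")
```

The RIPv1 finding is deliberately conservative: whether a RIPv2 password on an interface also causes unauthenticated version 1 updates to be dropped is not stated in this guide, so the script asks for that to be confirmed rather than assuming either way.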
SHOW IP ROUTE
Syntax
show ip route [general] [full]
Parameters
general
Displays general routing information, such as the total
number of routes in the cache and the cache size.
full
Displays both the routes and the general routing
information.
Description
Entering this command without any parameters displays all of the IPv4
routes learned by the interfaces and RIP, as well as those entered as
static routes. An example of the information displayed by this command
without the parameters is shown in Figure 52.
IP Routes
--------------------------------------------------------------------------------
Destination    Mask            NextHop        Interface   Protocol    RipMetric
--------------------------------------------------------------------------------
0.0.0.0        0.0.0.0         202.24.124.2   VLAN2-0     Static      1
149.102.34.0   255.255.255.0   149.211.54.6   VLAN14-0    Interface   1
149.102.37.0   255.255.255.0   149.211.54.6   VLAN14-0    Interface   1
Figure 52. SHOW IP ROUTE Command
The columns are described here:
• Destination - Destination IP address of the network or subnet. The default route is 0.0.0.0.
• Mask - Subnet mask of the destination IP address.
• NextHop - IP address of the next hop to the destination network or subnet.
• Interface - Name of the interface where the route was added as a static route or learned by RIP. A hash symbol (#) following the name signifies an IP interface where there are no active nodes in the VLAN of the interface.
• Protocol - Source of the route. Possible options are:
– Interface - Route was learned by a routing interface.
– Static - Route was entered manually as a static route.
– RIP - Route was learned by RIP.
• RipMetric - RIP metric (cost) to reaching the destination.
This command always displays interface and static routes. RIP routes,
however, are only displayed when the outgoing interface is up. Note that
routes are only propagated by RIP when their status at the physical level is
up. This means that a VLAN’s interface route is propagated if at least one
port in the VLAN is active.
Figure 53 is an example of the information provided by the GENERAL
parameter.
IP Route General Information
Number of routes................ 25
Interface routes................ 11
RIP routes...................... 12
Static routes................... 2
Cache size...................... 1024
Source route byte counting ..... no
Route debugging................. no
Multipath routing............... yes
Figure 53. SHOW IP ROUTE Command with the GENERAL Parameter
The information is described here:
• Number of routes - Total number of routing interfaces, static routes, and dynamic RIP routes.
• Interface routes - Number of routing interfaces on the switch.
• RIP routes - Number of routes learned by RIP.
• Static routes - Number of static routes.
• Cache size - Size of the route cache (the maximum number of entries).
• Source route byte counting - Whether source route byte counting is enabled.
• Route debugging - Whether route debugging is enabled.
• Multipath routing - Whether multipath routing is enabled.
Examples
This command displays the IPv4 packet routes on the switch:
show ip route
This command displays general routing information:
show ip route general
This command displays both the routes and the general routing
information:
show ip route full
Section VIII
Port Security
The chapters in this section provide the commands for configuring port
security. The chapters include:
• Chapter 33, “MAC Address-based Port Security Commands” on page 605
• Chapter 34, “802.1x Port-based Network Access Control Commands” on page 613
Chapter 33
MAC Address-based Port Security
Commands
This chapter contains the following commands:
• “SET SWITCH PORT INTRUSIONACTION” on page 606
• “SET SWITCH PORT SECURITYMODE” on page 607
• “SHOW SWITCH PORT INTRUSION” on page 610
• “SHOW SWITCH PORT SECURITYMODE” on page 611
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 30,
“MAC Address-based Port Security” in the AT-S63 Management
Software Menus Interface User’s Guide.
SET SWITCH PORT INTRUSIONACTION
Syntax
set switch port=port intrusionaction=discard|trap|disable
Parameters
port
Specifies the port where you want to change the
intrusion action. You can specify more than one port
at a time. You can specify the ports individually (for
example, 5,7,22), as a range (for example, 18-23), or
both (for example, 1,5,14-22).
intrusionaction
Specifies the action the port takes when it receives an
invalid frame. The options are:
discard
The port discards invalid frames. This is
the default.
trap
The port discards invalid frames and
sends an SNMP trap.
disable
The port discards invalid frames, sends an
SNMP trap, and disables the port.
Description
This command defines what a port does when it receives an invalid frame.
It applies only to ports operating in the Limited security mode. The trap
and disable actions take effect only when the port’s PARTICIPATE option is
enabled; with the default setting of participate=no the port still
discards invalid frames but sends no trap and does not disable itself.
Refer to the PARTICIPATE parameter of “SET SWITCH PORT SECURITYMODE” on
page 607.
Example
The following command sets the intrusion action to trap on ports 12 and
21:
set switch port=12,21 intrusionaction=trap
SET SWITCH PORT SECURITYMODE
Syntax
set switch port=port
[securitymode=automatic|limited|secured|locked]
[intrusionaction=discard|trap|disable]
[learn=value] [participate=yes|no|on|off|true|false]
Parameters
port
Specifies the port where you want to set security. You
can specify more than one port at a time.You can
specify the ports individually (for example, 5,7,22), as
a range (for example, 18-23), or both (for example,
1,5,14-22).
securitymode
Specifies the port’s security mode. Options are:
automatic
Disables security on the port. This is the
default setting.
limited
Sets the port to the Limited security
mode. The port learns a limited number
of dynamic MAC addresses, set with the
LEARN parameter.
secured
Sets the port to the Secured security
mode. The port accepts frames based
only on static MAC addresses. You must
enter the static MAC addresses of the
nodes with frames the port is to accept
after you have activated this security
mode on a port. To add static MAC
addresses, use the command “ADD
SWITCH FDB|FILTER” on page 144.
locked
Sets the port to the Locked security
mode. The port stops learning new
dynamic MAC addresses. The port
forwards frames based on static MAC
addresses and on those dynamic
addresses it has already learned.
Note
The online help for this command includes a “pacontrol” option for
this parameter. The option is nonfunctional.
intrusionaction
Specifies the action taken by the port in the event port
security is violated. This parameter applies only to the
Limited security mode. Intrusion actions are:
discard
Discards invalid frames. This is the
default setting.
trap
Discards invalid frames and sends a
management trap.
disable
Discards invalid frames, sends a
management trap, and disables the port.
The intrusion action of a port operating in the Secured
or Locked security level is to discard invalid frames.
learn
Specifies the maximum number of dynamic MAC
addresses a port on the switch can learn. This
parameter applies only to ports set to the Limited
security mode. The range is 1 to 255 addresses. The
default is 255.
participate
Enables or disables the intrusion action on the port.
This option only applies to the Limited security mode
and only when a port’s intrusion action is set to trap or
disable. This option does not apply when intrusion
action is set to discard. The options are:
yes, on, true
Enables the trap or disable intrusion
action. These options are equivalent.
no, off, false
Disables the trap or disable intrusion
action. The port still discards invalid
ingress frames. This is the default.
These options are equivalent.
Description
This command sets and configures a port’s security mode. Only one mode
can be active on a port at a time.
Note
For explanations of the security levels and intrusion actions, refer to
Chapter 30, “MAC Address Port Security” in the AT-S63
Management Software Menus Interface User’s Guide.
To view a port’s current security mode, use the command “SHOW
SWITCH PORT SECURITYMODE” on page 611.
The management software displays a confirmation prompt whenever you
perform this command. Responding with Y for yes completes your
command, while N for no cancels the command.
Examples
The following command sets the security level for port 8 to the Limited
mode and specifies a limit of 5 dynamic MAC addresses. Because no
intrusion action is specified, the discard action is assigned by default:
set switch port=8 securitymode=limited learn=5
The following command sets the security level for ports 9 and 12 to the
Limited mode and specifies a limit of 15 dynamic MAC addresses per port.
The disable intrusion action is specified:
set switch port=9,12 securitymode=limited learn=15
intrusionaction=disable participate=yes
In the above example, the Participate option is required to activate the
disable intrusion action. Without it, the port would discard invalid ingress
frames but would not send an SNMP trap and disable the port.
The following command changes the maximum number of learned MAC
addresses to 150 on ports 15 and 16. The command assumes that the
ports have already been set to the Limited security mode:
set switch port=15-16 learn=150
The following command sets the security level to Locked for ports 2, 6, and
18:
set switch port=2,6,18 securitymode=locked
The Learn and Participate options are not included with the above
command because they do not apply to the Locked mode, nor to the
Secured mode.
The following command sets the security level to Secured for ports 12 to
24:
set switch port=12-24 securitymode=secured
The following command returns ports 8 to 11 to the automatic security
level, which disables port security:
set switch port=8-11 securitymode=automatic
SHOW SWITCH PORT INTRUSION
Syntax
show switch port=port intrusion
Parameter
port
Specifies the port where you want to view the number
of intrusions that have occurred. You can specify
more than one port at a time.
Description
This command displays the number of times a port has detected an
intrusion violation. An intrusion violation varies depending on the security
mode:
ˆ
Limited Security Level - An intrusion is an ingress frame with a source
MAC address not already learned by a port after the port had reached
its maximum number of dynamic MAC addresses, or that was not
assigned to the port as a static address.
ˆ
Secured Security Level - An intrusion is an ingress frame with a source
MAC address that was not entered as a static address on the port.
ˆ
Locked - An intrusion is an ingress frame with a source MAC address
that the port has not already learned or that was not assigned as a
static address.
Example
The following command displays the number of intrusion violations
detected on ports 12 and 21:
show switch port=12,21 intrusion
SHOW SWITCH PORT SECURITYMODE
Syntax
show switch port=port securitymode
Parameters
port
Specifies the port whose security mode settings you
want to view. You can specify the ports individually
(for example, 5,7,22), as a range (for example, 18-23), or both (for example, 1,5,14-22).
Description
This command displays the security mode settings for the ports on the
switch. An example of the information displayed by this command is
shown in Figure 54.
Port  Security Mode  Intrusion Action  Participating  MAC Limit
--------------------------------------------------------------------------
1     Secured        ---               ---            ---
2     Limited        Trap              Yes            20
3     Limited        Trap              Yes            20
4     Limited        Trap              Yes            20
5     Automatic      ---               ---            ---
6     Automatic      ---               ---            ---
Figure 54. SHOW SWITCH PORT SECURITYMODE Command
The columns in the display are defined here:
• Port - Port number.
• Security Mode - The current security mode of the port. Possible settings are Automatic (no security), Limited, Secured, and Locked. For definitions of the security levels, refer to “SET SWITCH PORT SECURITYMODE” on page 607.
• Intrusion Action - The action taken by a port operating with the Limited security level when it detects an intrusion violation.
• Participating - The status of intrusion action on the port. This option only applies to the Limited security mode and only when a port’s intrusion action is set to trap or disable. This option does not apply when intrusion action is set to discard.
• MAC Limit - The maximum number of dynamic MAC addresses the port can learn. This parameter applies only to the Limited security mode.
Example
The following command displays the security mode settings for ports 1 to
5:
show switch port=1-5 securitymode
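The following script is an added example, not part of the guide, that audits captured SHOW SWITCH PORT SECURITYMODE output for the two conditions the command references above call out: a Limited port whose intrusion action is Trap or Disable while Participating is No (the action is configured but dormant, so violations are only discarded), and ports still in Automatic mode with no port security at all. The sample table is constructed to follow the layout of Figure 54 with one cell per column; the port numbers and values are made up. It also renders port numbers in the 1,5,14-22 list syntax the SET SWITCH PORT commands accept, so the fix can be issued as a single command.

```python
"""Audit SHOW SWITCH PORT SECURITYMODE output and build the remediation command.

Added example, not code from the AT-S63 guide. The sample table is constructed
to mirror the columns of Figure 54; ports 3 and 5 are the deliberate problem cases.
"""

SAMPLE_SECURITYMODE_OUTPUT = """\
Port  Security Mode  Intrusion Action  Participating  MAC Limit
--------------------------------------------------------------------------
1     Secured        ---               ---            ---
2     Limited        Trap              Yes            20
3     Limited        Disable           No             20
4     Limited        Discard           ---            5
5     Automatic      ---               ---            ---
6     Locked         ---               ---            ---
"""


def parse_securitymode(text):
    """Return one dict per port row; columns shown as dashes come back as None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five cells and start with a port number.
        if len(parts) == 5 and parts[0].isdigit():
            port, mode, action, participating, limit = parts
            rows.append({
                "port": int(port),
                "mode": mode,
                "action": None if action.startswith("-") else action,
                "participating": None if participating.startswith("-") else participating,
                "limit": None if limit.startswith("-") else int(limit),
            })
    return rows


def audit_securitymode(rows):
    """Return (port, finding) pairs for ports whose settings need attention."""
    findings = []
    for r in rows:
        if r["mode"] == "Automatic":
            findings.append((r["port"], "no port security (Automatic mode)"))
        elif (r["mode"] == "Limited" and r["action"] in ("Trap", "Disable")
              and r["participating"] != "Yes"):
            findings.append((r["port"],
                             f"intrusion action {r['action']} is configured but "
                             "Participating is No, so violations are only discarded"))
    return findings


def port_list(ports):
    """Render port numbers in the guide's list syntax, e.g. [1,5,14..22] -> '1,5,14-22'."""
    ports = sorted(set(ports))
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1  # extend the run of consecutive ports
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def participate_fix(findings):
    """One SET SWITCH PORT command that activates the dormant actions, or None."""
    ports = [p for p, f in findings if "Participating is No" in f]
    if not ports:
        return None
    return f"set switch port={port_list(ports)} participate=yes"


if __name__ == "__main__":
    found = audit_securitymode(parse_securitymode(SAMPLE_SECURITYMODE_OUTPUT))
    for port, finding in found:
        print(f"port {port}: {finding}")
    print(participate_fix(found))
```

Ports reported in Automatic mode get no generated command, because the right mode and MAC limit for them is a policy decision, not something the audit can infer from the table.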
Chapter 34
802.1x Port-based Network Access
Control Commands
This chapter contains the following commands:
• “DISABLE PORTACCESS|PORTAUTH” on page 614
• “DISABLE RADIUSACCOUNTING” on page 615
• “ENABLE PORTACCESS|PORTAUTH” on page 616
• “ENABLE RADIUSACCOUNTING” on page 617
• “SET PORTACCESS|PORTAUTH PORT ROLE=AUTHENTICATOR” on page 618
• “SET PORTACCESS|PORTAUTH PORT ROLE=SUPPLICANT” on page 626
• “SET RADIUSACCOUNTING” on page 628
• “SHOW PORTACCESS|PORTAUTH” on page 630
• “SHOW PORTACCESS|PORTAUTH PORT” on page 632
• “SHOW RADIUSACCOUNTING” on page 635
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information on this feature, refer to Chapter 31,
“802.1x Port-based Network Access Control” in the AT-S63
Management Software Menus Interface User’s Guide.
DISABLE PORTACCESS|PORTAUTH
Syntax
disable portaccess|portauth
Note
The PORTACCESS and PORTAUTH keywords are equivalent.
Parameters
None.
Description
This command disables 802.1x Port-based Network Access Control on
the switch. This is the default setting.
Example
The following command disables 802.1x Port-based Network Access
Control on the switch:
disable portaccess
DISABLE RADIUSACCOUNTING
Syntax
disable radiusaccounting
Parameters
None
Description
This command disables RADIUS accounting on the switch.
Example
The following command disables RADIUS accounting:
disable radiusaccounting
Equivalent Command
set radiusaccounting status=disabled
For information, see “SET RADIUSACCOUNTING” on page 628.
ENABLE PORTACCESS|PORTAUTH
Syntax
enable portaccess|portauth
Note
The PORTACCESS and PORTAUTH keywords are equivalent.
Parameters
None.
Description
This command activates 802.1x Port-based Network Access Control on
the switch. The default setting for this feature is disabled.
Note
You should activate and configure the RADIUS client software on
the switch before activating port-based access control. Refer to
“SET AUTHENTICATION” on page 695.
Example
The following command activates 802.1x Port-based Network Access
Control on the switch:
enable portaccess
ENABLE RADIUSACCOUNTING
Syntax
enable radiusaccounting
Parameters
None
Description
This command activates RADIUS accounting on the switch.
Example
The following command activates RADIUS accounting:
enable radiusaccounting
Equivalent Command
set radiusaccounting status=enabled
For information, see “SET RADIUSACCOUNTING” on page 628.
SET PORTACCESS|PORTAUTH PORT ROLE=AUTHENTICATOR
Syntax
set portaccess|portauth=8021x|macbased port=port
type|role=authenticator|none [mode=single|multi]
[control=auto|authorised|forceauthenticate|
unauthorised|forceunauthenticate]
[quietperiod=value] [txperiod=value]
[reauthenabled=enabled|disabled] [reauthperiod=value]
[supptimeout=value] [servertimeout|servtimeout=value]
[maxreq=value] [ctrldirboth=ingress|both]
[piggyback=enabled|disabled] [guestvlan=vlan-name|vid|none]
[vlanassignment=enabled|disabled] [securevlan=on|off]
Parameters
portaccess or portauth
Specifies the authentication method. The two choices are:
8021x
Specifies 802.1x username and password authentication. With this
authentication method the supplicant must provide, either manually or
automatically, a username and password. This authentication method
requires 802.1x client software on the supplicant nodes.
macbased
Specifies MAC address-based authentication. The authenticator port
extracts the source MAC address from the initial frames received from a
supplicant and automatically sends the address as both the username and
password of the supplicant to the authentication server. This
authentication method does not require 802.1x client software on the
supplicant nodes. Because the MAC address serves as both username and
password, the authentication server verifies only the claimed hardware
address; a node that spoofs the MAC address of an authorized supplicant is
authenticated as that supplicant.
port
Specifies the port to set to the Authenticator role or whose
Authenticator settings you want to adjust. You can specify more than one
port at a time.
type or role
Specifies the role of the port. The parameters are equivalent. The
options are:
authenticator
Specifies the authenticator role.
none
Disables port-based access control on the port.
mode
Controls the operating mode of an authenticator port. The options are:
single
Configures the port to accept only one authentication. This
authenticator mode should be used together with the piggyback mode. When
an authenticator port is set to the single mode and the piggyback mode is
disabled, only the one client who is authenticated can use the port.
Packets from or to other clients on the port are discarded. If piggyback
mode is enabled, other clients can piggyback onto another client’s
authentication and so be able to use the port. This is the default
setting.
multi
Configures the port to accept up to 20 authentications. Every client
using an authenticator port in this mode must have a username and
password combination and log on separately.
control
Specifies the authenticator state. The options are:
auto
Sets the port state to 802.1X port-based authentication. The port begins
in the unauthorized state, allowing only EAPOL frames to be sent and
received through the port. The authentication process begins when the
link state of the port changes. The switch requests the identity of the
client and begins relaying authentication messages between the client and
the authentication server. Each client that attempts to access the
network is uniquely identified by the switch by using the client’s MAC
address. This is the default setting.
authorised or forceauthenticate
Disables 802.1X port-based authentication and causes the port to
transition to the authorized state without any authentication exchange
required. The port transmits and receives normal traffic without
802.1X-based authentication of the client. The parameters are equivalent.
unauthorised or forceunauthenticate
Causes the port to remain in the unauthorized state, ignoring all
attempts by the client to authenticate. The switch blocks all
authentication on the port. The parameters are equivalent.
quietperiod
Sets the number of seconds that the switch remains in
the quiet state following a failed authentication
exchange with the client. The default value is 60
seconds. The range is 0 to 65,535 seconds.
txperiod
Sets the number of seconds that the switch waits for a
response to an EAP-request/identity frame from the
client before retransmitting the request. The default
value is 30 seconds. The range is 1 to 65,535 seconds.
reauthenabled
Controls whether the client must periodically reauthenticate. The
options are:
enabled
Specifies that the client must periodically reauthenticate. This is the
default setting. The time period between reauthentications is set with
the reauthperiod parameter.
disabled
Specifies that reauthentication by the client is not required after the
initial authentication. Reauthentication is only required if there is a
change to the status of the link between the supplicant and the switch or
the switch is reset or power cycled.
reauthperiod
Sets the number of seconds between periodic reauthentications of the
client. This value is used only when the REAUTHENABLED parameter is set
to enabled. The default value is 3600 seconds. The range is 1 to 65,535
seconds.
supptimeout
Sets the switch-to-client retransmission time for the
EAP-request frame. The default value for this
parameter is 30 seconds. The range is 1 to 600
seconds.
servertimeout or servtimeout
Sets the timer used by the switch to determine authentication server
timeout conditions. The default value is 30 seconds. The range is 1 to
600 seconds. The parameters are equivalent.
maxreq
Specifies the maximum number of times that the switch
retransmits an EAP Request packet to the client before
it times out the authentication session. The range is 1 to
10 retransmissions and the default is 2.
ctrldirboth
Specifies how the port is to handle ingress and egress
broadcast and multicast packets when in the
unauthorized state.
When a port is set to the authenticator role, it remains in
the unauthorized state until a client is authenticated by
the authentication server. In the unauthorized state, the
port accepts only EAP packets from the client. All other
ingress packets the port might receive from the
supplicant, including multicast and broadcast traffic, are
discarded until the supplicant has been authenticated.
You can use this selection to control how an
authenticator port handles egress broadcast and
multicast traffic when in the unauthorized state. You
can instruct the port to forward this traffic to the client,
even though the client has not logged on, or you can
have the port discard the traffic.
The options are:
ingress
An authenticator port, when in the unauthorized state, discards all
ingress broadcast and multicast packets from the client while forwarding
all egress broadcast and multicast traffic to the same client. This is
the default setting.
both
An authenticator port, when in the unauthorized state, does not forward
ingress or egress broadcast and multicast packets from or to the client
until the client has logged on.
This parameter is only available when the authenticator’s operating mode
is set to single. When the mode is set to multi, an authenticator port
does not forward ingress or egress broadcast or multicast packets until
at least one client has logged on.
piggyback
Controls who can use the switch port in cases where there are multiple
clients using the port, for example the port is connected to an Ethernet
hub. This parameter is applicable when the authenticator’s operating mode
is set to single. The options are:
enabled
Allows all clients on the port to piggyback onto the initial client’s
authentication, causing the port to forward all packets after one client
is authenticated. This is the default setting.
disabled
Specifies that the switch port forward only those packets from the client
who is authenticated and discard packets from all other users.
guestvlan
Specifies the name or VID of a Guest VLAN. The authenticator port is a
member of a Guest VLAN when no supplicant is logged on. Clients do not
log on to access a Guest VLAN.
If an authenticator port where a Guest VLAN has been defined starts to
receive EAPOL packets, signalling that a supplicant is logging on, it
changes to the unauthorized state and moves from the Guest VLAN to its
predefined VLAN. The port remains in the unauthorized state until the log
on process between the supplicant and the RADIUS server is completed.
The options are:
vlan-name
Specifies the name of the Guest VLAN.
vlan-id
Specifies the VID of the Guest VLAN.
none
Removes a predefined Guest VLAN from an authenticator port.
A Guest VLAN is only supported when the operating mode of the port is set
to Single. The specified VLAN must already exist on the switch.
vlanassignment
Specifies whether to use the VLAN assignments entered in the user
accounts on the RADIUS server. Options are:
enabled
Specifies that the authenticator port is to use the VLAN assignments
returned by the RADIUS server when a supplicant logs on. This is the
default setting.
disabled
Specifies that the authenticator port ignore any VLAN assignment
information returned by the RADIUS server when a supplicant logs on. The
authenticator port remains in its predefined VLAN assignment even when
the RADIUS server returns a VLAN assignment when a supplicant logs on.
securevlan
Controls the action of an authenticator port to subsequent
authentications after the initial authentication where VLAN assignments
have been added to the user accounts on the RADIUS server. This parameter
only applies when the port is operating in the Multiple operating mode.
Options are:
on
Specifies that only those supplicants with the same VLAN assignment as
the initial supplicant are authenticated. Supplicants with a different or
no VLAN assignment are denied entry to the port. This is the default
setting.
off
Specifies that all supplicants, regardless of their assigned VLANs, are
authenticated. However, the port remains in the VLAN specified in the
initial authentication, regardless of the VLAN assignments of subsequent
authentications.
Description
This command sets ports to the authenticator role and configures the
authenticator role parameters. This command also removes port-based
access control from a port.
Chapter 34: 802.1x Port-based Network Access Control Commands
Examples
The following command sets ports 4 to 6 to the authenticator role. The
authentication method is set to 802.1x, meaning that the supplicants must
have 802.1x client software and provide a username and password, either
automatically or manually, when logging on and during reauthentications.
The operating mode is set to Single and the piggy back mode to disabled.
With these settings, only one supplicant can use each port. After a
supplicant logs on, access by any other client to the same port is denied:
set portaccess=8021x port=4-6 role=authenticator mode=single
piggyback=disabled
The next command is identical to the previous example, except the
authentication method is MAC address-based, meaning the authenticator
ports use the MAC addresses of the supplicants as the usernames and
passwords. With MAC address-based authentication, an authenticator
port automatically extracts the MAC address from the initial frames
received from a supplicant and sends it to the RADIUS server. The
supplicants do not need 802.1x client software. Again, as in the previous
example, since the operating mode is Single and the piggy back mode is
disabled, only one supplicant can use each port.
set portaccess=macbased port=4-6 role=authenticator
mode=single piggyback=disabled
Note
The remaining examples are limited to the 802.1x authentication
method, but apply equally to the MAC address-based authentication
method.
The following command sets port 12 to the authenticator role and the
operating mode to Single. The difference between this and the previous
example is the piggy back mode is enabled. This configuration is
appropriate when an authenticator port is supporting multiple clients, such
as when a port is connected to an Ethernet hub, and you do not want to
give each supplicant a separate username and password combination on
the RADIUS server. With the piggy back mode enabled, all of the clients
connected to the port can access it after one supplicant logs on:
set portaccess=8021x port=12 role=authenticator mode=single
piggyback=enabled
The following command sets port 22 to the authenticator role and the
operating mode to Multiple. This configuration is also appropriate where
there is more than one supplicant on a port. But an authenticator port in
the Multiple mode requires that all supplicants have their own username
and password combinations on the RADIUS server and that they log on
before they can use the authenticator port on the switch:
set portaccess=8021x port=22 role=authenticator mode=multi
The following command assigns the Guest VLAN “Product_show” to
authenticator ports 5 and 12. The ports function as untagged members of
the VLAN and allow any network user access to the VLAN without logging
on. However, should a port start to receive EAPOL packets, it assumes
that a supplicant is initiating a log on and changes to the unauthorized
state. After the log on is completed, the port moves to its predefined VLAN:
set portaccess=8021x port=5,12 role=authenticator
guestvlan=product_show
The following command configures port 15 as an authenticator port. This
example assumes that the user accounts on the RADIUS server have
VLAN assignments. With the VLANASSIGNMENT parameter set to
enabled, the port processes the VLAN assignments it receives from the
RADIUS server. Had this parameter been disabled, the port would ignore
the VLAN assignments and leave the port in its predefined VLAN
assignment. The VLAN assignment of the port is determined by the initial
log on by a client. With the SECUREVLAN parameter set to enabled, only
those subsequent supplicants having the same VLAN assignment as the
initial supplicant are allowed to use the port:
set portaccess=8021x port=15 role=authenticator mode=multi
vlanassignment=enabled securevlan=on
The following command sets port 7 to the authenticator role, the quiet
period on the port to 30 seconds, and the server timeout period to 200
seconds:
set portaccess=8021x port=7 role=authenticator
quietperiod=30 servtimeout=200
The following command configures authenticator port 5 to the multiple
operating mode:
set portaccess=8021x port=5 role=authenticator mode=multi
The following command configures authenticator port 5 to the single
operating mode and disables piggy backing:
set portaccess=8021x port=5 role=authenticator mode=single
piggyback=disabled
The following command removes port-based access control from ports 12
and 15:
set portaccess port=12,15 role=none
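The way the GUESTVLAN, VLANASSIGNMENT, SECUREVLAN, MODE and PIGGYBACK settings interact is easiest to check against a small model of the port. The Python below is an added example and not code from the AT-S63 software or this guide: the class and method names are invented, and RADIUS_ACCOUNTS is a constructed stand-in for the VLAN assignments held in RADIUS user accounts. It encodes only the rules stated in the parameter descriptions above; where the guide is silent (SECUREVLAN when VLANASSIGNMENT is disabled, and a later supplicant whose account has no VLAN assignment), the model's choice is marked as an assumption in the comments.

```python
"""Model of how an AT-S63 authenticator port chooses its VLAN.

Added example, not code from the AT-S63 software or its manual. It
encodes only the rules stated for the GUESTVLAN, VLANASSIGNMENT and
SECUREVLAN parameters; names are invented, and RADIUS_ACCOUNTS is a
constructed stand-in for the VLAN assignments in RADIUS user accounts.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed: username -> VID from the RADIUS user account (None = none).
RADIUS_ACCOUNTS = {"alice": 10, "bob": 10, "carol": 20, "dave": None}


@dataclass
class AuthenticatorPort:
    mode: str = "single"             # MODE=single|multi
    piggyback: bool = False          # PIGGYBACK (single mode only)
    predefined_vid: int = 1          # the port's own static VLAN
    guest_vid: Optional[int] = None  # GUESTVLAN (single mode only)
    vlanassignment: bool = True      # VLANASSIGNMENT=enabled|disabled
    securevlan: bool = True          # SECUREVLAN=on|off (multi mode only)
    authorized: set = field(default_factory=set)  # logged-on supplicants
    initial_vid: Optional[int] = None  # VID fixed by the first logon
    logon_in_progress: bool = False    # EAPOL seen, not yet authenticated

    def __post_init__(self):
        if self.guest_vid is not None and self.mode != "single":
            raise ValueError("a Guest VLAN is only supported in Single mode")

    @property
    def current_vid(self) -> int:
        """VLAN the port is a member of right now."""
        if self.initial_vid is not None:
            return self.initial_vid
        if self.guest_vid is not None and not self.logon_in_progress:
            return self.guest_vid
        return self.predefined_vid

    @property
    def open_without_logon(self) -> bool:
        """True when clients can use the port without authenticating."""
        if self.initial_vid is None:
            return self.guest_vid is not None and not self.logon_in_progress
        return self.mode == "single" and self.piggyback

    def eapol_received(self) -> None:
        """EAPOL from a new supplicant: leave the Guest VLAN, go unauthorized."""
        if not self.authorized:
            self.logon_in_progress = True

    def logon(self, user: str) -> bool:
        """Run one authentication; return True if the supplicant is admitted."""
        self.eapol_received()
        if user not in RADIUS_ACCOUNTS:
            return False                      # RADIUS rejects the credentials
        assigned = RADIUS_ACCOUNTS[user] if self.vlanassignment else None

        if not self.authorized:
            # The initial authentication fixes the port's VLAN: the RADIUS
            # assignment if enabled and present, else the predefined VLAN.
            self.initial_vid = self.predefined_vid if assigned is None else assigned
            self.authorized.add(user)
            self.logon_in_progress = False
            return True

        if self.mode == "single":
            return False                      # one supplicant per port
        # Multi mode. Assumption: with VLANASSIGNMENT disabled there is no
        # assignment to compare, so SECUREVLAN cannot deny anyone. A later
        # account with no assignment (None) never matches initial_vid.
        if self.securevlan and self.vlanassignment and assigned != self.initial_vid:
            return False                      # different or no VLAN assignment
        self.authorized.add(user)            # port stays in initial_vid
        return True

    def logoff(self, user: str) -> None:
        self.authorized.discard(user)
        if not self.authorized:
            self.initial_vid = None           # back to Guest/predefined VLAN
```

Walking a port through the model reproduces the behaviour the examples describe: a Single-mode port with a Guest VLAN is open to everyone until the first EAPOL frame arrives, then admits exactly one supplicant and follows that supplicant's RADIUS VLAN; a Multiple-mode port with SECUREVLAN on refuses every later supplicant whose assignment differs from the first one's.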
SET PORTACCESS|PORTAUTH PORT ROLE=SUPPLICANT
Syntax
set portaccess|portauth port=port type|role=supplicant|none
[authperiod=value] [heldperiod=value] [maxstart=value]
[startperiod=value] [username|name=name]
[password=password]
Note
The PORTACCESS and PORTAUTH keywords are equivalent.
Parameters
port
Specifies the port that you want to set to the supplicant
role or whose supplicant settings you want to adjust.
You can specify more than one port at a time.
type or
role
Specifies the role of the port. The parameters are
equivalent. The options are:
supplicant
Specifies the supplicant role.
none
Disables port-based access control on
the port.
authperiod
Specifies the period of time in seconds that the
supplicant will wait for a reply from the authenticator
after sending an EAP-Response frame. The range is 1
to 300 seconds. The default is 30 seconds.
heldperiod
Specifies the amount of time in seconds the supplicant
is to refrain from retrying to re-contact the authenticator
in the event the end user provides an invalid username
and/or password. After the time period has expired, the
supplicant can attempt to log on again. The range is 0
to 65,535. The default value is 60.
maxstart
Specifies the maximum number of times the supplicant
will send EAPOL-Start frames before assuming that
there is no authenticator present. The range is 1 to 10.
The default is 3.
startperiod
Specifies the time period in seconds between
successive attempts by the supplicant to establish
contact with an authenticator when there is no reply.
The range is 1 to 60. The default is 30.
username or
name
Specifies the username for the switch port. The
parameters are equivalent. The port sends the name to
the authentication server for verification when the port
logs on to the network. The username can be from 1 to
16 alphanumeric characters (A to Z, a to z, 1 to 9). Do
not use spaces or special characters, such as asterisks
or exclamation points. The username is case-sensitive.
password
Specifies the password for the switch port. The port
sends the password to the authentication server for
verification when the port logs on to the network. The
password can be from 1 to 16 alphanumeric characters
(A to Z, a to z, 1 to 9). Do not use spaces or special
characters, such as asterisks or exclamation points.
The password is case-sensitive.
Description
This command sets ports to the supplicant role and configures the
supplicant role parameters. This command also removes port-based
access control on a port.
Examples
The following command sets ports 4 to 6 to the supplicant role:
set portaccess port=4-6 role=supplicant
The following command sets port 8 to the supplicant role, the name to
“switch22,” and the password to “bluebird”:
set portaccess port=8 role=supplicant name=switch22
password=bluebird
The following command removes port-based access control on ports 12
and 15:
set portaccess port=12,15 role=none
SET RADIUSACCOUNTING
Syntax
set radiusaccounting [status=enabled|disabled]
[serverport=value] [type=network]
[trigger=start_stop|stop_only]
[updateenable=enabled|disabled] [interval=value]
Parameters
status
Activates and deactivates RADIUS accounting on the
switch. The options are:
enabled
Activates RADIUS accounting. This
option is equivalent to “ENABLE
RADIUSACCOUNTING” on page 617.
disabled
Deactivates the feature. This is the
default. This option is equivalent to
“DISABLE RADIUSACCOUNTING” on
page 615.
serverport
Specifies the UDP port for RADIUS accounting. The
default is port 1813.
type
Specifies the type of RADIUS accounting. The default
is Network. This value cannot be changed.
trigger
Specifies the action that causes the switch to send
accounting information to the RADIUS server. The
options are:
start_stop
The switch sends accounting information
whenever a client logs on or logs off the
network. This is the default.
stop_only
The switch sends accounting information
only when a client logs off.
updateenable
Specifies whether the switch is to send interim
accounting updates to the RADIUS server. The
default is disabled. If you enable this feature, use the
INTERVAL parameter to specify the intervals at which
the switch is to send the accounting updates.
interval
Specifies the intervals at which the switch is to send
interim accounting updates to the RADIUS server.
The range is 30 to 300 seconds. The default is 60
seconds.
Description
RADIUS accounting is supported on those switch ports operating in the
Authenticator role. The accounting information sent by the switch to a
RADIUS server includes the date and time when clients log on and log off,
as well as the number of packets sent and received by a switch port during
a client session. This feature is disabled by default on the switch.
Examples
The following command activates RADIUS accounting and sets the trigger
to stop only:
set radiusaccounting status=enabled trigger=stop_only
The following command enables the update feature and sets the interval
period to 200 seconds:
set radiusaccounting updateenable=enabled interval=200
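What the switch emits under the TRIGGER and UPDATEENABLE settings are RADIUS Accounting-Request packets (RFC 2866) sent to the SERVERPORT, each carrying an Acct-Status-Type of Start, Stop or Interim-Update. The Python below is an added example, not code from the AT-S63 software or this guide: it builds such a packet from constructed attribute values (the shared secret, user name, session ID and client MAC address are made up; the NAS-IP-Address reuses the switch address from this guide's examples) and shows the check an accounting server must make before trusting one, recomputing the Request Authenticator over the packet and the shared secret. Attribute type numbers come from RFC 2865 and RFC 2866.

```python
"""RADIUS Accounting-Request (RFC 2866) builder and checker.

Added example for illustration; not code from the AT-S63 software or
its manual. All packet contents below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4   # RADIUS Code for Accounting-Request
HEADER_LEN = 20    # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Attribute type numbers (RFC 2865/2866) and how their values are encoded.
ATTRS = {
    1:  ("User-Name", "text"),
    4:  ("NAS-IP-Address", "ipv4"),
    5:  ("NAS-Port", "int"),
    31: ("Calling-Station-Id", "text"),
    40: ("Acct-Status-Type", "int"),
    44: ("Acct-Session-Id", "text"),
    46: ("Acct-Session-Time", "int"),
    47: ("Acct-Input-Packets", "int"),
    48: ("Acct-Output-Packets", "int"),
}
NAME_TO_ATTR = {name: (num, kind) for num, (name, kind) in ATTRS.items()}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _encode(kind, value):
    if kind == "int":
        return struct.pack("!I", value)
    if kind == "ipv4":
        return ipaddress.IPv4Address(value).packed
    return value.encode()


def build_acct_request(identifier, attrs, secret):
    """Return the bytes a NAS (here, the switch) sends for ATTRS.

    Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + attributes + shared secret)   (RFC 2866)."""
    body = b""
    for name, value in attrs:
        num, kind = NAME_TO_ATTR[name]
        data = _encode(kind, value)
        if not 1 <= len(data) <= 253:
            raise ValueError(f"{name}: value length {len(data)} not encodable")
        body += struct.pack("!BB", num, len(data) + 2) + data
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_acct_request(packet, secret):
    """Return (authenticator_ok, attributes) for an Accounting-Request.

    Malformed packets raise ValueError; a server should silently discard
    those, and also any packet whose authenticator_ok is False (wrong
    shared secret, or modification in transit)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    body = packet[HEADER_LEN:length]   # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    ok = hmac.compare_digest(packet[4:HEADER_LEN], expected)

    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        num, alen = body[pos], body[pos + 1]
        if alen < 3 or pos + alen > len(body):
            raise ValueError(f"attribute {num}: bad length {alen}")
        data = body[pos + 2:pos + alen]
        name, kind = ATTRS.get(num, (f"Attr-{num}", "raw"))
        if kind in ("int", "ipv4") and len(data) != 4:
            raise ValueError(f"{name}: expected 4 octets, got {len(data)}")
        if kind == "int":
            value = struct.unpack("!I", data)[0]
            if name == "Acct-Status-Type":
                value = STATUS_TYPES.get(value, value)
        elif kind == "ipv4":
            value = str(ipaddress.IPv4Address(data))
        elif kind == "text":
            value = data.decode("utf-8", errors="replace")
        else:
            value = data
        attrs[name] = value
        pos += alen
    return ok, attrs


# Constructed sample: the Start record an authenticator port would send
# under trigger=start_stop when supplicant "alice" logs on to port 15.
SECRET = b"example-shared-secret"                 # constructed
START_REQUEST = build_acct_request(7, [
    ("User-Name", "alice"),
    ("NAS-IP-Address", "149.11.11.11"),
    ("NAS-Port", 15),
    ("Calling-Station-Id", "00-00-5E-00-53-01"),  # RFC 7042 documentation MAC
    ("Acct-Status-Type", 1),                      # 1 = Start
    ("Acct-Session-Id", "0000000A"),
], SECRET)

if __name__ == "__main__":
    ok, attrs = parse_acct_request(START_REQUEST, SECRET)
    print("authenticator valid:", ok)
    for name, value in attrs.items():
        print(f"  {name}: {value}")
```

The authenticator is the only integrity protection these records carry, and it depends entirely on the shared secret configured on both the switch and the server; a server that skips the check will happily log forged Start and Stop records from anyone who can reach UDP port 1813.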
SHOW PORTACCESS|PORTAUTH
Syntax
show portaccess|portauth=8021x|macbased
Parameters
portaccess or
portauth
Specifies the authenticator method of the
port. Options are:
8021x
Displays information for an 802.1x
authenticator port.
macbased
Displays information for a MAC address-based
authenticator port.
config
Displays whether port-based access control is
enabled or disabled on the switch.
status
Displays the role and status of each port.
Description
This command displays the port roles. Figure 55 is an example of the
information displayed by this command.
802.1x Authentication Information
--------------------------------------------------
SystemAuthControl.................. Disabled
Number of 802.1x Supplicants....... 0 (480)

Port  Role           Supplicant Mode  Protocol Version
--------------------------------------------------
1     Authenticator  Single           1
2     Authenticator  Single           1
3     Authenticator  Single           1
4     Authenticator  Single           1
5     Authenticator  Single           1
6     Authenticator  Single           1
7     Authenticator  Single           1
8     Authenticator  Single           1
Figure 55. SHOW PORTACCESS|PORTAUTH Command
Examples
The following command displays the 802.1x authenticator ports:
show portaccess=8021x
The following command displays the MAC address-based authenticator
ports:
show portaccess=macbased
SHOW PORTACCESS|PORTAUTH PORT
Syntax
show portaccess|portauth=8021x|macbased port=port
authenticator|supplicant [config] [status]
Parameters
portaccess or
portauth
Specifies the authenticator method of the
port. Options are:
8021x
Displays information for an 802.1x
authenticator port.
macbased
Displays information for a MAC address-based
authenticator port.
port
Specifies the port whose port-based access control
settings you want to view. You can specify more than
one port at a time.
authenticator
Indicates that the port is an authenticator.
supplicant
Indicates that the port is a supplicant.
config
Displays the port-based access control settings for
the port. Omitting this option and the STATUS option
displays information on both.
status
Displays the status and role of the port. Omitting this
option and the CONFIG option displays information
on both.
Description
This command displays information about authenticator and supplicant
ports.
Figure 56 illustrates the information displayed by this command for an
authenticator port. For an explanation of the parameters, refer to “SET
PORTACCESS|PORTAUTH PORT ROLE=AUTHENTICATOR” on
page 618.
Port 1
PAE Type.................. Authenticator
Supplicant Mode........... Single
AuthControlPortControl.... Auto
quietPeriod............... 60
txPeriod.................. 30
suppTimeout............... 30
serverTimeout............. 30
maxReq.................... 2
reAuthPeriod.............. 3600
reAuthEnabled............. Enabled
vlanAssignment............ Enabled
secureVlan................ On
guestVlan................. None (VID=0)
adminControlDirection..... Both
piggyBack................. Disabled
Attached Supplicant(s)
MAC Address.....................
Authenticator PAE State......... Connecting
Port Status..................... Unauthorized
Backend Authenticator State..... Initialize
Figure 56. Authenticator Port Information
Figure 57 illustrates the information displayed for a supplicant port. For an
explanation of the parameters, refer to “SET PORTACCESS|PORTAUTH
PORT ROLE=SUPPLICANT” on page 626.
Port 5
PAE Type.................. Supplicant
heldPeriod...................... 60
authPeriod...................... 30
startPeriod..................... 30
maxStart........................ 3
Supplicant PAE State............ Connecting
Figure 57. Supplicant Port Information
Examples
The following command displays the configuration and status for port 10,
which is an 802.1x authenticator port:
show portaccess=8021x port=10 authenticator
The following command displays the configuration and status for port 12,
which is a MAC address-based authenticator port:
show portaccess=macbased port=12 authenticator
This command displays the port access configuration of port 17, which is a
supplicant port:
show portaccess port=17 supplicant
SHOW RADIUSACCOUNTING
Syntax
show radiusaccounting
Parameters
None.
Description
This command displays the current parameter settings for RADIUS
accounting, which sends updates of supplicant activity on the switch’s
authenticator ports to the RADIUS server. Figure 58 is an example of the
information displayed by this command.
Radius Accounting Configuration
------------------------------------
Radius Accounting Status ...........: Enabled
Radius Accounting Port..............: 1813
Radius Accounting Type..............: Network
Radius Accounting Trigger Type......: Start_Stop
Radius Accounting Update Status.....: Disabled
Radius Accounting Update Interval...: 60
Figure 58. SHOW RADIUSACCOUNTING Command
The information displayed by this command is described here:
• Radius Accounting Status - Specifies the status of RADIUS accounting
on the switch. A status of Enabled means that the switch is sending
supplicant updates to the RADIUS server. A status of Disabled means
that the feature is not activated. The default is disabled.
• Radius Accounting Port - Specifies the UDP port for RADIUS
accounting. The default is port 1813.
• Radius Accounting Type - Specifies the type of RADIUS accounting.
The only possible setting is Network.
• Radius Accounting Trigger Type - Specifies the action that causes the
switch to send accounting information to the RADIUS server. An action
of Start_Stop sends accounting information whenever a client logs on
or logs off the network. This is the default. An action of Stop_Only
sends accounting information only when a client logs off.
• Radius Accounting Update Status - Specifies whether the switch is to
send interim accounting updates to the RADIUS server. The default is
disabled.
• Radius Accounting Update Interval - Specifies the interval at which the
switch sends interim accounting updates to the RADIUS server. The
default is 60 seconds.
Example
The following command displays the current parameter settings for
RADIUS accounting:
show radiusaccounting
Section IX
Management Security
The chapters in this section contain the commands for configuring
management security using the AT-S63 management software. The
chapters include:
• Chapter 35, “Web Server Commands” on page 639
• Chapter 36, “Encryption Key Commands” on page 649
• Chapter 37, “Public Key Infrastructure (PKI) Certificate Commands” on
page 657
• Chapter 38, “Secure Sockets Layer (SSL) Commands” on page 673
• Chapter 39, “Secure Shell (SSH) Commands” on page 677
• Chapter 40, “TACACS+ and RADIUS Commands” on page 685
• Chapter 41, “Management ACL Commands” on page 699
Chapter 35
Web Server Commands
This chapter contains the following commands:
• “DISABLE HTTP SERVER” on page 640
• “ENABLE HTTP SERVER” on page 641
• “PURGE HTTP SERVER” on page 642
• “SET HTTP SERVER” on page 643
• “SHOW HTTP SERVER” on page 648
Note
Remember to use the SAVE CONFIGURATION command to save
your changes.
Note
For background information on this feature, refer to Chapter 32,
“Web Server” in the AT-S63 Management Software Menus Interface
User’s Guide.
DISABLE HTTP SERVER
Syntax
disable http server
Parameters
None.
Description
This command disables the web server on the switch. When the server is
disabled, you cannot manage the switch from a web browser. To view the
current status of the web server, see “SHOW HTTP SERVER” on
page 648. The default setting for the web server is enabled.
Example
The following command disables the web server:
disable http server
ENABLE HTTP SERVER
Syntax
enable http server
Parameters
None.
Description
This command activates the web server on the switch. Activating the
server allows you to manage the unit from a web browser. To view the
current status of the web server, see “SHOW HTTP SERVER” on
page 648. The default setting for the web server is enabled.
Example
The following command activates the web server:
enable http server
PURGE HTTP SERVER
Syntax
purge http server
Parameters
None.
Description
This command resets the HTTP server to its default values, as specified in
Appendix A, “AT-S63 Default Settings” in the AT-S63 Management
Software Menus Interface User’s Guide. To view the current web server
settings, refer to “SHOW HTTP SERVER” on page 648.
Example
The following command resets the web server parameters to their default
values:
purge http server
SET HTTP SERVER
Syntax
set http server [security=enabled|disabled] [sslkeyid=keyid] [port=port]
Parameters
security
Specifies the security mode of the web server. The
options are:
enabled
Specifies that the web server is to
function in the secure HTTPS mode.
disabled
Specifies that the web server is to
function in the non-secure HTTP
mode. This is the default.
sslkeyid
Specifies a key pair ID. This parameter is required if
you are configuring the web server to operate in the
secure HTTPS mode.
port
Specifies the TCP port number that the web server
will listen on. The default for non-secure HTTP
operation is port 80. The default for secure HTTPS
operation is port 443.
Description
This command configures the web server. You can configure the server for
either secure HTTPS or non-secure HTTP operation.
Before configuring the web server, please note the following:
• You cannot use this command when the web server is enabled. You
must first disable the web server before making changes. To disable
the server, refer to “DISABLE HTTP SERVER” on page 640.
• To configure the web server for the HTTPS secure mode, you must
first create an encryption key and a certificate, and add the certificate
to the certificate database. The management software will not allow
you to configure the web server for the secure HTTPS mode until
those steps have been completed.
Examples
The following command configures the web server for the non-secure
HTTP mode. Since no port is specified, the default HTTP port 80 is used:
set http server security=disabled
The following command configures the web server for the secure HTTPS
mode. It specifies the key pair ID as 5. Since no port is specified, the
default HTTPS port 443 is used:
set http server security=enabled sslkeyid=5
General Configuration Steps for a Self-signed Certificate
Below are the steps for configuring the switch’s web server with a self-signed
certificate using the command line commands:
1. Set the switch’s date and time. You can do this manually using “SET
DATE” on page 83 or you can configure the switch to obtain the date
and time from an SNTP server using “ADD SNTPSERVER
PEER|IPADDRESS” on page 78.
2. Create an encryption key pair using “CREATE ENCO KEY” on
page 650 (syntax 1).
3. Create the self-signed certificate using “CREATE PKI CERTIFICATE”
on page 660.
4. Add the self-signed certificate to the certificate database using “ADD
PKI CERTIFICATE” on page 658.
5. Disable the switch’s web server using “DISABLE HTTP SERVER” on
page 640.
6. Configure the web server using “SET HTTP SERVER” on page 643.
7. Activate the web server using “ENABLE HTTP SERVER” on
page 641.
The following is an example of the command sequence for configuring the
web server with a self-signed certificate. (The example does not include
step 1, setting the system time.)
1. This command creates the encryption key pair with an ID of 4, a length
of 512 bits, and the description “Switch 12 key”:
create enco key=4 type=rsa length=512 description="Switch
12 key"
2. This command creates a self-signed certificate using the key created
in step 1. The certificate is assigned the filename “Sw12cert.cer”. (The
“.cer” extension is not included in the command because it is added
automatically by the management software.) The certificate is
assigned the serial number 0 and a distinguished name of
149.11.11.11, which is the IP address of a master switch:
create pki certificate=Sw12cert keypair=4 serialnumber=0
subject="cn=149.11.11.11"
3. This command adds the new certificate to the certificate database. The
certificate is given a description of “Switch 12 certificate”:
add pki certificate="Switch 12 certificate"
location=Sw12cert.cer
4. This command disables the web server:
disable http server
5. This command configures the web server by activating HTTPS and
specifying the encryption key pair created in step 1:
set http server security=enabled sslkeyid=4
6. This command enables the web server:
enable http server
General Configuration Steps for a CA Certificate
Below are the steps for configuring the switch’s web server with CA
certificates using the command line commands. The steps explain how to
create an encryption key and an enrollment request, how to install the
certificates returned by the CA, and how to configure the web server for
them:
1. Set the switch’s date and time. You can do this manually using the
“SET DATE” on page 83 or you can configure the switch to obtain the
date and time from an SNTP server using “ADD SNTPSERVER
PEER|IPADDRESS” on page 78.
2. Create an encryption key pair using “CREATE ENCO KEY” on
page 650 (syntax 1).
3. Set the switch’s distinguished name using “SET SYSTEM
DISTINGUISHEDNAME” on page 670.
4. Create an enrollment request using “CREATE PKI
ENROLLMENTREQUEST” on page 663.
5. Upload the enrollment request from the switch to a management
station or TFTP server using “UPLOAD METHOD=XMODEM” on
page 224 or “UPLOAD METHOD=TFTP” on page 221.
6. Submit the enrollment request to a CA.
7. After you have received the CA certificates, download them into the
switch’s file system using “LOAD METHOD=XMODEM” on page 211
or “LOAD METHOD=TFTP” on page 206.
8. Add the CA certificates to the certificate database using “ADD PKI
CERTIFICATE” on page 658.
9. Disable the switch’s web server using the command “DISABLE HTTP
SERVER” on page 640.
10. Configure the web server using “SET HTTP SERVER” on page 643.
11. Activate the web server using “ENABLE HTTP SERVER” on page 641.
The following is an example of the command sequence for configuring the
web server for CA certificates. It explains how to create an encryption key
and enrollment request, and how to download the CA certificates on the
switch. (The example does not include step 1, setting the system time, and
the procedure for submitting the request to a CA, which will vary
depending on the enrollment requirements of the CA.)
1. This command creates the encryption key pair with an ID of 8, a length
of 512 bits, and the description “Switch 24 key”:
create enco key=8 type=rsa length=512 description="Switch
24 key"
2. This command sets the switch’s distinguished name to the IP address
149.44.44.44, which is the IP address of a master switch:
set system distinguishedname="cn=149.44.44.44"
3. This command creates an enrollment request using the encryption key
created in step 1. It assigns the request the filename “sw24cer.csr”.
The command omits the “.csr” extension because the management
software adds it automatically:
create pki enrollmentrequest=sw24cer keypair=8
4. This command uploads the enrollment request from the switch’s file
system to a TFTP server. The command assumes that the TFTP
server has the IP address 149.88.88.88. (This step could also be
performed using Xmodem.)
upload method=tftp destfile=c:sw24cer.csr
server=149.88.88.88 file=sw24cer.csr
5. These commands download the CA certificates into the switch’s file
system from the TFTP server. The commands assume that the IP
address of the server is 149.88.88.88 and that the certificate names
are “sw24cer.cer” and “ca.cer”. (This step could be performed using
Xmodem.)
load method=tftp destfile=sw24cer.cer server=149.88.88.88
file=c:sw24cer.cer
load method=tftp destfile=ca.cer server=149.88.88.88
file=c:ca.cer
6. These commands load the certificates into the certificate database:
add pki certificate="Switch 24 certificate"
location=sw24cer.cer
add pki certificate="CA certificate" location=ca.cer
7. This command disables the web server:
disable http server
8. This command configures the web server. It activates HTTPS and
specifies the key created in step 1:
set http server security=enabled sslkeyid=8
9. This command enables the web server:
enable http server
SHOW HTTP SERVER
Syntax
show http server
Parameters
None.
Description
This command displays the following information about the web server on
the switch:
• Status
• SSL security
• SSL key ID
• Listen port
Example
The following command displays the status of the web server:
show http server
Chapter 36
Encryption Key Commands
This chapter contains the following commands:
• “CREATE ENCO KEY” on page 650
• “DESTROY ENCO KEY” on page 654
• “SET ENCO KEY” on page 655
• “SHOW ENCO” on page 656
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 33, “Encryption Keys”
in the AT-S63 Management Software Menus Interface User’s Guide.
CREATE ENCO KEY
Syntax 1
create enco key=key-id type=rsa length=value
[description="description"]
Syntax 2
create enco key=key-id type=rsa [description="description"]
[file=filename.key] [format=hex|ssh|ssh2]
Parameters
key
Specifies a key ID. The range is 0 to 65,535. The
default is 0. When creating a new key this value must
be unique from all other key IDs on the switch.
type
Specifies the type of key, which can only be a random
RSA key.
length
Specifies the length of the key in bits. The range is
512 to 1536 bits, in increments of 256 bits (for
example, 512, 768, 1024, etc). The default is 512 bits.
This parameter is only used when creating a new
encryption key pair.
description
Specifies a description for the encryption key. The
description can be up to 40 alphanumeric characters.
Spaces are allowed. The description must be
enclosed in quotes. This parameter, which is optional,
is used when creating a new key pair and when
importing a public key from the AT-S63 file system to
the key database. This parameter should not be used
when exporting a public key to the file system.
file
Specifies a filename for the key. The filename must
include the “.key” extension. This parameter is used
when you are importing or exporting a public key from
the key database. This parameter is not used when
creating a new encryption key pair.
format
Specifies the format when importing or exporting a
public encryption key. The options are:
hex
Specifies a hexadecimal format used
to transfer a key between devices
other than switches. This is the
default.
ssh
Specifies a format for Secure Shell
version 1 users.
ssh2
Specifies a format for Secure Shell
version 2 users.
Description
This command serves two functions. One is to create encryption keys. The
other is to import and export public encryption keys from the AT-S63 file
system to the key database.
Caution
Key generation is a CPU-intensive process. Because this process
may affect switch behavior, Allied Telesyn recommends creating
keys when the switch is not connected to a network or during
periods of low network activity.
Syntax 1 Description
Syntax 1 creates encryption key pairs. It creates both the public and
private keys of a key pair. A new key pair is automatically stored in the key
database and the file system. To view the current keys on a switch, use
the “SHOW ENCO” on page 656.
The KEY parameter specifies the identification number for the key. The
number must be unique from all other key pairs already on the switch. The
range is 0 to 65,535. This number is used only for identification purposes
and not in generating the actual encryption key pair.
The TYPE parameter specifies the type of key to be created. The only
option is RSA.
The LENGTH parameter specifies the length of the key in bits. The range
is 512 to 1,536 bits, in increments of 256 bits (for example, 512, 768, 1024,
etc). Before selecting a key length, note the following:
• For SSL and web browser encryption, key length can be any valid
value within the range. Note that 512-bit RSA moduli have been publicly
factored, so for keys that protect management sessions use the longest
length the switch accepts.
• For SSH host and server key pairs, the two key pairs must be created
separately and be of different lengths of at least one increment (256
bits) apart. The recommended length for the server key is 768 bits and
the recommended length for the host key is 1024 bits.
The DESCRIPTION parameter is optional. You can use it to add a
description to the key. This can help you identify the different keys on the
switch. The description can be up to forty alphanumeric characters. It must
be enclosed in quotes and spaces are allowed.
Chapter 36: Encryption Key Commands
Syntax 1 Examples
This example creates a key with the ID of 12 and a length of 512 bits:
create enco key=12 type=rsa length=512
This example creates a key with the ID of 4, a length of 1024 bits, and a
description of “Switch12a encryption key”:
create enco key=4 type=rsa length=1024
description="Switch12a encryption key"
Syntax 2 Description
Syntax 2 is used to import and export public encryption keys. You can
import a public key from the AT-S63 file system to the key database or
export one from the key database to the file system.
The only circumstance in which you are likely to use this command is if
you are using an SSH client that does not download the switch’s host key
automatically when you start an SSH management session. In that
situation, you can export the public half of the switch’s SSH host key from
the key database into the AT-S63 file system, upload the file from the
switch to your management station, and install it in your SSH client
software so that the client can verify the switch’s identity.
You should not use this command to export an SSL public key. Typically,
an SSL public key only has value when incorporated into a certificate or
enrollment request.
The KEY parameter specifies the identification number for the key. The
range is 0 to 65,535. To import a public key from the file system to the key
database, the key ID must be unused; it cannot already be assigned to
another key pair. Importing a public key to the database assumes that you
have already stored the public key in the file system.
If you are exporting a public key from the key database to the file system,
the KEY parameter should specify the ID of the key that you want to
export. Only the public key of a key pair is exported to the file system. You
cannot export a private key.
The TYPE parameter specifies the type of key to be imported or exported.
The only option is RSA.
The FILE parameter specifies the filename of the encryption key. The
filename must include the “.key” extension. If you are exporting a key from
the key database to the file system, the filename must be unique from all
other files in the file system. If you are importing a key, the filename should
specify the name of the file in the file system that contains the key you
want to import into the key database.
The DESCRIPTION parameter specifies a user-defined description for the
key. This parameter should be used only when importing a key and not
when exporting a key. The description will appear next to the key when
you view the key database. Descriptions can help you identify the different
keys stored in the switch.
The FORMAT parameter specifies the format of the key file, which can be
either Secure Shell format (SSH version 1 or 2) or hexadecimal format
(HEX). Choose the format that the device or client receiving the key
expects. If the parameter is omitted, the default, HEX, is used.
Syntax 2 Examples
This is an example of exporting a public key from the key database to the
file system. The example assumes that the ID of the key pair with the
public key to be exported is 12 and that you want to store the key as a file
called “public12.key” in the file system. It specifies the format as SSH
version 1 and the type as RSA:
create enco key=12 type=rsa file=public12.key format=ssh
This is an example of importing a public key from the file system to the key
database. It assumes that the name of the file containing the public key is
swpub24.key and that the key is to be given the ID number 6 in the key
database. It gives the key the description “Switch 24 public key.” The
format is SSH version 2 and the type is RSA:
create enco key=6 type=rsa description="Switch 24 public key"
file=swpub24.key format=ssh2
DESTROY ENCO KEY
Syntax
destroy enco key=key-id
Parameter
key
Specifies the ID number of the key pair to be deleted
from the key database.
Description
This command deletes an encryption key pair from the key database. This
command also deletes the key’s corresponding “.UKF” file from the file
system. After a key pair is deleted, any SSL certificate created using the
public key of the key pair will be invalid and cannot be used to manage the
switch. To view the keys, see “SHOW ENCO” on page 656.
You cannot delete a key pair if it is being used by SSL or SSH. You must
first either disable the SSL or SSH server software on the switch or
reconfigure the software by specifying another key.
Example
The following command destroys the encryption key pair with the key ID 4:
destroy enco key=4
SET ENCO KEY
Syntax
set enco key=key-id description="description"
Parameters
key
Specifies the ID number of the key pair whose
description you want to change.
description
Specifies the new description of the key. The
description can contain up to 25 alphanumeric
characters. Spaces are allowed. The description must
be enclosed in double quotes.
Description
This command changes the description of a key pair. Descriptions can
make it easier to identify the different keys on a switch.
The KEY parameter specifies the identification number of the key. The
encryption key must already exist. To view the keys on a switch, see
“SHOW ENCO” on page 656.
The DESCRIPTION parameter specifies the new description for the key.
Example
The following command changes the description for the key with the ID 6
to “Switch 22 key”:
set enco key=6 description="Switch 22 key"
SHOW ENCO
Syntax
show enco key=[key-id]
Parameters
key
Specifies the ID of a specific key whose information
you want to display. Otherwise, all keys are displayed.
Description
This command displays information about encryption key pairs stored in
the key database. This command displays the following information about
each key:
◆ ID
◆ Algorithm
◆ Length
◆ Digest
◆ Description
Example
The following command displays the information on encryption key 1:
show enco key=1
Chapter 37
Public Key Infrastructure (PKI)
Certificate Commands
This chapter contains the following commands:
◆ “ADD PKI CERTIFICATE” on page 658
◆ “CREATE PKI CERTIFICATE” on page 660
◆ “CREATE PKI ENROLLMENTREQUEST” on page 663
◆ “DELETE PKI CERTIFICATE” on page 665
◆ “PURGE PKI” on page 666
◆ “SET PKI CERTIFICATE” on page 667
◆ “SET PKI CERTSTORELIMIT” on page 669
◆ “SET SYSTEM DISTINGUISHEDNAME” on page 670
◆ “SHOW PKI” on page 671
◆ “SHOW PKI CERTIFICATE” on page 672
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 34, “PKI Certificates
and SSL” in the AT-S63 Management Software Menus Interface
User’s Guide.
ADD PKI CERTIFICATE
Syntax
add pki certificate="name" location="filename.cer"
[trusted=yes|no|on|off|true|false] [type=ca|ee|self]
Parameters
certificate
Specifies a name for the certificate. This is the name
for the certificate as it will appear in the certificate
database list. The name can be up to 40 alphanumeric
characters. Spaces are allowed. If the name contains
spaces, it must be enclosed in double quotes. Each
certificate must be given a unique name.
location
Specifies the filename of the certificate, with the “.cer”
file extension, as it is stored in the switch’s file
system.
trusted
Specifies whether or not the certificate is from a
trusted CA. The options are:
yes, on, true
Specifies that the certificate is from a
trusted CA. This is the default.
no, off, false
Specifies that the certificate is not
from a trusted CA.
type
Specifies the type of certificate being added. The
options are:
ca
Tags the certificate as a CA
certificate.
ee
Tags the certificate as belonging to
another end entity (EE). This is the
default.
self
Tags the certificate as the switch’s own.
Description
This command adds a certificate to the certificate database from the
AT-S63 file system. To view the certificate files in the file system, refer to
“SHOW FILE” on page 201. To view the certificates already in the
database, refer to “SHOW PKI CERTIFICATE” on page 672.
The CERTIFICATE parameter assigns the certificate a name. The name
can be from 1 to 40 alphanumeric characters. Each certificate in the
database should be given a unique name.
The LOCATION parameter specifies the filename of the certificate as
stored in the switch’s file system. When specifying the filename, be sure to
include the file extension “.cer”.
The TRUSTED parameter specifies whether the certificate is from a
trusted CA. The default is TRUE. Only self-signed root CA certificates are
typically set to be automatically trusted, and only after the user has
checked the certificate’s fingerprint and other details using “SHOW PKI
CERTIFICATE” on page 672.
The TYPE parameter specifies what type of certificate is being added.
Self-signed certificates should be assigned a type of SELF. If CA is
specified, the switch tags this certificate as a CA certificate. If ENDENTITY
or EE is specified, the switch tags the certificate to indicate that it belongs
to an end entity. The default is ENDENTITY.
Note
The TRUSTED and TYPE parameters have no effect on the
operation of a certificate. You can select any permitted value for
either parameter, or you can omit the parameters. The parameters
are included only as placeholders for information in the certificate
database.
Example
The following command loads the certificate “sw12.cer” from the file
system into the certificate database. The certificate is assigned the name
“Switch 12 certificate”:
add pki certificate="Switch 12 certificate"
location="sw12.cer" type=self
CREATE PKI CERTIFICATE
Syntax
create pki certificate=name keypair=key-id
serialnumber=value [format=der|pem]
subject="distinguished-name"
Parameters
certificate
Specifies a name for the self-signed certificate. The
name can be from one to eight alphanumeric
characters. Spaces are allowed; if included, the name
must be enclosed in double quotes. The
management software automatically adds the “.cer”
extension.
keypair
Specifies the ID of the key pair that you want to use to
create the certificate.
serialnumber
Specifies the serial number for the certificate. The
range is 0 to 2147483647. The default is 0.
format
Specifies the type of encoding the certificate will use.
The options are:
der
Specifies binary format, which cannot
be displayed. This is the default.
pem
Specifies an ASCII-encoded format
that allows the certificate to be
displayed once it is generated.
subject
Specifies the distinguished name for the certificate.
The name must be enclosed in quotes.
Description
This command creates a self-signed certificate. You can use the certificate
to add encryption to your web browser management sessions of the
switch. A new self-signed certificate is automatically stored in the switch’s
file system.
Before you can create a self-signed certificate, you must create an
encryption key pair. The certificate will contain the public key of the key
pair. To create a key pair, refer to “CREATE ENCO KEY” on page 650.
After you have created a new self-signed certificate, you need to load it
into the certificate database. The switch cannot use the certificate for
encrypted web browser management sessions until it is loaded into the
database. For instructions, refer to “ADD PKI CERTIFICATE” on
page 658.
Note
For a review of the steps for configuring the web server for a
self-signed certificate, refer to “SET HTTP SERVER” on page 643.
The CERTIFICATE parameter assigns a file name to the certificate. This is
the name under which the certificate will be stored as in the switch’s file
system. The name can be from one to eight alphanumeric characters. If
the name includes a space, it must be enclosed in double quotes. The
software automatically adds the extension “.cer” to the name.
The KEYPAIR parameter specifies the ID of the encryption key that you
want to use to create the certificate. The public key of the pair will be
incorporated into the certificate. The key pair that you select must already
exist on the switch. To create a key pair, refer to “CREATE ENCO KEY” on
page 650. To view the IDs of the keys already on the switch, refer to
“SHOW ENCO” on page 656.
The SERIALNUMBER parameter specifies the number to be inserted into
the serial number field of the certificate. A serial number is typically used to
distinguish a certificate from all others issued by the same issuer, in this
case the switch. Self-signed certificates are usually assigned a serial
number of 0.
The FORMAT parameter specifies the type of encoding the certificate will
use. PEM is ASCII-encoded and allows the certificate to be displayed once
it has been generated. DER encoding is binary and so cannot be
displayed. The default is DER.
The SUBJECT parameter specifies the distinguished name for the
certificate. The name is inserted in the subject field of the certificate. Allied
Telesyn recommends using the IP address of the master switch as the
distinguished name (for example, “cn=149.11.11.11”). If your network has
a Domain Name System and you mapped a name to the IP address of a
switch, you can specify the switch’s name instead of the IP address as the
distinguished name. For an explanation of distinguished names, refer to
Chapter 34, “PKI Certificates and SSL” in the AT-S63 Management
Software Menus Interface User’s Guide.
Examples
The following command creates a self-signed certificate. It assigns the
certificate the filename “sw12.cer”. (The management software
automatically adds the “.cer” extension.) The command uses the key pair
with the ID 12 to create the certificate. The format is ASCII and the
distinguished name is the IP address of a master switch:
create pki certificate=sw12 keypair=12 serialnumber=0
format=pem subject="cn=149.11.11.11"
The following command creates a self-signed certificate with a filename of
“S45 cert”. The key pair used to create it has the ID 5. No format is
specified, so the default binary format is used. The distinguished name is
the IP address of another master switch:
create pki certificate="S45 cert" keypair=5 serialnumber=0
subject="cn=149.22.22.22"
CREATE PKI ENROLLMENTREQUEST
Syntax
create pki enrollmentrequest="name" keypair=key-id
[format=der|pem] [type=pkcs10]
Parameters
enrollmentrequest
Specifies a filename for the enrollment request. The
filename can be from 1 to 8 alphanumeric
characters. If the name contains spaces, it must be
enclosed in double quotes. The management
software automatically adds the “.csr” extension.
keypair
Specifies the key pair that you want to use to create
the enrollment request.
format
Specifies the type of encoding the certificate
request will use. The options are:
der
Specifies binary format, which cannot
be displayed. This is the default.
pem
Specifies an ASCII-encoded format
that allows the request to be
displayed once it is generated.
type
Formats the request according to PKCS #10. This is
the only option.
Description
This command creates a certificate enrollment request. You create an
enrollment request when you want a public or private CA to issue a
certificate.
Before you can create an enrollment request, you must create the key pair
that you want the CA to use when creating the certificate. The enrollment
request will contain the public key of the key pair. To create a key pair,
refer to “CREATE ENCO KEY” on page 650.
You must also set the system’s distinguished name before using this
command. For an explanation of distinguished names, refer to Chapter 34,
“PKI Certificates and SSL” in the AT-S63 Management Software Menus
Interface User’s Guide. To set the distinguished name, refer to “SET
SYSTEM DISTINGUISHEDNAME” on page 670.
Note
For a review of the steps for configuring the web server for a CA
certificate, refer to “SET HTTP SERVER” on page 643.
The ENROLLMENTREQUEST parameter specifies a filename for the
request. The filename can contain from 1 to 8 alphanumeric characters. If
spaces are used, the name must be enclosed in quotes. The management
software automatically adds the “.csr” extension. This is the filename
under which the request will be stored in the file system.
The KEYPAIR parameter specifies the key that you want to use to create
the enrollment request. The public key of the pair is incorporated into the
request.
The FORMAT parameter specifies the type of encoding format for the
request. DER specifies that the enrollment request should be written
straight to the binary file. PEM specifies that the enrollment request should
be encoded using the “Privacy Enhanced Mail” format. The default is
DER. This parameter is only valid for manual enrollment.
The TYPE parameter specifies the type of request. The only option is
PKCS10.
You do not need to use the SAVE CONFIGURATION command after you
create an enrollment request. The file is permanently saved in the file
system until you manually delete it.
Examples
The following command creates an enrollment request. It names the
enrollment request file “Switch12” and uses the key pair with the ID 4 to
generate the request:
create pki enrollmentrequest=Switch12 keypair=4
DELETE PKI CERTIFICATE
Syntax
delete pki certificate="name"
Parameter
certificate
Specifies the name of the certificate you want to
delete from the certificate database. The name is
case sensitive. If the name contains spaces, it must
be enclosed in double quotes. Wildcards are not
allowed.
Description
This command deletes a certificate from the switch’s certificate database.
To view the certificates in the database, refer to “SHOW PKI
CERTIFICATE” on page 672.
Deleting a certificate from the database does not delete it from the file
system. To delete a file from the file system, refer to “DELETE FILE” on
page 191.
You cannot delete a certificate from the database if you specified its
corresponding encryption key as the active key in the web server
configuration. The switch considers the certificate to be in use and will not
allow you to delete it. You must first configure the web server with another
encryption key pair for a different certificate.
Example
The following command deletes the certificate “Switch 12 certificate” from
the certificate database:
delete pki certificate="Switch 12 certificate"
PURGE PKI
Syntax
purge pki
Parameters
None.
Description
This command deletes all certificates from the certificate database and
resets the certificate database storage limit to the default. This command
does not delete the certificates from the file system. To delete files from
the file system, refer to “DELETE FILE” on page 191.
Example
The following command deletes the certificates from the database and
resets the storage limit to the default:
purge pki
SET PKI CERTIFICATE
Syntax
set pki certificate="name"
[trusted=yes|no|on|off|true|false] [type=ca|ee|self]
Parameters
certificate
Specifies the name of the certificate whose trust or type you
want to change. The name is case sensitive. If the name
contains spaces, it must be enclosed in quotes.
trusted
Specifies whether or not the certificate is from a trusted CA.
The options are:
yes, on, true
Specifies that the certificate is from a trusted CA. This is
the default. The options are equivalent.
no, off, false
Specifies that the certificate is not from a trusted CA. The
options are equivalent.
type
Specifies a type for the certificate. The options are:
ca
Tags the certificate as a CA certificate.
ee
Tags the certificate as belonging to another end entity (EE).
This is the default.
self
Tags the certificate as the switch’s own.
Description
This command changes the level of trust and type for a certificate in the
switch’s certificate database. To list the certificates in the database, refer
to “SHOW PKI CERTIFICATE” on page 672.
The TRUSTED parameter specifies whether the certificate is from a
trusted CA. The default is TRUE. Only self-signed root CA certificates are
typically set to be automatically trusted, and only after the user has
checked the certificate’s fingerprint and other details using “SHOW PKI
CERTIFICATE” on page 672.
The TYPE parameter specifies the certificate type. If CA is specified, the
switch tags this certificate as a CA certificate. If ENDENTITY or EE is
specified, the switch tags the certificate to indicate that it belongs to an end
entity. If SELF is specified, the switch tags the certificate as its own. The
default is ENDENTITY.
Note
The TRUSTED and TYPE parameters have no effect on the
operation of a certificate. You can select any permitted value for
either parameter. The parameters are included only as placeholders
for information in the certificate database.
Example
The following command sets the certificate named “Switch 12 certificate”
to be trusted.
set pki certificate="Switch 12 certificate" trusted=true
SET PKI CERTSTORELIMIT
Syntax
set pki certstorelimit=value
Parameter
certstorelimit
Specifies the maximum number of certificates the
certificate database can store. The range is 12 to
256; the default is 256.
Description
This command sets the maximum number of certificates the database can
store.
Example
The following command sets the certificate storage limit to 100:
set pki certstorelimit=100
SET SYSTEM DISTINGUISHEDNAME
Syntax
set system distinguishedname="name"
Parameter
distinguishedname
Specifies the distinguished name for the switch.
The name must be enclosed in quotes.
Description
This command sets the distinguished name for the switch. The
distinguished name is used to create a self-signed certificate or enrollment
request. For an explanation of distinguished names, refer to Chapter 34,
“PKI Certificates and SSL” in the AT-S63 Management Software Menus
Interface User’s Guide.
Allied Telesyn recommends using the switch’s IP address or, for networks
with a Domain Name System, its domain name as the distinguished name.
For slave switches, which do not have an IP address, you can use the IP
address or domain name of the master switch of the enhanced stack as
the slave switch’s distinguished name.
To set the distinguished name when creating a self-signed certificate, you
can use this command or you can set it directly in “CREATE PKI
CERTIFICATE” on page 660, which is the command for creating a
self-signed certificate. It has a parameter for setting the distinguished name.
If you are creating an enrollment request, you must set the distinguished
name with this command first before creating the request. The command
for creating an enrollment request is “CREATE PKI
ENROLLMENTREQUEST” on page 663.
Example
The following command sets the switch’s distinguished name to the IP
address 169.22.22.22:
set system distinguishedname="cn=169.22.22.22"
SHOW PKI
Syntax
show pki
Parameters
None.
Description
This command displays the current setting for the maximum number of
certificates the switch will allow you to store in the certificate database. To
change this value, refer to “SET PKI CERTSTORELIMIT” on page 669.
Example
The following command displays the current PKI settings:
show pki
SHOW PKI CERTIFICATE
Syntax
show pki certificate[="name"]
Parameter
certificate
Specifies the name of a certificate. If the name
contains spaces, it must be enclosed in double
quotes. This parameter is case sensitive. Wildcards
are not allowed.
Description
This command lists all of the certificates in the certificates database. This
command can also display information about a specific certificate in the
database.
Example
The following command lists all of the certificates in the database:
show pki certificate
The following command displays information specific to the certificate
“Switch 12 certificate”:
show pki certificate="Switch 12 certificate"
Chapter 38
Secure Sockets Layer (SSL) Commands
This chapter contains the following commands:
◆ “SET SSL” on page 674
◆ “SHOW SSL” on page 675
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 34, “PKI Certificates
and SSL” in the AT-S63 Management Software Menus Interface
User’s Guide.
SET SSL
Syntax
set ssl [cachetimeout=value] [maxsessions=value]
Parameters
cachetimeout
Specifies the maximum time in seconds that a
session will be retained in the cache. The range is 1 to
600 seconds. The default is 300 seconds.
maxsessions
Specifies the maximum number of sessions that will
be allowed in the session resumption cache. The
range is 0 to 100 sessions. The default is 50
sessions.
Description
This command configures the SSL parameters.
The CACHETIMEOUT parameter determines the maximum time that a
session will be retained in the cache. The cache stores information about
closed connections so they can be resumed quickly. The default is 300
seconds.
The MAXSESSIONS parameter specifies the maximum number of
sessions that will be allowed in the session resumption cache. The
number of ENCO channels supported by the switch limits this number.
The default is 50 sessions.
Example
The following command sets the session resumption cache to 180
seconds:
set ssl cachetimeout=180
SHOW SSL
Syntax
show ssl
Parameters
None.
Description
This command displays the current settings for the following SSL values:
◆ Version
◆ Available ciphers
◆ Maximum number of sessions
◆ Cache timeout
Example
The following command displays the current SSL settings:
show ssl
Chapter 39
Secure Shell (SSH) Commands
This chapter contains the following commands:
◆ “DISABLE SSH SERVER” on page 678
◆ “ENABLE SSH SERVER” on page 679
◆ “SET SSH SERVER” on page 682
◆ “SHOW SSH” on page 684
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 35, “Secure Shell
(SSH)” in the AT-S63 Management Software Menus Interface User’s
Guide.
DISABLE SSH SERVER
Syntax
disable ssh server
Parameters
None.
Description
This command disables the Secure Shell server. When the Secure Shell
server is disabled, connections from Secure Shell clients are not
accepted.
By default, the Secure Shell server is disabled.
Example
The following command disables the Secure Shell server:
disable ssh server
ENABLE SSH SERVER
Syntax
enable ssh server hostkey=key-id serverkey=key-id
[expirytime=hours] [logintimeout=seconds]
Parameters
hostkey
Specifies the ID number of the encryption key pair to
function as the host key.
serverkey
Specifies the ID number of the encryption key pair to
function as the server key.
expirytime
Specifies the length of time, in hours, after which the
server key pair is regenerated. The range is 0 to 5
hours. Entering 0 never regenerates the key. The
default is 0.
logintimeout
Specifies the length of time, in seconds, the server waits
before disconnecting an unauthenticated client. The range
is 60 to 600 seconds and the default is 180 seconds.
Description
This command enables the Secure Shell server and sets the server’s
parameters. When the Secure Shell server is enabled, connections from
Secure Shell clients are accepted. The default setting for the server is
disabled.
The HOSTKEY parameter specifies the key ID of the host key pair. The
specified key pair must already exist. To create a key pair, refer to
“CREATE ENCO KEY” on page 650 (syntax 1).
The SERVERKEY parameter specifies the key of the server key pair. The
specified key pair must already exist.
The EXPIRYTIME parameter specifies the time, in hours, after which the
Secure Shell server key will expire and will be regenerated. If 0 is specified
the key does not expire. The range is 0 to 5 and the default is 0.
The LOGINTIMEOUT parameter specifies the length of time the server
waits before disconnecting an unauthenticated client. The range is 60 to
600 and the default is 180.
Note
Before you enable SSH, disable the Telnet management session.
Otherwise, the security provided by SSH is not active. See
“DISABLE TELNET” on page 44.
Example
The following command activates the Secure Shell server and specifies
encryption key pair 0 as the host key and key pair 1 as the server key:
enable ssh server hostkey=0 serverkey=1
General Configuration Steps for SSH Operation
Configuring the SSH server involves several commands. The information
in this section lists the functions and commands you need to perform to
configure the SSH feature.
1. Create two encryption key pairs. One pair will function as the SSH host
key and the other as the SSH server key. The keys must be of different
lengths, at least one increment (256 bits) apart. The recommended
size for the server key is 768 bits. The recommended size for the
host key is 1024 bits. To create a key pair, see “CREATE ENCO
KEY” on page 650.
2. Disable Telnet access to the switch with the DISABLE TELNET
command. See “DISABLE TELNET” on page 44.
Although the AT-S63 management software allows the SSH and
Telnet servers to be active on the switch simultaneously, allowing
Telnet to remain active negates the security of the SSH feature.
3. Configure and activate SSH on the switch using “ENABLE SSH
SERVER” on page 679.
4. Install SSH client software on your PC.
Follow the directions provided with the client software. You can
download SSH client software from the Internet. Two popular SSH
clients are PuTTY and OpenSSH (available for Windows under Cygwin).
5. Log on to the SSH server from the SSH client.
Acceptable users are those with a Manager or Operator login as well
as users configured with the RADIUS and TACACS+ protocols.
Example
The following is an example of the command sequence to configuring the
SSH software on the server:
1. The first step is to create the two encryption key pairs. Each key must
be created separately and the key lengths must be at least one
increment (256 bits) apart. The following two commands create the
host and server keys using the recommended key lengths:
create enco key=1 type=rsa length=1024 description="host key"
create enco key=2 type=rsa length=768 description="server key"
2. The following command disables Telnet:
disable telnet
3. The last command activates the SSH software and sets the host key
as encryption key pair 1 and the server key as key pair 2:
enable ssh server hostkey=1 serverkey=2
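The following Python script is an added example, not part of this guide or of the AT-S63 software. It turns the rules of this procedure into a preflight check: given the ENCO key IDs already on the switch with their lengths in bits, the planned host and server key IDs, and whether Telnet is still enabled, it either returns the command sequence to type or raises an error naming every rule the plan breaks. The function names are hypothetical, and the 2048-bit threshold in key_warnings is an assumption reflecting current RSA practice, not a value from this guide.

```python
from typing import Dict, List

MIN_KEY_GAP_BITS = 256           # "at least one increment (256 bits) apart"
LOGIN_TIMEOUT_RANGE = (60, 600)  # SET SSH SERVER logintimeout range; default 180
WEAK_RSA_BITS = 2048             # assumption: RSA shorter than this is treated as weak today


def ssh_enable_plan(keys: Dict[int, int], host_id: int, server_id: int,
                    telnet_enabled: bool, login_timeout: int = 180) -> List[str]:
    """Check a planned ENABLE SSH SERVER against this chapter's rules and return the
    commands to type, or raise ValueError listing every rule the plan breaks.
    `keys` maps the ENCO key IDs already on the switch to their length in bits."""
    problems = []
    for role, kid in (("host", host_id), ("server", server_id)):
        if kid not in keys:
            problems.append(f"{role} key id {kid} does not exist (create it with CREATE ENCO KEY)")
    if host_id == server_id:
        problems.append("host key and server key must be different key pairs")
    elif host_id in keys and server_id in keys:
        gap = abs(keys[host_id] - keys[server_id])
        if gap < MIN_KEY_GAP_BITS:
            problems.append(f"key lengths must differ by at least {MIN_KEY_GAP_BITS} bits (gap is {gap})")
    lo, hi = LOGIN_TIMEOUT_RANGE
    if not lo <= login_timeout <= hi:
        problems.append(f"logintimeout must be {lo}..{hi} seconds")
    if problems:
        raise ValueError("; ".join(problems))

    commands = []
    if telnet_enabled:
        commands.append("disable telnet")       # Telnet left on negates SSH's protection
    commands.append(f"enable ssh server hostkey={host_id} serverkey={server_id}")
    if login_timeout != 180:
        commands.append(f"set ssh server logintimeout={login_timeout}")
    commands.append("save configuration")
    return commands


def key_warnings(keys: Dict[int, int], host_id: int, server_id: int) -> List[str]:
    """Advisory only: the 768/1024-bit sizes this guide recommends predate current
    RSA guidance, so flag anything shorter than WEAK_RSA_BITS."""
    return [f"{role} key {kid} is {keys[kid]} bits, below {WEAK_RSA_BITS}"
            for role, kid in (("host", host_id), ("server", server_id))
            if kid in keys and keys[kid] < WEAK_RSA_BITS]


if __name__ == "__main__":
    existing = {1: 1024, 2: 768}   # constructed: key lengths as read from the switch
    for line in ssh_enable_plan(existing, 1, 2, telnet_enabled=True):
        print(line)
    for warning in key_warnings(existing, 1, 2):
        print("warning:", warning)
```

Run it against the key inventory before typing anything on the switch; the checks are deliberately fail-closed, so a plan that would leave Telnet running or reuse one key pair for both roles never produces a command list.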
Chapter 39: Secure Shell (SSH) Commands
SET SSH SERVER
Syntax
set ssh server hostkey=key-id serverkey=key-id
[expirytime=hours] [logintimeout=seconds]
Parameters
hostkey
Specifies the ID number of the encryption key pair to
function as the host key.
serverkey
Specifies the ID number of the encryption key pair to
function as the server key.
expirytime
Specifies the length of time, in hours, after which the
server key pair is regenerated. The range is 0 to 5
hours. Entering 0 never regenerates the key. The
default is 0.
logintimeout
Specifies the length of time the server waits before
disconnecting an un-authenticated client. The range is
60 to 600 seconds and the default is 180 seconds.
Description
This command modifies the configuration of the Secure Shell server
parameters.
The HOSTKEY parameter specifies the key ID of the host key pair. The
specified key pair must already exist. To create a key pair, refer to
“CREATE ENCO KEY” on page 650 (syntax 1).
The SERVERKEY parameter specifies the key ID of the server key pair. The
specified key pair must already exist.
The EXPIRYTIME parameter specifies the time, in hours, after which the
Secure Shell server key will expire and will be regenerated. If 0 is
specified the key does not expire. The range is 0 to 5 and the default is 0.
The LOGINTIMEOUT parameter specifies the length of time the server
waits before disconnecting an un-authenticated client. The range is 60 to
600 seconds. The default is 180 seconds.
Example
The following command sets the Secure Shell server key expiry time to 1
hour:
set ssh server expirytime=1
SHOW SSH
Syntax
show ssh
Parameters
None.
Description
This command displays the current values for the following SSH
parameters:
• Versions supported
• Server Status
• Server Port
• Host Key ID
• Host Key Bits (size of host key in bits)
• Server Key ID
• Server Key Bits (size of server key in bits)
• Server Key Expiry (hours)
• Login Timeout (seconds)
• Authentication Available
• Ciphers Available
• MACs Available
• Data Compression
Example
The following command displays the configuration of the Secure Shell
server:
show ssh
Chapter 40
TACACS+ and RADIUS Commands
This chapter contains the following commands:
• “ADD RADIUSSERVER” on page 686
• “ADD TACACSSERVER” on page 688
• “DELETE RADIUSSERVER” on page 690
• “DELETE TACACSSERVER” on page 691
• “DISABLE AUTHENTICATION” on page 692
• “ENABLE AUTHENTICATION” on page 693
• “PURGE AUTHENTICATION” on page 694
• “SET AUTHENTICATION” on page 695
• “SHOW AUTHENTICATION” on page 697
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 36, “TACACS+ and
RADIUS Protocols” in the AT-S63 Management Software Menus
Interface User’s Guide.
ADD RADIUSSERVER
Syntax
add radiusserver server|ipaddress=ipaddress order=value
[secret=string] [port=value] [accport=value]
Parameters
server or
ipaddress
Specifies an IP address of a RADIUS server. The
parameters are equivalent.
order
Specifies the order that the RADIUS servers are queried by
the switch. This value can be from 1 to 3. The servers are
queried starting with 1.
secret
Specifies the shared secret (the guide calls it the encryption key)
for this server; the switch uses it to hide passwords it sends and
to verify the server’s replies. The maximum length is 39 characters.
port
Specifies the UDP (User Datagram Protocol) port of the
RADIUS server. The default is port 1812.
accport
Specifies the UDP port for RADIUS accounting. The default
is port 1813.
Description
This command specifies the IP addresses of the RADIUS servers and the
order they are to be queried by the switch. There can be up to three
servers, but you can specify only one at a time with this command. You
may specify an encryption key, a RADIUS UDP port, and a RADIUS
accounting UDP port.
Note
The switch must communicate with the authentication server
through a local network or subnet that has a routing interface. The
switch uses the IP address of the interface as its source address
when sending packets to the server. For background information,
refer to “Routing Interfaces and Management Features” on
page 557. For instructions on how to add a routing interface to the
switch, refer to “ADD IP INTERFACE” on page 570.
Examples
The following command adds a RADIUS server with the 149.245.22.22 IP
address and specifies it as the first server in the list:
add radiusserver ipaddress=149.245.22.22 order=1
The following command adds the RADIUS server with the IP address
149.245.22.22, specifies it as the third RADIUS server to be queried
by the switch, and sets its authentication UDP port to 3:
add radiusserver ipaddress=149.245.22.22 order=3 port=3
The following command adds a RADIUS server with an IP address of
149.245.22.22. It specifies the order is 2, the encryption key is tiger74, and
the UDP port is 1811:
add radiusserver ipaddress=149.245.22.22 order=2
secret=tiger74 port=1811
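To make concrete what the SECRET parameter protects, the following Python script is an added example, not code from this guide or from the AT-S63 software. It encodes an Access-Request the way an RFC 2865 client sends it to UDP port 1812 (the default above), hides the User-Password with the shared secret, validates the server’s Response Authenticator, and then shows the offline dictionary attack that one captured request/response pair permits. It assumes the switch behaves as a standard RFC 2865 client; the user name, password, NAS address and candidate list are constructed sample values (tiger74 is taken from the example above), and the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional, Tuple

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
RADIUS_AUTH_PORT = 1812   # the guide's default authentication port


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, counts the two header bytes) Value(<=253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to 16-byte blocks, then XOR each block with
    MD5(secret || previous block), the first block using the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server-side inverse of hide_password; NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes,
                         nas_ip: str, authenticator: bytes = b"") -> bytes:
    """Encode an Access-Request as the switch (the NAS) would send it."""
    req_auth = authenticator or os.urandom(16)   # 16 random bytes per request
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {attr_type: value})."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: without the secret nobody can forge a valid Access-Accept
    for this request, so a spoofed reply is dropped."""
    _, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def recover_secret(request: bytes, response: bytes,
                   candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing against one captured exchange: each candidate costs one MD5,
    which is why a short dictionary word makes a poor SECRET."""
    for cand in candidates:
        if response_is_authentic(response, request, cand):
            return cand
    return None
```

Both the password hiding and the Response Authenticator rest on MD5 over the secret, so anyone who captures one exchange can test guesses at hash speed and, once the secret is known, unhide every password that follows. Choose a long random secret rather than a word, and keep the switch-to-server path on a management network where the exchange cannot be sniffed.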
ADD TACACSSERVER
Syntax
add tacacsserver server|ipaddress=ipaddress order=value
[secret=string]
Parameters
server or
ipaddress
Specifies the IP address of a TACACS+ server. The
parameters are equivalent.
order
Specifies the order the switch queries the TACACS+ servers.
The range is 1 to 3. The server assigned the order value of 1
is queried first.
secret
Specifies the optional shared secret (encryption key) for this
server. The maximum length is 39 characters.
Description
This command adds the IP address and encryption key of a TACACS+
server to the switch. This command can also specify the order the
TACACS+ servers are queried by the switch. You can add the IP
addresses of up to three TACACS+ servers on an AT-9400 Series switch.
This command can add only one TACACS+ server at a time.
Note
The switch must communicate with the authentication server
through a local network or subnet that has a routing interface. The
switch uses the IP address of the interface as its source address
when sending packets to the server. For background information,
refer to “Routing Interfaces and Management Features” on
page 557. For instructions on how to add a routing interface to the
switch, refer to “ADD IP INTERFACE” on page 570.
Examples
The following command adds a TACACS+ server with the IP address
149.245.22.20 and an order value of 1:
add tacacsserver ipaddress=149.245.22.20 order=1
The following command adds a TACACS+ server with an IP address of
149.245.22.24, an order of 2, and an encryption key of lioness54:
add tacacsserver ipaddress=149.245.22.24 order=2
secret=lioness54
The following command adds a TACACS+ server with an IP address
149.245.22.26 and specifies that this TACACS+ server is the third
TACACS+ server to be queried by the switch:
add tacacsserver ipaddress=149.245.22.26 order=3
DELETE RADIUSSERVER
Syntax
delete radiusserver server|ipaddress=ipaddress
Parameter
server or
ipaddress
Specifies the IP address of a RADIUS server to be deleted
from the management software. The parameters are
equivalent.
Description
This command deletes the IP address of a RADIUS server from your switch.
Example
The following command deletes the RADIUS server with the IP address
149.245.22.22:
delete radiusserver ipaddress=149.245.22.22
DELETE TACACSSERVER
Syntax
delete tacacsserver server|ipaddress=ipaddress
Parameter
server or
ipaddress
Specifies the IP address of a TACACS+ server to be deleted
from the management software. The parameters are
equivalent.
Description
This command deletes the IP address of a TACACS+ server from your
switch.
Example
The following command deletes the TACACS+ server with the IP address
149.245.22.20:
delete tacacsserver ipaddress=149.245.22.20
DISABLE AUTHENTICATION
Syntax
disable authentication
Parameters
None.
Description
This command disables TACACS+ and RADIUS manager account
authentication on your switch. When you disable authentication you retain
your current authentication parameter settings.
Note
This command applies only to TACACS+ and RADIUS manager
accounts. Disabling authentication means that you must use the
default manager accounts of manager and operator to manage the
switch. This command does not affect 802.1x port-based access
control.
Example
The following command disables TACACS+ and RADIUS manager
account authentication on your switch:
disable authentication
ENABLE AUTHENTICATION
Syntax
enable authentication
Parameters
None.
Description
This command enables TACACS+ or RADIUS manager account
authentication on your switch. You must use the manager accounts you
defined on the TACACS+ or RADIUS server to manage the switch when
you enable manager authentication. To select an authenticator protocol,
refer to “SET AUTHENTICATION” on page 695.
Note
If you are using the RADIUS authentication protocol for 802.1x Port-based
Network Access Control but not for manager account authentication, you
do not need to use this command. Even when the RADIUS manager account
feature is disabled, the switch still has access to the RADIUS
configuration information for 802.1x port-based access control.
Example
The following command enables manager account authentication on your
switch:
enable authentication
PURGE AUTHENTICATION
Syntax
purge authentication
Parameters
None.
Description
This command disables authentication, returns the authentication method
to TACACS+, deletes any global secret, and returns the timeout value to
its default setting of 10 seconds. This command does not delete the IP
address or secret of any RADIUS or TACACS+ authentication servers you
may have specified.
Example
The following command returns the authentication settings to their default
values:
purge authentication
SET AUTHENTICATION
Syntax
set authentication method=tacacs|radius [secret=string]
[timeout=value]
Parameters
method
Specifies which authenticator protocol, TACACS+ or
RADIUS, is to be the active protocol on the switch.
secret
Specifies the global encryption key of the TACACS+
or RADIUS servers. If the servers use different
encryption keys, you can leave this parameter blank
and set individual encryption keys with “ADD
TACACSSERVER” on page 688 or “ADD
RADIUSSERVER” on page 686. To remove a
previously assigned global key without specifying a
new value, enter the string as “none”. The maximum
length is 39 characters.
timeout
Specifies the maximum amount of time the switch
waits for a response from an authentication server
before the switch assumes the server will not
respond. If the timeout expires and the server has not
responded, the switch queries the next server in the
list. After the switch has exhausted the list of servers,
the switch defaults to the standard Manager and
Operator accounts. The default is 30 seconds. The
range is 1 to 300 seconds.
Description
This command selects the authentication protocol. One authentication
protocol can be active on the switch at a time. You may specify a global
encryption key and the maximum number of seconds the switch waits for
a response from an authentication server. Note that once every server
in the list has timed out, the switch falls back to the local Manager
and Operator accounts, so the passwords on those accounts must stay
strong even while remote authentication is in use.
Examples
The following command selects TACACS+ as the authentication protocol
on the switch:
set authentication method=tacacs
The following command selects TACACS+ as the authentication protocol
and specifies a global encryption key of tiger54:
set authentication method=tacacs secret=tiger54
The following command selects RADIUS as the authentication protocol
with a global encryption key of leopard09 and a timeout of 15 seconds:
set authentication method=radius secret=leopard09 timeout=15
The following command removes the current global secret from the
RADIUS client without assigning a new value:
set authentication method=radius secret=none
SHOW AUTHENTICATION
Syntax
show authentication[=tacacs|radius]
Parameters
tacacs or
radius
Optional. Limits the display to the settings of the named
protocol. When omitted, the command shows the status of the
authentication feature and the settings of the protocol
currently selected.
Description
This command displays the following information about the
authentication protocols on the switch:
• Status - The status of the authentication feature: enabled or disabled.
• Authentication Method - The authentication protocol activated on your
switch. Either TACACS+ or RADIUS protocol may be active. The
TACACS+ protocol is the default.
• The IP addresses of up to three authentication servers.
• The server encryption keys, if defined.
• TAC global secret - The global encryption code that applies to all
authentication servers.
• Timeout - The length of time, in seconds, before the switch
assumes the server will not respond.
Entering the command without specifying either TACACS or RADIUS
displays the current status of the authentication feature and the specifics
of the currently selected authentication protocol. Specifying TACACS or
RADIUS in the command displays the specifics for that authentication
protocol.
Example
The following command displays authentication protocol information on
your switch:
show authentication
The following command displays the information for the RADIUS protocol:
show authentication=radius
Chapter 41
Management ACL Commands
This chapter contains the following commands:
• “ADD MGMTACL” on page 700
• “CREATE MGMTACL” on page 701
• “DESTROY MGMTACL” on page 703
• “DISABLE MGMTACL” on page 704
• “ENABLE MGMTACL” on page 705
• “PURGE MGMTACL” on page 706
• “SET MGMTACL” on page 707
• “SHOW MGMTACL” on page 708
Note
Remember to save your changes with the SAVE CONFIGURATION
command.
Note
For background information, refer to Chapter 37, “Management
Access Control List” in the AT-S63 Management Software Menus
Interface User’s Guide.
ADD MGMTACL
Syntax
add mgmtacl id=value application=telnet|web|ping|all
Parameters
id
Specifies the identification number of the access control
entry to be modified. The range is 1 to 256. To view the
ID numbers of the existing ACEs, refer to “SHOW
MGMTACL” on page 708.
application
Specifies the permitted applications of the ACE. The
options are:
telnet
Permits Telnet management.
web
Permits web browser management.
ping
Permits the management workstation to ping
the switch.
all
Permits all of the above.
You can specify more than one option by separating
them with a comma (for example, “Web,Ping”). The new
application is added to the existing application of the
ACE.
Description
This command modifies the permitted application of an ACE. The new
application is added to any application already assigned to the ACE. If you
want to assign a new application while overriding the existing one, refer to
“SET MGMTACL” on page 707.
Examples
The following command adds web browser as a permitted application to
ACE ID 12:
add mgmtacl id=12 application=web
The following command adds pinging as a permitted application to ACE ID
27:
add mgmtacl id=27 application=ping
CREATE MGMTACL
Syntax
create mgmtacl id=value ipaddress=ipaddress mask=string
application=telnet|web|ping|all
Parameters
id
Specifies an identification number for the new access
control entry. The range is 1 to 256. Every ACE must
have a unique identification number.
ipaddress
Specifies the IP address of a subnet or a specific
management station.
mask
Specifies the mask used by the switch to filter the IP
address. A binary “1” indicates the switch should compare
the corresponding bit of the address, while a “0”
indicates that it should ignore that bit. If, with the
IPADDRESS parameter, you specify the IP address of a
specific management station, the appropriate mask is
255.255.255.255. If you are filtering on a subnet, the
mask depends on the subnet size. For example, for the
32-address subnet 149.11.11.32/27, the mask would be
255.255.255.224.
application
Specifies the permitted type of remote management.
The options are:
telnet
Permits Telnet management.
web
Permits web browser management.
ping
Permits the management workstation to ping
the switch.
all
Permits all of the above.
You can specify more than one option by separating
them with a comma (for example, “Web,Ping”).
Description
This command creates a new access control entry for the Management
ACL. The Management ACL controls who can manage the switch
remotely using a web browser or the Telnet application protocol. There
can be up to 256 ACEs in a Management ACL.
An ACE is an implicit “permit” statement. A workstation that meets the
criteria of the ACE is allowed to remotely manage the switch. There are
no deny entries: once the Management ACL is enabled, a station that
matches no ACE for the application it is using is refused, which is why
enabling the ACL with no entries cuts off all remote management.
The IPADDRESS parameter specifies the IP address of a specific
management station or a subnet.
The MASK parameter indicates the parts of the IP address the switch
should filter on. A binary “1” indicates the switch should filter on the
corresponding bit of the address, while a “0” indicates that it should not. If
you are filtering on a specific IP address, use the mask 255.255.255.255.
For a subnet, you need to enter the appropriate mask. For example, to
allow all management stations in the subnet 149.11.11.0 to manage the
switch, you would enter the mask 255.255.255.0.
The APPLICATION parameter allows you control whether the remote
management station can manage the switch using Telnet, a web browser,
or both. You can also use it to control whether the workstation can ping the
device. For example, you might create an ACE that states that a particular
remote management station can only use a web browser to manage the
switch.
Note
You must specify all the parameters when creating a new entry.
Examples
The following command creates an ACE that allows the management
station with the IP address 169.254.134.247 to manage the switch from
either a Telnet or web browser management session and to ping the
device:
create mgmtacl id=1 ipaddress=169.254.134.247
mask=255.255.255.255 application=all
The following command creates an ACE that allows the management
station with the IP address 169.254.134.12 to manage the switch with a
web browser and to ping the device. However, the workstation cannot
manage the switch with the Telnet application protocol:
create mgmtacl id=12 ipaddress=169.254.134.12
mask=255.255.255.255 application=web,ping
The following command creates an ACE that allows all management
stations in the subnet 169.24.144.128/27 (addresses 169.24.144.128
through 169.24.144.159) to manage the switch using the Telnet protocol:
create mgmtacl id=17 ipaddress=169.24.144.128
mask=255.255.255.224 application=telnet
DESTROY MGMTACL
Syntax
destroy mgmtacl id=value
Parameters
id
Specifies the identification number of the ACE to be
deleted.
Description
This command deletes an ACE from the Management ACL. You specify
the ACE by its identification number, which is displayed with “SHOW
MGMTACL” on page 708.
Note
If you are remotely managing the switch from a Telnet management
session and the Management ACL is active, your management
session will end and you will be unable to reestablish it should you
delete the ACE that specifies your management workstation.
Example
The following command deletes the ACE with the identification number 18
from the Management ACL:
destroy mgmtacl id=18
DISABLE MGMTACL
Syntax
disable mgmtacl
Parameters
None
Description
This command disables the Management ACL.
Example
The following command disables the Management ACL:
disable mgmtacl
ENABLE MGMTACL
Syntax
enable mgmtacl
Parameters
None.
Description
This command activates the Management ACL.
Note
Activating the Management ACL without entering any access control
entries (ACEs) prohibits you from remotely managing the switch
from a Telnet or web browser management session, or pinging the
device.
Example
The following command activates the Management ACL:
enable mgmtacl
PURGE MGMTACL
Syntax
purge mgmtacl
Parameters
None.
Description
This command deletes all access control entries from the Management
ACL.
Note
If you are remotely managing the switch from a Telnet management
session and the Management ACL is active, your management
session will end and you will be unable to reestablish it if you delete
all ACEs.
Example
The following command deletes all ACEs from the Management ACL:
purge mgmtacl
SET MGMTACL
Syntax
set mgmtacl id=value [ipaddress=ipaddress] [mask=string]
[application=telnet|web|ping|all]
Parameters
id
The identification number of the ACE to be modified. To
view the ID numbers of the ACEs, refer to “SHOW
MGMTACL” on page 708.
ipaddress
Specifies a new IP address for the ACE.
mask
Specifies a new mask for the ACE.
application
Specifies the permitted type of remote management.
The options are:
telnet
Permits Telnet management.
web
Permits web browser management.
ping
Permits the management workstation to ping
the switch.
all
Permits all of the above.
You can specify more than one option by separating
them with a comma (for example, “Web,Ping”). The new
application replaces the current permitted application of
the ACE.
Description
This command modifies an existing management access control entry in
the Management ACL. You can use the command to change the IP
address, subnet mask, or permitted applications of an ACE.
Examples
The following command changes the IP address of ACE ID 22 to
169.254.134.247:
set mgmtacl id=22 ipaddress=169.254.134.247
The following command changes the permitted applications of ACE ID 45
to web browser and pinging:
set mgmtacl id=45 application=web,ping
SHOW MGMTACL
Syntax
show mgmtacl [id=value]
Parameters
id
Specifies the ID number of an ACE to view.
Description
This command displays the state of the Management ACL and ACL
entries. Figure 59 is an example of the information displayed by this
command.
Management ACL Status ......................... Disable

ID   IP Address        Mask               Application
------------------------------------------------------
1    149.44.44.44      255.255.255.255    TELNET
2    149.55.55.0       255.255.255.0      ALL

Figure 59. SHOW MGMTACL Command with ENTRIES Option
For an explanation of the parameters, refer to “CREATE MGMTACL” on
page 701.
Examples
The following command displays the status of all the ACEs in the
Management ACL:
show mgmtacl
The following command displays the details of just ACE ID 14:
show mgmtacl id=14
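The following Python script is an added example, not part of this guide or of the AT-S63 software. It models the Management ACL semantics described under CREATE MGMTACL (bitwise mask matching, permit-only entries with everything else denied once the ACL is enabled) together with the lockout that the DESTROY MGMTACL and PURGE MGMTACL notes warn about, and it parses a SHOW MGMTACL display laid out as in Figure 59 so a proposed change can be tested against your own workstation address before it is applied. The exact column spacing of the display is an assumption, the sample text is constructed (Figure 59’s two rows plus the /27 entry from the CREATE MGMTACL examples), and the function names are hypothetical.

```python
import ipaddress
import re
from typing import FrozenSet, List, NamedTuple, Tuple

APPLICATIONS = ("telnet", "web", "ping")


class Ace(NamedTuple):
    ace_id: int
    address: int                 # IPv4 address as an integer
    mask: int                    # 1 bits are compared, 0 bits are ignored
    applications: FrozenSet[str]


def parse_applications(text: str) -> FrozenSet[str]:
    """'Web,Ping' -> {'web', 'ping'}; 'all' -> every application. Case-insensitive."""
    apps = set()
    for item in text.lower().split(","):
        item = item.strip()
        if item == "all":
            apps.update(APPLICATIONS)
        elif item in APPLICATIONS:
            apps.add(item)
        else:
            raise ValueError(f"unknown application {item!r}")
    return frozenset(apps)


def make_ace(ace_id: int, ip: str, mask: str, application: str) -> Ace:
    if not 1 <= ace_id <= 256:
        raise ValueError("ACE id must be in 1..256")
    return Ace(ace_id, int(ipaddress.IPv4Address(ip)),
               int(ipaddress.IPv4Address(mask)), parse_applications(application))


def ace_matches(ace: Ace, station_ip: str) -> bool:
    """Compare only the address bits where the mask has a binary 1."""
    station = int(ipaddress.IPv4Address(station_ip))
    return (station & ace.mask) == (ace.address & ace.mask)


def is_permitted(acl_enabled: bool, aces: List[Ace], station_ip: str, application: str) -> bool:
    """Every ACE is a permit. With the ACL enabled, a station that matches no ACE
    for the requested application (including the empty-ACL case) is denied."""
    if not acl_enabled:
        return True
    app = application.lower()
    return any(ace_matches(a, station_ip) and app in a.applications for a in aces)


def lockout_risk(acl_enabled: bool, aces: List[Ace], admin_ip: str,
                 application: str = "telnet") -> bool:
    """True if this ACL state would cut off the administrator's own session."""
    return not is_permitted(acl_enabled, aces, admin_ip, application)


_STATUS_RE = re.compile(r"Management ACL Status\s*\.*\s*(\w+)")
_ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s*$")


def parse_show_mgmtacl(text: str) -> Tuple[bool, List[Ace]]:
    """Parse a SHOW MGMTACL display laid out as in Figure 59 into (enabled, aces)."""
    enabled = None
    aces: List[Ace] = []
    for line in text.splitlines():
        m = _STATUS_RE.search(line)
        if m:
            enabled = m.group(1).lower().startswith("enable")
            continue
        m = _ROW_RE.match(line)
        if m:
            aces.append(make_ace(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    if enabled is None:
        raise ValueError("Management ACL Status line not found")
    return enabled, aces


# Constructed sample of a SHOW MGMTACL display; not captured from a real switch.
SAMPLE_SHOW_MGMTACL = """\
Management ACL Status ......................... Enable
ID    IP Address        Mask               Application
----------------------------------------------------------
1     149.44.44.44      255.255.255.255    TELNET
2     149.55.55.0       255.255.255.0      ALL
17    169.24.144.128    255.255.255.224    TELNET
"""


def check_change(admin_ip: str, destroy_ids: List[int] = ()) -> dict:
    """Simulate DESTROY MGMTACL on the sample ACL and report whether the administrator
    at admin_ip could still reach the switch over Telnet afterwards."""
    enabled, aces = parse_show_mgmtacl(SAMPLE_SHOW_MGMTACL)
    remaining = [a for a in aces if a.ace_id not in set(destroy_ids)]
    return {
        "before": is_permitted(enabled, aces, admin_ip, "telnet"),
        "after": is_permitted(enabled, remaining, admin_ip, "telnet"),
        "locked_out": lockout_risk(enabled, remaining, admin_ip),
    }


if __name__ == "__main__":
    print(check_change("149.44.44.44", destroy_ids=[1]))
```

Paste the real SHOW MGMTACL output in place of the sample and run check_change with your own workstation address and the IDs you intend to destroy; a result of locked_out True means the change should be made from the serial console rather than over Telnet.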
Index
Numerics
802.1Q multiple VLAN mode 502
802.1x Port-based Network Access Control 628
authenticator port
configuring 618
displaying 630
disabling 614
displaying 630, 632
enabling 616
supplicant port
configuring 626
displaying 630
A
access control
authenticator port, displaying 630
supplicant port, displaying 630
access control entries (ACE)
deleting 706
access control entry (ACE)
adding 700
creating 701
deleting 703
displaying 708
modifying 707
access control list (ACL)
creating 268
deleting 270, 271
displaying 274
modifying 272
ACCESS SWITCH command 70
ACL. See access control list (ACL) and Management ACL
ACTIVATE MSTP command 464
ACTIVATE RSTP command 450
ACTIVATE STP command 436
ACTIVATE SWITCH PORT command 110
ADD IP ARP command 568
ADD IP INTERFACE command 570
ADD IP RIP command 572
ADD IP ROUTE command 574
ADD LACP PORT command 166
ADD LOG OUTPUT command 228
ADD MGMTACL command 700
ADD MSTP command 465
ADD PKI CERTIFICATE command 658
ADD QOS FLOWGROUP command 290
ADD QOS POLICY command 291
ADD QOS TRAFFICCLASS command 292
ADD RADIUSSERVER command 686
ADD SNMP COMMUNITY command 90
ADD SNMPV3 USER command 377, 420
ADD SNTPSERVER PEER|IPADDRESS command 78
ADD SWITCH FDB|FILTER command 144
ADD SWITCH TRUNK command 156
ADD TACACSSERVER command 688
ADD VLAN command 490
ADD VLAN GROUP command 524
ADD VLAN MACADDRESS command 534
ADD VLAN PORT MACADDRESS command 535
ADD VLAN TYPE=MACADDRESS command 536
Address Resolution Protocol (ARP)
adding entries 568
deleting entries 576
described 555
displaying entries 590
modifying entries 581
setting cache timeout 582
aging timer 149
AT-S63 software image
downloading 204, 206, 211
uploading 215, 217, 221, 224
AT-S63 software, resetting to factory defaults 49
authentication
disabling 692
displaying 697
enabling 693
protocol, selecting 695
resetting to defaults 694
authentication failure traps
disabling 99
displaying 106
enabling 102
authenticator port
configuring 618
displaying 630, 632
B
back pressure 119
boot configuration file names, displaying 200
BPDU 455, 473
bridge forwarding delay 440, 454, 472
bridge hello time 440, 454, 472
bridge max age 440, 454, 472
bridge priority 440
broadcast filter 119
C
cache timeout 674
certificate database 669
certificates
name, changing 667
trust level, changing 667
CIST priority 475
Class of Service. See CoS
classifiers
creating 256
deleting 260, 261
displaying 265
modifying 262
removing from flow group 308
CLEAR SCREEN command 34
command line prompt 40
commands, formatting 30
compact flash card
configuration file on 197
copying files 188
directory, selecting 196
displaying files 201
files on 199
renaming files 194
space available 199
configuration file
creating 190
downloading 206, 211
name 200
setting 197
uploading 217, 221, 224
console mode, setting 41
console timeout 55
console timer, setting 55
contact name, configuring 48, 56
COPY command 188
CoS
Class of Service priority
setting 281
specifying 278
mapping to egress queues 278, 281
QoS scheduling 282
CREATE ACL command 268
CREATE CLASSIFIER command 256
CREATE CONFIG command 190
CREATE ENCO KEY command 650
CREATE LACP AGGREGATOR command 167
CREATE LOG OUTPUT command 230
CREATE MGMTACL command 701
CREATE MSTP command 466
CREATE PKI CERTIFICATE command 660
CREATE PKI ENROLLMENTREQUEST command 663
CREATE QOS FLOWGROUP command 293
CREATE QOS POLICY command 296
CREATE QOS TRAFFICCLASS command 303
CREATE SNMP COMMUNITY command 92
CREATE SNMPV3 ACCESS command 379
CREATE SNMPV3 COMMUNITY command 382
CREATE SNMPV3 GROUP command 384
CREATE SNMPV3 NOTIFY command 386
CREATE SNMPV3 TARGETADDR command 388
CREATE SNMPV3 TARGETPARAMS command 390
CREATE SNMPV3 VIEW command 392
CREATE SWITCH TRUNK command 158
CREATE VLAN command 493
CREATE VLAN PORTPROTECTED command 526
D
daylight savings time, setting 84
default route
adding 574
deleting 579
described 551
displaying 600
example 564
modifying 588
DELETE FILE command 191
DELETE IP ARP command 576
DELETE IP INTERFACE command 577
DELETE IP RIP command 578
DELETE IP ROUTE command 579
DELETE LACP PORT command 169
DELETE MSTP command 467
DELETE PKI CERTIFICATE command 665
DELETE QOS FLOWGROUP command 308
DELETE QOS POLICY command 309
DELETE QOS TRAFFICCLASS command 310
DELETE RADIUSSERVER command 690
DELETE SNMP COMMUNITY command 95
DELETE SNMPV3 USER command 394
DELETE SNTPSERVER PEER|IPADDRESS command 79
DELETE SWITCH FDB|FILTER command 146
DELETE SWITCH TRUNK command 160
DELETE TACACSSERVER command 691
DELETE VLAN command 497, 527
DELETE VLAN MACADDRESS command 538
DELETE VLAN PORT MACADDRESS command 539
Denial of Service. See DoS
DESTROY ACL command 270
DESTROY CLASSIFIER command 260
DESTROY ENCO KEY command 654
DESTROY LACP AGGREGATOR command 170
DESTROY LOG OUTPUT command 234
DESTROY MGMTACL command 703
DESTROY MSTP MSTIID command 468
DESTROY QOS FLOWGROUP command 311
DESTROY QOS POLICY command 312
DESTROY QOS TRAFFICCLASS command 313
DESTROY SNMP COMMUNITY command 97
DESTROY SNMPV3 ACCESS command 395
DESTROY SNMPV3 COMMUNITY command 397
DESTROY SNMPV3 GROUP command 398
DESTROY SNMPV3 NOTIFY command 399
DESTROY SNMPV3 TARGETADDR command 400
DESTROY SNMPV3 TARGETPARAMS command 401
DESTROY SNMPV3 VIEW command 402
DESTROY SWITCH TRUNK command 161
DESTROY VLAN command 500, 529, 540
DISABLE AUTHENTICATION command 692
DISABLE GARP command 510
DISABLE HTTP SERVER command 640
DISABLE IGMPSNOOPING command 350
DISABLE INTERFACE LINKTRAP command 111
DISABLE LACP command 171
DISABLE LOG command 235
DISABLE LOG OUTPUT command 236
DISABLE MGMTACL command 704
DISABLE MLDSNOOPING command 360
DISABLE MSTP command 469
DISABLE PORTACCESS|PORTAUTH command 614
DISABLE RADIUSACCOUNTING command 615
DISABLE RRPSNOOPING command 370
DISABLE RSTP command 451
DISABLE SNMP AUTHENTICATETRAP command 99
DISABLE SNMP command 98
DISABLE SNMP COMMUNITY command 100
DISABLE SNTP command 80
DISABLE SSH SERVER command 678
DISABLE STP command 437
DISABLE SWITCH PORT command 112
DISABLE SWITCH PORT FLOW command 113
DISABLE TELNET command 44
distinguished name
displaying 67
setting 670
document conventions 18
DoS
displaying 344
IP Option defense 335
LAND defense 334, 337
Ping of Death defense 338
SMURF defense 334, 340
SYN ACK Flood defense 341
Teardrop defense 342
E
edge port 457, 479
ENABLE AUTHENTICATION command 693
ENABLE GARP command 511
ENABLE HTTP SERVER command 641
ENABLE IGMPSNOOPING command 351
ENABLE INTERFACE LINKTRAP command 114
ENABLE LACP command 172
ENABLE LOG command 237
ENABLE LOG OUTPUT command 238
ENABLE MGMTACL command 705
ENABLE MLDSNOOPING command 361
ENABLE MSTP command 470
ENABLE PORTACCESS|PORTAUTH command 616
ENABLE RADIUSACCOUNTING command 617
ENABLE RRPSNOOPING command 371
ENABLE RSTP command 452
ENABLE SNMP AUTHENTICATETRAP command 102
ENABLE SNMP command 101
ENABLE SNMP COMMUNITY command 103
ENABLE SNTP command 81
ENABLE SSH SERVER command 679
ENABLE STP command 438
ENABLE SWITCH PORT command 115
ENABLE SWITCH PORT FLOW command 116
ENABLE TELNET command 45
ENCO module, displaying 656
encryption key
configuring 655
creating 650
destroying 654
enhanced stacking
management session 70
switch list, displaying 74
switch mode, setting 72
event log
configuring 242
disabling 235
displaying 246, 253
enabling 237
resetting to defaults 239
saving 240
EXIT command 35
external port cost 479
F
factory defaults 49
files
copying 188
deleting 191
displaying file list 201
downloading 206, 211
renaming 194
uploading 217, 221, 224
flash memory
configuration file in 197
copying files 188
displaying files 201
files in 202
formatting 193
renaming files 194
space available in 202
flow control
disabling 113
enabling 116, 119
flow group
adding classifiers to 290
creating 293
modifying 308
removing from traffic class 310
force version 454, 472
FORMAT DEVICE command 193
forwarding delay 440, 454, 472
G
GARP
converting dynamic VLANs 504
counters, displaying 517
database, displaying 519
disabling 510
711
Index
displaying 516
enabling 511
GID state machines 521
GIP 520
port GVRP status 513
resetting to defaults 512
timer, setting 514
GID state machines 521
GIP-connected ring 520
H
head of line blocking 121
hello time 440, 454, 472
help, context-sensitive 29
HOL blocking 119
HTTP server
configuring 643
disabling 640
displaying 648
enabling 641
resetting to defaults 642
I
IGMP snooping
configuring 352
disabling 350
displaying 355, 356
enabling 351
ingress filtering 501
internal port cost 479
Internet Protocol version 4 routing
see also routing interfaces, Routing Information Protocol (RIP), static routes
described 546
example 562, 566
supported switches 547
IPOPTION denial of service defense 335
K
keyword abbreviations 29
L
LACP
disabling 171, 176
displaying status 177
enabling 172, 176
LACP aggregator
adding ports 166
changing adminkey 173
changing load distribution method 173
creating 167
deleting ports 169
destroying 170
displaying status 177
setting system priority 175
LAND denial of service defense 337
LOAD METHOD=LOCAL command 204
LOAD METHOD=TFTP command 206
LOAD METHOD=XMODEM command 211
local interface
described 559
specifying 585
location, configuring 48, 56
log output
adding 228
creating 230
destroying 234
disabling 236
displaying 251
enabling 238
modifying 243
LOGOFF command 37
LOGOUT command 37
M
MAC address aging timer 149
MAC address table
addresses
adding 144
deleting 146, 148
displaying 151
aging time 149
multicast groups 352, 362
MAC address-based VLAN
adding egress ports 535
adding MAC addresses 534
creating 536
deleting 540
deleting egress ports 539
deleting MAC addresses 538
displaying 541
MAC addresses
adding 144
deleting 146, 148
Management ACL
access control entry
adding 700
creating 701
deleting 703, 706
modifying 707
disabling 704
displaying 708
enabling 705
manager password, setting 53, 58
MAP QOS COSP command 278
master switch 72
max age 440, 454, 472
max hops 472
Mcheck 457, 479
MDI mode 119
MENU command 38
migration check 457, 479
MLD snooping
configuring 362
disabling 360
displaying 364, 366
enabling 361
AT-S63 Management Software Web Browser Interface User’s Guide
MSTI ID
adding 465
creating 466
deleting 467, 468
MSTI priority 476
MSTP
activating 464
disabling 469
displaying 483
enabling 470
returning to defaults 471
setting 472
VLAN association 478
multicast router port 352, 362
multiple VLAN mode 502
N
NULL character 57, 66
O
operator password, setting 54, 58
P
packet filtering 123
PING command 46
PING OF DEATH denial of service defense 338
PKI certificate database 669
PKI certificate enrollment request
creating 663
PKI certificates
adding 658
creating 660
deleting 665
displaying 672
downloading 206, 211
number of certificates 671
uploading 221, 224
PKI module information 671
PKI, resetting to defaults 666
point-to-point port 457, 479
policy
adding traffic classes to 291
creating 296
port
autonegotiation, setting 110
back pressure
disabling 120
enabling 120
back pressure, limit 121
broadcast filter 121
configuring 119
cost 443, 457
description, setting 119
disabling 112
displaying parameters 131
enabling 115
flow control
disabling 113
enabling 116
GVRP status, setting 513
head of line blocking 121
interface information 129
link traps
disabling 111
enabling 114
negotiation 119
packet filtering 123
priority 443, 457, 479
rate limit 126
resetting 118, 121
security 606, 607, 610, 611
speed, setting 119
statistics counter
displaying 142
resetting 138
status, specifying 119
port intrusion action 606
port mirror
destination port, setting 182
displaying 184
setting 183
port trunk
adding 156
creating 158
deleting 160
destroying 161
displaying 163
load distribution 162
setting 162
speed, setting 162
port-based access control
authenticator port, configuring 618
disabling 614
displaying 630, 632
enabling 616
RADIUS accounting 628
supplicant port, configuring 626
port-based VLAN
adding ports 490
creating 493
deleting ports 497
destroying 500
displaying 505
protected ports VLANs
adding ports 524
changing port type 530
creating 526
deleting 529
deleting ports 527
displaying 531
PURGE ACL command 271
PURGE AUTHENTICATION command 694
PURGE CLASSIFIER command 261
PURGE GARP command 512
PURGE HTTP SERVER command 642
PURGE IP INTERFACE command 580
PURGE LOG command 239
PURGE MGMTACL command 706
PURGE MSTP command 471
PURGE PKI command 666
PURGE QOS command 280, 314
PURGE RSTP command 453
PURGE SNMPV3 ACCESS command 403
PURGE SNMPV3 COMMUNITY command 404
PURGE SNMPV3 NOTIFY command 405
PURGE SNMPV3 TARGETADDR command 406
PURGE SNMPV3 VIEW command 407
PURGE SNTP command 82
PURGE STP command 439
PURGE SWITCH PORT command 117
Q
QoS
resetting to defaults 280, 314
QoS configuration, displaying 286
QoS flow group
adding 290
creating 293
deleting 311
displaying 327
modifying 308, 315
QoS policy
adding 291
creating 296
deleting 312
displaying 329
modifying 309, 318, 321
QoS traffic class
adding 292
creating 303
deleting 313
displaying 331
modifying 310, 322
Quality of Service. See QoS
QUIT command 37
R
RADIUS accounting
configuring 628
disabling 615
displaying 635
enabling 617
RADIUS server
adding 686
deleting 690
rate limiting 126
RENAME command 194
RESET SWITCH command 47
RESET SWITCH FDB command 148
RESET SWITCH PORT command 118
RESET SWITCH PORT COUNTER command 138
RESET SYSTEM command 48
RESTART REBOOT command 49
RESTART SWITCH command 50
round robin QoS scheduling 282
Routing Information Protocol (RIP)
adding to routing interfaces 572
described 552
displaying configuration 598
displaying routes 600
modifying on routing interfaces 586
removing from routing interfaces 578
routing interface names, described 550
routing interface numbers, described 549
routing interfaces
and enhanced stacking 558
and network servers 557
and remote management 558
creating 570
deleting 577
deleting all 580
described 547
displaying 594
displaying routes 600
modifying 583
routing table, described 553
RRP snooping
disabling 370
displaying 372
enabling 371
RSTP
activating 450
disabling 451
displaying 460
enabling 452
port, setting 457
resetting to defaults 453
setting 454
S
SAVE CONFIGURATION command 39
SAVE LOG command 240
Secure Shell (SSH), configuration overview 680
serial terminal port
settings, displaying 59
speed, setting 52
SET ACL command 272
SET ASYN command 52
SET AUTHENTICATION command 695
SET CLASSIFIER command 262
SET CONFIG command 197
SET DATE TIME command 83, 85
SET DOS command 334
SET DOS IPOPTION command 335
SET DOS LAND command 337
SET DOS PINGOFDEATH command 338
SET DOS SMURF command 340
SET DOS SYNFLOOD command 341
SET DOS TEARDROP command 342
SET ENCO KEY command 655
SET GARP PORT command 513
SET GARP TIMER command 514
SET HTTP SERVER SECURITY command 643
SET IP ARP command 581
SET IP ARP TIMEOUT command 582
SET IP IGMP command 352
SET IP INTERFACE command 583
SET IP LOCAL INTERFACE command 585
SET IP RIP command 586
SET IP ROUTE command 588
SET IPV6 MLD command 362
SET LACP AGGREGATOR command 173
SET LACP STATE command 176
SET LACP SYSPRIORITY command 175
SET LOG FULLACTION command 242
SET LOG OUTPUT command 243
SET MANAGER OPERATOR command 58
SET MGMTACL command 707
SET MSTP CIST command 475
SET MSTP command 472
SET MSTP MSTI command 476
SET MSTP MSTIVLANASSOC command 478
SET MSTP PORT command 479
SET PASSWORD MANAGER command 53
SET PASSWORD OPERATOR command 54, 58
SET PKI CERTIFICATE command 667
SET PKI CERTSTORELIMIT command 669
SET PORTACCESS|PORTAUTH PORT AUTHENTICATOR command 618
SET PORTACCESS|PORTAUTH PORT SUPPLICANT command 626
SET PROMPT command 40
SET QOS COSP command 281
SET QOS FLOWGROUP command 315
SET QOS POLICY command 318
SET QOS PORT command 321
SET QOS SCHEDULING command 282
SET QOS TRAFFICCLASS command 322
SET RADIUSACCOUNTING command 628
SET RSTP command 454
SET RSTP PORT command 457
SET SNMP COMMUNITY command 104
SET SNMPV3 ACCESS command 408
SET SNMPV3 COMMUNITY command 410
SET SNMPV3 GROUP command 412
SET SNMPV3 NOTIFY command 414
SET SNMPV3 TARGETADDR command 416
SET SNMPV3 TARGETPARAMS command 418
SET SNMPV3 VIEW command 422
SET SNTP command 84
SET SSH SERVER command 682
SET SSL command 674
SET STP command 440
SET STP PORT command 443
SET SWITCH AGINGTIMER|AGEINGTIMER command 149
SET SWITCH CONSOLEMODE command 41
SET SWITCH CONSOLETIMER command 55
SET SWITCH INFILTERING command 501
SET SWITCH MIRROR command 182
SET SWITCH PORT command 119
SET SWITCH PORT FILTERING command 123
SET SWITCH PORT INTRUSION command 606
SET SWITCH PORT MIRROR command 183
SET SWITCH PORT PRIORITY OVERRIDEPRIORITY command 284
SET SWITCH PORT RATELIMITING command 126
SET SWITCH PORT SECURITYMODE command 607
SET SWITCH STACKMODE command 72
SET SWITCH TRUNK command 162
SET SWITCH VLANMODE command 502
SET SYSTEM command 56
SET SYSTEM DISTINGUISHEDNAME command 670
SET TELNET INSERTNULL command 57
SET VLAN command 504, 530
SHOW ACL command 274
SHOW ASYN command 59
SHOW AUTHENTICATION command 697
SHOW CLASSIFIER command 265
SHOW CONFIG command 200
SHOW CONFIG DYNAMIC command 60
SHOW CONFIG INFO command 63
SHOW DOS command 344
SHOW ENCO command 656
SHOW FILE command 201
SHOW GARP command 516
SHOW GARP COUNTER command 517
SHOW GARP DATABASE command 519
SHOW GARP GIP command 520
SHOW GARP MACHINE command 521
SHOW HTTP SERVER command 648
SHOW IGMPSNOOPING command 355
SHOW INTERFACE command 129
SHOW IP ARP command 590
SHOW IP COUNTER command 592
SHOW IP IGMP command 356
SHOW IP INTERFACE command 594
SHOW IP MLD command 366
SHOW IP RIP COUNTER command 596
SHOW IP RIP INTERFACE command 598
SHOW IP ROUTE command 600
SHOW LACP command 177
SHOW LOG command 246
SHOW LOG OUTPUT command 251
SHOW LOG STATUS command 253
SHOW MGMTACL command 708
SHOW MLDSNOOPING command 364
SHOW MSTP command 483
SHOW PKI CERTIFICATE command 672
SHOW PKI command 671
SHOW PORTACCESS|PORTAUTH command 630
SHOW PORTACCESS|PORTAUTH PORT command 632
SHOW QOS CONFIG command 286
SHOW QOS FLOWGROUP command 327
SHOW QOS POLICY command 329
SHOW QOS TRAFFICCLASS command 331
SHOW RADIUSACCOUNTING command 635
SHOW REMOTELIST command 74
SHOW RRPSNOOPING command 372
SHOW RSTP command 460
SHOW SNMP command 106
SHOW SNMPV3 ACCESS command 424
SHOW SNMPV3 COMMUNITY command 425
SHOW SNMPV3 GROUP command 426
SHOW SNMPV3 NOTIFY command 427
SHOW SNMPV3 TARGETADDR command 428
SHOW SNMPV3 TARGETPARAMS command 429
SHOW SNMPV3 USER command 430
SHOW SNMPV3 VIEW command 431
SHOW SNTP command 86
SHOW SSH command 684
SHOW SSL command 675
SHOW STP command 447
SHOW SWITCH AGINGTIMER|AGEINGTIMER command 150
SHOW SWITCH command 64
SHOW SWITCH COUNTER command 139
SHOW SWITCH FDB command 151
SHOW SWITCH MIRROR command 184
SHOW SWITCH PORT command 131
SHOW SWITCH PORT COUNTER command 142
SHOW SWITCH PORT INTRUSION command 610
SHOW SWITCH PORT SECURITYMODE command 611
SHOW SWITCH TRUNK command 163
SHOW SYSTEM command 67
SHOW TIME command 88
SHOW USER command 42
SHOW VLAN command 505, 531, 541
slave switch 72
SMURF denial of service defense 340
SNMP
disabling 98
information, displaying 106
SNMP community
adding 90
creating 92
deleting 95
destroying 97
disabling 100
enabling 101, 103
modifying 104
SNMP management access 90
SNMPv3 Access Table entry
creating 379
deleting 395
modifying 408
SNMPv3 Community Table entry
creating 382
deleting 397
modifying 410
SNMPv3 Notify Table entry
creating 386
deleting 399
modifying 414
SNMPv3 SecurityToGroup Table entry
creating 384
deleting 398
modifying 412
SNMPv3 Target Address Table entry
creating 388
deleting 400
modifying 416
SNMPv3 Target Parameters Table entry
creating 390
deleting 401
displaying 429
modifying 418
SNMPv3 User Table entry
adding 377
deleting 394
displaying 430
SNMPv3 View Table entry
creating 392
deleting 402
displaying 431
SNTP
disabling 80
enabling 81
information, displaying 86
IP address
deleting 79
specifying 78
resetting to defaults 82
split horizon 552
SSH configuration, displaying 684
SSH server
configuring 682
disabling 678
enabling 679
SSL
configuring 674
displaying 675
static multicast address 144
static routes
adding 574
deleting 579
described 550
displaying 600
modifying 588
static unicast address 144
STP
activating 436
disabling 437
displaying 447
enabling 438
port, setting 443
resetting to defaults 439
setting 440
strict QoS scheduling 282
supplicant port
configuring 626
displaying 630, 632
switch
accessing via enhanced stacking 70
configuration, displaying 60, 63, 200
distinguished name 67
information, displaying 67
parameters, displaying 64
restarting 50
statistics counters, displaying 139
SYNFLOOD denial of service defense 341
system date
displaying 88
setting 83, 85
system files
downloading 206, 211
uploading 217, 221, 224
system name, configuring 48, 56
system time
displaying 88
setting 83, 85
T
TACACS+ server
adding 688
deleting 691
tagged port
adding 524
deleting 527
tagged VLAN
adding ports 490
creating 493
deleting ports 497
destroying 500
displaying 505
TEARDROP denial of service defense 342
Telnet server
disabling 44
enabling 45
temperature, switch, displaying 67
traffic class
adding flow groups to 292
creating 303
removing from policy 309
trap receiver 90
U
untagged port
adding 524
deleting 527
UPLOAD METHOD=LOCAL command 215
UPLOAD METHOD=REMOTESWITCH command 217
UPLOAD METHOD=TFTP command 221
UPLOAD METHOD=XMODEM command 224
uploading files 217, 221, 224
UTC offset, setting 84
V
VLAN. See 802.1Q multiple VLAN mode, MAC address-based VLAN, multiple VLAN mode, port-based VLAN, protected ports VLAN, and tagged VLAN