Zebra EX-3524/EX-3548 Reference Guide
Zebra EX-3524/EX-3548 is a Layer 2 Gigabit Ethernet PoE/PoE+ Switch designed for high-performance networking applications. It provides a reliable and cost-effective solution for connecting and powering network devices such as IP phones, wireless access points, and security cameras. With its advanced features, this switch is ideal for businesses, educational institutions, and other organizations that require a robust and scalable network infrastructure.
EX-3524/EX-3548
Layer 2 Gigabit Ethernet PoE/PoE+ Switch
CLI Reference Guide www.edge-core.com
Zebra and the Zebra head graphic are registered trademarks of ZIH Corp. The Symbol logo is a registered trademark of Symbol Technologies, Inc., a Zebra Technologies company.
© 2015 Symbol Technologies, Inc.
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read this Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment. The guide assumes a basic working knowledge of LANs (Local Area Networks), the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
How this Guide is Organized
This guide describes the switch’s command line interface (CLI). For more detailed information on the switch’s key features refer to the System Reference Guide.
The guide includes these sections:
◆ Section I “Getting Started” — Includes information on initial configuration.
◆ Section II “Command Line Interface” — Includes all management options available through the CLI.
◆ — Includes information on troubleshooting switch management access.
Related Documentation
This guide focuses on switch software configuration through the CLI.
For information on how to manage the switch through the Web management interface, see the following guide:
System Reference Guide
For information on how to install the switch, see the following guide:
Installation Guide
For all safety information and regulatory statements, see the following documents:
Quick Start Guide
Safety and Regulatory Information
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Warning: Alerts you to a potential hazard that could cause personal injury.
Revision History
This section summarizes the changes in each revision of this guide.
December 2014 Revision
This is the third version of this guide. This guide is valid for software release v5.0.0.0-07D. This release includes a major change in the underlying software platform. It contains the following changes:
◆ Updated data displayed by the commands "show access-list tcam-utilization" on page 99, "show memory" on page 100, and "show process cpu" on page 100.
◆ Updated syntax for "show running-config" on page 101.
◆ Added the command "show tech-support" on page 104.
◆ Updated display output for the command.
◆ Added the commands "show watchdog" on page 107 and "watchdog software" on page 107.
◆ Updated syntax for the command.
◆ Updated syntax for the command.
◆ Added the command "upgrade opcode reload" on page 118.
◆ Added the section "TFTP Configuration Commands" on page 118.
◆ Removed the “auto” option from the command.
◆ Added the command.
◆ Updated display output for the command.
◆ Updated syntax for the commands "logging host" on page 133 and "logging sendmail host" on page 138.
◆ Added the section.
◆ Added the commands "clock summer-time (predefined)" on page 150 and "clock summer-time (recurring)" on page 151.
◆ Removed the command “clock timezone-predefined” from the section "Manual Configuration Commands" on page 149.
◆ Added the section.
◆ Updated syntax for the command "snmp-server enable traps" on page 176.
◆ Added the commands "snmp-server enable port-traps mac-notification" on page 179 and "show snmp-server enable port-traps" on page 180.
◆ Added the section "Additional Trap Commands" on page 192.
◆ Updated description of “level” parameter for the command.
◆ Updated description of “access level” parameter for the command.
◆ Added the commands and "show privilege" on page 207.
◆ Updated syntax for the command "tacacs-server host" on page 215.
◆ Added the commands "tacacs-server retransmit" on page 216 and "tacacs-server timeout" on page 217.
◆ Added the commands "aaa accounting commands" on page 219 and "accounting commands" on page 225.
◆ Updated syntax for the command "show accounting" on page 228.
◆ Added the command "dot1x max-reauth-req" on page 248.
◆ Added the section "PPPoE Intermediate Agent" on page 262.
◆ Added the command.
◆ Added the command "show port security" on page 275.
◆ Updated syntax for the command "ip dhcp snooping information option" on page 299.
◆ Added the commands "ip dhcp snooping information option encode no-subtype" on page 300, "ip dhcp snooping information option remote-id" on page 301, "ip dhcp snooping limit rate" on page 303, and "ip dhcp snooping information option circuit-id" on page 305.
◆ Updated display output for the command "show ip dhcp snooping" on page 308.
◆ Added the section.
◆ Updated syntax for the commands "ip source-guard binding" on page 319 and "ip source-guard max-binding" on page 323.
◆ Added the command "clear ip source-guard binding blocked" on page 323.
◆ Added the command "ip source-guard mode" on page 324.
◆ Updated syntax for the command "show ip source-guard binding" on page 325.
◆ Added the section "IPv6 Source Guard" on page 326.
◆ Added “allow-zeros” parameter to the command "ip arp inspection validate" on page 335.
◆ Updated command in the section "Denial of Service Protection" on page 340.
◆ Updated command in the section "Port-based Traffic Segmentation" on page 346.
◆ Removed “redirect-to” interface options from all permit and deny commands in the chapter "Access Control Lists" on page 351.
◆ Removed “tos” parameter from the command "permit, deny (Extended IPv4 ACL)".
◆ Added “counter” parameter to the commands "ip access-group" on page 356, "ipv6 access-group" on page 362 and "mac access-group" on page 369.
◆ Updated syntax for the command "permit, deny (MAC ACL)" on page 365.
◆ Added “log” parameter to the command "permit, deny (ARP ACL)" on page 371.
◆ Added the command "clear access-list hardware counters" on page 373, and added “hardware counters” parameter to the command "show access-list" on page 374.
◆ Removed the “symmetric” parameter from the command "capabilities" on page 379.
◆ Added the command.
◆ Removed the command “giga-phy-mode” from the chapter.
◆ Updated display output for the command "show interfaces status" on page 388.
◆ Added the section "Transceiver Threshold Configuration" on page 390.
◆ Added the commands "port-channel load-balance" on page 404 and "show port-channel load-balance" on page 415.
◆ Added the commands "power mainpower maximum allocation" on page 418 and "show power mainpower" on page 424.
◆ Removed the command “show power poe” from the chapter "Power over Ethernet Commands" on page 417.
◆ Updated syntax for the command.
◆ Reduced the maximum number of mirror sessions from two to one for all relevant local mirror and remote mirror commands in the chapter "Port Mirroring Commands" on page 425.
◆ Added the chapter "Loopback Detection Commands" on page 453.
◆ Added the command "spanning-tree system-bpdu-flooding" on page 472.
◆ Updated syntax for the command "spanning-tree bpdu-guard" on page 478.
◆ Updated syntax for the command "spanning-tree loopback-detection action" on page 482.
◆ Added the command "spanning-tree port-bpdu-flooding" on page 486.
◆ Added the command "spanning-tree tc-prop-stop" on page 488.
◆ Updated syntax for the command "show spanning-tree" on page 490.
◆ Added the command "switchport dot1q-tunnel service match cvid" on page 518.
◆ Updated syntax and display output for the command "show dot1q-tunnel" on page 520.
◆ Added the section "Configuring L2CP Tunneling" on page 521.
◆ Added the “priority” parameter to the command "protocol-vlan protocol-group (Configuring Interfaces)" on page 527.
◆ Added the “mask” parameter to the command.
◆ Added the “match-all” option to the command "class-map" on page 554.
◆ Updated syntax for the command.
◆ Updated range for "Quality of Service Commands" on page 553.
◆ Added the command "ip igmp snooping priority" on page 574.
◆ Added the commands "clear ip igmp snooping groups dynamic" on page 588 and "clear ip igmp snooping statistics" on page 589.
◆ Updated syntax for the commands "show ip igmp snooping" on page 589 and "show ip igmp snooping group" on page 590.
◆ Added the commands "ip igmp authentication" on page 599, "ip igmp query-drop" on page 603, "ip multicast-data-drop" on page 603, "show ip igmp authentication" on page 604, "show ip igmp query-drop" on page 606, and "show ip multicast-data-drop" on page 607.
◆ Added the sections.
◆ Replaced command set for "Multicast VLAN Registration for IPv4" on page 630.
◆ Added the section "Multicast VLAN Registration for IPv6" on page 654.
◆ Added the command "lldp dot3-tlv mac-phy" on page 684.
◆ Removed the command “ipv6 dhcp client rapid-commit vlan” from the section.
◆ Updated syntax for the command.
◆ Added the command.
◆ Added the commands and "show ipv6 nd raguard" on page 759.
◆ Added the section.
◆ Added the command.
September 2014 Revision
This is the second version of this guide. This guide is valid for software release v4.0.1.0-04R. It contains the following changes:
◆ Updated syntax description for the command "snmp-server user" on page 183.
◆ Added the command "clear ip dhcp snooping binding" on page 307.
◆ Updated description for the command "spanning-tree bpdu-filter" on page 477.
◆ Updated usage information for the command "spanning-tree port-priority" on page 486.
◆ Updated syntax for the command "switchport trunk allowed vlan" on page 509.
◆ Updated syntax for the command "switchport trunk native vlan" on page 510.
◆ Added the commands "switchport trunk allowed vlan" on page 509 and "switchport trunk native vlan" on page 510.
◆ Updated configuration procedure for protocol-based VLANs. See "Configuring Protocol-based VLANs" on page 525.
◆ Updated command usage for "subnet-vlan" on page 530.
◆ Updated command usage for "mac-vlan" on page 532.
◆ Updated usage information for the command "voice vlan aging" on page 535.
◆ Updated usage information for the command "show voice vlan" on page 539.
◆ Added the command "show lldp neighbors" on page 696.
◆ Updated display text for the command “show cdp neighbors detail”.
◆ Changed default setting for the command "ip dhcp client class-id" on page 714.
◆ Removed the command “show ip dhcp client-identifier” on page 542.
◆ Updated output display for the command "show ip interface" on page 727.
March 2014 Revision
This is the first version of this guide. This guide is valid for software release v4.0.0.0-02R.
Contents
How to Use This Guide 3
Contents 11
Figures 41
Tables 43
Section I
Getting Started 49
1 Initial Switch Configuration 51
Connecting to the Console Port
Logging Onto the Command Line Interface
Configuring the Switch for Remote Management
Enabling SNMP Management Access
Saving or Restoring Configuration Settings
Automatic Installation of Operation Code and Configuration Settings
Downloading Operation Code from a File Server
Specifying a DHCP Client Identifier
Downloading a Configuration File Referenced by a DHCP Server
Section II
Command Line Interface 75
2 Using the Command Line Interface 77
Negating the Effect of Commands
3 General Commands 89
reload (Global Configuration) 90
disable 94
reload (Privileged Exec)
4 System Management Commands 97
show access-list tcam-utilization
show watchdog
watchdog software
Automatic Code Upgrade Commands
upgrade opcode auto
upgrade opcode reload
show upgrade
TFTP Configuration Commands
ip tftp retry
Event Logging
logging facility
SMTP Alerts
logging sendmail
logging sendmail host
logging sendmail destination-email
logging sendmail source-email
Manual Configuration Commands
clock summer-time (date)
clock summer-time (predefined)
show cluster
show cluster members
show cluster candidates
controller hello-interval adjacency-hold-time
controller host ip address
debug adoption
no adoption
show adoption debug
5 SNMP Commands 171
General SNMP Commands 173
snmp-server 173
snmp-server community
snmp-server location
show snmp
SNMP Target Host Commands
snmp-server enable traps
snmp-server enable port-traps mac-notification
show snmp-server enable port-traps
SNMPv3 Commands
snmp-server engine-id
show snmp engine-id
show snmp group
Notification Log Commands 189
nlm 189
show nlm oper-status
show snmp notify-filter
Additional Trap Commands
memory
process cpu
6 Remote Monitoring Commands 195
show rmon alarms
show rmon events
show rmon history
7 Authentication Commands 203
User Accounts and Privilege Levels
privilege 207
show privilege 207
Authentication Sequence
authentication enable
radius-server auth-port
radius-server host
radius-server retransmit
radius-server timeout
tacacs-server host
tacacs-server key
tacacs-server port
tacacs-server retransmit
tacacs-server timeout
show tacacs-server
aaa accounting dot1x
aaa accounting exec
aaa group server 224
server 224
accounting dot1x
accounting commands
ip http server
ip http secure-port
ip telnet max-sessions
ip telnet port
ip telnet server
show ip telnet
ip ssh server-key size
ip ssh timeout
delete public-key
ip ssh crypto host-key generate
ip ssh save host-key
show ip ssh
General Commands
dot1x default
Authenticator Commands
dot1x intrusion-action
dot1x max-reauth-req
dot1x max-req
dot1x port-control
dot1x re-authentication
dot1x timeout quiet-period
dot1x timeout re-authperiod
dot1x timeout supp-timeout
dot1x timeout tx-period
Supplicant Commands
dot1x identity profile
dot1x max-start
dot1x timeout auth-period
dot1x timeout held-period
Information Display Commands
show dot1x
Management IP Filter 260
management 260
pppoe intermediate-agent
pppoe intermediate-agent format-type
pppoe intermediate-agent port-enable
pppoe intermediate-agent port-format-type
pppoe intermediate-agent port-format-type remote-id-delimiter
pppoe intermediate-agent trust
pppoe intermediate-agent vendor-tag strip
clear pppoe intermediate-agent statistics
show pppoe intermediate-agent info
show pppoe intermediate-agent statistics
8 General Security Measures 271
Port Security 272
mac-learning 272
Network Access (MAC Address Authentication)
network-access aging
network-access mac-filter
mac-authentication reauth-time
network-access guest-vlan
network-access link-detection
network-access link-detection link-down
network-access link-detection link-up
network-access link-detection link-up-down
network-access max-mac-count
network-access mode mac-authentication
network-access port-mac-filter
mac-authentication intrusion-action
mac-authentication max-mac-count
clear network-access
show network-access
show network-access mac-address-table
show network-access mac-filter
web-auth quiet-period
web-auth session-timeout
web-auth system-auth-control 293
web-auth 293
web-auth re-authenticate (Port) 294
show web-auth
show web-auth interface
ip dhcp snooping information option
ip dhcp snooping information option encode no-subtype
ip dhcp snooping information option remote-id
ip dhcp snooping information policy
ip dhcp snooping limit rate
ip dhcp snooping verify mac-address
ip dhcp snooping information option circuit-id
clear ip dhcp snooping binding
clear ip dhcp snooping database flash
ip dhcp snooping database flash
show ip dhcp snooping
ipv6 dhcp snooping option remote-id
ipv6 dhcp snooping option remote-id policy
ipv6 dhcp snooping max-binding
ipv6 dhcp snooping trust
clear ipv6 dhcp snooping binding
clear ipv6 dhcp snooping statistics
show ipv6 dhcp snooping
show ipv6 dhcp snooping binding
show ipv6 dhcp snooping statistics
IPv4 Source Guard
ip source-guard binding
ip source-guard max-binding
clear ip source-guard binding blocked
show ip source-guard
show ip source-guard binding
IPv6 Source Guard
ipv6 source-guard binding
show ipv6 source-guard binding
ip arp inspection log-buffer logs
ip arp inspection limit
ip arp inspection trust
show ip arp inspection configuration
show ip arp inspection interface
show ip arp inspection log
show ip arp inspection statistics
dos-protection echo-chargen
dos-protection smurf
dos-protection tcp-flooding
dos-protection tcp-null-scan
dos-protection tcp-syn-fin-scan
dos-protection tcp-udp-port-zero
dos-protection tcp-xmas-scan
dos-protection udp-flooding
dos-protection win-nuke
show dos-protection
Port-based Traffic Segmentation
traffic-segmentation
traffic-segmentation uplink/downlink
traffic-segmentation uplink-to-uplink
9 Access Control Lists 351
permit, deny (Standard IP ACL)
permit, deny (Extended IPv4 ACL)
show ip access-group
show ip access-list
permit, deny (Standard IPv6 ACL)
permit, deny (Extended IPv6 ACL)
show ipv6 access-group
show ipv6 access-list
mac access-group
show mac access-group
ACL Information
clear access-list hardware counters
show access-group
show access-list
10 Interface Commands 377
Interface Configuration 378
interface 378
description 381
flowcontrol 381
show interfaces brief
show interfaces counters
Transceiver Threshold Configuration 390
transceiver-monitor 390
transceiver-threshold-auto 391
transceiver-threshold rx-power
transceiver-threshold temperature
transceiver-threshold tx-power
show interfaces transceiver-threshold
Cable Diagnostics
test cable-diagnostics
11 Link Aggregation Commands 403
Manual Configuration Commands
port-channel load-balance
Dynamic Configuration Commands 406
lacp 406
lacp admin-key (Ethernet Interface) 408
lacp system-priority
lacp admin-key (Port Channel)
Trunk Status Display Commands
show lacp
show port-channel load-balance
12 Power over Ethernet Commands 417
power mainpower maximum allocation
power inline maximum allocation
show power inline time-range
show power mainpower
13 Port Mirroring Commands 425
Local Port Mirroring Commands
port monitor
14 Congestion Control Commands 435
Storm Control Commands
switchport packet-rate
Automatic Traffic Control Commands
Threshold Commands
auto-traffic-control apply-timer
auto-traffic-control release-timer 442
auto-traffic-control 443
auto-traffic-control action 443
auto-traffic-control alarm-clear-threshold 444
auto-traffic-control alarm-fire-threshold 445
auto-traffic-control auto-control-release 446
auto-traffic-control control-release 447
SNMP Trap Commands 447
snmp-server enable port-traps atc broadcast-alarm-clear 447
snmp-server enable port-traps atc multicast-control-release
ATC Display Commands
show auto-traffic-control
show auto-traffic-control interface
15 Loopback Detection Commands 453
loopback-detection 454
loopback-detection action
loopback-detection recover-time
loopback-detection transmit-interval
loopback detection trap
16 Address Table Commands 459
clear mac-address-table dynamic
show mac-address-table
show mac-address-table aging-time
show mac-address-table count
17 Spanning Tree Commands 465
spanning-tree cisco-prestandard
spanning-tree forward-time
spanning-tree max-age
spanning-tree mode
spanning-tree pathcost method
spanning-tree priority
spanning-tree mst configuration
spanning-tree system-bpdu-flooding
spanning-tree transmission-limit
spanning-tree link-type
spanning-tree loopback-detection
spanning-tree loopback-detection action
spanning-tree loopback-detection release-mode
spanning-tree loopback-detection trap
spanning-tree mst port-priority
spanning-tree port-bpdu-flooding
spanning-tree port-priority
spanning-tree spanning-disabled
spanning-tree tc-prop-stop
spanning-tree loopback-detection release
spanning-tree protocol-migration
show spanning-tree
show spanning-tree mst configuration
18 VLAN Commands 495
GVRP and Bridge Extension Commands
switchport gvrp
show bridge-ext
switchport acceptable-frame-types
switchport native vlan
switchport trunk allowed vlan
switchport trunk native vlan 510
Displaying VLAN Information 513
Configuring IEEE 802.1Q Tunneling
dot1q-tunnel system-tunnel-control
switchport dot1q-tunnel service match cvid
Configuring L2CP Tunneling
l2protocol-tunnel tunnel-dmac
Configuring Protocol-based VLANs
protocol-vlan protocol-group (Configuring Groups)
protocol-vlan protocol-group (Configuring Interfaces)
show protocol-vlan protocol-group
show interfaces protocol-vlan protocol-group
Configuring IP Subnet VLANs 529
switchport voice vlan
switchport voice vlan priority
switchport voice vlan security
show voice vlan
19 Class of Service Commands 541
show queue mode
show queue weight
Priority Commands (Layer 3 and 4)
qos map cos-dscp
show qos map cos-dscp
show qos map dscp-mutation
show qos map phb-queue
show qos map trust-mode
20 Quality of Service Commands 553
show class-map
show policy-map
21 Multicast Filtering Commands 571
ip igmp snooping proxy-reporting
ip igmp snooping router-alert-option-check
ip igmp snooping router-port-expire-time
ip igmp snooping tcn-query-solicit
ip igmp snooping unregistered-data-flood
ip igmp snooping unsolicited-report-interval
ip igmp snooping version-exclusive
ip igmp snooping vlan general-query-suppression
ip igmp snooping vlan immediate-leave
ip igmp snooping vlan last-memb-query-count
ip igmp snooping vlan last-memb-query-intvl
ip igmp snooping vlan proxy-address
ip igmp snooping vlan query-interval
ip igmp snooping vlan query-resp-intvl
ip igmp snooping vlan static
clear ip igmp snooping groups dynamic
clear ip igmp snooping statistics
show ip igmp snooping
show ip igmp snooping statistics
Static Multicast Routing
ip igmp snooping vlan mrouter
ip igmp filter (Global Configuration)
ip igmp profile
ip igmp filter (Interface Configuration) 601
ip igmp max-groups 601
ip igmp query-drop
ip multicast-data-drop
show ip igmp authentication
show ip igmp filter
show ip igmp query-drop
show ip igmp throttle interface
ipv6 mld snooping
ipv6 mld snooping querier
ipv6 mld snooping query-interval
ipv6 mld snooping query-max-response-time
ipv6 mld snooping proxy-reporting
ipv6 mld snooping robustness
ipv6 mld snooping router-port-expire-time
ipv6 mld snooping unknown-multicast mode
ipv6 mld snooping unsolicited-report-interval
ipv6 mld snooping vlan immediate-leave
ipv6 mld snooping vlan mrouter
clear ipv6 mld snooping groups dynamic
clear ipv6 mld snooping statistics
show ipv6 mld snooping
show ipv6 mld snooping group
show ipv6 mld snooping group source-list
show ipv6 mld snooping mrouter
show ipv6 mld snooping statistics
ipv6 mld filter (Global Configuration)
ipv6 mld profile
ipv6 mld filter (Interface Configuration)
ipv6 mld max-groups action
ipv6 mld query-drop
ipv6 multicast-data-drop
show ipv6 mld filter
show ipv6 mld profile
show ipv6 mld query-drop
show ipv6 mld throttle interface
Multicast VLAN Registration for IPv4
mvr robustness-value
mvr source-port-mode dynamic
clear mvr groups dynamic
clear mvr statistics
show mvr associated-profile
show mvr interface
show mvr profile
show mvr statistics
Multicast VLAN Registration for IPv6
mvr6 proxy-query-interval
mvr6 proxy-switching
mvr6 upstream-source-ip
mvr6 vlan
clear mvr6 statistics
show mvr6
22 LLDP Commands 673
lldp 675
lldp holdtime-multiplier 675
lldp med-fast-start-count
lldp notification-interval
lldp refresh-interval
lldp reinit-delay
lldp basic-tlv management-ip-address
lldp basic-tlv port-description
lldp basic-tlv system-capabilities
lldp basic-tlv system-description
lldp basic-tlv system-name
lldp dot1-tlv proto-ident
lldp dot1-tlv proto-vid
lldp dot1-tlv pvid
lldp dot1-tlv vlan-name
lldp dot3-tlv link-agg
lldp dot3-tlv mac-phy
lldp dot3-tlv max-frame
lldp dot3-tlv poe
lldp med-notification
lldp med-tlv ext-poe
lldp med-tlv inventory
lldp med-tlv location
lldp med-tlv med-cap
lldp med-tlv network-policy
23 CDP Commands 699
cdp (Global Configuration)
cdp hold-time
cdp transmit-interval
cdp version
cdp (Interface Configuration)
clear cdp table
show cdp
show cdp interface
show cdp neighbors
24 Domain Name Service Commands 705
25 DHCP Commands 713
DHCP for IPv4
ip dhcp client class-id
DHCP for IPv6
ipv6 dhcp client rapid-commit vlan
26 IP Interface Commands 723
Basic IPv4 Configuration
ip address
show ip interface
show ip traffic 727
Interface Address Configuration and Utilities
ipv6 default-gateway
show ipv6 mtu
show ipv6 traffic
clear ipv6 traffic 753
ping6 753
Neighbor Discovery 755
ipv6 nd dad attempts 755
clear ipv6 neighbors
show ipv6 nd raguard
ipv6 nd snooping auto-detect
ipv6 nd snooping auto-detect retransmit count
ipv6 nd snooping auto-detect retransmit interval
ipv6 nd snooping prefix timeout
ipv6 nd snooping max-binding
ipv6 nd snooping trust
clear ipv6 nd snooping binding
clear ipv6 nd snooping prefix
show ipv6 nd snooping
show ipv6 nd snooping binding
show ipv6 nd snooping prefix
Section III
26 IP Routing Commands 771
IPv4 Commands
ip route
ip sw-route
Appendices 777
A Troubleshooting 779
Problems Accessing the Management Interface
B License Information 781
The GNU General Public License
GNU Lesser General Public License, version 3.0
C Customer Support 793
Glossary 795
Index of CLI Commands 803
Index 811
Figures
Figure 1: Storm Control by Limiting the Traffic Rate
Figure 2: Storm Control by Shutting Down a Port
Figure 3: Configuring VLAN Trunking
Figure 4: Mapping QinQ Service VLAN to Customer VLAN
Tables
Table 1: Options 60, 66 and 67 Statements
Table 2: Options 55 and 124 Statements
Table 3: General Command Modes
Table 4: Configuration Command Modes
Table 8: System Management Commands
Table 9: Device Designation Commands
Table 10: System Status Commands
Table 11: show system – display description
Table 12: show version – display description
Table 15: File Directory Information
Table 17: Event Logging Commands
Table 19: show logging flash/ram - display description
Table 20: show logging trap - display description
Table 21: Event Logging Commands
Table 23: Predefined Summer-Time Parameters
Table 25: Switch Cluster Commands
Table 26: Switch Cluster Commands
Table 28: show snmp engine-id - display description
Table 29: show snmp group - display description
Table 30: show snmp user - display description
Table 31: show snmp view - display description
Table 33: Authentication Commands
Table 34: User Access Commands
Table 35: Default Login Settings
Table 36: Authentication Sequence Commands
Table 37: RADIUS Client Commands
Table 38: TACACS+ Client Commands
Table 41: HTTPS System Support
Table 42: Telnet Server Commands
Table 43: Secure Shell Commands
Table 44: show ssh - display description
Table 45: 802.1X Port Authentication Commands
Table 46: Management IP Filter Commands
Table 47: PPPoE Intermediate Agent Commands
Table 48: show pppoe intermediate-agent statistics - display description
Table 49: General Security Commands
Table 50: Management IP Filter Commands
Table 51: show port security - display description
Table 52: Network Access Commands
Table 53: Dynamic QoS Profiles
Table 55: DHCP Snooping Commands
Table 56: Option 82 information
Table 57: DHCP Snooping Commands
Table 58: IP Source Guard Commands
Table 59: IPv6 Source Guard Commands
Table 60: ARP Inspection Commands
Table 61: DoS Protection Commands
Table 62: Commands for Configuring Traffic Segmentation
Table 63: Traffic Segmentation Forwarding
Table 64: Access Control List Commands
Table 69: ACL Information Commands
Table 71: show interfaces switchport - display description
Table 72: Link Aggregation Commands
Table 73: show lacp counters - display description
Table 74: show lacp internal - display description
Table 75: show lacp neighbors - display description
Table 76: show lacp sysid - display description
Table 78: Maximum Number of Ports Providing Simultaneous Power
Table 79: PoE Shut Down Sequence
Table 80: show power inline status - display description
Table 81: Port Mirroring Commands
Table 82: Mirror Port Commands
Table 84: Congestion Control Commands
Table 88: Loopback Detection Commands
Table 89: Address Table Commands
Table 90: Spanning Tree Commands
Table 91: Recommended STA Path Cost Range
Table 92: Default STA Path Costs
Table 94: GVRP and Bridge Extension Commands
Table 95: show bridge-ext - display description
Table 96: Commands for Editing VLAN Groups
Table 97: Commands for Configuring VLAN Interfaces
Table 98: Commands for Displaying VLAN Information
Table 99: 802.1Q Tunneling Commands
Table 100: L2 Protocol Tunnel Commands
Table 101: Protocol-based VLAN Commands
Table 102: IP Subnet VLAN Commands
Table 103: MAC Based VLAN Commands
Table 104: Voice VLAN Commands
Table 106: Priority Commands (Layer 2)
Table 107: Priority Commands (Layer 3 and 4)
Table 108: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
Table 109: Default Mapping of DSCP Values to Internal PHB/Drop Values
Table 110: Mapping Internal Per-hop Behavior to Hardware Queues
Table 111: Quality of Service Commands
Table 112: Multicast Filtering Commands
Table 113: IGMP Snooping Commands
Table 114: show ip igmp snooping statistics input - display description
Table 115: show ip igmp snooping statistics output - display description
Table 116: show ip igmp snooping statistics vlan query - display description
Table 117: Static Multicast Interface Commands
Table 118: IGMP Filtering and Throttling Commands
Table 119: IGMP Authentication RADIUS Attribute Value Pairs
Table 120: MLD Snooping Commands
Table 121: MLD Filtering and Throttling Commands
Table 122: Multicast VLAN Registration for IPv4 Commands
Table 123: show mvr - display description
Table 124: show mvr interface - display description
Table 125: show mvr members - display description
Table 126: show mvr statistics input - display description
Table 127: show mvr statistics output - display description
Table 128: show mvr statistics query - display description
Table 129: show mvr statistics summary interface - display description
Table 130: show mvr statistics summary interface mvr vlan - description
Table 131: Multicast VLAN Registration for IPv6 Commands
Table 132: show mvr6 - display description
Table 133: show mvr6 interface - display description
Table 134: show mvr6 members - display description
Table 135: show mvr6 statistics input - display description
Table 136: show mvr6 statistics output - display description
Table 138: LLDP MED Location CA Types
Table 140: show cdp neighbors - display description
Table 141: Address Table Commands
Table 142: show dns cache - display description
Table 143: show hosts - display description
Table 145: DHCP Client Commands
Table 146: Options 60, 66 and 67 Statements
Table 147: Options 55 and 124 Statements
Table 148: DHCP Relay Option 82 Commands
Table 149: IP Interface Commands
Table 150: IPv4 Interface Commands
Table 151: Basic IP Configuration Commands
Table 152: Address Resolution Protocol Commands
Table 153: IPv6 Configuration Commands
Table 154: show ipv6 interface - display description
Table 155: show ipv6 mtu - display description
Table 156: show ipv6 traffic - display description
Table 157: show ipv6 neighbors - display description
Table 158: ND Snooping Commands
Table 203: IP Routing Commands
Table 204: Global Routing Configuration Commands
Table 205: Troubleshooting Chart
Section I
Getting Started
This section describes how to configure the switch for management access through the web interface or SNMP.
This section includes these chapters:
◆ "Initial Switch Configuration" on page 51
1
Initial Switch Configuration
This chapter includes information on connecting to the switch and basic configuration procedures.
Connecting to the Switch
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IPv4 address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 55.
Configuration Options
The switch’s HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions.
The switch’s web management interface can be accessed from any computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.
The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software.
The switch’s web interface, console interface, and SNMP agent allow you to perform the following management functions:
◆ Set user names and passwords
◆ Set an IP interface for any VLAN
◆ Configure SNMP parameters
◆ Enable/disable any port
◆ Set the speed/duplex mode for any port
◆ Configure the bandwidth of any port by limiting input or output rates
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 256 IEEE 802.1Q VLANs
◆ Enable GVRP automatic VLAN registration
◆ Configure IP routing for unicast traffic
◆ Configure IGMP multicast filtering
◆ Upload and download system firmware or configuration files via HTTP (using the web interface) or FTP/TFTP (using the command line or web interface)
◆ Configure Spanning Tree parameters
◆ Configure Class of Service (CoS) priority queuing
◆ Configure static or LACP trunks (up to 12)
◆ Enable port mirroring
◆ Set storm control on any port for excessive broadcast, multicast, or unknown unicast traffic
◆ Display system information and statistics
Connecting to the Console Port
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
2. Connect the other end of the cable to the RJ-45 serial port on the switch.
3. Make sure the terminal emulation software is set as follows:
■ Select the appropriate serial port (COM port 1 or COM port 2).
■ Set the baud rate to 115200 bps.
■ Set the data format to 8 data bits, 1 stop bit, and no parity.
■ Set flow control to none.
■ Set the emulation mode to VT100.
■ When using HyperTerminal, select Terminal keys, not Windows keys.
4. Power on the switch.
After the system completes the boot cycle, the logon screen appears.
For a description of how to use the CLI, see “Using the Command Line Interface” on page 77. For a list of all the CLI commands and detailed information on using the CLI, refer to “CLI Command Groups” on page 86.
Logging Onto the Command Line Interface
The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you only to display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.
Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.
2. At the User name prompt, enter “admin.”
3. At the Password prompt, enter “admin123.” (The password characters are not displayed on the console screen.)
4. The session is opened and the CLI displays the “Console#” prompt indicating you have access at the Privileged Exec level.
Setting Passwords
If this is your first time to log into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place.
Passwords can consist of up to 32 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name “admin” and password “admin123” to access the Privileged Exec level.
2. Type “configure” and press <Enter>.
3. Type “username guest password 0 password,” for the Normal Exec level, where password is your new password. Press <Enter>.
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
Username: admin
Password:
CLI session with the EX-3524* is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#
* This manual covers both the EX-3524 and EX-3548 Gigabit Ethernet PoE/PoE+ switches. Other than the difference in the number of ports, there are no other significant differences. Therefore nearly all of the screen display examples are based on the EX-3524.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IPv4 or IPv6 address.
The default network interface is VLAN 1 which includes ports 1-28/52. When configuring the network interface, the IP address, subnet mask, and default gateway may all be set using a console connection, or DHCP protocol as described in the following sections.
An IPv4 address for the switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see “Setting an IP Address” on page 55.
After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet or SSH from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions), or from a network computer using SNMP network management software.
Note: This switch supports eight Telnet sessions or SSH sessions.
Note: Any VLAN group can be assigned an IP interface address (page 72) for managing the switch.
The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.
Configuring the Switch for Remote Management
Using the Network Interface
The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging. In-band network management can be accessed via a connection to any network port (1-28/52).
Setting an IP Address
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
◆ Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
◆ Dynamic — The switch can send IPv4 configuration requests to BOOTP or DHCP address allocation servers on the network, or automatically generate a unique IPv6 host address based on the local subnet address prefix received in router advertisement messages. An IPv6 link local address for use in a local network can also be dynamically generated as described in
The current software supports DHCP for IPv6, so an IPv6 global unicast address for use in a network containing more than one subnet can be obtained through the DHCPv6 server, or manually configured as described in
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Note: The IPv4 address for VLAN 1 is obtained via DHCP by default.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Assigning an IPv6 Address
This section describes how to configure a “link local” address for connectivity within the local subnet only, and also how to configure a “global unicast” address, including a network prefix for use on a multi-segment network and the host portion of the address.
An IPv6 prefix or address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields. For detailed information on the other ways to assign IPv6 addresses, see “IPv6 Interface” on page 734.
Link Local Address — All link-local addresses must be configured with a prefix in the range of FE80~FEBF. Remember that this address type makes the switch accessible over IPv6 for all devices attached to the same local subnet only. Also, if the switch detects that the address you configured conflicts with that in use by another device on the subnet, it will stop using the address in question, and automatically generate a link local address that does not conflict with any other devices on the local subnet.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter. Then press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
(None)
Joined group address(es): ff02::1:ff11:6700 ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator:
◆ Prefix for this network
◆ IP address for the switch
◆ Default gateway for the network
For networks that encompass several different subnets, you must define the full address, including a network prefix and the host address for the switch. You can specify either the full IPv6 address, or the IPv6 address and prefix length. The prefix length for an IPv6 network is the number of bits (from the left) of the prefix that form the network address, and is expressed as a decimal number. For example, all IPv6 addresses that start with the first byte of 73 (hexadecimal) could be expressed as 73:0:0:0:0:0:0:0/8 or 73::/8.
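A parser for the address form just described, added here as an example that is not part of the guide: it accepts up to 8 colon-separated 16-bit hexadecimal groups with at most one “::”, an optional /prefix-length, derives the subnet in the form that show ipv6 interface reports it, and checks the FE80~FEBF link-local range. It uses only the Python standard library and the addresses from this chapter as constructed inputs.

```python
"""Parse RFC 2373 text-form IPv6 addresses as this chapter describes them.

Added example, not code from the guide or the switch vendor. Rules implemented:
up to 8 colon-separated 16-bit hex groups, one optional "::" standing for the
missing zero groups, an optional "/prefix-length", link-local = FE80~FEBF.
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_ipv6(text):
    """Return (list of 8 ints, prefix_len or None) for 'addr' or 'addr/len'."""
    addr, _, plen = text.partition("/")
    prefix_len = None
    if plen:
        prefix_len = int(plen)
        if not 0 <= prefix_len <= 128:
            raise ValueError("prefix length out of range: %s" % plen)
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)      # zero groups the '::' stands for
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX_DIGITS for c in g):
            raise ValueError("bad 16-bit group %r" % g)
        values.append(int(g, 16))
    return values, prefix_len


def to_text(groups, prefix_len=None):
    """Lower-case text form, compressing the longest run (>= 2) of zero groups."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%x" % g for g in groups]
    if best_len >= 2:
        text = ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    else:
        text = ":".join(hexs)
    if prefix_len is not None:
        text += "/%d" % prefix_len
    return text


def subnet_of(text):
    """Network prefix of 'addr/len', i.e. the 'subnet is' value shown by the switch."""
    groups, plen = parse_ipv6(text)
    if plen is None:
        raise ValueError("a prefix length is required")
    value = 0
    for g in groups:
        value = (value << 16) | g
    mask = ((1 << plen) - 1) << (128 - plen)     # top plen bits set
    net = value & mask
    net_groups = [(net >> (16 * (7 - k))) & 0xFFFF for k in range(8)]
    return to_text(net_groups, plen)


def is_link_local(text):
    """True when the first group lies in FE80~FEBF (the fe80::/10 range)."""
    groups, _ = parse_ipv6(text)
    return 0xFE80 <= groups[0] <= 0xFEBF


if __name__ == "__main__":
    # Addresses taken from this chapter's examples.
    for a in ("2001:DB8:2222:7272::66/64", "73::/8", "FE80::260:3EFF:FE11:6700"):
        groups, plen = parse_ipv6(a)
        print(a, "->", to_text(groups, plen), "link-local" if is_link_local(a) else "")
    print("subnet:", subnet_of("2001:DB8:2222:7272::66/64"))
```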
To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length,” where “prefix-length” indicates the address bits used to form the network portion of the address. (The network address starts from the left of the prefix and should encompass some of the ipv6-address bits.) The remaining bits are assigned to the host interface. Press <Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway,” where “gateway” is the IPv6 address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::66/64
Console(config-if)#exit
Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
Console(config)#end
Console#show ipv6 interface
Link-local address:
fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
2001:db8:2222:7272::66/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es): ff02::1:ff00:66 ff02::1:ff11:6700 ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#show ipv6 default-gateway
IPv6 default gateway 2001:db8:2222:7272::254
Console#
Dynamic Configuration
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server. BOOTP and DHCP values can include the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is slow to respond, you may need to use the “ip dhcp restart client” command to re-start broadcasting service requests.
Note that the “ip dhcp restart client” command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP. It may be necessary to use this command when DHCP is configured on a VLAN, and the member ports which were previously shut down are now enabled.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following commands:
■ To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
■ To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
Address is 00-E0-0C-00-00-FD
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.0.4 Mask: 255.255.255.0
Proxy ARP is disabled
DHCP Client Vendor Class ID (text): EX-3548
DHCP Relay Server: 0.0.0.0
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Obtaining an IPv6 Address
Link Local Address — There are several ways to configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix in the range of FE80~FEBF). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
To generate an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 enable” and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
fe80::2e0:cff:fe00:fd%1/64
Global unicast address(es):
(None)
Joined group address(es): ff02::1:ff00:fd ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages. (DHCP for IPv6 can also be used to obtain a unique IPv6 host address.)
To dynamically generate an IPv6 host address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address autoconfig” and press <Enter>.
3. Type “ipv6 enable” and press <Enter> to enable IPv6 on an interface that has not been configured with an explicit IPv6 address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address autoconfig
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
fe80::2e0:cff:fe00:fd%1/64
Global unicast address(es):
2001:db8:2222:7272:2E0:cff:fe00:fd/64, subnet is 2001:db8:2222:7272::/64[AUTOCONFIG]
valid lifetime 2591978 preferred lifetime 604778
Joined group address(es): ff02::1:ff00:fd ff02::1:ff11:6700 ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications. You can configure the switch to respond to SNMP requests or generate SNMP traps.
When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients.
To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e., an SNMPv3 construct) for the default “public” community string that provides read access to the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see snmp-server view command).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
The default strings are:
◆ public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string,” where “string” is the community access string to remove. Press <Enter>.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]” where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press <Enter>.
For a more detailed description of these parameters, see the snmp-server host command. The following example creates a trap host for each type of SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
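A configuration audit, added here as an example and not code from the guide or the vendor, that walks a constructed configuration excerpt and flags the weak defaults this chapter tells you to change: the factory admin password, the default “public”/“private” community strings, and trap receivers that send the community name in clear text (v1/v2c) or use v3 without authentication. It assumes the configuration lines use the same syntax as the CLI commands shown in this chapter, and treats a host entry with no version keyword as SNMPv1 (an assumption, not stated by the guide).

```python
"""Audit a switch configuration excerpt for the weak defaults this chapter describes.

Added example; not code from the guide or the switch vendor. The config lines are
assumed to use the same syntax as the CLI commands shown in the chapter:
    username <name> password 0 <plaintext>
    snmp-server community <string> [ro|rw]
    snmp-server host <ip> <community-or-user> [version {1|2c|3 {auth|noauth|priv}}]
"""
import re

# Factory default credential the chapter tells you to change at first login.
DEFAULT_ADMIN = ("admin", "admin123")
# Factory community strings; the chapter recommends changing or deleting them.
DEFAULT_COMMUNITIES = {"public", "private"}

USERNAME_RE = re.compile(r"^username (\S+) password (\d) (\S+)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?$")
HOST_RE = re.compile(
    r"^snmp-server host (\S+) (\S+)"
    r"(?: version (1|2c|3)(?: (auth|noauth|priv))?)?$"
)

# Constructed sample; the trap host names are the ones used in the chapter's example.
SAMPLE_CONFIG = """\
username admin password 0 admin123
username guest password 0 Gue5t-0nly
snmp-server community private
snmp-server community monitoring ro
snmp-server host 10.1.19.23 batman
snmp-server host 10.1.19.98 robin version 2c
snmp-server host 10.1.19.34 barbie version 3 auth
snmp-server host 10.1.19.50 robin version 3 priv
"""


def audit_config(text):
    """Return findings as (line_no, severity, message) tuples, in config order."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()

        m = USERNAME_RE.match(line)
        if m:
            user, pw_type, secret = m.groups()
            # "0" means the secret is given in plain text, so it can be compared.
            if pw_type == "0" and (user, secret) == DEFAULT_ADMIN:
                findings.append((line_no, "high",
                                 "user %s still has the factory default password" % user))
            continue

        m = COMMUNITY_RE.match(line)
        if m:
            community, mode = m.groups()
            mode = mode or "ro"  # the chapter states read-only is the default mode
            if community in DEFAULT_COMMUNITIES:
                findings.append((line_no, "high",
                                 "default SNMP community %r (%s) is still configured"
                                 % (community, mode)))
            continue

        m = HOST_RE.match(line)
        if m:
            host, name, version, level = m.groups()
            version = version or "1"  # assumption: no version keyword means SNMPv1
            if version in ("1", "2c"):
                findings.append((line_no, "medium",
                                 "trap receiver %s uses SNMPv%s; community %r is sent in clear text"
                                 % (host, version, name)))
            elif level == "noauth":
                findings.append((line_no, "medium",
                                 "trap receiver %s uses SNMPv3 without authentication" % host))
            elif level == "auth":
                findings.append((line_no, "low",
                                 "trap receiver %s uses SNMPv3 auth without privacy" % host))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in audit_config(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (line_no, severity, message))
```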
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth read mib-2 write 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” in the System Reference Guide, or refer to the specific CLI commands for SNMP starting on
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
The types of files are:
◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via FTP/TFTP to a server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the switch will also create a file named “startup1.cfg” that contains system settings for switch initialization, including information about the unit identifier, and MAC address for the switch. The configuration settings from the factory defaults configuration file are copied to this file, which is then used to boot the switch. See “Saving or Restoring Configuration Settings” on page 65 for more information.
◆ Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the CLI and web management interfaces.
◆ Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test).
Note: The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
Upgrading the Operation Code
The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name.
File names on the switch are case-sensitive. The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 128 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”)
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
1. config: 2. opcode: 2
Source file name: m360.bix
Destination file name: m360.bix
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode: m360.bix
Console(config)#exit
Console#dir
File Name Type Startup Modify Time Size(bytes)
-------------------------- -------------- ------- ------------------- ----------
Unit 1:
m360.bix                   OpCode         Y       2013-02-25 15:41:04 25812529
m355.bix                   OpCode         N       2012-12-04 13:23:59 25783857
Factory_Default_Config.cfg Config         N       2012-12-04 13:18:37 455
startup1.cfg               Config         Y       2013-03-21 05:39:15 3463
-----------------------------------------------------------------------------
Free space for compressed user config files:1593241600
Console#
Saving or Restoring Configuration Settings
Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.
New startup configuration files must have a name specified. File names on the switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config:<filename> command.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.
2. Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
To restore configuration settings from a backup server, enter the following command:
1. From the Privileged Exec mode prompt, type “copy tftp startup-config” and press <Enter>.
2. Enter the address of the TFTP server. Press <Enter>.
3. Enter the name of the startup file stored on the server. Press <Enter>.
4. Enter the name for the startup file on the switch. Press <Enter>.
Console#copy file startup-config
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.4
Source configuration file name: startup-rd.cfg
Startup configuration file name [startup1.cfg]:
Success.
Console#
Automatic Installation of Operation Code and Configuration Settings
Downloading Operation Code from a File Server
Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
Usage Guidelines
◆ If this feature is enabled, the switch searches the defined URL once during the bootup sequence.
◆ FTP (port 21) and TFTP (port 69) are both supported. Note that the TCP/UDP port bindings cannot be modified to support servers listening on non-standard ports.
◆ The host portion of the upgrade file location URL must be a valid IPv4 IP address. DNS host names are not recognized. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
◆ The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/” to indicate this (e.g., ftp://192.168.0.1/).
◆ The file name must not be included in the upgrade file location URL. The file name of the code stored on the remote server must be ECS4620-28T.bix (using lower case letters as indicated).
◆ The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some fire walls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept EX3524_Op.BIX from the server even though EX3524_Op.bix was requested). However, keep in mind that the file systems of many operating systems such as Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, ex3524_op.bix and EX3524_Op.BIX, are considered to be unique files. Thus, if the upgrade file is stored as EX3524_Op.BIX (or even Ex3524_Op.bix) on a case-sensitive server, then the switch (requesting EX3524_Op.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal. A notable exception in the list of case-sensitive Unix-like operating systems is Mac OS X, which by default is case-insensitive. Please check the documentation for your server’s operating system if you are unsure of its file system’s behavior.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
◆ The automatic upgrade process will take place in the background without impeding normal operations (data switching, etc.) of the switch.
◆ During the automatic search and transfer process, the administrator cannot transfer or update another operation code image, configuration file, public key, or HTTPS certificate (i.e., no other concurrent file management operations are possible).
◆ The upgrade operation code image is set as the startup image after it has been successfully written to the file system.
◆ The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures.
◆ The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image.
To enable automatic upgrade, enter the following commands:
1. Specify the TFTP or FTP server to check for new operation code.
   ■ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/
   ■ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password]@]192.168.0.1[/filedir]/
   If the user name is omitted, “anonymous” will be used for the connection. If the password is omitted, a null string (“”) will be used for the connection.
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://zebra:[email protected]/sm24/
Console(config)#
2. Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
Console(config)#upgrade opcode reload
Console(config)#
3. Set the switch to automatically upgrade the current operational code when a new version is detected on the server. When the switch starts up and automatic image upgrade is enabled by this command, the switch will follow these steps when it boots up:
   a. It will search for a new version of the image at the location specified by the upgrade opcode path command. The name for the new image stored on the TFTP server must be EX3524_Op.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
   b. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
   c. It sets the new version as the startup image.
   d. It then restarts the system to start using the new image.
Console(config)#upgrade opcode auto
Console(config)#
4. Display the automatic upgrade settings.
Console#show upgrade
Auto Image Upgrade Global Settings:
Status : Enabled
Reload Status : Enabled
Path :
File Name : EX3524_Op.bix
Console#
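The syntax rules for the upgrade path in step 1 (dotted-quad IPv4 host only, a directory that ends in “/” with no file name, and the anonymous/null-password defaults for FTP) can be checked before the URL is committed to the configuration. The following validator is an added example written for this guide, not code from the switch firmware; the IMAGE_FILE_NAME constant and the cleartext-credential flag are assumptions made for the example.

```python
"""Validator for the URL accepted by `upgrade opcode path`.

Added example, not part of the original guide. It encodes the Usage
Guidelines: tftp://host[/dir]/ or ftp://[user[:password]@]host[/dir]/,
a dotted-quad IPv4 host (no DNS names), a trailing "/" because the image
file name must NOT be part of the URL, and FTP defaults of user
"anonymous" and an empty password.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Image name the switch requests from the server (from the guide).
IMAGE_FILE_NAME = "EX3524_Op.bix"

_IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class UpgradePath:
    scheme: str                       # "tftp" or "ftp"
    host: str                         # dotted-quad IPv4 address
    directory: str                    # server directory, always ends with "/"
    username: Optional[str] = None    # FTP only
    password: Optional[str] = None    # FTP only
    warnings: tuple = ()

    @property
    def cleartext_credentials(self) -> bool:
        """True when a non-anonymous FTP login is embedded in the URL; it will
        then appear in the running/startup configuration and on the wire."""
        return self.scheme == "ftp" and self.username not in (None, "anonymous")


def _valid_ipv4(host: str) -> bool:
    m = _IPV4_RE.match(host)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def parse_upgrade_path(url: str) -> UpgradePath:
    """Parse and validate an upgrade URL, raising ValueError for anything the
    switch would reject (wrong scheme, DNS host name, file name in the path)."""
    m = re.match(r"^(tftp|ftp)://(.*)$", url)
    if not m:
        raise ValueError("scheme must be tftp:// or ftp://")
    scheme, rest = m.group(1), m.group(2)

    username = password = None
    if scheme == "ftp" and "@" in rest:
        creds, rest = rest.rsplit("@", 1)
        username, sep, password = creds.partition(":")
        if not sep:
            password = None
        if not username:
            raise ValueError("user name must not be empty when '@' is present")
    elif scheme == "tftp" and "@" in rest:
        raise ValueError("TFTP URLs carry no credentials")

    host, slash, directory = rest.partition("/")
    if not slash:
        raise ValueError("path must be given; use '/' for the root directory")
    directory = "/" + directory
    if not _valid_ipv4(host):
        raise ValueError(f"host {host!r} is not a dotted-quad IPv4 address "
                         "(DNS names are not recognized)")
    if not directory.endswith("/"):
        raise ValueError("URL must end with '/'; the image file name "
                         f"({IMAGE_FILE_NAME}) is supplied by the switch")

    warnings = []
    if scheme == "ftp":
        if username is None:
            username = "anonymous"    # default when the user name is omitted
        if password is None:
            password = ""             # null string when the password is omitted
        if username != "anonymous" and password:
            warnings.append("FTP password is stored in cleartext in the configuration")
    else:
        warnings.append("TFTP has no authentication; restrict who can write to the path")

    return UpgradePath(scheme, host, directory, username, password, tuple(warnings))
```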
Specifying a DHCP Client Identifier
DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier. The client identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
DHCP client Identifier (Option 60) is used by DHCP clients to specify their unique identifier. The client identifier is optional and can be specified while configuring DHCP on the primary network interface. DHCP Option 60 is disabled by default.
The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator. Options 60 (vendor-class-identifier), 66 (tftp-server-name) and 67 (bootfile-name) statements can be added to the server daemon’s configuration file as described in the following section.
If the DHCP server has an index entry for a switch requesting service, it should reply with the TFTP server name and boot file name. Note that the vendor class identifier can be formatted in either text or hexadecimal, but the format used by both the client and server must be the same.
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572
Console(config-if)#
Downloading a Configuration File Referenced by a DHCP Server
Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration settings from the DHCP server, it will also ask for the name of a bootup configuration file and TFTP servers where that file is stored.
If the switch receives information that allows it to download the remote bootup file, it will save this file to a local buffer, and then restart the provision process.
Note the following DHCP client behavior:
◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
◆ If the name of the bootup configuration file is the same as the Factory Default Configuration file, the download procedure will be terminated, and the switch will not send any further DHCP client requests.
◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
◆ If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.
To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information:
◆ Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
Table 1: Options 60, 66 and 67 Statements
Option  Statement Keyword        Parameter
60      vendor-class-identifier  a string indicating the vendor class identifier
66      tftp-server-name         a string indicating the tftp server name
67      bootfile-name            a string indicating the bootfile name
◆ By default, DHCP option 66/67 parameters are not carried in a DHCP server reply. To ask for a DHCP reply with option 66/67 information, the DHCP client request sent by this switch includes a “parameter request list” asking for this information. Besides these items, the client request also includes a “vendor class identifier” that allows the DHCP server to identify the device, and select the appropriate configuration file for download. This information is included in Option 55 and 124.
Table 2: Options 55 and 124 Statements
Option  Statement Keyword            Parameter
55      dhcp-parameter-request-list  a list of parameters, separated by a comma ','
124     vendor-class-identifier      a string indicating the vendor class identifier
The following configuration example is provided for a Linux-based DHCP daemon (dhcpd.conf file). In the “Vendor class” section, the server will always send Option 66 and 67 to tell the switch to download the “test” configuration file from server 192.168.255.101.
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
server-name "Server1";
Server-identifier 192.168.255.250;

#option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;

subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100";    #Default Option 66
  option bootfile-name "bootfile";              #Default Option 67
}

class "Option66,67_1" {    #DHCP Option 60 Vendor class two
  match if option vendor-class-identifier = "EX3524_Op.cfg";
  option tftp-server-name "192.168.255.101";
  option bootfile-name "test";
}
Note: Use “EX3524_Op.cfg” for the vendor-class-identifier in the dhcpd.conf file.
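The exchange that the dhcpd.conf above relies on (the switch advertising Option 60 and asking for 66/67 through Option 55, the server matching the vendor class byte-for-byte) is worked through in the following added example, which is not code from the guide or from the switch. The option codes come from RFC 2132; the TLV codec, the class table and the sample requests are constructed for this example, and the hex class-id shows why a text/hex format mismatch between client and server never matches.

```python
"""Encode and match the DHCP options used by this provisioning flow.

Added example (not from the guide): a minimal DHCP option TLV codec plus a
server-side selector that mirrors the dhcpd.conf above. Option numbers are
from RFC 2132: 55 parameter-request-list, 60 vendor-class-identifier,
66 tftp-server-name, 67 bootfile-name.
"""
import binascii
from typing import Dict

OPT_PARAM_REQUEST = 55
OPT_VENDOR_CLASS = 60
OPT_TFTP_SERVER = 66
OPT_BOOTFILE = 67
OPT_END = 255

# Subnet-wide defaults and the vendor class from the dhcpd.conf example above.
DEFAULT_TFTP, DEFAULT_BOOTFILE = "192.168.255.100", "bootfile"
VENDOR_CLASSES = {b"EX3524_Op.cfg": ("192.168.255.101", "test")}


def class_id_bytes(value: str, fmt: str = "text") -> bytes:
    """Option 60 payload as the switch sends it: text is sent verbatim, hex is
    decoded to raw bytes (so `class-id hex 0000e8666572` != the text string)."""
    if fmt == "text":
        return value.encode("ascii")
    if fmt == "hex":
        return binascii.unhexlify(value)
    raise ValueError("fmt must be 'text' or 'hex'")


def encode_options(options: Dict[int, bytes]) -> bytes:
    """Serialise options as code/length/value TLVs followed by the END marker."""
    out = bytearray()
    for code, value in options.items():
        if len(value) > 255:
            raise ValueError(f"option {code} exceeds 255 bytes")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLVs until END; reject truncated input instead of reading past it."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == 0:                     # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated option")
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing END option")


def build_client_request(class_id: bytes) -> bytes:
    """What the switch asks for: its vendor class plus a parameter request
    list that explicitly names options 66 and 67 (1 and 3 are mask/router)."""
    return encode_options({
        OPT_VENDOR_CLASS: class_id,
        OPT_PARAM_REQUEST: bytes([1, 3, OPT_TFTP_SERVER, OPT_BOOTFILE]),
    })


def select_reply_options(request: bytes) -> Dict[int, str]:
    """Server side, mirroring the dhcpd.conf logic: 66/67 are only returned
    when option 55 asks for them, and the class match is an exact byte
    comparison, so a client using a different format or case falls back to
    the subnet defaults."""
    req = decode_options(request)
    wanted = set(req.get(OPT_PARAM_REQUEST, b""))
    tftp, bootfile = VENDOR_CLASSES.get(req.get(OPT_VENDOR_CLASS, b""),
                                        (DEFAULT_TFTP, DEFAULT_BOOTFILE))
    reply = {}
    if OPT_TFTP_SERVER in wanted:
        reply[OPT_TFTP_SERVER] = tftp
    if OPT_BOOTFILE in wanted:
        reply[OPT_BOOTFILE] = bootfile
    return reply
```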
Setting the System Clock
Simple Network Time Protocol (SNTP) or Network Time Protocol (NTP) can be used to set the switch’s internal clock based on periodic updates from a time server.
Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock. If the clock is not set manually or via SNTP or NTP, the switch will only record the time from the factory default set at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.
The switch also supports the following time settings:
◆ Time Zone – You can specify the offset from Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT).
◆ Summer Time/Daylight Saving Time (DST) – In some regions, the time shifts by one hour in the fall and spring. The switch supports manual entry for one-time or recurring clock shifts.
Setting the Time Manually
To manually set the clock to 14:11:36, April 1st, 2013, enter this command.
Console#calendar set 14 11 36 1 April 2013
Console#
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#
To display the clock configuration settings, enter the following command.
Console#show calendar
Current Time : Apr 2 15:56:12 2013
Time Zone : UTC, 08:00
Summer Time : SUMMER, offset 60 minutes
Apr 2 2013 00:00 to Jun 30 2013 00:00
Summer Time in Effect : Yes
Console#
Configuring SNTP
Setting the clock based on an SNTP server can provide more accurate clock synchronization across network switches than manually-configured time. To configure SNTP, set the switch as an SNTP client, and then set the polling interval, and specify a time server as shown in the following example.
Console(config)#sntp client
Console(config)#sntp poll 60
Console(config)#sntp server 10.1.0.19
Console(config)#exit
Console#show sntp
Current Time : Apr 2 16:06:07 2013
Poll Interval : 60 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 10.1.0.19
Current Server : 10.1.0.19
Console#
Configuring NTP
Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
When more than one time server is configured, the client will poll all of the time servers, and compare the responses to determine the most reliable and accurate time update for the switch.
To configure NTP time synchronization, enter commands similar to the following.
Console(config)#ntp client
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#ntp authenticate
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#exit
Console#show ntp
Current Time : Apr 2 16:28:34 2013
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.5.23 Port: 0
Last Update Time : Apr 2 16:00:00 2013 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.5.23 version 3 key 19
NTP Authentication Key 45 md5 2662T75S5658RU5424180034777
Console#
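What “the key numbers and key values must match” means on the wire is shown by the following added example, which is not code from the guide or the switch: it computes the NTP symmetric-key MAC (4-byte key identifier followed by MD5 over the key and the 48-byte header, per RFC 5905 Appendix A) and verifies it against a key table, rejecting unauthenticated packets, unknown key numbers and mismatched key values. Key 45 / thisiskey45 are the values configured above; the packet contents are constructed for illustration.

```python
"""NTP symmetric-key (MD5) authentication as enabled by `ntp authenticate`.

Added example, not from the guide. MAC = key-id (4 bytes, big-endian) ||
MD5(key || 48-byte NTP header), so client and server must agree on both
the key number and the key value for an update to be accepted.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds between 1900-01-01 and 1970-01-01
MAC_LEN = 4 + 16                       # key id + MD5 digest

# Key table distributed to both sides (key number -> key value), from the example.
KEYS: Dict[int, bytes] = {45: b"thisiskey45"}


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_client_header(transmit_time: float, version: int = 3) -> bytes:
    """Minimal client request: LI=0, VN=version, Mode=3 (client); only the
    transmit timestamp is populated."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)   # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                   # root delay, root dispersion
    header += b"\x00" * 4                                # reference ID
    header += b"\x00" * 8 * 3                            # reference, origin, receive timestamps
    header += ntp_timestamp(transmit_time)
    assert len(header) == NTP_HEADER_LEN
    return header


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the 20-byte MAC: big-endian key id followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key id that authenticates the packet, or None when the packet
    carries no MAC, names a key number not in the table, or the digest does
    not match. With `ntp authenticate` enabled, None means the update is dropped."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return None                                      # no MAC present
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return None                                      # key number not trusted
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return None                                      # key value differs or packet altered
    return key_id
```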
Section II
Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
This section includes these chapters:
◆ “System Management Commands” on page 97
◆ “Remote Monitoring Commands” on page 195
◆ “Authentication Commands” on page 203
◆ “General Security Measures” on page 271
◆ “Access Control Lists” on page 351
◆ “Interface Commands” on page 377
◆ “Link Aggregation Commands” on page 403
◆ “Power over Ethernet Commands” on page 417
◆ “Port Mirroring Commands” on page 425
◆ “Congestion Control Commands” on page 435
◆ “Loopback Detection Commands” on page 453
◆ “Address Table Commands” on page 459
◆ “Spanning Tree Commands” on page 465
◆ “Class of Service Commands” on page 541
◆ “Quality of Service Commands” on page 553
◆ “Multicast Filtering Commands” on page 571
◆ “Domain Name Service Commands” on page 705
◆ “IP Interface Commands” on page 723
◆ “IP Routing Commands” on page 771
2 Using the Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Console Connection
To access the switch through the console port, perform these steps:
1. At the console prompt, enter the user name and password. (The default user names are “admin” and “guest” with corresponding passwords of “admin” and “guest.”) When the administrator user name and password are entered, the CLI displays the “Console#” prompt and enters privileged access mode (i.e., Privileged Exec). But when the guest user name and password are entered, the CLI displays the “Console>” prompt and enters normal access mode (i.e., Normal Exec).
2. Enter the necessary commands to complete your desired tasks.
3. When finished, exit the session with the “quit” or “exit” command.
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: admin
Password:
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Console#
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default.
To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.4 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
Console(config)#
If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached.
After you configure the switch with an IP address, you can open a Telnet session by performing these steps:
1. From the remote host, enter the Telnet command and the IP address of the device you want to access.
2. At the prompt, enter the user name and system password. The CLI will display the “Vty-n#” prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or “Vty-n>” for the guest to show that you are using normal access mode (i.e., Normal Exec), where n indicates the number of the current Telnet session.
3. Enter the necessary commands to complete your desired tasks.
4. When finished, exit the session with the “quit” or “exit” command.
After entering the Telnet command, the login screen displays:
Username: admin
Password:
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Vty-1#
Entering Commands
Note: You can open up to eight sessions to the device via Telnet or SSH.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
You can enter commands as follows:
◆ To enter a simple command, enter the command keyword.
◆ To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter the following commands. The default password “super” is used to change from Normal Exec to Privileged Exec mode.
Console>enable
Password:
Console#show startup-config
◆ To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:
Console(config)#username admin password 0 smith
Minimum Abbreviation
The CLI will accept a minimum number of characters that uniquely identify a command. For example, the command “configure” can be entered as con. If an entry is ambiguous, the system will prompt for further input.
Command Completion
If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing log followed by a tab will result in printing the command up to “logging.”
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command. For example, the command “show ?” displays a list of possible show commands:
Console#show ?
access-group Access groups
access-list Access lists
accounting Uses the specified accounting list
adoption Adoption related information
arp Information of ARP cache
authorization Enables EXEC accounting
auto-traffic-control Auto traffic control information
bridge-ext Bridge extension information
cable-diagnostics Shows the information of cable diagnostics
calendar Date and time information
cdp CDP
class-map Displays class maps
cluster Display cluster
collision-mac-address-table Show collision mac address
debug State of each debugging option
dns DNS information
dos-protection Shows the system dos-protection summary information
dot1q-tunnel dot1q-tunnel
dot1x 802.1X content
garp GARP properties
gvrp GVRP interface information
history Shows history information
hosts Host information
interfaces Shows interface information
ip IP information
ipv6 IPv6 information
l2protocol-tunnel Layer 2 protocol tunneling configuration
lacp LACP statistics
line TTY line information
lldp LLDP
log Log records
logging Logging setting
loop Shows the information of loopback
loopback-detection Shows loopback detection information
mac MAC access list
mac-address-table Configuration of the address table
mac-vlan MAC-based VLAN information
management Shows management information
memory Memory utilization
mvr multicast VLAN registration
mvr6 IPv6 Multicast VLAN registration
neighbors Shows LLDP neighbors information
network-access Shows the entries of the secure port.
nlm Show notification log
ntp Network Time Protocol configuration
policy-map Displays policy maps
port Port characteristics
port-channel Port channel information
power Shows power
power-save Shows the power saving information
pppoe Displays PPPoE configuration
privilege Shows current privilege level
process Device process
protocol-vlan Protocol-VLAN information
public-key Public key information
qos Quality of Service
queue Priority queue information
radius-server RADIUS server information
reload Shows the reload settings
rmon Remote monitoring information
rspan Display status of the current RSPAN configuration
running-config Information on the running configuration
snmp Simple Network Management Protocol configuration and statistics
snmp-server Displays SNMP server configuration
sntp Simple Network Time Protocol configuration
spanning-tree Spanning-tree configuration
ssh Secure shell server connections
startup-config Startup system configuration
subnet-vlan IP subnet-based VLAN information
system System information
tacacs-server TACACS server information
tech-support Technical information
time-range Time range
traffic-segmentation Traffic segmentation information
upgrade Shows upgrade information
users Information about users logged in
version System hardware and software versions
vlan Shows virtual LAN settings
voice Shows the voice VLAN information
watchdog Displays watchdog status
web-auth Shows web authentication configuration
Console#show
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
brief Shows brief interface description
counters Interface counters information
protocol-vlan Protocol-VLAN information
status Shows interface status
switchport Shows interface switchport information
transceiver Interface of transceiver information
transceiver-threshold Interface of transceiver-threshold information
Console#
Show commands which display more than one page of information (e.g., show running-config) pause and require you to press the [Space] bar to continue displaying one more page, the [Enter] key to display one more line, or the [a] key to display the rest of the information without stopping. You can press any other key to terminate the display.
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”
Console#show s?
snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan system
Console#show s
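The minimum-abbreviation rule, Tab completion “up to the point of ambiguity” and the “s?” lookup above all come down to prefix matching over the current mode’s keyword list. The following is an added example, not code from the switch: it implements those three behaviours over the keywords returned by “show s?”, and the rule that an exact keyword (“snmp”) wins over a longer keyword it is a prefix of (“snmp-server”) is an assumption made for this example. The minimum_abbreviation() helper is useful when auditing which short forms of a command exist.

```python
"""Minimum abbreviation, Tab completion and partial keyword lookup.

Added example, not from the guide. `lookup()` is the `partial?` behaviour,
`complete()` mimics the Tab key, `resolve()` applies the minimum-abbreviation
rule, and `minimum_abbreviation()` reports the shortest accepted form.
Keyword list: the `show s?` output above.
"""
import os
from typing import List

SHOW_S_KEYWORDS = ["snmp", "snmp-server", "sntp", "spanning-tree", "ssh",
                   "startup-config", "subnet-vlan", "system"]


def lookup(partial: str, keywords: List[str]) -> List[str]:
    """`partial?` behaviour: every keyword that starts with the typed letters."""
    return [kw for kw in keywords if kw.startswith(partial)]


def resolve(partial: str, keywords: List[str]) -> str:
    """Return the single keyword an abbreviation denotes.

    Raises ValueError (listing the candidates) when the entry is ambiguous,
    and LookupError when nothing matches. Assumption for this example: an
    exact keyword wins even if it is also a prefix of a longer keyword."""
    matches = lookup(partial, keywords)
    if partial in matches:
        return partial
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise LookupError(f"unrecognized command: {partial!r}")
    raise ValueError(f"ambiguous command {partial!r}: {' '.join(matches)}")


def complete(partial: str, keywords: List[str]) -> str:
    """Tab completion: extend the input to the longest prefix shared by all
    matching keywords (the point of ambiguity); unchanged when nothing matches."""
    matches = lookup(partial, keywords)
    if not matches:
        return partial
    return os.path.commonprefix(matches)


def minimum_abbreviation(keyword: str, keywords: List[str]) -> str:
    """Shortest prefix of `keyword` that `resolve()` accepts for it."""
    for n in range(1, len(keyword) + 1):
        prefix = keyword[:n]
        try:
            if resolve(prefix, keywords) == keyword:
                return prefix
        except ValueError:
            continue          # still ambiguous, try one more character
    return keyword
```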
Negating the Effect of Commands
For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
Using Command History
The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.
Using the show history command displays a longer list of recently executed commands.
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters.
Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table:
Table 3: General Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global *
               Access Control List
               Class Map
               IGMP Profile
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Time Range
               VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Exec Commands
When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name “admin” and password “admin123.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.”
To enter Privileged Exec mode, enter the following user names and passwords:
Username: admin
Password: [admin login password]
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Console#
Username: guest
Password: [guest login password]
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
The configuration commands are organized into different modes:
◆ Global Configuration - These commands modify the system level configuration, and include commands such as hostname and snmp-server community.
◆ Access Control List Configuration - These commands are used for packet filtering.
◆ Class Map Configuration - Creates a DiffServ class map for a specified traffic type.
◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
◆ Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
◆ Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists.
◆ VLAN Configuration - Includes the command to create VLAN groups.
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.
Console#configure
Console(config)#
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 4: Configuration Command Modes
Mode                  Command                                                  Prompt
Access Control List   access-list ip standard                                  Console(config-std-acl)
                      access-list ip extended                                  Console(config-ext-acl)
                      access-list ipv6 standard                                Console(config-std-ipv6-acl)
                      access-list ipv6 extended                                Console(config-ext-ipv6-acl)
                      access-list mac                                          Console(config-mac-acl)
Class Map             class-map                                                Console(config-cmap)
Interface             interface {ethernet port | port-channel id | vlan id}    Console(config-if)
Line                  line {console | vty}                                     Console(config-line-console)
                                                                               Console(config-line-vty)
MSTP                  spanning-tree mst-configuration                          Console(config-mstp)
Policy Map            policy-map                                               Console(config-pmap)
Time Range            time-range                                               Console(config-time-range)
VLAN                  vlan database                                            Console(config-vlan)
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode.
Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing:
Table 5: Keystroke Commands
Keystroke                      Function
Ctrl-A                         Shifts cursor to start of command line.
Ctrl-B                         Shifts cursor to the left one character.
Ctrl-C                         Terminates the current task and displays the command prompt.
Ctrl-E                         Shifts cursor to end of command line.
Ctrl-F                         Shifts cursor to the right one character.
Ctrl-K                         Deletes all characters from the cursor to the end of the line.
Ctrl-L                         Repeats current command line on a new line.
Ctrl-N                         Enters the next command line in the history buffer.
Ctrl-P                         Enters the last command.
Ctrl-R                         Repeats current command line on a new line.
Ctrl-U                         Deletes from the cursor to the beginning of the line.
Ctrl-W                         Deletes the last word typed.
Esc-B                          Moves the cursor back one word.
Esc-D                          Deletes from the cursor to the end of the word.
Esc-F                          Moves the cursor forward one word.
Delete key or backspace key    Erases a mistake when entering a command.
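The abbreviation rule above (a partial command is accepted only when it matches exactly one of the commands available in the current mode, and “?” lists the possible next words) can be modelled in a few lines. The following is an added illustration, not code from this guide or from the switch firmware; its command table is constructed from the General and System Status commands documented here, and which commands each mode exposes is a simplification assumed for the example.

```python
"""Unique-prefix command resolution, modelling the CLI abbreviation rule.

Added illustration, not code from this guide or from the switch firmware.
The command table is constructed from the General and System Status commands
documented in this guide; which commands each mode exposes is simplified.
"""
from typing import Dict, List

# Constructed table: mode abbreviation -> commands reachable in that mode.
COMMANDS_BY_MODE: Dict[str, List[str]] = {
    "NE": ["enable", "exit", "quit", "show history", "show memory",
           "show process cpu", "show system", "show users", "show version"],
    "PE": ["configure", "disable", "exit", "quit", "reload", "show history",
           "show memory", "show process cpu", "show reload",
           "show running-config", "show startup-config", "show system",
           "show tech-support", "show users", "show version"],
}


def _candidates(tokens: List[str], mode: str) -> List[List[str]]:
    """Keep every command whose words start with the typed words, position by position."""
    cands = [c.split() for c in COMMANDS_BY_MODE[mode]]
    for i, tok in enumerate(tokens):
        cands = [c for c in cands if len(c) > i and c[i].startswith(tok)]
    return cands


def resolve(line: str, mode: str) -> Dict[str, object]:
    """Classify an abbreviated command line the way the CLI would.

    status is "ok" (exactly one command matches), "ambiguous" (more letters
    are needed), "incomplete" (more words are needed, as after "show") or
    "unknown" (nothing in this mode starts that way).
    """
    tokens = line.lower().split()          # commands are not case sensitive
    cands = _candidates(tokens, mode)
    full = sorted(" ".join(c) for c in cands if len(c) == len(tokens))
    if not cands:
        status = "unknown"
    elif len(full) == 1:
        status = "ok"
    elif full:
        status = "ambiguous"
    else:
        status = "incomplete"
    matches = full or sorted(" ".join(c) for c in cands)
    return {"status": status, "matches": matches}


def completions(line: str, mode: str) -> List[str]:
    """Next-word options, as the "?" character lists them after the typed words."""
    tokens = line.lower().split()
    cands = _candidates(tokens, mode)
    return sorted({c[len(tokens)] for c in cands if len(c) > len(tokens)})


if __name__ == "__main__":
    for probe in ("e", "en", "sh hi", "show r", "con"):
        ne, pe = resolve(probe, "NE")["status"], resolve(probe, "PE")["status"]
        print(f"{probe!r:10} NE={ne:10} PE={pe}")
    print("show ?", completions("show", "PE"))
```

Note how the same abbreviation resolves differently per mode: “con” is unknown in Normal Exec but unique (configure) in Privileged Exec, which is why the guide stresses that only currently available commands take part in disambiguation.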
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index
Command Group               Description
General                     Basic commands for entering privileged access mode, restarting the system, or quitting the CLI
System Management           Display and setting of system information, basic modes of operation, maximum frame size, file management, console port and telnet settings, system logs, SMTP alerts, the system clock, and switch clustering
Simple Network Management Protocol   Activates authentication failure traps; configures community access strings, and trap receivers
Remote Monitoring           Supports statistics, history, alarm and event groups
User Authentication         Configures user names and passwords, logon access using local or remote authentication, management access through the web server, Telnet server and Secure Shell; as well as port security, IEEE 802.1X port access control, and restricted access based on specified IP addresses
General Security Measures   Segregates traffic for clients attached to common data ports; and prevents unauthorized access by configuring valid static or dynamic addresses, web authentication, MAC address authentication, filtering DHCP requests and replies, and discarding invalid ARP responses
Access Control List         Provides filtering for IPv4 frames (based on address, protocol, TCP/UDP port number or TCP control code), IPv6 frames (based on address or DSCP traffic class), or non-IP frames (based on MAC address or Ethernet type)
Interface                   Configures the connection parameters for all Ethernet ports, aggregated links, and VLANs
Link Aggregation            Statically groups multiple ports into a single logical trunk; configures Link Aggregation Control Protocol for port trunks
Power over Ethernet         Configures power output for connected devices
Mirror Port                 Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port
Congestion Control          Sets the input/output rate limits, traffic storm thresholds, and thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Loopback Detection          Detects general loopback conditions caused by hardware problems or faulty protocol settings
Address Table               Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time
Spanning Tree               Configures Spanning Tree settings for the switch
VLANs                       Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling
Class of Service            Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue, also sets priority for DSCP
Quality of Service          Configures Differentiated Services
Multicast Filtering         Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router; also configures multicast VLAN registration
Link Layer Discovery Protocol   Configures LLDP settings to enable information discovery about neighbor devices
Cisco Discovery Protocol    Configures CDP settings to enable information discovery about neighbor devices
Domain Name Service         Configures DNS services.
Dynamic Host Configuration Protocol   Configures DHCP client functions
IP Interface                Configures IP address for the switch interfaces; also configures ARP parameters and static entries
IP Routing                  Configures static unicast routing
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
IPC (IGMP Profile Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
3 General Commands
The general commands are used to control the command access mode, configuration mode, and other basic functions.
Table 7: General Commands
Command        Function                                                                                          Mode
prompt         Customizes the CLI prompt                                                                         GC
reload         Restarts the system at a specified time, after a specified delay, or at a periodic interval       GC
enable         Activates privileged mode                                                                         NE
quit           Exits a CLI session                                                                               NE, PE
show history   Shows the command history buffer                                                                  NE, PE
configure      Activates global configuration mode                                                               PE
disable        Returns to normal mode from privileged mode                                                       PE
reload         Restarts the system immediately                                                                   PE
show reload    Displays the current reload settings, and the time at which next scheduled reload will take place  PE
end            Returns to Privileged Exec mode                                                                   any config. mode
exit           Returns to the previous configuration mode, or exits the CLI                                      any mode
help           Shows how to use help                                                                             any mode
?              Shows options for command completion (context sensitive)                                          any mode
prompt
This command customizes the CLI prompt. Use the no form to restore the default prompt.
Syntax
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt.
(Maximum length: 32 characters)
Default Setting
Console
Command Mode
Global Configuration
Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Syntax
reload {at hour minute [{month day | day month} [year]] | in {hour hours | minute minutes | hour hours minute minutes} | regularity hour minute [period {daily | monthly day-of-month | weekly day-of-week}] | cancel [at | in | regularity]}
reload at - A specified time at which to reload the switch.
hour - The hour at which to reload. (Range: 0-23)
minute - The minute at which to reload. (Range: 0-59)
month - The month at which to reload. (january ... december)
day - The day of the month at which to reload. (Range: 1-31)
year - The year at which to reload. (Range: 1970-2037)
reload in - An interval after which to reload the switch.
hours - The number of hours, combined with the minutes, before the switch resets. (Range: 0-576)
minutes - The number of minutes, combined with the hours, before the switch resets. (Range: 0-34560)
reload regularity - A periodic interval at which to reload the switch.
hour - The hour at which to reload. (Range: 0-23)
minute - The minute at which to reload. (Range: 0-59)
day-of-month - Day of the month at which to reload. (Range: 1-31)
day-of-week - Day of the week at which to reload.
(Range: monday ... saturday)
reload cancel - Cancels the specified reload option.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Example
This example shows how to reset the switch after 30 minutes:
Console(config)#reload in minute 30
***
*** --- Rebooting at January 1 02:10:43 2007 ---
***
Are you sure to reboot the system at the specified time? <y/n>
enable
This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information.
See “Understanding Command Modes” on page 82.
Syntax
enable [level]
level - Privilege level to log into the device.
The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
Default Setting
Level 15
Command Mode
Normal Exec
Command Usage
◆ “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command.)
◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
% CLI exit session
Press ENTER to start session
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
2 config
1 show history
Configuration command history:
4 interface vlan 1
3 exit
2 interface vlan 1
1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
Console#!2
Console#config
Console(config)#
configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, such as Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes” on page 82.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#configure
Console(config)#
Related Commands
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 82.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
Example
Console#disable
Console>
Related Commands
reload (Privileged Exec)
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Example
This example shows how to reset the switch:
Console#reload
System will be restarted, continue <y/n>? y
show reload
This command displays the current reload settings, and the time at which next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end
This command returns to Privileged Exec mode.
Default Setting
None
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#
exit
This command returns to the previous configuration mode or exits the configuration program.
Default Setting
None
Command Mode
Any
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
% CLI exit session
Press ENTER to start session
4 System Management Commands
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Table 8: System Management Commands
Command Group        Function
Device Designation   Configures information that uniquely identifies this switch
System Status        Displays system configuration, active managers, and version information
Frame Size           Enables support for jumbo frames
File Management      Manages code image or switch configuration files
Line                 Sets communication parameters for the serial port, including baud rate and console time-out
Event Logging        Controls logging of error messages
SMTP Alerts          Configures SMTP email alerts
Time                 Sets the system clock automatically via NTP/SNTP server or manually
Time Range           Sets a time range for use by other functions, such as Access Control Lists
Switch Clustering    Configures management of multiple devices via a single IP address
                     Configures switch to submit request to be adopted for centralized management by “Controller” software
Device Designation
This section describes commands used to configure information that uniquely identifies the switch.
Table 9: Device Designation Commands
Command                Function                                  Mode
hostname               Specifies the host name for the switch    GC
snmp-server contact    Sets the system contact string            GC
snmp-server location   Sets the system location string           GC
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
◆ This command and the prompt command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#hostname RD#1
RD#1(config)#
System Status
This section describes commands used to display system information.
Table 10: System Status Commands
Command                             Function                                                                                                                 Mode
show access-list tcam-utilization   Shows utilization parameters for TCAM                                                                                    PE
show memory                         Shows memory utilization parameters                                                                                      NE, PE
show process cpu                    Shows CPU utilization parameters                                                                                         NE, PE
show running-config                 Displays the configuration data currently in use                                                                         PE
show startup-config                 Displays the contents of the configuration file (stored in flash memory) that is used to start up the system             PE
show system                         Displays system information                                                                                              NE, PE
show tech-support                   Displays a detailed list of system settings designed to help technical support resolve configuration or functional problems   PE
show users                          Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients           NE, PE
show version                        Displays version information for the system                                                                              NE, PE
show access-list tcam-utilization
This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use and the number of free entries.
Command Mode
Privileged Exec
Command Usage
Policy control entries (PCEs) are used by various system functions which rely on rule-based searches, including Access Control Lists (ACLs), IP Source Guard filter rules, Quality of Service (QoS) processes, or traps.
For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
Example
Console#show access-list tcam-utilization
Pool capability code:
ALL - All supported function, AM - MAC ACL, A4 - IPv4 ACL,
A6S - IPv6 Standard ACL, A6E - IPv6 extended ACL, DM - MAC DiffServ,
D4 - IPv4 DiffServ, D6S - IPv6 standard DiffServ,
D6E - IPv6 extended DiffServ, AEM - Egress MAC ACL,
AE4 - Egress IPv4 ACL, AE6S - Egress IPv6 standard ACL,
AE6E - Egress IPv6 extended ACL, DEM - Egress MAC DiffServ,
DE4 - Egress IPv4 DiffServ, DE6S - Egress IPv6 standard DiffServ,
DE6E - Egress IPv6 extended DiffServ, W - Web authentication,
I - IP source guard, I6- IPv6 source guard, C - CPU interface,
R - Rate limit, L - Link local, Reserved - Reserved
Unit Device Pool Total Used Free Pool Capability
---- ------ ---- ----- ----- ----- ----------------------------------------
1 0 0 372 196 176 ALL
1 1 0 372 196 176 ALL
Console#
show memory
This command shows memory utilization parameters.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, the total amount of system memory, and the alarm thresholds.
Example
Console#show memory
Status Bytes %
------ ---------- ---
Free 19951616 14
Used 114266112 86
Total 134217728
Alarm Configuration
Rising Threshold : 95%
Falling Threshold : 90%
Console#
Related Commands
show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show process cpu
CPU Utilization in the past 5 seconds : 22%
CPU Utilization in the past 60 seconds
Average Utilization : 27%
Maximum Utilization : 39%
Alarm Status
Current Alarm Status : Off
Last Alarm Start Time :
Last Alarm Duration Time : 44 seconds
Alarm Configuration
Rising Threshold : 90%
Falling Threshold : 70%
Console#
Related Commands
show running-config
This command displays the configuration information currently in use.
Syntax
show running-config [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: Always 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
vlan vlan-id (Range: 1-4094)
Command Mode
Privileged Exec
Command Usage
◆ Use the interface keyword to display configuration data for the specified interface.
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:
■ MAC address for the switch
■ SNMP community strings
■ Users (names, access levels, and encrypted passwords)
■ VLAN database (VLAN ID, name and state)
■ VLAN configuration settings for each interface
■ Multiple spanning tree instances (name and interfaces)
■ IP address configured for management VLAN
■ Spanning tree settings
■ Interface settings
■ Any configured settings for the console port and Telnet
Example
Console#show running-config
Building running configuration. Please wait...
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-e0-0c-00-00-fd_03</stackingMac>
!
snmp-server community public ro
snmp-server community private rw
!
snmp-server enable traps authentication
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
!
spanning-tree mst configuration
!
interface ethernet 1/1
!
interface ethernet 1/1
ip address dhcp
.
.
radius-server acct-port 1813
.
.
interface vlan 1
ip address 192.168.1.10 255.255.255.0
!
line console
!
line vty
!
end
!
Console#
Related Commands
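Because show running-config exposes the SNMP community strings and the encrypted user and enable passwords together, its output is the natural input for a periodic check that no documented default credential survives on a production switch. The following is an added illustration, not code from this guide or the switch firmware. It assumes (an assumption the guide does not state) that the “password 7” form in the running configuration is an unsalted MD5 hex digest of the password; if the device uses a different encoding, the password checks report nothing and only the community-string check applies. The sample configuration is constructed after the example above, with its digests generated in the script.

```python
"""Audit show running-config output for documented default credentials.

Added illustration, not code from this guide or the switch firmware. It
ASSUMES that the "password 7" form is an unsalted MD5 hex digest of the
password (the guide does not say how the value is encoded); under a different
encoding the password checks simply report nothing.
"""
import hashlib
import re
from typing import Dict, List

# Defaults named in this guide: the admin and privileged-level passwords and
# the community strings visible in the show running-config example.
DEFAULT_PASSWORDS = ["admin", "admin123", "super"]
DEFAULT_COMMUNITIES = {"public", "private"}

USER_RE = re.compile(r"^username (\S+) password 7 ([0-9a-f]{32})$")
ENABLE_RE = re.compile(r"^enable password level (\d+) 7 ([0-9a-f]{32})$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")


def _md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample modelled on the running-config example in this guide; the
# digests are generated here so the sample stays consistent with the assumption.
SAMPLE_CONFIG = f"""\
snmp-server community public ro
snmp-server community private rw
!
username admin access-level 15
username admin password 7 {_md5_hex('admin')}
username ops access-level 15
username ops password 7 {_md5_hex('correct-horse-battery')}
enable password level 15 7 {_md5_hex('super')}
!
interface vlan 1
 ip address 192.168.1.10 255.255.255.0
"""


def audit_running_config(text: str) -> List[str]:
    """Return one finding per default community string or default password found."""
    default_digests: Dict[str, str] = {_md5_hex(p): p for p in DEFAULT_PASSWORDS}
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m and m.group(1) in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{m.group(1)}' ({m.group(2)}) is a well-known default")
            continue
        m = USER_RE.match(line)
        if m and m.group(2) in default_digests:
            findings.append(f"user '{m.group(1)}' still has a documented default password")
            continue
        m = ENABLE_RE.match(line)
        if m and m.group(2) in default_digests:
            findings.append(f"enable level {m.group(1)} still has a documented default password")
    return findings


if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The community check needs no assumption at all, since the strings appear in the clear; a read-write community of “private” deserves the same urgency as a default login.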
show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.
Command Mode
Privileged Exec
Command Usage
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:
■ MAC address for the switch
■ SNMP community strings
■ SNMP trap authentication
■ Users (names and access levels)
■ VLAN database (VLAN ID, name and state)
■ Multiple spanning tree instances (name and interfaces)
■ Interface settings and VLAN configuration settings for each interface
■ IP address for management VLAN
■ Any configured settings for the console port and Telnet
Example
Refer to the example for the running configuration file.
Related Commands
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
◆ The number of fans provided: EX-3524 - 2, EX-3548 - 3
◆ The EX-3528 does not monitor system temperature.
Example
Console#show system
System Description : EX-3524 Managed POE/POE+ Switch
System OID String : 1.3.6.1.4.1.388.19.101
System Information
System Up Time : 0 days, 5 hours, 48 minutes, and 23.9 seconds
System Name :
System Location :
System Contact :
MAC Address (Unit 1) : FC-0A-81-B7-C7-E0
Web Server : Enabled
Web Server Port : 80
Web Secure Server : Enabled
Web Secure Server Port : 443
Telnet Server : Enabled
Telnet Server Port : 23
Jumbo Frame : Disabled
Unit 1
Fan 1: Ok Fan 2: Ok
Console#
Table 11: show system – display description
Parameter                Description
System Description       Brief description of device type.
System OID String        MIB II object ID for switch’s network management subsystem.
System Up Time           Length of time the management agent has been up.
System Name              Name assigned to the switch system.
System Location          Specifies the system location.
System Contact           Administrator responsible for the system.
MAC Address              MAC address assigned to this switch.
Web Server/Port          Shows administrative status of web server and UDP port number.
Web Secure Server/Port   Shows administrative status of secure web server and UDP port number.
Telnet Server/Port       Shows administrative status of Telnet server and TCP port number.
Jumbo Frame              Shows if jumbo frames are enabled or disabled.
System Fan               Shows the status of the system fans.
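The show system output lists the administrative state and port of each management service, which makes it a quick way to confirm that only encrypted management paths are left open. The following added illustration (not code from this guide or the switch firmware) parses the “Name : Value” lines and reports any enabled service that carries credentials in the clear; the sample output is constructed after the example above.

```python
"""Check show system output for cleartext management services.

Added illustration, not code from this guide or the switch firmware. It reads
the "Name : Value" lines that show system prints and reports any enabled
management service whose protocol sends credentials unencrypted.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the show system example in this guide.
SAMPLE_SHOW_SYSTEM = """\
System Description : EX-3524 Managed POE/POE+ Switch
System Up Time : 0 days, 5 hours, 48 minutes, and 23.9 seconds
System Name :
Web Server : Enabled
Web Server Port : 80
Web Secure Server : Enabled
Web Secure Server Port : 443
Telnet Server : Enabled
Telnet Server Port : 23
Jumbo Frame : Disabled
"""

# "Name : Value"; the lazy name group stops at the first colon, value may be empty.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ()/]+?)\s*:\s*(.*?)\s*$")

# Service name as printed by show system -> protocol it speaks.
SERVICES = {"Web Server": "HTTP", "Telnet Server": "Telnet", "Web Secure Server": "HTTPS"}
CLEARTEXT = {"HTTP", "Telnet"}


def parse_show_system(text: str) -> Dict[str, str]:
    """Map each 'Name : Value' line to a dict entry; blank values are kept as ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def management_services(fields: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[int]]]:
    """(enabled, port) for each management service; port is None when not printed."""
    result: Dict[str, Tuple[bool, Optional[int]]] = {}
    for name in SERVICES:
        enabled = fields.get(name, "").lower() == "enabled"
        port_text = fields.get(f"{name} Port", "")
        port = int(port_text) if port_text.isdigit() else None
        result[name] = (enabled, port)
    return result


def audit_show_system(text: str) -> List[str]:
    """One finding per enabled cleartext management service."""
    findings: List[str] = []
    for name, (enabled, port) in management_services(parse_show_system(text)).items():
        proto = SERVICES[name]
        if enabled and proto in CLEARTEXT:
            findings.append(f"{proto} management is enabled on port {port}; credentials cross the wire unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_show_system(SAMPLE_SHOW_SYSTEM):
        print("FINDING:", finding)
```

Run against the guide's own example the check flags both HTTP on 80 and Telnet on 23 while leaving the secure web server alone; the same parser can be pointed at captured output from a terminal log.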
show tech-support
This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command generates a long list of information including detailed system and interface settings. It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program.
Example
Console#show tech-support
dir:
File Name Type Startup Modify Time Size(bytes)
-------------------------- -------------- ------- ------------------- ----------
Unit 1:
EX3500_Op_V5.0.0.0-03D.bix OpCode N 2014-08-22 11:37:23 8395896
EX3500_Op_V5.0.0.0-05D.bix OpCode Y 2014-08-24 11:46:15 8399992
Factory_Default_Config.cfg Config N 2014-08-24 06:40:02 455
startup1.cfg Config Y 2014-09-12 13:24:06 1602
----------------------------------------------------------------------------
Free space for compressed user config files: 1519616
show arp:
ARP Cache Timeout: 1200 (seconds)
IP Address MAC Address Type Interface
--------------- ----------------- --------- -----------
192.168.0.2 70-72-CF-83-34-66 other VLAN1
192.168.0.99 00-60-6E-00-5F-A1 dynamic VLAN1
Total entry : 2
show interfaces brief:
Interface Name Status PVID Pri Speed/Duplex Type Trunk
--------- ---------------- -------- ---- --- ------------- ------------ ---
Eth 1/ 1 Up 1 0 Auto-100full 1000BASE-T None
Eth 1/ 2 Down 1 0 Auto 1000BASE-T None
Eth 1/ 3 Down 1 0 Auto 1000BASE-T None
Eth 1/ 4 Down 1 0 Auto 1000BASE-T None
Eth 1/ 5 Down 1 0 Auto 1000BASE-T None
.
show adoption status:
Not adopted to any wireless controller
show adoption history:
No history
Console#
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example
Console#show users
User Name Accounts:
User Name Privilege Public-Key
-------------------- ---------- --------------
admin                15         None
guest                0          None
steve                15         RSA
Online Users:
Line Session ID User Name Idle Time (h:m:s) Remote IP Addr
--------- ---------- -------------------- ----------------- ---------------
*Console 0 admin 0:00:00
Telnet 1 admin 0:00:00 192.168.1.19
Telnet 2 SSH 1 0:00:06 192.168.1.19
Web Online Users:
Line User Name Idle time (h:m:s) Remote IP addr
---------- -------------------- -------------------- --------------------
HTTP admin 0:00:05 192.168.0.99
Console#
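Since show users reports the line type and remote address of every active management session, it is also a useful input for spotting sessions that should not be there: cleartext Telnet or HTTP logins, or logins from outside the management network. The following is an added illustration, not code from this guide or the switch firmware; the management network 192.168.1.0/24 is an assumed allow-list, and the sample output is constructed after the example above.

```python
"""Flag management sessions in show users output that deserve a second look.

Added illustration, not code from this guide or the switch firmware. The
management network is an ASSUMED allow-list; the sample output is constructed
after the show users example in this guide.
"""
import ipaddress
import re
from typing import Dict, List

MANAGEMENT_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed allow-list
CLEARTEXT_LINES = {"Telnet", "HTTP"}

SAMPLE_SHOW_USERS = """\
Online Users:
Line      Session ID User Name            Idle Time (h:m:s) Remote IP Addr
--------- ---------- -------------------- ----------------- ---------------
*Console  0          admin                0:00:00
 Telnet   1          admin                0:00:00           192.168.1.19
 SSH      2          steve                0:00:06           10.9.8.7

Web Online Users:
Line       User Name            Idle time (h:m:s)    Remote IP addr
---------- -------------------- -------------------- --------------------
HTTP       admin                0:00:05              192.168.0.99
"""

# Console rows carry no remote address, so the last group is optional.
ONLINE_RE = re.compile(
    r"^\s*(\*?)(Console|Telnet|SSH)\s+(\d+)\s+(\S+)\s+(\d+:\d+:\d+)(?:\s+(\S+))?\s*$")
WEB_RE = re.compile(r"^\s*(HTTPS?)\s+(\S+)\s+(\d+:\d+:\d+)\s+(\S+)\s*$")


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Collect one record per session from both the Online and Web Online tables."""
    sessions: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ONLINE_RE.match(line)
        if m:
            sessions.append({"line": m.group(2), "user": m.group(4),
                             "ip": m.group(6), "current": m.group(1) == "*"})
            continue
        m = WEB_RE.match(line)
        if m:
            sessions.append({"line": m.group(1), "user": m.group(2),
                             "ip": m.group(4), "current": False})
    return sessions


def audit_sessions(text: str) -> List[str]:
    """Findings for cleartext sessions and for remote addresses outside the allow-list."""
    findings: List[str] = []
    for s in parse_sessions(text):
        where = f"{s['user']} via {s['line']} from {s['ip']}"
        if s["line"] in CLEARTEXT_LINES:
            findings.append(f"{where}: cleartext session")
        if s["ip"] is not None:
            addr = ipaddress.ip_address(str(s["ip"]))
            if not any(addr in net for net in MANAGEMENT_NETS):
                findings.append(f"{where}: outside management network")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_SHOW_USERS):
        print("FINDING:", finding)
```

The console session is never flagged, since it has no remote address; in the constructed sample the Telnet and HTTP logins are reported as cleartext, and the SSH login from 10.9.8.7 and the HTTP login from 192.168.0.99 as coming from outside the assumed management network.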
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show version
Unit 1
Serial Number : 14053520900018
Hardware Version : R01
EPLD Version : 0.00
Number of Ports : 28
Main Power Status : Up
Role : Master
Loader Version : 5.0.0.1-01A
Linux Kernel Version : 2.6.22.18
Boot ROM Version : 0.0.0.1
Operation Code Version : 5.0.0.0-03D
Adoptd Version : 5.8.0.0-208812X
Console#
Table 12: show version – display description
Parameter                Description
Serial Number            The serial number of the switch.
Hardware Version         Hardware version of the main board.
EPLD Version             Version number of Erasable Programmable Logic Device.
Number of Ports          Number of built-in ports.
Main Power Status        Displays the status of the internal power supply.
Role                     Shows that this switch is operating as Master or Slave.
Loader Version           Version number of loader code.
Linux Kernel Version     Version number of Linux kernel.
Boot ROM Version         Version of Power-On Self-Test (POST) and boot code.
Operation Code Version   Version number of runtime code.
Adoptd Version           Version number of adopted device code.
show watchdog
This command shows if watchdog debugging is enabled.
Command Mode
Privileged Exec
Example
Console#show watchdog
Software Watchdog Information
Status : Enabled
Console#
watchdog software
This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
Syntax
watchdog software {disable | enable}
Default Setting
Disabled
Command Mode
Privileged Exec
Example
Console#watchdog software enable
Console#
Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
Table 13: Frame Size Commands
Command       Function                           Mode
jumbo frame   Enables support for jumbo frames   GC
jumbo frame
This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
Syntax
[no] jumbo frame
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit Ethernet ports or trunks up to 10240 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
◆ The current setting for jumbo frames can be displayed with the
command.
Example
Console(config)#jumbo frame
Console(config)#
File Management
Managing Firmware
Firmware can be uploaded to and downloaded from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
When downloading runtime code, the destination file name can be specified to replace the current image, or the file can first be downloaded under a name different from the current runtime code file, and then the new file set as the startup file.
Note that TFTP has no authentication and FTP sends its user name and password in clear text, and neither protocol protects the image in transit. Keep the file server on a management network that untrusted hosts cannot reach, and confirm with dir and whichboot which image is set as startup before and after a transfer.
Saving or Restoring Configuration Settings
Configuration settings can be uploaded to and downloaded from an FTP/TFTP server, and a saved configuration file can later be downloaded to restore switch settings. A saved configuration includes the switch's line and user passwords (see the password command), so the server that holds it needs the same access control as the switch itself.
The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the FTP/TFTP server, but cannot be used as the destination on the switch.
Table 14: Flash/File Commands
Command                  Function                                                            Mode
General Commands
boot system              Specifies the file or image used to start up the system             GC
copy                     Copies a code image or a switch configuration to or from flash      PE
                         memory or an FTP/TFTP server
delete                   Deletes a file or code image                                        PE
dir                      Displays a list of files in flash memory                            PE
whichboot                Displays the files booted                                           PE
Automatic Code Upgrade Commands
upgrade opcode auto      Automatically upgrades the current image when a new version is      GC
                         detected on the indicated server
upgrade opcode path      Specifies an FTP/TFTP server and directory in which the new         GC
                         opcode is stored
upgrade opcode reload    Reloads the switch automatically after the opcode upgrade is        GC
                         completed
show upgrade             Shows the opcode upgrade configuration settings                     PE
TFTP Configuration Commands
ip tftp retry            Specifies the number of times the switch can retry transmitting     GC
                         a request to a TFTP server
ip tftp timeout          Specifies the time the switch can wait for a response from a        GC
                         TFTP server before retransmitting a request or timing out for
                         the last retry
show ip tftp             Displays information about TFTP settings                            PE
General Commands
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ A colon (:) is required after the specified file type.
◆ If the file contains an error, it cannot be set as the default file.
Example
Console(config)#boot system config: startup
Console(config)#
Related Commands
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
Syntax
copy file {file | ftp | running-config | startup-config | tftp}
copy ftp {add-to-running-config | file | https-certificate | public-key |
running-config | startup-config}
copy running-config {file | ftp | startup-config | tftp}
copy startup-config {file | ftp | running-config | tftp}
copy tftp {add-to-running-config | file | https-certificate | public-key |
running-config | startup-config}
add-to-running-config - Keyword that adds the settings listed in the specified file to the running configuration.
file - Keyword that allows you to copy to/from a file.
ftp - Keyword that allows you to copy to/from an FTP server.
https-certificate - Keyword that allows you to copy the HTTPS secure site certificate.
public-key - Keyword that allows you to copy a SSH key from a TFTP server.
(See “Secure Shell” on page 234.)
running-config - Keyword that allows you to copy to/from the current running configuration.
startup-config - The configuration used for system initialization.
tftp - Keyword that allows you to copy to/from a TFTP server.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ The system prompts for data required to complete the copy command.
◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”)
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
◆ For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” in the System Reference Guide. For information on configuring the switch to use HTTPS for a secure connection, see the ip http secure-server command.
◆ When logging into an FTP server, the interface prompts for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name.
Example
The following example shows how to download new firmware from a TFTP server:
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
1. config; 2. opcode; 3. loader: 2
Source file name: m360.bix
Destination file name: m360.bix
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#
The following example shows how to upload the configuration settings to a file on the TFTP server:
Console#copy file tftp
Choose file type:
1. config; 2. opcode; 1
Source file name: startup
TFTP server IP address: 10.1.0.99
Destination file name: startup.01
Success.
Console#
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
Destination configuration file name: startup
Flash programming started.
Flash programming completed.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Flash programming started.
Flash programming completed.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
Console#copy tftp https-certificate
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.
Console#reload
System will be restarted, continue <y/n>? y
This example shows how to copy a public key used by SSH from a TFTP server.
Note that public key authentication via SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
1. RSA: 2. DSA: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
Console#
This example shows how to copy a file from an FTP server to the switch (the source is the FTP server, the destination is a file in flash memory):
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
delete
This command deletes a file or image.
Syntax
delete file name filename
filename - Name of configuration file or code image.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ If the file type is used for system startup, then this file cannot be deleted.
◆ “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete file name test2.cfg
Console#
Related Commands
dir
This command displays a list of files in flash memory.
Syntax
dir {boot-rom: | config: | opcode:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
If you enter the command dir without any parameters, the system displays all files.
File information is shown below:
Table 15: File Directory Information
Column Heading    Description
File Name         The name of the file.
File Type         File types: Boot-Rom, Operation Code, and Config file.
Startup           Shows if this file is used when the system is started.
Create Time       The date and time the file was created.
Size              The length of the file in bytes.
Example
The following example shows how to display all file information:
Console#dir
File Name Type Startup Modify Time Size(bytes)
-------------------------- -------------- ------- ------------------- ----------
EX3500_Op_V5.0.0.0-03D.bix OpCode Y 2014-08-22 11:37:23 8395896
EX3548_Op_V4.0.1.0-04I.bix OpCode N 1970-01-01 00:00:00 7634132
Factory_Default_Config.cfg Config N 2014-08-24 06:40:02 455
startup1.cfg Config Y 2014-09-12 13:24:06 1602
-----------------------------------------------------------------------------
Free space for compressed user config files: 1355776
Console#
whichboot
This command displays which files were booted when the system powered up.
Syntax
whichboot
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name Type Startup Modify Time Size(bytes)
-------------------------------- ------- ------- ------------------- ----------
Unit 1:
EX3500_Op_V5.0.0.0-03D.bix OpCode Y 2014-08-22 11:37:23 8395896
startup1.cfg Config Y 2014-09-12 13:24:06 1602
Console#
Automatic Code Upgrade Commands
upgrade opcode auto
This command automatically upgrades the current operational code when a new
version is detected on the server indicated by the upgrade opcode path
command.
Use the no form of this command to restore the default setting.
Syntax
[no] upgrade opcode auto
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ This command is used to enable or disable automatic upgrade of the operational code. When the switch starts up and automatic image upgrade is enabled by this command, the switch will follow these steps when it boots up:
1.
It will search for a new version of the image at the location specified by
upgrade opcode path command. The name for the new image stored on
the TFTP server must be EX3500_Op.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2.
After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
3.
It sets the new version as the startup image.
4.
It then restarts the system to start using the new image.
◆ Any changes made to the default setting can be displayed with the show upgrade command.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
.
.
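The following Python is an added example, not part of this guide or the switch software. It parses the listing printed by dir and whichboot (the sample embedded below is the listing shown earlier in this section), checks that the startup image and startup configuration are the ones an operator expects, and reproduces the decision upgrade opcode auto makes at boot: download only when the server's version is newer than the startup image, and overwrite the stored image that is not set as startup. Assumptions beyond the page: image names carry their version as _V<a>.<b>.<c>.<d>, as in the listing, and the expected names passed to check_boot_state come from the operator's own change records.

```python
import re

# Row format printed by dir and whichboot: name, type, startup flag, modify
# time, size. Header lines, rules, "Unit 1:" and the free-space summary do not
# match and are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<type>OpCode|Config|Boot-Rom)\s+(?P<startup>[YN])\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s*$"
)
# Assumption: runtime images carry their version in the name as "_V5.0.0.0",
# as in the listing shown in this guide.
VERSION_IN_NAME_RE = re.compile(r"_V(\d+(?:\.\d+)+)")

# Constructed sample: the dir listing from this guide.
SAMPLE_DIR = """\
File Name Type Startup Modify Time Size(bytes)
-------------------------- -------------- ------- ------------------- ----------
EX3500_Op_V5.0.0.0-03D.bix OpCode Y 2014-08-22 11:37:23 8395896
EX3548_Op_V4.0.1.0-04I.bix OpCode N 1970-01-01 00:00:00 7634132
Factory_Default_Config.cfg Config N 2014-08-24 06:40:02 455
startup1.cfg Config Y 2014-09-12 13:24:06 1602
-----------------------------------------------------------------------------
Free space for compressed user config files: 1355776
"""


def parse_listing(text):
    """Turn dir/whichboot output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["startup"] = row["startup"] == "Y"
            row["size"] = int(row["size"])
            rows.append(row)
    return rows


def parse_version(text):
    """'1.1.2.0' -> (1, 1, 2, 0); tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.split("."))


def image_version(name):
    """Version tuple embedded in an image file name, or None if absent."""
    m = VERSION_IN_NAME_RE.search(name)
    return parse_version(m.group(1)) if m else None


def startup_file(rows, file_type):
    """Name of the file of the given type flagged Y in the Startup column."""
    for row in rows:
        if row["type"] == file_type and row["startup"]:
            return row["name"]
    return None


def check_boot_state(rows, expected_opcode, expected_config):
    """List discrepancies between the listing and the expected startup files."""
    findings = []
    opcode = startup_file(rows, "OpCode")
    config = startup_file(rows, "Config")
    if opcode != expected_opcode:
        findings.append(f"startup opcode is {opcode}, expected {expected_opcode}")
    if config != expected_config:
        findings.append(f"startup config is {config}, expected {expected_config}")
    return findings


def plan_auto_upgrade(rows, server_version):
    """Mirror the decision 'upgrade opcode auto' makes at boot.

    Download only when the server's version is newer than the startup image;
    with two images stored, the one not set as startup is overwritten.
    """
    opcodes = [r for r in rows if r["type"] == "OpCode"]
    current = startup_file(rows, "OpCode")
    if current is None:
        return {"download": False, "reason": "no startup opcode in listing"}
    current_ver = image_version(current)
    new_ver = parse_version(server_version)
    if current_ver is None or new_ver <= current_ver:
        return {"download": False, "reason": f"{server_version} is not newer than {current}"}
    spare = [r["name"] for r in opcodes if not r["startup"]]
    return {"download": True,
            "overwrites": spare[0] if len(opcodes) >= 2 else None,
            "becomes_startup": server_version}


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_DIR)
    print(check_boot_state(rows, "EX3500_Op_V5.0.0.0-03D.bix", "startup1.cfg"))
    print(plan_auto_upgrade(rows, "5.0.1.0"))
```

Run it after every firmware change; a non-empty list from check_boot_state means the switch is not booting what the change record says. It is an inventory check only: the listing shows no hash, so it cannot distinguish a genuine image from a tampered one of the same name and size.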
upgrade opcode path
This command specifies an FTP or TFTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current setting.
Syntax
upgrade opcode path opcode-dir-url
no upgrade opcode path
opcode-dir-url - The location of the new code.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆
This command is used in conjunction with the upgrade opcode auto command
to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be
EX3500_Op.bix. However, note that file name is not to be included in this command.
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/
◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” is used for the connection. If the password is omitted, a null string (“”) is used. Because the password is embedded in the path, FTP sends it to the server in clear text; use an account that has read-only access to the image directory and nothing else.
Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored, logging in as user zebra (<password> stands for that account's password):
Console(config)#upgrade opcode path ftp://zebra:<password>@192.168.0.1/sm24/
Console(config)#
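As an added example (not from the guide), the following Python parses an upgrade opcode path argument according to the syntax above, fills in the documented FTP defaults, and rejects the forms the command does not accept, including a tftp:// path carrying credentials and a path that names the image file instead of its directory. It also produces a redacted form for logs and change tickets so the FTP password is not copied around. Where the guide's bracketed syntax is ambiguous (a user name without a password), the parser accepts user@host; that, and allowing a host name in place of the IPv4 literal, are this example's assumptions.

```python
import re

# Grammar of the upgrade opcode path argument as given in the guide:
#   tftp://192.168.0.1[/filedir]/
#   ftp://[username[:password@]]192.168.0.1[/filedir]/
# The switch appends the fixed image name itself. Assumptions not stated by
# the guide: "user@host" is accepted for a user name without a password, and
# the host may be any IPv4 literal or host name.
IMAGE_NAME = "EX3500_Op.bix"

URL_RE = re.compile(
    r"^(?P<scheme>tftp|ftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^/@]+)"
    r"(?P<dir>(?:/[^/]+)*)/$"
)


class PathError(ValueError):
    """Raised for a path the documented syntax does not allow."""


def parse_opcode_path(url):
    """Split an opcode path into its parts and apply the documented defaults."""
    m = URL_RE.match(url)
    if not m:
        raise PathError("expected tftp://host[/dir]/ or ftp://[user[:password]@]host[/dir]/ "
                        "with a trailing slash")
    scheme, user, password, host, directory = m.group("scheme", "user", "password",
                                                      "host", "dir")
    if IMAGE_NAME in directory.split("/"):
        raise PathError(f"{IMAGE_NAME} is appended by the switch; give only the directory")

    # Log-safe form, built before the FTP defaults are filled in.
    if user is None:
        cred = ""
    elif password is None:
        cred = f"{user}@"
    else:
        cred = f"{user}:***@"
    redacted = f"{scheme}://{cred}{host}{directory}/"

    warnings = []
    if scheme == "tftp":
        if user is not None:
            raise PathError("TFTP has no login; credentials are not valid in a tftp:// path")
        warnings.append("TFTP has no authentication: the switch trusts whatever the host "
                        "at this address serves")
    else:
        user = "anonymous" if user is None else user       # documented default
        password = "" if password is None else password    # documented default (null string)
        warnings.append("FTP sends the user name, password and image in clear text")

    return {
        "scheme": scheme,
        "host": host,
        "directory": directory or "/",
        "user": user,
        "password": password,
        "image_url": f"{scheme}://{host}{directory}/{IMAGE_NAME}",
        "redacted": redacted,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for candidate in ("tftp://192.168.0.1/sm24/", "ftp://zebra:s3cret@192.168.0.1/sm24/"):
        info = parse_opcode_path(candidate)
        print(info["redacted"], "->", info["image_url"])
        for w in info["warnings"]:
            print("  warning:", w)
```

The image_url field is what the switch will fetch at boot; resolving it by hand from a host on the management network is a quick way to confirm the directory and file name before enabling upgrade opcode auto.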
upgrade opcode reload
This command reloads the switch automatically after the opcode upgrade is completed. Use the no form to disable this feature.
Syntax
[no] upgrade opcode reload
Default Setting
Disabled
Command Mode
Global Configuration
Example
This shows how to make the switch reload automatically once an opcode upgrade has completed.
Console(config)#upgrade opcode reload
Console(config)#
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
Status : Disabled
Reload Status : Disabled
Path :
File Name : EX3500_Op.bix
Console#
TFTP Configuration Commands
ip tftp retry
This command specifies the number of times the switch can retry transmitting a request to a TFTP server after waiting for the configured timeout period and receiving no response. Use the no form to restore the default setting.
Syntax
ip tftp retry retries
no ip tftp retry
retries - The number of times the switch can resend a request to a TFTP server before it aborts the connection. (Range: 1-16)
Default Setting
15
Command Mode
Global Configuration
Example
Console(config)#ip tftp retry 10
Console(config)#
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out. (Range: 1-65535 seconds)
Default Setting
5 seconds
Command Mode
Global Configuration
Example
Console(config)#ip tftp timeout 10
Console(config)#
show ip tftp
This command displays information about the TFTP settings configured on this switch.
Syntax
show ip tftp
Command Mode
Privileged Exec
Example
Console#show ip tftp
TFTP Settings:
Retries : 15
Timeout : 5 seconds
Console#
Line
You can access the onboard configuration program by attaching a VT100-compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or for Telnet (i.e., a virtual terminal).
Table 16: Line Commands
Command                   Function                                                          Mode
line                      Identifies a specific line for configuration and starts the       GC
                          line configuration mode
accounting exec           Applies an accounting method to local console, Telnet or SSH      LC
                          connections
authorization exec        Applies an authorization method to local console, Telnet or       LC
                          SSH connections
databits*                 Sets the number of data bits per character that are               LC
                          interpreted and generated by hardware
exec-timeout              Sets the interval that the command interpreter waits until        LC
                          user input is detected
login                     Enables password checking at login                                LC
parity*                   Defines the generation of a parity bit                            LC
password                  Specifies a password on a line                                    LC
password-thresh           Sets the password intrusion threshold, which limits the           LC
                          number of failed logon attempts
silent-time               Sets the amount of time the management console is inaccessible    LC
                          after the number of unsuccessful logon attempts exceeds the
                          threshold set by the password-thresh command
speed*                    Sets the terminal baud rate                                       LC
stopbits*                 Sets the number of the stop bits transmitted per byte             LC
timeout login response    Sets the interval that the system waits for a login attempt       LC
disconnect                Terminates a line connection                                      PE
show line                 Displays a terminal line's parameters                             NE, PE
* These commands only apply to the serial port.
line
This command identifies a specific line for configuration and enters line configuration mode, so that subsequent line configuration commands apply to that line.
Syntax
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in
screen displays such as show users . However, the serial communication parameters
(e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line-console)#
Related Commands
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax
databits {7 | 8}
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.
Default Setting
8 data bits per character
Command Mode
Line Configuration
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Example
To specify 7 data bits, enter this command:
Console(config-line-console)#databits 7
Console(config-line-console)#
Related Commands
exec-timeout
This command sets the interval that the system waits until user input is detected.
Use the no form to restore the default.
Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the timeout interval.
(Range: 60 - 65535 seconds; 0: no timeout)
Default Setting
600 seconds (10 minutes)
Command Mode
Line Configuration
Command Usage
◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line-console)#exec-timeout 120
Console(config-line-console)#
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user names and passwords configured on the switch itself.
Default Setting
login local
Command Mode
Line Configuration
Command Usage
◆ There are three authentication modes provided by the switch itself at login:
■ login selects authentication by a single global password as specified by the
password line configuration command. When using this method, the
management interface starts in Normal Exec (NE) mode.
■ login local selects authentication via the user name and password specified by the
command (i.e., default setting). When using this method, the management interface starts in Normal Exec (NE) or Privileged
Exec (PE) mode, depending on the user’s privilege level (0 or 15 respectively).
■ no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode.
◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
Example
Console(config-line-console)#login local
Console(config-line-console)#
Related Commands
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Example
To specify no parity, enter this command:
Console(config-line-console)#parity none
Console(config-line-console)#
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
{0 | 7} - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password.
(Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting
No password is specified.
Command Mode
Line Configuration
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
Console(config-line-console)#password 0 secret
Console(config-line-console)#
Related Commands
password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
Default Setting
The default value is three attempts.
Command Mode
Line Configuration
Command Usage
When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line-console)#password-thresh 5
Console(config-line-console)#
Related Commands
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the
password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response.
(Range: 0-65535; where 0 means disabled)
Default Setting
Disabled
Command Mode
Line Configuration
Example
To set the silent time to 60 seconds, enter this command:
Console(config-line-console)#silent-time 60
Console(config-line-console)#
Related Commands
speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second.
(Options: 9600, 19200, 38400, 57600, 115200 bps)
Default Setting
115200 bps
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.
Note: Auto-detection of baud rate is only performed at user log in.
Note: Due to a hardware limitation, the terminal program connected to the console port must be set to 8 data bits when using auto baud rate detection.
Example
To specify 57600 bps, enter this command:
Console(config-line-console)#speed 57600
Console(config-line-console)#
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
Syntax
stopbits {1 | 2}
no stopbits
1 - One stop bit
2 - Two stop bits
Default Setting
1 stop bit
Command Mode
Line Configuration
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#
timeout login response
This command sets the interval that the system waits for a user to log into the CLI.
Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
(Range: 10 - 300 seconds)
Default Setting
300 seconds
Command Mode
Line Configuration
Command Usage
◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line-console)#timeout login response 120
Console(config-line-console)#
disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection.
(Range: 0-8)
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting.
Syntax
terminal {escape-character {ASCII-number | character} | history [size size] |
length length | terminal-type {ansi-bbs | vt-100 | vt-102} | width width}
escape-character - The keyboard character used to escape from current line input.
ASCII-number - ASCII decimal equivalent. (Range: 0-255)
character - Any valid keyboard character.
history - The number of lines stored in the command buffer, and recalled using the arrow keys. (Range: 0-256)
length - The number of lines displayed on the screen before output pauses. (Range: 24-200; 0 means not to pause)
terminal-type - The type of terminal emulation used.
ansi-bbs - ANSI-BBS
vt-100 - VT-100
vt-102 - VT-102
width - The number of character columns displayed on the terminal.
(Range: 0-80)
Default Setting
Escape Character: 27 (ASCII-number)
History: 10
Length: 24
Terminal Type: VT100
Width: 80
Command Mode
Privileged Exec
Example
This example sets the number of lines displayed by commands with lengthy output such as
to 48 lines.
Console#terminal length 48
Console#
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
Shows all lines
Command Mode
Normal Exec, Privileged Exec
Example
To show all lines, enter this command:
Console#show line
Terminal Configuration for this session:
Length : 24
Width : 80
History Size : 10
Escape Character(ASCII-number) : 27
Terminal Type : VT100
Console Configuration:
Password Threshold : 3 times
EXEC Timeout : 600 seconds
Login Timeout : 300 seconds
Silent Time : Disabled
Baud Rate : 115200
Data Bits : 8
Parity : None
Stop Bits : 1
VTY Configuration:
Password Threshold : 3 times
EXEC Timeout : 600 seconds
Login Timeout : 300 sec.
Silent Time : Disabled
Console#
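The show line output above is where a switch's interactive-access hardening can be checked. The following Python, added here as an example and not part of the guide, parses that output (the sample is the listing above, reproduced as a string) and compares each line against a baseline. The thresholds in BASELINE are this example's assumptions; the meanings it relies on (EXEC Timeout 0 means sessions never expire, Password Threshold 0 means unlimited attempts, Silent Time Disabled means no lockout) are the guide's.

```python
import re

# Constructed sample: the show line output from this guide.
SAMPLE_SHOW_LINE = """\
Terminal Configuration for this session:
Length : 24
Width : 80
History Size : 10
Escape Character(ASCII-number) : 27
Terminal Type : VT100
Console Configuration:
Password Threshold : 3 times
EXEC Timeout : 600 seconds
Login Timeout : 300 seconds
Silent Time : Disabled
Baud Rate : 115200
Data Bits : 8
Parity : None
Stop Bits : 1
VTY Configuration:
Password Threshold : 3 times
EXEC Timeout : 600 seconds
Login Timeout : 300 sec.
Silent Time : Disabled
"""

# Acceptable (low, high) ranges per setting. These are this example's
# assumptions, not values from the guide.
BASELINE = {
    "EXEC Timeout": (1, 600),        # seconds; 0 means the session never expires
    "Login Timeout": (10, 300),      # seconds allowed to complete a login
    "Password Threshold": (1, 5),    # failed attempts before the line is dropped
    "Silent Time": (60, 65535),      # seconds of lockout after the threshold
}


def parse_show_line(text):
    """Return {section: {key: value}}; numbers become int, 'Disabled' becomes 0."""
    sections, current = {}, "(none)"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " : " not in line and line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        key, _, raw = line.partition(" : ")
        value = raw.strip()
        m = re.match(r"-?\d+", value)
        if m:
            value = int(m.group())
        elif value == "Disabled":
            value = 0
        sections.setdefault(current, {})[key.strip()] = value
    return sections


def audit_lines(sections):
    """Compare each line's settings against BASELINE; return a list of findings."""
    findings = []
    for name, values in sections.items():
        if not name.endswith("Configuration"):   # skip the per-session terminal block
            continue
        for key, (low, high) in BASELINE.items():
            if key not in values:
                continue
            v = values[key]
            if not isinstance(v, int) or not low <= v <= high:
                findings.append(f"{name}: {key} is {v!r}, expected {low}-{high}")
    return findings


if __name__ == "__main__":
    for finding in audit_lines(parse_show_line(SAMPLE_SHOW_LINE)):
        print(finding)
```

On the sample both the console and the VTY line are reported because silent-time is off, which is the default: password-thresh drops the connection after three wrong passwords, but without a silent time nothing delays the next round of attempts on the console.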
Event Logging
This section describes commands used to configure event logging on the switch.
Table 17: Event Logging Commands
Command            Function                                                            Mode
logging facility   Sets the facility type for remote logging of syslog messages        GC
logging history    Limits syslog messages saved to switch memory based on severity     GC
logging host       Adds a syslog server host IP address that will receive logging      GC
                   messages
logging on         Controls logging of error messages                                  GC
logging trap       Limits syslog messages saved to a remote server based on severity   GC
clear log          Clears messages from the logging buffer                             PE
show log           Displays log messages                                               PE
show logging       Displays the state of logging                                       PE
logging facility
This command sets the facility type for remote logging of syslog messages. Use the
no form to return the type to the default.
Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service. (Range: 16-23)
Default Setting
23
Command Mode
Global Configuration
Command Usage
The command specifies the facility type tag sent in syslog messages. (See RFC
3164.) This type has no effect on the kind of messages reported by the switch.
However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
Example
Console(config)#logging facility 19
Console(config)#
logging history
This command limits syslog messages saved to switch memory based on severity.
The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Table 18: Logging Levels
Level   Severity Name   Description
7       debugging       Debugging messages
6       informational   Informational messages only
5       notifications   Normal but significant condition, such as cold start
4       warnings        Warning conditions (e.g., return false, unexpected return)
3       errors          Error conditions (e.g., invalid input, default used)
2       critical        Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1       alerts          Immediate action needed
0       emergencies     System unusable
Default Setting
Flash: errors (level 3 - 0)
RAM: debugging (level 7 - 0)
Command Mode
Global Configuration
Command Usage
The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.
Example
Console(config)#logging history ram 0
Console(config)#
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
logging host host-ip-address [port udp-port]
no logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
udp-port - UDP port number used by the remote server. (Range: 1-65535)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#
logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
Syntax
[no] logging on
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
Example
Console(config)#logging on
Console(config)#
Related Commands
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level level]
no logging trap [level]
level - One of the syslog severity levels listed in Table 18 (“Logging Levels”). Messages sent include the selected level through level 0.
Default Setting
Disabled
Level 7
Command Mode
Global Configuration
Command Usage
◆ Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
Example
Console(config)#logging trap 4
Console(config)#
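The facility tag and severity threshold described for logging facility, logging history and logging trap, modelled in Python as an added example (not the switch's firmware or the guide's own code): it encodes the RFC 3164 PRI value, applies the "selected level down to level 0" rule, and shows how a receiving syslog server recovers facility and severity from the tag. The hostname, the wire format of the lines and the sample events are assumptions.

```python
import re
from collections import defaultdict

# Table 18 on this page: numeric level -> severity name.
SEVERITY_NAMES = {
    7: "debugging", 6: "informational", 5: "notifications", 4: "warnings",
    3: "errors", 2: "critical", 1: "alerts", 0: "emergencies",
}

# RFC 3164 facilities 16-23 are "local use 0-7"; the switch default, 23,
# is what 'show logging trap' reports as "Local use 7".
LOCAL_FACILITIES = range(16, 24)


def encode_pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI tag: facility * 8 + severity."""
    if facility not in LOCAL_FACILITIES:
        raise ValueError(f"facility {facility} outside the switch range 16-23")
    if severity not in SEVERITY_NAMES:
        raise ValueError(f"severity {severity} outside 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple[int, int]:
    """Split a PRI tag back into (facility, severity); 191 = 23*8+7 is the max."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0-191")
    return divmod(pri, 8)


def passes_threshold(severity: int, threshold: int) -> bool:
    """Threshold rule used by 'logging trap' and 'logging history': the
    selected level and every numerically lower (more severe) level pass."""
    return severity <= threshold


def format_syslog_line(facility, severity, timestamp, hostname, message):
    """RFC 3164 shaped line: <PRI>TIMESTAMP HOSTNAME MESSAGE (assumed format)."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {message}"


def forward_events(events, trap_level, facility=23, hostname="switch-1"):
    """Model 'logging trap level N' plus 'logging facility F': return the
    lines a remote syslog server would receive for (level, timestamp, text)
    events. The hostname is an assumption; the page does not show the wire format."""
    return [format_syslog_line(facility, level, ts, hostname, text)
            for level, ts, text in events if passes_threshold(level, trap_level)]


_LINE = re.compile(r"^<(\d{1,3})>(\S+ +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog_line(line: str) -> dict:
    """Receiver side: recover facility and severity from the PRI tag."""
    match = _LINE.match(line)
    if not match:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = decode_pri(int(match.group(1)))
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp": match.group(2),
        "host": match.group(3),
        "message": match.group(4),
    }


def dispatch(lines):
    """Sort received lines into (facility, severity name) buckets, the way the
    page says a syslog server may use the tag to route or store messages."""
    buckets = defaultdict(list)
    for line in lines:
        record = parse_syslog_line(line)
        buckets[(record["facility"], record["severity_name"])].append(record["message"])
    return dict(buckets)


# Constructed sample events as (level, timestamp, text). The first two
# mirror the 'show log ram' output on this page; the rest are made up.
SAMPLE_EVENTS = [
    (6, "Jan  1 00:01:30", "VLAN 1 link-up notification."),
    (6, "Jan  1 00:01:30", "Unit 1, Port 1 link-up notification."),
    (4, "Jan  1 00:02:10", "SNTP poll: unexpected return"),
    (2, "Jan  1 00:02:11", "memory allocation error - resource exhausted"),
]

if __name__ == "__main__":
    # 'logging facility 19' + 'logging trap 4': only warnings and worse go out.
    for line in forward_events(SAMPLE_EVENTS, trap_level=4, facility=19):
        print(line)
    print(dispatch(forward_events(SAMPLE_EVENTS, trap_level=7)))
```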
clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
Flash and RAM
Command Mode
Privileged Exec
Example
Console#clear log
Console#
Related Commands
show log
This command displays the log messages stored in local memory.
Syntax
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source).
Example
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
flash - Displays settings for storing event messages in flash memory
(i.e., permanent memory).
ram - Displays settings for storing event messages in temporary RAM
(i.e., memory flushed on power reset).
sendmail - Displays settings for the SMTP event handler (page 141).
trap - Displays settings for the trap function.
Default Setting
None
Command Mode
Privileged Exec
Example
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
Console#show logging flash
Syslog logging: Enabled
History logging in FLASH: level errors
Console#show logging ram
Syslog logging: Enabled
History logging in RAM: level debugging
Console#
Table 19: show logging flash/ram - display description
Field                     Description
Syslog logging            Shows if system logging has been enabled via the logging on command.
History logging in FLASH  The message level(s) reported based on the logging history command.
History logging in RAM    The message level(s) reported based on the logging history command.
The following example displays settings for the trap function.
Console#show logging trap
Remote Log Status : Enabled
Remote Log Facility Type : Local use 7
Remote Log Level Type : Debugging messages
Remote Log Server IP Address : 1.2.3.4
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Console#
Table 20: show logging trap - display description
Field                         Description
Remote Log Status             Shows if remote logging has been enabled via the logging trap command.
Remote Log Facility Type      The facility type for remote logging of syslog messages as specified in the logging facility command.
Remote Log Level Type         The severity threshold for syslog messages sent to a remote server as specified in the logging trap command.
Remote Log Server IP Address  The address of syslog servers as specified in the logging host command.
Related Commands
SMTP Alerts
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Table 21: Event Logging Commands
Command                             Function                                               Mode
logging sendmail                    Enables SMTP event handling                            GC
logging sendmail host               SMTP servers to receive alert messages                 GC
logging sendmail level              Severity threshold used to trigger alert messages      GC
logging sendmail destination-email  Email recipients of alert messages                     GC
logging sendmail source-email       Email address used for “From” field of alert messages  GC
show logging sendmail               Displays SMTP event handler settings                   NE, PE
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Syntax
[no] logging sendmail
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
Syntax
[no] logging sendmail host ip-address
ip-address - IPv4 address of an SMTP server that will be sent alert messages for event handling.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
◆ To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command.
If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.)
Example
Console(config)#logging sendmail host 192.168.1.19
Console(config)#
logging sendmail level
This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
Syntax
logging sendmail level level
no logging sendmail level
level - One of the system message levels (page 132). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7)
Default Setting
Level 7
Command Mode
Global Configuration
Command Usage
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
Example
This example will send email alerts for system errors from level 3 through 0.
Console(config)#logging sendmail level 3
Console(config)#
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Syntax
[no] logging sendmail destination-email email-address
email-address - The email address of a recipient of alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
Use the no form to restore the default value.
Syntax
logging sendmail source-email email-address
no logging sendmail source-email
email-address - The source email address used in alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example
Console(config)#logging sendmail source-email [email protected]
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP destination email addresses
-----------------------------------------------
ted@this-company.com
SMTP Source Email Address: [email protected]
SMTP Status: Enabled
Console#
Time
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Table 22: Time Commands
Command      Function                                               Mode
SNTP Commands
sntp client  Accepts time from specified time servers               GC
sntp poll    Sets the interval at which the client polls for time   GC
sntp server  Specifies one or more time servers                     GC
show sntp    Shows current SNTP configuration settings              NE, PE
Table 22: Time Commands (Continued)
Command                         Function                                                         Mode
NTP Commands
ntp authenticate                Enables authentication for NTP traffic                           GC
ntp authentication-key          Configures authentication keys                                   GC
ntp client                      Enables the NTP client for time updates from specified servers   GC
ntp server                      Specifies NTP servers to poll for time updates                   GC
show ntp                        Shows current NTP configuration settings                         NE, PE
Manual Configuration Commands
clock summer-time (date)        Configures summer time* for the switch’s internal clock          GC
clock summer-time (predefined)  Configures summer time* for the switch’s internal clock          GC
clock summer-time (recurring)   Configures summer time* for the switch’s internal clock          GC
clock timezone                  Sets the time zone for the switch’s internal clock               GC
calendar set                    Sets the system date and time                                    PE
show calendar                   Displays the current date and time setting                       NE, PE
* Daylight savings time.
SNTP Commands
sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
Syntax
[no] sntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (e.g., Dec 1 10:01:35 2014).
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2002
Poll Interval: 60
Current Mode: unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.80
Console#
Related Commands
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests. (Range: 16-16384 seconds)
Default Setting
16 seconds
Command Mode
Global Configuration
Example
Console(config)#sntp poll 60
Console#
Related Commands
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP). (Range: 1 - 3 addresses)
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console#
Related Commands
show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
Example
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#
NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
Syntax
[no] ntp authenticate
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
Example
Console(config)#ntp authenticate
Console(config)#
Related Commands
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65535)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
key - An MD5 authentication key string. The key string can be up to 32 case-sensitive printable ASCII characters (no spaces).
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch. Re-enter this command for each server you want to configure.
◆ Note that NTP authentication key numbers and values must match on both the server and client.
◆ NTP authentication is optional. When enabled with the ntp authenticate command, you must also configure at least one key number using this command.
◆ Use the no form of this command without an argument to clear all authentication keys in the list.
Example
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#
Related Commands
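NTP symmetric-key authentication as enabled by ntp authenticate and ntp authentication-key, modelled in Python as an added example (not the switch's implementation): it builds the RFC 5905 MAC, the key ID followed by MD5 over the key and the 48-byte header, and verifies it against a configured key list, so a mismatched key number or key value is rejected as the page requires. Key 45 / thisiskey45 is the page's own example; the packet contents and the value of key 19 are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header
KEY_ID_LEN = 4        # MAC = key ID (4 bytes) + MD5 digest (16 bytes)
DIGEST_LEN = 16


def build_client_header(version: int = 3) -> bytes:
    """Constructed 48-byte client request (LI=0, version as given, mode=3).
    Timestamps are left at zero; enough to show how the MAC is computed."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return bytes([li_vn_mode]) + bytes(NTP_HEADER_LEN - 1)


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: key ID followed by MD5(key || header).
    MD5 is the only algorithm the switch syntax above offers."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC, as a sender configured with this key number does."""
    return header + ntp_mac(key_id, key, header)


def verify_packet(packet: bytes, trusted_keys: dict[int, bytes]) -> tuple[bool, str]:
    """Check a received packet against the locally configured key list.
    Returns (accepted, reason). Both the key number and the key value must
    match what the sender used, which is the rule the page states."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "missing MAC or unexpected length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so timing does not reveal how much matched.
    if not hmac.compare_digest(expected, mac[KEY_ID_LEN:]):
        return False, f"bad digest for key id {key_id}"
    return True, "ok"


# Key 45 / "thisiskey45" is the page's own example; key 19's value is constructed.
SWITCH_KEYS = {45: b"thisiskey45", 19: b"constructed-key-19"}


def demo() -> list[tuple[bool, str]]:
    """Four scenarios: matching key, wrong key value, unknown key id, tampered header."""
    header = build_client_header()
    good = sign_packet(header, 45, b"thisiskey45")
    wrong_value = sign_packet(header, 45, b"thisiskey46")
    unknown_id = sign_packet(header, 7, b"thisiskey45")
    tampered = bytearray(good)
    tampered[1] ^= 0x01  # flip a bit in the stratum byte after signing
    return [verify_packet(p, SWITCH_KEYS)
            for p in (good, wrong_value, unknown_id, bytes(tampered))]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```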
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
Syntax
[no] ntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without NTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
◆ This command enables client time requests to time servers specified via the ntp server command. It issues time synchronization requests based on the interval set via the ntp poll command.
Example
Console(config)#ntp client
Console(config)#
Related Commands
ntp server
This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list.
Syntax
ntp server ip-address [key key-number]
no ntp server [ip-address]
ip-address - IP address of an NTP time server.
key-number - The number of an authentication key to use in communications with the server. (Range: 1-65535)
Default Setting
Version number: 3
Command Mode
Global Configuration
Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command. The client polls all the configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
◆ You can configure up to 50 NTP servers on the switch. Re-enter this command for each server you want to configure.
◆ NTP authentication is optional. If enabled with the ntp authenticate command, you must also configure at least one key number using the ntp authentication-key command.
◆ Use the no form of this command without an argument to clear all configured servers in the list.
Example
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#
Related Commands
show ntp
This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
Example
Console#show ntp
Current Time : Apr 29 13:57:32 2011
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Disabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 0.0.0.0 Port: 0
Last Update Time : Jan 1 00:00:00 1970 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 3 key 19
NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885
Console#
Manual Configuration Commands
clock summer-time (date)
This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
Syntax
clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [offset]
no clock summer-time
name - Name of the time zone while summer time is in effect, usually an acronym. (Range: 1-30 characters)
b-date - Day of the month when summer time will begin. (Range: 1-31)
b-month - The month when summer time will begin. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
e-year - The year summer time will end.
e-hour - The hour summer time will end. (Range: 0-23 hours)
e-minute - The minute summer time will end. (Range: 0-59 minutes)
offset - Summer time offset from the regular time zone, in minutes.
(Range: 30-120 minutes)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone.
Example
Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60
Console(config)#
Related Commands
clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.
Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym. (Range: 1-30 characters)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as
Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time relative to the configured time zone. To specify the time corresponding to your local time when summer time is in effect, select the predefined summer-time time zone appropriate for your location, or manually configure summer time if these predefined configurations do not apply to your location (see clock summer-time (recurring)).
Table 23: Predefined Summer-Time Parameters
Region       Start Time, Day, Week, & Month        End Time, Day, Week, & Month          Rel. Offset
Australia    00:00:00, Sunday, Week 5 of October   23:59:59, Sunday, Week 5 of March     60 min
Europe       00:00:00, Sunday, Week 5 of March     23:59:59, Sunday, Week 5 of October   60 min
New Zealand  00:00:00, Sunday, Week 1 of October   23:59:59, Sunday, Week 3 of March     60 min
USA          00:00:00, Sunday, Week 2 of March     23:59:59, Sunday, Week 1 of November  60 min
Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#
Related Commands
clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis.
Use the no form to disable summer-time.
Syntax
clock summer-time name recurring b-week b-day b-month b-hour b-minute e-week e-day e-month e-hour e-minute [offset]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym. (Range: 1-30 characters)
b-week - The week of the month when summer time will begin. (Range: 1-5)
b-day - The day of the week when summer time will begin. (Options:
sunday | monday | tuesday | wednesday | thursday | friday | saturday)
b-month - The month when summer time will begin. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
b-hour - The hour when summer time will begin. (Range: 0-23 hours)
b-minute - The minute when summer time will begin. (Range: 0-59 minutes)
e-week - The week of the month when summer time will end. (Range: 1-5)
e-day - The day of the week summer time will end. (Options: sunday |
monday | tuesday | wednesday | thursday | friday | saturday)
e-month - The month when summer time will end. (Options: january |
february | march | april | may | june | july | august | september | october
| november | december)
e-hour - The hour when summer time will end. (Range: 0-23 hours)
e-minute - The minute when summer time will end. (Range: 0-59 minutes)
offset - Summer-time offset from the regular time zone, in minutes.
(Range: 30-120 minutes)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time zone relative to the currently configured time zone. To display a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone (that is, the offset).
Example
The following example sets a recurring 60 minute offset summer-time to begin on the Friday of the 1st week of March at 01:59 hours and summer time to end on the Saturday of the 2nd week of November at 01:59 hours.
Console(config)#clock summer-time MESZ recurring 1 friday march 01 59 2 saturday november 1 59 60
Console(config)#
Related Commands
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
name - Name of timezone, usually an acronym. (Range: 1-30 characters)
hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
before-utc - Sets the local time zone before (west) of UTC.
after-utc - Sets the local time zone after (east) of UTC.
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (after) or west (before) of UTC.
Example
Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
Console(config)#
Related Commands
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute. (Range: 0 - 59)
sec - Second. (Range: 0 - 59)
day - Day of month. (Range: 1 - 31)
month - january | february | march | april | may | june | july | august | september | october | november | december
year - Year (4-digit). (Range: 1970-2037)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Note that when SNTP is enabled, the system clock cannot be manually configured.
Example
This example shows how to set the system clock to 15:12:34, February 1st, 2012.
Console#calendar set 15:12:34 1 February 2012
Console#
show calendar
This command displays the system clock.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show calendar
Current Time : Aug 24 13:41:56 2014
Time Zone : UTC, 00:00
Summer Time : Not configured
Summer Time in Effect : No
Console#
Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Table 24: Time Range Commands
Command          Function                                                                      Mode
time-range       Specifies the name of a time range, and enters time range configuration mode  GC
absolute         Sets the absolute time range for the execution of a command                   TR
periodic         Sets the time range for the periodic execution of a command                   TR
show time-range  Shows configured time ranges                                                  PE
time-range
This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range.
Syntax
[no] time-range name
name - Name of the time range. (Range: 1-16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command sets a time range for use by other functions, such as Access Control Lists.
◆ A maximum of eight rules can be configured for a time range.
Example
Console(config)#time-range r&d
Console(config-time-range)#
Related Commands
absolute
This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time.
Syntax
absolute start hour minute day month year [end hour minute day month year]
absolute end hour minute day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
day - Day of month. (Range: 1-31)
month - january | february | march | april | may | june | july | august | september | october | november | december
year - Year (4-digit). (Range: 2013-2037)
Default Setting
None
Command Mode
Time Range Configuration
Command Usage
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (e.g., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Example
This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
Console(config-time-range)#
periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Syntax
[no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend | hour minute}
daily - Daily
friday - Friday
monday - Monday
saturday - Saturday
sunday - Sunday
thursday - Thursday
tuesday - Tuesday
wednesday - Wednesday
weekdays - Weekdays
weekend - Weekends
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
Default Setting
None
Command Mode
Time Range Configuration
Command Usage
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (e.g., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Example
This example configures a time range for the periodic occurrence of an event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#
show time-range
This command shows configured time ranges.
Syntax
show time-range [name]
name - Name of the time range. (Range: 1-16 characters)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show time-range r&d
Time-range r&d:
absolute start 01:01 01 April 2009
periodic Daily 01:01 to Daily 02:01
periodic Daily 02:01 to Daily 03:01
Console#
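The absolute and periodic rules above combine as stated under Command Usage: an entry that has both kinds of rule is active only while the current time is inside the absolute window and inside one of the periodic windows. The following Python model, added here as an example and not taken from the guide or the switch firmware, parses rules in the CLI spelling shown in the examples and evaluates that condition; minute granularity, inclusive bounds, and the treatment of windows that cross midnight or the week boundary are this example's assumptions.

```python
"""Decide whether a switch time-range entry is active at a given instant.

Added example, not from the reference guide.  It models the documented rule
that an entry with both an absolute rule and periodic rules takes effect only
when the instant is inside the absolute window AND inside at least one
periodic window, and enforces the stated limits (one absolute rule, at most
eight rules).  Minute granularity and inclusive bounds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
DAY_CLASSES = {"daily": range(7), "weekdays": range(5), "weekend": (5, 6)}
MONTHS = {m: i + 1 for i, m in enumerate(
    "january february march april may june july august "
    "september october november december".split())}
MIN_PER_DAY, MAX_RULES = 24 * 60, 8
MIN_PER_WEEK = 7 * MIN_PER_DAY


def _hhmm(hour: str, minute: str) -> int:
    """'H M' tokens -> minutes since midnight, enforcing the CLI ranges."""
    h, m = int(hour), int(minute)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"hour/minute out of range: {hour} {minute}")
    return h * 60 + m


def _stamp(tok: List[str]) -> datetime:
    """'hour minute day month year' tokens of the absolute command -> datetime."""
    return datetime(int(tok[4]), MONTHS[tok[3]], int(tok[2]), int(tok[0]), int(tok[1]))


@dataclass
class TimeRange:
    name: str
    absolute: Optional[Tuple[Optional[datetime], Optional[datetime]]] = None
    periodic: List[List[Tuple[int, int]]] = field(default_factory=list)

    def add_rule(self, line: str) -> None:
        """Accept one 'absolute ...' or 'periodic ...' line as typed at the CLI."""
        if len(self.periodic) + bool(self.absolute) >= MAX_RULES:
            raise ValueError("a time range holds at most eight rules")
        tok = line.lower().split()
        if tok[0] == "absolute":
            self._add_absolute(tok[1:])
        elif tok[0] == "periodic":
            self._add_periodic(tok[1:])
        else:
            raise ValueError(f"unknown rule: {line!r}")

    def _add_absolute(self, tok: List[str]) -> None:
        if self.absolute is not None:   # guide: 'no absolute' first, then reconfigure
            raise ValueError("absolute rule already configured; remove it first")
        start = end = None
        if tok[:1] == ["start"]:
            start, tok = _stamp(tok[1:6]), tok[6:]
        if tok[:1] == ["end"]:
            end = _stamp(tok[1:6])
        if start is None and end is None:
            raise ValueError("absolute rule needs a start and/or an end")
        self.absolute = (start, end)

    def _add_periodic(self, tok: List[str]) -> None:
        # Forms: '<day|class> H M to H M'  and  '<day> H M to <day> H M'
        key, start_min = tok[0], _hhmm(tok[1], tok[2])
        if tok[3] != "to":
            raise ValueError("periodic rule is missing 'to'")
        end_day = DAYS.get(tok[4])
        end_min = _hhmm(*tok[5:7]) if end_day is not None else _hhmm(*tok[4:6])
        if key not in DAY_CLASSES and key not in DAYS:
            raise ValueError(f"unknown day keyword: {key}")
        spans = []
        for d in DAY_CLASSES.get(key, (DAYS.get(key),)):
            s = d * MIN_PER_DAY + start_min
            e = (d if end_day is None else end_day) * MIN_PER_DAY + end_min
            if e < s:   # assumed: an end before the start runs into the next day/week
                e += MIN_PER_DAY if end_day is None else MIN_PER_WEEK
            spans.append((s, e))
        self.periodic.append(spans)

    def is_active(self, at: datetime) -> bool:
        """True when 'at' satisfies the absolute window and a periodic window."""
        if self.absolute is None and not self.periodic:
            return False
        if self.absolute is not None:
            start, end = self.absolute
            if (start and at < start) or (end and at > end):
                return False
        if not self.periodic:
            return True                  # absolute-only entry
        wm = at.weekday() * MIN_PER_DAY + at.hour * 60 + at.minute
        return any(s <= t <= e for spans in self.periodic for s, e in spans
                   for t in (wm, wm + MIN_PER_WEEK))

    def is_active_at(self, iso: str) -> bool:
        """Convenience wrapper taking an ISO timestamp such as '2009-04-01T01:30'."""
        return self.is_active(datetime.fromisoformat(iso))
```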
Switch Clustering
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Table 25: Switch Cluster Commands
Command                  Function                                            Mode
cluster                  Configures clustering on the switch                 GC
cluster commander        Configures the switch as a cluster Commander        GC
cluster ip-pool          Sets the cluster IP address pool for Members        GC
cluster member           Sets Candidate switches as cluster members          GC
rcommand                 Provides configuration access to Member switches    PE
show cluster             Displays the switch clustering status               PE
show cluster members     Displays current cluster Members                    PE
show cluster candidates  Displays current cluster Candidates in the network  PE
Using Switch Clustering
◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster. The management station can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see “Editing VLAN Groups” on page 501).
2. Add the participating ports to this VLAN (see “Configuring VLAN Interfaces” on page 503), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Note: Cluster Member switches can be managed either through a Telnet connection to the Commander, or through a web management connection to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand id command to connect to the Member switch.
cluster
This command enables clustering on the switch. Use the no form to disable clustering.
Syntax
[no] cluster
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
◆ Switch clusters are limited to the same Ethernet broadcast domain.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a Member of one cluster.
◆ Configured switch clusters are maintained across power resets and network changes.
Example
Console(config)#cluster
Console(config)#
cluster commander
This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander.
Syntax
[no] cluster commander
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ Cluster Member switches can be managed through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch.
Example
Console(config)#cluster commander
Console(config)#
cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
Syntax
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x.
Default Setting
10.254.254.1
Command Mode
Global Configuration
Command Usage
◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
◆ Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
◆ You cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled.
Example
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
Syntax
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch. (Range: 1-36)
Default Setting
No Members
Command Mode
Global Configuration
Command Usage
◆ The maximum number of cluster Members is 36.
◆ The maximum number of cluster Candidates is 100.
Example
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#
rcommand
This command provides access to a cluster Member CLI for configuration.
Syntax
rcommand id member-id
member-id - The ID number of the Member switch. (Range: 1-36)
Command Mode
Privileged Exec
Command Usage
◆ This command only operates through a Telnet connection to the Commander switch. Managing cluster Members using the local console CLI on the Commander is not supported.
◆ There is no need to enter the username and password for access to the Member switch CLI.
Example
Console#rcommand id 1
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Vty-1#
show cluster
This command shows the switch clustering configuration.
Command Mode
Privileged Exec
Example
Console#show cluster
Role : commander
Interval Heartbeat : 30
Heartbeat Loss Count : 3 seconds
Number of Members : 1
Number of Candidates : 2
Console#
show cluster members
This command shows the current switch cluster members.
Command Mode
Privileged Exec
Example
Console#show cluster members
Cluster Members:
ID : 1
Role : Active member
IP Address : 10.254.254.2
MAC Address : 00-E0-0C-00-00-FE
Description : EX-3524 Managed POE/POE+ Switch
Console#
show cluster candidates
This command shows the discovered Candidate switches in the network.
Command Mode
Privileged Exec
Example
Console#show cluster candidates
Cluster Candidates:
Role MAC Address Description
--------------- ----------------- ----------------------------------------
Active member 00-E0-0C-00-00-FE EX-3524 Managed POE/POE+ Switch
CANDIDATE 00-12-CF-0B-47-A0 EX-3524 Managed POE/POE+ Switch
Console#
Adopt Device
The EX-3528 and EX-3548 can be managed by a centralized management “Controller,” where the term “Controller” refers to any controller device that is capable of managing these switches. The adopt agent software component runs on the switch in order to facilitate management by a remote controller. This component is included in each software release, but can also be upgraded separately via the CLI adoptd upgrade command.
Once the switch has been adopted by a centralized controller, it can receive CLI commands from the controller and send back status messages. Centralized management via SNMP is provided via direct communication between the adopted device agent and the SNMP daemon running on the switch.
Upon adoption, the controller will send the full set of configuration settings (a subset of the switch’s configuration settings) down to the switch. Any configuration settings not supported by the controller will not be overwritten. Subsequent configuration from the controller will result in only the modified commands being pushed down to the switch. Users will be able to directly access the switch’s CLI for configuration. This could result in the switch's configuration and the controller's view of the switch's configuration being out of sync. A re-adoption can be used to force the full configuration to be pushed down to the switch.
The controller will support configuration of a subset of the switch features. This will include but is not limited to:
◆ Hostname
◆ Ethernet Port
◆ Shutdown
◆ Duplex
◆ Speed
◆ VLANs
◆ IP address
◆ Static Routes
◆ PoE
◆ ACLs (L2/L3/L4)
◆ QoS Policy
◆ IGMP Snooping
◆ Management Policy
  ■ username/password
  ■ role
  ■ ssh
  ■ http/https
  ■ snmp
◆ Static Link Aggregation
◆ Port Mirroring
◆ Storm Control
◆ DoS Attacks
The following additional operations can also be executed on the switch from the controller:
◆ Image upgrade
◆ Reload
◆ Tech-support dump
◆ File Management commands
◆ View debug messages stored in /tmp folder (adoption_dbg_msg, adoption_dbg_msg_1, adoption_dbg_msg_2)
◆ Debugging options for adoptd (adopted device)
The following commands are supported for the adopted device:
Table 26: Adopt Device Commands
Command                                          Function                                                                                 Mode
controller hello-interval adjacency-hold-time    Sets the hello interval and adjacency hold time                                          GC
controller host ip address                       Configures up to four controller addresses                                               GC
adoptd upgrade                                   Upgrades the adopt device software                                                       PE
debug adoption                                   Enables adopt device debug messages                                                      PE
no adoption                                      Restarts the adopt device process                                                        PE
show adoption debug                              Shows adopt device debug messages                                                        PE
show adoption history                            Shows all adopt device related activities since boot up                                  PE
show adoption status                             Shows adopt device details such as controller IP, adopted time, etc.                     PE
                                                 Shows all switch configuration settings and status and adopted device related information PE
                                                 Shows switch version and adopted device version                                          PE
controller hello-interval adjacency-hold-time
Use this command to set the hello interval and adjacency hold time. Use the no form to restore the default settings.
Syntax
controller hello-interval hello-interval adjacency-hold-time hold-time
no controller {hello-interval | adjacency-hold-time}
hello-interval - Specifies the interval between sending hello packets to the controller. (Range: 1-120 seconds)
hold-time - The maximum interval after which a controller is declared dead if a keep-alive or update message has not been received. (Range: 2-600 seconds)
Default Setting
hello-interval: 15 seconds
hold-time: 46 seconds
Command Mode
Global Configuration
Command Usage
Use this command to set the timers used for monitoring connectivity to the controllers. These timers will be applied to all configured controllers.
Example
Console(config)#controller hello-interval 5 adjacency-hold-time 20
Console(config)#
controller host ip address
Use this command to configure up to four controller addresses. Use the no form to remove a controller address.
Syntax
controller host ip address priority ip-address
no host ip address priority
priority - The priority controls the order in which the switch tries to connect with multiple controllers. (Range: 1-4)
ip-address - IPv4 address of a controller.
Default Setting
None
Command Mode
Global Configuration
Command Usage
When more than one controller address is configured, the switch attempts to connect to the controllers in a round-robin fashion based on the priority settings.
Example
Console(config)#controller host ip address 1 192.168.0.99
Console(config)#
adoptd upgrade
Use this command to upgrade the adopt device software.
Syntax
adoptd upgrade protocol://server-address[/path]/file
protocol - Supported protocols include tftp.
server-address - IPv4 address of the file server.
path - The directory path to the software image.
file - The software image for the adopt device application.
Command Mode
Privileged Exec
Command Usage
◆ The adoptd component is included in each software release, but can also be upgraded separately using the adoptd upgrade command.
◆ The adoptd image file consists of a header followed by the contents of what is normally a tar.gz file. The header carries two md5 checksums, while the tar.gz file includes the adoptd image and a log file, which are all saved in the adoptd partition. The image file has the suffix “img”.
◆ Downloading the adoptd image will restart the system. You will have to reboot the switch to initiate the new image. After the switch restarts, you can view the version number using the
◆ Note that the length of the adoptd file name may be longer than that permitted by some file servers, in which case you have to shorten the file name.
Example
In the following example, the path is in the default download directory defined on the file server, and is therefore not specified here.
Console#adoptd upgrade tftp://192.168.0.99/ex3500-adoptd-5.8.0.0.img
Flash programming started
Flash programming completed
Success
Upgrade completed
Console#
debug adoption
Use this command to enable adopt device (adoptd) debug messages. Use the no form to disable adoptd debug messages.
Syntax
[no] debug adoption
Default Setting
Enabled
Command Mode
Privileged Exec
Example
Console#debug adoption
Console#
no adoption
Use this command to restart the adopt device process.
Syntax
no adoption
Command Mode
Privileged Exec
Command Usage
This command will disconnect the adopted device from any configured controllers, and then restarts the adoption process.
Example
Console#no adoption
Console#
show adoption debug
Use this command to show adopt device (adoptd) debug messages.
Syntax
show adoption debug
Command Mode
Privileged Exec
Command Usage
Message format for each entry includes a time stamp and event similar to that shown below.
2014-05-08 20:11:01:Unadopted,
2014-05-08 19:15:16:Adopted by 192.168.100.67,
Example
Console#show adoption debug
[2014-12-02 02:25:48] vendor_record_pid: pid 332
[2014-12-02 02:25:48] vendor_init:
[2014-12-02 02:25:48] vendor_init: SW version is '5.8.0.0-209434X'
[2014-12-02 02:25:48] vendor_init: vendor init complete
[2014-12-02 02:25:48] snmpp_init:
[2014-12-02 02:25:48] snmpp_init: Initialize snmp mutex
[2014-12-02 02:25:48] main: Waiting for adopter address(es) to be configured...
[2014-12-02 02:26:35] vendor_read_config_file: Configured adopter 1 ='192.168.0.1'
[2014-12-02 02:26:35] vendor_read_config_file: Possible
.
.
.
adopter[0]='192.168.0.1'
[2014-12-02 02:26:35] main: Delay start by 15 seconds
[2014-12-02 02:26:50] main: Create the websocket context
[2014-12-02 02:26:50] Initial logging level 287
show adoption history
Use this command to show all adopt device related activities since boot up.
Syntax
show adoption history
Command Mode
Privileged Exec
Command Usage
Message format for each entry includes a time stamp and event similar to that shown below.
2014-05-08 20:11:01:Unadopted,
2014-05-08 19:15:16:Adopted by 192.168.100.67,
Example
Console#show adoption history
2014-12-02 02:26:57:Adopted by 192.168.0.1
Console#
show adoption status
Use this command to show adopt device details such as controller IP, adopted time, etc.
Syntax
show adoption status
Command Mode
Privileged Exec
Example
Console#show adoption status
Adopted by:
192.168.0.1
Console#
5 SNMP Commands
SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree. To use SNMPv3, first set an SNMP engine ID (or accept the default), specify read and write access views for the MIB tree, configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy), and then assign SNMP users to these groups, along with their specific authentication and privacy passwords.
Table 27: SNMP Commands
Command                                                      Function                                                                                                                    Mode
General SNMP Commands
snmp-server                                                  Enables the SNMP agent                                                                                                      GC
snmp-server community                                        Sets up the community access string to permit access to SNMP commands                                                       GC
snmp-server contact                                          Sets the system contact string                                                                                              GC
snmp-server location                                         Sets the system location string                                                                                             GC
show snmp                                                    Displays the status of SNMP communications                                                                                  NE, PE
SNMP Target Host Commands
snmp-server enable traps                                     Enables the device to send SNMP traps (i.e., SNMP notifications)                                                            GC
snmp-server host                                             Specifies the recipient of an SNMP notification operation                                                                   GC
snmp-server enable port-traps mac-notification               Enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed             IC
show snmp-server enable port-traps                           Shows if SNMP traps are enabled or disabled for the specified interfaces                                                    PE
SNMPv3 Engine Commands
snmp-server engine-id                                        Sets the SNMP engine ID                                                                                                     GC
snmp-server group                                            Adds an SNMP group, mapping users to views                                                                                  GC
snmp-server user                                             Adds a user to an SNMP group                                                                                                GC
snmp-server view                                             Adds an SNMP view                                                                                                           GC
show snmp engine-id                                          Shows the SNMP engine ID                                                                                                    PE
show snmp group                                              Shows the SNMP groups                                                                                                       PE
show snmp user                                               Shows the SNMP users                                                                                                        PE
show snmp view                                               Shows the SNMP views                                                                                                        PE
Notification Log Commands
                                                             Enables the specified notification log                                                                                      GC
                                                             Creates a notification log and specifies the target host                                                                    GC
                                                             Shows operation status of configured notification logs                                                                      PE
                                                             Displays the configured notification logs                                                                                   PE
ATC Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear      Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered     IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire       Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control                                 IC (Port)
snmp-server enable port-traps atc broadcast-control-apply    Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires     IC (Port)
snmp-server enable port-traps atc broadcast-control-release  Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires  IC (Port)
snmp-server enable port-traps atc multicast-alarm-clear      Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered     IC (Port)
snmp-server enable port-traps atc multicast-alarm-fire       Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control                                 IC (Port)
snmp-server enable port-traps atc multicast-control-apply    Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires     IC (Port)
snmp-server enable port-traps atc multicast-control-release  Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires  IC (Port)
Transceiver Power Threshold Trap Commands
transceiver-threshold current                                Sends a trap when the transceiver current falls outside the specified thresholds                                            IC (Port)
transceiver-threshold rx-power                               Sends a trap when the power level of the received signal falls outside the specified thresholds                             IC (Port)
transceiver-threshold temperature                            Sends a trap when the transceiver temperature falls outside the specified thresholds                                        IC (Port)
transceiver-threshold tx-power                               Sends a trap when the power level of the transmitted signal falls outside the specified thresholds                          IC (Port)
transceiver-threshold voltage                                Sends a trap when the transceiver voltage falls outside the specified thresholds                                            IC (Port)
Additional Trap Commands
                                                             Sets the rising and falling threshold for the memory utilization alarm                                                      GC
                                                             Sets the rising and falling threshold for the CPU utilization alarm                                                         GC
                                                             Shows memory utilization parameters                                                                                         PE
                                                             Shows CPU utilization parameters                                                                                            PE
General SNMP Commands
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[no] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
Syntax
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5)
ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Default Setting
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server contact Paul
Console(config)#
Related Commands
snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counters for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Example
Console#show snmp
SNMP Agent : Enabled
SNMP Traps :
Authentication : Enabled
Link-up-down : Enabled
MAC-notification : Disabled
MAC-notification interval : 1 second(s)
SNMP Communities :
1. public, and the access level is read-only
2. private, and the access level is read/write
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP Logging: Disabled
Console#
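The show snmp listing above exposes the settings a reviewer checks first: the community strings in use (the documented defaults are public and private), their access level, and the error counters. The following Python parser and audit, added here as an example and not part of the guide or the switch software, reads output in that format and flags default or read/write communities, requests carrying an unknown community string, and disabled authentication-failure traps; SAMPLE_OUTPUT is a constructed capture, not output from a real switch.

```python
"""Audit a captured 'show snmp' listing for weak SNMP settings.

Added example, not from the reference guide.  It parses the output format
shown for the show snmp command and reports community strings left at the
defaults documented for snmp-server community (public and private),
read/write communities, a non-zero 'Unknown community name' counter, and
disabled authentication-failure traps.  SAMPLE_OUTPUT is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

DEFAULT_COMMUNITIES = {"public", "private"}   # defaults from snmp-server community

# Constructed capture in the show snmp format (counter values are made up).
SAMPLE_OUTPUT = """\
SNMP Agent : Enabled
SNMP Traps :
Authentication : Enabled
Link-up-down : Enabled
MAC-notification : Disabled
MAC-notification interval : 1 second(s)
SNMP Communities :
1. public, and the access level is read-only
2. private, and the access level is read/write
3. alpha, and the access level is read/write
17 SNMP packets input
0 Bad SNMP version errors
12 Unknown community name
0 Illegal operation for community name supplied
5 SNMP packets output
SNMP Logging: Disabled
"""

COMMUNITY_RE = re.compile(r"^\d+\.\s+(\S+), and the access level is (read-only|read/write)$")
COUNTER_RE = re.compile(r"^(\d+)\s+(\D.*)$")


@dataclass
class SnmpStatus:
    agent_enabled: bool = False
    traps: Dict[str, bool] = field(default_factory=dict)
    communities: Dict[str, str] = field(default_factory=dict)   # name -> access level
    counters: Dict[str, int] = field(default_factory=dict)
    logging_enabled: bool = False


def parse_show_snmp(text: str) -> SnmpStatus:
    """Walk the listing section by section (traps, communities, counters)."""
    st, section = SnmpStatus(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SNMP Agent"):
            st.agent_enabled = line.split(":", 1)[1].strip() == "Enabled"
        elif line.startswith("SNMP Traps"):
            section = "traps"
        elif line.startswith("SNMP Communities"):
            section = "communities"
        elif line.startswith("SNMP Logging"):
            st.logging_enabled = line.split(":", 1)[1].strip() == "Enabled"
        elif section == "traps" and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            if val in ("Enabled", "Disabled"):
                st.traps[key] = val == "Enabled"
        elif section == "communities" and (m := COMMUNITY_RE.match(line)):
            st.communities[m.group(1)] = m.group(2)
        elif (m := COUNTER_RE.match(line)):
            st.counters[m.group(2)] = int(m.group(1))
    return st


def audit(st: SnmpStatus) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    if not st.agent_enabled:
        return findings            # agent off: nothing reachable over SNMP
    for name, access in sorted(st.communities.items()):
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{name}' still configured ({access})")
        if access == "read/write":
            findings.append(f"read/write community '{name}' permits MIB changes over v1/v2c")
    unknown = st.counters.get("Unknown community name", 0)
    if unknown:
        findings.append(f"{unknown} requests carried an unknown community string")
    if not st.traps.get("Authentication", False):
        findings.append("authentication failure traps are disabled")
    if not st.logging_enabled:
        findings.append("SNMP logging is disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_snmp(SAMPLE_OUTPUT)):
        print("-", finding)
```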
SNMP Target Host Commands
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
Syntax
[no] snmp-server enable traps [authentication | link-up-down | mac-notification [interval seconds]]
authentication - Keyword to issue authentication failure notifications.
link-up-down - Keyword to issue link-up or link-down notifications.
mac-notification - Keyword to issue trap when a dynamic MAC address is added or removed.
interval - Specifies the interval between issuing two consecutive traps. (Range: 1-3600 seconds; Default: 1 second)
Default Setting
Issue authentication and link-up-down traps.
Other traps are disabled.
Command Mode
Global Configuration
Command Usage
◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the command.
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}]
no snmp-server host host-addr
host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
(Maximum host addresses: 5 trap destination IP address entries)
inform - Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
retries - The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
seconds - The number of seconds to wait for an acknowledgment before resending an inform message. (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds)
community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the snmp-server host command. (Maximum length: 32 characters)
version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the System Reference Guide for further information about these authentication and encryption options.
port - Host UDP port to use. (Range: 1-65535; Default: 162)
Default Setting
Host Address: None
Notification Type: Traps
SNMP Version: 1
UDP Port: 162
Command Mode
Global Configuration
Command Usage
◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are enabled.
◆ must be enabled.
◆ Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.
To send an inform to an SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 173).
2. Create a view with the required notification messages (page 185).
3. Create a group that includes the required notify view (page 182).
4. Allow the switch to send SNMP traps, i.e., notifications (see snmp-server enable traps, page 176).
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 173).
2. Create a remote SNMPv3 user to use in the message exchange process (see the snmp-server user command).
3. Create a view with the required notification messages (page 185).
4. Create a group that includes the required notify view (page 182).
5. Allow the switch to send SNMP traps, i.e., notifications (see snmp-server enable traps, page 176).
6. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
◆ The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
◆ If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. The user name must first be defined with the snmp-server user command. Otherwise, an SNMPv3 group will be automatically created by the snmp-server host command using the name of the specified community string, and default settings for the read, write, and notify view.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
Related Commands
snmp-server enable traps (176)
snmp-server enable port-traps mac-notification
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Syntax
[no] snmp-server enable port-traps mac-notification
mac-notification - Keyword to issue trap when a dynamic MAC address is added or removed.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command can enable MAC notification traps on the current interface only if they are also enabled at the global level with the snmp-server enable traps command (page 176).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps mac-notification
Console(config-if)#
show snmp-server enable port-traps
This command shows if SNMP traps are enabled or disabled for the specified interfaces.
Syntax
show snmp-server enable port-traps interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Example
Console#show snmp-server enable port-traps interface
Interface MAC Notification Trap
--------- ---------------------
Eth 1/1 No
Eth 1/2 No
Eth 1/3 No
.
SNMPv3 Commands
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - IPv4 address of the remote device.
engineid-string - String identifying the engine ID. (Range: 9-64 hexadecimal characters)
Default Setting
A unique engine ID is automatically generated by the switch based on its MAC address.
Command Mode
Global Configuration
Command Usage
◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
◆ The engine ID is combined with the user's password to produce the digest used for authentication and encryption of packets passed between the switch and a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value "0123456789" is equivalent to "0123456789" followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (snmp-server user, page 183).
Example
Console(config)#snmp-server engine-id local 1234567890
Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
Console(config)#
Related Commands
snmp-server user (183)
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
groupname - Name of an SNMP group. (Range: 1-32 characters)
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See "Simple Network Management Protocol" in the System Reference Guide for further information about these authentication and encryption options.
readview - Defines the view for read access. (1-32 characters)
writeview - Defines the view for write access. (1-32 characters)
notifyview - Defines the view for notifications. (1-32 characters)
Default Setting
Default groups: public [1] (read only), private [2] (read/write)
readview - Every object belonging to the Internet OID space (1).
writeview - Nothing is defined.
notifyview - Nothing is defined.
[1] No view is defined. [2] Maps to the defaultview.
Command Mode
Global Configuration
Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used, as specified for each user with the snmp-server user command (page 183).
◆ When privacy is selected, the data encryption algorithm (DES 56-bit, 3DES, or AES 128/192/256) is likewise the one specified for the user with the snmp-server user command. MD5 and DES56 remain available for older management stations; prefer SHA authentication with AES privacy wherever the management station supports them.
◆ For additional information on the notification messages supported by this switch, see the table for "Supported Notification Messages" in the System Reference Guide. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
Example
Console(config)#snmp-server group r&d v3 auth write daily
Console(config)#
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv {3des | aes128 | aes192 | aes256 | des56} priv-password]]}
snmp-server user username groupname remote ip-address {v3 [encrypted] [auth {md5 | sha} auth-password [priv {3des | aes128 | aes192 | aes256 | des56} priv-password]]}
no snmp-server user username {v1 | v2c | v3 | remote ip-address v3}
username - Name of user connecting to the SNMP agent. (Range: 1-32 characters)
groupname - Name of an SNMP group to which the user is assigned. (Range: 1-32 characters)
remote - Specifies an SNMP engine on a remote device.
ip-address - IPv4 address of the remote device.
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
encrypted - Accepts the password as encrypted input.
auth - Uses SNMPv3 with authentication.
md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the encrypted option is not used (Range: 8-32 characters). If the encrypted option is selected, enter an encrypted password (32 characters for an MD5 encrypted password, 40 characters for a SHA encrypted password, i.e., the hexadecimal length of the respective digest).
3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption.
aes128 - Uses SNMPv3 with privacy with AES128 encryption.
aes192 - Uses SNMPv3 with privacy with AES192 encryption.
aes256 - Uses SNMPv3 with privacy with AES256 encryption.
des56 - Uses SNMPv3 with privacy with DES56 encryption.
priv-password - Privacy password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
◆ The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command (page 181) before using this configuration command.
◆ Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent's SNMP engine ID is used to compute authentication/privacy digests from the user's password. If the remote engine ID is not first configured, the snmp-server user command specifying a remote user will fail.
◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it.
Example
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#
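The snmp-server engine-id and snmp-server user commands above both rest on one mechanism: the user's password is turned into a key and then localized with the authoritative engine ID, so a single password yields a different key for every engine. The Python script below is an added example written for this edition; it is not switch firmware and not code from Zebra or Edge-core. It implements the RFC 3414 password-to-key and key-localization steps and models the trailing-zero rule the guide gives for engine IDs. The function names and the pad_engine_id helper are assumptions made for the example; the RFC 3414 test vector (password "maplesyrup", engine ID 00..02) checks the arithmetic.

```python
# SNMPv3 USM password-to-key and key localization (RFC 3414, Appendix A.2).
# Added example for this guide; it is not switch firmware or Zebra/Edge-core code.
# pad_engine_id models the trailing-zero rule the guide gives for snmp-server
# engine-id; its name and the 26-digit padding width are taken from that text.
import hashlib

ONE_MEGABYTE = 1048576


def pad_engine_id(engine_id_hex: str) -> bytes:
    """Expand a CLI engine-id string: trailing zeros are implied up to 26 hex digits,
    so "0123456789" means "0123456789" followed by 16 zeros (13 bytes)."""
    h = engine_id_hex.strip().lower()
    if not 9 <= len(h) <= 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("engine ID must be 9-64 hexadecimal characters")
    h = h.ljust(26, "0")
    if len(h) % 2:          # assumption: an odd-length string gets one more zero nibble
        h += "0"
    return bytes.fromhex(h)


def password_to_ku(password: str, algo: str) -> bytes:
    """Ku = H(password repeated to exactly 1 MiB); algo is "md5" or "sha1"."""
    pw = password.encode()
    if not 8 <= len(pw) <= 32:   # the guide's range for plain-text passwords
        raise ValueError("password must be 8-32 characters")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key only works against this one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id: bytes, algo: str) -> str:
    return localize(password_to_ku(password, algo), engine_id, algo).hex()


if __name__ == "__main__":
    # RFC 3414 A.3 test vector: password "maplesyrup", 12-byte engine ID 00..02.
    rfc_engine = bytes.fromhex("000000000000000000000002")
    print("MD5 Kul :", localized_key_hex("maplesyrup", rfc_engine, "md5"))
    print("SHA Kul :", localized_key_hex("maplesyrup", rfc_engine, "sha1"))

    # The guide's example engine IDs, expanded the way the switch does.
    local = pad_engine_id("1234567890")        # local engine of this switch
    remote = pad_engine_id("9876543210")       # remote agent at 192.168.1.19
    print("local :", local.hex())
    print("remote:", remote.hex())

    # One user password, two authoritative engines -> two unrelated keys. This is why
    # the remote engine ID must exist before `snmp-server user ... remote`, and why
    # changing the local engine ID clears every local user.
    k_local = localized_key_hex("greenpeace", local, "sha1")
    k_remote = localized_key_hex("greenpeace", remote, "sha1")
    print("same key for both engines:", k_local == k_remote)
```

Running the script shows that "greenpeace" localized against the local engine 1234567890 and against the remote engine 9876543210 produces two unrelated keys. The 32- and 40-character lengths the guide quotes for encrypted passwords are the hexadecimal lengths of an MD5 and a SHA digest; whether the switch's encrypted form is exactly Kul is not stated in the guide and is not assumed here.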
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
view-name - Name of an SNMP view. (Range: 1-32 characters)
oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
included - Defines an included view.
excluded - Defines an excluded view.
Default Setting
defaultview (includes access to the entire MIB tree)
Command Mode
Global Configuration
Command Usage
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
◆ The predefined view "defaultview" includes access to the entire MIB tree.
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes only the ifDescr column (ifEntry.2) of the MIB-2 interfaces table. The wild card in the index position selects that column for every row of the table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.2.* included
Console(config)#
This view includes only the ifIndex column (ifEntry.1) of the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
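To see how the wildcard views above actually decide access, here is a small Python model of the snmp-server view, snmp-server group and snmp-server user commands, added as an example for this edition (not switch code, and not from Zebra or Edge-core). It applies the RFC 3415 rule that the most specific matching family decides, and contrasts a wildcard in the index position (ifEntry.2 for every row) with one in the column position (every column of row 2). The class and function names, the ro-safe and port-admin views, the user-to-group table, and the check_access helper are assumptions made for the example.

```python
# VACM-style view, group and user model for the snmp-server view / group / user
# commands (added example for this guide; not switch code). "*" wildcard handling
# follows the RFC 3415 family mask; the class and function names are assumptions.
from typing import Dict, List, Optional, Tuple

Subtree = Tuple[Optional[int], ...]      # None stands for a "*" wildcard sub-identifier


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_tree(text: str) -> Subtree:
    return tuple(None if p == "*" else int(p) for p in text.strip(".").split("."))


class View:
    """One snmp-server view: a list of (oid-tree, included) families."""

    def __init__(self, name: str):
        self.name = name
        self.families: List[Tuple[Subtree, bool]] = []

    def add(self, oid_tree: str, included: bool = True) -> "View":
        self.families.append((parse_tree(oid_tree), included))
        return self

    def permits(self, oid: str) -> bool:
        """RFC 3415: the most specific (longest) matching family decides; an OID that
        matches no family is outside the view."""
        target = parse_oid(oid)
        best_key: Optional[Tuple[int, Tuple[int, ...]]] = None
        permitted = False
        for subtree, included in self.families:
            if len(target) < len(subtree):
                continue                      # a family never matches a shorter OID
            if not all(s is None or s == t for s, t in zip(subtree, target)):
                continue
            # longer subtree wins; on equal length, wildcards rank lowest
            key = (len(subtree), tuple(-1 if s is None else s for s in subtree))
            if best_key is None or key > best_key:
                best_key, permitted = key, included
        return permitted


class Group:
    """snmp-server group: which view applies to read, write and notify."""

    def __init__(self, name: str, read: Optional[str] = None,
                 write: Optional[str] = None, notify: Optional[str] = None):
        self.name, self.read, self.write, self.notify = name, read, write, notify


def check_access(views: Dict[str, View], groups: Dict[str, Group],
                 users: Dict[str, str], user: str, operation: str, oid: str) -> bool:
    """Resolve user -> group -> view for 'read', 'write' or 'notify' and test the OID.
    A group with no view for that operation denies it (the guide's default)."""
    group = groups[users[user]]
    view_name = {"read": group.read, "write": group.write, "notify": group.notify}[operation]
    if view_name is None or view_name not in views:
        return False
    return views[view_name].permits(oid)


# Views built from the guide's examples plus two constructed for this example.
VIEWS = {
    "defaultview": View("defaultview").add("1"),
    "mib-2": View("mib-2").add("1.3.6.1.2.1"),
    # ifDescr (ifEntry.2) for every row: wildcard in the index position
    "ifEntry.2": View("ifEntry.2").add("1.3.6.1.2.1.2.2.1.2.*"),
    # wildcard in the column position instead: every column, but only for ifIndex 2
    "row2": View("row2").add("1.3.6.1.2.1.2.2.1.*.2"),
    # whole tree minus the USM (1.3.6.1.6.3.15) and VACM (1.3.6.1.6.3.16) MIBs, so a
    # read-only user cannot enumerate SNMPv3 accounts or the access policy itself
    "ro-safe": View("ro-safe").add("1").add("1.3.6.1.6.3.15", included=False)
                                    .add("1.3.6.1.6.3.16", included=False),
    # ifAdminStatus (ifEntry.7) for every port: the only thing an operator may write
    "port-admin": View("port-admin").add("1.3.6.1.2.1.2.2.1.7.*"),
}
GROUPS = {"r&d": Group("r&d", read="ro-safe", write="port-admin")}
USERS = {"steve": "r&d"}                    # username -> groupname, as in the guide

if __name__ == "__main__":
    for op, oid in [("read", "1.3.6.1.2.1.1.1.0"),          # sysDescr.0
                    ("read", "1.3.6.1.6.3.15.1.2.1.0"),      # usmUserSpinLock.0 (USM MIB)
                    ("write", "1.3.6.1.2.1.2.2.1.7.5"),      # ifAdminStatus.5
                    ("write", "1.3.6.1.2.1.1.5.0"),          # sysName.0
                    ("notify", "1.3.6.1.6.3.1.1.5.3")]:      # linkDown
        print(op, oid, check_access(VIEWS, GROUPS, USERS, "steve", op, oid))
```

The ro-safe view shows the practical use of excluded: a read view that covers the whole tree but removes the USM and VACM MIBs keeps a read-only station from listing SNMPv3 user names and access rules. Whether the switch breaks ties between equally long families exactly as RFC 3415 does is not stated in the guide; verify with show snmp view and a test query before relying on overlapping families.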
show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP Engine ID : 8000018403FC0A81B7C7E00000
Local SNMP Engine Boots : 29
Remote SNMP Engine ID IP address
80000000030004e2b316c54321 192.168.1.19
Console#
Table 28: show snmp engine-id - display description
Field                    Description
Local SNMP Engine ID     String identifying the engine ID.
Local SNMP Engine Boots  The number of times that the engine has (re-)initialized since the snmpEngineID was last configured.
Remote SNMP Engine ID    String identifying an engine ID on a remote device.
IP address               IP address of the device containing the corresponding remote SNMP engine.
show snmp group
This command shows the configured SNMP groups. Four default groups are provided: SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Command Mode
Privileged Exec
Example
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent
Row Status: active
Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 29: show snmp group - display description
Field           Description
Group Name      Name of an SNMP group.
Security Model  The SNMP version.
Read View       The associated read view.
Write View      The associated write view.
Notify View     The associated notify view.
Storage Type    The storage type for this entry.
Row Status      The row status of this entry.
show snmp user
This command shows information on SNMP users.
Command Mode
Privileged Exec
Example
Console#show snmp user
Engine ID : 8000018403fc0a81b7c7e00000
User Name : steve
Group Name : r&d
Security Model : v3
Security Level : Authentication and privacy
Authentication Protocol : MD5
Privacy Protocol : DES56
Storage Type : Nonvolatile
Row Status : Active
SNMP remote user
Engine ID : 9876543210
User Name : mark
Group Name : r&d
Security Model : v3
Security Level : Authentication and privacy
Authentication Protocol : MD5
Privacy Protocol : DES56
Storage Type : Nonvolatile
Row Status : Active
Console#
Table 30: show snmp user - display description
Field                    Description
Engine ID                String identifying the engine ID.
User Name                Name of user connecting to the SNMP agent.
Group Name               Name of an SNMP group.
Security Model           Shows the SNMP version 1, 2c or 3.
Security Level           Shows if authentication or privacy is used.
Authentication Protocol  The authentication protocol used with SNMPv3.
Privacy Protocol         The privacy protocol used with SNMPv3.
Storage Type             The storage type for this entry.
Row Status               The row status of this entry.
SNMP remote user         A user associated with an SNMP engine on a remote device.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID : 1.3.6.1.2.1
View Type : included
Storage Type : permanent
Row Status : active
View Name : defaultview
Subtree OID : 1
View Type : included
Storage Type : volatile
Row Status : active
Console#
Table 31: show snmp view - display description
Field         Description
View Name     Name of an SNMP view.
Subtree OID   A branch in the MIB tree.
View Type     Indicates if the view is included or excluded.
Storage Type  The storage type for this entry.
Row Status    The row status of this entry.
Notification Log Commands
nlm
This command enables or disables the specified notification log.
Syntax
[no] nlm filter-name
filter-name - Notification log name. (Range: 1-32 characters)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored in the notification log.
Example
This example enables the notification log A1.
Console(config)#nlm A1
Console(config)#
snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.
Syntax
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-64 characters)
ip-address - IPv4 or IPv6 address of a remote device. The specified target host must already have been configured using the snmp-server host command.
Note: The notification log is stored locally. It is not sent to a remote device. This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Systems that support SNMP often need a mechanism for recording notification information as a hedge against lost notifications, whether Traps, or Informs that exceed their retransmission limit. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
◆ If notification logging is not configured and enabled, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and the nlm command, with both commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can be logged.
◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014). Notification logging is enabled by default (see the nlm command).
◆ Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes. The information recorded in a notification log and the entry aging time can only be configured using SNMP from a network management station.
◆ When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.
Example
This example first creates an entry for a remote host, and then instructs the switch to record this device as the remote host for the specified notification log.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server notify-filter A1 remote 10.1.19.23
Console(config)#
show nlm oper-status
This command shows the operational status of configured notification logs.
Command Mode
Privileged Exec
Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#
show snmp notify-filter
This command displays the configured notification logs.
Command Mode
Privileged Exec
Example
This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name IP address
---------------------------- ----------------
A1 10.1.19.23
Console#
Additional Trap Commands
memory
This command sets an SNMP trap based on configured thresholds for memory utilization. Use the no form to restore the default setting.
Syntax
memory {rising rising-threshold | falling falling-threshold}
no memory {rising | falling}
rising-threshold - Rising threshold for memory utilization alarm expressed in percentage. (Range: 1-100)
falling-threshold - Falling threshold for memory utilization alarm expressed in percentage. (Range: 1-100)
Default Setting
Rising Threshold: 95%
Falling Threshold: 90%
Command Mode
Global Configuration
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console(config)#
Related Commands
process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting.
Syntax
process cpu {rising rising-threshold | falling falling-threshold}
no process cpu {rising | falling}
rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage. (Range: 1-100)
falling-threshold - Falling threshold for CPU utilization alarm expressed in percentage. (Range: 1-100)
Default Setting
Rising Threshold: 90%
Falling Threshold: 70%
Command Mode
Global Configuration
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Example
Console(config)#process cpu rising 80
Console(config)#process cpu falling 60
Console(config)#
Related Commands
6 Remote Monitoring Commands
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance. If an event is triggered, it can automatically notify the network administrator of a failure and provide historical information about the event. If it cannot connect to the management agent, it will continue to perform any specified tasks and pass data back to the management station the next time it is contacted.
This switch supports mini-RMON, which consists of the Statistics, History, Event and
Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol. However, if the switch encounters a critical event, it can automatically send a trap message to the management agent which can then respond to the event if so configured.
Table 32: RMON Commands
Command                  Function                                         Mode
rmon alarm               Sets threshold bounds for a monitored variable   GC
rmon event               Creates a response event for an alarm            GC
rmon collection history  Periodically samples statistics                  IC
rmon collection rmon1    Enables statistics collection                    IC
show rmon alarms         Shows the settings for all configured alarms     PE
show rmon events         Shows the settings for all configured events     PE
show rmon history        Shows the sampling parameters for each entry     PE
show rmon statistics     Shows the collected statistics                   PE
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.n defines the MIB variable, plus the etherStatsIndex. For example, 1.3.6.1.2.1.16.1.1.1.6.1 denotes etherStatsBroadcastPkts, plus the etherStatsIndex of 1.
interval – The polling interval. (Range: 1-31622400 seconds)
absolute – The variable is compared directly to the thresholds at the end of the sampling period.
delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.
threshold – An alarm threshold for the sampled variable.
(Range: 0-2147483647)
event-index – The index of the event to use if an alarm is triggered. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 0-65535)
name – Name of the person who created this entry. (Range: 1-32 characters)
Default Setting
1.3.6.1.2.1.16.1.1.1.6.1 - 1.3.6.1.2.1.16.1.1.1.6.28/52
Taking delta samples every 30 seconds,
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
Command Mode
Global Configuration
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ If the current value is greater than or equal to the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
Example
Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 15 delta rising-threshold 100 1 falling-threshold 30 1 owner mike
Console(config)#
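The rising/falling hysteresis described for rmon alarm is the same rule the memory and process cpu commands use: once a rising event fires, nothing fires again until the value has reached the falling threshold, and vice versa. The Python model below is an added example written for this edition, not switch code and not from Zebra or Edge-core; it implements that state machine for both absolute samples (utilization percentages) and delta samples (a packet counter), and runs it over constructed sample series. The class and function names, the startup behaviour and the sample values are assumptions made for the example.

```python
# Rising/falling threshold alarm with hysteresis, as described for memory, process cpu
# and rmon alarm (added example for this guide; not switch code). The behaviour follows
# the guide's text and RFC 2819 alarmTable; class and method names are assumptions.
from typing import List, Optional, Tuple


class ThresholdAlarm:
    def __init__(self, rising: int, falling: int, mode: str = "absolute"):
        if falling >= rising:
            raise ValueError("falling threshold must be below the rising threshold")
        if mode not in ("absolute", "delta"):
            raise ValueError("mode must be 'absolute' or 'delta'")
        self.rising, self.falling, self.mode = rising, falling, mode
        self.last_raw: Optional[int] = None
        # Both events are armed at start (RFC 2819 alarmStartupAlarm = risingOrFalling,
        # assumed here because the guide's commands have no startup option): a first
        # sample at or beyond either threshold fires that event.
        self.rising_armed = True
        self.falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return 'rising', 'falling' or None."""
        if self.mode == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None               # a delta needs two samples
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        if value >= self.rising and self.rising_armed:
            self.rising_armed = False     # no repeat until the value reaches the falling threshold
            self.falling_armed = True
            return "rising"
        if value <= self.falling and self.falling_armed:
            self.falling_armed = False    # no repeat until the value reaches the rising threshold
            self.rising_armed = True
            return "falling"
        return None


def run(alarm: ThresholdAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample number, event) for every event the series produces."""
    events: List[Tuple[int, str]] = []
    for n, raw in enumerate(samples, 1):
        ev = alarm.sample(raw)
        if ev:
            events.append((n, ev))
    return events


# Constructed sample series (not measured on a switch).
CPU_PERCENT = [80, 92, 95, 85, 93, 65, 91]         # process cpu rising 90 falling 70
MEMORY_PERCENT = [96, 97, 94, 91, 96]              # memory rising 95 falling 90 (defaults)
BROADCAST_PKTS = [1000, 1050, 1200, 1220, 1600]    # etherStatsBroadcastPkts, sampled 15 s apart

if __name__ == "__main__":
    print("cpu   :", run(ThresholdAlarm(90, 70), CPU_PERCENT))
    # 94 and 91 never reach the falling threshold, so the second peak at 96 is silent
    print("memory:", run(ThresholdAlarm(95, 90), MEMORY_PERCENT))
    # rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 15 delta rising-threshold 100 1 falling-threshold 30 1
    print("rmon  :", run(ThresholdAlarm(100, 30, mode="delta"), BROADCAST_PKTS))
```

The memory series is the case the guide warns about: utilization that dips to 91 percent after a rising event has not reached the 90 percent falling threshold, so the next climb to 96 percent produces no new trap. The model rejects a falling threshold at or above the rising one and does not handle 32-bit counter wrap in delta mode; the guide states neither behaviour for the switch, so check show running-config and show rmon alarms after changing thresholds.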
rmon event
This command creates a response event for an alarm. Use the no form to remove an event.
Syntax
rmon event index [log] | [trap community] | [description string] | [owner name]
no rmon event index
index – Index to this entry. (Range: 1-65535)
log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "Event Logging" on page 131).
trap – Sends a trap message to all configured trap managers (see "snmp-server host" on page 177).
community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although this string can be set using the rmon event command by itself, it is recommended that the string be defined using the snmp-server community command prior to using the rmon event command. (Range: 1-127 characters)
string – A comment that describes this event. (Range: 1-32 characters)
name – Name of the person who created this entry. (Range: 1-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Example
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#
rmon collection history
This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
Syntax
rmon collection history controlEntry index [buckets number [interval seconds]] | [interval seconds] | [owner name [buckets number [interval seconds]]]
no rmon collection history controlEntry index
index – Index to this entry. (Range: 1-65535)
number – The number of buckets requested for this entry. (Range: 1-65535)
seconds – The polling interval. (Range: 1-3600 seconds)
name – Name of the person who created this entry. (Range: 1-32 characters)
Default Setting
1.3.6.1.2.1.16.1.1.1.6.1 - 1.3.6.1.2.1.16.1.1.1.6.28/52
Buckets: 8
Interval: 30 seconds for even numbered entries,
1800 seconds for odd numbered entries.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If periodic sampling is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
Console(config)#interface ethernet 1/5
Console(config-if)#rmon collection history controlEntry 15
Console(config-if)#end
Console#show running-config
!
interface ethernet 1/5
rmon collection history controlEntry 15 buckets 50 interval 1800
...
interface ethernet 1/8
no rmon collection history controlEntry 15
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection history controlEntry 21 owner mike buckets 24 interval 60
Console(config-if)#
rmon collection rmon1
This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
Syntax
rmon collection rmon1 controlEntry index [owner name]
no rmon collection rmon1 controlEntry index
index – Index to this entry. (Range: 1-65535)
name – Name of the person who created this entry. (Range: 1-32 characters)
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
◆ The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and packets of specified lengths
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
Console(config-if)#
show rmon alarms
This command shows the settings for all configured alarms.
Command Mode
Privileged Exec
Example
Console#show rmon alarms
Alarm 1 is valid, owned by
Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
Taking delta samples, last value was 0
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
.
.
show rmon events
This command shows the settings for all configured events.
Command Mode
Privileged Exec
Example
Console#show rmon events
Event 2 is valid, owned by mike
Description is urgent
Event firing causes log and trap to community , last fired 00:00:00
Console#
show rmon history
This command shows the sampling parameters configured for each entry in the history group.
Command Mode
Privileged Exec
Example
Console#show rmon history
Entry 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
Requested # of time intervals, ie buckets, is 8
Granted # of time intervals, ie buckets, is 8
Sample # 1 began measuring at 00:00:01
Received 77671 octets, 1077 packets,
61 broadcast and 978 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers packets,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 0
.
.
show rmon statistics
This command shows the information collected for all configured entries in the statistics group.
Command Mode
Privileged Exec
Example
Console#show rmon statistics
Interface 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 which has
Received 164289 octets, 2372 packets,
120 broadcast and 2211 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet events (due to lack of resources): 0
# of packets received of length (in octets):
64: 2245, 65-127: 87, 128-255: 31,
256-511: 5, 512-1023: 2, 1024-1518: 2
.
.
7 Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access [3] to the data ports.
Table 33: Authentication Commands
Command Group | Function
User Accounts | Configures the basic user names and passwords for management access, and assigns a privilege level to specified command groups or individual commands
Authentication Sequence | Defines logon authentication method and precedence
RADIUS Client | Configures settings for authentication via a RADIUS server
TACACS+ Client | Configures settings for authentication via a TACACS+ server
AAA | Configures authentication, authorization, and accounting for network access
| Enables management access via a web browser
| Enables management access via Telnet
| Provides secure replacement for Telnet
| Configures host authentication on specific ports using 802.1X
| Configures IP addresses that are allowed management access
| Configures relay parameters required for sending authentication messages between a client and broadband remote access servers
[3] For other methods of controlling client access, see “General Security Measures” on page 271.
User Accounts and Privilege Levels
The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection, user authentication via a remote authentication server (page 203), and host access authentication for specific ports (page 244).
Table 34: User Access Commands
Command | Function | Mode
enable password | Sets a password to control access to the Privileged Exec level | GC
username | Establishes a user name-based authentication system at login | GC
privilege | Assigns a privilege level to specified command groups or individual commands | GC
show privilege | Shows the privilege level for the current user, or the privilege level for commands modified by the privilege command | PE
enable password
After initially logging onto the system, you should set the Privileged Exec password.
Remember to record it in a safe place. This command controls access to the
Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
level level - Sets the command access privileges. (Range: 0-15)
Level 0, 8 and 15 are designed for users (guest), managers (network maintenance), and administrators (top-level access). The other levels can be used to configure specialized access profiles.
Levels 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>” command prompt.
Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt.
Level 15 provides full access to all commands.
The privilege level associated with any command can be changed using the privilege command.
{0 | 7} - 0 means plain password, 7 means encrypted password.
password - Password for this privilege level. (Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting
The default is level 15.
The default password is “super”
Command Mode
Global Configuration
Command Usage
◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords.
Example
Console(config)#enable password level 15 0 admin123
Console(config)#
Related Commands
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Syntax
username name {access-level level | nopassword | password {0 | 7} password}
no username name
name - The name of the user. (Maximum length: 32 characters, case sensitive. Maximum users: 16)
The device has two predefined users, guest which is assigned privilege level 0 (Normal Exec) and has access to a limited number of commands, and admin which is assigned privilege level 15 and has full access to all commands.
access-level level - Specifies command access privileges. (Range: 0-15)
Level 0, 8 and 15 are designed for users (guest), managers (network maintenance), and administrators (top-level access). The other levels can be used to configure specialized access profiles.
Levels 0-7 provide the same default access privileges, all within Normal Exec mode under the “Console>” command prompt.
Level 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt.
Level 15 provides full access to all commands.
The privilege level associated with any command can be changed using the privilege command.
Any privilege level can access all of the commands assigned to lower privilege levels. For example, privilege level 8 can access all commands assigned to privilege levels 7-0 according to default settings, and to any other commands assigned to levels 7-0 using the privilege command.
nopassword - No password is required for this user to log in.
{0 | 7} - 0 means plain password, 7 means encrypted password.
password password - The authentication password for the user. (Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting
The default access level is Normal Exec.
The factory defaults for the user names and passwords are:
Table 35: Default Login Settings
username | access-level | password
guest | 0 | guest
admin | 15 | admin
Command Mode
Global Configuration
Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server.
There is no need for you to manually configure encrypted passwords.
Example
This example shows how to set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
Syntax
privilege mode [all] level level command
no privilege mode [all] command
mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 82.)
all - Modifies the privilege level for all subcommands under the specified command.
level level - Specifies the privilege level for the specified command. Refer to the default settings described for the access level parameter under the username command. (Range: 0-15)
command - Specifies any command contained within the specified mode.
Default Setting
Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Level 8 provides access to all display status and configuration commands, except for those controlling various authentication and security features. Level 15 provides full access to all commands.
Command Mode
Global Configuration
Example
This example sets the privilege level for the ping command to Privileged Exec.
Console(config)#privilege exec level 15 ping
Console(config)#
show privilege
This command shows the privilege level for the current user, or the privilege level for commands modified by the privilege command.
Syntax
show privilege [command]
command - Displays the privilege level for all commands modified by the privilege command.
Command Mode
Privileged Exec
Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console#
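The privilege rules described for the username and privilege commands (default levels 0/8/15, the privilege override with its all keyword, access to every command at or below the user's own level, and the show privilege command listing), modelled as an added example that is not the switch's own software. The command-to-level table is a constructed sample; the class name PrivilegeTable and its methods are this example's own.

```python
"""Model of the privilege-level rules in this section.

Added example; DEFAULT_LEVELS is a constructed sample of a few commands,
not the switch's full table.
"""
from typing import Dict, List, Tuple

CommandKey = Tuple[str, str]  # (mode, command)

# Constructed sample: level 0 = limited status display, level 8 = status and
# configuration, level 15 = authentication and security settings.
DEFAULT_LEVELS: Dict[CommandKey, int] = {
    ("exec", "show version"): 0,
    ("exec", "ping"): 0,
    ("exec", "show running-config"): 8,
    ("exec", "configure"): 8,
    ("config", "interface"): 8,
    ("config", "username"): 15,
    ("config", "radius-server"): 15,
    ("line", "accounting commands"): 15,
    ("line", "accounting exec"): 15,
}


class PrivilegeTable:
    """Current level of every command plus the overrides entered with 'privilege'."""

    def __init__(self) -> None:
        self.levels: Dict[CommandKey, int] = dict(DEFAULT_LEVELS)
        # (mode, all, level, command) in the order the overrides were entered
        self.overrides: List[Tuple[str, bool, int, str]] = []

    def _targets(self, mode: str, command: str, all_sub: bool) -> List[CommandKey]:
        """Commands affected: the exact command, or with 'all' every subcommand under it."""
        keys = [k for k in self.levels
                if k[0] == mode and (k[1] == command or
                                     (all_sub and k[1].startswith(command + " ")))]
        if not keys:
            raise KeyError(f"no command {command!r} in mode {mode!r}")
        return keys

    def privilege(self, mode: str, level: int, command: str, all_sub: bool = False) -> None:
        """privilege <mode> [all] level <level> <command>"""
        if not 0 <= level <= 15:
            raise ValueError("level must be 0-15")
        for key in self._targets(mode, command, all_sub):
            self.levels[key] = level
        self.overrides = [o for o in self.overrides if (o[0], o[3]) != (mode, command)]
        self.overrides.append((mode, all_sub, level, command))

    def no_privilege(self, mode: str, command: str, all_sub: bool = False) -> None:
        """no privilege <mode> [all] <command>: restore the default level."""
        for key in self._targets(mode, command, all_sub):
            self.levels[key] = DEFAULT_LEVELS[key]
        self.overrides = [o for o in self.overrides if (o[0], o[3]) != (mode, command)]

    def can_run(self, user_level: int, mode: str, command: str) -> bool:
        """A user may run any command assigned to a level at or below their own."""
        return user_level >= self.levels[(mode, command)]

    @staticmethod
    def prompt(user_level: int) -> str:
        """Levels 0-7 stay in Normal Exec; 8-15 reach Privileged Exec."""
        return "Console>" if user_level <= 7 else "Console#"

    def show_privilege_command(self) -> List[str]:
        """Lines in the format of 'show privilege command'."""
        return [f"privilege {m} {'all ' if a else ''}level {lvl} {c}"
                for (m, a, lvl, c) in self.overrides]


if __name__ == "__main__":
    table = PrivilegeTable()
    table.privilege("line", 0, "accounting", all_sub=True)
    table.privilege("exec", 15, "ping")  # the guide's example: ping now needs level 15
    print("\n".join(table.show_privilege_command()))
    print("level 8 may ping:", table.can_run(8, "exec", "ping"))
```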
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Table 36: Authentication Sequence Commands
Command | Function | Mode
authentication enable | Defines the authentication method and precedence for command mode change | GC
authentication login | Defines logon authentication method and precedence | GC
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the
enable command. Use the no form to restore the default.
Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
local - Use local password only.
radius - Use RADIUS server password only.
tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication enable radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
Example
Console(config)#authentication enable radius
Console(config)#
Related Commands
enable password - sets the password for changing command modes
authentication login
This command defines the login authentication method and precedence. Use the
no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
Example
Console(config)#authentication login radius
Console(config)#
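The fallback order described for authentication enable and authentication login, as an added simulation that is not part of the guide: constructed responders stand in for the RADIUS, TACACS+ and local checks, each server carries the retransmit and timeout values of a radius-server host / tacacs-server host entry, and servers of one method are tried in index order until one answers. The rule that an explicit reject ends the sequence while only an unreachable server falls through is this example's assumption; the guide states only the unavailable case.

```python
"""Simulation of 'authentication login radius tacacs local' fallback.

Added example. Responders are constructed callables: True = accept,
False = reject, None = no reply (server down).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"
Responder = Callable[[str, str], Optional[bool]]


@dataclass
class RemoteServer:
    """One radius-server/tacacs-server host entry with its retry parameters."""
    host: str
    responder: Responder
    retransmit: int = 2   # default retransmit from this chapter
    timeout: int = 5      # default timeout (seconds) from this chapter

    def query(self, user: str, password: str) -> Tuple[str, int]:
        """Send up to `retransmit` requests, waiting `timeout` s for each.

        Returns (verdict, seconds spent waiting on this server).
        """
        waited = 0
        for _ in range(self.retransmit):
            verdict = self.responder(user, password)
            if verdict is not None:
                return (ACCEPT if verdict else REJECT), waited
            waited += self.timeout
        return UNAVAILABLE, waited


def authenticate(sequence: List[str], user: str, password: str,
                 radius_servers: List[RemoteServer],
                 tacacs_servers: List[RemoteServer],
                 local_users: Dict[str, str]) -> Tuple[str, Optional[str], int]:
    """Walk the configured method list; returns (verdict, method that decided, seconds)."""
    elapsed = 0
    for method in sequence:
        if method == "local":
            ok = local_users.get(user) == password
            return (ACCEPT if ok else REJECT), "local", elapsed
        servers = radius_servers if method == "radius" else tacacs_servers
        verdict = UNAVAILABLE
        for server in servers:          # indexed servers, queried in sequence until one responds
            verdict, spent = server.query(user, password)
            elapsed += spent
            if verdict != UNAVAILABLE:
                break
        if verdict != UNAVAILABLE:
            # Assumption: a definite answer (accept or reject) ends the sequence.
            return verdict, method, elapsed
    # No method could answer: with no local fallback this is a management lockout.
    return UNAVAILABLE, None, elapsed


if __name__ == "__main__":
    radius_down = RemoteServer("192.168.1.20", lambda u, p: None)
    tacacs_ok = RemoteServer("192.168.1.25", lambda u, p: (u, p) == ("bob", "smith"))
    print(authenticate(["radius", "tacacs", "local"], "bob", "smith",
                       [radius_down], [tacacs_ok], {"admin": "admin"}))
    print(authenticate(["radius", "tacacs"], "bob", "smith",
                       [radius_down], [RemoteServer("192.168.1.26", lambda u, p: None)], {}))
```

The second call shows the failure mode a sequence without local leaves open: both remote servers time out (2 tries x 5 s each) and nothing remains to authenticate the login.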
Related Commands
username - for setting the local user names and passwords
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Table 37: RADIUS Client Commands
Command | Function | Mode
radius-server acct-port | Sets the RADIUS server network port for accounting messages | GC
radius-server auth-port | Sets the RADIUS server network port for authentication messages | GC
radius-server host | Specifies the RADIUS server | GC
radius-server key | Sets the RADIUS encryption key | GC
radius-server retransmit | Sets the number of retries | GC
radius-server timeout | Sets the interval between sending authentication requests | GC
show radius-server | Shows the current RADIUS settings | PE
radius-server acct-port
This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default.
Syntax
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting messages.
(Range: 1-65535)
Default Setting
1813
Command Mode
Global Configuration
Example
Console(config)#radius-server acct-port 181
Console(config)#
radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.
(Range: 1-65535)
Default Setting
1812
Command Mode
Global Configuration
Example
Console(config)#radius-server auth-port 181
Console(config)#
radius-server host
This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values.
Syntax
[no] radius-server index host host-ip-address [acct-port acct-port]
[auth-port auth-port] [key key] [retransmit retransmit] [timeout timeout]
index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
host-ip-address - IP address of server.
acct-port - RADIUS server UDP port used for accounting messages.
(Range: 1-65535)
auth-port - RADIUS server UDP port used for authentication messages.
(Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes.
(Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535)
Default Setting
auth-port - 1812
acct-port - 1813
timeout - 5 seconds
retransmit - 2
Command Mode
Global Configuration
Example
Console(config)#radius-server 1 host 192.168.1.20 acct-port 181 timeout 10 retransmit 5 key green
Console(config)#
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for client.
Enclose any string containing blank spaces in double quotes.
(Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#radius-server key green
Console(config)#
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1 - 30)
Default Setting
2
Command Mode
Global Configuration
Example
Console(config)#radius-server retransmit 5
Console(config)#
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535)
Default Setting
5
Command Mode
Global Configuration
Example
Console(config)#radius-server timeout 10
Console(config)#
show radius-server
This command displays the current settings for the RADIUS server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
Server 1:
Server IP Address : 192.168.1.1
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
Radius Server Group:
Group Name                Member Index
------------------------- ------------
radius                    1
Console#
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Table 38: TACACS+ Client Commands
Command | Function | Mode
tacacs-server host | Specifies the TACACS+ server and optional parameters | GC
tacacs-server key | Sets the TACACS+ encryption key | GC
tacacs-server port | Specifies the TACACS+ server network port | GC
tacacs-server retransmit | Sets the number of retries | GC
tacacs-server timeout | Sets the interval between sending authentication requests | GC
show tacacs-server | Shows the current TACACS+ settings | PE
tacacs-server host
This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.
Syntax
tacacs-server index host host-ip-address [key key] [port port-number]
[retransmit retransmit] [timeout timeout]
no tacacs-server index
index - The index for this server. (Range: 1)
host-ip-address - IP address of a TACACS+ server.
key - Encryption key used to authenticate logon access for the client.
Enclose any string containing blank spaces in double quotes.
(Maximum length: 48 characters)
port-number - TACACS+ server TCP port used for authentication messages.
(Range: 1-65535)
retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540)
Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 2
Command Mode
Global Configuration
Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#
tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax
tacacs-server key key-string
no tacacs-server key
key-string - Encryption key used to authenticate logon access for the client.
Enclose any string containing blank spaces in double quotes.
(Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#tacacs-server key green
Console(config)#
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages.
(Range: 1-65535)
Default Setting
49
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#
tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1 - 30)
Default Setting
2
Command Mode
Global Configuration
Example
Console(config)#tacacs-server retransmit 5
Console(config)#
tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.
Syntax
tacacs-server timeout number-of-seconds
no tacacs-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540)
Default Setting
5
Command Mode
Global Configuration
Example
Console(config)#tacacs-server timeout 10
Console(config)#
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times : 2
Timeout : 5
Server 1:
Server IP Address : 192.168.1.25
Server Port Number : 181
Retransmit Times : 2
Timeout : 4
TACACS Server Group:
Group Name                Member Index
------------------------- ------------
tacacs+                   1
Console#
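An offline check of the settings this chapter covers (enable password, username, authentication login, and the radius-server / tacacs-server keys), as an added example that is not the switch's own software. Only the factory defaults the guide states are hard-coded; the sample configuration is constructed in this chapter's syntax, the placeholder `<encrypted-placeholder>` stands in for a type-7 string, and the 16-character key threshold is this example's own choice, not a switch limit.

```python
"""Offline audit of management-access settings from this chapter.

Added example, not the switch's own software. Type-7 (encrypted) strings
cannot be compared offline, so default-password checks apply to type 0 only.
"""
import shlex
from typing import Dict, List

DEFAULT_ENABLE_PASSWORD = "super"                               # stated default
DEFAULT_USER_PASSWORDS = {"guest": "guest", "admin": "admin"}   # Table 35 defaults
MIN_SHARED_KEY_LEN = 16   # assumption: audit threshold, not a switch limit (max is 48)

# Constructed sample configuration in the syntax of this chapter.
SAMPLE_CONFIG = """\
enable password level 15 0 super
username guest access-level 0
username guest password 0 guest
username admin access-level 15
username admin password 7 <encrypted-placeholder>
username ops access-level 15
username ops nopassword
authentication login radius tacacs
authentication enable local
radius-server 1 host 192.168.1.20 acct-port 181 timeout 10 retransmit 5 key green
tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
"""


def audit(config_text: str) -> List[str]:
    """Return one 'CODE: detail' finding per weakness; an empty list means nothing flagged."""
    findings: List[str] = []
    users: Dict[str, Dict[str, str]] = {}
    login_seq: List[str] = []
    keys: Dict[str, str] = {}
    saw_enable = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = shlex.split(line)   # honours keys enclosed in double quotes
        if tok[:2] == ["enable", "password"] and len(tok) >= 4:
            # enable password [level <n>] {0 | 7} <password>
            saw_enable = True
            if tok[-2] == "0" and tok[-1] == DEFAULT_ENABLE_PASSWORD:
                findings.append("ENABLE_DEFAULT: Privileged Exec password is the factory default")
        elif tok[0] == "username" and len(tok) >= 3:
            entry = users.setdefault(tok[1], {})
            if tok[2] == "access-level" and len(tok) >= 4:
                entry["level"] = tok[3]
            elif tok[2] == "nopassword":
                entry["nopassword"] = "yes"
            elif tok[2] == "password" and len(tok) >= 5:
                entry["ptype"], entry["password"] = tok[3], tok[4]
        elif tok[:2] == ["authentication", "login"]:
            login_seq = tok[2:]
        elif tok[0] in ("radius-server", "tacacs-server") and "key" in tok:
            # global 'radius-server key ...' or a per-server host entry with a key
            where = tok[0] if tok[1] == "key" else f"{tok[0]} {tok[1]}"
            keys[where] = tok[tok.index("key") + 1]
    if not saw_enable:
        findings.append("ENABLE_DEFAULT: no enable password set, so the factory default applies")
    for name, e in users.items():
        if e.get("nopassword") == "yes":
            findings.append(f"NOPASSWORD: user {name} (level {e.get('level', '0')}) "
                            "logs in without a password")
        if e.get("ptype") == "0" and e.get("password") == DEFAULT_USER_PASSWORDS.get(name):
            findings.append(f"USER_DEFAULT: user {name} still uses the factory default password")
    if login_seq and "local" not in login_seq:
        findings.append("NO_LOCAL_FALLBACK: authentication login has no local method; "
                        "management is locked out while every listed server is unreachable")
    for where, key in keys.items():
        if len(key) < MIN_SHARED_KEY_LEN:
            findings.append(f"SHORT_KEY: {where} shared key is only {len(key)} characters")
    if len(set(keys.values())) < len(keys):
        findings.append("SHARED_KEY_REUSE: the same shared key is configured for more than one server")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```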
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Table 39: AAA Commands
Command | Function | Mode
aaa accounting commands | Enables accounting of Exec mode commands | GC
aaa accounting dot1x | Enables accounting of 802.1X services | GC
aaa accounting exec | Enables accounting of Exec services | GC
aaa accounting update | Enables periodic updates to be sent to the accounting server | GC
aaa authorization commands | Enables authorization of local console or Telnet sessions | GC
aaa authorization exec | Enables authorization of Exec sessions | GC
aaa group server | Groups security servers into defined lists | GC
server | Configures the IP address of a server in a group list | SG
accounting dot1x | Applies an accounting method to an interface for 802.1X service requests | IC
accounting commands | Applies an accounting method to CLI commands entered by a user | Line
accounting exec | Applies an accounting method to local console, Telnet or SSH connections | Line
authorization commands | Applies an authorization method to local console or Telnet sessions | Line
authorization exec | Applies an authorization method to local console, Telnet or SSH connections | Line
show accounting | Displays all accounting information | PE
aaa accounting commands
This command enables the accounting of Exec mode commands. Use the no form to disable the accounting service.
Syntax
aaa accounting commands level {default | method-name} start-stop group
{tacacs+ | server-group}
no aaa accounting commands level {default | method-name}
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests.
(Range: 1-64 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ The accounting of Exec mode commands is only supported by TACACS+ servers.
◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Example
Console(config)#aaa accounting commands 15 default start-stop group tacacs+
Console(config)#
aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting dot1x {default | method-name}
start-stop group {radius | tacacs+ |server-group}
no aaa accounting dot1x {default | method-name}
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests.
(Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Example
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#
aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec {default | method-name}
start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests.
(Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ This command runs accounting for Exec service requests for the local console and Telnet connections.
◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Example
Console(config)#aaa accounting exec default start-stop group tacacs+
Console(config)#
aaa accounting update
This command enables the sending of periodic updates to the accounting server.
Use the no form to restore the default setting.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
(Range: 0-2147483647 minutes; where 0 means disabled)
Default Setting
1 minute
Command Mode
Global Configuration
Command Usage
◆ When accounting updates are enabled, the switch issues periodic interim accounting records for all users on the system.
◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
Example
Console(config)#aaa accounting update periodic 30
Console(config)#
aaa authorization commands
This command enables the authorization for CLI commands entered via a local console or Telnet connection. Use the no form to disable the authorization service.
Syntax
aaa authorization commands level {default | method-name}
group {tacacs+ | server-group}
no aaa authorization commands level {default | method-name}
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default authorization method for CLI access.
method-name - Specifies an authorization method for CLI access.
(Range: 1-64 characters)
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ This command performs authorization to determine if a user is allowed to submit CLI commands at the specified privilege level.
◆ AAA authentication must be enabled before authorization is enabled.
◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Example
Console(config)#aaa authorization commands 0 default group tacacs+
Console(config)#
aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
Syntax
aaa authorization exec {default | method-name}
group {tacacs+ | server-group}
no aaa authorization exec {default | method-name}
default - Specifies the default authorization method for Exec access.
method-name - Specifies an authorization method for Exec access.
(Range: 1-64 characters)
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters)
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ This command performs authorization to determine if a user is allowed to run an Exec shell.
◆ AAA authentication must be enabled before authorization is enabled.
◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Example
Console(config)#aaa authorization exec default group tacacs+
Console(config)#
aaa group server
Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
Syntax
[no] aaa group server {radius | tacacs+} group-name
radius - Defines a RADIUS server group.
tacacs+ - Defines a TACACS+ server group.
group-name - A text string that names a security server group.
(Range: 1-255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#
server
This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.
Syntax
[no] server {index | ip-address}
index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1)
ip-address - Specifies the host IP address of a server.
Default Setting
None
Command Mode
Server Group Configuration
Command Usage
◆ When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command.
◆ When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command.
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#
accounting dot1x
This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
Syntax
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the aaa accounting dot1x command.
list-name - Specifies a method list created with the aaa accounting dot1x command.
Default Setting
None
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#
accounting commands
This command applies an accounting method to entered CLI commands. Use the no form to disable accounting for entered CLI commands.
Syntax
accounting commands level {default | list-name}
no accounting commands level
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default method list created with the aaa accounting commands command.
list-name - Specifies a method list created with the aaa accounting commands command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#
accounting exec
This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.
Syntax
accounting exec {default | list-name}
no accounting exec
default - Specifies the default method list created with the aaa accounting exec command.
list-name - Specifies a method list created with the aaa accounting exec command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#
authorization commands
This command applies an authorization method to local console, Telnet or SSH connections at a specified privilege level. Use the no form to disable authorization on the line.
Syntax
authorization commands level {default | list-name}
no authorization commands level
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default method list created with the aaa authorization exec command.
list-name - Specifies a method list created with the
command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#authorization commands 15 tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization commands 15 default
Console(config-line)#
authorization exec
This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
Syntax
authorization exec {default | list-name}
no authorization exec
default - Specifies the default method list created with the aaa authorization exec command.
list-name - Specifies a method list created with the aaa authorization exec command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
Syntax
show accounting [commands [level] | dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics]
commands - Displays command accounting information.
level - Displays command accounting information for a specified command level.
dot1x - Displays dot1x accounting information.
exec - Displays Exec accounting records.
statistics - Displays accounting records.
user-name - Displays accounting records for a specified username.
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show accounting
Accounting Type: dot1x
Method List : default
Group List : radius
Interface : Eth 1/1
Method List : tps
Group List : radius
Interface : Eth 1/2
Accounting Type: EXEC
Method List : default
Group List : tacacs+
Interface : vty
Console#
Web Server
This section describes commands used to configure web browser management access to the switch.
Table 40: Web Server Commands
Command                  Function                                                         Mode
ip http port             Specifies the port to be used by the web browser interface       GC
ip http server           Allows the switch to be monitored or configured from a browser   GC
ip http secure-port      Specifies the TCP port number for HTTPS                          GC
ip http secure-server    Enables HTTPS (HTTP/SSL) for encrypted communications            GC
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface. (Range: 1-65535)
Default Setting
80
Command Mode
Global Configuration
Example
Console(config)#ip http port 769
Console(config)#
ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Syntax
[no] ip http server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip http server
Console(config)#
ip http secure-port
This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number – The TCP port used for HTTPS. (Range: 1-65535)
Default Setting
443
Command Mode
Global Configuration
Command Usage
◆ You cannot configure the HTTP and HTTPS servers to use the same port.
◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
Example
Console(config)#ip http secure-port 1000
Console(config)#
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
Syntax
[no] ip http secure-server
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port.
◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number]
◆ When you start HTTPS, the connection is established in this way:
■ The client authenticates the server using the server’s digital certificate.
■ The client and server negotiate a set of security protocols to use for the connection.
■ The client and server generate session keys for encrypting and decrypting data.
■ The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 30, or Google Chrome 29, or more recent versions.
The following web browsers and operating systems currently support HTTPS:
Table 41: HTTPS System Support
Web Browser                      Operating System
Internet Explorer 6.x or later   Windows 98, Windows NT (with service pack 6a), Windows 2000, XP, Vista, 7, 8
Mozilla Firefox 30 or later      Windows 2000, XP, Vista, 7, 8, Linux
Google Chrome 29 or later        Windows XP, Vista, 7, 8
◆ To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” in the System Reference Guide. Also refer to the copy tftp https-certificate command.
◆ Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
Example
Console(config)#ip http secure-server
Console(config)#
Related Commands
copy tftp https-certificate (110)
Telnet Server
This section describes commands used to configure Telnet management access to the switch.
Table 42: Telnet Server Commands
Command                  Function                                                                                      Mode
ip telnet max-sessions   Specifies the maximum number of Telnet sessions that can simultaneously connect to this system GC
ip telnet port           Specifies the port to be used by the Telnet interface                                         GC
ip telnet server         Allows the switch to be monitored or configured from Telnet                                   GC
show ip telnet           Displays configuration settings for the Telnet server                                         PE
Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.
ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.
Syntax
ip telnet max-sessions session-count
no ip telnet max-sessions
session-count - The maximum number of allowed Telnet sessions. (Range: 0-8)
Default Setting
8 sessions
Command Mode
Global Configuration
Command Usage
A maximum of four sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum number of four sessions).
Example
Console(config)#ip telnet max-sessions 1
Console(config)#
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax
ip telnet port port-number
no ip telnet port
port-number - The TCP port number to be used by the Telnet interface. (Range: 1-65535)
Default Setting
23
Command Mode
Global Configuration
Example
Console(config)#ip telnet port 123
Console(config)#
ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
Syntax
[no] ip telnet server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip telnet server
Console(config)#
show ip telnet
This command displays the configuration settings for the Telnet server.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 8
Console#
Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Table 43: Secure Shell Commands
Command                          Function                                                                                        Mode
ip ssh authentication-retries    Specifies the number of retries allowed by a client                                             GC
ip ssh server                    Enables the SSH server on the switch                                                            GC
ip ssh server-key size           Sets the SSH server key size                                                                    GC
ip ssh timeout                   Specifies the authentication timeout for the SSH server                                         GC
copy tftp public-key             Copies the user’s public key from a TFTP server to the switch                                   PE
delete public-key                Deletes the public key for the specified user                                                   PE
disconnect                       Terminates a line connection                                                                    PE
ip ssh crypto host-key generate  Generates the host key                                                                          PE
ip ssh crypto zeroize            Clears the host key from RAM                                                                    PE
ip ssh save host-key             Saves the host key from RAM to flash memory                                                     PE
show ip ssh                      Displays the status of the SSH server and the configured values for authentication timeout and retries  PE
show public-key                  Shows the public key for the specified user or for the host                                     PE
show ssh                         Displays the status of current SSH sessions                                                     PE
show users                       Shows SSH users, including privilege level and public key type                                  PE
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command. If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:
10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956
108259132128902337654680172627257141342876294130119619556678259566410486957427
888146206519417467729848654686157177393901647793559423035774130980227370877945
4524083971752646358058176716709574804776117
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public keys for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on the standard UNIX format, as shown in the following example for an RSA key:
1024 35
134108168560989392104094492015542534763164192187295892114317388005553616163105
177594083868631109291232226828519254374603100937187721199696317813662774141689
851320491172048303392543241016379975923714490119380060902539484084827178194372
288402533115952134861022902978982721353267131629432532818915045306393916643 [email protected]
4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.
Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file. However, you do not need to configure the client's keys.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e. The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Note: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.
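The known hosts entry in step 2 and the UNIX-format public key line in step 3 share one layout: a declared key size, a public exponent and a decimal modulus. The following Python parser is an added example, not switch firmware or code from this guide; it checks a key file or known hosts entry for the mistakes an operator can catch before copying it to the switch (declared size not matching the modulus, an impossible exponent, a malformed line). The host address, comment and modulus in it are constructed sample values, not real keys.

```python
"""Parser and sanity checks for the two SSH v1 RSA key text layouts used above.

Added example, not code from the switch or this guide.
  known hosts entry (step 2):    <host> <bits> <exponent> <modulus>
  public-key file line (step 3): <bits> <exponent> <modulus> [comment]
The modulus is a decimal integer in both layouts.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rsa1Key:
    bits: int
    exponent: int
    modulus: int
    host: Optional[str] = None      # set only for known hosts entries
    comment: Optional[str] = None   # set only for public-key file lines


def _check_fields(bits_s: str, exp_s: str, mod_s: str) -> Tuple[int, int, int]:
    """Validate the numeric fields shared by both layouts."""
    for name, value in (("bits", bits_s), ("exponent", exp_s), ("modulus", mod_s)):
        if not value.isdigit():
            raise ValueError(f"{name} must be a decimal integer, got {value!r}")
    bits, exponent, modulus = int(bits_s), int(exp_s), int(mod_s)
    # The first field declares the key size; it must match the modulus actually given.
    if modulus.bit_length() != bits:
        raise ValueError(f"declared {bits} bits but modulus has {modulus.bit_length()} bits")
    # An RSA public exponent is odd and smaller than the modulus; 35 and 65537 both qualify.
    if exponent < 3 or exponent % 2 == 0 or exponent >= modulus:
        raise ValueError(f"invalid public exponent {exponent}")
    # A product of two odd primes is never even.
    if modulus % 2 == 0:
        raise ValueError("modulus is even")
    return bits, exponent, modulus


def parse_public_key_line(line: str) -> Rsa1Key:
    """Parse one '<bits> <exponent> <modulus> [comment]' line from a public-key file."""
    parts = line.strip().split(None, 3)
    if len(parts) < 3:
        raise ValueError("expected '<bits> <exponent> <modulus> [comment]'")
    bits, exponent, modulus = _check_fields(*parts[:3])
    comment = parts[3].strip() if len(parts) == 4 else None
    return Rsa1Key(bits, exponent, modulus, comment=comment)


def parse_known_hosts_entry(line: str) -> Rsa1Key:
    """Parse one '<host> <bits> <exponent> <modulus>' known hosts entry."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("expected '<host> <bits> <exponent> <modulus>'")
    bits, exponent, modulus = _check_fields(*parts[1:])
    return Rsa1Key(bits, exponent, modulus, host=parts[0])


def check_key_file(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) for every bad line of a public-key file.

    An empty list means every non-blank line parsed, i.e. the file is in the
    format the switch accepts for copy tftp public-key.
    """
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            parse_public_key_line(line)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
    return problems


# Constructed sample values (not real keys): a 1024-bit odd modulus.
SAMPLE_MODULUS = (1 << 1023) | 0x1234567
SAMPLE_PUBKEY_LINE = f"1024 35 {SAMPLE_MODULUS} admin@mgmt-station"
SAMPLE_KNOWN_HOSTS = f"10.1.0.54 1024 35 {SAMPLE_MODULUS}"

if __name__ == "__main__":
    print(parse_public_key_line(SAMPLE_PUBKEY_LINE))
    print(parse_known_hosts_entry(SAMPLE_KNOWN_HOSTS))
    # A line that declares 512 bits on a 1024-bit modulus is reported.
    print(check_key_file(f"512 35 {SAMPLE_MODULUS}\n{SAMPLE_PUBKEY_LINE}\n"))
```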
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset. (Range: 1-5)
Default Setting
3
Command Mode
Global Configuration
Example
Console(config)#ip ssh authentication-retries 2
Console(config)#
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
◆ You must generate DSA and RSA host keys before enabling the SSH server.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (240)
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of the server key. (Range: 512-1024 bits)
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
The server key is a private key that is never shared outside the switch.
The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
Console(config)#ip ssh server-key size 512
Console(config)#
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting
120 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Example
Console(config)#ip ssh timeout 60
Console(config)#
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [dsa | rsa]
username – Name of an SSH user. (Range: 1-8 characters)
dsa – DSA public key type.
rsa – RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin dsa
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
◆ The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it.
Example
Console#ip ssh crypto host-key generate dsa
Console#
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
dsa – DSA key type.
rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
◆ The SSH server must be disabled before you can execute this command.
Example
Console#ip ssh crypto zeroize dsa
Console#
Related Commands
ip ssh crypto host-key generate (240)
no ip ssh save host-key
ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
ip ssh save host-key
Default Setting
Saves both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key
Console#
Related Commands
ip ssh crypto host-key generate (240)
show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-32 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
◆ If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
◆ When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus. When a DSA key is displayed, the first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS), and the last string is the encoded modulus.
Example
Console#show public-key host
Host:
RSA:
1024 65537 13236940658254764031382795526536375927835525327972629521130241
071942106165575942459093923609695405036277525755625100386613098939383452310
332802149888661921595568598879891919505883940181387440468908779160305837768
185490002831341625008348718449522087429212255691665655296328163516964040831
5547660664151657116381
DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv
JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR
2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy
DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W
Console#
show ssh
This command displays the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection Version State Username Encryption
1 2.0 Session-Started admin ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#
Table 44: show ssh - display description
Field        Description
Connection   The session number. (Range: 1-8)
Version      The Secure Shell version number.
State        The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username     The user name of the client.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 45: 802.1X Port Authentication Commands
Command                       Function                                                                                                   Mode
General Commands
dot1x default                 Resets all dot1x parameters to their default values                                                        GC
dot1x eapol-pass-through      Passes EAPOL frames to all ports in STP forwarding state when dot1x is globally disabled                    GC
dot1x system-auth-control     Enables dot1x globally on the switch                                                                       GC
Authenticator Commands
dot1x intrusion-action        Sets the port response to intrusion when authentication fails                                              IC
dot1x max-reauth-req          Sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process  IC
dot1x max-req                 Sets the maximum number of times that the switch retransmits an EAP request/identity packet to the client before it times out the authentication session  IC
dot1x operation-mode          Allows single or multiple hosts on a dot1x port                                                            IC
dot1x port-control            Sets dot1x mode for a port interface                                                                       IC
dot1x re-authentication       Enables re-authentication for all ports                                                                    IC
dot1x timeout quiet-period    Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client  IC
dot1x timeout re-authperiod   Sets the time period after which a connected client must be re-authenticated                               IC
dot1x timeout sup-timeout     Sets the interval for a supplicant to respond                                                              IC
dot1x timeout tx-period       Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet  IC
dot1x re-authenticate         Forces re-authentication on specific ports                                                                 PE
Supplicant Commands
dot1x identity profile        Configures dot1x supplicant user name and password                                                         GC
dot1x max-start               Sets the maximum number of times that a port supplicant will send an EAP start frame to the client         IC
dot1x supplicant              Enables dot1x supplicant mode on an interface                                                              IC
dot1x timeout auth-period     Sets the time that a supplicant port waits for a response from the authenticator                           IC
dot1x timeout held-period     Sets the time a port waits after the maximum start count has been exceeded before attempting to find another authenticator  IC
dot1x timeout start-period    Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator      IC
Information Display Commands
show dot1x                    Shows all dot1x related information                                                                        PE
General Commands
dot1x default
This command sets all configurable dot1x authenticator global and port settings to their default values.
Command Mode
Global Configuration
Command Usage
This command resets the following commands to their default settings:
◆ dot1x system-auth-control
◆ dot1x eapol-pass-through
◆ dot1x port-control
◆ dot1x port-control multi-host max-count
◆ dot1x operation-mode
◆ dot1x max-req
◆ dot1x timeout quiet-period
◆ dot1x timeout tx-period
◆ dot1x timeout re-authperiod
◆ dot1x timeout sup-timeout
◆ dot1x re-authentication
◆ dot1x intrusion-action
Example
Console(config)#dot1x default
Console(config)#
dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Syntax
[no] dot1x eapol-pass-through
Default Setting
Discards all EAPOL frames when dot1x is globally disabled
Command Mode
Global Configuration
Command Usage
◆ When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, the dot1x eapol-pass-through command can be used to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
◆ When this device is functioning as an edge switch but does not require any attached clients to be authenticated, the no dot1x eapol-pass-through command can be used to discard unnecessary EAPOL traffic.
Example
This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
Console(config)#dot1x eapol-pass-through
Console(config)#
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Syntax
[no] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#
Authenticator Commands
dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Default
block-traffic
Command Mode
Interface Configuration
Command Usage
For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#
dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
Syntax
dot1x max-reauth-req count
no dot1x max-reauth-req
count – The maximum number of requests (Range: 1-10)
Default
2
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Syntax
dot1x max-req count
no dot1x max-req
count – The maximum number of requests (Range: 1-10)
Default
2
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Syntax
dot1x operation-mode {single-host | multi-host [max-count count] | mac-based-auth}
no dot1x operation-mode [multi-host max-count]
single-host – Allows only a single host to connect to this port.
multi-host – Allows multiple hosts to connect to this port.
max-count – Keyword for the maximum number of hosts.
count – The maximum number of hosts that can connect to a port. (Range: 1-1024; Default: 5)
mac-based-auth – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Default
Single-host
Command Mode
Interface Configuration
Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
◆ In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails reauthentication or sends an EAPOL logoff message.
◆ In “mac-based-auth” mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the
RADIUS server. Clients that are not dot1x-aware will be denied access.
force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
force-unauthorized – Configures the port to deny access to all clients, either dot1x-aware or otherwise.
Default
force-authorized
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#
dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
Syntax
[no] dot1x re-authentication
Command Mode
Interface Configuration
Command Usage
◆ The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
Related Commands
dot1x timeout re-authperiod (page 251)
dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see dot1x max-req) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds. (Range: 1-65535)
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be reauthenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds. (Range: 1-65535)
Default
3600 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Command Usage
This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information. It may also send other EAP-request frames to the client during an active connection as required for reauthentication.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout supp-timeout 300
Console(config-if)#
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
Example
Console#dot1x re-authenticate
Console#
Supplicant Commands
dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
Syntax
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name. (Range: 1-8 characters)
password - Specifies the supplicant password. (Range: 1-32 characters)
Default
No user name or password
Command Mode
Global Configuration
Command Usage
The global supplicant user name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. These parameters must be set when this switch passes client authentication requests to another authenticator on the network (see the dot1x pae supplicant command).
Example
Console(config)#dot1x identity profile username steve
Console(config)#dot1x identity profile password excess
Console(config)#
dot1x max-start
This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X-unaware. Use the no form to restore the default value.
Syntax
dot1x max-start count
no dot1x max-start
count - Specifies the maximum number of EAP start frames. (Range: 1-65535)
Default
3
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#
dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
Syntax
[no] dot1x pae supplicant
Default
Disabled
Command Mode
Interface Configuration
Command Usage
◆ When devices attached to a port must submit requests to another authenticator on the network, configure the identity profile parameters (see the dot1x identity profile command) which identify this switch as a supplicant, and enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator using this command. In this mode the port will not respond to dot1x messages meant for an authenticator.
◆ This switch can be configured to serve as the authenticator on selected ports by setting the control mode to “auto” (see the dot1x port-control command), and as a supplicant on other ports by setting the control mode to “force-authorized” and enabling dot1x supplicant mode with this command.
◆ A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#dot1x pae supplicant
Console(config-if)#
dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Command Usage
This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL-Start.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout auth-period 60
Console(config-if)#
dot1x timeout held-period
This command sets the time that a supplicant port waits before resending its credentials to find a new authenticator. Use the no form to reset the default.
Syntax
dot1x timeout held-period seconds
no dot1x timeout held-period
seconds - The number of seconds. (Range: 1-65535)
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout held-period 120
Console(config-if)#
dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout start-period 60
Console(config-if)#
Information Display Commands
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (dot1x system-auth-control).
◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is
◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (dot1x identity profile).
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
■ Type – Administrative state for port access control (Enabled, Authenticator, or Supplicant).
■ Operation Mode – Allows single or multiple hosts (dot1x operation-mode).
■ Control Mode – Dot1x port control mode (page 250).
■ Authorized – Authorization status (yes or n/a - not authorized).
◆ 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
■ Reauthentication – Periodic re-authentication (dot1x re-authentication).
■ Reauth Period – Time after which a connected client must be reauthenticated (dot1x timeout re-authperiod).
■ Quiet Period – Time a port waits after Max Request Count is exceeded before attempting to acquire a new client (page 251).
■ TX Period – Time a port waits during authentication session before re-transmitting EAP packet (page 252).
■ Supplicant Timeout – Supplicant timeout.
■ Server Timeout – Server timeout. A RADIUS server must be set before the correct operational value of 10 seconds will be displayed in this field.
■ Reauth Max Retries – Maximum number of reauthentication attempts.
■ Max Request – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (dot1x max-req).
■ Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
■ Port Control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (dot1x port-control).
■ Intrusion Action – Shows the port response to intrusion when authentication fails.
■ Supplicant – MAC address of authorized client.
◆ Authenticator PAE State Machine
■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
■ Reauth Count – Number of times connecting state is re-entered.
■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
◆ Backend State Machine
■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
◆ Reauthentication State Machine
■ State – Current state (including initialize, reauthenticate).
Example
Console#show dot1x
Global 802.1X Parameters
System Auth Control : Enabled
Authenticator Parameters:
EAPOL Pass Through : Disabled
Supplicant Parameters:
Identity Profile Username : steve
802.1X Port Summary
Port Type Operation Mode Control Mode Authorized
-------- ------------- -------------- ------------------ ----------
Eth 1/ 1 Disabled Single-Host Force-Authorized Yes
Eth 1/ 2 Disabled Single-Host Force-Authorized Yes
.
.
.
Eth 1/27 Disabled Single-Host Force-Authorized Yes
Eth 1/28 Enabled Single-Host Auto Yes
.
.
.
Console#show dot1x interface ethernet 1/28
802.1X Authenticator is enabled on port 28
Reauthentication : Enabled
Reauth Period : 3600
Quiet Period : 60
TX Period : 30
Supplicant Timeout : 30
Server Timeout : 10
Reauth Max Retries : 2
Max Request : 2
Operation Mode : Multi-host
Port Control : Auto
Intrusion Action : Block traffic
Supplicant : 00-e0-29-94-34-65
Authenticator PAE State Machine
State : Authenticated
Reauth Count : 0
Current Identifier : 3
Backend State Machine
State : Idle
Request Count : 0
Identifier(Server) : 2
Reauthentication State Machine
State : Initialize
Console#
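The show dot1x output above is what an administrator or auditor has to read to judge the port authentication posture of the switch. The following Python script is an added example (not part of this guide or the switch firmware) that parses the 802.1X Port Summary table and one per-port detail block in the layout shown above and flags the settings a reviewer would question: 802.1X enabled on a port that is still Force-Authorized, Multi-Host mode, and re-authentication turned off. The sample output embedded in it is constructed to match the guide's layout.

```python
"""Audit the 'show dot1x' output described in this section.

Added example, not part of the guide or the switch firmware. It parses the
802.1X Port Summary table and a per-port detail block in the layout the
guide prints, then flags settings a reviewer would question. The sample
text below is constructed to match the guide's example layout.
"""
import re

SUMMARY_SAMPLE = """\
802.1X Port Summary
Port     Type          Operation Mode Control Mode       Authorized
-------- ------------- -------------- ------------------ ----------
Eth 1/ 1 Disabled      Single-Host    Force-Authorized   Yes
Eth 1/ 2 Disabled      Single-Host    Force-Authorized   Yes
Eth 1/27 Enabled       Multi-Host     Force-Authorized   Yes
Eth 1/28 Enabled       Single-Host    Auto               Yes
"""

DETAIL_SAMPLE = """\
802.1X Authenticator is enabled on port 28
Reauthentication   : Disabled
Reauth Period      : 3600
Quiet Period       : 60
TX Period          : 30
Supplicant Timeout : 30
Server Timeout     : 10
Reauth Max Retries : 2
Max Request        : 2
Operation Mode     : Multi-host
Port Control       : Auto
Intrusion Action   : Block traffic
Supplicant         : 00-e0-29-94-34-65
"""

# "Eth 1/ 1" is printed with a space-padded port number, hence \s* after "/".
SUMMARY_ROW = re.compile(
    r"^Eth\s+(\d+)/\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_summary(text):
    """Return one dict per port row; title, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if not m:
            continue
        unit, port, typ, op_mode, ctl_mode, authorized = m.groups()
        rows.append({"port": f"{unit}/{int(port)}", "type": typ,
                     "operation_mode": op_mode, "control_mode": ctl_mode,
                     "authorized": authorized})
    return rows


def parse_detail(text):
    """Return the 'Field : Value' pairs of one 'show dot1x interface' block."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_summary(rows):
    """List (port, finding) pairs for rows that have 802.1X enabled."""
    findings = []
    for r in rows:
        if r["type"] != "Enabled":
            continue  # authentication is off on this port; nothing to grade
        if r["control_mode"] == "Force-Authorized":
            findings.append((r["port"], "Force-Authorized admits every client "
                                        "without authentication"))
        if r["operation_mode"] == "Multi-Host":
            findings.append((r["port"], "Multi-Host: one authenticated client "
                                        "opens the port for all attached hosts"))
    return findings


def audit_detail(fields):
    """List findings for one port's detail block."""
    findings = []
    if fields.get("Reauthentication") != "Enabled":
        findings.append("periodic re-authentication is disabled")
    if fields.get("Operation Mode", "").lower() == "multi-host":
        findings.append("multi-host mode; mac-based-auth authenticates each host")
    if fields.get("Port Control", "").lower() == "force-authorized":
        findings.append("port control is force-authorized")
    return findings


if __name__ == "__main__":
    for port, msg in audit_summary(parse_summary(SUMMARY_SAMPLE)):
        print(f"Eth {port}: {msg}")
    for msg in audit_detail(parse_detail(DETAIL_SAMPLE)):
        print(f"Eth 1/28: {msg}")
```

Feed it the captured output of show dot1x and show dot1x interface ethernet unit/port from a real switch to review all ports at once.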
Management IP Filter
This section describes commands used to configure IP management access to the switch.
Table 46: Management IP Filter Commands
Command | Function | Mode
management | Configures IP addresses that are allowed management access | GC
show management | Displays the switch to be monitored or configured from a browser | PE
management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols. A list of up to 15 IP addresses or IP address groups can be specified. Use the no form to restore the default setting.
Syntax
[no] management {all-client | http-client | snmp-client | telnet-client}
start-address [end-address]
all-client - Adds IP address(es) to all groups.
http-client - Adds IP address(es) to the web group.
snmp-client - Adds IP address(es) to the SNMP group.
telnet-client - Adds IP address(es) to the Telnet group.
start-address - A single IP address, or the starting address of a range.
end-address - The end address of a range.
Default Setting
All addresses
Command Mode
Global Configuration
Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
◆ You cannot delete an individual address from a specified range. You must delete the entire range, and re-enter the addresses.
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console(config)#
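The Command Usage rules above (five address sets per group, overlap rejected only within a group, deletion of a whole range by its start address, and an empty list meaning open to all) are easy to get wrong when planning a filter. The following Python model is an added example, not the switch's own implementation, that applies those stated rules so a planned set of management commands can be checked before it is typed in; it is IPv4 only, as in the guide's example.

```python
"""Model of the management IP filter rules stated in this section.

Added example, not the switch's own implementation. It enforces the
documented constraints (up to five address sets per protocol group,
overlapping ranges rejected within a group but accepted across groups,
deletion only of a whole range by its start address) and answers whether a
client may reach a management protocol; an empty group means open to all
addresses, which is the guide's default.
"""
import ipaddress

GROUPS = ("http-client", "snmp-client", "telnet-client")
MAX_SETS_PER_GROUP = 5   # "up to five different sets of addresses" per group


def _targets(group):
    """all-client expands to every protocol group."""
    if group == "all-client":
        return GROUPS
    if group not in GROUPS:
        raise ValueError(f"unknown group {group!r}")
    return (group,)


def _range(start, end=None):
    """A single address is a range whose end equals its start."""
    s = ipaddress.IPv4Address(start)
    e = ipaddress.IPv4Address(end) if end else s
    if e < s:
        raise ValueError("end address precedes start address")
    return s, e


class ManagementFilter:
    def __init__(self):
        self._sets = {g: [] for g in GROUPS}   # group -> [(start, end), ...]

    def check_add(self, group, start, end=None):
        """Return None if 'management <group> start [end]' would be accepted,
        otherwise the reason the switch would reject it."""
        new = _range(start, end)
        for g in _targets(group):
            sets = self._sets[g]
            if len(sets) >= MAX_SETS_PER_GROUP:
                return f"{g}: already holds {MAX_SETS_PER_GROUP} address sets"
            for s, e in sets:      # overlap is only checked inside one group
                if new[0] <= e and s <= new[1]:
                    return f"{g}: overlaps existing range {s}-{e}"
        return None

    def add(self, group, start, end=None):
        reason = self.check_add(group, start, end)
        if reason:
            raise ValueError(reason)
        new = _range(start, end)
        for g in _targets(group):
            self._sets[g].append(new)

    def delete(self, group, start, end=None):
        """'no management ...': removes the whole range that begins at start;
        an end address is accepted but not needed, as the guide states."""
        s = ipaddress.IPv4Address(start)
        for g in _targets(group):
            self._sets[g] = [r for r in self._sets[g] if r[0] != s]

    def allows(self, group, client):
        """True if client may use the protocol; an empty list means no filter."""
        sets = self._sets[group]
        if not sets:
            return True
        c = ipaddress.IPv4Address(client)
        return any(s <= c <= e for s, e in sets)

    def show(self, group):
        """Equivalent of 'show management <group>' as (start, end) strings."""
        return [(str(s), str(e)) for s, e in self._sets[group]]


def guide_example():
    """The two 'management all-client' lines from the guide's example."""
    f = ManagementFilter()
    f.add("all-client", "192.168.1.19")
    f.add("all-client", "192.168.1.25", "192.168.1.30")
    return f
```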
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
Syntax
show management {all-client | http-client | snmp-client | telnet-client}
all-client - Displays IP addresses for all groups.
http-client - Displays IP addresses for the web group.
snmp-client - Displays IP addresses for the SNMP group.
telnet-client - Displays IP addresses for the Telnet group.
Command Mode
Privileged Exec
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
TELNET-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
Console#
PPPoE Intermediate Agent
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
Table 47: PPPoE Intermediate Agent Commands
Command | Function | Mode
pppoe intermediate-agent | Enables the PPPoE IA globally on the switch | GC
pppoe intermediate-agent format-type | Sets the access node identifier and generic error message for the switch | GC
pppoe intermediate-agent port-enable | Enables the PPPoE IA on an interface | IC
pppoe intermediate-agent port-format-type | Sets the circuit-id or remote-id for an interface | IC
pppoe intermediate-agent port-format-type remote-id-delimiter | Sets the remote-id delimiter for an interface | IC
pppoe intermediate-agent trust | Sets the trust mode for an interface | IC
pppoe intermediate-agent vendor-tag strip | Enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server | IC
clear pppoe intermediate-agent statistics | Clears PPPoE IA statistics | PE
show pppoe intermediate-agent info | Displays PPPoE IA configuration settings | PE
show pppoe intermediate-agent statistics | Displays PPPoE IA statistics | PE
pppoe intermediate-agent
This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
Syntax
[no] pppoe intermediate-agent
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS). The switch extracts access-loop information from the client’s PPPoE Active Discovery Request, and subscriber’s circuit-ID tag inserted by the switch during the PPPoE discovery phase, and sends this tag as a NAS-port-ID attribute in PPP authentication and AAA accounting requests to a RADIUS server.
◆ PPPoE IA must be enabled globally by this command before this feature can be enabled on an interface using the pppoe intermediate-agent port-enable command.
Example
Console(config)#pppoe intermediate-agent
Console(config)#
pppoe intermediate-agent format-type
This command sets the access node identifier and generic error message for the switch. Use the no form to restore the default settings.
Syntax
pppoe intermediate-agent format-type {access-node-identifier id-string |
generic-error-message error-message}
no pppoe intermediate-agent format-type {access-node-identifier |
generic-error-message}
id-string - String identifying this switch as a PPPoE IA to the PPPoE server. (Range: 1-48 ASCII characters)
error-message - An error message notifying the sender that the PPPoE Discovery packet was too large.
Default Setting
◆ Access Node Identifier: IP address of the first IPv4 interface on the switch.
◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
Command Mode
Global Configuration
Command Usage
◆ The switch uses the access-node-identifier to generate the circuit-id for PPPoE discovery stage packets sent to the BRAS, but does not modify the source or destination MAC address of these PPPoE discovery packets.
Example
Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong
Console(config)#
pppoe intermediate-agent port-enable
This command enables the PPPoE IA on an interface. Use the no form to disable this feature.
Syntax
[no] pppoe intermediate-agent port-enable
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
PPPoE IA must also be enabled globally on the switch for this command to take effect.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-enable
Console(config-if)#
pppoe intermediate-agent port-format-type
This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.
Syntax
pppoe intermediate-agent port-format-type {circuit-id | remote-id} id-string
circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected. (Range: 1-10 ASCII characters)
remote-id - String identifying the remote identifier (or interface) on this switch to which the user is connected. (Range: 1-63 ASCII characters)
Default Setting
circuit-id: unit/port:vlan-id or 0/trunk-id:vlan-id
remote-id: port MAC address
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The PPPoE server extracts the Line-ID tag from PPPoE discovery stage messages, and uses the Circuit-ID field of that tag as a NAS-Port-ID attribute in AAA access and accounting requests.
◆ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server. The tag contains the Line-ID of the customer line over which the discovery packet was received, entering the switch (or access node) where the intermediate agent resides.
◆ Outgoing PAD Offer (PADO) and Session-confirmation (PADS) packets sent from the PPPoE Server include the Circuit-ID tag inserted by the switch, and should be stripped out of PADO and PADS packets which are to be passed directly to end-node clients using the pppoe intermediate-agent vendor-tag strip command.
◆ If the remote-id is unspecified, the port name will be used for this parameter. If the port name is not configured, the remote-id is set to the port MAC (yy-yy-yy-yy-yy-yy#), where # is the default delimiter.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-format-type circuit-id ECS4620-28T
Console(config-if)#
pppoe intermediate-agent port-format-type remote-id-delimiter
This command sets the remote-id delimiter for an interface. Use the enable keyword to enable the delimiter. Use the no form with the enable keyword to disable the delimiter. Use the no form without any keywords to restore the default settings.
Syntax
pppoe intermediate-agent port-format-type remote-id-delimiter
{enable | ascii-code}
ascii-code - ASCII character of delimiter. (Range: 0-255)
Default Setting
Disabled
ASCII code: 35 (“#”)
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
If the delimiter is enabled and it occurs in the remote ID string, the string will be truncated at that point.
Example
This command enables the delimiter for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-format-type remote-id-delimiter enable
Console(config-if)#
pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
Syntax
[no] pppoe intermediate-agent trust
Default Setting
Untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Set any interfaces connecting the switch to a PPPoE Server as trusted. Interfaces that connect the switch to users (PPPoE clients) should be set as untrusted.
◆ At least one trusted interface must be configured on the switch for the PPPoE IA to function.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent trust
Console(config-if)#
pppoe intermediate-agent vendor-tag strip
This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature.
Syntax
[no] pppoe intermediate-agent vendor-tag strip
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent vendor-tag strip
Console(config-if)#
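The port-format-type, remote-id-delimiter and vendor-tag strip sections above describe, in prose, what the intermediate agent does to the Vendor-Specific tag (0x0105) on its way through the switch. The following Python module is an added example, not the switch's own code, that builds that tag for a PADI/PADR frame with the guide's default circuit-id form, truncates a remote-id at an enabled delimiter, and strips the tag from a server-side PADO/PADS frame as vendor-tag strip does on a trusted interface. The vendor ID 0x00000DE9 and the sub-tag numbers 0x01 (circuit-id) and 0x02 (remote-id) are taken from Broadband Forum TR-101, not from this guide, and the PADI payload is constructed.

```python
"""PPPoE Intermediate Agent line-identification tag handling.

Added example, not the switch's own code. Builds the Vendor-Specific tag
(0x0105) inserted into PADI/PADR frames, derives the guide's default
circuit-id "unit/port:vlan-id", truncates a remote-id at an enabled
delimiter, and strips the tag from PADO/PADS frames on a trusted port.
Vendor ID 0x00000DE9 and sub-tags 0x01/0x02 follow Broadband Forum TR-101;
the guide itself does not state them.
"""
import struct

TAG_SERVICE_NAME = 0x0101      # RFC 2516 tag types
TAG_HOST_UNIQ = 0x0103
TAG_VENDOR_SPECIFIC = 0x0105   # the tag named in the guide
TR101_VENDOR_ID = 0x00000DE9   # Broadband Forum (TR-101), assumed here
SUBTAG_CIRCUIT_ID = 0x01
SUBTAG_REMOTE_ID = 0x02


def default_circuit_id(unit, port, vlan_id):
    """Guide default: unit/port:vlan-id (0/trunk-id:vlan-id for a trunk)."""
    return f"{unit}/{port}:{vlan_id}"


def apply_delimiter(remote_id, delimiter_enabled, delimiter_ascii=35):
    """If the delimiter is enabled and occurs in the string, truncate there.
    35 is '#', the guide's default ASCII code."""
    if not delimiter_enabled:
        return remote_id
    return remote_id.partition(chr(delimiter_ascii))[0]


def encode_tags(tags):
    """Serialise [(type, value-bytes), ...] as PPPoE discovery TLVs."""
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)


def parse_tags(payload):
    """Inverse of encode_tags; a length overrunning the payload is malformed."""
    tags, off = [], 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + tlen > len(payload):
            raise ValueError("malformed tag: length exceeds payload")
        tags.append((ttype, payload[off:off + tlen]))
        off += tlen
    return tags


def build_line_id_tag(circuit_id, remote_id):
    """Vendor-Specific tag carrying TR-101 circuit-id and remote-id sub-tags."""
    value = struct.pack("!I", TR101_VENDOR_ID)
    for sub, text in ((SUBTAG_CIRCUIT_ID, circuit_id),
                      (SUBTAG_REMOTE_ID, remote_id)):
        data = text.encode("ascii")
        value += struct.pack("!BB", sub, len(data)) + data
    return TAG_VENDOR_SPECIFIC, value


def decode_line_id_tag(value):
    """Return {sub-tag: string}; {} if the vendor ID is not TR-101."""
    if len(value) < 4 or struct.unpack_from("!I", value)[0] != TR101_VENDOR_ID:
        return {}
    out, off = {}, 4
    while off + 2 <= len(value):
        sub, ln = struct.unpack_from("!BB", value, off)
        off += 2
        out[sub] = value[off:off + ln].decode("ascii")
        off += ln
    return out


def insert_line_id(payload, circuit_id, remote_id):
    """Untrusted (client) port, PADI/PADR: append the line-id tag."""
    tags = parse_tags(payload)
    tags.append(build_line_id_tag(circuit_id, remote_id))
    return encode_tags(tags)


def strip_vendor_tags(payload):
    """Trusted (server) port with vendor-tag strip, PADO/PADS: drop 0x0105."""
    return encode_tags([(t, v) for t, v in parse_tags(payload)
                        if t != TAG_VENDOR_SPECIFIC])


# Constructed PADI payload: empty Service-Name plus a Host-Uniq cookie.
PADI_PAYLOAD = encode_tags([(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"\x00\x2a")])
```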
clear pppoe intermediate-agent statistics
This command clears statistical counters for the PPPoE Intermediate Agent.
Syntax
clear pppoe intermediate-agent statistics interface [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Example
Console#clear pppoe intermediate-agent statistics
Console#
show pppoe intermediate-agent info
This command displays configuration settings for the PPPoE Intermediate Agent.
Syntax
show pppoe intermediate-agent info [interface [interface]]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Example
Console#show pppoe intermediate-agent info
PPPoE Intermediate Agent Global Status : Enabled
PPPoE Intermediate Agent Admin Access Node Identifier : 192.168.0.2
PPPoE Intermediate Agent Oper Access Node Identifier : 192.168.0.2
PPPoE Intermediate Agent Admin Generic Error Message :
PPPoE Intermediate Agent Oper Generic Error Message :
PPPoE Discover packet too large to process. Try reducing the number of tags added.
Console#show pppoe intermediate-agent info interface ethernet 1/1
Interface PPPoE IA Trusted Vendor-Tag Strip Admin Circuit-ID Admin Remote-ID
--------- -------- ------- ---------------- ------------ ----------------
Eth 1/2 Yes Yes Yes 1/2:vid 00-00-E8-94-40-02
R-ID Delimiter Delimiter ASCII Oper Circuit-ID Oper Remote-ID
---------------- ---------------- ---------------- -----------------
Yes 3 1/2:vid 00-00-E8-94-40-02
Console#
show pppoe intermediate-agent statistics
This command displays statistics for the PPPoE Intermediate Agent.
Syntax
show pppoe intermediate-agent statistics interface [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Example
Console#show pppoe intermediate-agent statistics interface ethernet 1/1
Eth 1/1 statistics
-----------------------------------------------------------------------------
Received : All PADI PADO PADR PADS PADT
---------- ---------- ---------- ---------- ---------- ----------
3 0 0 0 0 3
Dropped : Response from untrusted Request towards untrusted Malformed
----------------------- ------------------------- ---------
0 0 0
Console#
Table 48: show pppoe intermediate-agent statistics - display description
Field | Description
PADI | PPPoE Active Discovery Initiation
PADO | PPPoE Active Discovery Offer
PADR | PPPoE Active Discovery Request
PADS | PPPoE Active Discovery Session-Confirmation
PADT | PPPoE Active Discovery Terminate
8 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter. These include port-based authentication, which can be configured to allow network client access by specifying a fixed set of MAC addresses. The addresses assigned to DHCP clients can also be carefully controlled with IP Source Guard and DHCP Snooping commands.
Table 49: General Security Commands
Command Group | Function
Port Security * | Configures secure addresses for a port
Port Authentication * | Configures host authentication on specific ports using 802.1X
Network Access | Configures MAC authentication and dynamic VLAN assignment
Web Authentication | Configures Web authentication
Access Control Lists | Provides filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or non-IP frames (based on MAC address or Ethernet type)
DHCP Snooping | Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding table
DHCPv6 Snooping | Filters untrusted DHCPv6 messages on unsecure ports by building and maintaining a DHCPv6 snooping binding table
IP Source Guard | Filters IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping nor static source bindings
IPv6 Source Guard | Filters IPv6 traffic on insecure ports for which the source address cannot be identified via DHCPv6 snooping nor static source bindings
 | Maintains IPv6 prefix table and user address binding table which can be used for stateless address auto-configuration or for address filtering by IPv6 Source Guard
 | Validates the MAC-to-IP address bindings in ARP packets
 | Protects against Denial-of-Service attacks
 | Configures traffic segmentation for different client sessions based on specified downlink and uplink ports
* The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, DHCP Snooping, and then IP Source Guard.
Port Security
These commands can be used to enable port security on a port.
When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. The port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
Table 50: Management IP Filter Commands
Command                    Function                                                                 Mode
mac-address-table static   Maps a static address to a port in a VLAN                                GC
mac-learning               Enables MAC address learning on the selected physical interface or VLAN  IC
port security              Configures a secure port                                                 IC
show mac-address-table     Displays entries in the bridge-forwarding database                       PE
show port security         Displays port security status and secure address count                   PE
mac-learning
This command enables MAC address learning on the selected interface. Use the no form to disable MAC address learning.
Syntax
[no] mac-learning
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet or Port Channel)
Command Usage
◆ The no mac-learning command immediately stops the switch from learning new MAC addresses on the specified port or trunk. Only incoming traffic with source addresses stored in the static address table will be accepted. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface.
Example
The following example disables MAC address learning for port 2.
ES-3026(config)#interface ethernet 1/2
ES-3026(config-if)#no mac-learning
ES-3026(config-if)#
Related Commands
port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to a security violation or for the maximum number of allowed addresses.
Syntax
port security
[[action {shutdown | trap | trap-and-shutdown}] |
[max-mac-count address-count]]
no port security [action | max-mac-count]
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable port.
max-mac-count
address-count - The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled)
Default Setting
Status: Disabled
Action: None
Maximum Addresses: 0
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
◆ When port security is enabled using the port security command, or the maximum number of allowed addresses is set to a value lower than the current limit after port security has been enabled, the switch first clears all dynamically learned entries from the address table. It then starts learning new MAC addresses on the specified port, and stops learning addresses when it reaches the configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
◆ To configure the maximum number of address entries which can be learned on a port, specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs <source MAC address, VLAN> for frames received on the port. (The specified maximum address count is effective whether port security is enabled or disabled.) Note that you can manually add additional secure addresses to a port using the mac-address-table static command. When the port has reached the maximum number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
◆ If a port is disabled due to a security violation, it must be manually re-enabled using the
◆ A secure port has the following restrictions:
■ Cannot be connected to a network interconnection device.
■ Cannot be a trunk port.
■ RSPAN and port security are mutually exclusive functions. If port security is enabled on a port, that port cannot be set as an RSPAN uplink port, source port, or destination port. Also, when a port is configured as an RSPAN uplink port, source port, or destination port, port security cannot be enabled on that port.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
mac-address-table static (460)
show port security
This command displays port security status and the secure address count.
Syntax
show port security [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
This example shows the port security settings and number of secure addresses for all ports.
Console#show port security
Global Port Security Parameters
Secure MAC Aging Mode : Disabled
Port Security Port Summary
Port Port Security Port Status Intrusion Action MaxMacCnt CurrMacCnt
--------------------------------------------------------------------------
Eth 1/ 1 Disabled Secure/Down None 0 2
Eth 1/ 2 Enabled Secure/Up None 10 0
Eth 1/ 3 Disabled Secure/Down None 0 0
Eth 1/ 4 Disabled Secure/Down None 0 0
Eth 1/ 5 Disabled Secure/Down None 0 0
.
.
.
Table 51: show port security - display description
Field             Description
Port Security     The configured status (enabled or disabled).
Port Status       The operational status:
                  ◆ Secure/Down – Port security is disabled.
                  ◆ Secure/Up – Port security is enabled.
                  ◆ Shutdown – Port is shut down due to a response to a port security violation.
Intrusion Action  The configured intrusion response.
MaxMacCnt         The maximum number of addresses which can be stored in the address table for this interface (either dynamic or static).
CurrMacCnt        The current number of secure entries in the address table.
The following example shows the port security settings and number of secure addresses for a specific port. The Last Intrusion MAC and Last Time Detected Intrusion MAC fields show information about the last detected intrusion MAC address. These fields are not applicable if no intrusion has been detected or port security is disabled. The MAC Filter ID field is configured by the network-access port-mac-filter command. If this field displays Disabled, then any unknown source MAC address can be learned as a secure MAC address. If it displays a filter identifier, then only source MAC address entries in the MAC Filter table can be learned as secure MAC addresses.
Console#show port security interface ethernet 1/2
Global Port Security Parameters
Secure MAC Aging Mode : Disabled
Port Security Details
Port : 1/2
Port Security : Enabled
Port Status : Secure/Up
Intrusion Action : None
Max MAC Count : 0
Current MAC Count : 0
MAC Filter : Disabled
Last Intrusion MAC : NA
Last Time Detected Intrusion MAC : NA
Console#
This example shows information about a detected intrusion.
Console#show port security interface ethernet 1/2
Global Port Security Parameters
Secure MAC Aging Mode : Disabled
Port Security Details
Port : 1/2
Port Security : Enabled
Port Status : Secure/Up
Intrusion Action : None
Max MAC Count : 0
Current MAC Count : 0
MAC Filter : Disabled
Last Intrusion MAC : 00-10-22-00-00-01
Last Time Detected Intrusion MAC : 2010/7/29 15:13:03
Console#
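The two outputs above are the text an operator polls when watching for port security violations. The following Python is an added example, not code from the guide: it parses a constructed copy of the show port security summary and per-port detail output and flags ports that are shut down, have a full secure address table, or record an intrusion. The function names and the Trap / Trap-and-Shutdown display values in the sample are this example's own assumptions.

```python
"""Added example (not from the Zebra/Edge-Core guide): parse the text printed by
`show port security` and flag ports that need an operator's attention."""
import re

# Constructed sample of the summary table (format taken from the guide's example;
# the Trap / Trap-and-Shutdown action values are assumed for this example).
SUMMARY_SAMPLE = """\
Global Port Security Parameters
 Secure MAC Aging Mode : Disabled
Port Security Port Summary
 Port  Port Security  Port Status   Intrusion Action   MaxMacCnt  CurrMacCnt
 --------------------------------------------------------------------------
 Eth 1/ 1  Disabled   Secure/Down   None               0          2
 Eth 1/ 2  Enabled    Secure/Up     None               10         0
 Eth 1/ 3  Enabled    Secure/Up     Trap               5          5
 Eth 1/ 4  Enabled    Shutdown      Trap-and-Shutdown  2          2
"""

# Constructed sample of the per-port detail view (`show port security interface ...`).
DETAIL_SAMPLE = """\
Port Security Details
 Port                             : 1/2
 Port Security                    : Enabled
 Port Status                      : Secure/Up
 Intrusion Action                 : None
 Max MAC Count                    : 0
 Current MAC Count                : 0
 MAC Filter                       : Disabled
 Last Intrusion MAC               : 00-10-22-00-00-01
 Last Time Detected Intrusion MAC : 2010/7/29 15:13:03
"""

# One summary row: "Eth u/ p  Enabled|Disabled  status  action  max  current"
ROW_RE = re.compile(
    r"^\s*Eth\s+(\d+)/\s*(\d+)\s+(Enabled|Disabled)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_summary(text):
    """Return one dict per 'Eth u/p' row of the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                       # headers, separators, blank lines
        unit, port, enabled, status, action, max_cnt, cur_cnt = m.groups()
        rows.append({
            "port": f"{unit}/{port}",
            "enabled": enabled == "Enabled",
            "status": status,
            "action": action,
            "max": int(max_cnt),
            "current": int(cur_cnt),
        })
    return rows


def parse_detail(text):
    """Return the 'Field : Value' pairs of the detail view as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def summary_findings(rows):
    """(port, message) pairs for conditions worth a look in the summary table."""
    findings = []
    for r in rows:
        if r["status"] == "Shutdown":
            findings.append((r["port"], "shut down by a security violation; needs manual re-enable"))
        elif r["enabled"] and r["max"] > 0 and r["current"] >= r["max"]:
            findings.append((r["port"], "secure address table full; new hosts will be treated as intrusions"))
        elif r["enabled"] and r["action"] == "None":
            findings.append((r["port"], "port security enabled but no intrusion action (no trap on violation)"))
    return findings


def detail_findings(fields):
    """(port, message) for a recorded intrusion in the per-port detail view."""
    mac = fields.get("Last Intrusion MAC", "NA")
    if mac == "NA":                        # NA: no intrusion seen, or port security off
        return []
    when = fields.get("Last Time Detected Intrusion MAC", "NA")
    return [(fields["Port"], f"intrusion recorded from {mac} at {when}")]


if __name__ == "__main__":
    found = summary_findings(parse_summary(SUMMARY_SAMPLE))
    found += detail_findings(parse_detail(DETAIL_SAMPLE))
    for port, msg in found:
        print(f"port {port}: {msg}")
```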
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed. Once successfully authenticated, the RADIUS server may optionally assign VLAN and QoS settings for the switch port.
Table 52: Network Access Commands
Command                                     Function                                                                                                    Mode
network-access aging                        Enables MAC address aging                                                                                   GC
network-access mac-filter                   Adds a MAC address to a filter table                                                                        GC
mac-authentication reauth-time              Sets the time period after which a connected MAC address must be re-authenticated                          GC
network-access dynamic-qos                  Enables the dynamic quality of service feature                                                              IC
network-access dynamic-vlan                 Enables dynamic VLAN assignment from a RADIUS server                                                        IC
network-access guest-vlan                   Specifies the guest VLAN                                                                                    IC
network-access link-detection               Enables the link detection feature                                                                          IC
network-access link-detection link-down     Configures the link detection feature to detect and act upon link-down events                              IC
network-access link-detection link-up       Configures the link detection feature to detect and act upon link-up events                                IC
network-access link-detection link-up-down  Configures the link detection feature to detect and act upon both link-up and link-down events             IC
network-access max-mac-count                Sets the maximum number of MAC addresses that can be authenticated on a port via all forms of authentication  IC
network-access mode mac-authentication      Enables MAC authentication on an interface                                                                  IC
network-access port-mac-filter              Enables the specified MAC address filter                                                                    IC
mac-authentication intrusion-action         Determines the port response when a connected host fails MAC authentication                                IC
mac-authentication max-mac-count            Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication        IC
clear network-access                        Clears authenticated MAC addresses from the address table                                                   PE
show network-access                         Displays the MAC authentication settings for port interfaces                                                PE
show network-access mac-address-table       Displays information for entries in the secure MAC address table                                            PE
show network-access mac-filter              Displays information for entries in the MAC filter tables                                                   PE
network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
Syntax
[no] network-access aging
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
◆ This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication).
◆ The maximum number of secure MAC addresses supported for the switch system is 1024.
Example
Console(config)#network-access aging
Console(config)#
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax
[no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
mac-address - Specifies a MAC address entry.
(Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for a range of addresses.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Specified addresses are exempt from network access authentication.
◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.
Example
Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66
Console(config)#
mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
Syntax
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period. (Range: 120-1000000 seconds)
Default Setting
1800
Command Mode
Global Configuration
Command Usage
◆ The reauthentication time is a global setting and applies to all ports.
◆ When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
Example
Console(config)#mac-authentication reauth-time 300
Console(config)#
network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port.
Use the no form to restore the default.
Syntax
[no] network-access dynamic-qos
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 53: Dynamic QoS Profiles
Profile      Attribute Syntax                      Example
DiffServ     service-policy-in=policy-map-name     service-policy-in=p1
Rate Limit   rate-limit-input=rate (Kbps)          rate-limit-input=100 (Kbps)
             rate-limit-output=rate (Kbps)         rate-limit-output=200 (Kbps)
802.1p       switchport-priority-default=value     switchport-priority-default=2
IP ACL       ip-access-group-in=ip-acl-name        ip-access-group-in=ipv4acl
IPv6 ACL     ipv6-access-group-in=ipv6-acl-name    ipv6-access-group-in=ipv6acl
MAC ACL      mac-access-group-in=mac-acl-name      mac-access-group-in=macAcl
◆ When the last user logs off of a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off of the port.
Note: Any configuration changes for dynamic QoS are not saved to the switch configuration file.
Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port.
Use the no form to disable dynamic VLAN assignment.
Syntax
[no] network-access dynamic-vlan
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port. Other authenticated MAC addresses on the port must have the same VLAN configuration, or they are treated as an authentication failure.
◆ If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success, and the host is assigned to the default untagged VLAN.
◆ When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Syntax
network-access guest-vlan vlan-id
no network-access guest-vlan
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The VLAN to be used as the guest VLAN must be defined and set as active.
◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#
network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
Syntax
[no] network-access link-detection
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-down
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when a link-down event is detected.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-up
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when a link-up event is detected.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#
network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-up-down
action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when a link-up or link-down event is detected.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Syntax
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed. (Range: 1-2048)
Default Setting
1024
Command Mode
Interface Configuration
Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#
network-access mode mac-authentication
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.
Syntax
[no] network-access mode mac-authentication
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated.
◆ On the RADIUS server, PAP user names and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ MAC authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied.
◆ MAC authentication cannot be configured on trunk ports.
◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.”
Example
Console(config-if)#network-access mode mac-authentication
Console(config-if)#
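The RADIUS-side formats this command depends on are scattered across the network-access dynamic-qos (Table 53), network-access dynamic-vlan and network-access mode mac-authentication usage notes: the PAP identity is the MAC in upper-case XX-XX-XX-XX-XX-XX form, the VLAN list arrives in Tunnel-Private-Group-ID as "1u,2t", and the QoS profile arrives in Filter-ID as key=value pairs. The following Python is an added example, not code from the guide: it normalises and parses those values and models the per-port rules the guide states (the first authenticated host fixes the port's VLAN and QoS assignment, later hosts must match, the last host leaving releases it). All function and class names are assumptions, as is the choice to treat each Filter-ID value as one key=value pair.

```python
"""Added example, not code from the Zebra/Edge-Core guide: helpers for the
RADIUS formats used by MAC authentication on this switch family, plus a model
of the per-port VLAN/QoS consistency rules the guide describes."""
import re

# Attribute keys the guide lists in Table 53 (Dynamic QoS Profiles).
QOS_KEYS = {
    "service-policy-in", "rate-limit-input", "rate-limit-output",
    "switchport-priority-default", "ip-access-group-in",
    "ipv6-access-group-in", "mac-access-group-in",
}


def pap_identity(mac):
    """Normalise a MAC to XX-XX-XX-XX-XX-XX (upper case), the form the guide
    requires for both the PAP user name and password on the RADIUS server."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_vlan_list(attr):
    """Parse a Tunnel-Private-Group-ID value such as '1u,2t,' into untagged
    and tagged VLAN lists ('u' = untagged, 't' = tagged)."""
    untagged, tagged = [], []
    for item in filter(None, attr.replace(" ", "").split(",")):
        m = re.fullmatch(r"(\d+)([ut])", item)
        if not m or not 1 <= int(m.group(1)) <= 4094:
            raise ValueError(f"bad VLAN list element: {item!r}")
        (untagged if m.group(2) == "u" else tagged).append(int(m.group(1)))
    return {"untagged": sorted(untagged), "tagged": sorted(tagged)}


def parse_filter_id(values):
    """Parse Filter-ID (attribute 11) values of the form key=value (Table 53).
    Assumption for this example: each value carries exactly one pair."""
    profile = {}
    for token in values:
        key, sep, value = token.strip().partition("=")
        if not sep or key not in QOS_KEYS or not value:
            raise ValueError(f"unknown or malformed QoS attribute: {token!r}")
        if key.startswith("rate-limit-"):
            value = int(value)                      # rate in Kbps
        elif key == "switchport-priority-default":
            value = int(value)                      # 802.1p priority
            if not 0 <= value <= 7:
                raise ValueError(f"802.1p priority out of range: {value}")
        profile[key] = value
    return profile


class PortSession:
    """Models one port: the first authenticated host fixes the port's dynamic
    VLAN/QoS assignment; later hosts must match it or are rejected; the
    assignment is released when the last host logs off."""

    def __init__(self, max_mac_count=1024):
        self.max_mac_count = max_mac_count      # network-access max-mac-count
        self.hosts = {}                         # identity -> (vlans, qos)
        self.vlans = None
        self.qos = None

    def authenticate(self, mac, vlan_attr=None, filter_ids=()):
        """Return (True, identity) on success or (False, reason) on failure."""
        ident = pap_identity(mac)
        if ident in self.hosts:
            return True, ident                  # already a secure entry
        if len(self.hosts) >= self.max_mac_count:
            return False, "max-mac-count reached; treated as authentication failure"
        # No VLAN returned is still a success: host lands in the default untagged VLAN.
        vlans = parse_vlan_list(vlan_attr) if vlan_attr else None
        qos = parse_filter_id(filter_ids)
        if not self.hosts:
            self.vlans, self.qos = vlans, qos    # first host sets the port's assignment
        elif vlans != self.vlans:
            return False, "VLAN assignment differs from first authenticated host"
        elif qos != self.qos:
            return False, "dynamic QoS profile differs from hosts already on the port"
        self.hosts[ident] = (vlans, qos)
        return True, ident

    def logoff(self, mac):
        """Remove a host; the last one leaving restores the port's static settings."""
        self.hosts.pop(pap_identity(mac), None)
        if not self.hosts:
            self.vlans = self.qos = None

    def clear(self):
        """Port down (or a dynamic-vlan status change) clears all secure entries."""
        self.hosts.clear()
        self.vlans = self.qos = None
```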
network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.
Syntax
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
None
Command Mode
Interface Configuration
Command Usage
◆ Entries in the MAC address filter table can be configured with the network-access mac-filter command.
◆ Only one filter table can be assigned to a port.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Syntax
mac-authentication intrusion-action {block-traffic | pass-traffic}
no mac-authentication intrusion-action
Default Setting
Block Traffic
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication intrusion-action block-traffic
Console(config-if)#
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed. (Range: 1-1024)
Default Setting
1024
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#
clear network-access
Use this command to clear entries from the secure MAC addresses table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
ethernet unit/port
unit - Unit number. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear network-access mac-address-table interface ethernet 1/1
Console#
show network-access
Use this command to display the MAC authentication settings for port interfaces.
Syntax
show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
Displays the settings for all interfaces.
Command Mode
Privileged Exec
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC Address Aging : Disabled
Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion Action : Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts : 2048
Dynamic VLAN Assignment : Enabled
Dynamic QoS Assignment : Disabled
MAC Filter ID : Disabled
Guest VLAN : Disabled
Link Detection : Disabled
Detection Mode : Link-down
Detection Action : Trap
Console#
show network-access mac-address-table
Use this command to display secure MAC address table entries.
Syntax
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
(Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for filtering displayed addresses.
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
sort - Sorts displayed entries by either MAC address or interface.
Default Setting
Displays all filters.
Command Mode
Privileged Exec
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.
Example
Console#show network-access mac-address-table
---- ----------------- --------------- --------- -------------------------
Port MAC-Address RADIUS-Server Attribute Time
---- ----------------- --------------- --------- -------------------------
1/1 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s
1/1 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s
1/1 00-00-01-02-03-06 172.155.120.17 Static 00d06h35m10s
1/3 00-00-01-02-03-07 172.155.120.17 Dynamic 00d06h34m20s
Console#
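The mask semantics described above (1 = care, 0 = don't care) are the same ones network-access mac-filter uses to make a block of addresses exempt from RADIUS authentication. The following Python is an added example, not code from the guide: it implements the match, computes the address range covered by the guide's own 00-00-01-02-03-04 / FF-FF-FF-00-00-00 example, and looks a MAC up in a constructed filter table. Function names and the sample table are this example's own.

```python
"""Added example, not code from the Zebra/Edge-Core guide: MAC address plus
bit-mask matching as used by network-access mac-filter and by
show network-access mac-address-table (1 bit = care, 0 bit = don't care)."""

MAC_BITS = 0xFFFFFFFFFFFF          # 48-bit address space
EXACT_MASK = "FF-FF-FF-FF-FF-FF"   # mask the switch shows for a single-address entry


def mac_to_int(mac):
    """Accept xx-xx-xx-xx-xx-xx (the guide's format) or colon-separated form."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value):
    """Render as upper-case xx-xx-xx-xx-xx-xx, the form the switch prints."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_matches(candidate, address, mask=EXACT_MASK):
    """True when candidate agrees with address in every 'care' (1) bit of mask."""
    m = mac_to_int(mask)
    return (mac_to_int(candidate) & m) == (mac_to_int(address) & m)


def mac_range(address, mask):
    """Lowest and highest address covered by address/mask.  With a contiguous
    mask like the guide's example every address in between also matches; with
    a non-contiguous mask only the two bounds are guaranteed members."""
    m = mac_to_int(mask)
    low = mac_to_int(address) & m
    return int_to_mac(low), int_to_mac(low | (~m & MAC_BITS))


def addresses_covered(mask):
    """Number of distinct MACs an entry with this mask matches."""
    return 1 << (48 - bin(mac_to_int(mask)).count("1"))


def filter_table_lookup(table, mac):
    """Return the (address, mask) entry of a filter table that matches mac, or
    None.  `table` is a list of (address, mask) pairs as entered with
    network-access mac-filter; a mask of None means an exact entry."""
    for address, mask in table:
        if mac_matches(mac, address, mask or EXACT_MASK):
            return address, mask or EXACT_MASK
    return None


# Constructed filter table: the single host from the guide's show output plus a
# whole 00-00-01 block, all exempt from MAC authentication on ports using it.
FILTER_TABLE_1 = [
    ("00-00-01-02-03-08", None),
    ("00-00-01-02-03-04", "FF-FF-FF-00-00-00"),
]

if __name__ == "__main__":
    print(mac_range("00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
    print(addresses_covered("FF-FF-FF-00-00-00"), "addresses covered")
    print(filter_table_lookup(FILTER_TABLE_1, "00-00-01-AA-BB-CC"))
```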
show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.
Syntax
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
Displays all filters.
Command Mode
Privileged Exec
Example
Console#show network-access mac-filter
Filter ID MAC Address MAC Mask
--------- ----------------- -----------------
1 00-00-01-02-03-08 FF-FF-FF-FF-FF-FF
Console#
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked. The switch intercepts HTTP protocol traffic and redirects it to a switch-generated web page that facilitates user name and password authentication via RADIUS. Once authentication is successful, the web browser is forwarded on to the originally requested web page. Successful authentication is valid for all hosts connected to the port.
Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 208).
Note: Web authentication cannot be configured on trunk ports.
Table 54: Web Authentication
Command                          Function                                                                                            Mode
web-auth login-attempts          Defines the limit for failed web authentication login attempts                                      GC
web-auth quiet-period            Defines the amount of time to wait after the limit for failed login attempts is exceeded            GC
web-auth session-timeout         Defines the amount of time a session remains valid                                                  GC
web-auth system-auth-control     Enables web authentication globally for the switch                                                  GC
web-auth                         Enables web authentication for an interface                                                         IC
web-auth re-authenticate (Port)  Ends all web authentication sessions on the port and forces the users to re-authenticate            PE
web-auth re-authenticate (IP)    Ends the web authentication session associated with the designated IP address and forces the user to reauthenticate  PE
show web-auth                    Displays global web authentication parameters                                                       PE
show web-auth interface          Displays interface-specific web authentication parameters and statistics                            PE
show web-auth summary            Displays a summary of web authentication port parameters and statistics                             PE
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts. (Range: 1-3)
Default Setting
3 login attempts
Command Mode
Global Configuration
Example
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again. (Range: 1-180 seconds)
Default Setting
60 seconds
Command Mode
Global Configuration
Example
Console(config)#web-auth quiet-period 120
Console(config)#
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Syntax
web-auth session-timeout timeout
no web-auth session-timeout
timeout - The amount of time that an authenticated session remains valid.
(Range: 300-3600 seconds, or 0 for disabled)
Default Setting
3600 seconds
Command Mode
Global Configuration
Example
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Syntax
[no] web-auth system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
Example
Console(config)#web-auth system-auth-control
Console(config)#
web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
Example
Console(config-if)#web-auth
Console(config-if)#
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2
Console#
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
ip - IPv4 formatted IP address
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#
show web-auth
This command displays global web authentication parameters.
Command Mode
Privileged Exec
Example
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout : 3600
Quiet Period : 60
Max Login Attempts : 3
Console#
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status : Enabled
Host Summary
IP address Web-Auth-State Remaining-Session-Time
--------------- -------------- ----------------------
1.1.1.1 Authenticated 295
1.1.1.2 Authenticated 111
Console#
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port Status Authenticated Host Count
---- ------ ------------------------
1/ 1 Disabled 0
1/ 2 Enabled 8
1/ 3 Disabled 0
1/ 4 Disabled 0
1/ 5 Disabled 0
.
.
DHCPv4 Snooping
DHCPv4 snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv4 snooping.
Table 55: DHCP Snooping Commands
Command                                                  Function                                                                                                                   Mode
ip dhcp snooping                                         Enables DHCP snooping globally                                                                                             GC
ip dhcp snooping information option                      Enables or disables the use of DHCP Option 82 information, and specifies frame format for the remote-id                    GC
ip dhcp snooping information option encode no-subtype    Disables use of sub-type and sub-length for the CID/RID in Option 82 information                                           GC
ip dhcp snooping information option remote-id            Sets the remote ID to the switch’s IP address, MAC address, arbitrary string, or TR-101 compliant node identifier          GC
ip dhcp snooping information policy                      Sets the information option policy for DHCP client packets that include Option 82 information                              GC
ip dhcp snooping limit rate                              Sets the maximum number of DHCP packets that can be trapped for DHCP snooping                                              GC
ip dhcp snooping verify mac-address                      Verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header     GC
ip dhcp snooping vlan                                    Enables DHCP snooping on the specified VLAN                                                                                GC
ip dhcp snooping information option circuit-id           Enables or disables the use of DHCP Option 82 information circuit-id suboption                                             IC
ip dhcp snooping trust                                   Configures the specified interface as trusted                                                                              IC
clear ip dhcp snooping binding                           Clears DHCP snooping binding table entries from RAM                                                                        PE
clear ip dhcp snooping database flash                    Removes all dynamically learned snooping entries from flash memory                                                         PE
ip dhcp snooping database flash                          Writes all dynamically learned snooping entries to flash memory                                                            PE
show ip dhcp snooping                                    Shows the DHCP snooping configuration settings                                                                             PE
show ip dhcp snooping binding                            Shows the DHCP snooping binding table entries                                                                              PE
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or fire wall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command) from a device not listed in the DHCP snooping table will be dropped.
◆ When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled. However, if MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
■ If the DHCP packet is not a recognizable type, it is dropped.
■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
◆ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (using the ip dhcp snooping trust command). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
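To make the filtering rules above concrete, the following Python model (an added example written for this guide, not switch firmware) applies them to constructed packets arriving on trusted and untrusted ports. The packet and binding structures, and matching a client packet to a binding by client MAC and VLAN, are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Message classes named in the filtering rules (constructed sets, not firmware tables)
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}
NEEDS_BINDING = {"DECLINE", "RELEASE"}   # client messages that must match an existing binding


@dataclass(frozen=True)
class DhcpPacket:
    msg_type: str        # DHCP message type name
    eth_src: str         # source MAC address in the Ethernet header
    chaddr: str          # client hardware address carried in the DHCP payload
    vlan: int            # VLAN the packet was received on
    port: str            # ingress port, e.g. "1/5"
    yiaddr: str = ""     # address assigned by the server (ACK only)
    lease: int = 0       # lease time in seconds (ACK only)


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class SnoopingConfig:
    global_enabled: bool = False                           # ip dhcp snooping
    vlans: set[int] = field(default_factory=set)           # ip dhcp snooping vlan
    trusted_ports: set[str] = field(default_factory=set)   # ip dhcp snooping trust
    verify_mac: bool = True                                # ip dhcp snooping verify mac-address (default enabled)
    bindings: list[Binding] = field(default_factory=list)  # dynamic binding table


def has_binding(cfg: SnoopingConfig, pkt: DhcpPacket) -> bool:
    # Assumption: a binding "corresponds" to a client packet when client MAC and VLAN match
    return any(b.mac == pkt.chaddr and b.vlan == pkt.vlan for b in cfg.bindings)


def filter_packet(cfg: SnoopingConfig, pkt: DhcpPacket) -> tuple[str, str]:
    """Apply the filtering rules to one packet and return (action, reason).

    Actions: "forward-all" (trusted and untrusted ports in the VLAN),
    "forward-trusted" (trusted ports in the VLAN only) or "drop".
    """
    if not cfg.global_enabled:
        return "forward-all", "global DHCP snooping disabled"
    if pkt.vlan not in cfg.vlans:
        return "forward-all", "DHCP snooping not enabled on this VLAN"
    if pkt.port in cfg.trusted_ports:
        # Trusted port: everything is forwarded; a server ACK also creates a binding
        if pkt.msg_type == "ACK" and pkt.yiaddr:
            cfg.bindings.append(Binding(pkt.chaddr, pkt.yiaddr, pkt.lease, pkt.vlan, pkt.port))
        return "forward-all", "trusted port"
    # Untrusted port from here on
    if pkt.msg_type in SERVER_MSGS:
        return "drop", "server message received on an untrusted port"
    if pkt.msg_type not in CLIENT_MSGS:
        return "drop", "unrecognised DHCP message type"
    if pkt.msg_type in NEEDS_BINDING and not has_binding(cfg, pkt):
        return "drop", f"{pkt.msg_type} with no matching binding table entry"
    if cfg.verify_mac and pkt.eth_src.lower() != pkt.chaddr.lower():
        return "drop", "client hardware address does not match Ethernet source MAC"
    return "forward-trusted", "client message passed filtering"


def run_demo() -> dict[str, object]:
    """Constructed scenario: VLAN 1 snooped, uplink 1/24 trusted, access port 1/5 untrusted."""
    cfg = SnoopingConfig(global_enabled=True, vlans={1}, trusted_ports={"1/24"})
    client, server, rogue = "11-22-33-44-55-66", "00-11-22-33-44-55", "de-ad-be-ef-00-01"
    r: dict[str, object] = {}
    # a rogue server answering on the access port
    r["offer_untrusted"] = filter_packet(cfg, DhcpPacket("OFFER", rogue, client, 1, "1/5"))[0]
    # a normal client DISCOVER whose chaddr matches the frame source
    r["discover_ok"] = filter_packet(cfg, DhcpPacket("DISCOVER", client, client, 1, "1/5"))[0]
    # a DISCOVER whose chaddr does not match the frame source (MAC verification)
    r["discover_spoofed"] = filter_packet(cfg, DhcpPacket("DISCOVER", rogue, client, 1, "1/5"))[0]
    # RELEASE before any binding exists for the client
    r["release_no_binding"] = filter_packet(cfg, DhcpPacket("RELEASE", client, client, 1, "1/5"))[0]
    # the real server's ACK on the trusted uplink creates the binding
    r["ack_trusted"] = filter_packet(cfg, DhcpPacket("ACK", server, client, 1, "1/24",
                                                     yiaddr="192.168.0.99", lease=3600))[0]
    r["release_with_binding"] = filter_packet(cfg, DhcpPacket("RELEASE", client, client, 1, "1/5"))[0]
    r["binding_count"] = len(cfg.bindings)
    # VLAN 2 is not snooped, so even a server message on an untrusted port is forwarded
    r["other_vlan"] = filter_packet(cfg, DhcpPacket("OFFER", rogue, client, 2, "1/5"))[0]
    return r


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:22} {action}")
```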
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function, the no form with the encode no-subtype keyword to enable use of subtype and sub-length in CID/RID fields, or the no form with the remote-id keyword to set the remote ID to the switch’s MAC address encoded in hexadecimal.
Syntax
ip dhcp snooping information option [encode no-subtype] [remote-id {ip-address [encode {ascii | hex}] | mac-address [encode {ascii | hex}] | string string}]
no ip dhcp snooping information option [encode no-subtype] [remote-id [ip-address encode] | [mac-address encode]]
encode no-subtype - Disables use of sub-type and sub-length fields in circuit-ID (CID) and remote-ID (RID) in Option 82 information.
mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU).
ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface).
encode - Indicates encoding in ASCII or hexadecimal.
string - An arbitrary string inserted into the remote identifier field. (Range: 1-32 characters)
Default Setting
Option 82: Disabled
CID/RID sub-type: Enabled
Remote ID: MAC address (hexadecimal)
Command Mode
Global Configuration
Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself ) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
◆ When the DHCP Snooping Information Option is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them. Packets are processed as follows:
■ If an incoming packet is a DHCP request packet with option 82 information, it will modify the option 82 information according to settings specified with the ip dhcp snooping information policy command.
■ If an incoming packet is a DHCP request packet without option 82 information, enabling the DHCP snooping information option will add option 82 information to the packet.
■ If an incoming packet is a DHCP reply packet with option 82 information, enabling the DHCP snooping information option will remove option 82 information from the packet.
Example
This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#
ip dhcp snooping information option encode no-subtype
This command disables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID) in Option 82 information generated by the switch. Use the no form to enable the use of these fields.
Syntax
[no] ip dhcp snooping information option encode no-subtype
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
See the Command Usage section under the ip dhcp snooping information option circuit-id command for a description of how these fields are included in TR-101 syntax.
Example
This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID).
Console(config)#no ip dhcp snooping information option encode no-subtype
Console(config)#
ip dhcp snooping information option remote-id
This command sets the remote ID to the switch’s IP address, MAC address, arbitrary string, or TR-101 compliant node identifier. Use the no form to restore the default setting.
Syntax
ip dhcp snooping information option remote-id {ip-address [encode {ascii | hex}] | mac-address [encode {ascii | hex}] | string string | tr101 node-identifier {ip | sysname}}
no ip dhcp snooping information option remote-id [ip-address encode] | [mac-address encode]
mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU).
ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface).
encode - Indicates encoding in ASCII or hexadecimal.
string - An arbitrary string inserted into the remote identifier field. (Range: 1-32 characters)
tr101 node-identifier - The remote ID generated by the switch is based on TR-101 syntax (R-124, Access_Node_ID).
ip - Specifies the switch’s IP address as the node identifier.
sysname - Specifies the system name as the node identifier.
Default Setting
MAC address (hexadecimal)
Command Mode
Global Configuration
Example
This example sets the remote ID to the switch’s IP address.
Console(config)#ip dhcp snooping information option remote-id tr101 node-identifier ip
Console(config)#
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
no ip dhcp snooping information policy
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
replace - Replaces the Option 82 information circuit-id and remote-id fields in the client’s request with information about the relay agent itself, inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports.
Default Setting
replace
Command Mode
Global Configuration
Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Example
Console(config)#ip dhcp snooping information policy drop
Console(config)#
ip dhcp snooping limit rate
This command sets the maximum number of DHCP packets that can be trapped by the switch for DHCP snooping. Use the no form to restore the default setting.
Syntax
ip dhcp snooping limit rate rate
no ip dhcp snooping limit rate
rate - The maximum number of DHCP packets that may be trapped for DHCP snooping. (Range: 1-2048 packets/second)
Default Setting
Disabled
Command Mode
Global Configuration
Example
This example sets the DHCP snooping rate limit to 100 packets per second.
Console(config)#ip dhcp snooping limit rate 100
Console(config)#
ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
Syntax
[no] ip dhcp snooping verify mac-address
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not same as the client’s hardware address in the DHCP packet, the packet is dropped.
Example
This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
Related Commands
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping vlan vlan-id
vlan-id - ID of a configured VLAN (Range: 1-4094)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the no ip dhcp snooping trust command.
◆ When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
◆ When DHCP snooping is globally enabled, and then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Example
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
Related Commands
ip dhcp snooping information option circuit-id
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.
Syntax
ip dhcp snooping information option circuit-id string string
no ip dhcp snooping information option circuit-id
string - An arbitrary string inserted into the circuit identifier field.
(Range: 1-32 characters)
Default Setting
VLAN-Unit-Port
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients. For more information on this process, refer to the Command Usage section under the ip dhcp snooping information option command.
◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below:
Table 56: Option 82 information
opt82   opt-len   sub-opt1   string-len   R-124 string
82      3-69      1          1-67         x1 x2 x3 x4 x5 ... x63
The circuit identifier used by this switch starts at sub-option1 and goes to the end of the R-124 string. The R-124 string includes the following information:
■ sub-type - Distinguishes different types of circuit IDs.
■ sub-length - Length of the circuit ID type.
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string “eth”.
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
■ vlan - Tag of the VLAN which received the DHCP request.
Note that the sub-type and sub-length fields can be enabled or disabled using the ip dhcp snooping information option command.
The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above.
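The following Python encoder and parser (an added example, not the switch’s own code) build the Option 82 sub-options in the layout of Table 56 above, including the sub-type/sub-length bytes that encode no-subtype removes, and apply the drop/keep/replace policy of the ip dhcp snooping information policy command to a client request that already carries Option 82. The R-124 separator layout, the sub-type value 0 and the switch MAC address used are assumptions.

```python
from __future__ import annotations

OPT_82 = 82            # DHCP relay agent information option
SUB_CIRCUIT_ID = 1     # sub-option 1: circuit-id
SUB_REMOTE_ID = 2      # sub-option 2: remote-id
CID_SUBTYPE = 0        # sub-type byte placed in front of the value (assumed value)


def r124_string(node_id: str, slot: int, port: int, vlan: int) -> str:
    """R-124 access-loop identifier: access node id, fixed "eth", slot/port and VLAN tag.
    The separators used here are an assumption about the TR-101 layout."""
    return f"{node_id} eth {slot}/{port}:{vlan}"


def circuit_id(text: str, with_subtype: bool = True) -> bytes:
    """Sub-option 1 as [1][len][sub-type][sub-length]<string>; with_subtype=False
    models 'encode no-subtype', which drops the two inner bytes."""
    value = text.encode("ascii")
    if with_subtype:
        value = bytes([CID_SUBTYPE, len(value)]) + value
    if not 1 <= len(value) <= 255:
        raise ValueError("circuit-id value must be 1..255 bytes")
    return bytes([SUB_CIRCUIT_ID, len(value)]) + value


def remote_id(mac: str, with_subtype: bool = True) -> bytes:
    """Sub-option 2 carrying the switch CPU MAC address in hexadecimal (the default remote-id)."""
    value = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(value) != 6:
        raise ValueError("expected a 48-bit MAC address")
    if with_subtype:
        value = bytes([CID_SUBTYPE, len(value)]) + value
    return bytes([SUB_REMOTE_ID, len(value)]) + value


def option82(*subopts: bytes) -> bytes:
    """Wrap sub-options as [82][opt-len]<sub-options>."""
    body = b"".join(subopts)
    if not 1 <= len(body) <= 255:
        raise ValueError("Option 82 body must be 1..255 bytes")
    return bytes([OPT_82, len(body)]) + body


def parse_option82(opt: bytes, with_subtype: bool = True) -> dict[int, bytes]:
    """Walk the sub-option TLVs and return {sub-option: value}, stripping sub-type and
    sub-length when present; inconsistent lengths raise instead of being accepted."""
    if len(opt) < 2 or opt[0] != OPT_82 or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed Option 82")
    out: dict[int, bytes] = {}
    i = 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated sub-option header")
        tag, length = opt[i], opt[i + 1]
        value = opt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if with_subtype:
            if length < 2 or value[1] != length - 2:
                raise ValueError("sub-length does not match sub-option length")
            value = value[2:]
        out[tag] = value
        i += 2 + length
    return out


def apply_information_policy(policy: str, client_opt82: bytes | None,
                             switch_opt82: bytes) -> bytes | None:
    """Option 82 handling for a client request: a request without Option 82 gets the
    switch's option added; one that already carries it is dropped (None), kept as-is,
    or has the option replaced with the switch's own, per the information policy."""
    if client_opt82 is None:
        return switch_opt82
    if policy == "drop":
        return None
    if policy == "keep":
        return client_opt82
    if policy == "replace":
        return switch_opt82
    raise ValueError(f"unknown policy {policy!r}")


def build_default_option82(switch_mac: str, slot: int, port: int, vlan: int,
                           with_subtype: bool = True) -> bytes:
    """Option 82 as generated with default settings: TR-101 circuit-id using the CPU MAC
    as access node identifier, and the CPU MAC (hex) as remote-id."""
    cid = circuit_id(r124_string(switch_mac, slot, port, vlan), with_subtype)
    return option82(cid, remote_id(switch_mac, with_subtype))


if __name__ == "__main__":
    opt = build_default_option82("00-11-22-33-44-55", 1, 5, 1)   # constructed switch MAC
    print(opt.hex())
    print(parse_option82(opt))
```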
Example
This example sets the DHCP Snooping Information circuit-id suboption string.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string mv2
Console(config-if)#
ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall.
◆ Set all ports connected to DHCP servers within the local network or fire wall to trusted, and all other ports outside the local network or fire wall to untrusted.
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with the ip dhcp snooping vlan command, DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ip dhcp snooping binding [mac-address vlan vlan-id]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
vlan-id - ID of a configured VLAN (Range: 1-4094)
Command Mode
Privileged Exec
Example
Console#clear ip dhcp snooping binding 11-22-33-44-55-66 vlan 1
Console#
clear ip dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.
Command Mode
Privileged Exec
Example
Console#clear ip dhcp snooping database flash
Console#
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Privileged Exec
Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
Example
Console#ip dhcp snooping database flash
Console#
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Option Sub-option Format: extra subtype included
DHCP Snooping Information Option Remote ID: MAC Address (hex encoded)
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source Mac-Address: enable
DHCP Snooping rate limit: unlimited
Interface Trusted Circuit-ID mode Circuit-ID Value
---------- ---------- --------------- --------------------------------
Eth 1/1 No VLAN-Unit-Port ---
Eth 1/2 No VLAN-Unit-Port ---
Eth 1/3 No VLAN-Unit-Port ---
Eth 1/4 No VLAN-Unit-Port ---
Eth 1/5 No VLAN-Unit-Port ---
.
.
.
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- ------
11-22-33-44-55-66 192.168.0.99 0 Dynamic-DHCPSNP 1 Eth 1/5
Console#
DHCPv6 Snooping
DHCPv6 snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
Table 57: DHCP Snooping Commands
Command                                        Function                                                                                             Mode
ipv6 dhcp snooping                             Enables DHCPv6 snooping globally                                                                     GC
ipv6 dhcp snooping option remote-id            Enables insertion of DHCPv6 Option 37 relay agent remote-id                                          GC
ipv6 dhcp snooping option remote-id policy     Sets the information option policy for DHCPv6 client packets that include Option 37 information     GC
ipv6 dhcp snooping vlan                        Enables DHCPv6 snooping on the specified VLAN                                                        GC
ipv6 dhcp snooping max-binding                 Sets the maximum number of entries which can be stored in the binding database for an interface      IC
ipv6 dhcp snooping trust                       Configures the specified interface as trusted                                                        IC
clear ipv6 dhcp snooping binding               Clears DHCPv6 snooping binding table entries from RAM                                                PE
clear ipv6 dhcp snooping statistics            Clears statistical counters for DHCPv6 snooping client, server and relay packets                     PE
show ipv6 dhcp snooping                        Shows the DHCPv6 snooping configuration settings                                                     PE
show ipv6 dhcp snooping binding                Shows the DHCPv6 snooping binding table entries                                                      PE
show ipv6 dhcp snooping statistics             Shows statistics for DHCPv6 snooping client, server and relay packets                                PE
ipv6 dhcp snooping
This command enables DHCPv6 snooping globally. Use the no form to restore the default setting.
Syntax
[no] ipv6 dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or fire wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCPv6 messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped.
◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IPv6 address, lease time, binding type, VLAN identifier, and port identifier.
◆ When DHCPv6 snooping is enabled, the rate limit for the number of DHCPv6 messages that can be processed by the switch is 100 packets per second. Any
DHCPv6 packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
■ If global DHCPv6 snooping is disabled, all DHCPv6 packets are forwarded.
■ If DHCPv6 snooping is enabled globally, and also enabled on the VLAN where the DHCPv6 packet is received, DHCPv6 packets are forwarded for a trusted port as described below.
■ If DHCPv6 snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, DHCP packets are processed according to message type as follows:
DHCP Client Packet
■ Request: Update entry in binding cache, recording client’s DHCPv6 Unique Identifier (DUID), server’s DUID, Identity Association (IA) type, IA Identifier, and address (4 message exchanges to get IPv6 address), and forward to trusted port.
■ Solicit: Add new entry in binding cache, recording client’s DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port.
■ Decline: If no matching entry is found in binding cache, drop this packet.
■ Renew, Rebind, Release, Confirm: If no matching entry is found in binding cache, drop this packet.
■ If the DHCPv6 packet is not a recognizable type, it is dropped.
If a DHCPv6 packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
A. Check if the IPv6 address in the IA option is found in the binding table:
   ■ If yes, continue to C.
   ■ If not, continue to B.
B. Check if the IPv6 address in the IA option is found in the binding cache:
   ■ If yes, continue to C.
   ■ If not, the check has failed; forward the packet to a trusted port.
C. Check the status code in the IA option:
   ■ If successful, and the entry is in the binding table, update the lease time and forward to the original destination.
   ■ If successful, and the entry is in the binding cache, move the entry from the binding cache to the binding table, update the lease time and forward to the original destination.
   ■ Otherwise, remove the binding entry; the check has failed.
■ If a DHCPv6 Relay packet is received, check the relay message option in the Relay-Forward or Relay-Reply packet, and process the client and server packets as described above.
◆ If DHCPv6 snooping is globally disabled, all dynamic bindings are removed from the binding table.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which the switch submits a client request to the DHCPv6 server must be configured as trusted (using the ipv6 dhcp snooping trust command). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCPv6 server. Also, when the switch sends out DHCPv6 client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCPv6 server, any packets received from untrusted ports are dropped.
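The following Python model (an added example, not switch firmware) walks a client’s Solicit and Request through the binding cache on an untrusted port and then applies steps A, B and C above to the server’s Reply on a trusted port. The binding key (client DUID, IA type, IAID), the use of status code 0 as "successful", and forwarding a failed step C check to a trusted port as in step B are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

STATUS_SUCCESS = 0     # DHCPv6 "Success" status code (RFC 8415); anything else counts as failure here
CLIENT_CHECKED = {"Decline", "Renew", "Rebind", "Release", "Confirm"}   # dropped without a binding


@dataclass
class V6Binding:
    duid: str             # client DUID
    ia_type: str          # "IA_NA" or "IA_TA"
    iaid: int             # IA identifier
    vlan: int
    port: str
    server_duid: str = ""
    address: str = ""     # learned from the Request
    lease: int = 0


class V6Snooper:
    """Binding cache (tentative entries from client packets) and binding table (entries
    confirmed by a server Reply), both keyed by (client DUID, IA type, IAID)."""

    def __init__(self, trusted_ports: set[str]):
        self.trusted = set(trusted_ports)
        self.cache: dict[tuple, V6Binding] = {}
        self.table: dict[tuple, V6Binding] = {}
        self.log: list[str] = []

    def client_packet(self, msg: str, duid: str, ia_type: str, iaid: int, vlan: int, port: str,
                      address: str = "", server_duid: str = "") -> str:
        """Client message received on an untrusted port."""
        key = (duid, ia_type, iaid)
        if msg == "Solicit":
            self.cache[key] = V6Binding(duid, ia_type, iaid, vlan, port)
            return "forward-trusted"
        if msg == "Request":
            entry = self.cache.setdefault(key, V6Binding(duid, ia_type, iaid, vlan, port))
            entry.server_duid, entry.address = server_duid, address
            return "forward-trusted"
        if msg in CLIENT_CHECKED:
            return "forward-trusted" if key in self.cache or key in self.table else "drop"
        return "drop"                      # not a recognisable type

    @staticmethod
    def _find(store: dict[tuple, V6Binding], address: str):
        return next((k for k, b in store.items() if b.address == address), None)

    def server_reply(self, port: str, address: str, status: int, lease: int) -> str:
        """Server Reply carrying one IA option with the given address and status code."""
        if port not in self.trusted:
            self.log.append(f"DHCPv6 server packet dropped on untrusted port {port}")
            return "drop"
        store = self.table                                 # A: binding table?
        key = self._find(store, address)
        if key is None:                                    # B: binding cache?
            store = self.cache
            key = self._find(store, address)
        if key is None:
            return "forward-trusted"                       # check failed
        if status != STATUS_SUCCESS:                       # C: status code
            del store[key]                                 # remove binding entry, check failed
            return "forward-trusted"
        entry = store.pop(key)                             # a cache entry moves to the table
        entry.lease = lease
        self.table[key] = entry
        return "forward-destination"


if __name__ == "__main__":
    s = V6Snooper({"1/24"})   # constructed: uplink 1/24 trusted, client on 1/5
    s.client_packet("Solicit", "duid-c1", "IA_NA", 1, 1, "1/5")
    s.client_packet("Request", "duid-c1", "IA_NA", 1, 1, "1/5", address="2001:db8::10", server_duid="duid-s1")
    print(s.server_reply("1/24", "2001:db8::10", STATUS_SUCCESS, 3600), s.table)
```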
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
Related Commands
ipv6 dhcp snooping trust (315)
ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages. Remote-id option information such as the port attached to the client, DUID, and VLAN ID is used by the DHCPv6 server to assign preassigned configuration data specific to the DHCPv6 client. Use the no form of the command to disable this function.
Syntax
[no] ipv6 dhcp snooping option remote-id
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ DHCPv6 provides a relay mechanism for sending information about the switch and its DHCPv6 clients to the DHCPv6 server. Known as DHCPv6 Option 37, it allows compatible DHCPv6 servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When DHCPv6 Snooping Information Option 37 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself ) can be identified in the DHCPv6 request packets forwarded by the switch and in reply packets sent back from the DHCPv6 server.
◆ When the DHCPv6 Snooping Option 37 is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address.
DHCPv6 client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCPv6 snooping must be enabled for the DHCPv6 Option 37 information to be inserted into packets. When enabled, the switch will either drop, keep or remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
■ If an incoming packet is a DHCPv6 request packet with option 37 information, the switch will modify the option 37 information according to the settings specified with the ipv6 dhcp snooping option remote-id policy command.
■ If an incoming packet is a DHCPv6 request packet without option 37 information, enabling the DHCPv6 snooping information option will add option 37 information to the packet.
■ If an incoming packet is a DHCPv6 reply packet with option 37 information, enabling the DHCPv6 snooping information option will remove option 37 information from the packet.
◆ When this switch inserts Option 37 information in DHCPv6 client request packets, the switch’s MAC address (hexadecimal) is used for the remote ID.
Example
This example enables the DHCPv6 Snooping Remote-ID Option.
Console(config)#ipv6 dhcp snooping option remote-id
Console(config)#
ipv6 dhcp snooping option remote-id policy
This command sets the remote-id option policy for DHCPv6 client packets that include Option 37 information. Use the no form to disable this function.
Syntax
ipv6 dhcp snooping option remote-id policy {drop | keep | replace}
no ipv6 dhcp snooping option remote-id policy
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 37 information in the client request, and forwards the packets to trusted ports.
replace - Replaces the Option 37 remote-ID in the client’s request with the relay agent’s remote-ID (when DHCPv6 snooping is enabled), and forwards the packets to trusted ports.
Default Setting
drop
Command Mode
Global Configuration
Command Usage
When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
Example
This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it.
Console(config)#ipv6 dhcp snooping option remote-id policy keep
Console(config)#
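The Option 37 processing rules given for the ipv6 dhcp snooping option remote-id and remote-id policy commands, traced in an added Python model (not switch firmware or vendor code). The message representation (option code to value) and the switch MAC 00-12-cf-01-02-03 used as the remote-id are constructed for the illustration.

```python
# Added illustration of the Option 37 (remote-id) handling described above for
# this switch's DHCPv6 snooping; not firmware code. Message fields are a
# constructed simplification (option code -> value).
from dataclasses import dataclass, field
from typing import Dict, Optional

OPTION_REMOTE_ID = 37

# DHCPv6 message classes as listed by "show ipv6 dhcp snooping statistics".
CLIENT_MSGS = {"Solicit", "Request", "Confirm", "Renew", "Rebind",
               "Decline", "Release", "Information-request"}
SERVER_MSGS = {"Advertise", "Reply", "Reconfigure"}


@dataclass
class Dhcpv6Msg:
    msg_type: str
    options: Dict[int, str] = field(default_factory=dict)


@dataclass
class SnoopConfig:
    snooping_enabled: bool = False          # ipv6 dhcp snooping
    remote_id_enabled: bool = False         # ipv6 dhcp snooping option remote-id
    remote_id_policy: str = "drop"          # ... policy {drop | keep | replace}; default drop
    switch_mac: str = "00-12-cf-01-02-03"   # constructed switch MAC, used as the remote-id


def process(msg: Dhcpv6Msg, cfg: SnoopConfig) -> Optional[Dhcpv6Msg]:
    """Return the message as the switch would forward it, or None if dropped."""
    if cfg.remote_id_policy not in ("drop", "keep", "replace"):
        raise ValueError("policy must be drop, keep or replace")
    out = Dhcpv6Msg(msg.msg_type, dict(msg.options))   # never mutate the input
    # Option 37 is only touched when snooping AND the remote-id option are on.
    if not (cfg.snooping_enabled and cfg.remote_id_enabled):
        return out
    has_rid = OPTION_REMOTE_ID in out.options
    if out.msg_type in CLIENT_MSGS:
        if not has_rid:
            # Client request without Option 37: insert the switch's MAC as remote-id.
            out.options[OPTION_REMOTE_ID] = cfg.switch_mac
            return out
        # Client request that already carries Option 37: apply the policy.
        if cfg.remote_id_policy == "drop":
            return None
        if cfg.remote_id_policy == "replace":
            out.options[OPTION_REMOTE_ID] = cfg.switch_mac
        return out   # "keep" forwards the client's own remote-id unchanged
    if out.msg_type in SERVER_MSGS and has_rid:
        # Server reply: the switch strips Option 37 before delivering to the client.
        del out.options[OPTION_REMOTE_ID]
    return out   # relay messages and anything else pass through unchanged
```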
ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.
Syntax
[no] ipv6 dhcp snooping vlan {vlan-id | vlan-range}
vlan-id - ID of a configured VLAN (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When DHCPv6 snooping is enabled globally using the ipv6 dhcp snooping command, and enabled on a VLAN with this command, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN as specified by the ipv6 dhcp snooping trust command.
◆ When the DHCPv6 snooping is globally disabled, DHCPv6 snooping can still be configured for specific VLANs, but the changes will not take effect until DHCPv6 snooping is globally re-enabled.
◆ When DHCPv6 snooping is enabled globally, and then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Example
This example enables DHCPv6 snooping for VLAN 1.
Console(config)#ipv6 dhcp snooping vlan 1
Console(config)#
Related Commands
ipv6 dhcp snooping trust (315)
ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.
Syntax
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding
count - Maximum number of entries. (Range: 1-5)
Default Setting
5
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example sets the maximum number of binding entries to 1.
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 dhcp snooping max-binding 1
Console(config-if)#
ipv6 dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Syntax
[no] ipv6 dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCPv6 servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
◆ When DHCPv6 snooping is enabled globally using the ipv6 dhcp snooping command, and enabled on a VLAN with the ipv6 dhcp snooping vlan command, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which it submits a client request to the DHCPv6 server must be configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ipv6 dhcp snooping trust
Console(config-if)#
Related Commands
clear ipv6 dhcp snooping binding
This command clears DHCPv6 snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ipv6 dhcp snooping binding [mac-address ipv6-address]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Command Mode
Privileged Exec
Example
Console#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1
Console#
clear ipv6 dhcp snooping statistics
This command clears statistical counters for DHCPv6 snooping client, server and relay packets.
Command Mode
Privileged Exec
Example
Console#clear ipv6 dhcp snooping statistics
Console#
show ipv6 dhcp snooping
This command shows the DHCPv6 snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ipv6 dhcp snooping
Global DHCPv6 Snooping status: disabled
DHCPv6 Snooping remote-id option status: disabled
DHCPv6 Snooping remote-id policy: drop
DHCPv6 Snooping is configured on the following VLANs:
1,
Interface Trusted Max-binding Current-binding
--------- --------- ----------- ---------------
Eth 1/1 No 5 0
Eth 1/2 No 5 0
Eth 1/3 No 5 0
Eth 1/4 No 5 0
Eth 1/5 Yes 5 0
.
.
.
show ipv6 dhcp snooping binding
This command shows the DHCPv6 snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ipv6 dhcp snooping binding
NA - Non-temporary address
TA - Temporary address
-------------------------------------- ----------- ---- ------- ----
Link-layer Address: 00-13-49-aa-39-26
IPv6 Address Lifetime VLAN Port Type
--------------------------------------- ---------- ---- ------- ----
2001:b021:1435:5612:ab3c:6792:a452:6712 2591998 1 Eth 1/5 NA
--------------------------------------- ---------- ---- ------- ----
Link-layer Address: 00-12-cf-01-02-03
IPv6 Address Lifetime VLAN Port Type
--------------------------------------- ---------- ---- ------- ----
2001:b000::1 2591912 1 Eth 1/3 NA
Console#
show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
Command Mode
Privileged Exec
Example
Console#show ipv6 dhcp snooping statistics
DHCPv6 Snooping Statistics:
Client Packet: Solicit, Request, Confirm, Renew, Rebind,
Decline, Release, Information-request
Server Packet: Advertise, Reply, Reconfigure
Relay Packet: Relay-forward, Relay-reply
State Client Server Relay Total
-------- -------- -------- -------- --------
Received 10 9 0 19
Sent 9 9 0 18
Droped 1 0 0 1
Console#
IPv4 Source Guard
IPv4 Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IPv4 Source Guard table, or dynamic entries in the DHCP snooping table. It prevents traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IPv4 Source Guard.
Table 58: IP Source Guard Commands
Command                                 Function                                                                                                      Mode
ip source-guard binding                 Adds a static address to the source-guard binding table                                                       GC
ip source-guard                         Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address   IC
ip source-guard max-binding             Sets the maximum number of entries that can be bound to an interface                                          IC
ip source-guard mode                    Sets the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table   IC
clear ip source-guard binding blocked   Removes all blocked records                                                                                    PE
show ip source-guard                    Shows whether source guard is enabled or disabled on each interface                                            PE
show ip source-guard binding            Shows the source guard binding table                                                                           PE
ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
Syntax
ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list
no ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id
mode - Specifies the binding mode.
acl - Adds binding to ACL table.
mac - Adds binding to MAC address table.
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN for an ACL filtering table or a range of VLANs for a MAC address filtering table. To specify a list, separate non-consecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094)
ip-address - A valid unicast IP address, including classful types A, B or C.
unit - Unit identifier. (Range: 1)
port-list - Physical port number or list of port numbers. Separate non-consecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers. (Range: 1-28/52)
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ If the binding mode is not specified in this command, the entry is bound to the ACL table by default.
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command (page 325).
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ Static bindings are processed as follows:
■ If there is no entry with same VLAN ID and MAC address, a new entry is added to binding table using the type of static IP source guard binding.
■ If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
■ If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
Example
This example configures a static source-guard binding on port 5. Since the binding mode is not specified, the entry is bound to the ACL table by default.
Console(config)#ip source-guard binding 00-ab-cd-11-22-33 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config)#
Related Commands
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
◆ Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port. Use the “sip” option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the “sip-mac” option to check these same parameters, plus the source MAC address. Use the no ip source-guard command to disable this function on the selected port.
◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table with the ip source-guard binding command are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself.
◆ If IP source guard is enabled, an inbound packet’s IP address (sip option) or both its IP address and corresponding MAC address (sip-mac option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
◆ Filtering rules are implemented as follows:
■ If DHCPv4 snooping is disabled (see page 297), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
■ If IP source guard is enabled on an interface for which IP source bindings (dynamically learned via DHCP snooping or manually configured) are not yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
■ Only unicast addresses are accepted for static bindings.
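The static-binding processing rules of ip source-guard binding and the filtering rules of ip source-guard above, traced in one added Python model (not switch firmware or vendor code). The record layout, the port naming "Eth 1/5" and all sample addresses are constructed for the illustration.

```python
# Added model of the IPv4 Source Guard rules described in this section: how a
# static binding is merged into the binding table, and how a port in "sip" or
# "sip-mac" mode decides to forward or drop a packet. Illustration only, not
# switch firmware; the record layout and sample values are constructed.
from dataclasses import dataclass
from typing import List

STATIC = "Static-IP-SG-Binding"
DYNAMIC = "Dynamic-DHCP-Binding"


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str          # e.g. "Eth 1/5"
    entry_type: str
    lease: int = 0     # seconds; 0 means infinite (all static entries)


def is_unicast_mac(mac: str) -> bool:
    """Only unicast MACs are accepted for static bindings (I/G bit clear)."""
    return int(mac.split("-")[0], 16) & 0x01 == 0


class SourceGuardTable:
    def __init__(self) -> None:
        self.entries: List[Binding] = []

    def add_dynamic(self, mac, ip, vlan, port, lease) -> Binding:
        """Entry learned via DHCP snooping; the lease comes from the DHCP server."""
        e = Binding(mac.lower(), ip, vlan, port, DYNAMIC, lease)
        self.entries.append(e)
        return e

    def add_static(self, mac, ip, vlan, port) -> Binding:
        """ip source-guard binding: an existing entry with the same VLAN ID and
        MAC address (static or dynamic) is replaced and becomes static."""
        if not is_unicast_mac(mac):
            raise ValueError("static bindings require a unicast MAC address")
        new = Binding(mac.lower(), ip, vlan, port, STATIC, lease=0)
        for i, e in enumerate(self.entries):
            if e.vlan == vlan and e.mac == new.mac:
                self.entries[i] = new
                return new
        self.entries.append(new)
        return new


@dataclass
class Packet:
    vlan: int
    port: str
    src_ip: str
    src_mac: str
    is_dhcp: bool = False


def source_guard_permits(pkt: Packet, table: SourceGuardTable,
                         mode: str, dhcp_snooping_enabled: bool) -> bool:
    """Apply the filtering rules: DHCP packets always pass; every other packet
    needs a binding matching VLAN, source IP and port (and source MAC for
    sip-mac). Dynamic entries count only while DHCP snooping is enabled, and a
    port with no usable bindings drops all non-DHCP IP traffic."""
    if mode not in ("sip", "sip-mac"):
        raise ValueError("mode must be 'sip' or 'sip-mac'")
    if pkt.is_dhcp:
        return True
    for e in table.entries:
        if e.entry_type == DYNAMIC and not dhcp_snooping_enabled:
            continue
        if (e.vlan, e.ip, e.port) != (pkt.vlan, pkt.src_ip, pkt.port):
            continue
        if mode == "sip-mac" and e.mac != pkt.src_mac.lower():
            continue
        return True
    return False
```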
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
Syntax
ip source-guard [mode {acl | mac}] max-binding number
no ip source-guard [mode {acl | mac}] max-binding
mode - Specifies the learning mode.
acl - Searches for addresses in the ACL table.
mac - Searches for addresses in the MAC address table.
number - The maximum number of IP addresses that can be mapped to an interface in the binding table. (Range: 1-16 for ACL mode; 1-1024 for MAC mode)
Default Setting
5
Command Mode
Interface Configuration (Ethernet)
Command Usage
This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard binding command.
Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry. The mode is not specified, and therefore defaults to the ACL binding table.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard max-binding 1
Console(config-if)#
clear ip source-guard binding blocked
This command clears source-guard binding table entries from RAM.
Syntax
clear ip source-guard binding blocked
Command Mode
Privileged Exec
Command Usage
When IP Source Guard detects an invalid packet it creates a blocked record. These records can be viewed using the show ip source-guard binding blocked command. A maximum of 512 blocked records can be stored before the switch overwrites the oldest record with new blocked records. Use the clear ip source-guard binding blocked command to clear this table.
Example
This command clears the blocked record table.
Console#clear ip source-guard binding blocked
Console#
ip source-guard mode
This command sets the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table. Use the no form to restore the default setting.
Syntax
ip source-guard mode {acl | mac}
no ip source-guard mode
mode - Specifies the learning mode.
acl - Searches for addresses in the ACL binding table.
mac - Searches for addresses in the MAC address binding table.
Default Setting
ACL
Command Mode
Interface Configuration (Ethernet)
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Example
This command sets the binding table mode for the specified interface to MAC mode:
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard mode mac
Console(config-if)#
show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.
Command Mode
Privileged Exec
Example
Console#show ip source-guard
ACL Table MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1 DISABLED ACL 5 1024
Eth 1/2 DISABLED ACL 5 1024
Eth 1/3 DISABLED ACL 5 1024
Eth 1/4 DISABLED ACL 5 1024
Eth 1/5 DISABLED ACL 5 1024
.
show ip source-guard binding
This command shows the source guard binding table.
Syntax
show ip source-guard binding [dhcp-snooping | static [acl | mac] | blocked [vlan vlan-id | interface interface]]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping.
static - Shows static entries configured with the ip source-guard binding command.
acl - Shows static entries in the ACL binding table.
mac - Shows static entries in the MAC address binding table.
blocked - Shows MAC addresses which have been blocked by IP Source Guard.
vlan-id - ID of a configured VLAN (Range: 1-4094)
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show ip source-guard binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- --------
11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5
Console#
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table. It prevents traffic attacks caused when a host tries to use the IPv6 address of a neighbor to access the network. This section describes commands used to configure IPv6 Source Guard.
Table 59: IPv6 Source Guard Commands
Command                          Function                                                                Mode
ipv6 source-guard binding        Adds a static address to the source-guard binding table                 GC
ipv6 source-guard                Configures the switch to filter inbound traffic based on source IP address   IC
ipv6 source-guard max-binding    Sets the maximum number of entries that can be bound to an interface    IC
show ipv6 source-guard           Shows whether source guard is enabled or disabled on each interface     PE
show ipv6 source-guard binding   Shows the source guard binding table                                    PE
ipv6 source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Syntax
ipv6 source-guard binding mac-address vlan vlan-id ipv6-address interface interface
no ipv6 source-guard binding mac-address vlan vlan-id
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4094)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ipv6 source-guard command.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via ND snooping, DHCPv6 snooping, or static addresses configured in the source guard binding table with this command.
◆ Static bindings are processed as follows:
■ If there is no entry with the same MAC address and IPv6 address, a new entry is added to the binding table using the type of static IPv6 source guard binding.
■ If there is an entry with same MAC address and IPv6 address, and the type of entry is static IPv6 source guard binding, then the new entry will replace the old one.
■ If there is an entry with same MAC address and IPv6 address, and the type of the entry is either a dynamic ND snooping binding or DHCPv6 snooping binding, then the new entry will replace the old one and the entry type will be changed to static IPv6 source guard binding.
■ Only unicast addresses are accepted for static bindings.
Example
This example configures a static source-guard binding on port 5.
Console(config)#ipv6 source-guard binding 00-ab-11-cd-23-45 vlan 1 2001::1 interface ethernet 1/5
Console(config)#
Related Commands
ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
Syntax
ipv6 source-guard sip
no ipv6 source-guard
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
◆ This command checks the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table. Use the no ipv6 source-guard command to disable this function on the selected port.
◆ After IPv6 source guard is enabled on an interface, the switch initially blocks all IPv6 traffic received on that interface, except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6 snooping. A port access control list (ACL) is applied to the interface. Traffic is then filtered based upon dynamic entries learned via ND snooping or DHCPv6 snooping, or static addresses configured in the source guard binding table. The port allows only IPv6 traffic with a matching entry in the binding table and denies all other IPv6 traffic.
◆ Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table with the ipv6 source-guard binding command are automatically configured with an infinite lease time. Dynamic entries learned via DHCPv6 snooping are configured by the DHCPv6 server itself.
◆ If IPv6 source guard is enabled, an inbound packet’s source IPv6 address will be checked against the binding table. If no matching entry is found, the packet will be dropped.
◆ Filtering rules are implemented as follows:
■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, dynamic ND snooping binding, or dynamic DHCPv6 snooping binding, the packet will be forwarded.
■ If IPv6 source guard is enabled on an interface for which IPv6 source bindings (dynamically learned via ND snooping or DHCPv6 snooping, or manually configured) are not yet configured, the switch will drop all IPv6 traffic on that port, except for ND packets and DHCPv6 packets.
■ Only IPv6 global unicast addresses are accepted for static bindings.
Example
This example enables IPv6 source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard sip
Console(config-if)#
Related Commands
ipv6 source-guard binding (326)
ipv6 source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
Syntax
ipv6 source-guard max-binding number
no ipv6 source-guard max-binding
number - The maximum number of IPv6 addresses that can be mapped to an interface in the binding table. (Range: 1-5)
Default Setting
5
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping or DHCPv6 snooping, and static entries set by the ipv6 source-guard binding command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
◆ If IPv6 source guard, ND snooping, and DHCPv6 snooping are enabled on a port, the dynamic bindings used by ND snooping, DHCPv6 snooping, and IPv6 source guard static bindings cannot exceed the maximum allowed bindings set by the ipv6 source-guard max-binding command. In other words, no new entries will be added to the IPv6 source guard binding table.
◆ If IPv6 source guard is enabled on a port, and the maximum number of allowed bindings is changed to a lower value, precedence is given to deleting entries learned through DHCPv6 snooping, ND snooping, and then manually configured IPv6 source guard static bindings, until the number of entries in the binding table reaches the newly configured maximum number of allowed bindings.
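The limit rules above for ipv6 source-guard max-binding (table full, and the eviction precedence when the maximum is lowered) traced in an added Python model (not switch firmware or vendor code). The entry layout, the sample addresses and the assumption that list order equals entry age are constructed for the illustration.

```python
# Added model of the rules given above for ipv6 source-guard max-binding:
# which entries the switch drops first when the maximum is lowered on a port,
# and whether a further entry may still be added. Illustration only, not
# firmware; entry layout and sample data are constructed.
from dataclasses import dataclass
from typing import List

STATIC = "Static-IPv6-SG-Binding"
ND_SNOOP = "Dynamic-ND-Snooping"
DHCPV6_SNOOP = "Dynamic-DHCPv6-Snooping"

# Eviction precedence when the table must shrink: DHCPv6 snooping entries
# first, then ND snooping entries, then static entries.
EVICTION_ORDER = (DHCPV6_SNOOP, ND_SNOOP, STATIC)


@dataclass
class V6Binding:
    mac: str
    ipv6: str
    vlan: int
    port: str
    entry_type: str


def limits_consistent(sg_max: int, dhcpv6_max: int, nd_max: int) -> bool:
    """IPv6 source guard max-binding must exceed both snooping maxima."""
    return sg_max > dhcpv6_max and sg_max > nd_max


def can_add(entries: List[V6Binding], sg_max: int) -> bool:
    """Once the port already holds sg_max entries, no new binding is added."""
    return len(entries) < sg_max


def apply_max_binding(entries: List[V6Binding], new_max: int) -> List[V6Binding]:
    """Return the table after 'ipv6 source-guard max-binding new_max' is applied
    to a port that already holds entries. The range 1-5 is the one stated above.
    Within one type the oldest entry goes first (constructed assumption: list
    order is age order)."""
    if not 1 <= new_max <= 5:
        raise ValueError("max-binding range is 1-5")
    kept = list(entries)
    for etype in EVICTION_ORDER:
        while len(kept) > new_max:
            idx = next((i for i, e in enumerate(kept) if e.entry_type == etype), None)
            if idx is None:
                break          # no more entries of this type; move to next type
            kept.pop(idx)
    return kept
```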
Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard max-binding 1
Console(config-if)#
show ipv6 source-guard
This command shows whether IPv6 source guard is enabled or disabled on each interface, and the maximum allowed bindings.
Command Mode
Privileged Exec
Example
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1 DISABLED 5
Eth 1/2 DISABLED 5
Eth 1/3 DISABLED 5
Eth 1/4 DISABLED 5
Eth 1/5 SIP 1
Eth 1/6 DISABLED 5
.
.
show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.
Syntax
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands.
static - Shows static entries configured with the ipv6 source-guard binding command.
Command Mode
Privileged Exec
Example
Console#show ipv6 source-guard binding
MAC Address IPv6 Address VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
00AB-11CD-2345 2001::1 1 Eth 1/5 STA
Console#
ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database – the DHCP snooping binding database. ARP Inspection can also validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.
This section describes commands used to configure ARP Inspection.
Table 60: ARP Inspection Commands
Command                                Function                                                                                                   Mode
ip arp inspection                      Enables ARP Inspection globally on the switch                                                              GC
ip arp inspection filter               Specifies an ARP ACL to apply to one or more VLANs                                                         GC
ip arp inspection log-buffer logs      Sets the maximum number of entries saved in a log message, and the rate at which these messages are sent  GC
ip arp inspection validate             Specifies additional validation of address components in an ARP packet                                     GC
ip arp inspection vlan                 Enables ARP Inspection for a specified VLAN or range of VLANs                                              GC
ip arp inspection limit                Sets a rate limit for the ARP packets received on a port                                                   IC
ip arp inspection trust                Sets a port as trusted, and thus exempted from ARP Inspection                                              IC
show ip arp inspection configuration   Displays the global configuration settings for ARP Inspection                                              PE
show ip arp inspection interface       Shows the trust status and inspection rate limit for ports                                                 PE
show ip arp inspection log             Shows information about entries stored in the log, including the associated VLAN, port, and address components   PE
show ip arp inspection statistics      Shows statistics about the number of ARP packets processed, or dropped for various reasons                 PE
show ip arp inspection vlan            Shows configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed   PE
ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to disable this function.
Syntax
[no] ip arp inspection
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the
ARP Inspection engine and their manner of switching matches that of all other packets.
◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection
Console(config)#
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
static - ARP packets are only validated against the specified ACL; address bindings in the DHCP snooping database are not checked.
Default Setting
ARP ACLs are not bound to any VLAN
Static mode is not enabled
Command Mode
Global Configuration
Command Usage
◆ ARP ACL configuration commands are described under “ARP ACLs” on page 370.
◆ If static mode is enabled, the switch compares ARP packets to the specified ARP
ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
◆ If static mode is not enabled, packets are first validated against the specified
ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database.
Example
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.
(Range: 0-256, where 0 means no events are saved and no messages sent)
seconds - The interval at which log messages are sent. (Range: 0-86400)
Default Setting
Message Number: 5
Interval: 1 second
Command Mode
Global Configuration
Command Usage
◆ ARP Inspection must be enabled with the ip arp inspection command before this command will be accepted by the switch.
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ When the switch drops a packet, it places an entry in the log buffer. Each entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message.
◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
◆ The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer.
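The buffer behaviour described in these bullets (duplicate suppression, oldest-entry replacement once message-number entries are held, and a rate-controlled flush that clears the buffer), modelled as an added Python example that is not part of this guide. The timestamps, the flow tuples and the choice to let the first message go out immediately are constructed assumptions.

```python
# Added example, not part of the Zebra/Edge-Core guide: a model of the log
# buffer described for `ip arp inspection log-buffer logs`. Timestamps are
# seconds; flow tuples and the first-message timing are constructed here.
from collections import deque
from typing import Deque, List, Optional, Tuple

Flow = Tuple[int, int, str, str, str, str]   # vlan, port, src ip, dst ip, src mac, dst mac


class ArpInspectionLog:
    def __init__(self, message_number: int = 5, interval: int = 1):
        self.message_number = message_number                # 0 = nothing saved, nothing sent
        self.interval = interval                            # seconds between system messages
        # deque(maxlen=N) discards the oldest entry when a new one arrives on a full buffer
        self.buffer: Deque[Flow] = deque(maxlen=max(message_number, 0))
        self.last_flow: Optional[Flow] = None               # for consecutive-duplicate suppression
        self.last_message_at = float("-inf")                # assumption: first message goes at once
        self.messages: List[List[Flow]] = []                # system messages actually generated

    def record_drop(self, now: float, flow: Flow) -> int:
        """Called when the engine drops a packet; returns the buffer occupancy afterwards."""
        if self.message_number == 0:
            return 0
        # Consecutive identical invalid packets on the same VLAN yield a single entry.
        if flow != self.last_flow:
            self.buffer.append(flow)
            self.last_flow = flow
        self.poll(now)
        return len(self.buffer)

    def poll(self, now: float) -> int:
        """Rate-controlled message generation; returns the number of messages sent so far."""
        if self.buffer and now - self.last_message_at >= self.interval:
            self.messages.append(list(self.buffer))
            self.buffer.clear()                             # all entries cleared after the message
            self.last_flow = None                           # assumption: suppression restarts
            self.last_message_at = now
        return len(self.messages)


# Constructed sample flows, laid out like the columns of `show ip arp inspection log`.
A: Flow = (1, 11, "192.168.2.2", "192.168.2.1", "00-04-E2-A0-E2-7C", "FF-FF-FF-FF-FF-FF")
B: Flow = (1, 12, "192.168.2.3", "192.168.2.1", "00-04-E2-A0-E2-7D", "FF-FF-FF-FF-FF-FF")
C: Flow = (1, 13, "192.168.2.4", "192.168.2.1", "00-04-E2-A0-E2-7E", "FF-FF-FF-FF-FF-FF")
```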
Example
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate
{dst-mac [ip [allow-zeros] [src-mac]] |
ip [allow-zeros] [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ip - Checks the ARP body for invalid and unexpected IP addresses.
Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
allow-zeros - Allows sender IP address to be 0.0.0.0.
src-mac - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both
ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
Default Setting
No additional validation is performed
Command Mode
Global Configuration
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.
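The full decision path that the ip arp inspection filter (with and without static) and ip arp inspection validate descriptions spell out, as an added Python example that is not part of this guide. The order in which the additional validation runs relative to the binding checks, the treatment of a permit match as forwarding in both modes, the field names and every sample address are assumptions made here.

```python
# Added example, not part of the Zebra/Edge-Core guide: a model of the ARP
# Inspection decision path for one packet. Check order, the permit-forwards
# reading, field names and all sample addresses are constructed assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Tuple


@dataclass
class ArpPacket:
    vlan: int
    trusted_port: bool
    is_reply: bool                # False = ARP request, True = ARP reply
    eth_src: str                  # Ethernet header source MAC
    eth_dst: str                  # Ethernet header destination MAC
    sender_mac: str               # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class AclRule:                    # one ARP ACL rule: an IP-to-MAC binding plus an action
    action: str                   # "permit" or "deny"
    ip: str
    mac: str


@dataclass
class VlanFilter:                 # ip arp inspection filter <acl> vlan <id> [static]
    acl: List[AclRule]
    static: bool = False


@dataclass
class Validate:                   # ip arp inspection validate keywords
    dst_mac: bool = False
    ip: bool = False
    allow_zeros: bool = False
    src_mac: bool = False


def _invalid_ip(addr: str) -> bool:
    """0.0.0.0, 255.255.255.255 and IP multicast are the unexpected addresses."""
    return addr in ("0.0.0.0", "255.255.255.255") or IPv4Address(addr).is_multicast


def inspect(pkt: ArpPacket, dai_vlans: set, filters: Dict[int, VlanFilter],
            validate: Validate, snooping: Dict[Tuple[int, str], str]) -> str:
    """Return 'forward' or 'drop:<reason>'. snooping maps (vlan, ip) -> MAC."""
    # VLANs without ARP Inspection and trusted ports bypass the engine entirely.
    if pkt.vlan not in dai_vlans or pkt.trusted_port:
        return "forward"
    # Additional validation (assumed here to run before the binding checks).
    if validate.src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop:src-mac"                     # requests and replies
    if validate.dst_mac and pkt.is_reply and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "drop:dst-mac"                     # replies only
    if validate.ip:
        zero_ok = validate.allow_zeros and pkt.sender_ip == "0.0.0.0"
        if _invalid_ip(pkt.sender_ip) and not zero_ok:
            return "drop:ip"                      # sender IP: requests and replies
        if pkt.is_reply and _invalid_ip(pkt.target_ip):
            return "drop:ip"                      # target IP: replies only
    # ARP ACL bound to the VLAN, if any.
    flt = filters.get(pkt.vlan)
    if flt is not None:
        for rule in flt.acl:
            if rule.ip == pkt.sender_ip and rule.mac.lower() == pkt.sender_mac.lower():
                return "forward" if rule.action == "permit" else "drop:arp-acl"
        if flt.static:
            return "drop:arp-acl"                 # static: unmatched packets are dropped
    # Otherwise the DHCP snooping binding must match.
    if snooping.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower():
        return "forward"
    return "drop:dhcp-snooping"


def request(**over) -> ArpPacket:
    """Constructed sample ARP request from a DHCP client; override fields per case."""
    base = dict(vlan=1, trusted_port=False, is_reply=False,
                eth_src="00:04:e2:a0:e2:7c", eth_dst="ff:ff:ff:ff:ff:ff",
                sender_mac="00:04:e2:a0:e2:7c", sender_ip="192.168.2.2",
                target_mac="00:00:00:00:00:00", target_ip="192.168.2.1")
    base.update(over)
    return ArpPacket(**base)


# Constructed configuration: DAI on VLAN 1, ACL "sales" bound without static,
# one DHCP-learned binding for the sample client.
DAI_VLANS = {1}
SNOOPING = {(1, "192.168.2.2"): "00:04:e2:a0:e2:7c"}
FILTERS = {1: VlanFilter(acl=[AclRule("permit", "192.168.2.10", "00:11:22:33:44:55"),
                              AclRule("deny", "192.168.2.1", "00:aa:bb:cc:dd:ee")])}
```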
Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the
ARP Inspection engine and their manner of switching matches that of all other packets.
◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the
CPU per second on trusted or untrusted ports. (Range: 0-2048, where 0 means that no ARP packets can be forwarded)
none - There is no limit on the number of ARP packets that can be processed by the CPU.
Default Setting
15
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ This command applies to both trusted and untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection limit rate 150
Console(config-if)#
ip arp inspection trust
This command sets a port as trusted, and thus exempted from ARP Inspection. Use the no form to restore the default setting.
Syntax
[no] ip arp inspection trust
Default Setting
Untrusted
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status : disabled
Log Message Interval : 10 s
Log Message Number : 1
Need Additional Validation(s) : Yes
Additional Validation Type : Destination MAC address
Console#
show ip arp inspection interface
This command shows the trust status and ARP Inspection rate limit for ports.
Syntax
show ip arp inspection interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show ip arp inspection interface ethernet 1/1
Port Number Trust Status Rate Limit (pps)
------------- -------------------- ------------------------------
Eth 1/1 trusted 150
Console#
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address
--- ---- ---- -------------- -------------- --------------- --------------
1 1 11 192.168.2.2 192.168.2.1 00-04-E2-A0-E2-7C FF-FF-FF-FF-FF-FF
Console#
show ip arp inspection statistics
This command shows statistics about the number of ARP packets processed, or dropped for various reasons.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection statistics
ARP packets received before rate limit : 150
ARP packets dropped due to rate limt : 5
Total ARP packets processed by ARP Inspection : 150
ARP packets dropped by additional validation (source MAC address) : 0
ARP packets dropped by additional validation (destination MAC address): 0
ARP packets dropped by additional validation (IP address) : 0
ARP packets dropped by ARP ACLs : 0
ARP packets dropped by DHCP snooping : 0
Console#
show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP
Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed.
Syntax
show ip arp inspection vlan [vlan-id | vlan-range]
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection vlan 1
VLAN ID DAI Status ACL Name ACL Status
-------- --------------- -------------------- --------------------
1 disabled sales static
Console#
Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all. In general, DoS attacks are implemented by either forcing the target to reset, to consume most of its resources so that it can no longer provide its intended service, or to obstruct the communication media between the intended users and the target so that they can no longer communicate adequately.
This section describes commands used to protect against DoS attacks.
Table 61: DoS Protection Commands
Command                           Function                                                                          Mode
dos-protection echo-chargen       Protects against DoS echo/chargen attacks                                         GC
dos-protection smurf              Protects against DoS smurf attacks                                                GC
dos-protection tcp-flooding       Protects against DoS TCP-flooding attacks                                         GC
dos-protection tcp-null-scan      Protects against DoS TCP-null-scan attacks                                        GC
dos-protection tcp-syn-fin-scan   Protects against DoS TCP-SYN/FIN-scan attacks                                     GC
dos-protection tcp-udp-port-zero  Protects against attacks which set the Layer 4 source or destination port to zero  GC
dos-protection tcp-xmas-scan      Protects against DoS TCP-XMAS-scan attacks                                        GC
dos-protection udp-flooding       Protects against DoS UDP-flooding attacks                                         GC
dos-protection win-nuke           Protects against DoS WinNuke attacks                                              GC
show dos-protection               Shows the configuration settings for DoS protection                               PE
dos-protection echo-chargen
This command protects against DoS echo/chargen attacks in which the echo service repeats anything sent to it, and the chargen (character generator) service generates a continuous stream of data. When used together, they create an infinite loop and result in a denial-of-service. Use the no form without the bit rate parameter to disable this feature, or with the bit rate parameter to restore the default rate limit.
Syntax
dos-protection echo-chargen [bit-rate-in-kilo rate]
no dos-protection echo-chargen [bit-rate-in-kilo rate]
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection echo-chargen bit-rate-in-kilo 65
Console(config)#
dos-protection smurf
This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination
IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets. Use the no form to disable this feature.
Syntax
[no] dos-protection smurf
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection smurf
Console(config)#
dos-protection tcp-flooding
This command protects against DoS TCP-flooding attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service. Use the no form without the bit rate parameter to disable this feature, or with the bit rate parameter to restore the default rate limit.
Syntax
dos-protection tcp-flooding [bit-rate-in-kilo rate]
no dos-protection tcp-flooding [bit-rate-in-kilo rate]
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#
dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP NULL scan. Use the no form to disable this feature.
Syntax
[no] dos-protection tcp-null-scan
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-null-scan
Console(config)#
dos-protection tcp-syn-fin-scan
This command protects against DoS TCP-SYN/FIN-scan attacks in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP SYN FIN scan. Use the no form to disable this feature.
Syntax
[no] dos-protection tcp-syn-fin-scan
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-syn-fin-scan
Console(config)#
dos-protection tcp-udp-port-zero
This command protects against DoS attacks in which the TCP or UDP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device. When this command is enabled, the switch will drop these packets. Use the no form to restore the default setting.
Syntax
[no] dos-protection tcp-udp-port-zero
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-udp-port-zero
Console(config)#
dos-protection tcp-xmas-scan
This command protects against DoS TCP-xmas-scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan. Use the no form to disable this feature.
Syntax
[no] dos-protection tcp-xmas-scan
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-xmas-scan
Console(config)#
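A defender-side classifier that applies the packet definitions given for dos-protection tcp-null-scan, tcp-syn-fin-scan, tcp-xmas-scan and tcp-udp-port-zero to Layer 4 headers, as an added Python example that is not part of this guide. The header record, the enabled map (mirroring the Default Setting of Enabled for these four checks) and all sample packets are constructed.

```python
# Added example, not part of the Zebra/Edge-Core guide: classifies Layer 4
# headers by the four scan/port-zero checks described in this section.
# The header record, the enabled map and the sample packets are constructed.
from dataclasses import dataclass
from typing import Dict, List

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class L4Header:
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0        # TCP flag bits (ignored for UDP)
    seq: int = 0          # TCP sequence number (ignored for UDP)


# Default Setting for these four checks is Enabled.
DEFAULTS: Dict[str, bool] = {"tcp-null-scan": True, "tcp-syn-fin-scan": True,
                             "tcp-xmas-scan": True, "tcp-udp-port-zero": True}


def triggered_checks(h: L4Header, enabled: Dict[str, bool] = DEFAULTS) -> List[str]:
    """Names of the enabled checks under which the switch would drop this header."""
    hits: List[str] = []
    if enabled["tcp-udp-port-zero"] and h.proto in ("tcp", "udp") and 0 in (h.sport, h.dport):
        hits.append("tcp-udp-port-zero")      # TCP or UDP source/destination port set to zero
    if h.proto != "tcp":
        return hits
    if enabled["tcp-null-scan"] and h.flags == 0 and h.seq == 0:
        hits.append("tcp-null-scan")          # no flags, sequence number 0
    if enabled["tcp-syn-fin-scan"] and (h.flags & (SYN | FIN)) == (SYN | FIN):
        hits.append("tcp-syn-fin-scan")       # SYN and FIN set together
    if enabled["tcp-xmas-scan"] and (h.flags & (URG | PSH | FIN)) == (URG | PSH | FIN) and h.seq == 0:
        hits.append("tcp-xmas-scan")          # URG, PSH and FIN with sequence number 0
    return hits


def drop_counts(headers: List[L4Header], enabled: Dict[str, bool] = DEFAULTS) -> Dict[str, int]:
    """Per-check drop counters over a batch of headers."""
    counts = {name: 0 for name in enabled}
    for h in headers:
        for name in triggered_checks(h, enabled):
            counts[name] += 1
    return counts


# Constructed sample traffic: one ordinary SYN, then one packet per check.
SAMPLE = [
    L4Header("tcp", 40000, 80, flags=SYN, seq=12345),          # ordinary connection attempt
    L4Header("tcp", 40001, 22, flags=0, seq=0),                # NULL scan
    L4Header("tcp", 40002, 22, flags=SYN | FIN, seq=777),      # SYN/FIN scan
    L4Header("tcp", 40003, 22, flags=URG | PSH | FIN, seq=0),  # XMAS scan
    L4Header("udp", 0, 53),                                    # UDP source port zero
    L4Header("tcp", 40004, 0, flags=ACK, seq=5),               # TCP destination port zero
]
```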
dos-protection udp-flooding
This command protects against DoS UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. The target will determine that no application is listening at that port, and reply with an ICMP Destination Unreachable packet. It will be forced to send many ICMP packets, eventually leading it to be unreachable by other clients. Use the no form without the bit rate parameter to disable this feature, or with the bit rate parameter to restore the default rate limit.
Syntax
dos-protection udp-flooding [bit-rate-in-kilo rate]
no dos-protection udp-flooding [bit-rate-in-kilo rate]
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection udp-flooding bit-rate-in-kilo 65
Console(config)#
dos-protection win-nuke
This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.” This did not cause any damage to, or change data on, the computer’s hard disk, but any unsaved data would be lost. Microsoft made patches to prevent the WinNuke attack, but the OOB packets still put the service in a tight loop that consumed all available CPU time. Use the no form without the bit rate parameter to disable this feature, or with the bit rate parameter to restore the default rate limit.
Syntax
dos-protection win-nuke [bit-rate-in-kilo rate]
no dos-protection win-nuke [bit-rate-in-kilo rate]
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection win-nuke bit-rate-in-kilo 65
Console(config)#
show dos-protection
This command shows the configuration settings for the DoS protection commands.
Command Mode
Privileged Exec
Example
Console#show dos-protection
Global DoS Protection:
Echo/Chargen Attack : Disabled, 1000 kilobits per second
Smurf Attack : Enabled
TCP Flooding Attack : Disabled, 1000 kilobits per second
TCP Null Scan : Enabled
TCP SYN/FIN Scan : Enabled
TCP/UDP Packets with Port 0 : Enabled
TCP XMAS Scan : Enabled
UDP Flooding Attack : Disabled, 1000 kilobits per second
WinNuke Attack : Disabled, 1000 kilobits per second
Console#
Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
Traffic belonging to each client is isolated to the allocated downlink ports. But the switch can be configured to either isolate traffic passing across a client’s allocated uplink ports from the uplink ports assigned to other clients, or to forward traffic through the uplink ports used by other clients, allowing different clients to share access to their uplink ports where security is less likely to be compromised.
Table 62: Commands for Configuring Traffic Segmentation
Command                                Function                                                                                             Mode
traffic-segmentation                   Enables traffic segmentation                                                                         GC
traffic-segmentation session           Creates a client session                                                                             GC
traffic-segmentation uplink/downlink   Configures uplink/downlink ports for client sessions                                                 GC
traffic-segmentation uplink-to-uplink  Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions  GC
show traffic-segmentation              Displays the configured traffic segments                                                             PE
traffic-segmentation
This command enables traffic segmentation. Use the no form to disable traffic segmentation.
Syntax
[no] traffic-segmentation
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group.
◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Table 63: Traffic Segmentation Forwarding
Source \ Destination   Session #1      Session #1            Session #2      Session #2            Normal
                       Downlink Ports  Uplink Ports          Downlink Ports  Uplink Ports          Ports
Session #1 Downlinks   Blocking        Forwarding            Blocking        Blocking              Forwarding
Session #1 Uplinks     Forwarding      Forwarding            Blocking        Blocking/Forwarding*  Forwarding
Session #2 Downlinks   Blocking        Blocking              Blocking        Forwarding            Forwarding
Session #2 Uplinks     Blocking        Blocking/Forwarding*  Forwarding      Forwarding            Forwarding
Normal Ports           Blocking        Forwarding            Blocking        Forwarding            Forwarding
* The forwarding state for uplink-to-uplink ports is configured by the traffic-segmentation uplink-to-uplink command.
◆ When traffic segmentation is disabled, all ports operate in normal forwarding mode based on the settings specified by other functions such as VLANs and spanning tree protocol.
◆ Enter the traffic-segmentation command without any parameters to enable traffic segmentation. Then set the interface members for segmented groups using the traffic-segmentation uplink/downlink command.
◆ Enter no traffic-segmentation to disable traffic segmentation and clear the configuration settings for segmented groups.
Example
This example enables traffic segmentation globally on the switch.
Console(config)#traffic-segmentation
Console(config)#
traffic-segmentation session
This command creates a traffic-segmentation client session. Use the no form to remove a client session.
Syntax
[no] traffic-segmentation session session-id
session-id – Traffic segmentation session. (Range: 1-4)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
Example
Console(config)#traffic-segmentation session 1
Console(config)#
traffic-segmentation uplink/downlink
This command configures the uplink and downlink ports for a segmented group of ports. Use the no form to remove a port from the segmented group.
Syntax
[no] traffic-segmentation [session session-id] {uplink interface-list
[downlink interface-list] | downlink interface-list}
session-id – Traffic segmentation session. (Range: 1-4)
uplink – Specifies an uplink interface.
downlink – Specifies a downlink interface.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
Session 1 if not defined
No segmented port groups are defined.
Command Mode
Global Configuration
Command Usage
◆ A port cannot be configured in both an uplink and downlink list.
◆ A port can only be assigned to one traffic-segmentation session.
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
◆ A downlink port can only communicate with an uplink port in the same session.
Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
Example
This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks.
Console(config)#traffic-segmentation
Console(config)#traffic-segmentation uplink ethernet 1/10 downlink ethernet 1/5-8
Console(config)#
traffic-segmentation uplink-to-uplink
This command specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions. Use the no form to restore the default.
Syntax
[no] traffic-segmentation uplink-to-uplink {blocking | forwarding}
blocking – Blocks traffic between uplink ports assigned to different sessions.
forwarding – Forwards traffic between uplink ports assigned to different sessions.
Default Setting
Blocking
Command Mode
Global Configuration
Example
This example enables forwarding of traffic between uplink ports assigned to different client sessions.
Console(config)#traffic-segmentation uplink-to-uplink forwarding
Console(config)#
show traffic-segmentation
This command displays the configured traffic segments.
Command Mode
Privileged Exec
Example
Console#show traffic-segmentation
Private VLAN Status : Enabled
Uplink-to-Uplink Mode : Forwarding
Session Uplink Ports Downlink Ports
--------- ------------------------------ -----------------------------
1 Ethernet 1/1 Ethernet 1/2
Ethernet 1/3
Ethernet 1/4
Console#
9
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Table 64: Access Control List Commands
Command Group    Function
IPv4 ACLs        Configures ACLs based on IPv4 addresses, TCP/UDP port number, protocol type, and TCP control code
IPv6 ACLs        Configures ACLs based on IPv6 addresses, DSCP traffic class, or next header type
MAC ACLs         Configures ACLs based on hardware addresses, packet format, and Ethernet type
ARP ACLs         Configures ACLs based on ARP message addresses
ACL Information  Displays ACLs and associated rules; shows ACLs assigned to each port
IPv4 ACLs
The commands in this section configure ACLs based on IPv4 addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IPv4 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Table 65: IPv4 ACL Commands
Command               Function                                                                                                                                 Mode
access-list ip        Creates an IP ACL and enters configuration mode for standard or extended IPv4 ACLs                                                       GC
permit, deny          Filters packets matching a specified source IPv4 address                                                                                 IPv4-STD-ACL
permit, deny          Filters packets meeting the specified criteria, including source and destination IPv4 address, TCP/UDP port number, protocol type, and TCP control code  IPv4-EXT-ACL
ip access-group       Binds an IPv4 ACL to a port                                                                                                              IC
show ip access-group  Shows port assignments for IPv4 ACLs                                                                                                     PE
show ip access-list   Displays the rules for configured IPv4 ACLs                                                                                              PE
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
Example
Console(config)#access-list ip standard david
Console(config-std-acl)#
Related Commands
permit, deny, redirect-to (353)
permit, deny
(Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
{permit | deny}
{any | source bitmask | host source}
[time-range time-range-name]
no {permit | deny}
{any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Example
This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#
Related Commands
permit, deny
(Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Syntax
{permit | deny} [protocol-number | udp]
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [dscp dscp]
[source-port sport [bitmask]]
[destination-port dport [port-bitmask]]
[time-range time-range-name]
no {permit | deny} [protocol-number | udp]
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [dscp dscp]
[source-port sport [bitmask]]
[destination-port dport [port-bitmask]]
{permit | deny} tcp
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [dscp dscp]
[source-port sport [bitmask]]
[destination-port dport [port-bitmask]]
[control-flag control-flags flag-bitmask]
[time-range time-range-name]
no {permit | deny} tcp
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [dscp dscp]
[source-port sport [bitmask]]
[destination-port dport [port-bitmask]]
[control-flag control-flags flag-bitmask]
protocol-number – A specific protocol number. (Range: 0-255)
source – Source IP address.
destination – Destination IP address.
address-bitmask – Decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
precedence – IP precedence level. (Range: 0-7)
dscp – DSCP priority level. (Range: 0-63)
sport – Protocol source port number (TCP, UDP or other protocol type). (Range: 0-65535)
dport – Protocol destination port number (TCP, UDP or other protocol type). (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Extended IPv4 ACL
Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bit mask is bitwise ANDed with the specified source or destination IP address, and then compared with the corresponding address of each IP packet entering the port(s) to which this ACL has been assigned.
◆ Precedence and DSCP both occupy the IPv4 Type of Service byte. You can specify both Precedence and ToS in the same rule, but if DSCP is used, then neither Precedence nor ToS can be specified.
◆ The control-flag bitmask is a decimal number (representing an equivalent bit mask) that is applied to the TCP control flags. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit. The following bits may be specified:
■ 1 (fin) – Finish
■ 2 (syn) – Synchronize
■ 4 (rst) – Reset
■ 8 (psh) – Push
■ 16 (ack) – Acknowledgement
■ 32 (urg) – Urgent pointer
◆ For example, use the control-flag value and bitmask below to catch packets with the following flags set:
■ SYN flag valid, use “control-flag 2 2”
■ Both SYN and ACK valid, use “control-flag 18 18”
■ SYN valid and ACK invalid, use “control-flag 2 18”
Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule matches when the masked rule address (10.7.1.1 & 255.255.255.0) equals the masked packet address, for example (10.7.1.2 & 255.255.255.0); a matching packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This permits packets from the class C network 192.168.1.0 to any destination address when the destination port is 80 (i.e., HTTP). No protocol is given, so the rule is not limited to TCP; use the tcp form of the command to match only TCP traffic to port 80.
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
This permits all TCP packets from the class C network 192.168.1.0 with the TCP SYN flag set. The bitmask 2 checks only the SYN bit, so SYN/ACK segments also match; use “control-flag 2 18” to match only segments with SYN set and ACK clear.
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#
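The address bitmask described for Standard IPv4 ACLs above and the control-flag bitmask described in this section are the same masked comparison applied to different fields. The following Python is an added example, not code from the guide or from the switch firmware: it models those two checks and evaluates the guide's own example rules against constructed packets. The Rule and Packet types, first-match evaluation in entry order, and the None result for a packet that matches no rule are assumptions of the model, not behaviour the guide states.

```python
"""Model of IPv4 ACL matching as described in the guide (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bit values exactly as the guide lists them for control-flag.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def ip_matches(packet_ip: str, rule_ip: str, bitmask: str) -> bool:
    """Care-bitmask comparison: both addresses are ANDed with the mask
    (binary 1 = match this bit, 0 = ignore it), then compared.
    The mask does not have to be contiguous."""
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    m = int(ipaddress.IPv4Address(bitmask))
    return (p & m) == (r & m)


def flags_match(packet_flags: int, control_flags: int, flag_bitmask: int) -> bool:
    """control-flag check: only the flag bits set in flag_bitmask are compared."""
    return (packet_flags & flag_bitmask) == (control_flags & flag_bitmask)


@dataclass(frozen=True)
class Rule:
    action: str                                      # "permit" or "deny"
    src: Tuple[str, ...] = ("any",)                  # ("any",) | ("host", ip) | (ip, bitmask)
    dst: Tuple[str, ...] = ("any",)
    protocol: Optional[str] = None                   # None = any protocol, else "tcp", "udp", ...
    control_flag: Optional[Tuple[int, int]] = None   # (control-flags, flag-bitmask), tcp only


@dataclass(frozen=True)
class Packet:                                        # constructed test input, not a real capture
    src_ip: str
    dst_ip: str
    protocol: str = "tcp"
    tcp_flags: int = 0


def _addr_ok(spec: Tuple[str, ...], ip: str) -> bool:
    if spec == ("any",):
        return True
    if spec[0] == "host":
        return ip_matches(ip, spec[1], "255.255.255.255")
    return ip_matches(ip, spec[0], spec[1])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_addr_ok(rule.src, pkt.src_ip) and _addr_ok(rule.dst, pkt.dst_ip)):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.control_flag is not None:
        # control-flag exists only on the tcp form of the command.
        return pkt.protocol == "tcp" and flags_match(pkt.tcp_flags, *rule.control_flag)
    return True


def evaluate(acl, pkt: Packet) -> Optional[str]:
    """Walk the list in entry order; first matching rule wins (assumption).
    Returns None when nothing matched; the guide does not state what the
    switch does with such a packet, so the model does not guess."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# The guide's standard ACL "david", in the order its rules were entered.
STANDARD_DAVID = [
    Rule("permit", src=("host", "10.1.1.21")),
    Rule("permit", src=("168.92.16.0", "255.255.240.0")),
]

# An extended list built from the guide's control-flag examples:
# "2 18" = SYN set and ACK clear (a new connection attempt),
# "2 2"  = SYN set, ACK ignored (so SYN/ACK replies match as well).
EXTENDED_SYN = [
    Rule("deny", src=("192.168.1.0", "255.255.255.0"), protocol="tcp",
         control_flag=(SYN, SYN | ACK)),                 # control-flag 2 18
    Rule("permit", src=("192.168.1.0", "255.255.255.0"), protocol="tcp",
         control_flag=(SYN, SYN)),                       # control-flag 2 2
    Rule("permit", src=("10.7.1.1", "255.255.255.0")),   # the guide's subnet rule
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.1.10", "10.0.0.1", "tcp", SYN),
                Packet("192.168.1.10", "10.0.0.1", "tcp", SYN | ACK),
                Packet("10.7.1.200", "10.0.0.1", "udp")):
        print(pkt, "->", evaluate(EXTENDED_SYN, pkt))
```

The non-contiguous mask 255.255.15.0 that appears in the guide's show output is legal under this model: it compares the low nibble of the third octet and ignores the high nibble, which is rarely what an operator intends, so check such masks against ip_matches before deploying them.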
Related Commands
ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
Syntax
ip access-group acl-name in [time-range time-range-name] [counter]
no ip access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-32 characters)
counter – Enables counter for ACL statistics.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
IP access-list david in
Console#
Related Commands
show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.16.0 255.255.240.0
Console#
Related Commands
permit, deny, redirect-to (353)
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Table 66: IPv6 ACL Commands (Command – Function (Mode))
access-list ipv6 – Creates an IPv6 ACL and enters configuration mode for standard or extended IPv6 ACLs (GC)
permit, deny (Standard IPv6 ACL) – Filters packets matching a specified source IPv6 address (IPv6-STD-ACL)
permit, deny (Extended IPv6 ACL) – Filters packets meeting the specified criteria, including destination IPv6 address, DSCP traffic class, or next header type (IPv6-EXT-ACL)
ipv6 access-group – Adds a port to an IPv6 ACL (IC)
show ipv6 access-group – Shows port assignments for IPv6 ACLs (PE)
show ipv6 access-list – Displays the rules for configured IPv6 ACLs (PE)
access-list ipv6
This command adds an IPv6 access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ipv6 {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the destination IP address, and other more specific criteria.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (Standard IPv6 ACL) (359)
permit, deny (Extended IPv6 ACL) (360)
permit, deny
(Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
{permit | deny}
{any | host source-ipv6-address | source-ipv6-address/prefix-length}
[time-range time-range-name]
no {permit | deny} {any | host source-ipv6-address |
source-ipv6-address/prefix-length}
any – Any source IP address.
host – Keyword followed by a specific IP address.
source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128)
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Standard IPv6 ACL
Command Usage
New rules are appended to the end of the list.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands
permit, deny
(Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, DSCP traffic class, or next header type. Use the no form to remove a rule.
Syntax
{permit | deny}
{any | host source-ipv6-address |
source-ipv6-address[/prefix-length]}
{any | destination-ipv6-address/prefix-length}
[dscp dscp] [next-header next-header]
[time-range time-range-name]
no {permit | deny} {any | host source-ipv6-address |
source-ipv6-address[/prefix-length]}
{any | destination-ipv6-address/prefix-length}
[dscp dscp] [next-header next-header]
any – Any IP address (an abbreviation for the IPv6 prefix ::/0).
host – Keyword followed by a specific source IP address.
source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (The switch only checks the first 64 bits of the destination address.)
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 for the source prefix. For the destination prefix only the first 64 bits of the address are compared, as noted above, so a destination prefix longer than 64 bits is matched only on those 64 bits.)
dscp – DSCP traffic class. (Range: 0-63)
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Extended IPv6 ACL
Command Usage
◆ All new rules are appended to the end of the list.
◆ Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value. IPv6 supports the values defined for the IPv4 Protocol field in RFC 1700, including these commonly used headers:
0 : Hop-by-Hop Options (RFC 2460)
6 : TCP Upper-layer Header (RFC 1700)
17 : UDP Upper-layer Header (RFC 1700)
43 : Routing (RFC 2460)
44 : Fragment (RFC 2460)
50 : Encapsulating Security Payload (RFC 2406)
51 : Authentication (RFC 2402)
60 : Destination Options (RFC 2460)
Example
This example accepts any incoming packets if the destination address is
2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43 (Routing).
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43
Console(config-ext-ipv6-acl)#
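Prefix matching for the Standard and Extended IPv6 ACL rules above, including the note that the switch only checks the first 64 bits of the destination address, as an added Python example that is not code from the guide or from the switch firmware. It evaluates the guide's three example rules and then shows the practical consequence of the 64-bit destination check: a rule written for a single destination host behaves like a /64. Assumptions of the model: first-match evaluation in entry order, None for an unmatched packet, a bare source address without /prefix-length treated as /128, and the 64-bit limit applying to the destination only, since the guide mentions it only there.

```python
"""Model of IPv6 ACL prefix matching as described in the guide (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

DEST_BITS_CHECKED = 64    # per the guide: only the first 64 bits of the destination are checked
SRC_BITS_CHECKED = 128    # assumption: the source prefix is compared in full


def prefix_matches(addr: str, prefix_addr: str, prefix_len: int, bits_checked: int = 128) -> bool:
    """True when the first min(prefix_len, bits_checked) bits of addr equal those
    of prefix_addr. 'any' is ::/0, i.e. prefix_len 0, which matches every address."""
    n = min(prefix_len, bits_checked)
    mask = ((1 << n) - 1) << (128 - n)
    a = int(ipaddress.IPv6Address(addr))
    p = int(ipaddress.IPv6Address(prefix_addr))
    return (a & mask) == (p & mask)


def parse_spec(spec: str) -> Tuple[str, int]:
    """Turn 'any', 'host X' or 'X/len' into (address, prefix_len)."""
    if spec == "any":
        return "::", 0
    if spec.startswith("host "):
        return spec[len("host "):], 128
    addr, _, plen = spec.partition("/")
    return addr, int(plen) if plen else 128     # bare address = /128 (assumption)


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    dscp: Optional[int] = None
    next_header: Optional[int] = None


@dataclass(frozen=True)
class Packet:                          # constructed test input, not a real capture
    src: str
    dst: str
    dscp: int = 0
    next_header: int = 6               # TCP unless stated


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    s_addr, s_len = parse_spec(rule.src)
    d_addr, d_len = parse_spec(rule.dst)
    if not prefix_matches(pkt.src, s_addr, s_len, SRC_BITS_CHECKED):
        return False
    if not prefix_matches(pkt.dst, d_addr, d_len, DEST_BITS_CHECKED):
        return False
    if rule.dscp is not None and rule.dscp != pkt.dscp:
        return False
    if rule.next_header is not None and rule.next_header != pkt.next_header:
        return False
    return True


def evaluate(acl, pkt: Packet) -> Optional[str]:
    """First matching rule wins (assumption); None if no rule matched."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return None


def effective_dst_prefix(spec: str) -> int:
    """Prefix length actually compared for a destination spec, given the 64-bit limit."""
    return min(parse_spec(spec)[1], DEST_BITS_CHECKED)


# The guide's example rules, with an explicit source of 'any' where the guide
# shows only the destination. Note that the /8 rule shadows the rules after it
# for any destination in 2000::/8.
GUIDE_EXAMPLES = [
    Rule("permit", dst="2009:DB9:2229::79/8"),
    Rule("permit", dscp=5),
    Rule("permit", dst="2009:DB9:2229::79/48", next_header=43),
]
ROUTING_HEADER_RULE = [Rule("permit", dst="2009:DB9:2229::79/48", next_header=43)]

# A destination host rule: narrower than what the switch compares.
DST_HOST_RULE = [Rule("permit", dst="host 2009:DB9:2229:5::79")]
SRC_HOST_RULE = [Rule("permit", src="host 2009:DB9:2229:5::79")]

if __name__ == "__main__":
    print("host dst rule compares", effective_dst_prefix("host 2009:DB9:2229:5::79"), "bits")
    print(evaluate(DST_HOST_RULE, Packet("fe80::1", "2009:db9:2229:5::80")))
```

The practical check before deploying a destination rule is effective_dst_prefix: anything it reports as 64 will admit (or block) every address sharing the rule's /64, not just the host named in the rule. Put host-specific conditions on the source side, or accept that destination filtering on this switch is per /64.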
Related Commands
ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Syntax
ipv6 access-group acl-name in [time-range time-range-name] [counter]
no ipv6 access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-32 characters)
counter – Enables counter for ACL statistics.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ A port can only be bound to one ACL.
◆ If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
◆ IPv6 ACLs can only be applied to ingress packets.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#ipv6 access-group standard david in
Console(config-if)#
Related Commands
show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ipv6 access-group
Interface ethernet 1/2
IPv6 standard access-list david in
Console#
Related Commands
show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show ipv6 access-list standard
IPv6 standard access-list david:
permit host 2009:DB9:2229::79
permit 2009:DB9:2229:5::/64
Console#
Related Commands
permit, deny (Standard IPv6 ACL) (359)
permit, deny (Extended IPv6 ACL) (360)
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Table 67: MAC ACL Commands (Command – Function (Mode))
access-list mac – Creates a MAC ACL and enters configuration mode (GC)
permit, deny (MAC ACL) – Filters packets matching a specified source and destination address, packet format, and Ethernet type. They can be further specified using optional IP and IPv6 addresses including protocol type and upper layer ports. (MAC-ACL)
mac access-group – Binds a MAC ACL to a port (IC)
show mac access-group – Shows port assignments for MAC ACLs (PE)
show mac access-list – Displays the rules for configured MAC ACLs (PE)
access-list mac
This command enters MAC ACL configuration mode. Rules can be added to filter packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also be used to filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types. Use the no form to remove the specified ACL.
Syntax
[no] access-list mac acl-name
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands
permit, deny, redirect-to (365)
permit, deny
(MAC
ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or
Ethernet protocol type. Use the no form to remove a rule.
Syntax
{permit | deny}
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[ethertype protocol [protocol-bitmask]]
[{ip {any | host source-ip | source-ip network-mask}
{any | host destination-ip | destination-ip network-mask} |
ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
{any | host destination-ipv6 | destination-ipv6/prefix-length}}
[protocol protocol]
[l4-source-port sport [port-bitmask]]
[l4-destination-port dport [port-bitmask]]]
[time-range time-range-name]
no {permit | deny | redirect-to interface}
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[ethertype protocol [protocol-bitmask]]
[{ip {any | host source-ip | source-ip network-mask}
{any | host destination-ip | destination-ip network-mask} |
ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
{any | host destination-ipv6 | destination-ipv6/prefix-length}}
[protocol protocol]
[l4-source-port sport [port-bitmask]]
[l4-destination-port dport [port-bitmask]]]
Note: The form above, with no packet-format keyword, is the default and applies to Ethernet II packets.
{permit | deny} tagged-eth2
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[ethertype protocol [protocol-bitmask]]
[{ip {any | host source-ip | source-ip network-mask}
{any | host destination-ip | destination-ip network-mask} |
ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
{any | host destination-ipv6 | destination-ipv6/prefix-length}}
[protocol protocol]
[l4-source-port sport [port-bitmask]]
[l4-destination-port dport [port-bitmask]]]
[time-range time-range-name]
no {permit | deny} tagged-eth2
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[ethertype protocol [protocol-bitmask]]
[{ip {any | host source-ip | source-ip network-mask}
{any | host destination-ip | destination-ip network-mask} |
ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
{any | host destination-ipv6 | destination-ipv6/prefix-length}}
[protocol protocol]
[l4-source-port sport [port-bitmask]]
[l4-destination-port dport [port-bitmask]]]
{permit | deny} untagged-eth2
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[ethertype protocol [protocol-bitmask]]
[{ip {any | host source-ip | source-ip network-mask}
{any | host destination-ip | destination-ip network-mask} |
ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
{any | host destination-ipv6 | destination-ipv6/prefix-length}}
[protocol protocol]
[l4-source-port sport [port-bitmask]]
[l4-destination-port dport [port-bitmask]]]
[time-range time-range-name]
no {permit | deny} untagged-eth2
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[ethertype protocol [protocol-bitmask]]
[{ip {any | host source-ip | source-ip network-mask}
{any | host destination-ip | destination-ip network-mask} |
ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
{any | host destination-ipv6 | destination-ipv6/prefix-length}}
[protocol protocol]
[l4-source-port sport [port-bitmask]]
[l4-destination-port dport [port-bitmask]]]
{permit | deny} tagged-802.3
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
[time-range time-range-name]
no {permit | deny} tagged-802.3
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[cos cos cos-bitmask] [vid vid vid-bitmask]
{permit | deny} untagged-802.3
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
[time-range time-range-name]
no {permit | deny} untagged-802.3
{any | host source | source address-bitmask}
{any | host destination | destination address-bitmask}
tagged-eth2 – Tagged Ethernet II packets.
untagged-eth2 – Untagged Ethernet II packets.
tagged-802.3 – Tagged Ethernet 802.3 packets.
untagged-802.3 – Untagged Ethernet 802.3 packets.
any – Any MAC source or destination address.
host – A specific MAC address.
source – Source MAC, IPv4 or IPv6 address.
destination – Destination MAC, IPv4 or IPv6 address.
address-bitmask – Bitmask for MAC address (in hexadecimal format). For all bitmasks, binary “1” means care and “0” means ignore.
network-mask – Network mask for IP subnet. This mask identifies the host address bits used for routing to specific subnets.
prefix-length - Length of IPv6 prefix. A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128)
cos – Class-of-Service value. (Range: 0-7)
cos-bitmask – Class-of-Service bitmask. (Range: 0-7)
vid – VLAN ID. (Range: 1-4094)
vid-bitmask – VLAN bitmask. (Range: 1-4095)
ethertype – A specific Ethernet protocol number. (Range: 0-ffff hex)
ethertype-bitmask – Protocol bitmask. (Range: 0-ffff hex)
protocol - IP protocol. (Range: 0-255)
protocol-bitmask – Protocol bitmask. (Range: 600-ffff hex)
sport – Protocol source port number (TCP, UDP or other protocol type). (Range: 0-65535)
dport – Protocol destination port number (TCP, UDP or other protocol type). (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
MAC ACL
Command Usage
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
■ 0800 - IP
■ 0806 - ARP
■ 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address
00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#
Related Commands
mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
Syntax
mac access-group acl-name in [time-range time-range-name] [counter]
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-16 characters)
counter – Enables counter for ACL statistics.
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
Related Commands
show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
MAC access-list M5 in
Console#
Related Commands
show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
permit any host 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands
permit, deny, redirect-to (365)
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Table 68: ARP ACL Commands (Command – Function (Mode))
access-list arp – Creates an ARP ACL and enters configuration mode (GC)
permit, deny (ARP ACL) – Filters packets matching a specified source or destination address in ARP messages (ARP-ACL)
show access-list arp – Displays the rules for configured ARP ACLs (PE)
show arp access-list – Displays the rules for configured ARP ACLs (PE)
access-list arp
This command adds an ARP access list and enters ARP ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[no] access-list arp acl-name
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
Example
Console(config)#access-list arp factory
Console(config-arp-acl)#
Related Commands
permit, deny
(ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Syntax
[no] {permit | deny}
ip {any | host source-ip | source-ip ip-address-bitmask}
mac {any | host source-mac | source-mac mac-address-bitmask} [log]
The form above matches both ARP request and ARP response packets. The forms below restrict a rule to one or the other; only the response form can also match the destination (target) addresses.
[no] {permit | deny} request
ip {any | host source-ip | source-ip ip-address-bitmask}
mac {any | host source-mac | source-mac mac-address-bitmask} [log]
[no] {permit | deny} response
ip {any | host source-ip | source-ip ip-address-bitmask}
{any | host destination-ip | destination-ip ip-address-bitmask}
mac {any | host source-mac | source-mac mac-address-bitmask}
[any | host destination-mac | destination-mac mac-address-bitmask] [log]
source-ip – Source IP address.
destination-ip – Destination IP address with bitmask.
ip-address-bitmask – IPv4 address mask representing the address bits to match. For all bitmasks, binary “1” means care and “0” means ignore.
source-mac – Source MAC address.
destination-mac – Destination MAC address range with bitmask.
mac-address-bitmask – Bitmask for MAC address (in hexadecimal format).
log - Logs a packet when it matches the access control entry.
Default Setting
None
Command Mode
ARP ACL
Command Usage
New rules are added to the end of the list.
Example
This rule permits ARP response packets from any source IP and MAC address to any destination IP address in the subnet 192.168.0.0 255.255.0.0.
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
Related Commands
show access-list arp
This command displays the rules for configured ARP ACLs.
Syntax
show access-list arp [acl-name]
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show access-list arp
ARP access-list factory:
permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#
Related Commands
permit, deny (ARP ACL)
show arp access-list
This command displays the rules for configured ARP ACLs.
Syntax
show arp access-list [acl-name]
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show arp access-list
ARP access-list factory:
permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#
Related Commands
ACL Information
This section describes commands used to display ACL information.
Table 69: ACL Information Commands (Command – Function (Mode))
clear access-list hardware counters – Clears hit counter for rules in all ACLs, or in a specified ACL (PE)
show access-group – Shows the ACLs assigned to each port (PE)
show access-list – Shows all ACLs and associated rules (PE)
clear access-list hardware counters
This command clears the hit counter for the rules in all ACLs, or for the rules in a specified ACL.
Syntax
clear access-list hardware counters
[direction {in | out} [interface interface]] |
[interface interface] | [name acl-name]
in – Clears counters for ingress rules.
out – Clears counters for egress rules.
interface – ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#clear access-list hardware counters
Console#
show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/2
IP access-list david
MAC access-list jerry
Console#
show access-list
This command shows all ACLs and associated rules.
Syntax
show access-list
[[arp [acl-name]] |
[ip [extended [acl-name] | standard [acl-name]] |
[ipv6 [extended [acl-name] | standard [acl-name]] |
[mac [acl-name]] | [tcam-utilization] | [hardware counters]]
arp – Shows ingress or egress rules for ARP ACLs.
hardware counters – Shows statistics for all ACLs. (Due to a hardware limitation, this option only displays statistics for permit rules.)
ip extended – Shows ingress rules for Extended IPv4 ACLs.
ip standard – Shows ingress rules for Standard IPv4 ACLs.
ipv6 extended – Shows ingress rules for Extended IPv6 ACLs.
ipv6 standard – Shows ingress rules for Standard IPv6 ACLs.
mac – Shows ingress rules for MAC ACLs.
tcam-utilization – Shows the user-configured ACL rules as a percentage of the total ACL rules supported.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show access-list
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.16.0 255.255.240.0
IP extended access-list bob:
permit 10.7.1.1 255.255.255.0 any
permit 192.168.1.0 255.255.255.0 any destination-port 80 80
permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
MAC access-list jerry:
permit any host 00-e0-29-94-34-de ethertype 800 800
IP extended access-list A6:
deny tcp any any control-flag 2 2
permit any any
Console#
10
Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Table 70: Interface Commands (Command – Function (Mode); the command column survived only for some rows)
Interface Configuration
interface – Configures an interface type and enters interface configuration mode (GC)
Configures an alias name for the interface (IC)
Advertises the capabilities of a given interface for use in autonegotiation (IC)
Adds a description to an interface configuration (IC)
Enables flow control on a given interface (IC)
Forces transceiver mode to use for ports (IC)
Enables autonegotiation of a given interface (IC)
Configures the speed and duplex operation of a given interface when autonegotiation is disabled (IC)
Clears statistics on an interface (PE)
Displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type (PE)
Displays statistics for the specified interfaces (NE, PE)
Displays status for the specified interface (NE, PE)
Displays the administrative and operational status of an interface (NE, PE)
Transceiver Threshold Configuration
Sends a trap when any of the transceiver’s operational values fall outside specified thresholds (IC)
Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent (IC)
Sets thresholds for transceiver current which can be used to trigger an alarm or warning message (IC)
transceiver-threshold rx-power – Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message (IC)
transceiver-threshold temperature – Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message (IC)
transceiver-threshold tx-power – Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message (IC)
Sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message (IC)
Displays the temperature, voltage, bias current, transmit power, and receive power (PE)
show interfaces transceiver-threshold – Displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power (PE)
Cable Diagnostics
Performs cable diagnostics on the specified port (PE)
Shows the results of a cable diagnostics test (PE)
Power Savings
Enables power savings mode on the specified port (IC)
Shows the configuration settings for power savings (PE)
Interface Configuration
interface
This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface.
Syntax
[no] interface interface-list
interface-list – One or more ports. Use a hyphen to indicate a consecutive list of ports or a comma between non-consecutive ports.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
vlan vlan-id (Range: 1-4094)
Default Setting
None
Command Mode
Global Configuration
Example
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#shutdown
alias
This command configures an alias name for the interface. Use the no form to remove the alias name.
Syntax
alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface.
Example
The following example adds an alias to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#alias finance
Console(config-if)#
capabilities
This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Syntax
[no] capabilities { 10000full | 1000full | 100full | 100half | 10full | 10half | flowcontrol }
10000full - Supports 10 Gbps full-duplex operation
1000full - Supports 1 Gbps full-duplex operation
100full - Supports 100 Mbps full-duplex operation
100half - Supports 100 Mbps half-duplex operation
10full - Supports 10 Mbps full-duplex operation
10half - Supports 10 Mbps half-duplex operation
flowcontrol - Supports flow control
Default Setting
100BASE-FX: 100full (SFP)
1000BASE-T: 10half, 10full, 100half, 100full, 1000full
1000BASE-SX/LX/LH (SFP): 1000full
10GBASE-SR/LR/ER (XFP): 10000full
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Example
The following example configures Ethernet port 5 capabilities to include 100half and 100full.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.
Example
The following example adds a description to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#description RD-SW#3
Console(config-if)#
flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[no] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation.
◆ To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface.
◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, “flowcontrol” must be included in the capabilities list for any port.
Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
capabilities (flowcontrol, symmetric) (page 379)
media-type
This command forces the transceiver mode to use for ports. Use the no form to restore the default mode.
Syntax
media-type sfp-forced [mode]
no media-type
1000sfp - Forces the port to use 1000BASE SFP mode
100fx - Forces the port to use 100BASE-FX mode
Default Setting
None
Command Mode
Interface Configuration (SFP Ports)
Example
This forces the switch to use the 1000sfp mode for SFP port 28.
Console(config)#interface ethernet 1/28
Console(config-if)#media-type sfp-forced 1000sfp
Console(config-if)#
negotiation
This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.
Syntax
[no] negotiation
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
◆ If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands
shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior
(e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.
Example
The following example disables port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#
speed-duplex
This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
Syntax
speed-duplex { 10000full | 100full | 100half | 10full | 10half }
no speed-duplex
10000full - Forces 10 Gbps full-duplex operation
100full - Forces 100 Mbps full-duplex operation
100half - Forces 100 Mbps half-duplex operation
10full - Forces 10 Mbps full-duplex operation
10half - Forces 10 Mbps half-duplex operation
Default Setting
◆ Auto-negotiation is enabled by default.
◆ When auto-negotiation is disabled, the default speed-duplex setting is:
■ 1000BASE-T ports – 100full (100 Mbps full-duplex)
■ 10 Gigabit Ethernet ports – 10000full (10 Gbps full-duplex)
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches.
◆ To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface.
Example
The following example configures port 5 to 100 Mbps, half-duplex operation.
Console(config)#interface ethernet 1/5
Console(config-if)#speed-duplex 100half
Console(config-if)#no negotiation
Console(config-if)#
Related Commands
clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Example
The following example clears statistics on port 5.
Console#clear counters ethernet 1/5
Console#
show interfaces brief
This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
Command Mode
Privileged Exec
Command Usage
◆ If an SFP transceiver is inserted in a port, the Type field will show the SFP type as interpreted from the Ethernet Compliance Codes (Data Byte 6 in Address A0h). The Ethernet Compliance Code is a bitmap value in which exactly one bit is expected to be set. If the value read is not recognizable (e.g., two or more bits set, or all zeros), the Type field displays the raw data as a hexadecimal value.
◆ The Type field will always display “NA” for a trunk entry because a trunk allows for mixed port types such as 1000Base T and 1000Base SFP.
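How the Type field is derived from byte 6 of the A0h page, as an added Python example (not the switch's code and not from this guide): the bit-to-name mapping is taken from the SFF-8472 specification, and the A0h page fragments below are constructed sample input.

```python
"""Decode the Type field of 'show interfaces brief' from an SFP's A0h page.

Added example, not switch firmware. It applies the rule in the Command Usage:
byte 6 of the A0h page (the SFF-8472 Ethernet Compliance Codes) is a bitmap
in which exactly one bit should be set; any other pattern is shown as raw hex,
and a trunk entry always shows "NA". Bit names are from SFF-8472 (assumption:
the switch labels them the same way).
"""

# SFF-8472 A0h byte 6, Ethernet Compliance Codes: bit position -> interface type.
ETH_COMPLIANCE_CODES = {
    0: "1000BASE-SX",
    1: "1000BASE-LX",
    2: "1000BASE-CX",
    3: "1000BASE-T",
    4: "100BASE-LX/LX10",
    5: "100BASE-FX",
    6: "BASE-BX10",
    7: "BASE-PX",
}


def decode_eth_compliance(byte6: int) -> str:
    """Return the port type name, or the raw hex value if the bitmap is not clean."""
    if not 0 <= byte6 <= 0xFF:
        raise ValueError("byte 6 must be a single byte value")
    # Exactly one bit set <=> non-zero power of two.
    if byte6 != 0 and byte6 & (byte6 - 1) == 0:
        return ETH_COMPLIANCE_CODES[byte6.bit_length() - 1]
    return f"0x{byte6:02X}"


def type_field(a0_page: bytes, is_trunk: bool = False) -> str:
    """Produce the Type column for one entry of 'show interfaces brief'."""
    if is_trunk:
        return "NA"  # a trunk may mix port types, so no single type is shown
    if len(a0_page) < 7:
        raise ValueError("A0h page must contain at least bytes 0-6")
    return decode_eth_compliance(a0_page[6])


# Constructed A0h page fragments (bytes 0-5 arbitrary, byte 6 is the code).
A0_PAGE_1000BASE_T = bytes([0x03, 0x04, 0x07, 0x00, 0x00, 0x00, 0x08])
A0_PAGE_UNRECOGNISED = bytes([0x03, 0x04, 0x07, 0x00, 0x00, 0x00, 0x03])

if __name__ == "__main__":
    print(type_field(A0_PAGE_1000BASE_T))                 # 1000BASE-T
    print(type_field(A0_PAGE_UNRECOGNISED))               # 0x03
    print(type_field(A0_PAGE_1000BASE_T, is_trunk=True))  # NA
```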
Example
Console#show interfaces brief
Interface Name Status PVID Pri Speed/Duplex Type Trunk
--------- ------------------ ------- ---- --- ------------- ----------- -----
Eth 1/ 1 Up 1 0 Auto-100full 1000BASE-T None
Eth 1/ 2 Down 1 0 Auto 1000BASE-T None
Eth 1/ 3 Down 1 0 Auto 1000BASE-T None
Eth 1/ 4 Down 1 0 Auto 1000BASE-T None
Eth 1/ 5 Down 1 0 Auto 1000BASE-T None
Eth 1/ 6 Down 1 0 Auto 1000BASE-T None
.
show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics” in the System Reference Guide.
Example
Console#show interfaces counters ethernet 1/17
Ethernet 1/ 17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
19806 Unicast Output
0 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Receive Errors
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octets Input in kbits per second
0 Packets Input per second
0.00 % Input Utilization
0 Octets Output in kbits per second
0 Packets Output per second
0.00 % Output Utilization
Console#
show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
Console#show interfaces status ethernet 1/21
Information of Eth 1/21
Port Type : 1000BASE-T
MAC Address : B4-0E-DC-34-E6-3D
Configuration:
Name :
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Broadcast Storm : Enabled
Broadcast Storm Limit : 500 packets/second
Multicast Storm : Disabled
Multicast Storm Limit : 500 packets/second
Unknown Unicast Storm : Disabled
Unknown Unicast Storm Limit : 500 packets/second
Flow Control : Disabled
VLAN Trunking : Disabled
LACP : Disabled
Media Type : None
Giga PHY Mode : Master
Current Status:
Link Status : Up
Port Operational Status : Up
Console#
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
Syntax
show interfaces switchport [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 21.
Console#show interfaces switchport ethernet 1/21
Information of Eth 1/21
Broadcast Threshold : Enabled, 500 packets/second
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
LACP Status : Disabled
Ingress Rate Limit : Disabled, 1000M bits per second
Egress Rate Limit : Disabled, 1000M bits per second
VLAN Membership Mode : Hybrid
Ingress Rule : Disabled
Acceptable Frame Type : All frames
Native VLAN : 1
Priority for Untagged Traffic : 0
GVRP Status : Disabled
Allowed VLAN : 1(u)
Forbidden VLAN :
802.1Q-Tunnel Status : Disable
802.1Q-Tunnel Mode : NORMAL
802.1Q-Tunnel TPID : 8100(Hex)
Layer 2 Protocol Tunnel : None
Console#
Table 71: show interfaces switchport - display description
Field – Description
Broadcast Threshold – Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level.
Multicast Threshold – Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level.
Unknown Unicast Threshold – Shows if unknown unicast storm suppression is enabled or disabled; if enabled it also shows the threshold level.
LACP Status – Shows if Link Aggregation Control Protocol has been enabled or disabled.
Ingress/Egress Rate Limit – Shows if rate limiting is enabled, and the current rate limit (page 765).
VLAN Membership Mode – Indicates membership mode as Trunk or Hybrid (page 508).
Ingress Rule – Shows if ingress filtering is enabled or disabled.
Acceptable Frame Type – Shows if acceptable VLAN frames include all types or tagged frames only.
Native VLAN – Indicates the default Port VLAN ID (page 509).
Priority for Untagged Traffic – Indicates the default priority for untagged frames.
GVRP Status – Shows if GARP VLAN Registration Protocol is enabled or disabled.
Allowed VLAN – Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 506).
Forbidden VLAN – Shows the VLANs this interface can not dynamically join via GVRP.
802.1Q-tunnel Status – Shows if 802.1Q tunnel is enabled on this interface.
802.1Q-tunnel Mode – Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink.
802.1Q-tunnel TPID – Shows the Tag Protocol Identifier used for learning and switching packets.
Layer 2 Protocol Tunnel – Shows if L2 Protocol Tunnel is enabled for spanning tree protocol.
Transceiver Threshold Configuration
transceiver-monitor
This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
Syntax
[no] transceiver-monitor
Default Setting
Disabled
Command Mode
Interface Configuration (SFP Ports)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-monitor
Console(config-if)#
transceiver-threshold-auto
This command uses default threshold settings obtained from the transceiver to determine when an alarm or warning message should be sent. Use the no form to disable this feature.
Syntax
[no] transceiver-threshold-auto
Default Setting
Enabled
Command Mode
Interface Configuration (SFP Ports)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold-auto
Console(config-if)#
transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message.
Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm |
low-warning} threshold-value
high-alarm – Sets the high current threshold for an alarm message.
high-warning – Sets the high current threshold for a warning message.
low-alarm – Sets the low current threshold for an alarm message.
low-warning – Sets the low current threshold for a warning message.
threshold-value – The threshold of the transceiver current.
(Range: 0-13100 in units of 0.01 mA)
Default Setting
High Alarm: 100 mA
High Warning: 90 mA
Low Warning: 7 mA
Low Alarm: 6 mA
Command Mode
Interface Configuration (SFP Ports)
Command Usage
◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
◆ If trap messages are enabled with the transceiver-monitor command, a low-threshold alarm or warning message is sent if the current value is less than or equal to the threshold, and the last sample value was greater than the threshold. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the low threshold and reaches the high threshold.
◆ Threshold events are triggered as described above so that event messages are not generated continuously if the sampled value fluctuates just above and below either the high threshold or the low threshold.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured to receive SNMP traps.
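The rising/falling rule in the bullets above, modelled as an added Python example (not the switch's software): threshold values are checked against the CLI ranges given on this page and converted from 0.01 units, the default rx-power thresholds are used, and the RX power readings are constructed. Treating the alarm and warning pairs independently, and the first sample as never generating an event, are assumptions.

```python
"""Model of the transceiver-threshold rising/falling event rule.

Added example, not the switch's own software. It implements the Command
Usage rule: a high-threshold event fires when a sample reaches the high
threshold from below, a low-threshold event when a sample reaches the low
threshold from above, and each is suppressed until the opposite threshold
has been reached. Assumptions: the alarm pair (high-alarm/low-alarm) and
warning pair (high-warning/low-warning) are tracked independently, and the
first sample never generates an event.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# threshold-value ranges from the CLI syntax (values are entered in 0.01 units).
THRESHOLD_RANGES = {
    "current": (0, 13100),           # 0.01 mA
    "rx-power": (-4000, 820),        # 0.01 dBm
    "tx-power": (-4000, 820),        # 0.01 dBm
    "temperature": (-12800, 12800),  # 0.01 degrees C
    "voltage": (0, 655),             # 0.01 V
}


def threshold_to_units(parameter: str, threshold_value: int) -> float:
    """Validate a CLI threshold-value and convert it to display units (mA, dBm, C, V)."""
    low, high = THRESHOLD_RANGES[parameter]
    if not low <= threshold_value <= high:
        raise ValueError(f"{parameter}: {threshold_value} outside range {low}-{high}")
    return threshold_value / 100.0


@dataclass
class ThresholdPair:
    """A high/low threshold pair (alarm or warning) with its hysteresis state."""
    name: str
    high: float
    low: float
    last: Optional[float] = None
    rising_armed: bool = True   # may a high-threshold event fire?
    falling_armed: bool = True  # may a low-threshold event fire?

    def sample(self, value: float) -> Optional[str]:
        """Feed one sample; return the event name it generates, if any."""
        event = None
        if self.last is not None:
            if self.rising_armed and value >= self.high and self.last < self.high:
                event = f"{self.name}-high"
                self.rising_armed = False
            elif self.falling_armed and value <= self.low and self.last > self.low:
                event = f"{self.name}-low"
                self.falling_armed = False
        # Re-arm: a rising event may repeat only after the value has come back
        # down to the low threshold; a falling event only after it has reached
        # the high threshold again.
        if value <= self.low:
            self.rising_armed = True
        if value >= self.high:
            self.falling_armed = True
        self.last = value
        return event


def rx_power_events(samples_dbm: List[float],
                    monitor_enabled: bool = True) -> List[Tuple[int, str]]:
    """Run samples through the default rx-power thresholds from this guide.

    Defaults: high-alarm -3.00, high-warning -3.50, low-warning -21.00,
    low-alarm -21.50 dBm. monitor_enabled mirrors the transceiver-monitor
    command: when it is disabled no trap is sent. Returns (index, event) pairs.
    """
    alarm = ThresholdPair("alarm",
                          high=threshold_to_units("rx-power", -300),
                          low=threshold_to_units("rx-power", -2150))
    warning = ThresholdPair("warning",
                            high=threshold_to_units("rx-power", -350),
                            low=threshold_to_units("rx-power", -2100))
    events: List[Tuple[int, str]] = []
    for i, value in enumerate(samples_dbm):
        for pair in (alarm, warning):
            event = pair.sample(value)
            if event and monitor_enabled:
                events.append((i, event))
    return events


# Constructed RX power readings (dBm): climb past both high thresholds, dip
# just below and back above high-alarm (no repeated event), then fall through
# both low thresholds and recover.
SAMPLE_RX_DBM = [-10.0, -3.4, -2.9, -3.2, -2.8, -20.0, -21.2, -21.6, -21.0, -3.0]

if __name__ == "__main__":
    for index, event in rx_power_events(SAMPLE_RX_DBM):
        print(f"sample {index} ({SAMPLE_RX_DBM[index]:.2f} dBm): {event}")
```

Sample 4 (-2.8 dBm) crosses high-alarm from below again but produces nothing, because the alarm pair only re-arms once the reading has reached the low-alarm threshold.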
Example
The following example sets alarm thresholds for the transceiver current at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold current low-alarm 100
Console(config-if)#transceiver-threshold current high-alarm 700
Console(config-if)#
transceiver-threshold rx-power
This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.
Syntax
transceiver-threshold rx-power {high-alarm | high-warning | low-alarm |
low-warning} threshold-value
high-alarm – Sets the high power threshold for an alarm message.
high-warning – Sets the high power threshold for a warning message.
low-alarm – Sets the low power threshold for an alarm message.
low-warning – Sets the low power threshold for a warning message.
threshold-value – The power threshold of the received signal.
(Range: -4000 - 820 in units of 0.01 dBm)
Default Setting
High Alarm: -3.00 dBm
High Warning: -3.50 dBm
Low Warning: -21.00 dBm
Low Alarm: -21.50 dBm
Command Mode
Interface Configuration (SFP Ports)
Command Usage
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured to receive SNMP traps.
Example
The following example sets alarm thresholds for the signal power received at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console(config-if)#
transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message.
Syntax
transceiver-threshold temperature {high-alarm | high-warning | low-alarm
| low-warning} threshold-value
high-alarm – Sets the high temperature threshold for an alarm message.
high-warning – Sets the high temperature threshold for a warning message.
low-alarm – Sets the low temperature threshold for an alarm message.
low-warning – Sets the low temperature threshold for a warning message.
threshold-value – The threshold of the transceiver temperature.
(Range: -12800 - 12800 in units of 0.01 Celsius)
Default Setting
High Alarm: 75.00 °C
High Warning: 70.00 °C
Low Alarm: -123.00 °C
Low Warning: 0.00 °C
Command Mode
Interface Configuration (SFP Ports)
Command Usage
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured to receive SNMP traps.
Example
The following example sets alarm thresholds for the transceiver temperature at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold temperature low-alarm 97
Console(config-if)#transceiver-threshold temperature high-alarm -83
Console(config-if)#
transceiver-threshold tx-power
This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message.
Syntax
transceiver-threshold tx-power {high-alarm | high-warning | low-alarm |
low-warning} threshold-value
high-alarm – Sets the high power threshold for an alarm message.
high-warning – Sets the high power threshold for a warning message.
low-alarm – Sets the low power threshold for an alarm message.
low-warning – Sets the low power threshold for a warning message.
threshold-value – The power threshold of the transmitted signal.
(Range: -4000 - 820 in units of 0.01 dBm)
Default Setting
High Alarm: -9.00 dBm
High Warning: -9.50 dBm
Low Warning: -21.00 dBm
Low Alarm: -21.50 dBm
Command Mode
Interface Configuration (SFP Ports)
Command Usage
◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW).
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured to receive SNMP traps.
Example
The following example sets alarm thresholds for the signal power transmitted at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold tx-power low-alarm 8
Console(config-if)#transceiver-threshold tx-power high-alarm -3
Console(config-if)#
transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
Syntax
transceiver-threshold voltage {high-alarm | high-warning | low-alarm |
low-warning} threshold-value
high-alarm – Sets the high voltage threshold for an alarm message.
high-warning – Sets the high voltage threshold for a warning message.
low-alarm – Sets the low voltage threshold for an alarm message.
low-warning – Sets the low voltage threshold for a warning message.
threshold-value – The threshold of the transceiver voltage.
(Range: 0-655 in units of 0.01 Volt)
Default Setting
High Alarm: 3.50 Volts
High Warning: 3.45 Volts
Low Warning: 3.15 Volts
Low Alarm: 3.10 Volts
Command Mode
Interface Configuration (SFP Ports)
Command Usage
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured to receive SNMP traps.
Example
The following example sets alarm thresholds for the transceiver voltage at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold voltage low-alarm 4
Console(config-if)#transceiver-threshold voltage high-alarm 2
Console(config-if)#
show interfaces transceiver
This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the temperature, voltage, bias current, transmit power, and receive power.
Syntax
show interfaces transceiver [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. ()
Default Setting
Shows all SFP interfaces.
Command Mode
Privileged Exec
Command Usage
The switch can display diagnostic information for SFP modules which support the
SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers.
This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, and received optical power, and related alarm thresholds.
Example
Console#show interfaces transceiver ethernet 1/25
Information of Eth 1/25
Connector Type : LC
Fiber Type : [0x00]
Eth Compliance Codes : 1000BASE-ZX
Baud Rate : 1300 MBd
Vendor OUI : 00-00-5F
Vendor Name : SumitomoElectric
Vendor PN : SCP6G94-FN-BWH
Vendor Rev : Z
Vendor SN : SE08T712Z00006
Date Code : 10-09-14
DDM Info
Temperature : 35.64 degree C
Vcc : 3.25 V
Bias Current : 12.13 mA
TX Power : 2.36 dBm
RX Power : -24.20 dBm
DDM Thresholds
Low Alarm Low Warning High Warning High Alarm
----------- ------------ ------------ ------------ ------------
Temperature(Celsius) -45.00 -40.00 85.00 90.00
Voltage(Volts) 2.90 3.00 3.60 3.70
Current(mA) 1.00 3.00 50.00 60.00
TxPower(dBm) -11.50 -10.50 -2.00 -1.00
RxPower(dBm) -23.98 -23.01 -1.00 0.00
Console#
show interfaces transceiver-threshold
This command displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power.
Syntax
show interfaces transceiver-threshold [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. ()
Default Setting
Shows all SFP interfaces.
Command Mode
Privileged Exec
Command Usage
◆ The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical
Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic
Monitoring (DDM) in the command display, provides information on transceiver parameters including temperature, supply voltage, laser bias current, laser power, received optical power, and related alarm thresholds.
◆ The DDM thresholds displayed by this command only apply to ports which have a DDM-compliant transceiver inserted.
Example
Console#show interfaces transceiver-threshold ethernet 1/25
Information of Eth 1/25
DDM Thresholds
Transceiver-monitor : Disabled
Transceiver-threshold-auto : Enabled
Low Alarm Low Warning High Warning High Alarm
----------- ------------ ------------ ------------ ------------
Temperature(Celsius) -123.00 0.00 70.00 75.00
Voltage(Volts) 3.10 3.15 3.45 3.50
Current(mA) 6.00 7.00 90.00 100.00
TxPower(dBm) -12.00 -11.50 -9.50 -9.00
RxPower(dBm) -21.50 -21.00 -3.50 -3.00
Console#
Cable Diagnostics
test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.
Syntax
test cable-diagnostics interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Command Usage
◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods when the port link-up speed is 1 Gbps. DSP analyzes the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse. If the port link-up speed is not 1 Gbps, then the Time Domain Reflectometry (TDR) test method is used. TDR also detects a cable fault by sending a signal through the cable and reading the signal that is reflected back. However, TDR can only determine if a link is valid or faulty.
◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long.
◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length of each cable pair.
◆ Potential conditions which may be listed by the diagnostics include:
■ OK: Correctly terminated pair
■ Open: Open pair, no link partner
■ Short: Shorted pair
■ Not Supported: This message is displayed for Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps.
■ Impedance mismatch: Terminating impedance is not in the reference range.
◆ Ports are linked down while running cable diagnostics.
◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics.
Example
Console#test cable-diagnostics interface ethernet 1/23
Console#show cable-diagnostics interface ethernet 1/23
Port Type Link Status Pair A (meters) Pair B (meters) Last Update
-------- ---- ----------- ---------------- ---------------- -----------------
Eth 1/23 GE Up OK (21) OK (21) 2009-11-13 09:44:19
Console#
show cable-diagnostics
This command shows the results of a cable diagnostics test.
Syntax
show cable-diagnostics interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Command Usage
◆ The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics.
◆ For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters. For link-up ports, the accuracy is +/- 10 meters.
Example
Console#show cable-diagnostics interface ethernet 1/23
Port Type Link Status Pair A (meters) Pair B (meters) Last Update
-------- ---- ----------- ---------------- ---------------- -----------------
Eth 1/23 GE Up OK (21) OK (21) 2009-11-13 09:44:19
Console#
Power Savings
power-save
This command enables power savings mode on the specified port.
Syntax
[no] power-save
Command Mode
Interface Configuration (Ethernet, Ports 1-24/48)
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
◆ Power saving mode only applies to the Gigabit Ethernet RJ-45 ports, i.e., those using copper media.
◆ The power-saving methods provided by this switch include:
■ Power saving when there is no link partner:
Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists. When using power-savings mode, the switch checks for energy on the circuit to determine if there is a link partner. If none is detected, the switch automatically turns off the transmitter, and most of the receive circuitry (entering Sleep Mode). In this mode, the low-power energy-detection circuit continuously checks for energy on the cable. If none is detected, the MAC interface is also powered down to save additional energy. If energy is detected, the switch immediately turns on both the transmitter and receiver functions, and powers up the MAC interface.
■ Power saving when there is a link partner:
Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter. When cable length is shorter, power consumption can be reduced since signal attenuation is proportional to cable length. When power-savings mode is enabled, the switch analyzes cable length to determine whether or not it can reduce the signal amplitude used on a particular link.
Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power-save
Console(config-if)#
show power-save
This command shows the configuration settings for power savings.
Syntax
show power-save [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example
Console#show power-save interface ethernet 1/1
Power Saving Status:
Ethernet 1/1 : Enabled
Console#
11
Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
Table 72: Link Aggregation Commands

Command                              Function                                                                   Mode
Manual Configuration Commands
interface port-channel               Configures a trunk and enters interface configuration mode for the trunk   GC
port-channel load-balance            Sets the load-distribution method among ports in aggregated links          GC
channel-group                        Adds a port to a trunk                                                     IC (Ethernet)
Dynamic Configuration Commands
lacp                                 Configures LACP for the current interface                                  IC (Ethernet)
lacp admin-key                       Configures a port's administration key                                     IC (Ethernet)
lacp port-priority                   Configures a port's LACP port priority                                     IC (Ethernet)
lacp system-priority                 Configures a port's LACP system priority                                   IC (Ethernet)
lacp admin-key                       Configures a port channel's administration key                             IC (Port Channel)
lacp timeout                         Configures the timeout to wait for the next LACPDU                         IC (Port Channel)
Trunk Status Display Commands
show interfaces status port-channel  Shows trunk information                                                    NE, PE
show lacp                            Shows LACP information                                                     PE
show port-channel load-balance       Shows the load-distribution method used on aggregated links                PE
Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
◆ STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
Dynamically Creating a Port Channel –
Ports assigned to a common port channel must meet the following criteria:
◆ Ports must have the same LACP system priority.
◆ Ports must have the same port admin key (Ethernet Interface).
◆ If the port channel admin key (lacp admin-key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin-key - Ethernet Interface) used by the interfaces that joined the group.
◆ However, if the port channel admin key is set, then the port admin key must be set to the same value for a port to be allowed to join a channel group.
◆ If a link goes down, LACP port priority is used to select the backup link.
Manual Configuration Commands
port-channel load-balance
This command sets the load-distribution method among ports in aggregated links
(for both static and dynamic trunks). Use the no form to restore the default setting.
Syntax
port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
no port-channel load-balance
dst-ip - Load balancing based on destination IP address.
dst-mac - Load balancing based on destination MAC address.
src-dst-ip - Load balancing based on source and destination IP address.
src-dst-mac - Load balancing based on source and destination MAC address.
src-ip - Load balancing based on source IP address.
src-mac - Load balancing based on source MAC address.
Default Setting
src-dst-ip
Command Mode
Global Configuration
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
◆ To ensure that the switch traffic load is distributed evenly across all links in a trunk, select the source and destination addresses used in the load-balance calculation to provide the best result for trunk connections:
■ dst-ip: All traffic with the same destination IP address is output on the same link in a trunk. This mode works best for switch-to-router trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-server trunk links where the destination IP address is the same for all traffic.
■ dst-mac: All traffic with the same destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is destined for many different hosts. Do not use this mode for switch-to-router trunk links where the destination MAC address is the same for all traffic.
■ src-dst-ip: All traffic with the same source and destination IP address is output on the same link in a trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-ip: All traffic with the same source IP address is output on the same link in a trunk. This mode works best for switch-to-router or switch-to-server trunk links where traffic through the switch is received from many different hosts.
■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts.
Example
Console(config)#port-channel load-balance dst-ip
Console(config)#
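To see why the choice of mode matters, the following Python script, added here as a worked example and not part of the guide, simulates a two-port trunk carrying constructed switch-to-server and switch-to-router traffic under each load-balance mode and reports which modes collapse all flows onto one link. The hash (byte sum of the selected header fields modulo the number of links) is an assumption standing in for the switch's undocumented hardware hash; only the selection of header fields per mode comes from the description above, and the addresses and function names are the example's own.

```python
"""Show how each port-channel load-balance mode spreads flows over the member
links of a two-port trunk. Added example, not code from the guide; the hash
(byte sum of the selected fields, modulo the link count) is a stand-in for the
switch's undocumented hardware hash, so only the field selection per mode is
taken from the page."""
from collections import Counter

# Header fields each mode feeds into the hash, per the command description.
MODE_FIELDS = {
    "dst-ip":      ("dst_ip",),
    "dst-mac":     ("dst_mac",),
    "src-dst-ip":  ("src_ip", "dst_ip"),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip":      ("src_ip",),
    "src-mac":     ("src_mac",),
}

def select_link(flow, mode, n_links=2):
    """Pick the member link for one flow (stand-in hash, see module docstring)."""
    key = "|".join(flow[f] for f in MODE_FIELDS[mode]).encode()
    return sum(key) % n_links

def distribution(flows, mode, n_links=2):
    """Flows per member link, as a list indexed by link number."""
    counts = Counter(select_link(f, mode, n_links) for f in flows)
    return [counts.get(i, 0) for i in range(n_links)]

def is_polarized(dist):
    """True when every flow landed on one link: the trunk adds no bandwidth."""
    return sum(1 for n in dist if n) <= 1

def build_flows(n_hosts, dst_ips, dst_mac):
    """Constructed sample traffic: n_hosts clients, each with its own IP/MAC,
    sending to the given destination IP(s) through one destination MAC."""
    return [{
        "src_ip":  f"10.0.0.{i}",
        "src_mac": f"02-00-00-00-00-{i:02X}",
        "dst_ip":  dst_ips[(i - 1) % len(dst_ips)],
        "dst_mac": dst_mac,
    } for i in range(1, n_hosts + 1)]

# Switch-to-server trunk: every flow goes to the same server IP and MAC.
SERVER_FLOWS = build_flows(20, ["10.0.1.100"], "02-00-00-00-01-00")
# Switch-to-router trunk: many remote IPs, all reached through the router's MAC.
ROUTER_FLOWS = build_flows(20, [f"198.51.100.{k}" for k in range(1, 21)], "02-00-00-00-02-00")

def report(flows, label):
    for mode in MODE_FIELDS:
        d = distribution(flows, mode)
        print(f"{label:16} {mode:12} {d}  {'POLARIZED' if is_polarized(d) else 'spread'}")

if __name__ == "__main__":
    report(SERVER_FLOWS, "switch-to-server")
    report(ROUTER_FLOWS, "switch-to-router")
```

The two polarized cases are the ones the description warns about: dst-ip (and dst-mac) on a switch-to-server trunk, and dst-mac on a switch-to-router trunk. A polarized trunk still forwards, so the symptom is a saturated single member rather than an outage; checking the per-port counters of each member is the quickest way to confirm it.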
channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Syntax
channel-group channel-id no channel-group
channel-id - Trunk index (Range: 1-16)
Default Setting
The current port will be added to this trunk.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ When configuring static trunks, the switches must comply with the Cisco
EtherChannel standard.
◆ Use no channel-group to remove a port group from a trunk.
◆ Use no interface port-channel to remove a trunk from the switch.
Example
The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#
Dynamic Configuration Commands
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[no] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
◆ If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
Example
The following shows LACP enabled on ports 10-12. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Console(config)#interface ethernet 1/10
Console(config-if)#lacp
Console(config-if)#interface ethernet 1/11
Console(config-if)#lacp
Console(config-if)#interface ethernet 1/12
Console(config-if)#lacp
Console(config-if)#end
Console#show interfaces status port-channel 1
Information of Trunk 1
Basic Information:
Port Type : 1000T
MAC Address : 00-E0-0C-00-00-FF
Configuration:
Name :
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Broadcast Storm : Enabled
Broadcast Storm Limit : 500 packets/second
Multicast Storm : Disabled
Multicast Storm Limit : 500 packets/second
Unknown Unicast Storm : Disabled
Unknown Unicast Storm Limit : 500 packets/second
Flow Control : Disabled
VLAN Trunking : Disabled
MAC Learning : Enabled
Current Status:
Created By : User
Link Status : Up
Port Operational Status : Up
Operational Speed-Duplex : 100full
Member Ports : Eth1/10, Eth1/11, Eth1/12,
Console#
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG). (Range: 0-65535)
Default Setting
Actor: 1, Partner: 0
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin-key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin-key - Ethernet Interface) used by the interfaces that joined the group.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state.
◆ By default, the actor's operational key is determined by the port's link speed (1000f - 4, 100f - 3, 10f - 2), and copied to the admin key.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor admin-key 120
Console(config-if)#
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link. (Range: 0-65535)
Default Setting
32768
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Setting a lower value indicates a higher effective priority.
◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
◆ If an LAG already exists with the maximum number of allowed port members, and LACP is subsequently enabled on another port using a higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor port-priority 128
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535)
Default Setting
32768
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Ports must be configured with the same system priority to join the same LAG.
◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor system-priority 3
Console(config-if)#
lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
(Range: 0-65535)
Default Setting
0
Command Mode
Interface Configuration (Port Channel)
Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin-key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin-key - Ethernet Interface) used by the interfaces that joined the group. Note that when the LAG is no longer used, the port channel admin key is reset to 0.
◆ If the port channel admin key is set to a non-default value, the operational key is based upon LACP PDUs received from the partner, and the channel admin key is reset to the default value. The trunk identifier will also be changed by this process.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp admin-key 3
Console(config-if)#
lacp timeout
This command configures the timeout to wait for the next LACP data unit
(LACPDU). Use the no form to restore the default setting.
Syntax
lacp timeout {long | short}
no lacp timeout
long - Specifies a slow timeout of 90 seconds.
short - Specifies a fast timeout of 3 seconds.
Default Setting
long
Command Mode
Interface Configuration (Port Channel)
Command Usage
◆ The timeout configured by this command is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds.
◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group.
◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
◆ When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp timeout short
Console(config-if)#
Trunk Status Display Commands
show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sysid}
port-channel - Local identifier for a link aggregation group. (Range: 1-12)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.
sysid - Summary of system priority and MAC address for all channel groups.
Default Setting
Port Channel: all
Command Mode
Privileged Exec
Example
Console#show lacp 1 counters
Port Channel: 1
-------------------------------------------------------------------------
Eth 1/ 2
-------------------------------------------------------------------------
LACPDUs Sent : 12
LACPDUs Received : 6
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
.
Table 73: show lacp counters - display description

Field                 Description
LACPDUs Sent          Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received      Number of valid LACPDUs received on this channel group.
Marker Sent           Number of valid Marker PDUs transmitted from this channel group.
Marker Received       Number of valid Marker PDUs received by this channel group.
LACPDUs Unknown Pkts  Number of frames received that either (1) carry the Slow Protocols Ethernet Type value but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address but do not carry the Slow Protocols Ethernet Type.
LACPDUs Illegal Pkts  Number of frames that carry the Slow Protocols Ethernet Type value but contain a badly formed PDU or an illegal value of Protocol Subtype.
Console#show lacp 1 internal
Port Channel : 1
-------------------------------------------------------------------------
Oper Key : 3
Admin Key : 0
Timeout : long
Eth 1/ 1
-------------------------------------------------------------------------
LACPDUs Internal : 30 seconds
LACP System Priority : 32768
LACP Port Priority : 32768
Admin Key : 3
Oper Key : 3
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State : distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
Table 74: show lacp internal - display description

Field                 Description
Oper Key              Current operational value of the key for the aggregation port.
Admin Key             Current administrative value of the key for the aggregation port.
LACPDUs Internal      Number of seconds before invalidating received LACPDU information.
LACP System Priority  LACP system priority assigned to this port channel.
LACP Port Priority    LACP port priority assigned to this interface within the channel group.
Admin State,          Administrative or operational values of the actor's state parameters:
Oper State            ◆ Expired – The actor's receive machine is in the expired state.
                      ◆ Defaulted – The actor's receive machine is using defaulted operational partner information, administratively configured for the partner.
                      ◆ Distributing – If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information.
                      ◆ Collecting – Collection of incoming frames on this link is enabled; i.e., collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information.
                      ◆ Synchronization – The System considers this link to be IN_SYNC; i.e., it has been allocated to the correct Link Aggregation Group, the group has been associated with a compatible Aggregator, and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted.
                      ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
                      ◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
                      ◆ LACP-Activity – Activity control value with regard to this link. (0: Passive; 1: Active)
Console#show lacp 1 neighbors
Port Channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/ 1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-12-CF-61-24-2F
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0
Oper Key : 3
Admin State: defaulted, distributing, collecting,
synchronization, long timeout,
Oper State: distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
Table 75: show lacp neighbors - display description

Field                      Description
Partner Admin System ID    LAG partner's system ID assigned by the user.
Partner Oper System ID     LAG partner's system ID assigned by the LACP protocol.
Partner Admin Port Number  Current administrative value of the port number for the protocol partner.
Partner Oper Port Number   Operational port number assigned to this aggregation port by the port's protocol partner.
Port Admin Priority        Current administrative value of the port priority for the protocol partner.
Port Oper Priority         Priority value assigned to this aggregation port by the partner.
Admin Key                  Current administrative value of the Key for the protocol partner.
Oper Key                   Current operational value of the Key for the protocol partner.
Admin State                Administrative values of the partner's state parameters. (See preceding table.)
Oper State                 Operational values of the partner's state parameters. (See preceding table.)
Console#show lacp sysid
Port Channel System Priority System MAC Address
-------------------------------------------------------------------------
1 32768 00-30-F1-8F-2C-A7
2 32768 00-30-F1-8F-2C-A7
3 32768 00-30-F1-8F-2C-A7
4 32768 00-30-F1-8F-2C-A7
5 32768 00-30-F1-8F-2C-A7
6 32768 00-30-F1-8F-2C-A7
7 32768 00-30-F1-D4-73-A0
8 32768 00-30-F1-D4-73-A0
9 32768 00-30-F1-D4-73-A0
10 32768 00-30-F1-D4-73-A0
11 32768 00-30-F1-D4-73-A0
12 32768 00-30-F1-D4-73-A0
.
Table 76: show lacp sysid - display description

Field                 Description
Channel group         A link aggregation group configured on this switch.
System Priority *     LACP system priority for this channel group.
System MAC Address *  System MAC address.

* The LACP system priority and system MAC address are concatenated to form the LAG system ID.
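The state flags listed for Admin State and Oper State, the system priority plus MAC address that form the system ID, and the short/long setting of the lacp timeout command all map onto fields of the Actor Information TLV carried in every LACPDU. The following Python script is a worked example added here, not code from the guide or the vendor: it encodes and decodes the Actor State byte using the bit layout defined in IEEE 802.3ad, builds an Actor Information TLV from the values in the show lacp 1 internal output (priority 32768, key 3, port 1) and the system MAC from show lacp sysid, and applies the 3-second/90-second expiry rule from the lacp timeout description. The function names are the example's own.

```python
"""Encode/decode the 802.3ad Actor State byte and apply the LACP timeout
rules described under 'lacp timeout' and Table 74. Added example, not code
from the guide; the bit layout is IEEE 802.3ad's, the sample values are taken
from the 'show lacp 1 internal' and 'show lacp sysid' output on the page."""
import struct

# State byte bits, listed high bit first so decode_state() prints in the switch's order.
STATE_BITS = [
    (7, "expired"), (6, "defaulted"), (5, "distributing"), (4, "collecting"),
    (3, "synchronization"), (2, "aggregation"), (1, "LACP-timeout"), (0, "LACP-activity"),
]
NAME_TO_BIT = {name: bit for bit, name in STATE_BITS}
NAME_TO_BIT["short timeout"] = 1          # timeout bit set = short (fast) timeout

# (partner transmit interval, seconds before partner info expires) per mode,
# from the lacp timeout description.
TIMEOUT = {"short": (1, 3), "long": (30, 90)}

def encode_state(flags):
    """Build the state byte from flag names as the switch prints them."""
    byte = 0
    for name in flags:
        if name == "long timeout":        # long timeout is the cleared bit
            continue
        byte |= 1 << NAME_TO_BIT[name]
    return byte

def decode_state(byte):
    """Flag names in the order 'show lacp' lists them."""
    names = []
    for bit, name in STATE_BITS:
        if name == "LACP-timeout":
            names.append("short timeout" if byte >> bit & 1 else "long timeout")
        elif byte >> bit & 1:
            names.append(name)
    return names

def timeout_mode(state_byte):
    return "short" if state_byte >> 1 & 1 else "long"

def partner_expired(seconds_since_last_lacpdu, state_byte):
    """True when the receiver should discard partner info (the 'expired' state)."""
    return seconds_since_last_lacpdu > TIMEOUT[timeout_mode(state_byte)][1]

ACTOR_TLV = "!BBH6sHHHB3x"   # type, length, sys prio, sys MAC, key, port prio, port, state, pad

def build_actor_tlv(sys_prio, sys_mac, key, port_prio, port, state_byte):
    """Actor Information TLV (type 1, length 20 including the type/length bytes)."""
    mac = bytes(int(octet, 16) for octet in sys_mac.split("-"))
    return struct.pack(ACTOR_TLV, 1, 20, sys_prio, mac, key, port_prio, port, state_byte)

def parse_actor_tlv(tlv):
    tlv_type, length, sys_prio, mac, key, port_prio, port, state = struct.unpack(ACTOR_TLV, tlv)
    if tlv_type != 1 or length != 20:
        raise ValueError("not an Actor Information TLV")
    return {
        # system priority + MAC is the LAG system ID (Table 76 footnote)
        "system_id": (sys_prio, "-".join(f"{b:02X}" for b in mac)),
        "key": key, "port_priority": port_prio, "port": port,
        "state": decode_state(state), "timeout": timeout_mode(state),
    }

# Sample values from 'show lacp 1 internal' (Eth 1/1) and 'show lacp sysid'.
SAMPLE_STATE = encode_state(["distributing", "collecting", "synchronization",
                             "aggregation", "long timeout", "LACP-activity"])
SAMPLE_TLV = build_actor_tlv(32768, "00-30-F1-8F-2C-A7", 3, 32768, 1, SAMPLE_STATE)

if __name__ == "__main__":
    info = parse_actor_tlv(SAMPLE_TLV)
    print(f"state 0x{SAMPLE_STATE:02X}: {', '.join(info['state'])}")
    print("partner expired after 45 s without an LACPDU:", partner_expired(45, SAMPLE_STATE))
```

LACPDUs carry no authentication, so the values under show lacp neighbors are whatever the device at the far end of the cable put in its Actor TLV; a Partner Oper System ID or key that changes without a planned change on the peer switch is worth investigating rather than accepting.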
show port-channel load-balance
This command shows the load-distribution method used on aggregated links.
Command Mode
Privileged Exec
Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#
12
Power over Ethernet Commands
The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24 on the EX-3524 and RJ-45 ports 1-48 on the EX-3548.
The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
When a device is connected to a switch port, its power requirements are detected by the switch before power is supplied. If the power required by a device exceeds the power budget of the port or the whole switch, power is not supplied.
Table 77: PoE Commands

Command                             Function                                                                         Mode
power inline compatible             Provides power to pre-standard PoE devices                                       GC
power mainpower maximum allocation  Sets the maximum power available to all switch ports                             GC
power inline                        Turns power on and off for specific ports                                        IC
power inline maximum allocation     Sets the maximum power available to specific switch ports                        IC
power inline priority               Sets the priority for power supplied to specific ports                           IC
power inline time-range             Binds a time-range to a port during which PoE is supplied                        IC
show power inline status            Displays the current status of power management on specific ports or all ports  PE
show power inline time-range        Shows the time-range and current status for specific ports or for all ports      PE
power inline compatible
This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature.
Syntax
[no] power inline compatible
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device. When the power inline compatible command is used, this switch can detect IEEE 802.3af or 802.3at compliant devices as well as pre-standard devices that are not 802.3af compliant but also reflect the test voltages back to the switch. It cannot detect other legacy devices that do not reflect back the test voltages.
◆ For legacy devices to be supported by this switch, they must be able to accept power over the data pairs connected to the RJ-45 ports.
Example
Console(config)#power inline compatible
Console(config)#end
Console#show power inline status
Unit: 1
Compatible mode : Enabled
Time Max Used
Interface Admin Range Oper Power Power Priority
--------- -------- -------- ---- -------- -------- --------
Eth 1/ 1 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 2 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 3 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 4 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 5 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 6 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 7 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 8 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 9 Enabled -- Off 34200 mW 0 mW Low
Eth 1/10 Enabled -- Off 34200 mW 0 mW Low
Eth 1/11 Enabled -- Off 34200 mW 0 mW Low
Eth 1/12 Enabled -- Off 34200 mW 0 mW Low
.
.
power mainpower maximum allocation
This command defines a power budget for the switch (i.e., the power available to all switch ports). Use the no form to restore the default setting.
Syntax
power mainpower maximum allocation watts
watts - The power budget for the switch.
(EX-3524: 50000-390000 milliwatts
EX-3548: 50000-779000 milliwatts)
Default Setting
EX-3524: 390000 milliwatts
EX-3548: 779000 milliwatts
Command Mode
Global Configuration
Command Usage
◆ Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source.
◆ If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Example
Console(config)#power mainpower maximum allocation 180000
Console(config)#
Related Commands
power inline
This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port, or the no form with the time-range keyword to remove the time range settings.
Syntax
power inline [time-range time-range-name]
no power inline [time-range]
time-range-name - Name of a time-range during which PoE is supplied to the attached device. (Range: 1-32 characters)
Default Setting
Detection is enabled for PoE-compliant devices.
Command Mode
Interface Configuration (Ethernet ports 1-24/48)
Command Usage
◆ The switch only provides power to the Gigabit Ethernet copper-media ports.
◆ When detection is enabled for PoE-compliant devices, power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the port’s power budget or the switch’s power budget.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#no power inline
Console(config-if)#
Related Commands
power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.
Syntax
power inline maximum allocation milliwatts
no power inline maximum allocation
milliwatts - The maximum power budget for the port.
(Range: 3000 - 34200 milliwatts)
Default Setting
34200 milliwatts
Command Mode
Interface Configuration (Ethernet ports 1-24/48)
Command Usage
◆ For the EX-3524, the total PoE power delivered by all ports cannot exceed the maximum power budget of 390W. For the EX-3548, the total PoE power delivered by all ports cannot exceed the maximum power budget of 779W. All the RJ-45 ports support both the IEEE 802.3af and IEEE 802.3at standards. The maximum number of ports which can supply power simultaneously at the specified levels are shown in the following table.
Table 78: Maximum Number of Ports Providing Simultaneous Power
Switch     34.2W (802.3at)   15.4W (802.3af)   7.5W (802.3af)
EX-3524    11                24                24
EX-3548    22                48                48
◆ If a device is connected to a switch port and the switch detects that it requires more than the maximum power allocated to the port or to the overall switch, no power is supplied to the device (i.e., port power remains off).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000
Console(config-if)#
power inline priority
This command sets the power priority for specific ports. Use the no form to restore the default setting.
Syntax
power inline priority priority
no power inline priority
priority - The power priority for the port.
Options: 1 (critical), 2 (high), or 3 (low)
Default Setting
3 (low)
Command Mode
Interface Configuration
Command Usage
◆ If the power demand from devices connected to the switch exceeds the power budget setting as determined during bootup, the switch uses port power priority settings to control the supplied power. For example:
■ A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power.
■ If a device is connected to a critical or high-priority port and would cause the switch to exceed its power budget as determined during bootup, power is provided to the port only if the switch can drop power to one or more lower-priority ports and thereby remain within its overall budget.
■ If a device is connected to a port after the switch has finished booting up and would cause the switch to exceed its budget, power will not be provided to that port regardless of its priority setting.
■ If priority is not set for any ports, and PoE consumption exceeds the maximum power provided by the switch, power is shut down in the following sequence:
Table 79: PoE Shut Down Sequence
Switch     PoE Port Shut Down Sequence
EX-3524    PSE#1: 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1
           PSE#2: 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13
EX-3548    PSE#1: 1, 3, 2, 5, 4, 7, 6, 9, 8, 11, 10
           PSE#2: 13, 12, 15, 14, 17, 16, 19, 18, 21, 20, 23, 22, 25
           PSE#3: 24, 27, 26, 29, 28, 31, 30, 33, 32, 35, 34, 37
           PSE#4: 36, 39, 38, 41, 40, 43, 42, 45, 44, 47, 46
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline priority 2
Console(config-if)#
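The budget and priority rules of power mainpower maximum allocation, power inline maximum allocation and power inline priority, simulated in Python as an added example (not switch firmware): ports are served by priority, ports at equal priority are kept in the reverse of the Table 79 shutdown order, and a device attached after boot cannot reclaim power from ports that are already on. The 60 W budget scenario and the port demands are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Defaults of "power mainpower maximum allocation" per model (mW).
SWITCH_BUDGET_MW: Dict[str, int] = {"EX-3524": 390000, "EX-3548": 779000}
# Default of "power inline maximum allocation" (mW).
PORT_MAX_MW = 34200

# Table 79: the order in which ports are shut down when no priorities are set
# (first entry dropped first), copied as printed in the guide.
SHUTDOWN_SEQUENCE: Dict[str, List[int]] = {
    "EX-3524": [12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1,
                24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13],
    "EX-3548": [1, 3, 2, 5, 4, 7, 6, 9, 8, 11, 10,
                13, 12, 15, 14, 17, 16, 19, 18, 21, 20, 23, 22, 25,
                24, 27, 26, 29, 28, 31, 30, 33, 32, 35, 34, 37,
                36, 39, 38, 41, 40, 43, 42, 45, 44, 47, 46],
}


@dataclass
class PoePort:
    number: int
    demand_mw: int             # power requested by the detected powered device (0 = none)
    priority: int = 3          # power inline priority: 1 critical, 2 high, 3 low (default)
    max_mw: int = PORT_MAX_MW  # power inline maximum allocation
    powered: bool = False


def drop_rank(model: str, port: int) -> int:
    """Position of a port in the Table 79 shutdown sequence (lower = dropped earlier).
    Ports absent from the printed sequence are ranked last, i.e. kept longest."""
    seq = SHUTDOWN_SEQUENCE[model]
    return seq.index(port) if port in seq else len(seq)


def allocate_at_boot(model: str, ports: List[PoePort], budget_mw: Optional[int] = None) -> int:
    """Boot-time allocation following the power inline priority rules.

    Critical ports are served first, then high, then low; within one priority the
    ports the switch would shut down first are served last. Serving in that order
    means a higher-priority port gets power exactly when the switch could stay within
    budget by dropping lower-priority ports. A port whose demand exceeds its own
    allocation, or what is left of the switch budget, stays off. Returns committed mW.
    """
    remaining = SWITCH_BUDGET_MW[model] if budget_mw is None else budget_mw
    order = sorted(ports, key=lambda p: (p.priority, -drop_rank(model, p.number)))
    for p in order:
        fits = 0 < p.demand_mw <= p.max_mw and p.demand_mw <= remaining
        p.powered = fits
        if fits:
            remaining -= p.demand_mw
    return sum(p.demand_mw for p in ports if p.powered)


def attach_after_boot(model: str, ports: List[PoePort], number: int, demand_mw: int,
                      budget_mw: Optional[int] = None) -> bool:
    """A device plugged in after boot is powered only if it fits the unused budget;
    its priority cannot reclaim power from ports that are already on."""
    total = SWITCH_BUDGET_MW[model] if budget_mw is None else budget_mw
    port = next(p for p in ports if p.number == number)
    used = sum(p.demand_mw for p in ports if p.powered and p is not port)
    port.demand_mw = demand_mw
    port.powered = 0 < demand_mw <= port.max_mw and demand_mw <= total - used
    return port.powered


def demo() -> dict:
    """Constructed scenario: an EX-3524 whose budget was lowered to 60 W with
    'power mainpower maximum allocation 60000'."""
    ports = [
        PoePort(1, 30000, priority=1),   # critical, fits
        PoePort(5, 40000, priority=1),   # critical but above the 34200 mW port cap: never powered
        PoePort(2, 25000),               # low
        PoePort(12, 25000),              # low, first in the shutdown sequence
        PoePort(24, 15000),              # low, shut down only after ports 12..1
    ]
    committed = allocate_at_boot("EX-3524", ports, budget_mw=60000)
    powered = sorted(p.number for p in ports if p.powered)
    late_12 = attach_after_boot("EX-3524", ports, 12, 10000, budget_mw=60000)  # fits leftover
    late_2 = attach_after_boot("EX-3524", ports, 2, 20000, budget_mw=60000)    # does not fit
    return {"committed_mw": committed, "powered": powered,
            "late_port12": late_12, "late_port2": late_2}


if __name__ == "__main__":
    print(demo())
```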
power inline time-range
This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding.
Syntax
power inline time-range time-range-name
no power inline time-range
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline time-range rd
Console(config-if)#
Related Commands
show power inline status
This command displays the current power status for all ports or for specific ports.
Syntax
show power inline status [interface]
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example
Console#show power inline status
Unit: 1
Compatible mode : Enabled
Time Max Used
Interface Admin Range Oper Power Power Priority
--------- -------- -------- ---- -------- -------- --------
Eth 1/ 1 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 2 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 3 Enabled -- On 34200 mW 7505 mW Low
Eth 1/ 4 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 5 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 6 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 7 Enabled -- On 15400 mW 8597 mW Low
Eth 1/ 8 Enabled -- Off 15400 mW 0 mW Low
Eth 1/ 9 Enabled -- Off 15400 mW 0 mW Low
Eth 1/10 Enabled -- Off 15400 mW 0 mW Low
Eth 1/11 Enabled -- Off 15400 mW 0 mW Low
Eth 1/12 Enabled -- Off 15400 mW 0 mW Low
.
.
Table 80: show power inline status - display description
Field           Description
Admin           The power mode set on the port (see power inline)
Time Range      Time during which power is supplied
Oper            The current operating power status (displays on or off)
Power (mWatt)   The maximum power allocated to this port (see power inline maximum allocation)
Power (used)    The current power consumption on the port in milliwatts
Priority        The port’s power priority setting (see power inline priority)
show power inline time-range
This command displays the time-range and current status for specific ports or for all ports.
Syntax
show power inline time-range time-range-name [interface]
time-range-name - Name of the time range. (Range: 1-32 characters)
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example
Console#show power inline time-range ethernet 1/5
Interface Time Range Name Status
--------- ---------------- --------
Eth 1/ 5 r&d Inactive
Console#
Related Commands
show power mainpower
Use this command to display the current power status for the switch.
Command Mode
Privileged Exec
Example
This example shows the maximum available PoE power and maximum allocated PoE power for the EX-3524.
Console#show power mainpower
Unit 1 PoE Status
PoE Maximum Available Power : 390.0 Watts
PoE Maximum Allocation Power : 390.0 Watts
System Operation Status : On
PoE Power Consumption : 0.0 Watts
Software Version : Version 0068 (Hex), Build 00 (Hex)
Console#
13
Port Mirroring Commands
Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Table 81: Port Mirroring Commands
Command Group                   Function
Local Port Mirroring Commands   Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port
RSPAN Mirroring Commands        Mirrors data from remote switches over a dedicated VLAN
Local Port Mirroring Commands
This section describes how to mirror traffic from a source port to a target port.
Table 82: Mirror Port Commands
Command             Function                                    Mode
port monitor        Configures a mirror session                 IC
show port monitor   Shows the configuration for a mirror port   PE
port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
Syntax
port monitor {interface [rx | tx | both] | vlan vlan-id | mac-address mac-address | access-list acl-name}
no port monitor {interface | vlan vlan-id | mac-address mac-address | access-list acl-name}
interface - ethernet unit/port (source port)
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
rx - Mirror received packets.
tx - Mirror transmitted packets.
both - Mirror both received and transmitted packets.
vlan-id - VLAN ID (Range: 1-4094)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters)
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
Command Mode
Interface Configuration (Ethernet, destination port)
Command Usage
◆ You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner.
◆ Set the destination port by specifying an Ethernet interface with the interface configuration command, and then use the port monitor command to specify the source of the traffic to mirror. Note that the destination port cannot be a trunk or trunk member port.
◆ When mirroring traffic from a port, the mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. When mirroring traffic from a VLAN, traffic may also be dropped under heavy loads.
◆ When VLAN mirroring and port mirroring are both enabled, the target port can receive a mirrored packet twice; once from the source mirror port and again from the source mirror VLAN.
◆ When mirroring traffic from a MAC address, ingress traffic with the specified source address entering any port in the switch, other than the target port, will be mirrored to the destination port.
◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.
◆ When mirroring VLAN traffic or packets based on a source MAC address, the target port cannot be set to the same target port as that used for basic port mirroring.
◆ Spanning Tree BPDU packets are not mirrored to the target port.
◆ You can create multiple mirror sessions which can share the same destination port, or mirror traffic to different destination ports.
◆ The destination port cannot be a trunk or trunk member port.
◆ RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source ports and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. Also, RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it.
◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps:
1. Use the access-list command to add an ACL.
2. Use the access-group command to apply the ACL to the port to be mirrored.
3. Use the port monitor access-list command to specify the destination port to which traffic matching the ACL will be mirrored.
Example
The following example configures the switch to mirror all packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 both
Console(config-if)#
This example configures port 2 to monitor packets matching the MAC address 00-12-CF-XX-XX-XX received by port 1:
Console(config)#access-list mac m1
Console(config-mac-acl)#permit 00-12-cf-00-00-00 ff-ff-ff-00-00-00 any
Console(config-mac-acl)#exit
Console(config)#interface ethernet 1/1
Console(config-if)#mac access-group m1 in
Console(config-if)#interface ethernet 1/2
Console(config-if)#port monitor access-list m1
Console(config-if)#
show port monitor
This command displays mirror information.
Syntax
show port monitor [interface | vlan vlan-id | mac-address mac-address]
interface - ethernet unit/port (source port)
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
vlan-id - VLAN ID (Range: 1-4094)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Default Setting
Shows all sessions.
Command Mode
Privileged Exec
Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Example
The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination Port (listen port): Eth1/11
Source Port (monitored port) : Eth1/ 6
Mode :RX/TX
Console#
RSPAN Mirroring Commands
Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
Table 83: RSPAN Commands
Command             Function                                                                                              Mode
rspan               Creates a VLAN dedicated to carrying RSPAN traffic                                                    VC
rspan source        Specifies the source port and traffic type to be mirrored                                             GC
rspan destination   Specifies the destination port to monitor the mirrored traffic                                        GC
rspan remote vlan   Specifies the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports     GC
no rspan session    Deletes a configured RSPAN session                                                                    GC
show rspan          Displays the configuration settings for an RSPAN session                                              PE
Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 is prohibited.)
2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
RSPAN Limitations
The following limitations apply to the use of RSPAN on this switch:
◆ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface – source, destination, or uplink. Also, note that the source port and destination port cannot be configured on the same switch.
Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink or destination port – access ports are not allowed (see switchport mode).
◆ Local/Remote Mirror – The destination of a local mirror session (created with the port monitor command) cannot be used as the destination for RSPAN traffic. Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled, then no session can be configured for RSPAN.
◆ Spanning Tree – If the spanning tree is disabled, BPDUs will not be flooded onto the RSPAN VLAN. MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
◆ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it.
◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
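A pre-deployment check of an RSPAN session against the four configuration steps and the limitations listed above, written in Python as an added example (a hypothetical helper, not part of the switch software). It assumes unit 1 for all interfaces; the argument form of the VLAN-configuration-mode rspan command (`rspan vlan <id>` under `vlan database`) is not shown in this section and is assumed here.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RspanSwitch:
    """Intended RSPAN role of one switch plus the port state the limitations depend on."""
    name: str
    role: str                                   # source | intermediate | destination
    rspan_vlan: int
    port_mode: Dict[int, str]                   # switchport mode per port: access/trunk/hybrid
    sources: Dict[int, str] = field(default_factory=dict)   # source port -> rx/tx/both
    destination: Optional[int] = None
    destination_tagged: bool = False
    uplinks: List[int] = field(default_factory=list)
    trunk_members: Set[int] = field(default_factory=set)    # static or dynamic trunk members
    port_security: Set[int] = field(default_factory=set)
    dot1x_global: bool = False
    local_mirror: bool = False                  # a port monitor session already exists


def validate(sw: RspanSwitch) -> List[str]:
    """Return the RSPAN limitations from the guide that this configuration violates."""
    issues: List[str] = []
    if sw.rspan_vlan == 1:
        issues.append("default VLAN 1 cannot be used as the RSPAN VLAN")
    if sw.local_mirror:
        issues.append("a local port monitor session exists; only one mirror session is allowed")
    if sw.sources and sw.destination is not None:
        issues.append("source and destination ports cannot be configured on the same switch")
    if sw.role == "source" and len(sw.uplinks) > 1:
        issues.append("only one uplink port can be configured on a source switch")
    if sw.dot1x_global and sw.uplinks:
        issues.append("802.1X is enabled globally, so RSPAN uplink ports cannot be configured")

    kinds: Dict[int, List[str]] = {}
    for p in sw.sources:
        kinds.setdefault(p, []).append("source")
    if sw.destination is not None:
        kinds.setdefault(sw.destination, []).append("destination")
    for p in sw.uplinks:
        kinds.setdefault(p, []).append("uplink")

    for port, roles in sorted(kinds.items()):
        if len(roles) > 1:
            issues.append(f"port {port} is configured as more than one RSPAN type ({', '.join(roles)})")
        if port in sw.trunk_members:
            issues.append(f"port {port} is a trunk member and cannot be an RSPAN {roles[0]} port")
        if "uplink" in roles and port in sw.port_security:
            issues.append(f"port {port} has port security enabled and cannot be an RSPAN uplink port")
        for kind in roles:
            if kind in ("destination", "uplink") and sw.port_mode.get(port, "access") == "access":
                issues.append(f"port {port} is an access port and cannot be an RSPAN {kind} port")
    return issues


def render_cli(sw: RspanSwitch, session: int = 1) -> List[str]:
    """CLI lines in the order of the guide's four configuration steps.
    Step 1 runs in VLAN configuration mode; its argument form is assumed."""
    lines = ["vlan database", f"rspan vlan {sw.rspan_vlan}", "exit"]
    for port, kind in sorted(sw.sources.items()):
        lines.append(f"rspan session {session} source interface ethernet 1/{port} {kind}")
    if sw.destination is not None:
        tagging = "tagged" if sw.destination_tagged else "untagged"
        lines.append(f"rspan session {session} destination interface ethernet 1/{sw.destination} {tagging}")
    for up in sw.uplinks:
        lines.append(f"rspan session {session} remote vlan {sw.rspan_vlan} {sw.role} uplink ethernet 1/{up}")
    return lines


def demo() -> Dict[str, List[str]]:
    """Constructed three-switch deployment reusing the guide's example values
    (RSPAN VLAN 2, destination port 2, destination-side uplink port 3).
    For each switch the result is either its list of violations or its CLI."""
    src = RspanSwitch("src", "source", 2, {2: "access", 3: "access", 5: "trunk"},
                      sources={2: "rx", 3: "rx"}, uplinks=[5])
    mid = RspanSwitch("mid", "intermediate", 2, {1: "trunk", 2: "trunk"}, uplinks=[1, 2])
    dst = RspanSwitch("dst", "destination", 2, {2: "hybrid", 3: "trunk"},
                      destination=2, uplinks=[3])
    return {sw.name: (validate(sw) or render_cli(sw)) for sw in (src, mid, dst)}


if __name__ == "__main__":
    for name, lines in demo().items():
        print(name, *lines, sep="\n  ")
```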
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
Syntax
[no] rspan session session-id source interface interface-list [rx | tx | both]
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
interface-list – One or more source ports. Use a hyphen to indicate a consecutive list of ports or a comma between non-consecutive ports.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
rx - Mirror received packets.
tx - Mirror transmitted packets.
both - Mirror both received and transmitted packets.
Default Setting
Both TX and RX traffic is mirrored
Command Mode
Global Configuration
Command Usage
◆ One or more source ports can be assigned to the same RSPAN session, either on the same switch or on different switches.
◆ Only ports can be configured as an RSPAN source – static and dynamic trunks are not allowed.
◆ The source port and destination port cannot be configured on the same switch.
Example
The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic.
Use the no form to disable RSPAN on the specified port.
Syntax
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
tagged - Traffic exiting the destination port carries the RSPAN VLAN tag.
untagged - Traffic exiting the destination port is untagged.
Default Setting
Traffic exiting the destination port is untagged.
Command Mode
Global Configuration
Command Usage
◆ Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN destination port – access ports are not allowed (see switchport mode).
◆ Only ports can be configured as an RSPAN destination – static and dynamic trunks are not allowed.
◆ The source port and destination port cannot be configured on the same switch.
◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Example
The following example configures port 2 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/2
Console(config)#
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN.
Syntax
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
vlan-id - ID of configured RSPAN VLAN. (Range: 1-4094)
Use the rspan command to reserve a VLAN for RSPAN mirroring before enabling RSPAN with this command.
source - Specifies this device as the source of remotely mirrored traffic.
intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations.
destination - Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session.
uplink - A port configured to receive or transmit remotely mirrored traffic.
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode).
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN. Ports cannot be manually assigned to an RSPAN VLAN with the switchport allowed vlan command. Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#
no rspan session
Use this command to delete a configured RSPAN session.
Syntax
no rspan session session-id
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
Command Mode
Global Configuration
Command Usage
The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the rspan command).
Example
Console(config)#no rspan session 1
Console(config)#
show rspan
Use this command to display the configuration settings for an RSPAN session.
Syntax
show rspan session [session-id]
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
Command Mode
Privileged Exec
Example
Console#show rspan session
RSPAN Session ID : 1
Source Ports (mirrored ports) : None
RX Only : None
TX Only : None
BOTH : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode : Untagged
Switch Role : Destination
RSPAN VLAN : 2
RSPAN Uplink Ports : Eth 1/3
Operation Status : Up
Console#
14
Congestion Control Commands
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Table 84: Congestion Control Commands
Command Group                        Function
Rate Limit Commands                  Sets the input and output rate limits for a port.
Storm Control Commands               Sets the traffic storm threshold for each port.
Automatic Traffic Control Commands   Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Rate Limit Commands
Rate limit commands allow the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Packets that exceed the acceptable amount of traffic are dropped.
Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped.
Table 85: Rate Limit Commands
Command      Function                                                       Mode
rate-limit   Configures the maximum input or output rate for an interface   IC
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.
Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in kbps. (Range: 64-1000000 kbps)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 64
Console(config-if)#
Related Command
show interfaces switchport (389)
Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
You can protect your network from traffic storms by setting a threshold for broadcast, multicast or unknown unicast traffic. Any packets exceeding the specified threshold will then be dropped.
Table 86: Storm Control Commands
Command                      Function                                                                         Mode
switchport packet-rate *     Configures broadcast, multicast, and unknown unicast storm control thresholds    IC
show interfaces switchport   Displays the administrative and operational status of an interface               NE, PE
* Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control command.
switchport packet-rate
This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting.
Syntax
switchport {broadcast | multicast | unknown-unicast} packet-rate rate
no switchport {broadcast | multicast | unknown-unicast}
broadcast - Specifies storm control for broadcast traffic.
multicast - Specifies storm control for multicast traffic.
unknown-unicast - Specifies storm control for unknown unicast traffic.
rate - Threshold level as a rate. (Range: 500-1488100 pps)
Default Setting
Broadcast Storm Control: Enabled, 500 pps
Multicast Storm Control: Disabled
Unknown Unicast Storm Control: Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
◆ The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Example
The following shows how to configure broadcast storm control at 600 packets per second:
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast packet-rate 600
Console(config-if)#
Related Commands
show interfaces switchport (389)
Automatic Traffic Control Commands
Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Table 87: ATC Commands
Command                                                       Function                                                                                                                                   Mode
Threshold Commands
auto-traffic-control apply-timer                              Sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold                                GC
auto-traffic-control release-timer                            Sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold                       GC
auto-traffic-control *                                        Enables automatic traffic control for broadcast or multicast storms                                                                        IC (Port)
auto-traffic-control action                                   Sets the control action to limit ingress traffic or shut down the offending port                                                           IC (Port)
auto-traffic-control alarm-clear-threshold                    Sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent                                            IC (Port)
auto-traffic-control alarm-fire-threshold                     Sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires              IC (Port)
auto-traffic-control autocontrol-release                      Automatically releases a control response                                                                                                  IC (Port)
auto-traffic-control control-release                          Manually releases a control response                                                                                                       PE
SNMP Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear       Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered                   IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire        Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control                                                IC (Port)
snmp-server enable port-traps atc broadcast-control-apply     Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires                    IC (Port)
snmp-server enable port-traps atc broadcast-control-release   Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires   IC (Port)
snmp-server enable port-traps atc multicast-alarm-clear       Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered                   IC (Port)
snmp-server enable port-traps atc multicast-alarm-fire        Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control                                                IC (Port)
snmp-server enable port-traps atc multicast-control-apply     Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires                    IC (Port)
snmp-server enable port-traps atc multicast-control-release   Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires   IC (Port)
ATC Display Commands
show auto-traffic-control                                     Shows global configuration settings for automatic storm control                                                                            PE
show auto-traffic-control interface                           Shows interface configuration settings and storm control status for the specified port                                                    PE
* Enabling automatic storm control on a port will disable hardware-level storm control on the same port if configured by the switchport packet-rate command.
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 1: Storm Control by Limiting the Traffic Rate
The key elements of this diagram are described below:
◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it.
◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold and the release timer expires, traffic control (for rate limiting) is stopped and a Traffic Control Release Trap is sent and logged. Note that if the control action has shut down a port, the port can only be manually re-enabled using the auto-traffic-control control-release command.
◆ The traffic control response of rate limiting can be released automatically or manually. The control response of shutting down a port can only be released manually.
Figure 2: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described for the preceding diagram, except that automatic release of the control response is not provided.
When traffic control is applied, you must manually re-enable the port.
Functional Limitations
Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command. However, only one of these control types can be applied to a port. Enabling automatic storm control on a port will disable hardware-level storm control on that port.
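The control sequence described above (alarm fire threshold, apply timer, alarm clear threshold, release timer, and the difference between the rate-control and shutdown actions) is easier to reason about as a small model. The Python below is an added example written for this guide, not switch firmware. The AtcConfig fields mirror the CLI parameters and their defaults; the shortened timer values, the per-second traffic profile and the event names are constructed for illustration, and the handling of samples that fall between the two thresholds is this example's own assumption. It runs one constructed broadcast storm through three configurations and reports which traps would be generated and whether the port is released at the end.

```python
"""Model of the switch's Automatic Traffic Control (ATC) response sequence.

Added example for this guide, not the switch firmware. Thresholds are in
kilo-packets per second (Kpps) and timers in seconds, the CLI's own units.
Samples are the offered ingress rate, fed once per second.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str]  # (second, event name); names follow the four ATC traps


@dataclass
class AtcConfig:
    alarm_fire_threshold: int = 250     # auto-traffic-control ... alarm-fire-threshold (default 250)
    alarm_clear_threshold: int = 250    # auto-traffic-control ... alarm-clear-threshold (default 250)
    apply_timer: int = 300              # auto-traffic-control ... apply-timer (5-300, default 300)
    release_timer: int = 900            # auto-traffic-control ... release-timer (5-900, default 900)
    action: str = "rate-control"        # auto-traffic-control ... action {rate-control | shutdown}
    auto_control_release: bool = False  # auto-traffic-control ... auto-control-release


@dataclass
class AtcPort:
    cfg: AtcConfig
    alarm: bool = False                 # storm alarm currently raised
    controlled: bool = False            # control response currently applied
    shut_down: bool = False             # port disabled by a shutdown response
    above_since: Optional[int] = None   # start of the apply timer
    below_since: Optional[int] = None   # start of the release timer
    events: List[Event] = field(default_factory=list)

    def sample(self, t: int, kpps: int) -> None:
        c = self.cfg
        if self.shut_down:
            return  # a shut-down port measures nothing; only control_release() recovers it
        if kpps > c.alarm_fire_threshold:
            self.below_since = None  # traffic is back up: abandon the release timer
            if not self.alarm:
                self.alarm = True
                self.above_since = t
                self.events.append((t, "storm-alarm-fire"))
            if not self.controlled and t - self.above_since >= c.apply_timer:
                self.controlled = True
                self.events.append((t, "traffic-control-apply"))
                if c.action == "shutdown":
                    self.shut_down = True
        elif kpps < c.alarm_clear_threshold:
            self.above_since = None  # storm ended before the apply timer ran out
            if self.alarm:
                self.alarm = False
                self.below_since = t
                self.events.append((t, "storm-alarm-clear"))
            if (self.controlled and c.auto_control_release
                    and self.below_since is not None
                    and t - self.below_since >= c.release_timer):
                self.controlled = False
                self.events.append((t, "traffic-control-release"))
        # Assumption: between the two thresholds nothing changes and timers keep their start.

    def control_release(self, t: int) -> None:
        """Privileged Exec 'auto-traffic-control ... control-release': clears any response."""
        self.alarm = self.controlled = self.shut_down = False
        self.above_since = self.below_since = None
        self.events.append((t, "manual-control-release"))


def run(cfg: AtcConfig, samples: List[int]) -> AtcPort:
    port = AtcPort(cfg)
    for t, kpps in enumerate(samples):
        port.sample(t, kpps)
    return port


# Constructed traffic profile: 3 s quiet, 10 s broadcast storm, 10 s quiet again.
STORM = [100] * 3 + [300] * 10 + [150] * 10
# Constructed settings: thresholds with hysteresis and the shortest permitted timers.
FAST = dict(alarm_fire_threshold=250, alarm_clear_threshold=200, apply_timer=5, release_timer=5)

if __name__ == "__main__":
    for action, auto in (("rate-control", True), ("rate-control", False), ("shutdown", True)):
        p = run(AtcConfig(action=action, auto_control_release=auto, **FAST), STORM)
        print(action, "auto-release" if auto else "manual-only", p.events,
              "port down" if p.shut_down else "port up")
```

With rate-control and auto-control-release the port fires, applies, clears and releases on its own; without auto-control-release it stays rate-limited after the storm ends; with action shutdown it goes down at the apply event and nothing but control_release() brings it back. The fourth case in the test shows why the apply timer exists: a burst shorter than the timer raises and clears the alarm without ever applying a response.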
Threshold Commands
auto-traffic-control apply-timer
This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} apply-timer seconds
no auto-traffic-control {broadcast | multicast} apply-timer
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
seconds - The interval after the upper threshold has been exceeded at which to apply the control response. (Range: 5-300 seconds)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command, and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or the snmp-server enable port-traps atc multicast-control-apply command.
Example
This example sets the apply timer to 200 seconds for all ports.
Console(config)#auto-traffic-control broadcast apply-timer 200
Console(config)#
auto-traffic-control release-timer
This command sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold. Use the no form to restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} release-timer seconds
no auto-traffic-control {broadcast | multicast} release-timer
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 5-900 seconds)
Default Setting
900 seconds
Command Mode
Global Configuration
Command Usage
This command sets the delay after which the control response can be terminated. The auto-traffic-control auto-control-release command must be used to enable or disable the automatic release of a rate-limiting control response. To re-enable a port which has been shut down by automatic traffic control, you must manually release the port using the auto-traffic-control control-release command.
Example
This example sets the release timer to 800 seconds for all ports.
Console(config)#auto-traffic-control broadcast release-timer 800
Console(config)#
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms.
Use the no form to disable this feature.
Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Automatic storm control can be enabled for either broadcast or multicast traffic. It cannot be enabled for both of these traffic types at the same time.
◆ Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command. However, only one of these control types can be applied to a port. Enabling automatic storm control on a port will disable hardware-level storm control on that port.
Example
This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control action
This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} action {rate-control | shutdown}
no auto-traffic-control {broadcast | multicast} action
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
rate-control - If a control response is triggered, the rate of ingress traffic is limited based on the threshold configured by the auto-traffic-control alarm-clear-threshold command.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.
Default Setting
rate-control
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
◆ When the control response is set to rate limiting by this command, the rate limits are determined by the auto-traffic-control alarm-clear-threshold command.
◆ If the control response is to limit the rate of ingress traffic, it can be automatically terminated once the traffic rate has fallen beneath the lower threshold and the release timer has expired.
◆ If a port has been shut down by a control response, it will not be re-enabled by automatic traffic control. It can only be manually re-enabled using the auto-traffic-control control-release command.
Example
This example sets the control response for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast action shutdown
Console(config-if)#
auto-traffic-control alarm-clear-threshold
This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the release timer expires, if so configured by the auto-traffic-control auto-control-release command. Use the no form to restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} alarm-clear-threshold threshold
no auto-traffic-control {broadcast | multicast} alarm-clear-threshold
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
threshold - The lower threshold for ingress traffic beneath which a cleared storm control trap is sent. (Range: 1-255 kilo-packets per second)
Default Setting
250 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or the snmp-server enable port-traps atc multicast-alarm-clear command.
◆ If rate limiting has been configured as a control response, it will be discontinued after the traffic rate has fallen beneath the lower threshold and the release timer has expired. Note that if a port has been shut down by a control response, it will not be re-enabled by automatic traffic control. It can only be manually re-enabled using the auto-traffic-control control-release command.
Example
This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#
auto-traffic-control alarm-fire-threshold
This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting.
Syntax
auto-traffic-control {broadcast | multicast} alarm-fire-threshold threshold
no auto-traffic-control {broadcast | multicast} alarm-fire-threshold
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
threshold - The upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. (Range: 1-255 kilo-packets per second)
Default Setting
250 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or the snmp-server enable port-traps atc multicast-alarm-fire command.
◆ After the upper threshold is exceeded, the apply timer (configured by the auto-traffic-control apply-timer command) must first expire before the control response configured by the auto-traffic-control action command is triggered.
Example
This example sets the trigger threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-fire-threshold 255
Console(config-if)#
auto-traffic-control auto-control-release
This command automatically releases a rate-limiting control response after the time specified in the auto-traffic-control release-timer command has expired.
Syntax
auto-traffic-control {broadcast | multicast} auto-control-release
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command can be used to automatically stop a rate-limiting control response after the specified action has been triggered and the release timer has expired.
◆ To release a control response which has shut down a port, use the auto-traffic-control control-release command. A port shut down by automatic traffic control is never released automatically, regardless of the release timer.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast auto-control-release
Console(config-if)#
auto-traffic-control control-release
This command manually releases a control response.
Syntax
auto-traffic-control {broadcast | multicast} control-release interface interface
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
interface
ethernet unit/port-list
unit - Unit identifier. (Range: 1)
port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers. (Range: 1-28/52)
Command Mode
Privileged Exec
Command Usage
This command can be used to manually stop a control response of rate-limiting or port shutdown any time after the specified action has been triggered.
Example
Console#auto-traffic-control broadcast control-release interface ethernet 1/1
Console#
SNMP Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc broadcast-alarm-clear
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (443)
auto-traffic-control alarm-clear-threshold (444)
snmp-server enable port-traps atc broadcast-alarm-fire
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc broadcast-alarm-fire
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (445)
snmp-server enable port-traps atc broadcast-control-apply
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc broadcast-control-apply
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (445)
auto-traffic-control apply-timer (441)
snmp-server enable port-traps atc broadcast-control-release
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc broadcast-control-release
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
Console(config-if)#
Related Commands
auto-traffic-control alarm-clear-threshold (444)
auto-traffic-control action (443)
auto-traffic-control release-timer (442)
snmp-server enable port-traps atc multicast-alarm-clear
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc multicast-alarm-clear
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (443)
auto-traffic-control alarm-clear-threshold (444)
snmp-server enable port-traps atc multicast-alarm-fire
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc multicast-alarm-fire
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (445)
snmp-server enable port-traps atc multicast-control-apply
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc multicast-control-apply
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (445)
auto-traffic-control apply-timer (441)
snmp-server enable port-traps atc multicast-control-release
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc multicast-control-release
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-release
Console(config-if)#
Related Commands
auto-traffic-control alarm-clear-threshold (444)
auto-traffic-control action (443)
auto-traffic-control release-timer (442)
ATC Display Commands
show auto-traffic-control
This command shows global configuration settings for automatic storm control.
Command Mode
Privileged Exec
Example
Console#show auto-traffic-control
Storm-control: Broadcast
Apply-timer (sec) : 300
release-timer (sec) : 900
Storm-control: Multicast
Apply-timer(sec) : 300
release-timer(sec) : 900
Console#
show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
Syntax
show auto-traffic-control interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
------------------------------------------------------------------------
Storm Control: Broadcast Multicast
State: Disabled Disabled
Action: rate-control rate-control
Auto Release Control: Disabled Disabled
Alarm Fire Threshold(Kpps): 250 250
Alarm Clear Threshold(Kpps):250 250
Trap Storm Fire: Disabled Disabled
Trap Storm Clear: Disabled Disabled
Trap Traffic Apply: Disabled Disabled
Trap Traffic Release: Disabled Disabled
Console#
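The per-port display above is the natural place to verify that storm control is actually armed and reporting. The Python below is an added example written for this guide, not switch software: it parses text in the format of the example output and flags settings a reviewer would want changed before relying on ATC on an access port. The two-port sample is constructed (one port at factory defaults, one partly configured), and the audit rules are this example's own choices based on the command descriptions in this section, not requirements stated by the switch.

```python
"""Parse 'show auto-traffic-control interface' output and flag weak ATC settings.

Added example for this guide, not switch software. SAMPLE is constructed in the
format of the example above; the audit rules are this example's own choices.
"""
import re
from typing import Dict, List

PortCfg = Dict[str, Dict[str, str]]  # {"Broadcast": {field: value}, "Multicast": {...}}

SAMPLE = """\
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
------------------------------------------------------------------------
Storm Control: Broadcast Multicast
State: Disabled Disabled
Action: rate-control rate-control
Auto Release Control: Disabled Disabled
Alarm Fire Threshold(Kpps): 250 250
Alarm Clear Threshold(Kpps):250 250
Trap Storm Fire: Disabled Disabled
Trap Storm Clear: Disabled Disabled
Trap Traffic Apply: Disabled Disabled
Trap Traffic Release: Disabled Disabled
Console#show auto-traffic-control interface ethernet 1/5
Eth 1/5 Information
------------------------------------------------------------------------
Storm Control: Broadcast Multicast
State: Enabled Disabled
Action: shutdown rate-control
Auto Release Control: Enabled Disabled
Alarm Fire Threshold(Kpps): 255 250
Alarm Clear Threshold(Kpps):155 250
Trap Storm Fire: Enabled Disabled
Trap Storm Clear: Enabled Disabled
Trap Traffic Apply: Disabled Disabled
Trap Traffic Release: Disabled Disabled
Console#
"""

PORT_RE = re.compile(r"^Eth (\d+)/\s*(\d+) Information$")


def parse_atc(text: str) -> Dict[str, PortCfg]:
    """Return {port: {"Broadcast": {...}, "Multicast": {...}}} from one or more show outputs."""
    ports: Dict[str, PortCfg] = {}
    port = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port = f"Eth {m.group(1)}/{m.group(2)}"
            ports[port] = {"Broadcast": {}, "Multicast": {}}
            continue
        if port is None or ":" not in line:
            continue  # prompt echo, rule line, blank line
        label, _, rest = line.partition(":")
        values = rest.split()  # tolerates the missing space after ':' on the clear-threshold line
        if label == "Storm Control" or len(values) != 2:
            continue  # column header, or a line this example does not model
        ports[port]["Broadcast"][label] = values[0]
        ports[port]["Multicast"][label] = values[1]
    return ports


def audit_atc(ports: Dict[str, PortCfg]) -> List[str]:
    """One finding per gap: ATC off, no hysteresis, silent traps, or auto-release on a shutdown action."""
    findings: List[str] = []
    for port, cols in ports.items():
        if all(f.get("State") != "Enabled" for f in cols.values()):
            findings.append(f"{port}: automatic storm control not enabled for broadcast or multicast")
            continue
        for traffic, f in cols.items():
            if f.get("State") != "Enabled":
                continue
            fire = int(f["Alarm Fire Threshold(Kpps)"])
            clear = int(f["Alarm Clear Threshold(Kpps)"])
            if clear >= fire:
                findings.append(f"{port} {traffic}: clear threshold {clear} Kpps is not below fire "
                                f"threshold {fire} Kpps, so the response can flap")
            for trap in ("Trap Storm Fire", "Trap Traffic Apply"):
                if f.get(trap) != "Enabled":
                    findings.append(f"{port} {traffic}: {trap} disabled, the event will not be sent as an SNMP trap")
            if f.get("Action") == "shutdown" and f.get("Auto Release Control") == "Enabled":
                findings.append(f"{port} {traffic}: action shutdown is only released manually, auto release has no effect")
    return findings


if __name__ == "__main__":
    for finding in audit_atc(parse_atc(SAMPLE)):
        print(finding)
```

Feed it the concatenated output of the command for every access port and diff the findings against the last run; the factory defaults (state disabled, 250/250 thresholds, all traps disabled) are exactly what a storm would exploit unnoticed.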
15
Loopback Detection Commands
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Table 88: Loopback Detection Commands

Command | Function | Mode
loopback-detection | Enables loopback detection globally on the switch or on a specified interface | GC, IC
loopback-detection action | Specifies the response to take for a detected loopback condition | GC
loopback-detection recover-time | Specifies the interval to wait before releasing an interface from shutdown state | GC
loopback-detection transmit-interval | Specifies the interval at which to transmit loopback detection control frames | GC
loopback-detection trap | Configures the switch to send a trap when a loopback condition is detected or the switch recovers from a loopback | GC
loopback-detection release | Manually releases all interfaces currently shut down by the loopback detection feature | PE
show loopback-detection | Shows loopback detection configuration settings for the switch or for a specified interface | PE
Usage Guidelines
◆ The default settings for the control frame transmit interval and recover time may be adjusted to improve performance for your specific environment. The shutdown mode may also need to be changed once you determine what kind of packets are being looped back.
◆ General loopback detection provided by the commands described in this section and loopback detection provided by the spanning tree protocol cannot both be enabled at the same time. If loopback detection is enabled for the spanning tree protocol, general loopback detection cannot be enabled on the same interface.
◆ When a loopback event is detected on an interface, or when an interface is released from a shutdown state caused by a loopback event, a trap message is sent and the event is recorded in the system log.
◆ Loopback detection must be enabled both globally and on an interface for loopback detection to take effect.
loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
Syntax
[no] loopback-detection
Default Setting
Disabled
Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)
Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Example
This example enables general loopback detection on the switch, disables loopback detection provided for the spanning tree protocol on port 1, and then enables general loopback detection for that port.
Console(config)#loopback-detection
Console(config)#interface ethernet 1/1
Console(config-if)#no spanning-tree loopback-detection
Console(config-if)#loopback-detection
Console(config-if)#
loopback-detection action
This command specifies the protective action the switch takes when a loopback condition is detected. Use the no form to restore the default setting.
Syntax
loopback-detection action {block | none | shutdown}
no loopback-detection action
block - When a loopback is detected on a port which is a member of a specific VLAN, packets belonging to that VLAN are dropped at the offending port.
none - No action is taken.
shutdown - Shuts down the interface.
Default Setting
Shut down
Command Mode
Global Configuration
Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port's VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command. The port's original setting for ingress filtering will be restored when loopback detection is disabled.
◆ When a port receives a control frame that it sent itself, the port is in a looped state, and the VLAN in the frame payload is also in a looped state with the wrong VLAN tag. The looped port is therefore shut down.
◆ Use the loopback-detection recover-time command to set the time to wait before re-enabling an interface shut down by the loopback detection process.
◆ When the loopback detection response is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time.
Example
This example sets the loopback detection mode to block user traffic.
Console(config)#loopback-detection action block
Console(config)#
loopback-detection recover-time
This command specifies the interval to wait before the switch automatically releases an interface from shutdown state. Use the no form to restore the default setting.
Syntax
loopback-detection recover-time seconds
no loopback-detection recover-time
seconds - Recovery time from shutdown state. (Range: 60-1,000,000 seconds, or 0 to disable automatic recovery)
Default Setting
60 seconds
Command Mode
Global Configuration
Command Usage
◆ When the loopback detection mode is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time.
◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command. To restore a specific port, use the no shutdown command in interface configuration mode.
Example
Console(config)#loopback-detection recover-time 120
Console(config)#
loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.
Syntax
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.
(Range: 1-32767 seconds)
Default Setting
10 seconds
Command Mode
Global Configuration
Example
Console(config)#loopback-detection transmit-interval 60
Console(config)#
loopback-detection trap
This command sends a trap when a loopback condition is detected, or when the switch recovers from a loopback condition. Use the no form to restore the default state.
Syntax
loopback-detection trap [both | detect | none | recover]
no loopback-detection trap
both - Sends an SNMP trap message when a loopback condition is detected, or when the switch recovers from a loopback condition.
detect - Sends an SNMP trap message when a loopback condition is detected.
none - Does not send an SNMP trap for loopback detection or recovery.
recover - Sends an SNMP trap message when the switch recovers from a loopback condition.
Default Setting
None
Command Mode
Global Configuration
Command Usage
Refer to the loopback-detection recover-time command for information on the conditions which constitute loopback recovery.
Example
Console(config)#loopback-detection trap both
Console(config)#
loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
Syntax
loopback-detection release
Command Mode
Privileged Exec
Example
Console#loopback-detection release
Console#
show loopback-detection
This command shows loopback detection configuration settings for the switch or for a specified interface.
Syntax
show loopback-detection [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show loopback-detection
Loopback Detection Global Information
Global Status : Enabled
Transmit Interval : 10
Recover Time : 60
Action : Shutdown
Trap : None
Loopback Detection Port Information
Port Admin State Oper State
-------- ----------- ----------
Eth 1/ 1 Enabled Normal
Eth 1/ 2 Disabled Disabled
Eth 1/ 3 Disabled Disabled
.
Console#show loopback-detection ethernet 1/1
Loopback Detection Information of Eth 1/1
Admin State : Enabled
Oper State : Normal
Looped VLAN : None
Console#
16
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Table 89: Address Table Commands

Command | Function | Mode
mac-address-table aging-time | Sets the aging time of the address table | GC
mac-address-table static | Maps a static address to a port in a VLAN | GC
clear mac-address-table dynamic | Removes any learned entries from the forwarding database | PE
show mac-address-table | Displays entries in the bridge-forwarding database | PE
show mac-address-table aging-time | Shows the aging time for the address table | PE
show mac-address-table count | Shows the number of MAC addresses used and the number of available MAC addresses | PE
mac-address-table aging-time
This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
Syntax
mac-address-table aging-time seconds
no mac-address-table aging-time
seconds - Aging time. (Range: 10-844 seconds; 0 to disable aging)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The aging time is used to age out dynamically learned forwarding information.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
vlan-id - VLAN ID (Range: 1-4094)
action -
delete-on-reset - Assignment lasts until the switch is reset.
permanent - Assignment is permanent.
Default Setting
No static addresses are defined. The default mode is permanent.
Command Mode
Global Configuration
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
Static addresses have the following characteristics:
◆ Static addresses will not be removed from the address table when a given interface link is down.
◆ Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
◆ A static address cannot be learned on another port until the address is removed with the no form of this command.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear mac-address-table dynamic
Console#
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface]
[vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
vlan-id - VLAN ID (Range: 1-4094)
sort - Sort by address, vlan or interface.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit “0” means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”
◆ The maximum number of address entries is 16K.
Example
Console#show mac-address-table
Interface MAC Address VLAN Type Life Time
--------- ----------------- ---- -------- -----------------
CPU FC-0A-81-B7-C7-E0 1 CPU Delete on Reset
Eth 1/ 1 00-E0-29-94-34-DE 1 Config Delete on Reset
Eth 1/21 00-01-EC-F8-D8-D9 1 Learn Delete on Timeout
Console#
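A worked example, added here and not part of the switch documentation: a Python parser for the show mac-address-table output shown above that applies the switch's mask semantics (a 0 bit must match, a 1 bit is ignored, so FF-FF-FF-FF-FF-FF means "any") and counts dynamically learned entries per port, which is the quickest way to spot a host flooding random source MACs to push the 16K table toward exhaustion. The sample output is constructed: the CPU, Eth 1/ 1 and Eth 1/21 rows copy the example, the 300 Eth 1/ 7 rows are synthetic. The display form of port-channel rows is not shown on this page and is not parsed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the show mac-address-table output above.
# The 300 "Learn" entries on Eth 1/ 7 stand in for a host flooding random
# source MACs; the Eth 1/ 1 entry is the static address from the example.
SAMPLE_OUTPUT = (
    "Interface MAC Address       VLAN Type     Life Time\n"
    "--------- ----------------- ---- -------- -----------------\n"
    "CPU       FC-0A-81-B7-C7-E0 1    CPU      Delete on Reset\n"
    "Eth 1/ 1  00-E0-29-94-34-DE 1    Config   Delete on Reset\n"
    "Eth 1/21  00-01-EC-F8-D8-D9 1    Learn    Delete on Timeout\n"
) + "".join(
    f"Eth 1/ 7  02-00-00-00-{i >> 8:02X}-{i & 0xFF:02X} 1    Learn    Delete on Timeout\n"
    for i in range(300)
)

# One table row. Only the CPU and "Eth unit/port" interface forms are handled;
# how the switch prints port-channel rows is not documented here (assumption).
_ROW = re.compile(
    r"^(?P<iface>CPU|Eth\s+\d+/\s*\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<vlan>\d+)\s+(?P<type>\S+)\s+(?P<life>.+?)\s*$"
)


def parse_mac_table(text):
    """Turn captured 'show mac-address-table' text into a list of row dicts."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            row = m.groupdict()
            row["vlan"] = int(row["vlan"])
            row["mac"] = row["mac"].upper()
            entries.append(row)
    return entries


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def mac_matches(addr, target, mask="00-00-00-00-00-00"):
    """Switch mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~mac_to_int(mask) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) ^ mac_to_int(target)) & care == 0


def find_entries(entries, target, mask="00-00-00-00-00-00"):
    """Same selection as 'show mac-address-table address <mac> <mask>'."""
    return [e for e in entries if mac_matches(e["mac"], target, mask)]


def flooded_ports(entries, threshold=100):
    """Ports whose count of dynamically learned (Learn) entries exceeds threshold."""
    counts = Counter(e["iface"] for e in entries if e["type"] == "Learn")
    return {iface: n for iface, n in counts.items() if n > threshold}
```

A vendor-prefix query such as find_entries(entries, "00-E0-29-00-00-00", "00-00-00-FF-FF-FF") is the mask form that is easy to get backwards when coming from netmask conventions; the threshold in flooded_ports should be set per port role (an access port normally learns a handful of addresses, an uplink many more).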
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging Status : Enabled
Aging Time: 300 sec.
Console#
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
Syntax
show mac-address-table count interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table count interface ethernet 1/1
MAC Entries for Eth 1/1
Total Address Count :0
Static Address Count :0
Dynamic Address Count :0
Console#
Chapter 17 Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 90: Spanning Tree Commands

Mode abbreviations: GC = Global Configuration, MST = MST Configuration, IC = Interface Configuration, PE = Privileged Exec

Command                                        Function                                                                                Mode
---------------------------------------------  --------------------------------------------------------------------------------------  ----
spanning-tree                                  Enables the spanning tree protocol                                                      GC
spanning-tree cisco-prestandard                Configures spanning tree operation to be compatible with Cisco prestandard versions     GC
spanning-tree forward-time                     Configures the spanning tree bridge forward time                                        GC
spanning-tree hello-time                       Configures the spanning tree bridge hello time                                          GC
spanning-tree max-age                          Configures the spanning tree bridge maximum age                                         GC
spanning-tree mode                             Configures STP, RSTP or MSTP mode                                                       GC
spanning-tree pathcost method                  Configures the path cost method for RSTP/MSTP                                           GC
spanning-tree priority                         Configures the spanning tree bridge priority                                            GC
spanning-tree mst configuration                Changes to MSTP configuration mode                                                      GC
spanning-tree system-bpdu-flooding             Floods BPDUs to all other ports or just to all other ports in the same VLAN when        GC
                                               global spanning tree is disabled
spanning-tree transmission-limit               Configures the transmission limit for RSTP/MSTP                                         GC
max-hops                                       Configures the maximum number of hops allowed in the region before a BPDU is discarded  MST
mst priority                                   Configures the priority of a spanning tree instance                                     MST
mst vlan                                       Adds VLANs to a spanning tree instance                                                  MST
name                                           Configures the name for the multiple spanning tree                                      MST
revision                                       Configures the revision number for the multiple spanning tree                           MST
spanning-tree bpdu-filter                      Filters BPDUs for edge ports                                                            IC
spanning-tree bpdu-guard                       Shuts down an edge port if it receives a BPDU                                           IC
spanning-tree cost                             Configures the spanning tree path cost of an interface                                  IC
spanning-tree edge-port                        Enables fast forwarding for edge ports                                                  IC
spanning-tree link-type                        Configures the link type for RSTP/MSTP                                                  IC
spanning-tree loopback-detection               Enables BPDU loopback detection for a port                                              IC
spanning-tree loopback-detection action        Configures the response for loopback detection to block user traffic or shut down      IC
                                               the interface
spanning-tree loopback-detection release-mode  Configures loopback release mode for a port                                             IC
spanning-tree loopback-detection trap          Enables BPDU loopback SNMP trap notification for a port                                 IC
spanning-tree mst cost                         Configures the path cost of an interface in the MST instance                            IC
spanning-tree mst port-priority                Configures the priority of an interface in the MST instance                             IC
spanning-tree port-bpdu-flooding               Floods BPDUs to other ports when global spanning tree is disabled                       IC
(name missing in source)                       Configures the spanning tree priority of an interface                                   IC
(name missing in source)                       Prevents a designated port from passing superior BPDUs                                  IC
spanning-tree spanning-disabled                Disables spanning tree for an interface                                                 IC
(name missing in source)                       Stops propagation of topology change information                                        IC
spanning-tree loopback-detection release       Manually releases a port placed in discarding state by loopback-detection               PE
spanning-tree protocol-migration               Re-checks the appropriate BPDU format                                                   PE
show spanning-tree                             Shows spanning tree configuration for the common spanning tree (i.e., overall           PE
                                               bridge), a selected interface, or an instance within the multiple spanning tree
show spanning-tree mst configuration           Shows the multiple spanning tree configuration                                          PE
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Syntax
[no] spanning-tree
Default Setting
Spanning tree is enabled.
Command Mode
Global Configuration
Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
Syntax
[no] spanning-tree cisco-prestandard
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Cisco prestandard versions prior to Cisco IOS Release 12.2(25)SEC do not fully follow the IEEE standard, causing some state machine procedures to function incorrectly. The command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions.
Example
Console(config)#spanning-tree cisco-prestandard
Console(config)#
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
Default Setting
15 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
Example
Console(config)#spanning-tree forward-time 20
Console(config)#
spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree hello-time time
no spanning-tree hello-time
time - Time in seconds. (Range: 1-10 seconds).
The maximum value is the lower of 10 or [(max-age / 2) - 1].
Default Setting
2 seconds
Command Mode
Global Configuration
Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.
Example
Console(config)#spanning-tree hello-time 5
Console(config)#
Related Commands
spanning-tree forward-time (467)
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
20 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
Example
Console(config)#spanning-tree max-age 40
Console(config)#
Related Commands
spanning-tree forward-time (467)
spanning-tree hello-time (468)
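Because the three bridge timers constrain one another, a sequence of commands that is valid one at a time can still be rejected part way through. The following Python is an added example, not part of the guide: it encodes the range rules stated for spanning-tree forward-time, hello-time and max-age, reports the effective limits for each timer given the other two, and orders the commands so that no intermediate state violates the rules. It shows, for instance, that entering the guide's two examples (forward-time 20, then max-age 40) back to back fails on the second command, because max-age 40 needs a forward-time of at least 21. The command strings it emits are the Global Configuration commands documented above.

```python
from itertools import permutations

# Absolute ranges from the three command descriptions.
RANGES = {"hello-time": (1, 10), "max-age": (6, 40), "forward-time": (4, 30)}


def validate_stp_timers(hello=2, max_age=20, forward_delay=15):
    """Return the list of rule violations for a hello/max-age/forward-delay triple.

    Rules: the absolute ranges in RANGES, max-age >= 2 * (hello-time + 1) and
    max-age <= 2 * (forward-time - 1). An empty list means the triple is accepted.
    """
    values = {"hello-time": hello, "max-age": max_age, "forward-time": forward_delay}
    errors = []
    for name, value in values.items():
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            errors.append(f"{name} {value} outside {lo}-{hi}")
    if max_age < 2 * (hello + 1):
        errors.append(f"max-age {max_age} < 2 * (hello-time + 1) = {2 * (hello + 1)}")
    if max_age > 2 * (forward_delay - 1):
        errors.append(f"max-age {max_age} > 2 * (forward-time - 1) = {2 * (forward_delay - 1)}")
    return errors


def timer_bounds(hello=2, max_age=20, forward_delay=15):
    """Effective (min, max) for each timer given the other two, as the CLI text states them."""
    return {
        "hello-time": (1, min(10, max_age // 2 - 1)),
        "max-age": (max(6, 2 * (hello + 1)), min(40, 2 * (forward_delay - 1))),
        # forward-time >= max-age/2 + 1, rounded up when max-age is odd
        "forward-time": (max(4, -(-max_age // 2) + 1), 30),
    }


def plan_timer_changes(current, target):
    """Order the timer commands so every intermediate state passes validation.

    current and target are dicts keyed hello-time, max-age, forward-time.
    Returns the Global Configuration lines to enter, or raises if no order of
    the changed commands reaches the target without an invalid intermediate state.
    """
    changed = [k for k in ("hello-time", "max-age", "forward-time") if current[k] != target[k]]
    for order in permutations(changed):
        state = dict(current)
        lines = []
        for name in order:
            state[name] = target[name]
            if validate_stp_timers(state["hello-time"], state["max-age"], state["forward-time"]):
                break  # this ordering hits an invalid state; try the next one
            lines.append(f"spanning-tree {name} {target[name]}")
        else:
            return lines
    raise ValueError("no ordering reaches the target without an invalid intermediate state")
```

The same relationships explain why the defaults (2/20/15) leave hello-time capped at 9 and forward-time floored at 11 until the other timers are moved first.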
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.1s)
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
◆ Rapid Spanning Tree Protocol
RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
■ STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
■ RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP
BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
◆ Multiple Spanning Tree Protocol
■ To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
■ A spanning tree instance can exist only on bridges that have compatible
VLAN instance assignments.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
Example
The following example configures the switch to use Rapid Spanning Tree:
Console(config)#spanning-tree mode rstp
Console(config)#
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000.
This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
short - Specifies 16-bit based values that range from 1-65535.
This method is based on the IEEE 802.1 Spanning Tree Protocol.
Default Setting
Long method
Command Mode
Global Configuration
Command Usage
◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost takes precedence over port priority.
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP).
Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
Example
Console(config)#spanning-tree pathcost method long
Console(config)#
spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge. (Range – 0-61440, in steps of 4096;
Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864,
40960, 45056, 49152, 53248, 57344, 61440)
Default Setting
32768
Command Mode
Global Configuration
Command Usage
Bridge priority is used in selecting the root device, root port, and designated port.
The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
Example
Console(config)#spanning-tree priority 40960
Console(config)#
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Default Setting
No VLANs are mapped to any MST instance.
The region name is set to the switch’s MAC address.
Command Mode
Global Configuration
Example
Console(config)#spanning-tree mst configuration
Console(config-mstp)#
spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other ports on the switch.
to-vlan - Floods BPDUs to all other ports within the receiving port’s native VLAN (i.e., as determined by the port’s PVID).
Default Setting
Floods to all other ports in the same VLAN.
Command Mode
Global Configuration
Command Usage
The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command).
Example
Console(config)#spanning-tree system-bpdu-flooding to-all
Console(config)#
spanning-tree transmission-limit
This command configures the transmit hold count, the maximum number of RSTP/MSTP BPDUs a port may send within one hello interval. Use the no form to restore the default.
Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - Maximum number of BPDUs transmitted per hello interval. (Range: 1-10)
Default Setting
3
Command Mode
Global Configuration
Command Usage
This command limits the maximum transmission rate for BPDUs. It corresponds to the TxHoldCount parameter of IEEE 802.1D-2004.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
Syntax
max-hops hop-number
no max-hops
hop-number - Maximum hop number for multiple spanning tree.
(Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.
Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance-id priority priority
no mst instance-id priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of the spanning tree instance.
(Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384,
20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344,
61440)
Default Setting
32768
Command Mode
MST Configuration
Command Usage
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
◆ You can set this switch to act as the MSTI root device by specifying a priority of
0, or as the MSTI alternate device by specifying a priority of 16384.
Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance-id vlan vlan-range
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
vlan-range - Range of VLANs. (Range: 1-4094)
Default Setting
none
Command Mode
MST Configuration
Command Usage
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
◆ By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 16 instances. You should try to group VLANs which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
name - Name of the MST region.
Default Setting
Switch’s MAC address
Command Mode
MST Configuration
Command Usage
The MST region name and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
Example
Console(config-mstp)#name R&D
Console(config-mstp)#
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
Syntax
revision number
number - Revision number of the spanning tree. (Range: 0-65535)
Default Setting
0
Command Mode
MST Configuration
Command Usage
The MST region name and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
Example
Console(config-mstp)#revision 1
Console(config-mstp)#
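Region membership depends on three values matching on every bridge: the name, the revision, and a digest of the VLAN-to-instance mapping built with mst vlan. The guide does not show the digest; the Python below, an added example and not Edge-core code, computes it with the method IEEE 802.1Q clause 13.7 defines (HMAC-MD5 over a 4096-entry table of 16-bit MSTIDs indexed by VID, with the fixed key 13AC06A62E47FD51F95D2BA243CD0346) so two intended configurations can be compared before they are pushed to switches. The region names, revisions and VLAN ranges in the assertions are constructed.

```python
import hmac
import hashlib

# Key and table layout are those defined for the MST Configuration Digest in
# IEEE 802.1Q (clause 13.7), not something the switch documentation shows.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_range(spec):
    """Expand a CLI vlan-range such as "2-5,10" into a sorted list of VLAN IDs."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vids.update(range(lo, hi + 1))
    return sorted(vids)


def mst_vlan_map(instances):
    """{instance-id: vlan-range} as entered with 'mst N vlan ...' -> {vid: msti}.

    VIDs that are not listed stay in MSTI 0 (the IST), matching the default.
    A VLAN can belong to only one instance, so overlaps are rejected.
    """
    mapping = {}
    for msti, spec in instances.items():
        for vid in parse_vlan_range(spec):
            if vid in mapping:
                raise ValueError(f"VLAN {vid} mapped to both MSTI {mapping[vid]} and {msti}")
            mapping[vid] = msti
    return mapping


def mst_config_digest(vlan_to_msti):
    """HMAC-MD5 over 4096 big-endian 16-bit MSTID entries, one per VID 0..4095."""
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


def mst_region_id(name, revision, instances):
    """The (name, revision, digest) tuple two bridges must agree on to share a region."""
    if len(name.encode()) > 32 or not 0 <= revision <= 65535:
        raise ValueError("region name is at most 32 bytes; revision is 0-65535")
    return (name, revision, mst_config_digest(mst_vlan_map(instances)))


def same_region(a, b):
    """a and b are (name, revision, {instance: vlan-range}) triples for two bridges."""
    return mst_region_id(*a) == mst_region_id(*b)
```

A bridge with every VLAN left in MSTI 0 produces the digest ac36177f50283cd4b83821d8ab26de62, which is what a freshly configured switch advertises; any one-VLAN difference in the mapping, or a different revision, splits the region and turns the inter-switch link into a CST boundary.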
spanning-tree bpdu-filter
This command allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. Use the no form to disable this feature.
Syntax
[no] spanning-tree bpdu-filter
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command stops all Bridge Protocol Data Units (BPDUs) from being transmitted on configured edge ports to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs. However, note that if a trunking port connected to another switch or bridging device is mistakenly configured as an edge port, and BPDU filtering is enabled on this port, this might cause a loop in the spanning tree.
◆ Before enabling BPDU Filter, the interface must first be configured as an edge port with the spanning-tree edge-port command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Syntax
spanning-tree bpdu-guard [auto-recovery [interval interval]]
no spanning-tree bpdu-guard [auto-recovery [interval]]
auto-recovery - Automatically re-enables an interface after the specified interval.
interval - The time to wait before re-enabling an interface. (Range: 30-86400 seconds)
Default Setting
BPDU Guard: Disabled
Auto-Recovery: Disabled
Auto-Recovery Interval: 300 seconds
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ An edge port should only be connected to end nodes, which do not generate BPDUs. A BPDU received on an edge port therefore indicates either a misconfiguration (a switch or bridge attached to an access port) or an attempt to inject BPDUs into the topology, for example to claim the root role. If an interface is shut down by BPDU Guard and no auto-recovery interval is specified, it must be manually re-enabled using the no spanning-tree spanning-disabled command.
◆ Before enabling BPDU Guard, the interface must be configured as an edge port with the spanning-tree edge-port command. Also note that if the edge port attribute is disabled on an interface, BPDU Guard will also be disabled on that interface.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#
Related Commands
spanning-tree spanning-disabled (488)
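An added example (Python, not from the guide) that ties the spanning-tree priority and bpdu-guard sections together: it builds and decodes RST BPDUs using the IEEE 802.1D/802.1w field layout, and compares the priority vector (root ID, root path cost, bridge ID, port ID) of a received BPDU against the information the bridge currently holds. The constructed "rogue" BPDU advertising priority 0 beats the legitimate root at the default 32768 regardless of MAC address, which is exactly why a BPDU arriving on an edge port should shut the port down rather than be evaluated. The MAC addresses and the port ID 0x8001 are sample values.

```python
import struct


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bridge_id_bytes(priority, mac, system_id_ext=0):
    """8-byte bridge identifier: 4-bit priority/4096, 12-bit system ID extension, 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0-61440")
    return struct.pack(">H6s", priority | system_id_ext, mac_to_bytes(mac))


def build_bpdu(root_priority, root_mac, bridge_priority, bridge_mac, root_path_cost=0,
               port_id=0x8001, message_age=0, max_age=20, hello=2, forward_delay=15):
    """Construct an RST BPDU payload (the fields after the LLC header); times are in 1/256 s."""
    body = struct.pack(
        ">HBBB8sI8sHHHHH",
        0x0000, 2, 0x02, 0x00,                       # protocol id, version 2 (RSTP), type RST, flags
        bridge_id_bytes(root_priority, root_mac),    # root identifier
        root_path_cost,
        bridge_id_bytes(bridge_priority, bridge_mac),
        port_id,
        message_age * 256, max_age * 256, hello * 256, forward_delay * 256,
    )
    return body + b"\x00"                             # version 1 length (always 0)


def parse_bpdu(data):
    """Decode a configuration (0x00) or RST (0x02) BPDU; raises on a malformed packet."""
    if len(data) < 35:
        raise ValueError("BPDU too short")
    (proto, version, bpdu_type, flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd) = struct.unpack(">HBBB8sI8sHHHHH", data[:35])
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a configuration/RST BPDU")
    return {
        "version": version, "type": bpdu_type, "flags": flags,
        "root_id": int.from_bytes(root, "big"), "root_path_cost": cost,
        "bridge_id": int.from_bytes(bridge, "big"), "port_id": port,
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }


def priority_vector(bpdu):
    """Lower is better at every position, compared left to right."""
    return (bpdu["root_id"], bpdu["root_path_cost"], bpdu["bridge_id"], bpdu["port_id"])


def is_superior(received, current):
    """True when the received BPDU would replace the information the bridge holds."""
    return priority_vector(received) < priority_vector(current)


# Constructed sample frames: the legitimate root at the default priority, and a
# rogue claiming priority 0 from a locally administered MAC.
LEGIT = build_bpdu(32768, "00-E0-29-94-34-DE", 32768, "00-E0-29-94-34-DE")
ROGUE = build_bpdu(0, "02-11-22-33-44-55", 0, "02-11-22-33-44-55")
```

Because the priority occupies the top 16 bits of the bridge ID, no MAC address can compensate for a lower priority; the only defences are to refuse the BPDU at the port (BPDU Guard on edge ports, the root-guard function listed in Table 90 on designated ports) or to hold priority 0 on the intended root yourself, which still leaves the tie decided by MAC address.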
spanning-tree cost
This command configures the spanning tree path cost for the specified interface.
Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method) [9]
Table 91: Recommended STA Path Cost Range

Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
-----------------  -----------------------------------  ---------------------------------
Ethernet           50-600                               200,000-20,000,000
Fast Ethernet      10-60                                20,000-2,000,000
Gigabit Ethernet   3-10                                 2,000-200,000
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
Table 92: Default STA Path Costs

Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
-----------------  -----------------------------------  ---------------------------------
Ethernet           65,535                               1,000,000
Fast Ethernet      65,535                               100,000
Gigabit Ethernet   10,000                               10,000
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
◆ Path cost takes precedence over port priority.
◆ When the path cost method is set to short, the maximum value for path cost is 65,535.
9. Use the spanning-tree pathcost method command to set the path cost method. The range displayed in the CLI prompt message shows the maximum value for path cost. However, note that the switch still enforces the rules for path cost based on the specified path cost method (long or short).
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#
spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
Syntax
spanning-tree edge-port [auto]
no spanning-tree edge-port
auto - Automatically determines if an interface is an edge port.
Default Setting
Auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related time out problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
Default Setting
auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
◆ When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
◆ RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree link-type point-to-point
Console(config-if)#
spanning-tree loopback-detection
This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
Syntax
[no] spanning-tree loopback-detection
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, the port drops the loopback BPDU as specified in IEEE 802.1w-2001, clause 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection
Console(config-if)#
spanning-tree loopback-detection action
This command configures the response for loopback detection to block user traffic or shut down the interface. Use the no form to restore the default.
Syntax
spanning-tree loopback-detection action {block | shutdown duration}
no spanning-tree loopback-detection action
block - Blocks user traffic.
shutdown - Shuts down the interface.
duration - The duration to shut down the interface.
(Range: 60-86400 seconds)
Default Setting
block
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If an interface is shut down by this command, and the release mode is set to “auto” with the spanning-tree loopback-detection release-mode command, the selected interface will be automatically enabled when the shutdown interval has expired.
◆ If an interface is shut down by this command, and the release mode is set to
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection action shutdown 600
Console(config-if)#
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
Syntax
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
manual - The port can only be released from the discarding state manually.
Default Setting
auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied:
■ The port receives any BPDU other than its own, or;
■ The port’s link status changes to link down and then link up again, or;
■ The port ceases to receive its own BPDUs within a forward delay interval.
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, the port drops the loopback BPDU as specified in IEEE 802.1w-2001, clause 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
◆ When configured for manual release mode, a link down/up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
Syntax
[no] spanning-tree loopback-detection trap
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection trap
Console(config-if)#
spanning-tree mst cost
This command configures the path cost on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
The recommended path cost range is listed in .
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535. The default path costs are listed in Table 92 on page 479.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Each spanning-tree instance is associated with a unique set of VLAN IDs.
Note: Use the spanning-tree pathcost method command to set the path cost method.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
Example
Console(config)#interface Ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#
Related Commands
spanning-tree mst port-priority (485)
spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface. (Range: 0-240 in steps of 16)
Default Setting
128
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch are the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled.
Example
Console(config)#interface Ethernet 1/5
Console(config-if)#spanning-tree mst 1 port-priority 0
Console(config-if)#
spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Syntax
[no] spanning-tree port-bpdu-flooding
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When enabled, BPDUs are flooded to all other ports on the switch or to all other ports within the receiving port’s native VLAN as specified by the spanning-tree system-bpdu-flooding command.
◆ The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-bpdu-flooding
Console(config-if)#
spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)
Default Setting
128
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
◆ The criteria used for determining the port role is based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-priority 0
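The port-role selection order listed in the usage notes above (root bridge ID, root path cost, designated bridge, designated port, then port priority and port number, lowest value winning at each step) can be shown as a tuple comparison. This is an added Python illustration, not code from the switch or this guide; the BPDU fields, link costs and MAC addresses in it are constructed.

```python
"""Port-role tie-break order from the 'spanning-tree port-priority' usage notes:
root bridge ID, root path cost, designated bridge ID, designated port ID, then
the receiving port's own priority and number; the lowest value wins at each
step. Added illustration in Python, not code from the switch or this guide."""
from dataclasses import dataclass


def bridge_id(priority: int, mac: str) -> tuple:
    """Bridge identifier ordered as the guide describes: lower priority wins,
    and a lower MAC address breaks a tie between equal priorities."""
    return (priority, int(mac.replace(":", "").replace("-", ""), 16))


def port_id(priority: int, number: int) -> tuple:
    """Port identifier: priority (0-240 in steps of 16, default 128), then number."""
    if not 0 <= priority <= 240 or priority % 16:
        raise ValueError("port priority must be 0-240 in steps of 16")
    return (priority, number)


@dataclass(frozen=True)
class Bpdu:
    """Constructed view of the fields of a received configuration BPDU."""
    root_id: tuple
    root_path_cost: int
    designated_bridge: tuple
    designated_port: tuple


def priority_vector(bpdu: Bpdu, link_cost: int, local_port: tuple) -> tuple:
    """Rank a candidate root port. The link cost is added to the advertised root
    path cost, and the local port ID is compared only when everything before it
    ties, which is why path cost takes precedence over port priority."""
    return (bpdu.root_id, bpdu.root_path_cost + link_cost,
            bpdu.designated_bridge, bpdu.designated_port, local_port)


def choose_root_port(candidates: dict) -> str:
    """candidates maps port name -> (Bpdu, link path cost, local port ID).
    Returns the name of the port with the lowest priority vector."""
    return min(candidates, key=lambda name: priority_vector(*candidates[name]))


if __name__ == "__main__":
    root = bridge_id(32768, "0001ECF8D8C6")          # constructed root bridge
    upstream = Bpdu(root, 0, root, port_id(128, 1))  # BPDU as sent by the root
    # Both links reach the same upstream port, so the local port ID decides:
    # 'spanning-tree port-priority 0' on port 2 beats the default 128 on port 1.
    same_cost = {"eth1/1": (upstream, 20000, port_id(128, 1)),
                 "eth1/2": (upstream, 20000, port_id(0, 2))}
    print(choose_root_port(same_cost))               # eth1/2
    # A cheaper path wins regardless of priority (path cost precedes priority).
    cheaper = {**same_cost, "eth1/3": (upstream, 10000, port_id(128, 3))}
    print(choose_root_port(cheaper))                 # eth1/3
```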
spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
Syntax
[no] spanning-tree root-guard
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.
◆ Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location. Root Guard should be enabled on any designated port connected to low-speed bridges which could potentially overload a slower link by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed.
◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree root-guard
Console(config-if)#
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Syntax
[no] spanning-tree spanning-disabled
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#
spanning-tree tc-prop-stop
This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages.
Syntax
[no] spanning-tree tc-prop-stop
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When this command is enabled on an interface, topology change information originating from the interface will still be propagated.
This command should not be used on an interface which is purposely configured in a ring topology.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#spanning-tree tc-prop-stop
Console(config-if)#
spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback detection.
Syntax
spanning-tree loopback-detection release interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Command Usage
Use this command to release an interface from discarding state if loopback detection release mode is set to “manual” by the spanning-tree loopback-detection release-mode command and BPDU loopback occurs.
Example
Console#spanning-tree loopback-detection release ethernet 1/1
Console#
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
Example
Console#spanning-tree protocol-migration ethernet 1/5
Console#
show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
Syntax
show spanning-tree [interface | mst instance-id | brief | stp-enabled-only]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
instance-id - Instance identifier of the multiple spanning tree. (Range: 0-4094)
brief - Shows a summary of global and interface settings.
stp-enabled-only - Displays global settings, and settings for interfaces for which STP is enabled.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
◆ Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
◆ Use the show spanning-tree mst configuration command to display the configuration name, revision level, and VLANs associated with each instance.
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
Example
Console#show spanning-tree
Spanning Tree Information
---------------------------------------------------------------
Spanning Tree Mode : MSTP
Spanning Tree Enabled/Disabled : Enabled
Instance : 0
VLANs Configured : 1-4094
Priority : 32768
Bridge Hello Time (sec.) : 2
Bridge Max. Age (sec.) : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.) : 2
Root Max. Age (sec.) : 20
Root Forward Delay (sec.) : 15
Max. Hops : 20
Remaining Hops : 20
Designated Root : 32768.0.0001ECF8D8C6
Current Root Port : 21
Current Root Cost : 100000
Number of Topology Changes : 5
Last Topology Change Time (sec.): 11409
Transmission Limit : 3
Path Cost Method : Long
Flooding Behavior : To VLAN
Cisco Prestandard : Disabled
---------------------------------------------------------------
Eth 1/ 1 information
---------------------------------------------------------------
Admin Status : Enabled
Role : Disabled
State : Discarding
Admin Path Cost : 0
Oper Path Cost : 100000
Priority : 128
Designated Cost : 10000
Designated Port : 128.1
Designated Root : 32768.00E00C0000FD
Designated Bridge : 32768.FC0A81B7C7E0
Forward Transitions : 2
Admin Edge Port : Auto
Oper Edge Port : Disabled
Admin Link Type : Auto
Oper Link Type : Point-to-point
Flooding Behavior : Enabled
Spanning-Tree Status : Enabled
Loopback Detection Status : Enabled
Loopback Detection Release Mode : Auto
Loopback Detection Trap : Disabled
Loopback Detection Action : Block
Root Guard Status : Disabled
BPDU Guard Status : Disabled
.
.
.
BPDU Guard Auto Recovery : Disabled
BPDU Guard Auto Recovery Interval : 300
BPDU Filter Status : Disabled
TC Propagate Stop : Disabled
This example shows a brief summary of global and interface settings for the spanning tree.
Console#show spanning-tree brief
Spanning Tree Mode : RSTP
Spanning Tree Enabled/Disabled : Enabled
Designated Root : 32768.0000E8944000
Current Root Port (Eth) : 1/24
Current Root Cost : 10000
Interface Pri Designated Designated Oper STP Role State Oper
Bridge ID Port ID Cost Status Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- ---
Eth 1/ 1 128 32768.0000E89382A0 128.1 100000 EN DESG FWD No
.
.
.
Eth 1/ 2 128 32768.0000E89382A0 128.2 10000 EN DISB BLK No
Eth 1/ 3 128 32768.0000E89382A0 128.3 10000 EN DISB BLK No
Eth 1/ 4 128 32768.0000E89382A0 128.4 10000 EN DISB BLK No
Eth 1/ 5 128 32768.0000E89382A0 128.5 10000 EN DISB BLK No
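The per-interface blocks of the show spanning-tree output above are plain “Key : Value” lines under an “Eth unit/port information” header, which makes them easy to parse and audit for the protections this chapter configures (loopback-detection trap, root guard). The following is an added Python example, not code from the switch or this guide; its sample output is constructed in the guide’s layout, and the Role values “Designated” and “Root” used in it are assumed, since this page only shows “Disabled”.

```python
"""Parse the 'show spanning-tree' output layout shown in this guide and audit
per-interface protection settings. Added example; SAMPLE_OUTPUT is constructed
in the guide's format, not captured from a switch."""
import re

SAMPLE_OUTPUT = """\
Spanning Tree Information
---------------------------------------------------------------
Spanning Tree Mode : MSTP
Spanning Tree Enabled/Disabled : Enabled
Designated Root : 32768.0.0001ECF8D8C6
---------------------------------------------------------------
Eth 1/ 1 information
---------------------------------------------------------------
Admin Status : Enabled
Role : Designated
State : Forwarding
Spanning-Tree Status : Enabled
Loopback Detection Status : Enabled
Loopback Detection Release Mode : Auto
Loopback Detection Trap : Disabled
Root Guard Status : Disabled
BPDU Guard Status : Disabled
---------------------------------------------------------------
Eth 1/ 2 information
---------------------------------------------------------------
Admin Status : Enabled
Role : Root
State : Forwarding
Spanning-Tree Status : Enabled
Loopback Detection Status : Enabled
Loopback Detection Release Mode : Manual
Loopback Detection Trap : Enabled
Root Guard Status : Disabled
BPDU Guard Status : Disabled
"""

# Interface header as printed by the switch, e.g. "Eth 1/ 1 information".
HEADER = re.compile(r"^(Eth \d+/\s*\d+) information$")


def parse_show_spanning_tree(text: str):
    """Return (global_settings, {interface: settings}) from 'Key : Value' lines."""
    global_settings, interfaces = {}, {}
    current = global_settings
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"} or line == "Spanning Tree Information":
            continue                       # blank, rule, or banner line
        m = HEADER.match(line)
        if m:
            # Normalise "Eth 1/ 1" to "Eth 1/1" so names are stable keys.
            name = re.sub(r"\s+", " ", m.group(1)).replace("/ ", "/")
            current = interfaces.setdefault(name, {})
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return global_settings, interfaces


def audit(interfaces: dict) -> list:
    """Flag settings this chapter's usage notes call out. Returns [(iface, msg)]."""
    findings = []
    for name, s in sorted(interfaces.items()):
        if s.get("Spanning-Tree Status") != "Enabled":
            continue                       # STP disabled on the port: out of scope
        # Loop blocking happens silently unless the loopback-detection trap is on.
        if (s.get("Loopback Detection Status") == "Enabled"
                and s.get("Loopback Detection Trap") != "Enabled"):
            findings.append((name, "loopback detection active but SNMP trap disabled"))
        # Root guard is meant for designated ports facing bridges that must not win.
        if s.get("Role") == "Designated" and s.get("Root Guard Status") != "Enabled":
            findings.append((name, "designated port without root guard"))
    return findings


if __name__ == "__main__":
    _, ifaces = parse_show_spanning_tree(SAMPLE_OUTPUT)
    for iface, msg in audit(ifaces):
        print(f"{iface}: {msg}")
```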
show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
Command Mode
Privileged Exec
Example
Console#show spanning-tree mst configuration
Mstp Configuration Information
--------------------------------------------------------------
Configuration Name : R&D
Revision Level : 0
Instance VLANs
--------------------------------------------------------------
0 1-4094
Console#
18 VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Table 93: VLAN Commands
Function
Configures GVRP settings that permit automatic VLAN learning; shows the configuration for bridge extension MIB
Sets up VLAN groups, including name, VID and state
Configures VLAN interface parameters, including ingress and egress tagging mode, ingress filtering, PVID, and GVRP
Displays VLAN groups, status, port members, and MAC addresses
Configures 802.1Q Tunneling (QinQ Tunneling)
Configures Layer 2 Control Protocol (L2CP) tunneling, either by discarding, processing, or transparently passing control packets across a QinQ tunnel
Configures protocol-based VLANs based on frame type and protocol *
Configures IP Subnet-based VLANs *
Configures MAC-based VLANs *
Configures VoIP traffic detection and enables a Voice VLAN
* If a packet matches the rules defined by more than one of these functions, only one of them is applied, with the precedence being MAC-based, IP subnet-based, protocol-based, and then native port-based (see the switchport priority default command).
– 495 –
Chapter 18
| VLAN Commands
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Table 94: GVRP and Bridge Extension Commands
Command | Function | Mode
bridge-ext gvrp | Enables GVRP globally for the switch | GC
garp timer | Sets the GARP timer for the selected function | IC
switchport forbidden vlan | Configures forbidden VLANs for an interface | IC
switchport gvrp | Enables GVRP for an interface | IC
show bridge-ext | Shows the global bridge extension configuration | PE
show garp timer | Shows the GARP timer for the selected function | NE, PE
show gvrp configuration | Displays GVRP configuration for the selected interface | NE, PE
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.
Syntax
[no] bridge-ext gvrp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
Example
Console(config)#bridge-ext gvrp
Console(config)#
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
Ranges:
join: 20-1000 centiseconds
leave: 60-3000 centiseconds
leaveall: 500-18000 centiseconds
Default Setting
join: 20 centiseconds
leave: 60 centiseconds
leaveall: 1000 centiseconds
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
◆ Timer values are applied to GVRP for all the ports on all VLANs.
◆ Timer values must meet the following restrictions:
■ leave > (2 x join)
■ leaveall > leave
Note: Set GVRP timers on all Layer 2 devices connected in the same network to the same values. Otherwise, GVRP may not operate successfully.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#garp timer join 100
Console(config-if)#
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094).
Default Setting
No VLANs are included in the forbidden list.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command prevents a VLAN from being automatically added to the specified interface via GVRP.
◆ If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface.
◆ GVRP cannot be enabled for ports set to Access mode (see the command).
Example
The following example shows how to prevent port 1 from being added to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport forbidden vlan add 3
Console(config-if)#
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
GVRP cannot be enabled for ports set to Access mode using the command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#
show bridge-ext
This command shows the configuration for bridge extension commands.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show bridge-ext
Maximum Supported VLAN Numbers : 4094
Maximum Supported VLAN ID : 4094
Extended Multicast Filtering Services : No
Static Entry Individual Port : Yes
VLAN Version Number : 2
VLAN Learning : IVL
Configurable PVID Tagging : Yes
Local VLAN Capable : No
Traffic Classes : Enabled
Global GVRP Status : Disabled
GMRP : Disabled
Console#
Table 95: show bridge-ext - display description
Field | Description
Maximum Supported VLAN Numbers | The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID | The maximum configurable VLAN identifier supported on this switch.
Extended Multicast Filtering Services | This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Static Entry Individual Port | This switch allows static filtering for unicast and multicast addresses. (Refer to the mac-address-table static command.)
VLAN Learning | This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.
Configurable PVID Tagging | This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to the switchport allowed vlan command.)
Local VLAN Capable | This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
Traffic Classes | This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Commands” on page 541.)
Global GVRP Status | GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This field shows if GVRP is globally enabled or disabled. (Refer to the bridge-ext gvrp command.)
show garp timer
This command shows the GARP timers for the selected interface.
Syntax
show garp timer [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
Shows all GARP timers.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
Join Timer: 20 centiseconds
Leave Timer: 60 centiseconds
Leaveall Timer: 1000 centiseconds
Console#
show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
Shows both global and interface-specific configuration.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show gvrp configuration ethernet 1/7
Eth 1/ 7:
GVRP Configuration : Disabled
Console#
Editing VLAN Groups
Table 96: Commands for Editing VLAN Groups
Command | Function | Mode
vlan database | Enters VLAN database mode to add, change, and delete VLANs | GC
vlan | Configures a VLAN, including VID, name and state | VC
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
◆ command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Example
Console(config)#vlan database
Console(config-vlan)#
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
no vlan vlan-id [name | state]
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094)
name - Keyword to be followed by the VLAN name.
vlan-name - ASCII string from 1 to 32 characters.
media ethernet - Ethernet media type.
state - Keyword to be followed by the VLAN state.
active - VLAN is operational.
suspend - VLAN is suspended. Suspended VLANs do not pass packets.
rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands” on page 428.
Default Setting
By default only VLAN 1 exists and is active.
Command Mode
VLAN Database Configuration
Command Usage
◆ no vlan vlan-id deletes the VLAN.
no vlan vlan-i