Cisco 350X Series Switches Command Line Interface Reference
CLI GUIDE
SG350X and SG350XG Ph. 2.2.5 Devices - Command Line Interface Reference Guide
Table of Contents

1 Introduction ..... 26

2 802.1X Commands ..... 50
aaa authentication dot1x ..... 50
authentication open ..... 51
clear dot1x statistics ..... 52
data ..... 52
dot1x auth-not-req ..... 54
dot1x authentication ..... 55
dot1x guest-vlan ..... 56
dot1x guest-vlan enable ..... 57
dot1x guest-vlan timeout ..... 58
dot1x host-mode ..... 59
dot1x max-hosts ..... 62
dot1x max-login-attempts ..... 63
dot1x max-req ..... 64
dot1x page customization ..... 65
dot1x port-control ..... 66
dot1x radius-attributes vlan ..... 67
dot1x re-authenticate ..... 69
dot1x reauthentication ..... 70
dot1x system-auth-control ..... 70
dot1x timeout quiet-period ..... 71
dot1x timeout reauth-period ..... 72
dot1x timeout server-timeout ..... 73
dot1x timeout silence-period ..... 74
dot1x timeout supp-timeout ..... 75
dot1x timeout tx-period ..... 76
dot1x traps authentication failure ..... 77
dot1x traps authentication quiet ..... 78
dot1x traps authentication success ..... 79
dot1x unlock client ..... 80
dot1x violation-mode ..... 81
show dot1x ..... 82
show dot1x locked clients ..... 88
show dot1x statistics ..... 89
show dot1x users ..... 91

3 ACL Commands ..... 93
ip access-list (IP extended) ..... 93
permit (IP) ..... 94
deny (IP) ..... 97
ipv6 access-list (IPv6 extended) ..... 101
permit (IPv6) ..... 102
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
deny (IPv6) ..... 105
mac access-list ..... 108
permit (MAC) ..... 109
deny (MAC) ..... 111
service-acl input ..... 112
service-acl output ..... 114
time-range ..... 115
absolute ..... 117
periodic ..... 118
show time-range ..... 119
show access-lists ..... 120
show interfaces access-lists ..... 121
clear access-lists counters ..... 121
show interfaces access-lists trapped packets ..... 122
ip access-list (IP standard) ..... 123
ipv6 access-list (IP standard) ..... 125

4 Address Table Commands ..... 127
bridge multicast filtering ..... 127
bridge multicast mode ..... 128
bridge multicast address ..... 130
bridge multicast forbidden address ..... 131
bridge multicast ip-address ..... 132
bridge multicast forbidden ip-address ..... 134
bridge multicast source group ..... 135
bridge multicast forbidden source group ..... 136
bridge multicast ipv6 mode ..... 138
bridge multicast ipv6 ip-address ..... 140
bridge multicast ipv6 forbidden ip-address ..... 141
bridge multicast ipv6 source group ..... 142
bridge multicast ipv6 forbidden source group ..... 144
bridge multicast unregistered ..... 145
bridge multicast forward-all ..... 146
bridge multicast forbidden forward-all ..... 147
bridge unicast unknown ..... 148
show bridge unicast unknown ..... 149
mac address-table static ..... 150
clear mac address-table ..... 152
mac address-table aging-time ..... 153
port security ..... 154
port security mode ..... 155
port security max ..... 157
port security routed secure-address ..... 158
show mac address-table ..... 159
show mac address-table count ..... 161
show bridge multicast mode ..... 161
show bridge multicast address-table ..... 162
show bridge multicast address-table static ..... 166
show bridge multicast filtering ..... 168
show bridge multicast unregistered ..... 169
show ports security ..... 170
show ports security addresses ..... 171
bridge multicast reserved-address ..... 172
show bridge multicast reserved-addresses ..... 174

5 Authentication, Authorization and Accounting (AAA) Commands ..... 175
aaa authentication login ..... 175
aaa authentication enable ..... 176
login authentication ..... 178
enable authentication ..... 179
ip http authentication ..... 180
show authentication methods ..... 182
password ..... 183
enable password ..... 184
service password-recovery ..... 185
username ..... 187
show users accounts ..... 188
aaa accounting login ..... 189
aaa accounting dot1x ..... 191
show accounting ..... 193
passwords complexity enable ..... 194
passwords complexity ..... 195
passwords aging ..... 197
show passwords configuration ..... 197

6 Auto-Update and Auto-Configuration ..... 200
boot host auto-config ..... 200
boot host auto-update ..... 201
show boot ..... 202
ip dhcp tftp-server ip address ..... 205
ip dhcp tftp-server file ..... 206
ip dhcp tftp-server image file ..... 207
show ip dhcp tftp-server ..... 207

7 Bonjour Commands ..... 209
bonjour enable ..... 209
bonjour interface range ..... 209
show bonjour ..... 210

8 CDP Commands ..... 212
cdp advertise-v2 ..... 212
cdp appliance-tlv enable ..... 212
cdp device-id format ..... 214
cdp enable ..... 214
cdp holdtime ..... 215
cdp log mismatch duplex ..... 216
cdp log mismatch native ..... 217
cdp log mismatch voip ..... 217
cdp mandatory-tlvs validation ..... 218
cdp pdu ..... 219
cdp run ..... 220
cdp source-interface ..... 221
cdp timer ..... 222
clear cdp counters ..... 222
clear cdp table ..... 223
show cdp ..... 224
show cdp entry ..... 225
show cdp interface ..... 226
show cdp neighbors ..... 227
show cdp tlv ..... 233
show cdp traffic ..... 237

9 Clock Commands ..... 240
absolute ..... 240
clock dhcp timezone ..... 241
clock set ..... 242
clock source ..... 243
clock summer-time ..... 244
clock timezone ..... 246
periodic ..... 247
sntp anycast client enable ..... 248
sntp authenticate ..... 249
sntp authentication-key ..... 250
sntp broadcast client enable ..... 251
sntp client enable ..... 252
sntp client enable (interface) ..... 253
sntp server ..... 254
sntp source-interface ..... 255
sntp source-interface-ipv6 ..... 256
sntp trusted-key ..... 257
sntp unicast client enable ..... 258
sntp unicast client poll ..... 259
show clock ..... 260
show sntp configuration ..... 261
show sntp status ..... 263
show time-range ..... 265
time-range ..... 265

10 Denial of Service (DoS) Commands ..... 267
security-suite deny fragmented ..... 267
security-suite deny icmp ..... 268
security-suite deny martian-addresses ..... 269
security-suite deny syn ..... 271
security-suite deny syn-fin ..... 273
security-suite dos protect ..... 274
security-suite dos syn-attack ..... 275
security-suite enable ..... 276
security-suite syn protection mode ..... 278
security-suite syn protection recovery ..... 279
security-suite syn protection threshold ..... 280
show security-suite configuration ..... 281
show security-suite syn protection ..... 282

11 DHCP Relay Commands ..... 284
ip dhcp relay enable (Global) ..... 284
ip dhcp relay enable (Interface) ..... 285
ip dhcp relay address (Global) ..... 286
ip dhcp relay address (Interface) ..... 287
show ip dhcp relay ..... 288
ip dhcp information option ..... 290
show ip dhcp information option ..... 291

12 DHCP Server Commands ..... 292
address (DHCP Host) ..... 292
address (DHCP Network) ..... 293
auto-default-router ..... 294
bootfile ..... 295
clear ip dhcp binding ..... 296
client-name ..... 297
default-router ..... 298
dns-server ..... 299
domain-name ..... 300
ip dhcp excluded-address ..... 300
ip dhcp pool host ..... 301
ip dhcp pool network ..... 302
ip dhcp server ..... 303
lease ..... 304
netbios-name-server ..... 305
netbios-node-type ..... 306
next-server ..... 307
next-server-name ..... 308
option ..... 309
show ip dhcp ..... 311
show ip dhcp allocated ..... 311
show ip dhcp binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
show ip dhcp declined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
show ip dhcp excluded-addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
show ip dhcp expired . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
show ip dhcp pool host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
show ip dhcp pool network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
show ip dhcp pre-allocated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
show ip dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
time-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
13 DHCP Snooping Commands ......................................................................... 324
ip dhcp snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
ip dhcp snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
ip dhcp snooping trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
ip dhcp snooping information option allowed-untrusted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
ip dhcp snooping verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
ip dhcp snooping database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
ip dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
clear ip dhcp snooping database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
show ip dhcp snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
show ip dhcp snooping binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
ip source-guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
ip source-guard binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
ip source-guard tcam retries-freq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
ip source-guard tcam locate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
show ip source-guard configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
show ip source-guard status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
show ip source-guard inactive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
show ip source-guard statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
ip arp inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
ip arp inspection vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
ip arp inspection trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
ip arp inspection validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
ip arp inspection list create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
ip mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
ip arp inspection list assign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
ip arp inspection logging interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
show ip arp inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
show ip arp inspection list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
show ip arp inspection statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
clear ip arp inspection statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
14 DHCPv6 Commands ...................................................................................... 351
clear ipv6 dhcp client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
ipv6 dhcp client information refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
ipv6 dhcp client information refresh minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
ipv6 dhcp client stateless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
ipv6 dhcp duid-en . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
ipv6 dhcp relay destination (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
ipv6 dhcp relay destination (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
show ipv6 dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
show ipv6 dhcp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
15 DNS Client Commands .................................................................................. 366
clear host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
ip domain lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
ip domain name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
ip domain polling-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
ip domain retry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
ip domain timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
ip host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
ip name-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
show hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
16 EEE Commands .............................................................................................. 376
eee enable (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
eee enable (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
eee lldp enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
show eee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
17 Ethernet Configuration Commands ............................................................. 385
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
interface range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
shutdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
operation time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
duplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
flowcontrol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
mdix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
back-pressure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
port jumbo-frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
link-flap prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
clear counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
set interface active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
errdisable recovery cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
errdisable recovery interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
errdisable recovery reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
show interfaces configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
show interfaces status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
show interfaces advertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
show interfaces description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
show interfaces counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
show ports jumbo-frame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
show link-flap prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
show errdisable recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
show errdisable interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
clear switchport monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
show switchport monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
18 File System Commands ................................................................................ 420
File Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
System Flash Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Flash File System on Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
boot config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
boot localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
boot system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
cd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
dir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
mkdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
more . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
pwd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
rmdir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
service mirror-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
show bootvar / show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
show mirror-configuration service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
show reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
show running-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
show startup-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
write . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
19 GARP VLAN Registration Protocol (GVRP) Commands ............................ 456
clear gvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
gvrp enable (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
gvrp enable (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
gvrp registration-forbid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
gvrp vlan-creation-forbid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
show gvrp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
show gvrp error-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
show gvrp statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
20 Green Ethernet ............................................................................................... 464
green-ethernet energy-detect (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
green-ethernet energy-detect (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
green-ethernet short-reach (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
green-ethernet short-reach (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
green-ethernet power-meter reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
show green-ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
21 IGMP Commands ........................................................................................... 470
clear ip igmp counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
ip igmp last-member-query-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
ip igmp last-member-query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
ip igmp query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
ip igmp query-max-response-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
ip igmp robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
ip igmp version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
show ip igmp counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
show ip igmp groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
show ip igmp groups summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
show ip igmp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
22 IGMP Proxy Commands ................................................................................ 482
ip igmp-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
ip igmp-proxy downstream protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
ip igmp-proxy downstream protected interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
ip igmp-proxy ssm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
show ip igmp-proxy interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
23 IGMP Snooping Commands .......................................................................... 489
ip igmp snooping (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
ip igmp snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
ip igmp snooping vlan mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
ip igmp snooping vlan mrouter interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
ip igmp snooping vlan forbidden mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
ip igmp snooping vlan static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
ip igmp snooping vlan multicast-tv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
ip igmp snooping map cpe vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
ip igmp snooping querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
ip igmp snooping vlan querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
ip igmp snooping vlan querier address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
ip igmp snooping vlan querier election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
ip igmp snooping vlan querier version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
ip igmp snooping vlan immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
show ip igmp snooping cpe vlans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
show ip igmp snooping groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
show ip igmp snooping interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
show ip igmp snooping mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
show ip igmp snooping multicast-tv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
24 IP Addressing Commands............................................................................. 507
ip address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
ip address dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
renew dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
ip default-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
show ip interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
arp timeout (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
ip arp proxy disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
ip proxy-arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
clear arp-cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
show arp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
show arp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
interface ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
ip helper-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
show ip helper-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
show ip dhcp client interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
25 IP Routing Protocol-Independent Commands ........................................... 525
ip policy route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
ip redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
ip routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
show ip route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
show ip route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
26 IP System Management Commands ........................................................... 537
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
27 IPv4 IPM Router Commands......................................................................... 549
ip multicast-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
ip multicast ttl-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
show ip mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
show ip multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
28 IPv6 Commands ............................................................................................. 556
clear ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
ipv6 address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
ipv6 address anycast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
ipv6 address autoconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
ipv6 address eui-64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
ipv6 address link-local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
ipv6 default-gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
ipv6 enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
ipv6 hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
ipv6 icmp error-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
ipv6 link-local default zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
ipv6 nd advertisement-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
ipv6 nd dad attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
ipv6 nd hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
ipv6 nd managed-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
ipv6 nd ns-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
ipv6 nd other-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
ipv6 nd prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
ipv6 nd ra interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
ipv6 nd ra lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
ipv6 nd ra suppress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
ipv6 nd reachable-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
ipv6 nd router-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
ipv6 neighbor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
ipv6 policy route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
ipv6 redirects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
ipv6 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
ipv6 unicast-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
ipv6 unreachables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
show ipv6 interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
show ipv6 link-local default zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
show ipv6 nd prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
show ipv6 neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
show ipv6 route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
show ipv6 route summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
show ipv6 static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
29 IPv6 First Hop Security.................................................................................. 615
address-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
address-prefix-validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
clear ipv6 first hop security counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
clear ipv6 first hop security error counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
clear ipv6 neighbor binding prefix table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
clear ipv6 neighbor binding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
device-role (IPv6 DHCP Guard) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
device-role (Neighbor Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
device-role (ND Inspection Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
device-role (RA Guard Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
drop-unsecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
ipv6 dhcp guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
ipv6 dhcp guard attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
ipv6 dhcp guard attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
ipv6 dhcp guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
ipv6 dhcp guard preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
ipv6 first hop security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
ipv6 first hop security attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
ipv6 first hop security attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
ipv6 first hop security logging packet drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
ipv6 first hop security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
ipv6 nd inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
ipv6 nd inspection attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
ipv6 nd inspection attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
ipv6 nd inspection drop-unsecure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
ipv6 nd inspection policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
ipv6 nd inspection sec-level minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653
ipv6 nd inspection validate source-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
ipv6 nd raguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
ipv6 nd raguard attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
ipv6 nd raguard attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
ipv6 nd raguard hop-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
ipv6 nd raguard managed-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
ipv6 nd raguard other-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
ipv6 nd raguard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
ipv6 nd raguard router-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
ipv6 neighbor binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
ipv6 neighbor binding address-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
ipv6 neighbor binding address-prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
ipv6 neighbor binding address-prefix-validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
ipv6 neighbor binding attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
ipv6 neighbor binding attach-policy (VLAN mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
ipv6 neighbor binding lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676
ipv6 neighbor binding logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
ipv6 neighbor binding max-entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
ipv6 neighbor binding policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
ipv6 neighbor binding static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
ipv6 source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
ipv6 source guard attach-policy (port mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
ipv6 source guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
logging binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
logging packet drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
managed-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
match ra address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
match ra prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
match reply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
match server address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
max-entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
other-config-flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
router-preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
sec-level minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
show ipv6 dhcp guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
show ipv6 dhcp guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
show ipv6 first hop security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
show ipv6 first hop security active policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
show ipv6 first hop security attached policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
show ipv6 first hop security counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
show ipv6 first hop security error counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
show ipv6 first hop security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
show ipv6 nd inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
show ipv6 nd inspection policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
show ipv6 nd raguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
show ipv6 nd raguard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
show ipv6 neighbor binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
show ipv6 neighbor binding policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
show ipv6 neighbor binding prefix table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
show ipv6 neighbor binding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
show ipv6 source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
show ipv6 source guard policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
trusted-port (IPv6 Source Guard) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
validate source-mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
30 IPv6 IPM Router Commands......................................................................... 728
ipv6 multicast-routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
ipv6 multicast hop-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
show ipv6 mroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
show ipv6 multicast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
31 IPv6 Prefix List Commands .......................................................................... 735
clear ipv6 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
ipv6 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
show ipv6 prefix-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740
32 iSCSI QoS Commands ................................................................................... 744
iscsi enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744
iscsi flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745
iscsi qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
show iscsi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
33 IPv6 Tunnel Commands ................................................................................ 750
interface tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
tunnel destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 751
tunnel isatap solicitation-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
tunnel isatap robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
tunnel isatap router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
tunnel mode ipv6ip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
tunnel source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
show ipv6 tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
34 Line Commands.............................................................................................. 763
autobaud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
exec-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
show line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
35 Link Aggregation Control Protocol (LACP) Commands ............................ 768
lacp port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 768
lacp system-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
lacp timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
show lacp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
show lacp port-channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
36 Link Layer Discovery Protocol (LLDP) Commands.................................... 774
clear lldp table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
lldp chassis-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774
lldp hold-multiplier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
lldp lldpdu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 776
lldp management-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778
lldp med . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 779
lldp med notifications topology-change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780
lldp med fast-start repeat-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
lldp med location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 781
lldp med network-policy (global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 782
lldp med network-policy (interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
lldp med network-policy voice auto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785
lldp notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786
lldp notifications interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
lldp optional-tlv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788
lldp optional-tlv 802.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789
lldp run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
lldp receive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790
lldp reinit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791
lldp timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792
lldp transmit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
lldp tx-delay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794
show lldp configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795
show lldp local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797
show lldp local tlvs-overloading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 800
show lldp med configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 801
show lldp neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802
37 Loopback Detection Commands .................................................................. 812
loopback-detection enable (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812
loopback-detection enable (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
loopback-detection interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813
show loopback-detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814
38 Macro Commands .......................................................................................... 816
macro name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 816
macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
macro description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822
macro global . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
macro global description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825
show parser macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 826
39
Management ACL Commands...................................................................... 829
deny (Management) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 829
permit (Management) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 830
management access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
management access-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833
show management access-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
show management access-class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
40
MLD Commands ............................................................................................. 836
clear ipv6 mld counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
ipv6 mld last-member-query-count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
ipv6 mld last-member-query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
ipv6 mld query-interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
ipv6 mld query-max-response-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 839
ipv6 mld robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
ipv6 mld version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 841
show ipv6 mld counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 842
show ipv6 mld groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843
show ipv6 mld groups summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
show ipv6 mld interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 846
41
MLD Proxy Commands.................................................................................. 848
ipv6 mld-proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 848
ipv6 mld-proxy downstream protected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
ipv6 mld-proxy downstream protected interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 850
ipv6 mld-proxy ssm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 851
show ipv6 mld-proxy interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 852
42
MLD Snooping Commands............................................................................ 855
ipv6 mld snooping (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
ipv6 mld snooping vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855
ipv6 mld snooping querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 856
ipv6 mld snooping vlan querier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857
ipv6 mld snooping vlan querier election . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 858
ipv6 mld snooping vlan querier version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
ipv6 mld snooping vlan mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 860
ipv6 mld snooping vlan mrouter interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 861
ipv6 mld snooping vlan forbidden mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862
ipv6 mld snooping vlan static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863
ipv6 mld snooping vlan immediate-leave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
show ipv6 mld snooping groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 864
show ipv6 mld snooping interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 866
show ipv6 mld snooping mrouter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867
43
Network Management Protocol (SNMP) Commands ................................ 869
snmp-server community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 869
snmp-server community-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 871
snmp-server server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 872
snmp-server source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 873
snmp-server source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874
snmp-server view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875
snmp-server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
show snmp views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 878
show snmp groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 879
snmp-server user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 880
show snmp users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
snmp-server filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
show snmp filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
snmp-server host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
snmp-server engineID local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
snmp-server engineID remote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890
show snmp engineID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 891
snmp-server enable traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 892
snmp-server trap authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
snmp-server contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893
snmp-server location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 894
snmp-server set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895
snmp trap link-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
show snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896
44
PHY Diagnostics Commands ........................................................................ 899
test cable-diagnostics tdr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 899
show cable-diagnostics tdr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
show cable-diagnostics cable-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901
show fiber-ports optical-transceiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 902
45
Power over Ethernet (PoE) Commands ....................................................... 904
power inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 904
power inline inrush test disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 905
power inline legacy support disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
power inline powered-device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 906
power inline priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907
power inline usage-threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 908
power inline traps enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
power inline limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 909
power inline limit-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 910
power inline four-pair forced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 911
show power inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 912
show power inline savings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 917
clear power inline counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
clear power inline monitor consumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
show power inline monitor consumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 920
46
Port Channel Commands .............................................................................. 923
channel-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 923
port-channel load-balance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 924
show interfaces port-channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 925
47
Quality of Service (QoS) Commands............................................................ 926
qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
qos advanced-mode trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 927
show qos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 928
class-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 929
show class-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 930
match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931
policy-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 932
class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 933
show policy-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934
trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935
set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 937
redirect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 938
mirror . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
police . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 941
service-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943
qos aggregate-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 944
show qos aggregate-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 947
police aggregate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 948
wrr-queue cos-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 949
wrr-queue bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 950
priority-queue out num-of-queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 951
traffic-shape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 952
traffic-shape queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 953
qos wrr-queue wrtd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 954
show qos wrr-queue wrtd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 955
show qos interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956
qos map policed-dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 960
qos map dscp-queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 961
qos trust (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 962
qos trust (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963
qos cos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 964
qos dscp-mutation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 965
qos map dscp-mutation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 966
show qos map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 967
clear qos statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 969
qos statistics policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 970
qos statistics aggregate-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 970
qos statistics queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
show qos statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 972
48
RADIUS Commands ....................................................................................... 975
radius-server host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
radius-server key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
radius-server retransmit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 978
radius-server host source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
radius-server host source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 980
radius-server timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
radius-server deadtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 981
show radius-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 982
show radius-servers key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983
49
Radius Server Commands............................................................................. 984
allowed-time-range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984
clear radius server accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
clear radius server rejected users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985
clear radius server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 986
privilege-level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 987
radius server accounting-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 988
radius server authentication-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 989
radius server enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
radius server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 990
radius server nas secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
radius server traps accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993
radius server traps authentication failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994
radius server traps authentication success . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 995
radius server user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 996
show radius server accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 997
show radius server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 999
show radius server group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1000
show radius server rejected users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1001
show radius server nas secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
show radius server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1005
show radius server user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1007
vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1008
50
Rate Limit and Storm Control Commands ................................................1010
clear storm-control counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1010
rate-limit (Ethernet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1011
rate-limit vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1012
storm-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
show rate-limit interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
show rate-limit vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
show storm-control interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
51
Remote Network Monitoring (RMON) Commands...................................1020
rmon alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020
show rmon alarm-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1022
show rmon alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1023
rmon event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024
show rmon events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1026
show rmon log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1027
rmon table-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1028
show rmon statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029
rmon collection stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031
show rmon collection stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1032
show rmon history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033
52
Router Resources Commands ....................................................................1036
system router resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1036
show system router resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1040
53
Route Map Commands ...............................................................................1042
match ip address (Policy Routing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
match ipv6 address (Policy Routing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
route-map (Policy Routing) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set ip next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
set ipv6 next-hop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show route-map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
54
RSA and Certificate Commands.................................................................1052
crypto key generate dsa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
crypto key generate rsa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1054
crypto key import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1055
show crypto key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1057
crypto certificate generate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1058
crypto certificate request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1060
crypto certificate import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1062
show crypto certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
sFlow Commands .........................................................................................1090
sflow receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sflow flow-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sflow counters-sampling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear sflow statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show sflow configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show sflow statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
sflow receiver source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
55
Smartport Commands .................................................................................1070
macro auto (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1070
macro auto built-in parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
macro auto persistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073
macro auto processing cdp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074
macro auto processing lldp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074
macro auto processing type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1075
macro auto resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1076
macro auto smartport (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
macro auto smartport type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078
macro auto trunk refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
macro auto user smartport macro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1081
show macro auto ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1082
1085
1086
1088
show macro auto processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show macro auto smart-macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
smartport storm-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
56
1042
1043
1044
1047
1048
1049
1090
1091
1092
1092
1093
1094
1095
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
1
sflow receiver source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1096
57
SPAN and RSPAN Commands....................................................................1098
monitor session destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
monitor session source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
remote-span . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show monitor session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan remote-span . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
58
Spanning-Tree Commands .........................................................................1111
spanning-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree forward-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree hello-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree max-age . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree portfast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree link-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree pathcost method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree bpdu (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree bpdu (Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree guard root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree bpduguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear spanning-tree detected-protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst max-hops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst port-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree mst configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
instance (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
name (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
revision (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
abort (MST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show spanning-tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show spanning-tree bpdu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
spanning-tree loopback-guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
59
1098
1101
1104
1106
1109
1111
1112
1113
1114
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1125
1126
1127
1128
1129
1130
1131
1132
1132
1133
1134
1135
1135
1147
1148
SSH Client Commands ................................................................................1150
ip ssh-client authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client change server password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client server authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
1150
1151
1152
1155
1156
20
1
ip ssh-client server fingerprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ipv6 ssh-client source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh-client username . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip ssh-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip ssh-client server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
60
SSD Commands............................................................................................1167
ssd config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show SSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd session read . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ssd session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd file passphrase control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ssd file integrity control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
61
1178
1179
1180
1182
1183
1184
SYSLOG Commands ....................................................................................1186
aaa logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
clear logging file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
file-system logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging buffered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging aggregation on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging aggregation aging-time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logging origin-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show logging file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show syslog-servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
63
1167
1167
1169
1171
1173
1174
1175
1176
Stack Commands .........................................................................................1178
set stack unit-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
stack unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
stack configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show stack configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show stack links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
62
1157
1158
1159
1160
1161
1164
1186
1187
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1197
1198
1200
1201
System Management Commands ..............................................................1203
disable ports leds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203
hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1204
reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1204
21
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
1
resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
service cpu-utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show cpu input rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show cpu utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show reload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system tcam utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show services tcp-udp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show tech-support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system fans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system power-supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show system id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ports leds configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show hardware version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
system recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
64
TACACS+ Commands..................................................................................1229
tacacs-server host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server host source-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server host source-interface-ipv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
tacacs-server timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show tacacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show tacacs key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
65
1229
1230
1231
1232
1233
1234
1235
Telnet, Secure Shell (SSH) and Secure Login (Slogin) Commands........1237
ip telnet server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh password-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip ssh pubkey-auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
crypto key pubkey-chain ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
user-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
key-string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show crypto key pubkey-chain ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
66
1206
1207
1208
1209
1209
1212
1213
1214
1215
1217
1218
1218
1219
1221
1222
1222
1224
1225
1225
1226
1227
1228
1237
1238
1238
1239
1240
1241
1242
1244
1245
1246
UDLD Commands.........................................................................................1248
show udld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1248
udld . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1252
udld message time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
22
1
udld port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1254
67
User Interface Commands ..........................................................................1256
banner exec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
banner login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
do . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
end . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit (Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
exit (EXEC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
history size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal datadump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal history size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
terminal width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show privilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
68
Virtual Local Area Network (VLAN) Commands .......................................1276
vlan database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
interface range vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport protected-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces protected-ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport access vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport trunk allowed vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport trunk native vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general allowed vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general pvid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general ingress-filtering disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general acceptable-frame-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general forbidden vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport customer vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
map protocol protocols-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general map protocols-group vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
23
1256
1257
1259
1260
1260
1261
1262
1263
1264
1264
1265
1266
1268
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1279
1280
1281
1282
1283
1284
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
SG350XG and Sx350X Ph. 2.2.5 Devices - Command Line Interface Reference Guide
1
show vlan protocols-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
map mac macs-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general map macs-group vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan macs-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
map subnet subnets-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport general map subnets-group vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan subnets-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show interfaces switchport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
private-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
private-vlan association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport private-vlan mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport private-vlan host-association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan private-vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport access multicast-tv vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
switchport customer multicast-tv vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan multicast-tv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vlan prohibit-internal-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show vlan internal usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
69 Voice VLAN Commands...............................................................................1318
show voice vlan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show voice vlan local . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan vpt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan dscp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan oui-table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan cos mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan cos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan aging-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
voice vlan enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70 Web Server Commands...............................................................................1337
ip https certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http secure-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ip http timeout-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
show ip https . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Introduction
This section describes how to use the Command Line Interface (CLI). It contains
the following topics:
• Product Notes
• Overview
• User (Privilege) Levels
• CLI Command Modes
• Accessing the CLI
• CLI Command Conventions
• Editing Features
• Interface Naming Conventions
• IPv6z Address Conventions
• Loopback Interface
• Remote IP Address and OutOfBand Port
• PHY Diagnostics
• CLI Output Modifiers
Product Notes
This CLI guide provides CLI commands and guidelines for both the SG350XG
product line and the SG350X product line. Besides a few CLI commands, which
will be mentioned below, the CLI commands included in this document can be
applied to both product lines. Following are the notes and differences in CLI
command support in regards to these product lines:
• Port types—On the SG350XG product line all ports support TengigabitEthernet (XG) speed. The SG350X supports the GigabitEthernet (GE) network ports and 4 XG uplink ports SKUs. CLI examples in this document use the XG port type, but the same commands can be applied to the GE port type unless there is a difference in feature implementation between port types.
• Speed and negotiation settings—Each port type supports the negotiation and speed settings relevant to that port type. For example, a GE interface does not support the speed or negotiation settings of a 10G interface.
• OOB interface—The SG350XG supports an OOB interface, while the SG350X does not. Therefore, OOB as a configurable interface is relevant only to the SG350XG product line.
• Power Over Ethernet—PoE is supported on some of the SG350X SKUs and not on the SG350XG; therefore PoE commands are relevant only to the SG350 SKUs.
• Stacking:
  - Stack members—Stack members must be of the same SKU type, meaning either all SG350XG or all SG350X. A stack cannot consist of a mixture of SG350XG and SG350X devices.
  - Stacking interfaces—On the SG350XG, any interface can be defined as a stacking interface. On the SG350X, only the 4 XG uplink interfaces can be defined as stacking interfaces.
• Short reach and energy detect—These settings are always enabled on XG ports (all SKUs); on FE or GE ports these features can be enabled or disabled.
• MAC address aging time—The maximum value for SG350XG is 630 seconds, while the maximum value for SG350 is 400 seconds. The default value for both product lines is the same – 300 seconds.
• IPv6 tunnels—IPv6 Manual, 6to4 and ISATAP routing tunnels are supported on the SG350XG and are not supported on the SG350X. Therefore, commands relevant to these tunnel types are supported only on the SG350XG and not on the SG350X.
Overview
The CLI is divided into various command modes. Each mode includes a group of
commands. These modes are described in CLI Command Modes.
Users are assigned privilege levels. Each user privilege level can access specific
CLI modes. User levels are described in the section below.
User (Privilege) Levels
Users can be created with one of the following user levels:
• Level 1—Users with this level can only run User EXEC mode commands. Users at this level cannot access the web GUI or commands in the Privileged EXEC mode.
• Level 7—Users with this level can run commands in the User EXEC mode and a subset of commands in the Privileged EXEC mode. Users at this level cannot access the web GUI.
• Level 15—Users with this level can run all commands. Only users at this level can access the web GUI.
A system administrator (user with level 15) can create passwords that allow a
lower level user to temporarily become a higher level user. For example, the user
may go from level 1 to level 7, level 1 to 15, or level 7 to level 15.
The passwords for each level are set (by an administrator) using the following
command:
enable password [level privilege-level] {password | encrypted encrypted-password}
Using these passwords, you can raise your user level by entering the enable command followed by the password for level 7 or 15. You can go from level 1 to level 7 or directly to level 15. The higher level holds only for the current session.
The disable command returns the user to a lower level.
To create a user and assign it a user level, use the username command. Only users with command level 15 can create users at this level.
Example—Create passwords for level 7 and 15 (by the administrator):
switchxxxxxx#configure
switchxxxxxx<conf># enable password level 7 level7@abc
switchxxxxxx<conf># enable password level 15 level15@abc
switchxxxxxx<conf>#
Create a user with user level 1:
switchxxxxxx#configure
switchxxxxxx<conf> username john password john1234 privilege 1
switchxxxxxx<conf>
Example 2—Switch from Level 1 to Level 15. The user must know the password:
switchxxxxxx#
switchxxxxxx# enable
Enter Password: ****** (this is the password for level 15 - level15@abc)
switchxxxxxx#
NOTE If authentication of passwords is performed on RADIUS or TACACS+ servers, the
passwords assigned to user level 7 and user level 15 must be configured on the
external server and associated with the $enable7$ and $enable15$ user names,
respectively. See the Authentication, Authorization and Accounting (AAA)
Commands chapter for details.
CLI Command Modes
The CLI is divided into four command modes. The command modes are (in the order in which they are accessed):
• User EXEC mode
• Privileged EXEC mode
• Global Configuration mode
• Interface Configuration mode
Each command mode has its own unique console prompt and set of CLI
commands. Entering a question mark at the console prompt displays a list of
available commands for the current mode and for the level of the user. Specific
commands are used to switch from one mode to another.
Users are assigned privilege levels that determine the modes and commands
available to them. User levels are described in User (Privilege) Levels.
User EXEC Mode
Users with level 1 initially log into User EXEC mode. User EXEC mode is used for
tasks that do not change the configuration, such as performing basic tests and
listing system information.
The user-level prompt consists of the switch host name followed by a #. The default host name is switchxxxxxx, where xxxxxx is the last six digits of the device's MAC address, as shown below:
switchxxxxxx#
The default host name can be changed via the hostname command in Global
Configuration mode.
Privileged EXEC Mode
A user with level 7 or 15 automatically logs into Privileged EXEC mode.
Users with level 1 can enter Privileged EXEC mode by entering the enable command and, when prompted, the password for level 15.
To return from the Privileged EXEC mode to the User EXEC mode, use the disable
command.
Global Configuration Mode
The Global Configuration mode is used to run commands that configure features
at the system level, as opposed to the interface level.
Only users with command level of 7 or 15 can access this mode.
To access Global Configuration mode from Privileged EXEC mode, enter the
configure command at the Privileged EXEC mode prompt and press Enter. The
Global Configuration mode prompt, consisting of the device host name followed
by (config)#, is displayed:
switchxxxxxx(config)#
Use any of the following commands to return from Global Configuration mode to
the Privileged EXEC mode:
• exit
• end
• Ctrl+Z
The following example shows how to access Global Configuration mode and
return to Privileged EXEC mode:
switchxxxxxx#
switchxxxxxx# configure
switchxxxxxx(config)# exit
switchxxxxxx#
Interface or Line Configuration Modes
Various submodes may be entered from Global Configuration mode. These
submodes enable performing commands on a group of interfaces or lines.
For instance to perform several operations on a specific port or range of ports, you
can enter the Interface Configuration mode for that interface.
The following example enters Interface Configuration mode for vlan1, sets its speed, and then returns to Global Configuration mode with the exit command:
switchxxxxxx#
switchxxxxxx# configure
switchxxxxxx(config)# interface range vlan1
switchxxxxxx(config-if)#speed 10
switchxxxxxx(config-if)#exit
switchxxxxxx(config)#
The following is a sample of some of the available submodes:
• Interface—Contains commands that configure a specific interface (port, VLAN, port channel, or tunnel) or range of interfaces. The interface Global Configuration mode command is used to enter the Interface Configuration mode.
• Line Interface—Contains commands used to configure the management connections for the console, Telnet and SSH. These include commands such as line timeout settings. The line Global Configuration command is used to enter the Line Configuration command mode.
• VLAN Database—Contains commands used to configure a VLAN as a whole. The vlan database Global Configuration mode command is used to enter the VLAN Database Interface Configuration mode.
• Management Access List—Contains commands used to define management access-lists. The management access-list Global Configuration mode command is used to enter the Management Access List Configuration mode.
• MAC Access-List, IPv6 Access List, IP Access List—Configures conditions required to allow traffic based on MAC addresses, IPv6 addresses and IPv4 addresses, respectively. The mac access-list, ipv6 access-list and ip access-list Global Configuration mode commands are used to enter these configuration modes.
To return from any Interface Configuration mode to the Global Configuration mode,
use the exit command.
Accessing the CLI
The CLI can be accessed from a terminal or computer by performing one of the
following tasks:
• Running a terminal application, such as HyperTerminal, on a computer's com port that is directly connected to the switch's console port,
—or—
• Running a Telnet session from a command prompt on a computer with a network connection to the switch.
• Using SSH from an application that supports an SSH client, running on a computer with a network connection to the switch.
NOTE Telnet and SSH are disabled by default on the switch.
If access is via a Telnet or SSH connection, ensure that the following conditions are
met before using CLI commands:
• The switch has a defined IP address.
• Corresponding management access is enabled.
• There is an IP path such that the computer and the switch can reach each other.
Using HyperTerminal over the Console Interface
The switch’s RJ45 port provides a direct connection to a computer’s serial port
using a standard DB-9 null-modem or crossover cable. After the computer and
switch are connected, run a terminal application to access the CLI.
The terminal emulator must be configured to databits=8 and parity=none.
Press Enter twice, so that the device sets the serial port speed to match the PC's serial port speed.
When the CLI appears, enter cisco at the User Name prompt and then enter cisco
for the Password prompt.
The switchxxxxxx# prompt is displayed. You can now enter CLI commands to
manage the switch. For detailed information on CLI commands, refer to the
appropriate chapter(s) of this reference guide.
Using Telnet over an Ethernet Interface
Telnet provides a method of connecting to the CLI over an IP network.
To establish a telnet session from the command prompt, perform the following
steps:
STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a command prompt.
Figure 1 Start > All Programs > Accessories > Command Prompt
STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter.
Figure 2 Command Prompt
STEP 3 The CLI will be displayed.
CLI Command Conventions
When entering commands there are certain command entry standards that apply
to all commands. The following table describes the command conventions.
Convention             Description
[ ]                    In a command line, square brackets indicate an optional entry.
{ }                    In a command line, curly brackets indicate a selection of compulsory parameters separated by the | character. One option must be selected. For example, flowcontrol {auto|on|off} means that for the flowcontrol command, either auto, on, or off must be selected.
"" (inverted commas)   When the input string contains spaces and/or reserved words (such as VLAN), put the string in inverted commas.
parameter              Italic text indicates a parameter.
press key              Names of keys to be pressed are shown in bold.
Ctrl+F4                Keys separated by the + character are to be pressed simultaneously on the keyboard.
Screen Display         Fixed-width font indicates CLI prompts, CLI commands entered by the user, and system messages displayed on the console.
all                    When a parameter is required to define a range of ports or parameters and all is an option, the default for the command is all when no parameters are defined. For example, the command interface range port-channel has the option of either entering a range of channels or selecting all. When the command is entered without a parameter, it automatically defaults to all.
text                   When free text can be entered as a parameter for a command (for example in the command snmp-server contact), if the text consists of multiple words separated by blanks, the entire string must appear in double quotes. For example: snmp-server contact "QA on floor 8"
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command show interfaces status Gigabitethernet 1, show, interfaces and status are keywords, Gigabitethernet is an argument that specifies the interface type, and 1 specifies the port.
To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:
switchxxxxxx(config)# username admin password alansmith
When working with the CLI, the command options are not displayed. The standard
command to request help is ?.
There are two instances where help information can be displayed:
• Keyword lookup—The character ? is entered in place of a command. A list of all valid commands and corresponding help messages is displayed.
• Partial keyword lookup—If a command is incomplete, or the character ? is entered in place of a parameter, the matched keywords or parameters for this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The following features are described:
• Terminal Command Buffer
• Command Completion
• Interface Naming Conventions
• Keyboard Shortcuts
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally
managed Command History buffer. Commands stored in the buffer are maintained
on a First In First Out (FIFO) basis. These commands can be recalled, reviewed,
modified, and reissued. This buffer is not preserved across device resets.
Keyword                   Description
Up-Arrow key / Ctrl+P     Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-Arrow key            Returns to more recent commands in the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time.
For more information on enabling or disabling the history buffer, refer to the history
command.
There is a standard default number of commands that are stored in the buffer. The
standard number of 10 commands can be increased to 216. By configuring 0, the
effect is the same as disabling the history buffer system. For more information on
configuring the command history buffer, refer to the history size command.
To display the history buffer, refer to the show history command.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be entered to
cancel the effect of a command or reset the configuration to the default value. This
Reference Guide provides a description of the negation effect for each CLI
command.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid parameters,
then the appropriate error message is displayed. This assists in entering the
correct command. By pressing Tab after an incomplete command is entered, the
system will attempt to identify and complete the command. If the characters
already entered are not enough for the system to identify a single matching
command, press ? to display the available commands matching the characters
already entered.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands.
The following table describes the CLI shortcuts.
Keyboard Key     Description
Up-arrow         Recalls commands from the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Down-arrow       Returns the most recent commands from the history buffer after recalling commands with the up-arrow key. Repeating the key sequence will recall successively more recent commands.
Ctrl+A           Moves the cursor to the beginning of the command line.
Ctrl+E           Moves the cursor to the end of the command line.
Ctrl+Z / End     Returns to the Privileged EXEC mode from any configuration mode.
Backspace        Deletes one character to the left of the cursor position.
Copying and Pasting Text
Up to 1000 lines of text (or commands) can be copied and pasted into the device.
NOTE It is the user’s responsibility to ensure that the text copied into the device consists
of legal commands only.
When copying and pasting commands from a configuration file, make sure that the
following conditions exist:
• A device Configuration mode has been accessed.
• The commands contain no encrypted data, like encrypted passwords or keys. Encrypted data cannot be copied and pasted into the device, except for encrypted passwords where the keyword encrypted is used before the encrypted data (for instance in the enable password command).
Interface Naming Conventions
Interfaces on the device can be one of the following types:
• Fast Ethernet (10/100 kbits) ports—This can be written as FastEthernet, fa or fe.
• Gigabit Ethernet (10/100/1000 kbits) ports—These can be written as either GigabitEthernet, gi or GE.
• Ten Gigabit Ethernet (10,000 kbits) ports—This can be written as either TenGigabitEthernet, te or XG.
• LAG (Port Channel)—Written as either Port-Channel or po.
• VLAN—Written as VLAN
• Tunnel—Written as tunnel or tu
• OOB—Written as OutOfBand or oob
Within the CLI, interfaces are denoted by concatenating the following elements:
• Type of Interface—As described above
• Unit Number—Unit in stack.
• Slot Number—The slot number is always 0.
• Interface Number—Port, LAG, tunnel or VLAN numbers
The syntax for interface names in stacking mode is:
{<port-type>[ ][<unit-number>/]<slot-number>/<port-number>} |
{port-channel | po}[ ]<port-channel-number> |
{tunnel | tu}[ ]<tunnel-number> | vlan[ ]<vlan-id>
Samples of these various options are shown in the example below:
switchxxxxxx(config)#interface te1/0/1
switchxxxxxx(config)#interface po1
switchxxxxxx(config)# interface vlan 1
NOTE See Loopback Interface for a description of the loopback interface.
Interface Range
Interfaces may be described on an individual basis or within a range. The interface
range command has the following syntax:
<interface-range> ::=
{<port-type>[ ][<unit-number>/]<slot-number>/<first-port-number>[ - <last-port-number>]} |
port-channel[ ]<first-port-channel-number>[ - <last-port-channel-number>] |
tunnel[ ]<first-tunnel-number>[ - <last-tunnel-number>] |
vlan[ ]<first-vlan-id>[ - <last-vlan-id>]
A sample of this command is shown in the example below:
switchxxxxxx#configure
switchxxxxxx(config)#interface range te1/0/1-5
List of Multiple Interface Types
A combination of interface types can be specified in the interface range
command in the following format:
<range-list> ::= <interface-range> | <range-list>, <interface-range>
Up to five ranges can be included.
NOTE Range lists can contain either ports and port-channels or VLANs. Combinations of ports/port-channels and VLANs are not allowed.
The space after the comma is optional.
When a range list is defined, a space after the first entry and before the comma (,)
must be entered.
A sample of this command is shown in the example below:
switchxxxxxx#configure
switchxxxxxx(config)#interface range te1/0/1-5, vlan 1-2
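The interface naming and range-list rules above (port type spellings, slot always 0, up to five ranges, no mixing of ports/port-channels with VLANs), implemented as an added example that is not code from the guide or from Cisco. It assumes that tunnel ranges count as non-VLAN entries for the no-mixing rule, which the NOTE does not specify.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepted spellings from the guide's Interface Naming Conventions, each
# normalised to one short form.
PHYSICAL = {"fastethernet": "fa", "fa": "fa", "fe": "fa",
            "gigabitethernet": "gi", "gi": "gi", "ge": "gi",
            "tengigabitethernet": "te", "te": "te", "xg": "te"}
LOGICAL = {"port-channel": "po", "po": "po",
           "tunnel": "tu", "tu": "tu",      # assumption: treated like ports for mixing
           "vlan": "vlan"}
MAX_RANGES = 5  # "Up to five ranges can be included."

# <port-type>[ ][<unit-number>/]<slot-number>/<first-port>[ - <last-port>]
_PORT_RE = re.compile(r"^([a-z-]+)\s*(?:(\d+)/)?(\d+)/(\d+)(?:\s*-\s*(\d+))?$", re.I)
# {port-channel|po|tunnel|tu|vlan}[ ]<first>[ - <last>]
_LOGICAL_RE = re.compile(r"^([a-z-]+)\s*(\d+)(?:\s*-\s*(\d+))?$", re.I)


@dataclass(frozen=True)
class IfRange:
    kind: str                   # "fa", "gi", "te", "po", "tu" or "vlan"
    first: int
    last: int
    unit: Optional[int] = None  # stack unit number; physical ports only


def parse_range(text: str) -> IfRange:
    """Parse one <interface-range> element, raising ValueError on bad input."""
    text = text.strip()
    m = _PORT_RE.match(text)
    if m:
        type_name, unit, slot, first, last = m.groups()
        kind = PHYSICAL.get(type_name.lower())
        if kind is None:
            raise ValueError(f"unknown port type in {text!r}")
        if slot != "0":
            raise ValueError("slot number is always 0")
        unit_no = int(unit) if unit is not None else None
    else:
        m = _LOGICAL_RE.match(text)
        if not m:
            raise ValueError(f"malformed interface range {text!r}")
        type_name, first, last = m.groups()
        kind = LOGICAL.get(type_name.lower())
        if kind is None:
            raise ValueError(f"unknown interface type in {text!r}")
        unit_no = None
    first_no = int(first)
    last_no = int(last) if last is not None else first_no
    if last_no < first_no:
        raise ValueError(f"range end precedes range start in {text!r}")
    return IfRange(kind, first_no, last_no, unit_no)


def parse_range_list(text: str) -> List[IfRange]:
    """Parse <range-list> ::= <interface-range> | <range-list>, <interface-range>."""
    parts = text.split(",")  # the space after the comma is optional
    if len(parts) > MAX_RANGES:
        raise ValueError("a range list may contain at most five ranges")
    ranges = [parse_range(part) for part in parts]
    # Ports and port-channels may be mixed with each other but not with VLANs.
    if len({r.kind == "vlan" for r in ranges}) > 1:
        raise ValueError("ports/port-channels and VLANs cannot be mixed in one range list")
    return ranges


def is_valid_range_list(text: str) -> bool:
    """True when the guide's rules accept the range list, False otherwise."""
    try:
        parse_range_list(text)
        return True
    except ValueError:
        return False


def expand(ranges: List[IfRange]) -> List[str]:
    """Expand parsed ranges into the individual interface names they cover."""
    names = []
    for r in ranges:
        for number in range(r.first, r.last + 1):
            if r.kind in ("fa", "gi", "te"):
                unit = f"{r.unit}/" if r.unit is not None else ""
                names.append(f"{r.kind}{unit}0/{number}")
            else:
                names.append(f"{r.kind}{number}")
    return names


if __name__ == "__main__":
    print(expand(parse_range_list("te1/0/1-5, po1")))
    print(is_valid_range_list("te1/0/1-5, vlan 1-2"))  # False: mixes ports and VLANs
```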
IPv6z Address Conventions
The following describes how to write an IPv6z address, which is a link-local IPv6
address.
The format is: <ipv6-link-local-address>%<egress-interface>
where:
egress-interface (also known as zone) = vlan<vlan-id> | po<number> | tunnel<number> | port<number> | 0
If the egress interface is not specified, the default interface is selected. Specifying
egress interface = 0 is equal to not defining an egress interface.
The following combinations are possible:
• ipv6_address%egress-interface—Refers to the IPv6 address on the interface specified.
• ipv6_address%0—Refers to the IPv6 address on the single interface on which an IPv6 address is defined.
• ipv6_address—Refers to the IPv6 address on the single interface on which an IPv6 address is defined.
Loopback Interface
When an IP application on a router wants to communicate with a remote IP
application, it must select the local IP address to be used as its IP address. It can
use any IP address defined on the router, but if this link goes down, the
communication is aborted, even though there might well be another IP route
between these IP applications.
The loopback interface is a virtual interface whose operational state is always up.
If the IP address that is configured on this virtual interface is used as the local
address when communicating with remote IP applications, the communication will
not be aborted even if the actual route to the remote application was changed.
The name of the loopback interface is loopback1.
A loopback interface does not support bridging; it cannot be a member of any
VLAN, and no layer 2 protocol can be enabled on it.
Layer 3 Specification
IP Interface
IPv4 and IPv6 addresses can be assigned to a loopback interface.
The IPv6 link-local interface identifier is 1.
Routing Protocols
A routing protocol running on the switch supports the advertising of the IP prefixes
defined on the loopback interfaces via the routing protocol redistribution
mechanism.
If a layer 2 switch with one IPv4 address supports a loopback interface, the above
rules are replaced by the following ones:
This is the definition of the IP configuration when the device is in layer 2 mode:
• Only one loopback interface is supported.
• Two IPv4 interfaces can be configured: one on a VLAN and one on the loopback interface.
• If the IPv4 address was configured on the default VLAN and the default VLAN is changed, the switch moves the IPv4 address to the new default VLAN.
• The ip address command does the following:
  - In VLAN context, it replaces the existing configured IPv4 address on the specified interface by the new one.
  - In Loopback Interface context, it replaces the existing, configured IPv4 address on the loopback interface with the new one.
  - In the Loopback Interface context, it does not support the keyword default-gateway.
Configuration Examples
Static Routing
The following example shows you how to configure IP on a switch with static routing:
Switch# configure terminal
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.10.10.2 /24
Switch(config-if)# ipv6 address 2001:DB8:2222:7270::2312/64
Switch(config-if)# exit
Switch(config)# interface vlan 2
Switch(config-if)# ip address 10.11.11.2 /24
Switch(config-if)# ipv6 address 2001:DB8:3333:7271::2312/64
Switch(config-if)# exit
Switch(config)# interface loopback 1
Switch(config-if)# ip address 172.25.13.2 /32
Switch(config-if)# ipv6 address 2001:DB8:2222:7272::72/128
Switch(config-if)# exit
Switch(config)# ip route 0.0.0.0/0 10.10.11.1
Switch(config)# ip route 10.11.0.0 /16 10.11.11.1
Switch(config)# ipv6 route 0::/0 2001:DB8:2222:7270::1
Switch(config)# ipv6 route 2001:DB8:3333::/48 2001:DB8:3333:7271::1
The neighbor router 10.10.11.1 should be configured with the following static
route: ip route 172.25.13.2 /32 10.10.10.2.
The neighbor router 10.11.11.1 should be configured with the following static
route: ip route 172.25.13.2 /32 10.11.11.2.
The neighbor router 2001:DB8:2222:7270::1 connected to VLAN 1 should be configured with the following static route:
ipv6 route 2001:DB8:2222:7272::72/128 2001:DB8:2222:7270::2312
The neighbor router 2001:DB8:3333:7271::1 connected to VLAN 1 should be configured with the following static route:
ipv6 route 2001:DB8:2222:7272::72/128 2001:DB8:3333:7271::2312
Remote IP Address and OutOfBand Port
The switch supports an IP stack on the OutOfBand (OOB) port. This IP stack is separate from the IP stack running on the ASIC ports, and it requires specific route table configuration.
If the switch supports more than one IP interface, when you specify a remote IP
address or a DNS name, you must also specify the IP stack that is being referred
to.
PHY Diagnostics
The following exceptions exist:
• Copper Ports—PHY diagnostics are only supported on copper ports.
• 10G ports—TDR test is supported when the operational port speed is 10G. Cable length resolution is 20 meters.
CLI Output Modifiers
To all show and more commands (except show technical support) an output
modifier may be added as follows:
<show/more command> | <output-modifier> <regular-expression-pattern>
The output modifiers are:
• begin: Start output from the first line that has a sequence of characters matching the given regular expression pattern.
• include: Includes only lines that have a sequence of characters matching the given regular expression pattern.
• exclude: Excludes all lines that have a sequence of characters matching the given regular expression pattern.
• count: Counts all lines that have a sequence of characters matching the given regular expression pattern and displays the result (no other output is displayed).
NOTE Only 1 output modifier can be used in each command. The remainder of the text
typed in is part of the regular expression pattern.
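As an added illustration (not part of the Cisco guide), the following Python emulates the four output modifiers over a constructed sample of show output, using Python's re module in place of the switch's own regular-expression engine. The function names and the sample lines are this example's own; the point it shows is that the text after the modifier keyword is the whole pattern, that matching is case-sensitive, and that a second vertical bar is regex alternation rather than a second modifier.

```python
import re

# Constructed sample "show running-config" output; not captured from a real switch.
SAMPLE_OUTPUT = """\
dot1x guest-vlan timeout 60
interface te1/0/1
 dot1x port-control auto
 dot1x max-req 6
interface te1/0/2
 dot1x port-control force-authorized
end"""

MODIFIERS = ("begin", "include", "exclude", "count")


def parse_command(command):
    """Split '<show/more command> | <modifier> <pattern>' into its three parts.

    Only the first '|' separates the modifier; everything after the modifier
    keyword is the regular-expression pattern, so a later '|' is regex
    alternation rather than a second modifier (the guide allows only one).
    """
    base, sep, rest = command.partition("|")
    if not sep:
        return base.strip(), None, None
    modifier, _, pattern = rest.strip().partition(" ")
    if modifier not in MODIFIERS:
        raise ValueError("unknown output modifier: %r" % modifier)
    return base.strip(), modifier, pattern


def apply_modifier(output, modifier, pattern):
    """Emulate one output modifier over the lines of `output`.

    Patterns are case-sensitive, as the guide states. begin, include and
    exclude return a list of lines; count returns an integer.
    """
    regex = re.compile(pattern)            # raises re.error on a malformed pattern
    lines = output.splitlines()
    if modifier == "begin":
        for i, line in enumerate(lines):
            if regex.search(line):
                return lines[i:]           # from the first matching line to the end
        return []
    if modifier == "include":
        return [l for l in lines if regex.search(l)]
    if modifier == "exclude":
        return [l for l in lines if not regex.search(l)]
    if modifier == "count":
        return sum(1 for l in lines if regex.search(l))
    raise ValueError("unknown output modifier: %r" % modifier)


def run(command, output=SAMPLE_OUTPUT):
    """Apply the modifier in `command` to `output` (the show command itself is not executed)."""
    _, modifier, pattern = parse_command(command)
    if modifier is None:
        return output.splitlines()
    return apply_modifier(output, modifier, pattern)


if __name__ == "__main__":
    for line in run("show running-config | include ^interface"):
        print(line)
    print(run("show running-config | count port-control"))
```

Anchors behave as the guide's tables describe: `^interface` selects only the lines that start with the word, while `include Dot1x` matches nothing because the sample output contains only the lowercase form.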
A regular expression is a pattern (a phrase, number, or more complex pattern). The
CLI String Search feature matches regular expressions to the show or more
command output. Regular expressions are case-sensitive and allow for complex
matching requirements.
A regular expression can be a single-character pattern or a multiple-character
pattern. That is, a regular expression can be a single character that matches the
same single character in the command output or multiple characters that match
the same multiple characters in the command output. The pattern in the command
output is referred to as a string. This section describes creating both
single-character patterns and multiple-character patterns. It also discusses
creating more complex regular expressions, using multipliers, alternation,
anchoring, and parentheses.
Single-Character Patterns
The simplest regular expression is a single character that matches the same single
character in the command output. You can use any letter (A-Z, a-z) or digit (0-9) as
a single-character pattern. You can also use other keyboard characters (such as !
or ~) as single-character patterns, but certain keyboard characters have special
meaning when used in regular expressions. The following table lists the keyboard
characters that have special meanings.
Character   Meaning
.           Matches any single character, including white space.
*           Matches 0 or more sequences of the pattern.
+           Matches 1 or more sequences of the pattern.
?           Matches 0 or 1 occurrences of the pattern.
^           Matches the beginning of the string.
$           Matches the end of the string.
To use these special characters as single-character patterns, remove the special
meaning by preceding each character with a backslash (\).
The following examples are single-character patterns matching a dollar sign, an
underscore, and a plus sign, respectively.
\$ \_ \+
You can specify a range of single-character patterns to match against command
output. For example, you can create a regular expression that matches a string
containing one of the following letters: a, e, i, o, or u. Only one of these characters
must exist in the string for pattern matching to succeed. To specify a range of
single-character patterns, enclose the single-character patterns in square
brackets ([ ]). For example, [aeiou] matches any one of the five vowels of the
lowercase alphabet, while [abcdABCD] matches any one of the first four letters of
the lower- or uppercase alphabet.
You can simplify ranges by entering only the endpoints of the range separated by
a dash (-). Simplify the previous range as follows:
[a-dA-D]
To add a dash as a single-character pattern in your range, include another dash
and precede it with a backslash:
[a-dA-D\-]
You can also include a right square bracket (]) as a single-character pattern in your
range, as shown here:
[a-dA-D\-\]]
The previous example matches any one of the first four letters of the lower- or
uppercase alphabet, a dash, or a right square bracket.
You can reverse the matching of the range by including a caret (^) at the start of
the range. The following example matches any letter except the ones listed:
[^a-dqsv]
The following example matches anything except a right square bracket (]) or the
letter d:
[^\]d]
Multiple-Character Patterns
When creating regular expressions, you can also specify a pattern containing
multiple characters. You create multiple-character regular expressions by joining
letters, digits, or keyboard characters that do not have special meaning. For
example, a4% is a multiple-character regular expression.
With multiple-character patterns, order is important. The regular expression a4%
matches the character a followed by a 4 followed by a % sign. If the string does
not have a4%, in that order, pattern matching fails. The multiple-character regular
expression a. uses the special meaning of the period character to match the letter
a followed by any single character. With this example, the strings ab, a!, or a2 are
all valid matches for the regular expression.
You can remove the special meaning of the period character by inserting a
backslash before it. For example, when the expression a\. is used in the command
syntax, only the string a. will be matched.
You can create a multiple-character regular expression containing all letters, all
digits, all keyboard characters, or a combination of letters, digits, and other
keyboard characters. For example, telebit 3107 v32bis is a valid regular
expression.
Multipliers
You can create more complex regular expressions that instruct the system to
match multiple occurrences of a specified regular expression. To do so, use some
special characters with your single-character and multiple-character patterns.
Table 1 lists the special characters that specify multiples of a regular expression.
Table 1: Special Characters Used as Multipliers
Character   Description
*           Matches 0 or more single-character or multiple-character patterns.
+           Matches 1 or more single-character or multiple-character patterns.
?           Matches 0 or 1 occurrences of a single-character or multiple-character pattern.
The following example matches any number of occurrences of the letter a,
including none:
a*
The following pattern requires that at least one letter a be in the string to be
matched:
a+
The following pattern matches the string bb or bab:
ba?b
The following string matches any number of asterisks (*):
\**
To use multipliers with multiple-character patterns, enclose the pattern in
parentheses. In the following example, the pattern matches any number of the
multiple-character string ab:
(ab)*
The following pattern matches one or more instances of alphanumeric pairs, but
not none (that is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct
first. Nested constructs are matched from outside to inside. Concatenated
constructs are matched beginning at the left side of the construct. Thus, the
regular expression above matches A9b3, but not 9Ab3 because the letters are
specified before the numbers.
Alternation
Alternation allows you to specify alternative patterns to match against a string. You
separate the alternative patterns with a vertical bar (|). Only one of the alternatives
can match the string. For example, the regular expression codex|telebit either
matches the string codex or the string telebit, but not both codex and telebit.
Anchoring
You can instruct the system to match a regular expression pattern against the
beginning or the end of the string. You anchor these regular expressions to a
portion of the string using the special characters shown in Table 2.
Table 2: Special Characters Used for Anchoring
Character   Description
^           Matches the beginning of the string.
$           Matches the end of the string.
For example, the regular expression ^con matches any string that starts with con,
and sole$ matches any string that ends with sole.
In addition to indicating the beginning of a string, the ^ symbol can be used to
indicate the logical function not when used in a bracketed range. For example, the
expression [^abcd] indicates a range that matches any single letter, as long as it is
not the letters a, b, c, or d.
2
802.1X Commands
2.1 aaa authentication dot1x
To specify which servers are used for authentication when 802.1X authentication
is enabled, use the aaa authentication dot1x command in Global Configuration
mode. To restore the default configuration, use the no form of this command.
Syntax
aaa authentication dot1x default {radius | none | {radius none}}
no aaa authentication dot1x default
Parameters
• radius—Uses the list of all RADIUS servers for authentication.
• none—Uses no authentication.
Default Configuration
RADIUS server.
Command Mode
Global Configuration mode
User Guidelines
You can select either authentication by a RADIUS server, no authentication (none),
or both methods.
If you require that authentication succeeds even if no RADIUS server response
was received, specify none as the final method in the command line.
Example
The following example sets the 802.1X authentication mode to RADIUS server
authentication. Even if no response was received, authentication succeeds.
switchxxxxxx(config)# aaa authentication dot1x default radius none
2.2 authentication open
To enable open access (monitoring mode) on this port, use the authentication
open command in Interface Configuration mode. To disable open access on this
port, use the no form of this command.
Syntax
authentication open
no authentication open
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
Open Access or Monitoring mode allows clients or devices to gain network
access before authentication is performed. In this mode, the switch treats
failure replies received from a RADIUS server as success.
Example
The following example enables open mode on interface te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# authentication open
2.3 clear dot1x statistics
To clear 802.1X statistics, use the clear dot1x statistics command in Privileged
EXEC mode.
Syntax
clear dot1x statistics [interface-id]
Parameters
• interface-id—Specify an Ethernet port ID.
Default Configuration
Statistics on all ports are cleared.
Command Mode
Privileged EXEC mode
User Guidelines
This command clears all the counters displayed by the show dot1x and show dot1x
statistics commands.
Example
switchxxxxxx# clear dot1x statistics
2.4 data
To specify web-based page customizing, the data command is used in
Web-Based Page Customization Configuration mode.
Syntax
data value
Parameters
• value—String of hexadecimal digit characters up to 320 characters.
Default Configuration
No user customization.
Command Mode
Web-Based Page Customization Configuration mode
User Guidelines
The command should not be entered or edited manually (unless using
copy-paste). It is a part of the configuration file produced by the switch.
A user can only customize the web-based authentication pages by using the WEB
interface.
Examples
Example 1—The following example shows a partial web-based page
customization configuration:
switchxxxxxx(config)# dot1x page customization
switchxxxxxx(config-web-page)# data 1feabcde
switchxxxxxx(config-web-page)# data 17645874
switchxxxxxx(config-web-page)# exit
Example 2—The following example shows how Web-Based Page customization is displayed when
running the show running-config command:
switchxxxxxx# show running-config
.
.
.
dot1x page customization
data ********
exit
.
.
.
2.5 dot1x auth-not-req
To enable unauthorized devices to access a VLAN, use the dot1x auth-not-req
command in Interface (VLAN) Configuration mode. To disable that access to the
VLAN, use the no form of this command.
Syntax
dot1x auth-not-req
no dot1x auth-not-req
Parameters
N/A
Default Configuration
Access is enabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
The guest VLAN cannot be configured as unauthorized VLAN.
Example
The following example enables unauthorized devices to access VLAN 5.
switchxxxxxx(config)# interface vlan 5
switchxxxxxx(config-if)# dot1x auth-not-req
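The three commands above (aaa authentication dot1x with none as the final method, authentication open, and dot1x auth-not-req) each let a host onto the network without a successful authentication, which is exactly what a configuration review should surface. The following Python is an added example, not code from the Cisco guide: it walks a constructed running-config excerpt written in this chapter's command syntax and reports each such setting with the interface it applies to. The finding codes and function names are this example's own.

```python
import re

# Constructed running-config excerpt built from the command syntax in this
# chapter; it is not output from a real switch.
SAMPLE_CONFIG = """\
aaa authentication dot1x default radius none
interface te1/0/1
 dot1x port-control auto
 authentication open
interface te1/0/2
 dot1x port-control auto
interface vlan 5
 dot1x auth-not-req
interface vlan 10
exit"""


def audit_dot1x(config):
    """Return (location, code, explanation) tuples for 802.1X settings that
    admit a host without a successful authentication. Codes are hypothetical
    names chosen for this example."""
    findings = []
    context = "global"
    for raw in config.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():
            # A top-level line either opens an interface block or ends one
            # (sub-commands of an interface are indented with a space).
            m = re.match(r"interface (.+)", line)
            context = m.group(1) if m else "global"
        m = re.match(r"aaa authentication dot1x default (.+)", line)
        if m:
            methods = m.group(1).split()
            if methods == ["none"]:
                findings.append((context, "dot1x-no-auth",
                                 "no authentication method is configured"))
            elif methods[-1] == "none":
                # none as the final method: authentication succeeds even when
                # no RADIUS server response was received.
                findings.append((context, "dot1x-fail-open",
                                 "authentication succeeds when no RADIUS server answers"))
        elif line == "authentication open":
            # Monitoring mode: RADIUS failure replies are treated as success.
            findings.append((context, "open-access",
                             "open access lets hosts on before authentication completes"))
        elif line == "dot1x auth-not-req":
            findings.append((context, "unauthenticated-vlan",
                             "unauthorized devices may access this VLAN"))
    return findings


if __name__ == "__main__":
    for location, code, explanation in audit_dot1x(SAMPLE_CONFIG):
        print("%-10s %-22s %s" % (location, code, explanation))
```

Run against the sample, the audit reports the global fail-open method list, open access on te1/0/1 and the unauthenticated VLAN 5; te1/0/2 and VLAN 10 produce nothing. Whether any of these is a problem depends on the deployment (a monitoring phase or a deliberately open VLAN may be intended), so the output is a review list rather than a verdict.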
2.6 dot1x authentication
To enable authentication methods on a port, use the dot1x authentication
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x authentication [802.1x] [mac] [web]
no dot1x authentication
Parameters
• 802.1x—Enables authentication based on 802.1X (802.1X-based authentication).
• mac—Enables authentication based on the station's MAC address (MAC-based
authentication).
• web—Enables web-based authentication.
Default Configuration
802.1X-Based authentication is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Static MAC addresses cannot be authorized by the MAC-based method.
It is not recommended to change a dynamic MAC address to a static one or delete
it if the MAC address was authorized by the MAC-based authentication:
a. If a dynamic MAC address authenticated by MAC-based authentication is
changed to a static one, it will not be manually re-authenticated.
b. Removing a dynamic MAC address authenticated by the MAC-based
authentication causes its re-authentication.
Example
The following example enables authentication based on 802.1x and the station’s
MAC address on port te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x authentication 802.1x mac
2.7 dot1x guest-vlan
To define a guest VLAN, use the dot1x guest-vlan command in Interface (VLAN)
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x guest-vlan
no dot1x guest-vlan
Parameters
N/A
Default Configuration
No VLAN is defined as a guest VLAN.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the dot1x guest-vlan enable command to enable unauthorized users on an
interface to access the guest VLAN.
A device can have only one global guest VLAN.
The guest VLAN must be a static VLAN and it cannot be removed.
An unauthorized VLAN cannot be configured as guest VLAN.
Example
The following example defines VLAN 2 as a guest VLAN.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# dot1x guest-vlan
2.8 dot1x guest-vlan enable
To enable unauthorized users on the interface to access the guest VLAN, use the
dot1x guest-vlan enable command in Interface Configuration mode. To disable
that access, use the no form of this command.
Syntax
dot1x guest-vlan enable
no dot1x guest-vlan enable
Parameters
N/A
Default Configuration
The default configuration is disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The port cannot belong to the guest VLAN.
The guest VLAN and the WEB-Based authentication cannot be configured on a
port at the same time.
This command cannot be configured if the monitoring VLAN is enabled on the
interface.
If the port does not belong to the guest VLAN, it is added to the guest VLAN as an
egress untagged port.
If the authentication mode is single-host or multi-host, the value of PVID is set to
the guest VLAN_ID.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
from unauthorized hosts are mapped to the guest VLAN.
If 802.1X is disabled, the port static configuration is reset.
See the User Guidelines of the dot1x host-mode command for more information.
Example
The following example enables unauthorized users on te1/0/1 to access the guest
VLAN.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x guest-vlan enable
2.9 dot1x guest-vlan timeout
To set the time delay between enabling 802.1X (or port up) and adding a port to
the guest VLAN, use the dot1x guest-vlan timeout command in Global
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x guest-vlan timeout timeout
no dot1x guest-vlan timeout
Parameters
• timeout—Specifies the time delay in seconds between enabling 802.1X (or
port up) and adding the port to the guest VLAN. (Range: 30–180).
Default Configuration
The guest VLAN is applied immediately.
Command Mode
Global Configuration mode
User Guidelines
This command is relevant if the guest VLAN is enabled on the port. Configuring the
timeout adds a delay from enabling 802.1X (or port up) to the time the device adds
the port to the guest VLAN.
Example
The following example sets the delay between enabling 802.1X and adding a port
to a guest VLAN to 60 seconds.
switchxxxxxx(config)# dot1x guest-vlan timeout 60
2.10 dot1x host-mode
To allow a single host (client) or multiple hosts on an IEEE 802.1X-authorized port,
use the dot1x host-mode command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x host-mode {multi-host | single-host | multi-sessions}
Parameters
• multi-host—Enables multi-host mode.
• single-host—Enables single-host mode.
• multi-sessions—Enables multi-sessions mode.
Default Configuration
Default mode is multi-host.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Single-Host Mode
The single-host mode manages the authentication status of the port: the port is
authorized if there is an authorized host. In this mode, only a single host can be
authorized on the port.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is
remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the
guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the
port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from the authorized host is
bridged based on the static VLAN membership configured at the port. Traffic from
other hosts is dropped.
A user can specify that untagged traffic from the authorized host will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. In this case, tagged traffic is dropped unless the VLAN tag
is the RADIUS-assigned VLAN or the unauthenticated VLANs. See the dot1x
radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Host Mode
The multi-host mode manages the authentication status of the port: the port is
authorized after at least one host is authorized.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is
remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the
guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the
port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from all hosts connected to
the port is bridged based on the static VLAN membership configured at the port.
A user can specify that untagged traffic from the authorized port will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. In this case, tagged traffic is dropped unless the VLAN tag
is the RADIUS assigned VLAN or the unauthenticated VLANs. See the dot1x
radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Sessions Mode
Unlike the single-host and multi-host modes (port-based modes) the
multi-sessions mode manages the authentication status for each host connected
to the port (session-based mode). If the multi-sessions mode is configured on a
port, the port itself does not have any authentication status. Any number of hosts
can be authorized on the port. The dot1x max-hosts command can limit the
maximum number of authorized hosts allowed on the port.
Each authorized client requires a TCAM rule. If there is no available space in the
TCAM, the authentication is rejected.
When using the dot1x host-mode command to change the port mode to
single-host or multi-host when authentication is enabled, the port state is set to
unauthorized.
If the dot1x host-mode command changes the port mode to multi-session when
authentication is enabled, the state of all attached hosts is set to unauthorized.
To change the port mode to single-host or multi-host, set the port (dot1x
port-control) to force-unauthorized, change the port mode to single-host or
multi-host, and set the port to authorization auto.
Multi-sessions mode cannot be configured on the same interface together with
Policy Based VLANs configured by the following commands:
- switchport general map protocol-group vlans
- switchport general map macs-group vlans
Tagged traffic belonging to the unauthenticated VLANs is always bridged,
regardless of whether a host is authorized.
When the guest VLAN is enabled, untagged and tagged traffic from unauthorized
hosts not belonging to the unauthenticated VLANs is bridged via the guest VLAN.
Traffic from an authorized host is bridged in accordance with the port static
configuration. A user can specify that untagged and tagged traffic from the
authorized host not belonging to the unauthenticated VLANs will be remapped to
a VLAN that is assigned by a RADIUS server during the authentication process.
See the dot1x radius-attributes vlan command to enable RADIUS VLAN
assignment at a port.
The switch does not remove from FDB the host MAC address learned on the port
when its authentication status is changed from authorized to unauthorized. The
MAC address will be removed after the aging timeout expires.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x host-mode multi-host
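The forwarding rules above for the three host modes interact with the guest VLAN, the unauthenticated VLANs and RADIUS VLAN assignment in ways that are easier to check in code than in prose. The following Python is an added example, not code from the Cisco guide: it models a port as the guide describes it and answers, for one frame, which VLAN it is bridged into or whether it is dropped. The PortState fields and function names are this example's own; in multi-host mode it takes the RADIUS VLAN of the first authorized host for the whole port, and it drops an unauthorized host's non-unauthenticated-VLAN traffic in multi-sessions mode when no guest VLAN is enabled, a case the guide does not spell out (both are labelled in the code).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PortState:
    """Constructed model of one 802.1X port; the field names are this example's own."""
    host_mode: str                       # "single-host", "multi-host" or "multi-sessions"
    static_vlans: Set[int]               # static VLAN membership of the port
    pvid: int                            # VLAN untagged frames take under the static configuration
    guest_vlan: Optional[int] = None     # guest VLAN when enabled on the port (dot1x guest-vlan enable)
    unauth_vlans: Set[int] = field(default_factory=set)   # VLANs configured with dot1x auth-not-req
    # authorized host MAC -> VLAN assigned by RADIUS (dot1x radius-attributes vlan), or None
    authorized_hosts: Dict[str, Optional[int]] = field(default_factory=dict)


def bridge(port: PortState, src_mac: str, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN a frame from src_mac is bridged into, or None if it is dropped.
    tag is the 802.1Q VLAN id of the frame, or None for an untagged frame."""
    if port.host_mode in ("single-host", "multi-host"):
        return _bridge_port_based(port, src_mac, tag)
    if port.host_mode == "multi-sessions":
        return _bridge_multi_sessions(port, src_mac, tag)
    raise ValueError("unknown host mode: %r" % port.host_mode)


def _bridge_port_based(port, src_mac, tag):
    # Port-based modes: the whole port is authorized once one host is authorized.
    if not port.authorized_hosts:
        # Unauthorized port: only guest VLAN and unauthenticated-VLAN traffic passes.
        if tag is not None and tag in port.unauth_vlans:
            return tag
        if port.guest_vlan is None:
            return None
        if tag is None:
            return port.guest_vlan       # untagged traffic remapped to the guest VLAN
        return tag if tag == port.guest_vlan else None
    if port.host_mode == "single-host" and src_mac not in port.authorized_hosts:
        return None                      # single-host: traffic from other hosts is dropped
    # Multi-host: every host rides on the authorizing host's session; this model takes
    # that host's RADIUS VLAN for the port (a simplification made in this example).
    radius_vlan = next(iter(port.authorized_hosts.values()))
    if radius_vlan is not None:
        if tag is None:
            return radius_vlan
        return tag if tag == radius_vlan or tag in port.unauth_vlans else None
    if tag is None:
        return port.pvid
    return tag if tag in port.static_vlans else None


def _bridge_multi_sessions(port, src_mac, tag):
    # Session-based mode: authorization is per host; the port itself has no status.
    if tag is not None and tag in port.unauth_vlans:
        return tag                       # always bridged, authorized host or not
    if src_mac in port.authorized_hosts:
        radius_vlan = port.authorized_hosts[src_mac]
        if radius_vlan is not None:
            return radius_vlan           # untagged and tagged traffic remapped (via TCAM)
        if tag is None:
            return port.pvid
        return tag if tag in port.static_vlans else None
    if port.guest_vlan is not None:
        return port.guest_vlan           # unauthorized host: untagged and tagged via guest VLAN
    return None                          # assumption of this example: the guide does not state this case


if __name__ == "__main__":
    port = PortState("single-host", static_vlans={1, 20}, pvid=1, guest_vlan=2, unauth_vlans={5})
    print(bridge(port, "aa:aa", None))   # unauthorized port, untagged -> guest VLAN 2
    port.authorized_hosts["aa:aa"] = 30  # RADIUS assigns VLAN 30 to the host
    print(bridge(port, "aa:aa", None))   # authorized, untagged -> RADIUS VLAN 30
```

Walking one port through the states shows the practical difference the guide describes: in single-host mode a second host's frames are dropped even after the port is authorized, in multi-host mode they are bridged on the first host's authorization, and in multi-sessions mode each host is judged on its own while unauthenticated-VLAN tagged traffic always passes.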
2.11 dot1x max-hosts
To configure the maximum number of authorized hosts allowed on the interface,
use the dot1x max-hosts command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x max-hosts count
no dot1x max-hosts
Parameters
• count—Specifies the maximum number of authorized hosts allowed on the
interface. May be any positive 32-bit number.
Default Configuration
No limitation.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the number of authorized hosts allowed on an interface is not limited.
To limit the number of authorized hosts allowed on an interface, use the dot1x
max-hosts command.
This command is relevant only for multi-session mode.
Example
The following example limits the maximum number of authorized hosts on Ethernet
port te1/0/1 to 6:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x max-hosts 6
2.12 dot1x max-login-attempts
To set the maximum number of allowed login attempts, use the dot1x
max-login-attempts command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x max-login-attempts count
no dot1x max-login-attempts
Parameters
• count—Specifies the maximum number of allowed login attempts. A value
of 0 means an infinite number of attempts. The valid range is 3-10.
Default Configuration
Unlimited.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the switch does not limit the number of failed login attempts. To specify
the number of allowed failed login attempts, use this command. After this number of
failed login attempts, the switch does not allow the host to be authenticated for a
period defined by the dot1x timeout quiet-period command.
The command is applied only to the Web-based authentication.
Example
The following example sets maximum number of allowed login attempts to 5:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x max-login-attempts 5
2.13 dot1x max-req
To set the maximum number of times that the device sends an Extensible
Authentication Protocol (EAP) request/identity frame (assuming that no response
is received) to the client before restarting the authentication process, use the
dot1x max-req command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x max-req count
no dot1x max-req
Parameters
• count—Specifies the maximum number of times that the device sends an
EAP request/identity frame before restarting the authentication process.
(Range: 1–10).
Default Configuration
The default maximum number of attempts is 2.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
Example
The following example sets the maximum number of times that the device sends
an EAP request/identity frame to 6.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x max-req 6
2.14 dot1x page customization
To enter Web-Based Page Customization Configuration mode, use the dot1x page
customization command in Global Configuration mode.
Syntax
dot1x page customization
Parameters
N/A
Default Configuration
No user customization.
Command Mode
Global Configuration mode
User Guidelines
The command should not be entered or edited manually (unless using
copy-paste). It is a part of the configuration file produced by the switch.
A user must customize the web-based authentication pages by using the browser
Interface.
Example
The following example shows part of a web-based page customization
configuration:
switchxxxxxx(config)# dot1x page customization
switchxxxxxx(config-web-page)# data 1feabcde
switchxxxxxx(config-web-page)# data 17645874
switchxxxxxx(config-web-page)# exit
2.15 dot1x port-control
To enable manual control of the port authorization state, use the dot1x port-control
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized} [time-range
time-range-name]
Parameters
•
auto—Enables 802.1X authentication on the port and causes it to transition
to the authorized or unauthorized state, based on the 802.1X authentication
exchange between the device and the client.
•
force-authorized—Disables 802.1X authentication on the interface and
causes the port to transition to the authorized state without any
authentication exchange required. The port sends and receives traffic
without 802.1X-based client authentication.
•
force-unauthorized—Denies all access through this port by forcing it to
transition to the unauthorized state and ignoring all attempts by the client to
authenticate. The device cannot provide authentication services to the
client through this port.
•
time-range time-range-name—Specifies a time range. When the Time
Range is not in effect, the port state is Unauthorized. (Range: 1-32
characters).
Default Configuration
The port is in the force-authorized state.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The switch removes all MAC addresses learned on a port when its authorization
control is changed from force-authorized to another.
Note. It is recommended to disable spanning tree or to enable spanning-tree
PortFast mode on 802.1X edge ports in auto state that are connected to end
stations, in order to proceed to the forwarding state immediately after successful
authentication.
Example
The following example sets 802.1X authentication on te1/0/1 to auto mode.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x port-control auto
2.16 dot1x radius-attributes vlan
To enable RADIUS-based VLAN assignment, use the dot1x radius-attributes vlan
command in Interface Configuration mode. To disable RADIUS-based VLAN
assignment, use the no form of this command.
Syntax
dot1x radius-attributes vlan [reject | static]
no dot1x radius-attributes vlan
Parameters
•
reject—If the RADIUS server authorized the supplicant, but did not provide
a supplicant VLAN, the supplicant is rejected. If the parameter is omitted,
this option is applied by default.
•
static—If the RADIUS server authorized the supplicant, but did not provide
a supplicant VLAN, the supplicant is accepted.
Default Configuration
reject
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
If RADIUS provides invalid VLAN information, the authentication is rejected.
If a RADIUS server assigns a client with a non-existing VLAN, the switch creates
the VLAN. The VLAN is removed when it is no longer being used.
If RADIUS provides valid VLAN information and the port does not belong to the
VLAN received from RADIUS, it is added to the VLAN as an egress untagged port.
When the last authorized client assigned to the VLAN becomes unauthorized or
802.1x is disabled on the port, the port is excluded from the VLAN.
If the authentication mode is single-host or multi-host, the value of PVID is set to
the VLAN_ID.
If an authorized port in the single-host or multi-host mode changes its status to
unauthorized, the port static configuration is reset.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
are mapped to the VLAN using TCAM.
If the last authorized host assigned to a VLAN received from RADIUS connected to
a port in the multi-sessions mode changes its status to unauthorized, the port is
removed from the VLAN if it is not in the static configuration.
See the User Guidelines of the dot1x host-mode command for more information.
If 802.1X is disabled the port static configuration is reset.
If the reject keyword is configured and the RADIUS server authorizes the host but
the RADIUS accept message does not assign a VLAN to the supplicant,
authentication is rejected.
If the static keyword is configured and the RADIUS server authorizes the host then
even though the RADIUS accept message does not assign a VLAN to the
supplicant, authentication is accepted and the traffic from the host is bridged in
accordance with port static configuration.
If this command is used when there are authorized ports/hosts, it takes effect at
subsequent authentications. To manually re-authenticate, use the dot1x
re-authenticate command.
The command cannot be configured on a port together with any of the following:
• WEB-based authentication
• Multicast TV-VLAN
• Q-in-Q
• Voice VLAN
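The guidelines above spell out a decision procedure: reject on invalid VLAN information, reject or fall back to the static configuration when no VLAN is assigned (depending on the reject or static keyword), join the RADIUS VLAN as an egress-untagged member, move the PVID only in single-host and multi-host modes, and leave the VLAN when its last host goes. The following Python model is an added illustration of those rules, not switch firmware or Cisco code; the VLAN ID range it treats as valid (1 to 4094) and the initial PVID are assumptions of the model.

```python
"""Model of the user-based VLAN assignment rules of dot1x radius-attributes vlan.

Added illustration, not switch firmware. Assumptions: a VLAN ID is "valid" when
it lies in 1..4094, and a port starts with PVID 1 as its static PVID.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortState:
    host_mode: str                         # "single-host", "multi-host" or "multi-sessions"
    keyword: str = "reject"                # the [reject | static] keyword of the command
    static_vlans: set = field(default_factory=lambda: {1})
    static_pvid: int = 1
    pvid: int = 1
    dynamic_vlans: set = field(default_factory=set)   # VLANs joined because RADIUS assigned them


def vlan_id_is_valid(vlan_id: int) -> bool:
    return 1 <= vlan_id <= 4094            # assumption: standard 802.1Q range


def apply_radius_result(port: PortState, access_accept: bool, radius_vlan: Optional[int]) -> dict:
    """Outcome of one authentication, given the RADIUS answer and its VLAN attribute (None if absent)."""
    if not access_accept:
        return {"authorized": False, "reason": "RADIUS rejected the supplicant"}
    if radius_vlan is None:
        if port.keyword == "reject":
            return {"authorized": False, "reason": "no VLAN assigned and reject keyword configured"}
        return {"authorized": True, "vlan": None,
                "reason": "no VLAN assigned; traffic bridged per static configuration"}
    if not vlan_id_is_valid(radius_vlan):
        return {"authorized": False, "reason": f"invalid VLAN information: {radius_vlan}"}
    # Valid VLAN: the switch creates it if needed and adds the port as an egress untagged member.
    if radius_vlan not in port.static_vlans:
        port.dynamic_vlans.add(radius_vlan)
    if port.host_mode in ("single-host", "multi-host"):
        port.pvid = radius_vlan            # untagged traffic now lands in the RADIUS VLAN
    # multi-sessions: PVID unchanged, the host's traffic is mapped per session instead
    return {"authorized": True, "vlan": radius_vlan, "reason": "RADIUS VLAN applied"}


def last_host_unauthorized(port: PortState, radius_vlan: int) -> None:
    """Last authorized host of radius_vlan left: drop dynamic membership, restore static config."""
    port.dynamic_vlans.discard(radius_vlan)
    if port.host_mode in ("single-host", "multi-host"):
        port.pvid = port.static_pvid
```

The model makes the operational difference between the two keywords visible: with reject, a RADIUS policy that forgets the VLAN attribute locks the host out, while with static the host silently lands in the port's static VLAN, so the static configuration must itself be an acceptable landing zone.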
Examples
Example 1. This example enables user-based VLAN assignment. If the RADIUS
server authorized the supplicant, but did not provide a supplicant VLAN, the
supplicant is rejected.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x radius-attributes vlan
switchxxxxxx(config-if)# exit
Example 2. This example enables user-based VLAN assignment. If the RADIUS
server authorized the supplicant but did not provide a supplicant VLAN, the
supplicant is accepted and the static VLAN configuration is used.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x radius-attributes static
switchxxxxxx(config-if)# exit
2.17 dot1x re-authenticate
To manually initiate re-authentication of all 802.1X-enabled ports or of the specified
802.1X-enabled port, use the dot1x re-authenticate command in Privileged EXEC
mode.
Syntax
dot1x re-authenticate [interface-id]
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
Default Configuration
If no port is specified, the command is applied to all ports.
Command Mode
Privileged EXEC mode
Example
The following command manually initiates re-authentication of 802.1X-enabled
te1/0/1:
switchxxxxxx# dot1x re-authenticate te1/0/1
2.18 dot1x reauthentication
To enable periodic re-authentication of the client, use the dot1x reauthentication
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x reauthentication
no dot1x reauthentication
Parameters
N/A
Default Configuration
Periodic re-authentication is disabled.
Command Mode
Interface (Ethernet, OOB) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x reauthentication
2.19 dot1x system-auth-control
To enable 802.1X globally, use the dot1x system-auth-control command in Global
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x system-auth-control
no dot1x system-auth-control
Parameters
N/A
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
The following example enables 802.1X globally.
switchxxxxxx(config)# dot1x system-auth-control
2.20 dot1x timeout quiet-period
To set the time interval that the device remains in a quiet state following a failed
authentication exchange, use the dot1x timeout quiet-period command in Interface
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
Parameters
• seconds—Specifies the time interval in seconds that the device remains in
a quiet state following a failed authentication exchange with a client. (Range:
10–65535 seconds).
Default Configuration
The default quiet period is 60 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
During the quiet period, the device does not accept or initiate authentication
requests.
The default value of this command should only be changed to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
To provide faster response time to the user, a smaller number than the default
value should be entered.
For 802.1x and MAC-based authentication, the number of failed logins is 1.
For WEB-based authentication, the quiet period is applied after a number of failed
attempts. This number is configured by the dot1x max-login-attempts command.
For 802.1x-based and MAC-based authentication methods, the quiet period is
applied after each failed attempt.
Example
The following example sets the time interval that the device remains in the quiet
state following a failed authentication exchange to 120 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout quiet-period 120
2.21 dot1x timeout reauth-period
To set the number of seconds between re-authentication attempts, use the dot1x
timeout reauth-period command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x timeout reauth-period seconds
no dot1x timeout reauth-period
Parameters
• reauth-period seconds—Number of seconds between re-authentication attempts. (Range: 300–4294967295).
Default Configuration
3600
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The command is only applied to the 802.1x authentication method.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout reauth-period 5000
2.22 dot1x timeout server-timeout
To set the time interval during which the device waits for a response from the
authentication server, use the dot1x timeout server-timeout command in Interface
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x timeout server-timeout seconds
no dot1x timeout server-timeout
Parameters
• server-timeout seconds—Specifies the time interval in seconds during which the device waits for a response from the authentication server. (Range: 1–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The actual timeout period is the lower of two values: the value specified by
this command, and the number of retries specified by the radius-server
retransmit command multiplied by the timeout period specified by the
radius-server retransmit command.
Example
The following example sets the time interval between retransmission of packets to
the authentication server to 3600 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout server-timeout 3600
2.23 dot1x timeout silence-period
To set the authentication silence time, use the dot1x timeout silence-period
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x timeout silence-period seconds
no dot1x timeout silence-period
Parameters
• seconds—Specifies the silence interval in seconds. (Range: 60–65535 seconds).
Default Configuration
The silence period is not limited.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The silence time is the number of seconds an authorized client may remain idle:
if an authorized client does not send traffic during the silence period specified
by the command, the state of the client is changed to unauthorized.
The command is only applied to WEB-based authentication.
Example
The following example sets the authentication silence time to 100 seconds:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout silence-period 100
2.24 dot1x timeout supp-timeout
To set the time interval during which the device waits for a response to an
Extensible Authentication Protocol (EAP) request frame from the client before
resending the request, use the dot1x timeout supp-timeout command in Interface
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
Parameters
• supp-timeout seconds—Specifies the time interval in seconds during which the device waits for a response to an EAP request frame from the client before resending the request. (Range: 1–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
The command is only applied to the 802.1x authentication method.
Example
The following example sets the time interval during which the device waits for a
response to an EAP request frame from the client before resending the request to
3600 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout supp-timeout 3600
2.25 dot1x timeout tx-period
To set the time interval during which the device waits for a response to an
Extensible Authentication Protocol (EAP) request/identity frame from the client
before resending the request, use the dot1x timeout tx-period command in
Interface Configuration mode. To restore the default configuration, use the no form
of this command.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
Parameters
• seconds—Specifies the time interval in seconds during which the device
waits for a response to an EAP-request/identity frame from the client before
resending the request. (Range: 30–65535 seconds).
Default Configuration
The default timeout period is 30 seconds.
Command Mode
Interface (Ethernet, OOB) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
The command is only applied to the 802.1x authentication method.
Example
The following command sets the time interval during which the device waits for a
response to an EAP request/identity frame to 60 seconds.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x timeout tx-period 60
2.26 dot1x traps authentication failure
To enable sending traps when an 802.1X authentication method fails, use the
dot1x traps authentication failure command in Global Configuration mode. To
restore the default configuration, use the no form of this command.
Syntax
dot1x traps authentication failure {[802.1x] [mac] [web]}
no dot1x traps authentication failure
Parameters
• 802.1x—Enables traps for 802.1X-based authentication.
• mac—Enables traps for MAC-based authentication.
• web—Enables traps for WEB-based authentication.
Default Configuration
All traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
Any combination of the keywords is allowed. At least one keyword must be
configured.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a MAC address fails to be
authorized by the 802.1X mac-authentication access control.
switchxxxxxx(config)# dot1x traps authentication failure 802.1x
2.27 dot1x traps authentication quiet
To enable sending traps when a host state is set to the quiet state after failing the
maximum sequential attempts of login, use the dot1x traps authentication quiet
command in Global Configuration mode. To disable the traps, use the no form of
this command.
Syntax
dot1x traps authentication quiet
no dot1x traps authentication quiet
Parameters
N/A
Default Configuration
Quiet traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
The traps are sent after the client is set to the quiet state after the maximum
sequential attempts of login.
The command is only applied to the web-based authentication.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a host is set in the quiet state:
switchxxxxxx(config)# dot1x traps authentication quiet
2.28 dot1x traps authentication success
To enable sending traps when a host is successfully authorized by an 802.1X
authentication method, use the dot1x traps authentication success command in
Global Configuration mode. To disable the traps, use the no form of this command.
Syntax
dot1x traps authentication success {[802.1x] [mac] [web]}
no dot1x traps authentication success
Parameters
• 802.1x—Enables traps for 802.1X-based authentication.
• mac—Enables traps for MAC-based authentication.
• web—Enables traps for WEB-based authentication.
Default Configuration
Success traps are disabled.
Command Mode
Global Configuration mode
User Guidelines
Any combination of the keywords is allowed. At least one keyword must be
configured.
A rate limit is applied to the traps: not more than one trap of this type can be sent in 10
seconds.
Example
The following example enables sending traps when a MAC address is successfully
authorized by the 802.1X MAC-authentication access control.
switchxxxxxx(config)# dot1x traps authentication success mac
2.29 dot1x unlock client
To unlock a locked (in the quiet period) client, use the dot1x unlock client command
in Privileged EXEC mode.
Syntax
dot1x unlock client interface-id mac-address
Parameters
• interface-id—Interface ID where the client is connected to.
• mac-address—Client MAC address.
Default Configuration
The client is locked until the silence interval is over.
Command Mode
Privileged EXEC mode
User Guidelines
Use this command to unlock a client that was locked after the maximum allowed
number of failed authentication attempts and to end the quiet period. If the client is not in the
quiet period, the command has no effect.
Example
switchxxxxxx# dot1x unlock client te1/0/1 00:01:12:af:00:56
2.30 dot1x violation-mode
To configure the action to be taken when an unauthorized host on an authorized port
in single-host mode attempts to access the interface, use the dot1x
violation-mode command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x violation-mode {restrict | protect | shutdown} [traps seconds]
no dot1x violation-mode
Parameters
• restrict—Generates a trap when a station whose MAC address is not the supplicant MAC address attempts to access the interface. The minimum time between the traps is 1 second. Those frames are forwarded but their source addresses are not learned.
• protect—Discards frames with source addresses that are not the supplicant address.
• shutdown—Discards frames with source addresses that are not the supplicant address and shuts down the port.
• traps seconds—Sends SNMP traps, and specifies the minimum time between consecutive traps. If seconds = 0, traps are disabled. If the parameter is not specified, it defaults to 1 second for the restrict mode and 0 for the other modes.
Default Configuration
Protect
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The command is relevant only for single-host mode.
BPDU messages whose source MAC addresses are not the supplicant MAC address
are not discarded in Protect mode.
BPDU messages whose source MAC addresses are not the supplicant MAC address
cause a shutdown in Shutdown mode.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# dot1x violation-mode protect
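The three modes, the trap interval and the BPDU exceptions described above form a small state machine. The following Python simulation is an added illustration of that behaviour on a single-host port; it is not switch firmware or Cisco code. Time is passed in by the caller so the trap rate limit can be checked deterministically, and the supplicant and foreign MAC addresses used in it are constructed.

```python
"""Simulation of dot1x violation-mode handling on a single-host port.

Added illustration, not switch firmware. Models: restrict forwards the frame,
does not learn its source and sends a trap subject to the minimum interval;
protect discards; shutdown discards and shuts the port. BPDUs from a foreign
source are forwarded in protect mode but shut the port in shutdown mode.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    supplicant_mac: str
    mode: str = "protect"                 # default per the guide
    trap_interval: Optional[int] = None   # "traps seconds"; None means the mode default
    shut: bool = False
    learned: set = field(default_factory=set)
    last_trap_at: Optional[float] = None
    traps_sent: int = 0
    violations: int = 0

    def __post_init__(self) -> None:
        if self.trap_interval is None:    # 1 second for restrict, 0 (disabled) otherwise
            self.trap_interval = 1 if self.mode == "restrict" else 0


def _send_trap_if_due(port: Port, now: float) -> bool:
    """Send a trap unless traps are disabled or the minimum interval has not elapsed."""
    if port.trap_interval == 0:
        return False
    if port.last_trap_at is None or now - port.last_trap_at >= port.trap_interval:
        port.last_trap_at = now
        port.traps_sent += 1
        return True
    return False


def handle_frame(port: Port, src_mac: str, is_bpdu: bool, now: float) -> str:
    """Return what happens to a frame: 'forward', 'discard' or 'shutdown'."""
    if port.shut:
        return "discard"                   # a shut port passes nothing
    if src_mac == port.supplicant_mac:
        port.learned.add(src_mac)
        return "forward"
    if port.mode == "protect" and is_bpdu:
        return "forward"                   # BPDUs are not discarded in protect mode
    port.violations += 1
    _send_trap_if_due(port, now)
    if port.mode == "restrict":
        return "forward"                   # forwarded, but the source is never learned
    if port.mode == "protect":
        return "discard"
    port.shut = True                       # shutdown mode, BPDUs included
    return "shutdown"
```

The simulation shows why restrict is the least disruptive but also the least protective setting: foreign traffic still flows, and only the trap counter tells the operator something is wrong, and at most once per interval.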
2.31 show dot1x
To display the 802.1X interfaces or specified interface status, use the show dot1x
command in Privileged EXEC mode.
Syntax
show dot1x [interface interface-id | detailed]
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
• detailed—Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays authentication information for all interfaces on
which 802.1x is enabled:
switchxxxxxx# show dot1x
Authentication is enabled
Authenticating Servers: Radius, None
Unathenticated VLANs: 100, 1000, 1021
Guest VLAN: VLAN 11, timeout 30 sec
Authentication failure traps are enabled for 802.1x+mac
Authentication success traps are enabled for 802.1x
Authentication quiet traps are enabled for 802.1x
te1/0/1
Host mode: multi-sessions
Authentication methods: 802.1x+mac
Port Adminstrated status: auto
Guest VLAN: enabled
VLAN Radius Attribute: enabled, static
Open access: disabled
Time range name: work_hours (Active now)
Server-timeout: 30 sec
Maximum Hosts: unlimited
Maximum Login Attempts: 3
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 9
Authentication fails: 1
Number of Authorized Hosts: 10
te1/0/2
Host mode: single-host
Authentication methods: 802.1x+mac
Port Adminstrated status: auto
Port Operational status: authorized
Guest VLAN: disabled
VLAN Radius Attribute: enabled
Open access: enabled
Time range name: work_hours (Active now)
Server-timeout: 30 sec
Aplied Authenticating Server: Radius
Applied Authentication method: 802.1x
Session Time (HH:MM:SS): 00:25:22
MAC Address: 00:08:78:32:98:66
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Trap Min Interval: 20 sec
Violations were detected: 9
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 2
Authentication fails: 0
te1/0/3
Host mode: multi-host
Authentication methods: 802.1x+mac
Port Adminstrated status: auto
Port Operational status: authorized
Guest VLAN: disabled
VLAN Radius Attribute: disabled
Time range name: work_hours (Active now)
Open access: disabled
Server-timeout: 30 sec
Aplied Authenticating Server: Radius
Applied Authentication method: 802.1x
Session Time (HH:MM:SS): 00:25:22
MAC Address: 00:08:78:32:98:66
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Trap Min Interval: 20 sec
Violations were detected: 0
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 20
Authentication fails: 0
Host mode: multi-host
Authentication methods: 802.1x+mac
Port Adminstrated status: force-auto
Guest VLAN: disabled
VLAN Radius Attribute: disabled
Time range name: work_hours (Active now)
Open access: disabled
Server-timeout: 30 sec
Aplied Authenticating Server: Radius
Applied Authentication method: 802.1x
Session Time (HH:MM:SS): 00:25:22
MAC Address: 00:08:78:32:98:66
Username: Bob
Violation:
Mode: restrict
Trap: enabled
Trap Min Interval: 20 sec
Violations were detected: 0
Reauthentication is enabled
Reauthentication period: 3600 sec
Silence period: 1800 sec
Quiet Period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
max-req: 2
Authentication success: 0
Authentication fails: 0
Supplicant Configuration:
retry-max: 2
EAP time period: 15 sec
Supplicant Held Period: 30 sec
Credentials Name: Basic-User
Supplicant Operational status: authorized
The following describes the significant fields shown in the display:
• Port—The port interface-id.
• Host mode—The port authentication configured mode. Possible values: single-host, multi-host, multi-sessions.
• Authentication methods—Authentication methods configured on the port. Possible values are combinations of the following methods: 802.1x, mac, wba.
• Port Administrated status—The port administration (configured) mode. Possible values: force-auth, force-unauth, auto.
• Port Operational status—The port operational (actual) mode. Possible values: authorized or unauthorized.
• Username—Username representing the supplicant identity. This field shows the username if the port control is auto. If the port is Authorized, it displays the username of the current user. If the port is Unauthorized, it displays the last user authorized successfully.
• Quiet period—Number of seconds that the device remains in the quiet state following a failed authentication exchange (for example, the client provided an invalid password).
• Silence period—Number of seconds an authorized client may remain idle; if an authorized client does not send traffic during this period, the state of the client is changed to unauthorized.
• Tx period—Number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the client before resending the request.
• Max req—Maximum number of times that the device sends an EAP request frame (assuming that no response is received) to the client before restarting the authentication process.
• Server timeout—Number of seconds that the device waits for a response from the authentication server before resending the request.
• Session Time—Amount of time (HH:MM:SS) that the user is logged in.
• MAC address—Supplicant MAC address.
• Authentication success—Number of times the state machine received a Success message from the Authentication Server.
• Authentication fails—Number of times the state machine received a Failure message from the Authentication Server.
2.32 show dot1x locked clients
To display all clients who are locked and in the quiet period, use the show dot1x
locked clients command in Privileged EXEC mode.
Syntax
show dot1x locked clients
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Use the show dot1x locked clients command to display all locked (in the quiet
period) clients.
Examples
The following example displays locked clients:
Example 1
switchxxxxxx# show dot1x locked clients
Port      MAC Address       Remaining Time
-------   --------------    --------------
te1/0/1   0008.3b79.8787    20
te1/0/1   0008.3b89.3128    40
te1/0/2   0008.3b89.3129    10
2.33 show dot1x statistics
To display 802.1X statistics for the specified port, use the show dot1x statistics
command in Privileged EXEC mode.
Syntax
show dot1x statistics interface interface-id
Parameters
• interface-id—Specifies an Ethernet port or OOB port.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays 802.1X statistics for te1/0/1.
switchxxxxxx# show dot1x statistics interface te1/0/1
EapolFramesRx: 11
EapolFramesTx: 12
EapolStartFramesRx: 1
EapolLogoffFramesRx: 1
EapolRespIdFramesRx: 3
EapolRespFramesRx: 6
EapolReqIdFramesTx: 3
EapolReqFramesTx: 6
InvalidEapolFramesRx: 0
EapLengthErrorFramesRx: 0
LastEapolFrameVersion: 1
LastEapolFrameSource: 00:08:78:32:98:78
The following describes the significant fields shown in the display:
• EapolFramesRx—Number of valid EAPOL frames of any type that have been received by this Authenticator.
• EapolFramesTx—Number of EAPOL frames of any type that have been transmitted by this Authenticator.
• EapolStartFramesRx—Number of EAPOL Start frames that have been received by this Authenticator.
• EapolLogoffFramesRx—Number of EAPOL Logoff frames that have been received by this Authenticator.
• EapolRespIdFramesRx—Number of EAP Resp/Id frames that have been received by this Authenticator.
• EapolRespFramesRx—Number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.
• EapolReqIdFramesTx—Number of EAP Req/Id frames that have been transmitted by this Authenticator.
• EapolReqFramesTx—Number of EAP Request frames (other than Req/Id frames) that have been transmitted by this Authenticator.
• InvalidEapolFramesRx—Number of EAPOL frames that have been received by this Authenticator for which the frame type is not recognized.
• EapLengthErrorFramesRx—Number of EAPOL frames that have been received by this Authenticator in which the Packet Body Length field is invalid.
• LastEapolFrameVersion—Protocol version number carried in the most recently received EAPOL frame.
• LastEapolFrameSource—Source MAC address carried in the most recently received EAPOL frame.
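Two of these counters, InvalidEapolFramesRx and EapLengthErrorFramesRx, only grow when the authenticator receives EAPOL frames it cannot parse, which a working supplicant never produces, so they are worth polling. The following Python parser and delta check is an added illustration, not switch code or a Cisco tool; the SAMPLE text is the guide's own example output reused as constructed input, and the choice of what to alert on is this example's.

```python
"""Parser and delta check for 'show dot1x statistics interface' output.

Added illustration, not switch code. Poll the counters periodically, keep the
previous snapshot, and report growth in the malformed-frame counters or a
change of the last EAPOL source on the port.
"""
import re

# Constructed input: the guide's own example output for te1/0/1.
SAMPLE = """\
switchxxxxxx# show dot1x statistics interface te1/0/1
EapolFramesRx: 11
EapolFramesTx: 12
EapolStartFramesRx: 1
EapolLogoffFramesRx: 1
EapolRespIdFramesRx: 3
EapolRespFramesRx: 6
EapolReqIdFramesTx: 3
EapolReqFramesTx: 6
InvalidEapolFramesRx: 0
EapLengthErrorFramesRx: 0
LastEapolFrameVersion: 1
LastEapolFrameSource: 00:08:78:32:98:78
"""

_LINE = re.compile(r"^\s*([A-Za-z]+):\s*(\S+)\s*$")


def parse_dot1x_statistics(text: str) -> dict:
    """Map counter names to ints; non-numeric fields (the MAC address) stay strings."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # skips the prompt line and blanks
        key, value = m.groups()
        stats[key] = int(value) if value.isdigit() else value
    return stats


# Counters that only grow on EAPOL frames the authenticator cannot parse
# (unrecognized frame type, invalid Packet Body Length).
MALFORMED_COUNTERS = ("InvalidEapolFramesRx", "EapLengthErrorFramesRx")


def eapol_alerts(previous: dict, current: dict) -> list:
    """Compare two polls of the same interface and describe anything worth a look."""
    alerts = []
    for name in MALFORMED_COUNTERS:
        delta = current.get(name, 0) - previous.get(name, 0)
        if delta > 0:
            alerts.append(f"{name} grew by {delta}; last EAPOL source "
                          f"{current.get('LastEapolFrameSource')}")
    prev_src = previous.get("LastEapolFrameSource")
    cur_src = current.get("LastEapolFrameSource")
    if prev_src and cur_src and prev_src != cur_src:
        alerts.append(f"EAPOL source changed from {prev_src} to {cur_src}")
    return alerts
```

A change of LastEapolFrameSource is normal on a multi-sessions port and only notable on a single-host port, so in practice the second check is gated on the host mode reported by show dot1x.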
2.34 show dot1x users
To display active 802.1X authorized users for the device, use the show dot1x users
command in Privileged EXEC mode.
Syntax
show dot1x users [username username]
Parameters
• username username—Specifies the supplicant username (Length: 1–160 characters).
Default Configuration
Display all users.
Command Mode
Privileged EXEC mode
Examples
Example 1. The following command displays all 802.1x users:
switchxxxxxx# show dot1x users
Port       Username    MAC Address        Auth Method   Auth Server   Session Time   VLAN
---------  ----------  -----------------  ------------  ------------  -------------  -----
te1/0/1    Bob         0008.3b71.1111     802.1x        Remote        09:01:00       1020
te1/0/2    Allan       0008.3b79.8787     MAC           Remote        00:11:12
te1/0/2    John        0008.3baa.0022     WBA           Remote        00:27:16
Example 2. The following example displays 802.1X user with supplicant username
Bob:
switchxxxxxx# show dot1x users username Bob
Port       Username    MAC Address        Auth Method   Auth Server   Session Time   VLAN
---------  ----------  -----------------  ------------  ------------  -------------  -----
te1/0/1    Bob         0008.3b71.1111     802.1x        Remote        09:01:00       1020
3
ACL Commands
3.1 ip access-list (IP extended)
Use the ip access-list extended Global Configuration mode command to name an
IPv4 access list (ACL) and to place the device in IPv4 Access List Configuration
mode. All commands after this command refer to this ACL. The rules (ACEs) for this
ACL are defined in the permit ( IP ) and deny ( IP ) commands. The service-acl input
command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
ip access-list extended acl-name
no ip access-list extended acl-name
Parameters
• acl-name—Name of the IPv4 access list. (Range: 1–32 characters)
Default Configuration
No IPv4 access list is defined.
Command Mode
Global Configuration mode
User Guidelines
An IPv4 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)#
3.2 permit ( IP )
Use the permit IP Access-list Configuration mode command to set permit
conditions for an IPv4 access list (ACL). Permit conditions are also known as
access control entries (ACEs). Use the no form of the command to remove the
access control entry.
Syntax
permit protocol {any | source source-wildcard} {any | destination
destination-wildcard} [ace-priority priority] [dscp number | precedence number]
[time-range time-range-name]
[log-input]
permit icmp {any | source source-wildcard} {any | destination destination-wildcard}
[any | icmp-type] [any | icmp-code]] [ace-priority priority] [dscp number |
precedence number] [time-range time-range-name]
[log-input]
permit igmp {any | source source-wildcard} {any | destination
destination-wildcard}[igmp-type] [ace-priority priority] [dscp number |
precedence number] [time-range time-range-name]
[log-input]
permit tcp {any | source source-wildcard} {any|source-port/port-range}{any |
destination destination-wildcard} {any|destination-port/port-range} [ace-priority
priority] [dscp number | precedence number] [match-all list-of-flags] [time-range
time-range-name]
[log-input]
permit udp {any | source source-wildcard} {any|source-port/port-range} {any |
destination destination-wildcard} {any|destination-port/port-range} [ace-priority
priority] [dscp number | precedence number] [time-range time-range-name]
[log-input]
no permit protocol {any | source source-wildcard} {any | destination
destination-wildcard} [dscp number | precedence number][time-range
time-range-name]
[log-input]
no permit icmp {any | source source-wildcard} {any | destination
destination-wildcard} [any | icmp-type] [any | icmp-code]] [dscp number |
precedence number][time-range time-range-name]
[log-input]
no permit igmp {any | source source-wildcard} {any | destination
destination-wildcard}[igmp-type] [dscp number | precedence number] [time-range
time-range-name]
[log-input]
no permit tcp {any | source source-wildcard} {any|source-port/port-range}{any |
destination destination-wildcard} {any|destination-port/port-range} [dscp number |
precedence number] [match-all list-of-flags] [time-range time-range-name]
[log-input]
no permit udp {any | source source-wildcard} {any|source-port/port-range} {any |
destination destination-wildcard} {any|destination-port/port-range} [dscp number |
precedence number] [time-range time-range-name]
[log-input]
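The syntax above combines several matching rules: Cisco wildcard bits (a 1 bit means "ignore this bit"), ace-priority ordering (1 is the highest priority), optional destination-port ranges and the match-all TCP flag string such as +fin-ack. The following Python evaluator is an added worked example of those rules, not switch code or Cisco's ACL engine. It assumes an implicit deny when no ACE matches, and the ACL it builds (SERVER_ACL, with the 10.0.0.0/24 admin subnet and the 192.0.2.10 server) is a constructed policy used only to exercise the matcher.

```python
"""Worked model of IPv4 ACE matching for the permit/deny syntax.

Added illustration, not switch code. Implements wildcard-bit address matching,
ace-priority ordering, destination-port ranges and match-all TCP flag lists.
Assumption: an implicit deny applies when no ACE matches.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means the bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


_FLAG_RE = re.compile(r"([+-])(urg|ack|psh|rst|syn|fin)")


def parse_flag_list(spec: str) -> dict:
    """'+fin-ack' -> {'fin': True, 'ack': False}; rejects anything outside the documented form."""
    pairs = _FLAG_RE.findall(spec)
    if not pairs or "".join(s + n for s, n in pairs) != spec:
        raise ValueError(f"bad match-all list: {spec!r}")
    return {name: sign == "+" for sign, name in pairs}


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    protocol: str                       # "ip" matches any protocol
    priority: int                       # 1 = highest, 2147483647 = lowest
    src: str = "any"
    src_wc: str = "0.0.0.0"
    dst: str = "any"
    dst_wc: str = "0.0.0.0"
    dst_port: Optional[tuple] = None    # (low, high) or None for any port
    match_all: Optional[str] = None     # e.g. "+syn-ack"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset()


def _addr_ok(pkt_addr: str, base: str, wc: str) -> bool:
    return base == "any" or wildcard_match(pkt_addr, base, wc)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not _addr_ok(pkt.src, ace.src, ace.src_wc) or not _addr_ok(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_port is not None:
        low, high = ace.dst_port
        if pkt.dst_port is None or not low <= pkt.dst_port <= high:
            return False
    if ace.match_all is not None:
        wanted = parse_flag_list(ace.match_all)
        if any((name in pkt.tcp_flags) != want for name, want in wanted.items()):
            return False
    return True


def evaluate(acl: list, pkt: Packet) -> str:
    """First ACE in priority order that matches decides; otherwise implicit deny (assumption)."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed policy: SSH from the admin subnet, no other new inbound TCP
# connections (+syn-ack = SYN set, ACK clear), everything already established allowed.
SERVER_ACL = [
    Ace("permit", "tcp", 10, src="10.0.0.0", src_wc="0.0.0.255", dst_port=(22, 22)),
    Ace("deny", "tcp", 20, match_all="+syn-ack"),
    Ace("permit", "tcp", 30),
]
```

Because a lower priority number wins, adding a broad permit with a small number silently shadows every narrower deny behind it; evaluating candidate packets against the list before attaching it with service-acl input catches that ordering mistake.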
Parameters
• protocol—The name or the number of an IP protocol. Available protocol
names are: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout,
ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis.
To match any protocol, use the ip keyword.(Range: 0–255)
• source—Source IP address of the packet.
• source-wildcard—Wildcard bits to be applied to the source IP address. Use
ones in the bit position that you want to be ignored.
• destination—Destination IP address of the packet.
• destination-wildcard—Wildcard bits to be applied to the destination IP
address. Use ones in the bit position that you want to be ignored.
• priority—Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 represents the lowest priority. (Range: 1–2147483647)
• dscp number—Specifies the DSCP value.
• precedence number—Specifies the IP precedence value.
• icmp-type—Specifies an ICMP message type for filtering ICMP packets.
Enter a number or one of the following values: echo-reply,
destination-unreachable, source-quench, redirect, alternate-host-address,
echo-request, router-advertisement, router-solicitation, time-exceeded,
parameter-problem, timestamp, timestamp-reply, information-request,
information-reply, address-mask-request, address-mask-reply, traceroute,
datagram-conversion-error, mobile-host-redirect,
mobile-registration-request, mobile-registration-reply,
domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
• icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
• igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
• destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, for example 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
• source-port—Specifies the UDP/TCP source port. The predefined port names are the same as for the destination-port parameter. (Range: 0–65535)
• match-all list-of-flags—List of TCP flags that must occur. A flag that must be set is prefixed by “+”; a flag that must be unset is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string, for example +fin-ack.
• time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
• log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing the log-input keyword, the software might not be able to keep up with the hardware processing rate, and not all packets will be logged.
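The match-all parameter above is easy to misread, so the following Python model (added here as an illustration; it is not Cisco code and does not run on the switch) parses a list-of-flags string such as +fin-ack exactly as the parameter describes it and evaluates it against constructed TCP flag sets. It makes one point the text leaves implicit: flags not mentioned in the string are ignored, so +fin-ack also matches a segment carrying FIN and PSH.

```python
"""Parse a match-all list-of-flags string (e.g. "+fin-ack") and test TCP flag
sets against it.  Added example; the parsing rules follow the parameter
description in the manual, the sample segments are constructed."""
from __future__ import annotations

# TCP flag names accepted by match-all, as listed in the manual.
TCP_FLAGS = ("urg", "ack", "psh", "rst", "syn", "fin")


def parse_match_all(spec: str) -> tuple[frozenset[str], frozenset[str]]:
    """Split "+fin-ack" into (must_be_set, must_be_clear).

    Every flag carries a mandatory "+" or "-" prefix and the tokens are
    concatenated without separators, so the string is scanned sign by sign.
    """
    must_set: set[str] = set()
    must_clear: set[str] = set()
    i = 0
    while i < len(spec):
        sign = spec[i]
        if sign not in "+-":
            raise ValueError(f"flag at offset {i} lacks a +/- prefix: {spec!r}")
        j = i + 1
        while j < len(spec) and spec[j] not in "+-":
            j += 1
        name = spec[i + 1:j].lower()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r} in {spec!r}")
        if name in must_set or name in must_clear:
            raise ValueError(f"flag {name!r} listed twice in {spec!r}")
        (must_set if sign == "+" else must_clear).add(name)
        i = j
    return frozenset(must_set), frozenset(must_clear)


def flags_match(spec: str, packet_flags: set[str]) -> bool:
    """True when every "+" flag is set and every "-" flag is clear.

    Flags the spec does not mention are ignored, so "+fin-ack" matches a
    segment carrying FIN+PSH as long as ACK is clear.
    """
    must_set, must_clear = parse_match_all(spec)
    present = {f.lower() for f in packet_flags}
    return must_set <= present and not (must_clear & present)


# Constructed sample segments (flag sets only), not captured traffic.
SAMPLES = {
    "bare FIN": {"fin"},
    "FIN with PSH": {"fin", "psh"},
    "FIN+ACK close": {"fin", "ack"},
    "SYN only": {"syn"},
    "SYN+ACK": {"syn", "ack"},
}


def classify(spec: str) -> dict[str, bool]:
    """Evaluate one match-all spec against every sample segment."""
    return {name: flags_match(spec, flags) for name, flags in SAMPLES.items()}


if __name__ == "__main__":
    for spec in ("+fin-ack", "+syn-ack", "+syn+ack"):
        print(spec, classify(spec))
```

Running the block prints, for each of the three specs, which sample segments it would match; +syn-ack is the combination that singles out connection-initiation segments, which is the usual reason to log or rate-control them with an ACE.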
Default Configuration
No IPv4 access list is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
If a range of ports is used for the source port in an ACE, it is not counted again if it is also used for the source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL; if the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# permit ip 176.212.0.0 0.0.255.255 any
3.3 deny (IP)
Use the deny IP Access-list Configuration mode command to set deny conditions for an IPv4 access list. Deny conditions are also known as access control entries (ACEs). Use the no form of the command to remove the access control entry.
Syntax
deny protocol {any | source source-wildcard} {any | destination destination-wildcard} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code] [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
deny igmp {any | source source-wildcard} {any | destination destination-wildcard} [igmp-type] [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
deny tcp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [disable-port | log-input]
deny udp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny protocol {any | source source-wildcard} {any | destination destination-wildcard} [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny igmp {any | source source-wildcard} {any | destination destination-wildcard} [igmp-type] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny tcp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [disable-port | log-input]
no deny udp {any | source source-wildcard} {any | source-port/port-range} {any | destination destination-wildcard} {any | destination-port/port-range} [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
Parameters
• protocol—The name or the number of an IP protocol. Available protocol names: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis. To match any protocol, use the ip keyword. (Range: 0–255)
• source—Source IP address of the packet.
• source-wildcard—Wildcard bits to be applied to the source IP address. Use 1s in the bit positions that you want to be ignored.
• destination—Destination IP address of the packet.
• destination-wildcard—Wildcard bits to be applied to the destination IP address. Use 1s in the bit positions that you want to be ignored.
• priority—Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 the lowest. (Range: 1–2147483647)
• dscp number—Specifies the DSCP value.
• precedence number—Specifies the IP precedence value.
• icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
• icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
• igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
• destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, for example 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
• source-port—Specifies the UDP/TCP source port. The predefined port names are the same as for the destination-port parameter. (Range: 0–65535)
• match-all list-of-flags—List of TCP flags that must occur. A flag that must be set is prefixed by “+”; a flag that must be unset is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string, for example +fin-ack.
• time-range-name—Name of the time range that applies to this deny statement. (Range: 1–32)
• disable-port—The Ethernet interface is disabled if the condition is matched.
• log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing the log-input keyword, the software might not be able to keep up with the hardware processing rate, and not all packets will be logged.
Default Configuration
No IPv4 access list is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
The number of TCP/UDP port ranges that can be defined in ACLs is limited. If a range of ports is used for the source port in an ACE, it is not counted again if it is also used for the source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL; if the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# deny ip 176.212.0.0 0.0.255.255 any
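To make the wildcard and ace-priority rules of the permit (IP) and deny (IP) commands concrete, the following Python model (added here as an illustration; it is not Cisco code and does not run on the switch) evaluates ACEs the way the text describes: 1 bits in the wildcard are ignored, an omitted ace-priority becomes the highest existing priority + 20, a duplicate priority is rejected, ACEs are consulted in priority order, and a packet that matches no ACE falls to the interface's default-action (deny-any or permit-any, as in service-acl input). It goes beyond the page's IPv4 example in one way: the same wildcard logic is applied to MAC addresses, so the mac access-list example further down is covered as well. The priority 20 assumed for the first ACE of an empty ACL, and the "largest priority number + 20" reading of the default, are assumptions of this model.

```python
"""Wildcard-mask matching and ace-priority ordering for the permit/deny ACEs
described in this chapter.  Added example, not switch code; the 'server'
ACL below is constructed to mirror the manual's example."""
from __future__ import annotations
from dataclasses import dataclass, field


def _to_bytes(addr: str) -> bytes:
    """Dotted-quad IPv4 (176.212.0.0) or colon-separated MAC (00:00:00:00:00:01)
    to raw bytes, so one wildcard routine serves IPv4 and MAC ACEs."""
    if ":" in addr:
        return bytes(int(x, 16) for x in addr.split(":"))
    return bytes(int(x) for x in addr.split("."))


def _exact_wildcard(pattern: str) -> str:
    """All-zero wildcard of the pattern's family (every bit must match)."""
    return "00:00:00:00:00:00" if ":" in pattern else "0.0.0.0"


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """True when addr equals pattern in every bit where the wildcard bit is 0."""
    a, p, w = _to_bytes(addr), _to_bytes(pattern), _to_bytes(wildcard)
    if not len(a) == len(p) == len(w):
        raise ValueError("address, pattern and wildcard must be the same family")
    return all((((x ^ y) & ~z) & 0xFF) == 0 for x, y, z in zip(a, p, w))


@dataclass(order=True)
class Ace:
    priority: int                               # only field used for ordering
    action: str = field(compare=False)          # "permit" or "deny"
    src: str | None = field(compare=False)      # None means "any"
    src_wc: str | None = field(compare=False)
    dst: str | None = field(compare=False)
    dst_wc: str | None = field(compare=False)

    def matches(self, src: str, dst: str) -> bool:
        src_ok = self.src is None or wildcard_match(
            src, self.src, self.src_wc or _exact_wildcard(self.src))
        dst_ok = self.dst is None or wildcard_match(
            dst, self.dst, self.dst_wc or _exact_wildcard(self.dst))
        return src_ok and dst_ok


class Acl:
    MAX_PRIORITY = 2147483647   # lowest priority value per the manual
    FIRST_PRIORITY = 20         # assumption: first ACE of an empty ACL

    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: list[Ace] = []

    def add(self, action: str, src: str | None = None, src_wc: str | None = None,
            dst: str | None = None, dst_wc: str | None = None,
            priority: int | None = None) -> int:
        """Add an ACE; returns the priority actually assigned."""
        if priority is None:
            # Documented default: current highest priority ACE + 20 (read here
            # as the largest priority number in the ACL plus 20).
            priority = (max(a.priority for a in self.aces) + 20
                        if self.aces else self.FIRST_PRIORITY)
        if not 1 <= priority <= self.MAX_PRIORITY:
            raise ValueError(f"ace-priority {priority} out of range")
        if any(a.priority == priority for a in self.aces):
            raise ValueError(f"ace-priority {priority} already exists; command rejected")
        self.aces.append(Ace(priority, action, src, src_wc, dst, dst_wc))
        self.aces.sort()           # lowest number = highest priority, consulted first
        return priority

    def evaluate(self, src: str, dst: str, default_action: str = "deny-any") -> str:
        """First matching ACE wins; otherwise the bound default-action applies."""
        for ace in self.aces:
            if ace.matches(src, dst):
                return ace.action
        return "permit" if default_action == "permit-any" else "deny"


def build_server_acl() -> Acl:
    """Constructed ACL: the manual's 'server' permit plus a more specific deny
    given an explicit, higher priority (10 sorts before the default 20)."""
    acl = Acl("server")
    acl.add("permit", src="176.212.0.0", src_wc="0.0.255.255")          # -> 20
    acl.add("deny", src="176.212.9.0", src_wc="0.0.0.255", priority=10)
    return acl


if __name__ == "__main__":
    acl = build_server_acl()
    for s in ("176.212.9.5", "176.212.1.5", "192.0.2.1"):
        print(s, acl.evaluate(s, "10.0.0.1"), acl.evaluate(s, "10.0.0.1", "permit-any"))
    mac_acl = Acl("server1")
    mac_acl.add("permit", src="00:00:00:00:00:01", src_wc="00:00:00:00:00:ff")
    print(mac_acl.evaluate("00:00:00:00:00:7a", "ff:ff:ff:ff:ff:ff"))
```

Note the ordering consequence: because 10 sorts before 20, the explicit deny for 176.212.9.0/24 is consulted before the broader permit, even though it was entered second. Entering the same deny without ace-priority would have given it 40 and left it shadowed by the permit.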
3.4 ipv6 access-list (IPv6 extended)
Use the ipv6 access-list Global Configuration mode command to define an IPv6 access list (ACL) and to place the device in IPv6 Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (IPv6) and deny (IPv6) commands. The service-acl input command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
ipv6 access-list [acl-name]
no ipv6 access-list [acl-name]
Parameters
acl-name—Name of the IPv6 access list. (Range: 1–32 characters)
Default Configuration
No IPv6 access list is defined.
Command Mode
Global Configuration mode
User Guidelines
An IPv6 ACL is defined by a unique name. An IPv4 ACL, IPv6 ACL, MAC ACL or policy map cannot have the same name.
Every IPv6 ACL has an implicit permit icmp any any nd-ns any, permit icmp any any nd-na any, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow ICMPv6 neighbor discovery.)
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Example
switchxxxxxx(config)# ipv6 access-list acl1
switchxxxxxx(config-ip-al)# permit tcp 2001:0DB8:0300:0201::/64 any any 80
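The implicit tail of every IPv6 ACL (permit nd-ns, permit nd-na, deny ipv6 any any) is the part of the User Guidelines that most often surprises people, so the following Python model (added here as an illustration; it is not Cisco code and does not run on the switch) evaluates constructed packets against the acl1 example above with that tail appended. It shows that neighbor discovery still passes through an ACL that only permits TCP port 80, that every other protocol is dropped by the trailing deny, and, as the edge case, that an explicit deny icmp entered by the user precedes the implicit permits and therefore blocks neighbor discovery. The packet and ACE field sets are simplified assumptions of this model.

```python
"""Model of IPv6 ACL evaluation including the implicit last match conditions
documented for ipv6 access-list.  Added example, not switch code; all packets
below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# ICMPv6 type names and numbers as listed under the icmp-type parameter.
ICMPV6 = {"nd-ns": 135, "nd-na": 136, "echo-request": 128, "echo-reply": 129}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                  # "icmp", "tcp" or "udp"
    icmp_type: int | None = None
    dst_port: int | None = None


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    protocol: str                  # "icmp", "tcp", "udp" or "ipv6" (= any protocol)
    src: str = "any"               # "any" or prefix/length
    dst: str = "any"
    icmp_type: int | None = None   # None = any
    dst_port: int | None = None    # None = any

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ipv6" and self.protocol != pkt.protocol:
            return False
        if not _in_prefix(pkt.src, self.src) or not _in_prefix(pkt.dst, self.dst):
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def _in_prefix(addr: str, prefix: str) -> bool:
    if prefix == "any":
        return True
    return IPv6Address(addr) in IPv6Network(prefix, strict=False)


# Implicit last match conditions, in the order the manual lists them.
IMPLICIT_TAIL = (
    Ace("permit", "icmp", icmp_type=ICMPV6["nd-ns"]),
    Ace("permit", "icmp", icmp_type=ICMPV6["nd-na"]),
    Ace("deny", "ipv6"),
)


def evaluate(user_aces: tuple[Ace, ...], pkt: Packet) -> str:
    """First-match evaluation: configured ACEs first, then the implicit tail."""
    for ace in tuple(user_aces) + IMPLICIT_TAIL:
        if ace.matches(pkt):
            return ace.action
    raise AssertionError("unreachable: deny ipv6 any any matches everything")


# Constructed ACL equivalent to the manual's acl1 example.
ACL1 = (Ace("permit", "tcp", src="2001:0DB8:0300:0201::/64", dst_port=80),)

# Constructed packets, not captured traffic.
SAMPLES = {
    "http from permitted /64": Packet("2001:db8:300:201::10", "2001:db8::1", "tcp", dst_port=80),
    "ssh from permitted /64": Packet("2001:db8:300:201::10", "2001:db8::1", "tcp", dst_port=22),
    "http from other prefix": Packet("2001:db8:999::10", "2001:db8::1", "tcp", dst_port=80),
    "neighbor solicitation": Packet("fe80::1", "ff02::1:ff00:1", "icmp", icmp_type=135),
    "neighbor advertisement": Packet("fe80::1", "fe80::2", "icmp", icmp_type=136),
    "echo request": Packet("2001:db8:300:201::10", "2001:db8::1", "icmp", icmp_type=128),
}


def classify(aces: tuple[Ace, ...] = ACL1) -> dict[str, str]:
    """Action taken for each sample packet under the given ACL."""
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in classify().items():
        print(f"{name:26s} {action}")
    print("NS with an explicit 'deny icmp any any':",
          evaluate((Ace("deny", "icmp"),), SAMPLES["neighbor solicitation"]))
```

The last line of the demo is the one to remember when writing a blanket ICMPv6 deny: the implicit neighbor-discovery permits only help if no earlier ACE matches the packet first.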
3.5 permit (IPv6)
Use the permit command in IPv6 Access-list Configuration mode to set permit conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.
Syntax
permit protocol {any | source-prefix/length} {any | destination-prefix/length} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [log-input]
permit icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [log-input]
permit tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [log-input]
permit udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [log-input]
no permit protocol {any | source-prefix/length} {any | destination-prefix/length} [dscp number | precedence number] [time-range time-range-name] [log-input]
no permit icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | precedence number] [time-range time-range-name] [log-input]
no permit tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [log-input]
no permit udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [time-range time-range-name] [log-input]
Parameters
• protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255)
• source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
• destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
• priority—Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 the lowest. (Range: 1–2147483647)
• dscp number—Specifies the DSCP value. (Range: 0–63)
• precedence number—Specifies the IP precedence value.
• icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range: 0–255)
• icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
• destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, for example 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
• source-port—Specifies the UDP/TCP source port. The predefined port names are the same as for the destination-port parameter. (Range: 0–65535)
• match-all list-of-flags—List of TCP flags that must occur. A flag that must be set is prefixed by “+”; a flag that must be unset is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string, for example +fin-ack.
• time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
• log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing the log-input keyword, the software might not be able to keep up with the hardware processing rate, and not all packets will be logged.
Default Configuration
No IPv6 access list is defined.
Command Mode
Ipv6 Access-list Configuration mode
User Guidelines
The number of TCP/UDP port ranges that can be defined in ACLs is limited. If a range of ports is used for the source port in an ACE, it is not counted again if it is also used for the source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL; if the user enters a priority that already exists, the command is rejected.
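The port-range accounting rule in these User Guidelines (repeated for the IPv4 and IPv6 permit and deny commands) is easier to apply with a small calculator, so the following Python function (added here as an illustration; it is not Cisco code) counts how many port-range resources a set of TCP/UDP ACEs consumes: a range reused as the source port in several ACEs counts once, the same for the destination port, but the same range used as both source and destination counts twice. The page states that the total is limited but not the limit itself, so the limit is a parameter; treating a single port, and a range whose two ends are equal, as consuming no range resource is an assumption of this model.

```python
"""Count TCP/UDP port-range resources consumed by a set of ACEs under the
sharing rules in the User Guidelines.  Added example, not switch code; the
ACE set below is constructed."""
from __future__ import annotations

PortSpec = str   # "any", a single port such as "80", or a range such as "20-21"


def parse_port_spec(spec: str) -> tuple[int, int] | None:
    """Return (low, high) for a range, or None for "any" or a single port.

    Ranges are written with a hyphen, e.g. "20-21".  Treating "80-80" as a
    single port rather than a range is an assumption of this model.
    """
    spec = spec.strip()
    if spec == "any":
        return None
    if "-" in spec:
        lo_s, hi_s = (s.strip() for s in spec.split("-", 1))
        lo, hi = int(lo_s), int(hi_s)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {spec!r}")
        return None if lo == hi else (lo, hi)
    port = int(spec)
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port {spec!r}")
    return None


def count_port_ranges(aces: list[tuple[PortSpec, PortSpec]]) -> int:
    """aces: (source-port, destination-port) of every TCP/UDP ACE across all ACLs.

    A (direction, range) pair is a resource; the set removes repeats within
    the same direction while keeping source and destination uses distinct.
    """
    used: set[tuple[str, tuple[int, int]]] = set()
    for src, dst in aces:
        for direction, spec in (("src", src), ("dst", dst)):
            rng = parse_port_spec(spec)
            if rng is not None:
                used.add((direction, rng))
    return len(used)


def check_within_limit(aces: list[tuple[PortSpec, PortSpec]], limit: int) -> tuple[int, bool]:
    """limit is hypothetical: the manual says the number is limited but not what it is."""
    n = count_port_ranges(aces)
    return n, n <= limit


# Constructed ACE set (source-port, destination-port) with the expected running count.
SAMPLE_ACES = [
    ("any", "20-21"),        # destination range 20-21            -> 1
    ("any", "20-21"),        # same destination range again      -> +0
    ("20-21", "any"),        # same range, now as source          -> +1 (counted again)
    ("1024-65535", "80"),    # source range, single destination  -> +1
    ("1024-65535", "443"),   # source range reused                -> +0
    ("any", "443"),          # no range at all                    -> +0
]

if __name__ == "__main__":
    print(count_port_ranges(SAMPLE_ACES), check_within_limit(SAMPLE_ACES, 2))
```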
Example
This example defines an ACL named server and enters a rule (ACE) for TCP packets.
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# permit tcp 3001::2/64 any any 80
3.6 deny (IPv6)
Use the deny command in IPv6 Access-list Configuration mode to set deny conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.
Syntax
deny protocol {any | source-prefix/length} {any | destination-prefix/length} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
deny icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
deny tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [disable-port | log-input]
deny udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny protocol {any | source-prefix/length} {any | destination-prefix/length} [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny icmp {any | source-prefix/length} {any | destination-prefix/length} {any | icmp-type} {any | icmp-code} [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
no deny tcp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [disable-port | log-input]
no deny udp {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
Parameters
• protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255)
• source-prefix/length—The source IPv6 network or class of networks about which to set deny conditions. This argument must be in the format documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
• destination-prefix/length—The destination IPv6 network or class of networks about which to set deny conditions. This argument must be in the format documented in RFC 3513, where the address is specified in hexadecimal using 16-bit values between colons.
• priority—Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 the lowest. (Range: 1–2147483647)
• dscp number—Specifies the DSCP value. (Range: 0–63)
• precedence number—Specifies the IP precedence value.
• icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range: 0–255)
• icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
• destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, for example 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
• source-port—Specifies the UDP/TCP source port. The predefined port names are the same as for the destination-port parameter. (Range: 0–65535)
• match-all list-of-flags—List of TCP flags that must occur. A flag that must be set is prefixed by “+”; a flag that must be unset is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string, for example +fin-ack.
• time-range-name—Name of the time range that applies to this deny statement. (Range: 1–32)
• disable-port—The Ethernet interface is disabled if the condition is matched.
• log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing the log-input keyword, the software might not be able to keep up with the hardware processing rate, and not all packets will be logged.
Default Configuration
No IPv6 access list is defined.
Command Mode
Ipv6 Access-list Configuration mode
User Guidelines
The number of TCP/UDP port ranges that can be defined in ACLs is limited. If a range of ports is used for the source port in an ACE, it is not counted again if it is also used for the source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for the destination port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL; if the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# deny tcp 3001::2/64 any any 80
3.7 mac access-list
Use the mac access-list Global Configuration mode command to define a Layer 2 access list (ACL) based on source MAC address filtering and to place the device in MAC Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (MAC) and deny (MAC) commands. The service-acl input command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
mac access-list extended acl-name
no mac access-list extended acl-name
Parameters
acl-name—Specifies the name of the MAC ACL (Range: 1–32 characters).
Default Configuration
No MAC access list is defined.
Command Mode
Global Configuration mode
User Guidelines
A MAC ACL is defined by a unique name. An IPv4 ACL, IPv6 ACL, MAC ACL or policy map cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL; if the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
3.8 permit (MAC)
Use the permit command in MAC Access-list Configuration mode to set permit
conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the
access control entry.
Syntax
permit {any | source source-wildcard} {any | destination destination-wildcard} [ace-priority priority] [eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [log-input]
no permit {any | source source-wildcard} {any | destination destination-wildcard} [eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [log-input]
Parameters
• source—Source MAC address of the packet.
• source-wildcard—Wildcard bits to be applied to the source MAC address. Use 1s in the bit positions that you want to be ignored.
• destination—Destination MAC address of the packet.
• destination-wildcard—Wildcard bits to be applied to the destination MAC address. Use 1s in the bit positions that you want to be ignored.
• priority—Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 the lowest. (Range: 1–2147483647)
• eth-type—The Ethernet type of the packet, in hexadecimal format.
• vlan-id—The VLAN ID of the packet. (Range: 1–4094)
• cos—The Class of Service of the packet. (Range: 0–7)
• cos-wildcard—Wildcard bits to be applied to the CoS.
• time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
• log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing the log-input keyword, the software might not be able to keep up with the hardware processing rate, and not all packets will be logged.
User Guidelines
A MAC ACL is defined by a unique name. An IPv4 ACL, IPv6 ACL, MAC ACL or policy map cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL; if the user enters a priority that already exists, the command is rejected.
Default Configuration
No MAC access list is defined.
Command Mode
MAC Access-list Configuration mode
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
3.9 deny (MAC)
Use the deny command in MAC Access-list Configuration mode to set deny
conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the
access control entry.
Syntax
deny {any | source source-wildcard} {any | destination destination-wildcard} [ace-priority priority] [eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [disable-port | log-input]
no deny {any | source source-wildcard} {any | destination destination-wildcard} [eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [disable-port | log-input]
Parameters
• source—Source MAC address of the packet.
• source-wildcard—Wildcard bits to be applied to the source MAC address. Use 1s in the bit positions that you want to be ignored.
• destination—Destination MAC address of the packet.
• destination-wildcard—Wildcard bits to be applied to the destination MAC address. Use 1s in the bit positions that you want to be ignored.
• priority—Specifies the priority of the access control entry (ACE) in the access control list (ACL). The value 1 represents the highest priority and 2147483647 the lowest. (Range: 1–2147483647)
• eth-type—The Ethernet type of the packet, in hexadecimal format.
• vlan-id—The VLAN ID of the packet. (Range: 1–4094)
• cos—The Class of Service of the packet. (Range: 0–7)
• cos-wildcard—Wildcard bits to be applied to the CoS.
• time-range-name—Name of the time range that applies to this deny statement. (Range: 1–32)
• disable-port—The Ethernet interface is disabled if the condition is matched.
• log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing the log-input keyword, the software might not be able to keep up with the hardware processing rate, and not all packets will be logged.
Default Configuration
No MAC access list is defined.
Command Mode
MAC Access-list Configuration mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACLs, IPv6 ACLs, MAC ACLs and policy maps cannot share the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any
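As an added example (not code from the Cisco guide), the following Python models the MAC ACE semantics described above: wildcard bits where a 1 means the bit is ignored, evaluation by ascending ace-priority, and the automatic priority rule (highest existing priority + 20, duplicates rejected). The class and function names are this example's own, and starting an empty ACL at priority 20 is an assumption the page does not state.

```python
# Added example, not from the Cisco guide: a small model of MAC ACL matching
# and the ace-priority rules from the deny (MAC) / permit (MAC) sections.
from dataclasses import dataclass, field
from typing import List, Optional

ACE_PRIORITY_MAX = 2147483647  # top of the ace-priority range given above


def mac_to_int(mac: str) -> int:
    """Parse xx:xx:xx:xx:xx:xx into a 48-bit integer."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac}")
    return int("".join(parts), 16)


def mac_matches(addr: str, pattern: str, wildcard: str) -> bool:
    """Wildcard semantics from the parameter list: a 1 bit means 'ignore this bit'."""
    if pattern == "any":
        return True
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(pattern) & care)


@dataclass
class MacAce:
    action: str                               # "permit" or "deny"
    src: str                                  # source MAC or "any"
    src_wildcard: str = "00:00:00:00:00:00"   # all bits significant by default
    dst: str = "any"
    dst_wildcard: str = "00:00:00:00:00:00"
    priority: int = 0                         # filled in by MacAcl.add()


@dataclass
class MacAcl:
    name: str
    aces: List[MacAce] = field(default_factory=list)

    def add(self, ace: MacAce, priority: Optional[int] = None) -> int:
        """Append an ACE, applying the ace-priority rules from the User Guidelines."""
        if priority is None:
            # Omitted: current highest priority in this ACL + 20. Starting an empty
            # ACL at 20 is this example's assumption; the page does not state it.
            priority = max((a.priority for a in self.aces), default=0) + 20
        if not 1 <= priority <= ACE_PRIORITY_MAX:
            raise ValueError(f"ace-priority {priority} out of range 1-{ACE_PRIORITY_MAX}")
        if any(a.priority == priority for a in self.aces):
            raise ValueError(f"ace-priority {priority} already exists in {self.name}")
        ace.priority = priority
        self.aces.append(ace)
        return priority

    def lookup(self, src: str, dst: str) -> str:
        """Evaluate ACEs from priority 1 upward; the first match decides."""
        for ace in sorted(self.aces, key=lambda a: a.priority):
            if (mac_matches(src, ace.src, ace.src_wildcard)
                    and mac_matches(dst, ace.dst, ace.dst_wildcard)):
                return ace.action
        return "no-match"  # the binding's default-action (see service-acl input) applies


def build_server1_acl() -> MacAcl:
    """The 'server1' ACL from the example above, plus a constructed permit-any ACE."""
    acl = MacAcl("server1")
    # deny 00:00:00:00:00:01 00:00:00:00:00:ff any  -> automatic priority 20
    acl.add(MacAce("deny", "00:00:00:00:00:01", "00:00:00:00:00:ff"))
    # permit any any ace-priority 100 (constructed for this example)
    acl.add(MacAce("permit", "any"), priority=100)
    return acl
```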
3.10 service-acl input
Use the service-acl input command in Interface Configuration mode to bind one or two access lists (ACLs) to an interface.
Use the no form of this command to remove all ACLs from the interface.
Syntax
service-acl input acl-name1 [acl-name2] [default-action {deny-any | permit-any}]
no service-acl input
Parameters
• acl-name—Specifies an ACL to apply to the interface. See the user
guidelines. (Range: 1–32 characters).
• deny-any—Deny all packets (that were ingress at the port) that do not meet the rules in this ACL.
• permit-any—Forward all packets (that were ingress at the port) that do not meet the rules in this ACL.
Default Configuration
No ACL is assigned.
Command Mode
Interface Configuration mode (Ethernet, Port-Channel, VLAN)
User Guidelines
The following rules govern when ACLs can be bound or unbound from an
interface:
• IPv4 ACLs and IPv6 ACLs can be bound together to an interface.
• A MAC ACL cannot be bound on an interface which already has an IPv4 ACL or IPv6 ACL bound to it.
• Two ACLs of the same type cannot be bound to a port.
• An ACL cannot be bound to a port that is already bound to an ACL, without first removing the current ACL. Both ACLs must be mentioned at the same time in this command.
• MAC ACLs that include a VLAN as match criteria cannot be bound to a VLAN.
• ACLs with time-based configuration on one of their ACEs cannot be bound to a VLAN.
• ACLs with the action Shutdown cannot be bound to a VLAN.
• When the user binds an ACL to an interface, TCAM resources are consumed: one TCAM rule for each MAC or IP ACE and two TCAM rules for each IPv6 ACE. The TCAM consumption is always an even number, so an odd number of rules is rounded up by one.
• An ACL cannot be bound as input if it has been bound as output.
Example
switchxxxxxx(config)# mac access-list extended server-acl
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# service-acl input server-acl default-action deny-any
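Added example, not from the guide: a Python check of a proposed service-acl input binding against the rules listed above, together with the TCAM estimate (one rule per MAC or IP ACE, two per IPv6 ACE, rounded up to an even number). AclSpec, tcam_rules and check_binding are hypothetical names; the switch's own error messages are not reproduced.

```python
# Added example, not from the Cisco guide: validates a service-acl input
# request against the User Guidelines above and estimates TCAM consumption.
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class AclSpec:
    name: str
    kind: str                     # "mac", "ipv4" or "ipv6"
    ace_count: int
    matches_vlan: bool = False    # a MAC ACE carries the vlan keyword
    has_time_range: bool = False  # some ACE carries time-range
    has_shutdown: bool = False    # some ACE uses disable-port (the Shutdown action)


def tcam_rules(acls: Sequence[AclSpec]) -> int:
    """TCAM rules consumed when binding these ACLs to one interface:
    one per MAC or IP ACE, two per IPv6 ACE, rounded up to an even number."""
    total = sum(a.ace_count * (2 if a.kind == "ipv6" else 1) for a in acls)
    return total + (total % 2)


def check_binding(acls: Sequence[AclSpec], interface_kind: str,
                  bound_input: Sequence[str] = (),
                  bound_output: Sequence[str] = ()) -> List[str]:
    """Return the rule violations for 'service-acl input <acls>' on an interface.
    interface_kind is "ethernet", "port-channel" or "vlan"; bound_input and
    bound_output are the ACL names already bound on that interface per direction."""
    errors: List[str] = []
    kinds = [a.kind for a in acls]
    names = {a.name for a in acls}
    if not 1 <= len(acls) <= 2:
        errors.append("service-acl input takes one or two ACL names")
    if len(set(kinds)) != len(kinds):
        errors.append("two ACLs of the same type cannot be bound to a port")
    if "mac" in kinds and ("ipv4" in kinds or "ipv6" in kinds):
        errors.append("a MAC ACL cannot be bound together with an IPv4 or IPv6 ACL")
    # An already-bound ACL must be removed first or named again in the same command.
    stale = [n for n in bound_input if n not in names]
    if stale:
        errors.append(f"interface is already bound to {stale}; remove it or name both ACLs")
    for a in acls:
        if a.name in bound_output:
            errors.append(f"{a.name} is bound as output and cannot also be bound as input")
        if interface_kind == "vlan":
            if a.kind == "mac" and a.matches_vlan:
                errors.append(f"{a.name}: MAC ACL with VLAN match criteria cannot bind to a VLAN")
            if a.has_time_range:
                errors.append(f"{a.name}: time-based ACE cannot bind to a VLAN")
            if a.has_shutdown:
                errors.append(f"{a.name}: Shutdown action cannot bind to a VLAN")
    return errors
```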
3.11 service-acl output
Use the service-acl output command in Interface Configuration mode to control
access to an interface on the egress (transmit path).
Use the no form of this command to remove the access control.
Syntax
service-acl output acl-name1 [acl-name2]
no service-acl output
Parameters
acl-name—Specifies an ACL to apply to the interface. See the usage guidelines. (Range: acl-name is from 0–32 characters. Use "" for an empty string.)
Default
No ACL is assigned.
Command Mode
Interface Configuration mode (Ethernet, Port-Channel).
User Guidelines
The log-input rule action is not supported; trying to use it results in an error.
The disable-port deny rule action is not supported; trying to use it results in an error.
IPv4 and IPv6 ACLs can be bound together on an interface.
A MAC ACL cannot be bound on an interface together with an IPv4 ACL or IPv6
ACL.
Two ACLs of the same type cannot be added to a port.
An ACL cannot be added to a port that is already bound to an ACL, without first removing the current ACL and binding the two ACLs together.
An ACL cannot be bound as output if it has been bound as input.
Example
This example binds an egress ACL to a port:
switchxxxxxx(config)# mac access-list extended server
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# service-acl output server
3.12 time-range
Use the time-range Global Configuration mode command to define time ranges for
different functions. In addition, this command enters the Time-range Configuration
mode. All commands after this one refer to the time-range being defined.
This command sets a time-range name. Use the absolute and periodic commands
to actually configure the time-range.
Use the no form of this command to remove the time range from the device.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
time-range-name—Specifies the name for the time range. (Range: 1–32
characters)
Default Configuration
No time range is defined
Command Mode
Global Configuration mode
User Guidelines
After adding the name of a time range with this command, use the absolute and
periodic commands to actually configure the time-range. Multiple periodic
commands are allowed in a time range. Only one absolute command is allowed.
If a time-range command has both absolute and periodic values specified, then
the periodic items are evaluated only after the absolute start time is reached, and
are not evaluated again after the absolute end time is reached.
All time specifications are interpreted as local time.
To ensure that the time range entries take effect at the desired times, the software
clock should be set by the user or by SNTP. If the software clock is not set by the
user or by SNTP, the time range ACEs are not activated.
The user cannot delete a time-range that is bound to any features.
When a time range is defined, it can be used in the following commands:
• dot1x port-control
• power inline
• operation time
• permit (IP)
• deny (IP)
• permit (IPv6)
• deny (IPv6)
• permit (MAC)
• deny (MAC)
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
3.13 absolute
Use the absolute Time-range Configuration mode command to specify an
absolute time when a time range is in effect. Use the no form of this command to
remove the time limitation.
Syntax
absolute start hh:mm day month year
no absolute start
absolute end hh:mm day month year
no absolute end
Parameters
• start—Absolute time and date at which the permit or deny statement of the associated function goes into effect. If no start time and date are specified, the function is in effect immediately.
• end—Absolute time and date at which the permit or deny statement of the associated function is no longer in effect. If no end time and date are specified, the function is in effect indefinitely.
• hh:mm—Time in hours (military format) and minutes. (Range: hh: 0–23, mm: 0–59)
• day—Day (by date) in the month. (Range: 1–31)
• month—Month (first three letters by name). (Range: Jan...Dec)
• year—Year (no abbreviation). (Range: 2000–2097)
Default Configuration
There is no absolute time when the time range is in effect.
Command Mode
Time-range Configuration mode
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005
switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005
3.14 periodic
Use the periodic Time-range Configuration mode command to specify a recurring
(weekly) time range for functions that support the time-range feature. Use the no
form of this command to remove the time limitation.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
no periodic day-of-the-week hh:mm to day-of-the-week hh:mm
periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
no periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
periodic list hh:mm to hh:mm all
no periodic list hh:mm to hh:mm all
Parameters
• day-of-the-week—The starting day that the associated time range is in effect. The second occurrence is the ending day the associated statement is in effect. The second occurrence can be in the following week (see description in the User Guidelines). Possible values are: mon, tue, wed, thu, fri, sat, and sun.
• hh:mm—The first occurrence of this argument is the starting hours:minutes (military format) that the associated time range is in effect. The second occurrence is the ending hours:minutes (military format) the associated statement is in effect. The second occurrence can be on the following day (see description in the User Guidelines). (Range: hh: 0–23, mm: 0–59)
• list day-of-the-week1—Specifies a list of days that the time range is in effect.
Default Configuration
There is no periodic time when the time range is in effect.
Command Mode
Time-range Configuration mode
User Guidelines
The second occurrence of the day can be in the following week; for example, Thursday–Monday means that the time range is effective on Thursday, Friday, Saturday, Sunday, and Monday.
The second occurrence of the time can be on the following day, for example “22:00–2:00”.
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
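Added example for sections 3.12 through 3.14 (not from the guide): Python that evaluates whether a time range built from absolute and periodic statements is active at a given local time, including the unset-clock case, the rule that periodic items count only between the absolute start and end, and the week-wrapping (thu to mon) and day-wrapping (22:00 to 2:00) windows from the User Guidelines. TimeRange, Periodic, periodic_list and http_allowed are hypothetical names.

```python
# Added example, not from the Cisco guide: a model of time-range evaluation
# as described in the time-range, absolute and periodic sections.
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}


def _hhmm(text: str) -> int:
    """'22:00' -> minutes since midnight, enforcing hh 0-23 and mm 0-59."""
    hh, mm = (int(x) for x in text.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError(f"bad time {text}")
    return hh * 60 + mm


def _minute_of_week(day: str, hhmm: str) -> int:
    return DAYS[day] * 1440 + _hhmm(hhmm)


@dataclass
class Periodic:
    """One 'periodic <day> hh:mm to <day> hh:mm' statement."""
    start_day: str
    start: str
    end_day: str
    end: str

    def covers(self, t: datetime) -> bool:
        now = t.weekday() * 1440 + t.hour * 60 + t.minute   # Monday is weekday 0
        a = _minute_of_week(self.start_day, self.start)
        b = _minute_of_week(self.end_day, self.end)
        if a <= b:                      # e.g. mon 12:00 to wed 12:00
            return a <= now < b
        return now >= a or now < b      # end day is in the following week (thu-mon)


def periodic_list(start: str, end: str, days: List[str]) -> List[Periodic]:
    """'periodic list hh:mm to hh:mm day1 [day2 ...] | all' expressed as windows.
    An end time not later than the start (22:00 to 2:00) ends on the following day."""
    names = list(DAYS)
    if days == ["all"]:
        days = names
    windows = []
    for d in days:
        end_day = d if _hhmm(end) > _hhmm(start) else names[(DAYS[d] + 1) % 7]
        windows.append(Periodic(d, start, end_day, end))
    return windows


@dataclass
class TimeRange:
    name: str
    absolute_start: Optional[datetime] = None   # absolute start hh:mm day month year
    absolute_end: Optional[datetime] = None     # absolute end hh:mm day month year
    periodics: List[Periodic] = field(default_factory=list)

    def is_active(self, now: Optional[datetime]) -> bool:
        """now is the switch's local software clock; None means it was never set."""
        if now is None:
            return False   # clock not set by the user or SNTP: the ACEs are not activated
        if self.absolute_start is not None and now < self.absolute_start:
            return False   # periodic items are evaluated only after the absolute start
        if self.absolute_end is not None and now >= self.absolute_end:
            return False   # and not again after the absolute end
        if not self.periodics:
            return True    # absolute-only range: in effect for the whole window
        return any(p.covers(now) for p in self.periodics)


def http_allowed() -> TimeRange:
    """The 'http-allowed' range from the examples above: absolute start 12:00 1 Jan 2005,
    absolute end 12:00 31 Dec 2005, periodic mon 12:00 to wed 12:00."""
    return TimeRange(
        "http-allowed",
        absolute_start=datetime(2005, 1, 1, 12, 0),
        absolute_end=datetime(2005, 12, 31, 12, 0),
        periodics=[Periodic("mon", "12:00", "wed", "12:00")],
    )
```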
3.15 show time-range
Use the show time-range User EXEC mode command to display the time range
configuration.
Syntax
show time-range time-range-name
Parameters
time-range-name—Specifies the name of an existing time range.
Command Mode
User EXEC mode
Example
switchxxxxxx> show time-range
http-allowed
-------------
absolute start 12:00 1 Jan 2005 end 12:00 31 Dec 2005
periodic Monday 12:00 to Wednesday 12:00
3.16 show access-lists
Use the show access-lists Privileged EXEC mode command to display access
control lists (ACLs) configured on the switch.
Syntax
show access-lists [name]
show access-lists time-range-active [name]
Parameters
• name—Specifies the name of the ACL. (Range: 1-160 characters)
• time-range-active—Shows only the Access Control Entries (ACEs) whose time-range is currently active (including those that are not associated with a time-range).
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show access-lists
Standard IP access list 1
Extended IP access list ACL2
permit 234 172.30.19.1 0.0.0.255 any priority 20 time-range weekdays
permit 234 172.30.23.8 0.0.0.255 any priority 40 time-range weekdays
switchxxxxxx# show access-lists time-range-active
Extended IP access list ACL1
permit 234 172.30.40.1 0.0.0.0 any priority 20
permit 234 172.30.8.8 0.0.0.0 any priority 40
Extended IP access list ACL2
permit 234 172.30.19.1 0.0.0.255 any priority 20 time-range weekdays
switchxxxxxx# show access-lists ACL1
Extended IP access list ACL1
permit 234 172.30.40.1 0.0.0.0 any priority 20
permit 234 172.30.8.8 0.0.0.0 any priority 40
3.17 show interfaces access-lists
Use the show interfaces access-lists Privileged EXEC mode command to display
access lists (ACLs) applied on interfaces.
Syntax
show interfaces access-lists [interface-id]
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port, port-channel or VLAN.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show interfaces access-lists te1/0/2
Interface   ACLs
---------   ----------------------
te1/0/2     Ingress: server1
            Egress : ip
3.18 clear access-lists counters
Use the clear access-lists counters Privileged EXEC mode command to clear
access-lists (ACLs) counters.
Syntax
clear access-lists counters [interface-id]
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# clear access-lists counters te1/0/1
3.19 show interfaces access-lists trapped packets
Use the show interfaces access-lists trapped packets Privileged EXEC mode
command to display Access List (ACLs) trapped packets.
Syntax
show interfaces access-lists trapped packets [interface-id | port-channel-number | VLAN]
Parameters
• interface-id—Specifies an interface ID (Ethernet port or port-channel).
• port-channel—Specifies a port-channel.
• VLAN—Specifies a VLAN.
Command Mode
Privileged EXEC mode
User Guidelines
This command shows whether packets were trapped from ACE hits with logging enabled on an interface.
Examples
Example 1:
switchxxxxxx# show interfaces access-lists trapped packets
Ports/LAGs: te1/0/1-te1/0/3, ch1-ch3, ch4
VLANs: VLAN1, VLAN12-VLAN15
Packets were trapped globally due to lack of resources
Example 2:
switchxxxxxx# show interfaces access-lists trapped packets te1/0/1
Packets were trapped on interface te1/0/1
3.20 ip access-list (IP standard)
Use the ip access-list Global Configuration mode command to define an IP
standard list. The no format of the command removes the list.
Syntax
ip access-list access-list-name {deny|permit} {src-addr[/src-len] | any}
no ip access-list access-list-name
Parameters
• access-list-name—The name of the Standard IP access list. The name may contain a maximum of 32 characters.
• deny/permit—Denies/permits access if the conditions are matched.
• src-addr[/src-len] | any—IP prefix defined as an IP address and length, or any. The any value matches all IP addresses. If src-len is not defined, a value of 32 is applied. The value of src-len must be in the interval 1–32.
Default Configuration
No access list is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ip access-list command to configure IP address filtering. Access lists are configured with permit or deny keywords to either permit or deny an IP address based on a matching condition. An implicit deny is applied to any address that does not match an access-list entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a
number from 1 to 32.
Evaluation of an IP address by an access list starts with the first entry of the list
and continues down the list until a match is found. When the IP address match is
found, the permit or deny statement is applied to that address and the remainder
of the list is not evaluated.
Use the no ip access-list command to delete the access list.
In addition to filtering IP traffic on a per-port basis, a basic IP access control list can be used by RIP (Routing Information Protocol) to filter route updates.
Examples
Example 1 - The following example of a standard access list allows only the three
specified networks. Any IP address that does not match the access list statements
will be rejected.
switchxxxxxx(config)# ip access-list 1 permit 192.168.34.0/24
switchxxxxxx(config)# ip access-list 1 permit 10.88.0.0/16
switchxxxxxx(config)# ip access-list 1 permit 10.0.0.0/8
Note: all other access is implicitly denied.
Example 2 - The following example of a standard access list allows access for IP
addresses in the range from 10.29.2.64 to 10.29.2.127. All IP addresses not in this
range will be rejected.
switchxxxxxx(config)# ip access-list apo permit 10.29.2.64/26
Note: all other access is implicitly denied.
Example 3 - To specify a large number of individual addresses more easily, you
can omit the mask length if it is 32. Thus, the following two configuration
commands are identical in effect:
switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3
switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3/32
3.21 ipv6 access-list (IP standard)
The ipv6 access-list Global Configuration mode command defines an IPv6
standard list. The no format of the command removes the list.
Syntax
ipv6 access-list access-list-name {deny|permit} {src-addr[/src-len] | any}
no ipv6 access-list access-list-name
Parameters
• access-list-name—The name of the Standard IPv6 access list. The name may contain a maximum of 32 characters.
• deny—Denies access if the conditions are matched.
• permit—Permits access if the conditions are matched.
• src-addr[/src-len] | any—IPv6 prefix defined as an IPv6 address and length, or any. The any value matches all IPv6 addresses. If src-len is not defined, a value of 128 is applied. The value of src-len must be in the interval 1–128.
Default Configuration
No access list is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 access-list command to configure IPv6 address filtering. Access lists are configured with permit or deny keywords to either permit or deny an IPv6 address based on a matching condition. An implicit deny is applied to any address that does not match an access-list entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a
number from 1 to 128.
Evaluation of an IPv6 address by an access list starts with the first entry of the list
and continues down the list until a match is found. When the IPv6 address match is
found, the permit or deny statement is applied to that address and the remainder
of the list is not evaluated.
Use the no ipv6 access-list command to delete the access list.
The IPv6 standard access list is used to filter received and sent IPv6 routing
information.
Example
The following example of an access list allows only the one specified prefix: Any
IPv6 address that does not match the access list statements will be rejected.
switchxxxxxx(config)# ipv6 access-list 1 permit 3001::2/64
Note: all other access is implicitly denied.
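Added example covering sections 3.20 and 3.21 (not from the guide): a Python model of standard IP and IPv6 access-list evaluation with the default prefix lengths (32 and 128), the 1–32 and 1–128 src-len checks, first-match evaluation and the implicit deny, built from the page's own example lists. StandardAcl, parse_prefix and example_acls are hypothetical names; the standard library ipaddress module does the prefix arithmetic.

```python
# Added example, not from the Cisco guide: standard ip/ipv6 access-list
# semantics (prefix entries, first match wins, implicit deny at the end).
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_prefix(text: str, version: int) -> Union[Network, str]:
    """Parse 'src-addr[/src-len]' or 'any' for the given IP version."""
    if text == "any":
        return "any"
    max_len = 32 if version == 4 else 128
    if "/" in text:
        addr, length = text.split("/", 1)
        src_len = int(length)
    else:
        addr, src_len = text, max_len      # omitted mask length means a host entry
    if not 1 <= src_len <= max_len:
        raise ValueError(f"src-len {src_len} must be in the interval 1-{max_len}")
    ip = ipaddress.ip_address(addr)
    if ip.version != version:
        raise ValueError(f"{addr} is not an IPv{version} address")
    # strict=False so that '3001::2/64' is accepted and treated as the /64 it lies in
    return ipaddress.ip_network(f"{addr}/{src_len}", strict=False)


class StandardAcl:
    def __init__(self, name: str, version: int = 4):
        if not 1 <= len(name) <= 32:
            raise ValueError("access-list name may contain a maximum of 32 characters")
        self.name = name
        self.version = version
        self.entries: List[Tuple[str, Union[Network, str]]] = []

    def add(self, action: str, prefix: str) -> None:
        """Equivalent of 'ip access-list NAME {deny|permit} PREFIX'."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.entries.append((action, parse_prefix(prefix, self.version)))

    def evaluate(self, address: str) -> str:
        """First matching entry decides; the remainder of the list is not evaluated."""
        ip = ipaddress.ip_address(address)
        if ip.version != self.version:
            raise ValueError(f"{address} is not an IPv{self.version} address")
        for action, net in self.entries:
            if net == "any" or ip in net:
                return action
        return "deny"   # implicit deny at the end of every standard access list


def example_acls() -> Tuple[StandardAcl, StandardAcl, StandardAcl]:
    """Builds the lists from the page's examples: '1' (three networks),
    'apo' (10.29.2.64/26) and the IPv6 list '1' (3001::2/64)."""
    acl1 = StandardAcl("1")
    acl1.add("permit", "192.168.34.0/24")
    acl1.add("permit", "10.88.0.0/16")
    acl1.add("permit", "10.0.0.0/8")
    apo = StandardAcl("apo")
    apo.add("permit", "10.29.2.64/26")
    v6 = StandardAcl("1", version=6)
    v6.add("permit", "3001::2/64")
    return acl1, apo, v6
```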
4 Address Table Commands
4.1 bridge multicast filtering
To enable the filtering of Multicast addresses, use the bridge multicast filtering
Global Configuration mode command. To disable Multicast address filtering, use
the no form of this command.
Syntax
bridge multicast filtering
no bridge multicast filtering
Parameters
This command has no arguments or keywords.
Default Configuration
Multicast address filtering is disabled. All Multicast addresses are flooded to all
ports.
Command Mode
Global Configuration mode
User Guidelines
When this feature is enabled, unregistered Multicast traffic (as opposed to
registered) will still be flooded.
All registered Multicast addresses will be forwarded to the Multicast groups.
There are two ways to manage Multicast groups, one is the IGMP Snooping
feature, and the other is the bridge multicast forward-all command.
Example
The following example enables bridge Multicast filtering.
switchxxxxxx(config)# bridge multicast filtering
4.2 bridge multicast mode
To configure the Multicast bridging mode, use the bridge multicast mode Interface
(VLAN) Configuration mode command. To return to the default configuration, use
the no form of this command.
Syntax
bridge multicast mode {mac-group | ipv4-group | ipv4-src-group}
no bridge multicast mode
Parameters
• mac-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC address.
• ipv4-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC address for non-IPv4 packets, and on the packet's VLAN and IPv4 destination address for IPv4 packets.
• ipv4-src-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC address for non-IPv4 packets, and on the packet's VLAN, IPv4 destination address and IPv4 source address for IPv4 packets.
Default Configuration
The default mode is mac-group.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the mac-group option when using a network management system that uses a MIB based on the Multicast MAC address. Otherwise, it is recommended to use the ipv4 mode, because there is no overlapping of IPv4 Multicast addresses in these modes.
For each Forwarding Data Base (FDB) mode, use different CLI commands to
configure static entries in the FDB, as described in the following table:
FDB Mode         CLI Commands
mac-group        bridge multicast address
                 bridge multicast forbidden address
ipv4-group       bridge multicast ip-address
                 bridge multicast forbidden ip-address
ipv4-src-group   bridge multicast source group
                 bridge multicast forbidden source group
The following table describes the actual data that is written to the Forwarding
Data Base (FDB) as a function of the IGMP version that is used in the network:
FDB mode         IGMP version 2       IGMP version 3
mac-group        MAC group address    MAC group address
ipv4-group       IP group address     IP group address
ipv4-src-group   (*)                  IP source and group addresses
(*) Note that (*,G) cannot be written to the FDB if the mode is ipv4-src-group. In that case, no new FDB entry is created, but the port is added to the static (S,G) entries (if they exist) that belong to the requested group. It is recommended to set the FDB mode to ipv4-group or mac-group for IGMP version 2.
If an application on the device requests (*,G), the operating FDB mode is changed to ipv4-group.
Example
The following example configures the Multicast bridging mode as mac-group on VLAN 2.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast mode mac-group
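Added example (not from the guide): Python showing why mac-group mode cannot tell some IPv4 groups apart, using the standard IPv4-to-multicast-MAC mapping (01:00:5e plus the low 23 bits of the group address, RFC 1112), under which 32 IPv4 groups share one MAC, and what the FDB lookup is keyed on in each mode per the parameter descriptions above. group_to_mac, colliding_groups and fdb_key are hypothetical names; the RFC 1112 mapping is a standard fact that the page itself does not spell out.

```python
# Added example, not from the Cisco guide: IPv4 group to multicast MAC mapping
# and the FDB key used by each bridge multicast mode described above.
import ipaddress
from typing import List, Optional, Tuple

MCAST_MAC_BASE = 0x01005E000000  # 01:00:5e:00:00:00


def group_to_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 group."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = MCAST_MAC_BASE | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> List[str]:
    """The 32 IPv4 groups (224/4, same low 23 bits) that share one multicast MAC."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    base = int(ipaddress.IPv4Address("224.0.0.0"))
    return [str(ipaddress.IPv4Address(base | (hi << 23) | low23)) for hi in range(32)]


def fdb_key(mode: str, vlan: int, group: str,
            source: Optional[str] = None) -> Optional[Tuple]:
    """What an IPv4 packet's FDB lookup is keyed on in each bridge multicast mode,
    following the parameter descriptions above. In ipv4-src-group mode a (*,G)
    request (no source) creates no new entry, modelled here as None."""
    if mode == "mac-group":
        return (vlan, group_to_mac(group))
    if mode == "ipv4-group":
        return (vlan, group)
    if mode == "ipv4-src-group":
        return None if source is None else (vlan, group, source)
    raise ValueError(f"unknown bridge multicast mode {mode}")
```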
4.3 bridge multicast address
To register a MAC-layer Multicast address in the bridge table and statically add or
remove ports to or from the group, use the bridge multicast address Interface
(VLAN) Configuration mode command. To unregister the MAC address, use the no
form of this command.
Syntax
bridge multicast address {mac-multicast-address | ipv4-multicast-address} [[add | remove] {ethernet interface-list | port-channel port-channel-list}]
no bridge multicast address mac-multicast-address
Parameters
• mac-multicast-address | ipv4-multicast-address—Specifies the group Multicast address.
• add—(Optional) Adds ports to the group.
• remove—(Optional) Removes ports from the group.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.
Default Configuration
No Multicast addresses are defined.
If ethernet interface-list or port-channel port-channel-list is specified without
specifying add or remove, the default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or
port channels, specify the mac-multicast-address parameter only.
Static Multicast addresses can be defined on static VLANs only.
You can execute the command before the VLAN is created.
Examples
Example 1 - The following example registers the MAC address to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast address 01:00:5e:02:02:03
Example 2 - The following example registers the MAC address and adds ports statically.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast address 01:00:5e:02:02:03 add te1/0/1-2
4.4 bridge multicast forbidden address
To forbid adding or removing a specific Multicast address to or from specific ports, use the bridge multicast forbidden address Interface (VLAN) Configuration mode command. To restore the default configuration, use the no form of this command.
Syntax
bridge multicast forbidden address {mac-multicast-address |
ipv4-multicast-address} {add | remove} {ethernet interface-list | port-channel
port-channel-list}
no bridge multicast forbidden address mac-multicast-address
Parameters
• mac-multicast-address | ipv4-multicast-address—Specifies the group Multicast address.
• add—Forbids adding ports to the group.
• remove—Forbids removing ports from the group.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No forbidden addresses are defined.
Default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered, using
bridge multicast address.
You can execute the command before the VLAN is created.
Example
The following example forbids MAC address 0100.5e02.0203 on port te1/0/4
within VLAN 8.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast address 0100.5e02.0203
switchxxxxxx(config-if)# bridge multicast forbidden address 0100.5e02.0203 add te1/0/4
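Added example (not from the guide) for the interface-list syntax shared by the bridge multicast commands (a comma with no spaces between nonconsecutive ports, a hyphen for a range) and for the forbidden add/remove entries as described in sections 4.3 and 4.4. parse_interface_list and StaticGroup are hypothetical names, and the forbidden handling is a literal model of the description above, not verified switch behaviour.

```python
# Added example, not from the Cisco guide: parses "te1/0/1-2,te1/0/4" style
# interface lists and models static group membership with forbidden entries.
import re
from typing import Dict, List, Set

# Hypothetical pattern for the port names used on this page, e.g. te1/0/1.
_PORT = re.compile(r"^([a-z]+\d+/\d+/)(\d+)(?:-(\d+))?$")


def parse_interface_list(text: str) -> List[str]:
    """'te1/0/1-2,te1/0/4' -> ['te1/0/1', 'te1/0/2', 'te1/0/4']."""
    if " " in text:
        raise ValueError("separate nonconsecutive ports with a comma and no spaces")
    ports: List[str] = []
    for item in text.split(","):
        m = _PORT.match(item)
        if not m:
            raise ValueError(f"bad interface: {item}")
        prefix, first = m.group(1), int(m.group(2))
        last = int(m.group(3)) if m.group(3) else first
        if last < first:
            raise ValueError(f"bad range: {item}")
        ports.extend(f"{prefix}{n}" for n in range(first, last + 1))
    return ports


class StaticGroup:
    """A multicast address registered on a VLAN (bridge multicast address), with
    its static ports and the ports marked by bridge multicast forbidden address."""

    def __init__(self, vlan: int, address: str):
        self.vlan, self.address = vlan, address
        self.members: Set[str] = set()
        self.forbidden: Dict[str, Set[str]] = {"add": set(), "remove": set()}

    def forbid(self, action: str, interface_list: str) -> None:
        """bridge multicast forbidden address <addr> {add | remove} ethernet <list>"""
        if action not in self.forbidden:
            raise ValueError("action must be add or remove")
        self.forbidden[action].update(parse_interface_list(interface_list))

    def update(self, action: str, interface_list: str) -> List[str]:
        """bridge multicast address <addr> {add | remove} ethernet <list>.
        Returns the ports left unchanged because a forbidden entry blocked them."""
        if action not in self.forbidden:
            raise ValueError("action must be add or remove")
        blocked: List[str] = []
        for port in parse_interface_list(interface_list):
            if port in self.forbidden[action]:
                blocked.append(port)
            elif action == "add":
                self.members.add(port)
            else:
                self.members.discard(port)
        return blocked
```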
4.5 bridge multicast ip-address
To register IP-layer Multicast addresses to the bridge table, and statically add or remove ports to or from the group, use the bridge multicast ip-address Interface (VLAN) Configuration mode command. To unregister the IP address, use the no form of this command.
Syntax
bridge multicast ip-address ip-multicast-address [[add | remove] {interface-list | port-channel port-channel-list}]
no bridge multicast ip-address ip-multicast-address
Parameters
• ip-multicast-address—Specifies the group IP Multicast address.
• add—(Optional) Adds ports to the group.
• remove—(Optional) Removes ports from the group.
• interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No Multicast addresses are defined.
Default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or
port channels, specify the ip-multicast-address parameter only.
Static Multicast addresses can be defined on static VLANs only.
You can execute the command before the VLAN is created.
Example
The following example registers the specified IP address to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2
The following example registers the IP address and adds ports statically.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2 add te1/0/4
4.6 bridge multicast forbidden ip-address
To forbid adding or removing a specific IP Multicast address to or from specific
ports, use the bridge multicast forbidden ip-address Interface (VLAN)
Configuration mode command. To restore the default configuration, use the no
form of this command.
Syntax
bridge multicast forbidden ip-address {ip-multicast-address} {add | remove} {ethernet interface-list | port-channel port-channel-list}
no bridge multicast forbidden ip-address ip-multicast-address
Parameters
• ip-multicast-address—Specifies the group IP Multicast address.
• add—(Optional) Forbids adding ports to the group.
• remove—(Optional) Forbids removing ports from the group.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers IP address 239.2.2.2, and forbids the IP address
on port te1/0/4 within VLAN 8.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ip-address 239.2.2.2
switchxxxxxx(config-if)# bridge multicast forbidden ip-address 239.2.2.2 add te1/0/4
4.7 bridge multicast source group
To register a source IP address - Multicast IP address pair to the bridge table, and
statically add or remove ports to or from the source-group, use the bridge
multicast source group Interface (VLAN) Configuration mode command. To
unregister the source-group-pair, use the no form of this command.
Syntax
bridge multicast source ip-address group ip-multicast-address [[add | remove] {ethernet interface-list | port-channel port-channel-list}]
no bridge multicast source ip-address group ip-multicast-address
Parameters
• ip-address—Specifies the source IP address.
• ip-multicast-address—Specifies the group IP Multicast address.
• add—(Optional) Adds ports to the group for the specific source IP address.
• remove—(Optional) Removes ports from the group for the specific source IP address.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port-channels with a comma and no spaces; use a hyphen to designate a range of port channels.
Default Configuration
No Multicast addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
You can execute the command before the VLAN is created.
Example
The following example registers a source IP address - Multicast IP address pair to
the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast source 13.16.1.1 group 239.2.2.2
4.8 bridge multicast forbidden source group
To forbid adding or removing a specific IP source address - Multicast address pair to or from specific ports, use the bridge multicast forbidden source group Interface (VLAN) Configuration mode command. To return to the default configuration, use the no form of this command.
Syntax
bridge multicast forbidden source ip-address group ip-multicast-address {add |
remove} {ethernet interface-list | port-channel port-channel-list}
no bridge multicast forbidden source ip-address group ip-multicast-address
Parameters
• ip-address—Specifies the source IP address.
• ip-multicast-address—Specifies the group IP Multicast address.
• add—Forbids adding ports to the group for the specific source IP address.
• remove—Forbids removing ports from the group for the specific source IP address.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers a source IP address - Multicast IP address pair to the bridge table, and forbids adding the pair to port te1/0/4 on VLAN 8:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast source 13.16.1.1 group 239.2.2.2
switchxxxxxx(config-if)# bridge multicast forbidden source 13.16.1.1 group 239.2.2.2 add te1/0/4
4.9 bridge multicast ipv6 mode
To configure the Multicast bridging mode for IPv6 Multicast packets, use the
bridge multicast ipv6 mode Interface (VLAN) Configuration mode command. To
return to the default configuration, use the no form of this command.
Syntax
bridge multicast ipv6 mode {mac-group | ip-group | ip-src-group}
no bridge multicast ipv6 mode
Parameters
• mac-group—Specifies that Multicast bridging is based on the packet's VLAN and MAC destination address.
• ip-group—Specifies that Multicast bridging is based on the packet's VLAN and IPv6 destination address for IPv6 packets.
• ip-src-group—Specifies that Multicast bridging is based on the packet's VLAN, IPv6 destination address and IPv6 source address for IPv6 packets.
Default Configuration
The default mode is mac-group.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the mac-group mode when using a network management system that uses a
MIB based on the Multicast MAC address.
For each Forwarding Data Base (FDB) mode, use different CLI commands to configure static entries for IPv6 Multicast addresses in the FDB, as described in the following table:

FDB Mode         CLI Commands
---------------  --------------------------------------------
mac-group        bridge multicast address
                 bridge multicast forbidden address
ipv6-group       bridge multicast ipv6 ip-address
                 bridge multicast ipv6 forbidden ip-address
ipv6-src-group   bridge multicast ipv6 source group
                 bridge multicast ipv6 forbidden source group

The following table describes the actual data that is written to the Forwarding Data Base (FDB) as a function of the MLD version that is used in the network:

FDB mode         MLD version 1        MLD version 2
---------------  -------------------  -------------------------------
mac-group        MAC group address    MAC group address
ipv6-group       IPv6 group address   IPv6 group address
ipv6-src-group   (*)                  IPv6 source and group addresses
(*) In ip-src-group mode a match is performed on 4 bytes of the multicast address and 4 bytes of the source address. In the group address, the last 4 bytes of the address are checked for a match. In the source address, the last 3 bytes and the 5th-from-last byte of the interface ID are examined.
(*) Note that (*,G) cannot be written to the FDB if the mode is ip-src-group. In that case, no new FDB entry is created, but the port is added to the (S,G) entries (if they exist) that belong to the requested group.
If an application on the device requests (*,G), the operating FDB mode is changed to ip-group.
You can execute the command before the VLAN is created.
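The partial-address comparison described in the note above means that in ip-src-group mode the FDB does not see the whole source address: only 4 bytes of the group and 4 bytes of the source interface ID take part in the match, so a static (S,G) port list or forbidden entry keyed on one source also matches any other source whose selected bytes coincide. The following Python script is an added example, not code from this guide or from Cisco; it models that comparison and constructs a second (S,G) pair that the lookup cannot tell apart from the one in the bridge multicast ipv6 source group example. It assumes the guide's "5th from last byte" is byte index -5 of the packed 16-byte address; the page gives no further detail on the hardware key.

```python
# Added example (not code from the Cisco guide): model the partial-address
# comparison the guide describes for ip-src-group mode and show that two
# distinct (S,G) pairs can land on the same FDB lookup key.
#
# Assumption, labelled: the guide says the last 4 bytes of the group address
# and, from the source address, the last 3 bytes plus the 5th-from-last byte
# of the interface ID are compared. This code reads "5th from last" as byte
# index -5 of the packed 16-byte address; the page gives no more detail.
import ipaddress


def fdb_key(source, group):
    """Return the 8 bytes an ip-src-group lookup compares, per the guide's note."""
    grp = ipaddress.IPv6Address(group)
    if not grp.is_multicast:
        raise ValueError("group must be an IPv6 multicast address (ff00::/8)")
    s = ipaddress.IPv6Address(source).packed
    g = grp.packed
    # Group: last 4 bytes. Source: byte -5 and bytes -3..-1 of the interface ID.
    return g[-4:] + bytes([s[-5]]) + s[-3:]


def same_fdb_entry(pair_a, pair_b):
    """True when two (source, group) pairs are indistinguishable to the lookup."""
    return fdb_key(*pair_a) == fdb_key(*pair_b)


def aliasing_pair(source, group):
    """Build a different (source, group) pair that hits the same FDB entry.

    Flips one source byte (index -4) and one group byte (index 4) that the
    partial match never looks at, so the key is unchanged but the pair is not.
    """
    s = bytearray(ipaddress.IPv6Address(source).packed)
    g = bytearray(ipaddress.IPv6Address(group).packed)
    s[-4] ^= 0x01
    g[4] ^= 0x01
    return (str(ipaddress.IPv6Address(bytes(s))),
            str(ipaddress.IPv6Address(bytes(g))))


if __name__ == "__main__":
    # The (S,G) pair from the guide's bridge multicast ipv6 source group example.
    configured = ("2001:0:0:0:4:4:4:1", "FF00:0:0:0:4:4:4:1")
    other = aliasing_pair(*configured)
    print("configured pair:", configured, "key:", fdb_key(*configured).hex())
    print("aliasing pair:  ", other, "key:", fdb_key(*other).hex())
    print("same FDB entry:", same_fdb_entry(configured, other))
```

Running the script prints the two pairs and the shared key; the practical consequence is that source-specific static or forbidden entries in ip-src-group mode should be planned with this aliasing in mind, and ip-group mode used where the full source address is not needed.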
Example
The following example configures the Multicast bridging mode as an ip-group on VLAN 2.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast ipv6 mode ip-group
4.10 bridge multicast ipv6 ip-address
To register an IPv6 Multicast address to the bridge table, and statically add or
remove ports to or from the group, use the bridge multicast ipv6 ip-address
Interface (VLAN) Configuration mode command. To unregister the IPv6 address,
use the no form of this command.
Syntax
bridge multicast ipv6 ip-address ipv6-multicast-address [[add | remove] {ethernet
interface-list | port-channel port-channel-list}]
no bridge multicast ipv6 ip-address ipv6-multicast-address
Parameters
• ipv6-multicast-address—Specifies the group IPv6 multicast address.
• add—(Optional) Adds ports to the group.
• remove—(Optional) Removes ports from the group.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No Multicast addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
To register the group in the bridge database without adding or removing ports or
port channels, specify the ipv6-multicast-address parameter only.
Static Multicast addresses can be defined on static VLANs only.
You can execute the command before the VLAN is created.
Examples
Example 1 - The following example registers the IPv6 address to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1
Example 2 - The following example registers the IPv6 address and adds ports statically:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1 add te1/0/1-2
4.11 bridge multicast ipv6 forbidden ip-address
To forbid adding or removing a specific IPv6 Multicast address to or from specific
ports, use the bridge multicast ipv6 forbidden ip-address Interface (VLAN)
Configuration mode command. To restore the default configuration, use the no
form of this command.
Syntax
bridge multicast ipv6 forbidden ip-address ipv6-multicast-address {add | remove} {ethernet interface-list | port-channel port-channel-list}
no bridge multicast ipv6 forbidden ip-address ipv6-multicast-address
Parameters
• ipv6-multicast-address—Specifies the group IPv6 Multicast address.
• add—Forbids adding ports to the group.
• remove—Forbids removing ports from the group.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers an IPv6 Multicast address, and forbids the IPv6 address on port te1/0/4 within VLAN 8.
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 ip-address FF00:0:0:0:4:4:4:1
switchxxxxxx(config-if)# bridge multicast ipv6 forbidden ip-address FF00:0:0:0:4:4:4:1 add te1/0/4
4.12 bridge multicast ipv6 source group
To register a source IPv6 address - Multicast IPv6 address pair to the bridge table, and statically add or remove ports to or from the source-group, use the bridge multicast ipv6 source group Interface (VLAN) Configuration mode command. To unregister the source-group pair, use the no form of this command.
Syntax
bridge multicast ipv6 source ipv6-source-address group ipv6-multicast-address
[[add | remove] {ethernet interface-list | port-channel port-channel-list}]
no bridge multicast ipv6 source ipv6-source-address group ipv6-multicast-address
Parameters
• ipv6-source-address—Specifies the source IPv6 address.
• ipv6-multicast-address—Specifies the group IPv6 Multicast address.
• add—(Optional) Adds ports to the group for the specific source IPv6 address.
• remove—(Optional) Removes ports from the group for the specific source IPv6 address.
• ethernet interface-list—(Optional) Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—(Optional) Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No Multicast addresses are defined.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
Example
The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1
4.13 bridge multicast ipv6 forbidden source group
To forbid adding or removing a specific IPv6 source address - Multicast address
pair to or from specific ports, use the bridge multicast ipv6 forbidden source
group Interface (VLAN) Configuration mode command. To return to the default
configuration, use the no form of this command.
Syntax
bridge multicast ipv6 forbidden source ipv6-source-address group
ipv6-multicast-address {add | remove} {ethernet interface-list | port-channel
port-channel-list}
no bridge multicast ipv6 forbidden source ipv6-source-address group ipv6-multicast-address
Parameters
• ipv6-source-address—Specifies the source IPv6 address.
• ipv6-multicast-address—Specifies the group IPv6 Multicast address.
• add—Forbids adding ports to the group for the specific source IPv6 address.
• remove—Forbids removing ports from the group for the specific source IPv6 address.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
No forbidden addresses are defined.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Before defining forbidden ports, the Multicast group should be registered.
You can execute the command before the VLAN is created.
Example
The following example registers a source IPv6 address - Multicast IPv6 address pair to the bridge table, and forbids adding the pair to te1/0/4 on VLAN 8:
switchxxxxxx(config)# interface vlan 8
switchxxxxxx(config-if)# bridge multicast ipv6 source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1
switchxxxxxx(config-if)# bridge multicast ipv6 forbidden source 2001:0:0:0:4:4:4:1 group FF00:0:0:0:4:4:4:1 add te1/0/4
4.14 bridge multicast unregistered
To configure forwarding unregistered Multicast addresses, use the bridge
multicast unregistered Interface (Ethernet, Port Channel) Configuration mode
command. To restore the default configuration, use the no form of this command.
Syntax
bridge multicast unregistered {forwarding | filtering}
no bridge multicast unregistered
Parameters
• forwarding—Forwards unregistered Multicast packets.
• filtering—Filters unregistered Multicast packets.
Default Configuration
Unregistered Multicast addresses are forwarded.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Do not enable unregistered Multicast filtering on ports that are connected to routers, because the 224.0.0.x address range must not be filtered, and routers do not necessarily send IGMP reports for the 224.0.0.x range.
You can execute the command before the VLAN is created.
Example
The following example specifies that unregistered Multicast packets are filtered on te1/0/1:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# bridge multicast unregistered filtering
4.15 bridge multicast forward-all
To enable forwarding all multicast packets for a range of ports or port channels,
use the bridge multicast forward-all Interface (VLAN) Configuration mode
command. To restore the default configuration, use the no form of this command.
Syntax
bridge multicast forward-all {add | remove} {ethernet interface-list | port-channel
port-channel-list}
no bridge multicast forward-all
Parameters
• add—Forces forwarding of all Multicast packets.
• remove—Does not force forwarding of all Multicast packets.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
Forwarding of all Multicast packets is disabled.
Command Mode
Interface (VLAN) Configuration mode
Example
The following example enables all Multicast packets on port te1/0/4 to be forwarded.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast forward-all add te1/0/4
4.16 bridge multicast forbidden forward-all
To forbid a port to dynamically join Multicast groups, use the bridge multicast
forbidden forward-all Interface (VLAN) Configuration mode command. To restore
the default configuration, use the no form of this command.
Syntax
bridge multicast forbidden forward-all {add | remove} {ethernet interface-list |
port-channel port-channel-list}
no bridge multicast forbidden forward-all
Parameters
• add—Forbids forwarding of all Multicast packets.
• remove—Does not forbid forwarding of all Multicast packets.
• ethernet interface-list—Specifies a list of Ethernet ports. Separate nonconsecutive Ethernet ports with a comma and no spaces. Use a hyphen to designate a range of ports.
• port-channel port-channel-list—Specifies a list of port channels. Separate nonconsecutive port channels with a comma and no spaces. Use a hyphen to designate a range of port channels.
Default Configuration
Ports are not forbidden to dynamically join Multicast groups.
The default option is add.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to forbid a port to dynamically join (by IGMP, for example) a
Multicast group.
The port can still be a Multicast router port.
Example
The following example forbids forwarding of all Multicast packets to te1/0/1 within VLAN 2.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# bridge multicast forbidden forward-all add ethernet te1/0/1
4.17 bridge unicast unknown
To enable egress filtering of Unicast packets where the destination MAC address
is unknown to the device, use the bridge unicast unknown Interface (Ethernet, Port
Channel) Configuration mode command. To restore the default configuration, use
the no form of this command.
Syntax
bridge unicast unknown {filtering | forwarding}
no bridge unicast unknown
Parameters
• filtering—Filters unknown Unicast packets.
• forwarding—Forwards unknown Unicast packets.
Default Configuration
Forwarding.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode.
Example
The following example drops Unicast packets on te1/0/1 when the destination is unknown.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# bridge unicast unknown filtering
4.18 show bridge unicast unknown
To display the unknown Unicast filtering configuration, use the show bridge unicast
unknown Privileged EXEC mode command.
Syntax
show bridge unicast unknown [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show bridge unicast unknown
Port      Unregistered
--------  ---------------------
te1/0/1   Forward
te1/0/2   Filter
te1/0/3   Filter
4.19 mac address-table static
To add a MAC-layer station source address to the MAC address table, use the mac
address-table static Global Configuration mode command. To delete the MAC
address, use the no form of this command.
Syntax
mac address-table static mac-address vlan vlan-id interface interface-id [permanent | delete-on-reset | delete-on-timeout | secure]
no mac address-table static [mac-address] vlan vlan-id
Parameters
• mac-address—Specifies the MAC address. (Range: valid MAC address)
• vlan-id—Specifies the VLAN.
• interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel. (Range: valid Ethernet port, valid port-channel)
• permanent—(Optional) Adds a permanent static MAC address. This is the default.
• delete-on-reset—(Optional) Adds a delete-on-reset static MAC address.
• delete-on-timeout—(Optional) Adds a delete-on-timeout static MAC address.
• secure—(Optional) Adds a secure MAC address. May be used only in a secure mode.
Default Configuration
No static addresses are defined. The default mode for an added address is
permanent.
Command Mode
Global Configuration mode
User Guidelines
Use the command to add a static MAC address with a given time-to-live in any mode, or to add a secure MAC address in a secure mode.
Each MAC address in the MAC address table is assigned two attributes: type and time-to-live.
The following time-to-live values are supported:
• permanent—The MAC address is kept until it is removed manually.
• delete-on-reset—The MAC address is kept until the next reboot.
• delete-on-timeout—The MAC address may be removed by the aging timer.
The following types are supported:
• static—A MAC address added manually by this command, with one of the following keywords specifying its time-to-live: permanent, delete-on-reset or delete-on-timeout. A static MAC address may be added in any port mode.
• secure—A MAC address added manually or learned in a secure mode. Use the mac address-table static command with the secure keyword to add a secure MAC address. The MAC address cannot be relearned. A secure MAC address may be added only in a secure port mode.
• dynamic—A MAC address learned by the switch in non-secure mode. The value of its time-to-live attribute is delete-on-timeout.
Examples
Example 1 - The following example adds two permanent static MAC addresses:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b1 vlan 1 interface te1/0/1
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 permanent
Example 2 - The following example adds a delete-on-reset static MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 delete-on-reset
Example 3 - The following example adds a delete-on-timeout static MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 delete-on-timeout
Example 4 - The following example adds a secure MAC address:
switchxxxxxx(config)# mac address-table static 00:3f:bd:45:5a:b2 vlan 1 interface te1/0/1 secure
4.20 clear mac address-table
To remove learned or secure entries from the forwarding database (FDB), use the
clear mac address-table Privileged EXEC mode command.
Syntax
clear mac address-table dynamic [interface interface-id]
clear mac address-table secure interface interface-id
Parameters
• dynamic interface interface-id—Deletes all dynamic (learned) addresses on the specified interface. The interface ID can be one of the following types: Ethernet port or port-channel. If no interface ID is supplied, all dynamic addresses are deleted.
• secure interface interface-id—Deletes all the secure addresses learned on the specified interface. A secure address is a MAC address learned on a port on which port security is defined.
Default Configuration
For dynamic addresses, if interface-id is not supplied, all dynamic entries are
deleted.
Command Mode
Privileged EXEC mode
Examples
Example 1 - Delete all dynamic entries from the FDB.
switchxxxxxx# clear mac address-table dynamic
Example 2 - Delete all secure entries from the FDB learned on secure port te1/0/1.
switchxxxxxx# clear mac address-table secure interface te1/0/1
4.21 mac address-table aging-time
To set the aging time of the address table, use the mac address-table aging-time
Global configuration command. To restore the default, use the no form of this
command.
Syntax
mac address-table aging-time seconds
no mac address-table aging-time
Parameters
seconds—Time is number of seconds. (Range:10-630)
Default Configuration
300
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# mac address-table aging-time 600
4.22 port security
To enable port security learning mode on an interface, use the port security
Interface (Ethernet, Port Channel) Configuration mode command. To disable port
security learning mode on an interface, use the no form of this command.
Syntax
port security [forward | discard | discard-shutdown] [trap seconds]
no port security
Parameters
• forward—(Optional) Forwards packets with unlearned source addresses, but does not learn the address.
• discard—(Optional) Discards packets with unlearned source addresses.
• discard-shutdown—(Optional) Discards packets with unlearned source addresses and shuts down the port.
• trap seconds—(Optional) Sends SNMP traps and specifies the minimum time interval in seconds between consecutive traps. (Range: 1–1000000)
Default Configuration
The feature is disabled by default.
The default mode is discard.
The default number of seconds is zero, but if trap is entered, a number of seconds must also be entered.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The command may be used only when the interface is in the regular (non-secure, unlimited MAC learning) mode.
See the mac address-table static command for information about MAC address attributes (type and time-to-live).
When the port security command enables the lock mode on a port, all dynamic addresses learned on the port are changed to permanent secure addresses.
When the port security command enables a mode other than lock on a port, all dynamic addresses learned on the port are deleted.
When the no port security command cancels a secure mode on a port, all secure addresses defined on the port are changed to dynamic addresses.
In addition to setting a mode, use the port security command to set the action that the switch performs on a frame whose source MAC address cannot be learned.
Example
The following example forwards all packets received on port te1/0/4 without learning the addresses of packets from unknown sources, and sends a trap at most every 100 seconds when a packet with an unknown source address is received.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# port security mode lock
switchxxxxxx(config-if)# port security forward trap 100
switchxxxxxx(config-if)# exit
4.23 port security mode
To configure the port security learning mode, use the port security mode Interface
(Ethernet, Port Channel) Configuration mode command. To restore the default
configuration, use the no form of this command.
Syntax
port security mode {max-addresses | lock | secure permanent | secure
delete-on-reset}
no port security mode
Parameters
• max-addresses—Non-secure mode with a limited number of dynamically learned MAC addresses. Static MAC addresses may be added on the port manually by the mac address-table static command.
• lock—Secure mode without MAC learning. Static and secure MAC addresses may be added on the port manually by the mac address-table static command.
• secure permanent—Secure mode with a limited number of learned secure MAC addresses with the permanent time-to-live. Static and secure MAC addresses may be added on the port manually by the mac address-table static command.
• secure delete-on-reset—Secure mode with a limited number of learned secure MAC addresses with the delete-on-reset time-to-live. Static and secure MAC addresses may be added on the port manually by the mac address-table static command.
Default Configuration
The default port security mode is lock.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The default port mode is called regular. In this mode, the port allows unlimited
learning of dynamic addresses.
The static MAC addresses may be added on the port manually by the mac
address-table static command.
The command may be used only when the interface is in the regular (non-secure, unlimited MAC learning) mode.
Use the port security mode command to change the default mode before the port
security command.
Example
The following example sets the port security mode to lock for te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# port security mode lock
switchxxxxxx(config-if)# port security
switchxxxxxx(config-if)# exit
4.24 port security max
To configure the maximum number of addresses that can be learned on the port while the port is in max-addresses or secure mode, use the port security max Interface (Ethernet, Port Channel) Configuration mode command. To restore the default configuration, use the no form of this command.
Syntax
port security max max-addr
no port security max
Parameters
max-addr—Specifies the maximum number of addresses that can be learned on
the port. (Range: 0–256)
Default Configuration
This default maximum number of addresses is 1.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The command may be used only when the interface is in the regular (non-secure, unlimited MAC learning) mode.
Use this command to change the default value before the port security command.
Example
The following example sets the port to limited learning mode:
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# port security mode max-addresses
switchxxxxxx(config-if)# port security max 20
switchxxxxxx(config-if)# port security
switchxxxxxx(config-if)# exit
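The port security, port security mode and port security max commands above only make sense together: the mode and the maximum are set first, and the port security command then fixes the action taken for a frame whose source address cannot be learned and converts the entries already on the port. The Python model below is an added example, not Cisco code and not the switch's implementation; it follows the User Guidelines text for one port so that the interaction of the three commands can be exercised offline. The data structures, the trap rate-limiting and the secure/dynamic conversions are simplifications that the guide does not describe in detail, and aging of delete-on-timeout entries is not modelled.

```python
# Added example (not code from the Cisco guide): a small model of the port
# security behaviour described in the port security, port security mode and
# port security max sections, for one port. It shows how the learning limit,
# the mode and the violation action combine for a frame whose source MAC is
# not yet known, and how entries are converted when port security is enabled
# or disabled.
#
# Assumptions, labelled: the rules below are taken from the User Guidelines
# text; the switch's actual data structures, timers and trap contents are not
# on the page and are simplified. Aging of delete-on-timeout entries is not
# modelled.
from dataclasses import dataclass, field
from typing import Optional

SECURE_MODES = ("lock", "secure permanent", "secure delete-on-reset")
ALL_MODES = ("regular", "max-addresses") + SECURE_MODES
ACTIONS = ("forward", "discard", "discard-shutdown")


@dataclass
class Entry:
    kind: str   # "dynamic", "static" or "secure"
    ttl: str    # "permanent", "delete-on-reset" or "delete-on-timeout"


@dataclass
class SecurePort:
    name: str
    mode: str = "regular"      # 'port security mode'; regular = unlimited learning
    max_addr: int = 1          # 'port security max' (range 0-256, default 1)
    enabled: bool = False      # whether 'port security' has been applied
    action: str = "discard"    # default action per the guide
    trap_interval: int = 0     # 'trap seconds'; 0 means no traps
    shutdown: bool = False
    last_trap: Optional[float] = None
    table: dict = field(default_factory=dict)   # mac -> Entry

    def set_mode(self, mode):
        """'port security mode': allowed only while the port is still regular."""
        if self.enabled:
            raise RuntimeError("set the mode before applying 'port security'")
        if mode not in ALL_MODES:
            raise ValueError(mode)
        self.mode = mode

    def set_max(self, n):
        """'port security max': allowed only while the port is still regular."""
        if self.enabled:
            raise RuntimeError("set the maximum before applying 'port security'")
        if not 0 <= n <= 256:
            raise ValueError("range is 0-256")
        self.max_addr = n

    def enable(self, action="discard", trap_interval=0):
        """'port security [action] [trap seconds]': converts existing entries."""
        if self.enabled:
            raise RuntimeError("port security is already enabled")
        if action not in ACTIONS:
            raise ValueError(action)
        for mac, e in list(self.table.items()):
            if e.kind != "dynamic":
                continue
            if self.mode == "lock":        # lock: dynamic -> permanent secure
                self.table[mac] = Entry("secure", "permanent")
            else:                          # other modes: dynamic entries deleted
                del self.table[mac]
        self.enabled, self.action, self.trap_interval = True, action, trap_interval

    def disable(self):
        """'no port security': secure entries become dynamic again."""
        for mac, e in self.table.items():
            if e.kind == "secure":
                self.table[mac] = Entry("dynamic", "delete-on-timeout")
        self.enabled, self.shutdown = False, False

    def _learnable(self):
        if not self.enabled or self.mode == "regular":
            return True
        if self.mode == "lock":
            return False
        learned = sum(1 for e in self.table.values() if e.kind != "static")
        return learned < self.max_addr

    def receive(self, src_mac, now):
        """Process one ingress frame; return (disposition, trap_sent)."""
        if self.shutdown:
            return "discard", False
        if src_mac in self.table:
            return "forward", False
        if self._learnable():
            if self.enabled and self.mode == "secure permanent":
                self.table[src_mac] = Entry("secure", "permanent")
            elif self.enabled and self.mode == "secure delete-on-reset":
                self.table[src_mac] = Entry("secure", "delete-on-reset")
            else:
                self.table[src_mac] = Entry("dynamic", "delete-on-timeout")
            return "forward", False
        # Source cannot be learned: apply the action; traps are rate-limited.
        trap = False
        if self.trap_interval and (self.last_trap is None
                                   or now - self.last_trap >= self.trap_interval):
            self.last_trap, trap = now, True
        if self.action == "forward":
            return "forward", trap
        if self.action == "discard-shutdown":
            self.shutdown = True
        return "discard", trap
```

Replaying the guide's own example (port security mode lock, then port security forward trap 100) against this model shows the point of the forward action: frames from unknown sources keep flowing and are reported, but nothing new is ever learned on the port. With discard-shutdown, a single unexpected source takes the port out of service, which is the trade-off to weigh on user-facing ports.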
4.25 port security routed secure-address
To add a MAC-layer secure address to a routed port (a port that has an IP address defined on it), use the port security routed secure-address Interface (Ethernet, Port Channel) Configuration mode command. To delete a MAC address from a routed port, use the no form of this command.
Syntax
port security routed secure-address mac-address
no port security routed secure-address mac-address
Parameters
mac-address—Specifies the MAC address.
Default Configuration
No addresses are defined.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode. It cannot be configured for
a range of interfaces (range context).
User Guidelines
This command enables adding secure MAC addresses to a routed port in port
security mode. The command is available when the port is a routed port and in
port security mode. The address is deleted if the port exits the security mode or is
not a routed port.
Example
The following example adds the MAC-layer address 00:66:66:66:66:66 to te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# port security routed secure-address 00:66:66:66:66:66
4.26 show mac address-table
To display entries in the MAC address table, use the show mac address-table
Privileged EXEC mode command.
Syntax
show mac address-table [dynamic | static | secure] [vlan vlan-id] [interface interface-id] [address mac-address]
Parameters
• dynamic—(Optional) Displays only dynamic MAC address table entries.
• static—(Optional) Displays only static MAC address table entries.
• secure—(Optional) Displays only secure MAC address table entries.
• vlan vlan-id—(Optional) Displays entries for a specific VLAN.
• interface interface-id—(Optional) Displays entries for a specific interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• address mac-address—(Optional) Displays entries for a specific MAC address.
Default Configuration
If no parameters are entered, the entire table is displayed.
Command Mode
Privileged EXEC mode
User Guidelines
Internal usage VLANs (VLANs that are automatically allocated on routed ports) are
presented in the VLAN column by a port number and not by a VLAN ID.
Examples
Example 1 - Displays entire address table.
switchxxxxxx# show mac address-table
Aging time is 300 sec
VLAN      MAC Address            Port        Type
--------  ---------------------  ----------  ----------
1         00:00:26:08:13:23      0           self
1         00:3f:bd:45:5a:b1      te1/0/1     static
1         00:a1:b0:69:63:f3      te1/0/2     dynamic
2         00:a1:b0:69:63:f3      te1/0/3     dynamic
te1/0/4   00:a1:b0:69:61:12      te1/0/4     dynamic
Example 2 - Displays address table entries containing the specified MAC address.
switchxxxxxx# show mac address-table address 00:3f:bd:45:5a:b1
Aging time is 300 sec
VLAN      MAC Address            Port        Type
--------  ---------------------  ----------  ----------
1         00:3f:bd:45:5a:b1      te1/0/4     static
4.27 show mac address-table count
To display the number of addresses present in the Forwarding Database, use the
show mac address-table count Privileged EXEC mode command.
Syntax
show mac address-table count [vlan vlan | interface interface-id]
Parameters
• vlan vlan—(Optional) Specifies VLAN.
• interface interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show mac address-table count
This may take some time.
Capacity : 16384
Free     : 16379
Used     : 5
Secure   : 0
Dynamic  : 2
Static   : 2
Internal : 1
console#
4.28 show bridge multicast mode
To display the Multicast bridging mode for all VLANs or for a specific VLAN, use
the show bridge multicast mode Privileged EXEC mode command.
Syntax
show bridge multicast mode [vlan vlan-id]
Parameters
vlan vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
Privileged EXEC mode
Example
The following example displays the Multicast bridging mode for all VLANs.
switchxxxxxx# show bridge multicast mode
VLAN   IPv4 Multicast Mode             IPv6 Multicast Mode
       Admin           Oper            Admin           Oper
-----  --------------  --------------  --------------  --------------
1      MAC-GROUP       MAC-GROUP       MAC-GROUP       MAC-GROUP
11     IPv4-GROUP      IPv4-GROUP      IPv6-GROUP      IPv6-GROUP
12     IPv4-SRC-GROUP  IPv4-SRC-GROUP  IPv6-SRC-GROUP  IPv6-SRC-GROUP
4.29 show bridge multicast address-table
To display Multicast MAC addresses or IP Multicast address table information, use
the show bridge multicast address-table Privileged EXEC mode command.
Syntax
show bridge multicast address-table [vlan vlan-id]
show bridge multicast address-table [vlan vlan-id] [address
mac-multicast-address] [format {ip | mac}]
show bridge multicast address-table [vlan vlan-id] [address
ipv4-multicast-address] [source ipv4-source-address]
show bridge multicast address-table [vlan vlan-id] [address
ipv6-multicast-address] [source ipv6-source-address]
Parameters
• vlan vlan-id—(Optional) Display entries for specified VLAN ID.
• address—(Optional) Display entries for specified Multicast address. The possible values are:
  - mac-multicast-address—(Optional) Specifies the MAC Multicast address.
  - ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address.
  - ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address.
• format—(Optional) Applies if mac-multicast-address was selected. In this case either MAC or IP format can be displayed. Display entries for specified Multicast address format. The possible values are:
  - ip—Specifies that the Multicast address is an IP address.
  - mac—Specifies that the Multicast address is a MAC address.
• source—(Optional) Specifies the source address. The possible values are:
  - ipv4-address—(Optional) Specifies the source IPv4 address.
  - ipv6-address—(Optional) Specifies the source IPv6 address.
Default Configuration
If the format is not specified, it defaults to mac (only if mac-multicast-address was
entered).
If VLAN ID is not entered, entries for all VLANs are displayed.
If MAC or IP address is not supplied, entries for all addresses are displayed.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it is within the range
0100.5e00.0000 through 0100.5e7f.ffff.
Multicast router ports (defined statically or discovered dynamically) are members
in all MAC groups.
Ports that were defined via the bridge multicast forbidden forward-all command
are displayed in all forbidden MAC entries.
Changing the Multicast mode can move static Multicast addresses that are written
in the device FDB to a shadow configuration because of FDB hash collisions.
Example
The following example displays bridge Multicast address information.
switchxxxxxx# show bridge multicast address-table
Multicast address table for VLANs in MAC-GROUP bridging mode:
Vlan  MAC Address        Type      Ports
----  -----------------  --------  -----
8     01:00:5e:02:02:03  Static    1-2
Forbidden ports for Multicast addresses:
Vlan  MAC Address        Ports
----  -----------------  -----
8     01:00:5e:02:02:03  te1/0/4
Multicast address table for VLANs in IPv4-GROUP bridging mode:
Vlan  MAC Address        Type      Ports
----  -----------------  --------  -------
1     224.0.0.251        Dynamic   te1/0/2
Forbidden ports for Multicast addresses:
Vlan  MAC Address        Ports
----  -----------------  -----
1     232.5.6.5
1     233.22.2.6
Multicast address table for VLANs in IPv4-SRC-GROUP bridging mode:
Vlan  Group Address    Source address   Type      Ports
----  ---------------  ---------------  --------  -------
1     224.2.2.251      11.2.2.3         Dynamic   te1/0/1
Forbidden ports for Multicast addresses:
Vlan  Group Address    Source Address   Ports
----  ---------------  ---------------  -------
8     239.2.2.2        *                te1/0/4
8     239.2.2.2        1.1.1.11         te1/0/4
Multicast address table for VLANs in IPv6-GROUP bridging mode:
VLAN  IP/MAC Address     Type       Ports
----  -----------------  ---------  --------------------
8     ff02::4:4:4        Static     te1/0/1-2, te1/0/3, Po1
Forbidden ports for Multicast addresses:
VLAN  IP/MAC Address     Ports
----  -----------------  ----------
8     ff02::4:4:4        te1/0/4
Multicast address table for VLANs in IPv6-SRC-GROUP bridging mode:
Vlan  Group Address    Source address          Type      Ports
----  ---------------  ----------------------  --------  -----------------
8     ff02::4:4:4      *                       Static
8     ff02::4:4:4      fe80::200:7ff:fe00:200  Static    te1/0/1-2,te1/0/3,Po1
Forbidden ports for Multicast addresses:
Vlan  Group Address    Source address          Ports
----  ---------------  ----------------------  ----------
8     ff02::4:4:4      *                       te1/0/4
8     ff02::4:4:4      fe80::200:7ff:fe00:200  te1/0/4
4.30 show bridge multicast address-table static
To display the statically-configured Multicast addresses, use the show bridge
multicast address-table static Privileged EXEC mode command.
Syntax
show bridge multicast address-table static [vlan vlan-id] [all]
show bridge multicast address-table static [vlan vlan-id] [address
mac-multicast-address] [mac| ip]
show bridge multicast address-table static [vlan vlan-id] [address
ipv4-multicast-address] [source ipv4-source-address]
show bridge multicast address-table static [vlan vlan-id] [address
ipv6-multicast-address] [source ipv6-source-address]
Parameters
• vlan vlan-id—(Optional) Specifies the VLAN ID.
• address—(Optional) Specifies the Multicast address. The possible values are:
  - mac-multicast-address—(Optional) Specifies the MAC Multicast address.
  - ipv4-multicast-address—(Optional) Specifies the IPv4 Multicast address.
  - ipv6-multicast-address—(Optional) Specifies the IPv6 Multicast address.
• source—(Optional) Specifies the source address. The possible values are:
  - ipv4-address—(Optional) Specifies the source IPv4 address.
  - ipv6-address—(Optional) Specifies the source IPv6 address.
Default Configuration
When all/mac/ip is not specified, all entries (MAC and IP) will be displayed.
Command Mode
Privileged EXEC mode
User Guidelines
A MAC address can be displayed in IP format only if it is within the range 0100.5e00.0000 through 0100.5e7f.ffff.
Example
The following example displays the statically-configured Multicast addresses.
switchxxxxxx# show bridge multicast address-table static
MAC-GROUP table
Vlan  MAC Address     Ports
----  --------------  --------
1     0100.9923.8787  te1/0/1, te1/0/2
Forbidden ports for multicast addresses:
Vlan  MAC Address     Ports
----  --------------  --------
IPv4-GROUP Table
Vlan  IP Address  Ports
----  ----------  --------
1     231.2.2.3   te1/0/1, te1/0/2
19    231.2.2.8   te1/0/2-3
Forbidden ports for multicast addresses:
Vlan  IP Address  Ports
----  ----------  --------
1     231.2.2.3   te1/0/4
19    231.2.2.8   te1/0/3
IPv4-SRC-GROUP Table:
Vlan  Group Address    Source address   Ports
----  ---------------  ---------------  ------
Forbidden ports for multicast addresses:
Vlan  Group Address    Source address   Ports
----  ---------------  ---------------  ------
IPv6-GROUP Table
Vlan  IP Address        Ports
----  ----------------  ---------
191   FF12::8           te1/0/1-4
Forbidden ports for multicast addresses:
Vlan  IP Address        Ports
----  ----------------  ---------
11    FF12::3           te1/0/4
191   FF12::8           te1/0/4
IPv6-SRC-GROUP Table:
Vlan  Group Address    Source address            Ports
----  ---------------  ------------------------  ------
192   FF12::8          FE80::201:C9A9:FE40:8988  te1/0/1-4
Forbidden ports for multicast addresses:
Vlan  Group Address    Source address            Ports
----  ---------------  ------------------------  ------
192   FF12::3          FE80::201:C9A9:FE40:8988  te1/0/4
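The 0100.5e00.0000 through 0100.5e7f.ffff range in the User Guidelines of 4.29 and 4.30 is the IPv4-to-Ethernet multicast mapping, which keeps only the low 23 bits of a group address. The following Python is an added example, not Cisco code, that computes the mapping and lists the 32 groups that share one MAC, which is why MAC-GROUP bridging mode cannot tell those groups apart while IPv4-GROUP mode can.

```python
import ipaddress

# Added example (not Cisco code): the IPv4 multicast-to-MAC mapping behind the
# "0100.5e00.0000 through 0100.5e7f.ffff" rule in the User Guidelines.
MCAST_MAC_PREFIX = 0x01005E000000   # 01:00:5e:00:00:00
LOW23_MASK = 0x7FFFFF               # only the low 23 bits of the group survive
IPV4_MCAST_BASE = 0xE0000000        # 224.0.0.0: top nibble 1110


def _mac_to_int(mac: str) -> int:
    """Accept 01:00:5e:02:02:03, 01-00-5e-02-02-03 or 0100.5e02.0203."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be six octets")
    return int.from_bytes(raw, "big")


def group_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet destination MAC (RFC 1112)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac_int = MCAST_MAC_PREFIX | (int(addr) & LOW23_MASK)
    return ":".join(f"{b:02x}" for b in mac_int.to_bytes(6, "big"))


def mac_is_ipv4_multicast(mac: str) -> bool:
    """True only inside 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff, the range the
    guide says can be shown in IP format."""
    val = _mac_to_int(mac)
    return MCAST_MAC_PREFIX <= val <= (MCAST_MAC_PREFIX | LOW23_MASK)


def mac_to_groups(mac: str) -> list:
    """All 32 IPv4 groups that collapse onto one MAC: 5 of the 28 group-id bits
    are dropped by the mapping, so 224.x.y.z, 225.x.y.z, ... 239.x.y.z (and the
    same with x+128) all share it. Returned in ascending order."""
    if not mac_is_ipv4_multicast(mac):
        raise ValueError("MAC is outside the IPv4 multicast mapping range")
    low23 = _mac_to_int(mac) & LOW23_MASK
    return [str(ipaddress.IPv4Address(IPV4_MCAST_BASE | (high5 << 23) | low23))
            for high5 in range(32)]


def collide_in_mac_group_mode(group_a: str, group_b: str) -> bool:
    """In MAC-GROUP bridging mode the FDB entry is keyed on the MAC, so two
    groups with the same mapped MAC are forwarded to each other's member ports.
    IPv4-GROUP mode keys on the full IP group and keeps them apart."""
    return group_to_mac(group_a) == group_to_mac(group_b)


if __name__ == "__main__":
    # The guide's sample entries: 01:00:5e:02:02:03 (MAC-GROUP) and 224.0.0.251.
    print(group_to_mac("224.0.0.251"))
    print(mac_to_groups("01:00:5e:02:02:03")[:4])
    print(collide_in_mac_group_mode("224.2.2.3", "239.2.2.3"))
```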
4.31 show bridge multicast filtering
To display the Multicast filtering configuration, use the show bridge multicast
filtering Privileged EXEC mode command.
Syntax
show bridge multicast filtering vlan-id
Parameters
vlan-id—Specifies the VLAN ID. (Range: Valid VLAN)
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays the Multicast configuration for VLAN 1.
switchxxxxxx# show bridge multicast filtering 1
Filtering: Enabled
VLAN: 1
         Forward-All
Port     Static     Status
-----    ---------  ------
te1/0/1  Forbidden  Filter
te1/0/2  Forward    Forward(s)
te1/0/3  -          Forward(d)
4.32 show bridge multicast unregistered
To display the unregistered Multicast filtering configuration, use the show bridge
multicast unregistered Privileged EXEC mode command.
Syntax
show bridge multicast unregistered [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of
the following types: Ethernet port or Port-channel.
Default Configuration
Display for all interfaces.
Command Mode
Privileged EXEC mode
Example
The following example displays the unregistered Multicast configuration.
switchxxxxxx# show bridge multicast unregistered
Port     Unregistered
-------  -------------
te1/0/1  Forward
te1/0/2  Filter
te1/0/3  Filter
4.33 show ports security
To display the port-lock status, use the show ports security Privileged EXEC mode
command.
Syntax
show ports security [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the port-lock status of all ports.
switchxxxxxx# show ports security
Port     Status    Learning       Action   Maximum  Trap      Frequency
-------  --------  -------------  -------  -------  --------  ---------
te1/0/1  Enabled   Max-Addresses  Discard  3        Enabled   100
te1/0/2  Disabled  Max-Addresses  -        28       -         -
te1/0/3  Enabled   Lock           Discard  8        Disabled  -
The following table describes the fields shown above.
Field      Description
Port       The port number.
Status     The port security status. The possible values are: Enabled or Disabled.
Action     The action taken on violation.
Maximum    The maximum number of addresses that can be associated on this port in the Max-Addresses mode.
Trap       The status of SNMP traps. The possible values are: Enable or Disable.
Frequency  The minimum time interval between consecutive traps.
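As an added example (not from the guide), the following Python parses the show mac address-table output of 4.26 and the show ports security output of 4.33 by their column rulers, then runs three checks over the guide's own sample rows: MACs learned behind more than one port, entries whose VLAN column is a port name (the internal VLANs of routed ports), and ports with port security enabled but violation traps disabled. The sample text is constructed to mirror the guide's examples.

```python
import re
from collections import defaultdict

# Added example (not Cisco code). The two samples below are constructed to
# mirror the output formats shown for "show mac address-table" (4.26) and
# "show ports security" (4.33); the values are the guide's sample rows.
MAC_TABLE_OUTPUT = """\
Aging time is 300 sec
VLAN     MAC Address           Port       Type
-------- --------------------- ---------- ----------
1        00:00:26:08:13:23     0          self
1        00:3f:bd:45:5a:b1     te1/0/1    static
1        00:a1:b0:69:63:f3     te1/0/2    dynamic
2        00:a1:b0:69:63:f3     te1/0/3    dynamic
te1/0/4  00:a1:b0:69:61:12     te1/0/4    dynamic
"""

PORTS_SECURITY_OUTPUT = """\
Port     Status    Learning       Action   Maximum  Trap      Frequency
-------  --------  -------------  -------  -------  --------  ---------
te1/0/1  Enabled   Max-Addresses  Discard  3        Enabled   100
te1/0/2  Disabled  Max-Addresses  -        28       -         -
te1/0/3  Enabled   Lock           Discard  8        Disabled  -
"""


def parse_cli_table(text: str) -> list:
    """Parse a Cisco-style table: a header line, a ruler of dash runs, then
    rows. Column starts come from the dash runs, so two-word headers such as
    "MAC Address" stay in one column. Returns one dict per row."""
    lines = text.splitlines()
    ruler = next((i for i, ln in enumerate(lines)
                  if ln.strip() and set(ln.strip()) <= {"-", " "}), None)
    if ruler is None or ruler == 0:
        raise ValueError("no header/ruler pair found")
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))   # last column runs to EOL
    names = [lines[ruler - 1][s:e].strip() for s, e in bounds]
    rows = []
    for ln in lines[ruler + 1:]:
        if ln.strip():
            rows.append({n: ln[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows


def macs_on_multiple_ports(mac_rows: list) -> dict:
    """Learned MACs that appear behind more than one port. A host that moved
    is benign; the same MAC live on several ports at once is the usual sign
    of a spoofed source or a loop. 'self' entries (the switch itself) are
    ignored."""
    ports = defaultdict(set)
    for r in mac_rows:
        if r["Type"] != "self":
            ports[r["MAC Address"]].add(r["Port"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def internal_vlan_entries(mac_rows: list) -> list:
    """Rows whose VLAN column is a port name rather than a number: per the
    guide, internal VLANs auto-allocated to routed ports are shown that way."""
    return [r for r in mac_rows if not r["VLAN"].isdigit()]


def secured_ports_without_traps(sec_rows: list) -> list:
    """Ports with port security Enabled but SNMP violation traps not Enabled:
    a violation is handled (discarded) but nobody is told about it."""
    return [r["Port"] for r in sec_rows
            if r["Status"] == "Enabled" and r["Trap"] != "Enabled"]


if __name__ == "__main__":
    mac_rows = parse_cli_table(MAC_TABLE_OUTPUT)
    sec_rows = parse_cli_table(PORTS_SECURITY_OUTPUT)
    print("multi-port MACs:", macs_on_multiple_ports(mac_rows))
    print("routed-port entries:", [r["Port"] for r in internal_vlan_entries(mac_rows)])
    print("secured ports without traps:", secured_ports_without_traps(sec_rows))
```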
4.34 show ports security addresses
To display the current dynamic addresses in locked ports, use the show ports
security addresses Privileged EXEC mode command.
Syntax
show ports security addresses [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays dynamic addresses on all currently locked ports:
Port     Status    Learning  Current     Maximum
-------  --------  --------  ----------  ----------
te1/0/1  Disabled  Lock      0           10
te1/0/2  Disabled  Lock      0           1
te1/0/3  Disabled  Lock      0           1
te1/0/4  Disabled  Lock      0           1
...
4.35 bridge multicast reserved-address
To define the action on Multicast reserved-address packets, use the bridge
multicast reserved-address Global Configuration mode command. To revert to
default, use the no form of this command.
Syntax
bridge multicast reserved-address mac-multicast-address [ethernet-v2 ethtype |
llc sap | llc-snap pid] {discard | bridge}
no bridge multicast reserved-address mac-multicast-address [ethernet-v2
ethtype | llc sap | llc-snap pid]
Parameters
• mac-multicast-address—MAC Multicast address in the reserved MAC addresses range. (Range: 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-2F)
• ethernet-v2 ethtype—(Optional) Specifies that the packet type is Ethernet v2 and the Ethernet type field (16 bits in hexadecimal format). (Range: 0x0600–0xFFFF)
• llc sap—(Optional) Specifies that the packet type is LLC and the DSAP-SSAP field (16 bits in hexadecimal format). (Range: 0xFFFF)
• llc-snap pid—(Optional) Specifies that the packet type is LLC-SNAP and the PID field (40 bits in hexadecimal format). (Range: 0x0000000000–0xFFFFFFFFFF)
• discard—Specifies discarding the packets.
• bridge—Specifies bridging (forwarding) the packets.
Default Configuration
• If the user-supplied MAC Multicast address, ethertype and encapsulation (LLC) specifies a protocol supported on the device (called Peer), the default action (discard or bridge) is determined by the protocol.
• If not, the default action is as follows:
  - For MAC addresses in the range 01-80-C2-00-00-00, 01-80-C2-00-00-02–01-80-C2-00-00-0F, the default is discard.
  - For MAC addresses in the range 00-80-C2-00-00-10–01-80-C2-00-00-2F, the default is bridge.
Command Mode
Global Configuration mode
User Guidelines
If the packet/service type (ethertype/encapsulation) is not specified, the
configuration is relevant to all the packets with the configured MAC address.
Specific configurations (that contain service type) have precedence over less
specific configurations (contain only MAC address).
The packets that are bridged are subject to security ACLs.
The actions defined by this command have precedence over forwarding rules defined by applications/protocols (STP, LLDP etc.) supported on the device.
Example
switchxxxxxx(config)# bridge multicast reserved-address 00:3f:bd:45:5a:b1
4.36 show bridge multicast reserved-addresses
To display the Multicast reserved-address rules, use the show bridge multicast
reserved-addresses Privileged EXEC mode command.
Syntax
show bridge multicast reserved-addresses
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show bridge multicast reserved-addresses
MAC Address         Frame Type   Protocol        Action
------------------  -----------  --------------  ------------
01-80-C2-00-00-00   LLC-SNAP     00-00-0C-01-29  Bridge
5
Authentication, Authorization and Accounting (AAA) Commands
5.1 aaa authentication login
Use the aaa authentication login Global Configuration mode command to set one
or more authentication methods to be applied during login. Use the no form of this
command to restore the default authentication method.
Syntax
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
Parameters
• default—Uses the authentication methods that follow this argument as the default method list when a user logs in (this list is unnamed).
• list-name—Specifies a name of a list of authentication methods activated when a user logs in. (Length: 1–12 characters)
• method1 [method2...]—Specifies a list of methods that the authentication algorithm tries (in the given sequence). Each additional authentication method is used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line. Select one or more methods from the following list:
Keyword  Description
enable   Uses the enable password for authentication.
line     Uses the line password for authentication.
local    Uses the locally-defined usernames for authentication.
none     Uses no authentication.
radius   Uses the list of all RADIUS servers for authentication.
tacacs   Uses the list of all TACACS+ servers for authentication.
Default Configuration
If no methods are specified, the default is the locally-defined users and passwords. This is the same as entering the command aaa authentication login local.
Command Mode
Global Configuration mode
User Guidelines
Create a list of authentication methods by entering this command with the list-name parameter, where list-name is any character string. The method arguments identify the list of methods that the authentication algorithm tries, in the given sequence.
The default and list names created with this command are used with the login
authentication command.
The no aaa authentication login list-name command deletes a list-name only if it
has not been referenced by another command.
Example
The following example sets the authentication login methods for the console.
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
5.2 aaa authentication enable
The aaa authentication enable Global Configuration mode command sets one or
more authentication methods for accessing higher privilege levels. To restore the
default authentication method, use the no form of this command.
Syntax
aaa authentication enable {default | list-name} method1 [method2...]
no aaa authentication enable {default | list-name}
Parameters
• default—Uses the listed authentication methods that follow this argument as the default method list, when accessing higher privilege levels.
• list-name—Specifies a name for the list of authentication methods activated when a user accesses higher privilege levels. (Length: 1–12 characters)
• method1 [method2...]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:
Keyword  Description
enable   Uses the enable password for authentication.
line     Uses the line password for authentication.
none     Uses no authentication.
radius   Uses the list of all RADIUS servers for authentication.
tacacs   Uses the list of all TACACS+ servers for authentication.
Default Configuration
The enable password command defines the default authentication login method.
This is the same as entering the command aaa authentication enable default
enable.
On a console, the enable password is used if a password exists. If no password is
set, authentication still succeeds. This is the same as entering the command aaa
authentication enable default enable none.
Command Mode
Global Configuration mode
User Guidelines
Create a list by entering the aaa authentication enable list-name method1
[method2...] command where list-name is any character string used to name this
list. The method argument identifies the list of methods that the authentication
algorithm tries, in the given sequence.
The default and list names created by this command are used with the enable
authentication command.
All aaa authentication enable requests sent by the device to a RADIUS server
include the username $enabx$., where x is the requested privilege level.
All aaa authentication enable requests sent by the device to a TACACS+ server
include the username that is entered for login authentication.
The additional methods of authentication are used only if the previous method
returns an error, not if it fails. Specify none as the final method in the command line
to ensure that the authentication succeeds even if all methods return an error.
no aaa authentication enable list-name deletes list-name if it has not been
referenced.
Example
The following example sets the enable password for authentication for accessing
higher privilege levels.
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
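The rule in 5.1 and 5.2 that a later method is consulted only when the previous one returns an error, not when it fails, decides whether a list such as radius local none is fail-safe or fail-open. The following Python is an added model of that evaluation (not Cisco code), applicable to both aaa authentication login and aaa authentication enable lists; the RADIUS and local stand-ins and their users are constructed.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Added example (not Cisco code): a model of how an "aaa authentication login"
# or "aaa authentication enable" method list is walked. The guide's rule: the
# next method is consulted only if the previous one returned an ERROR
# (no server answered), never if it FAILED (credentials rejected).
# Every stand-in method, user and secret below is constructed.


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer


Method = Callable[[str, str], Result]
MethodList = List[Tuple[str, Optional[Method]]]   # ("none", None) ends a list


def evaluate_method_list(methods: MethodList, user: str, pw: str):
    """Walk the list in order. Returns (granted, trace); trace lists each
    method consulted with its result, so you can see where the walk stopped."""
    trace = []
    for name, method in methods:
        if name == "none":                   # 'none' = no authentication
            trace.append(("none", Result.PASS))
            return True, trace
        outcome = method(user, pw)
        trace.append((name, outcome))
        if outcome is Result.PASS:
            return True, trace
        if outcome is Result.FAIL:
            return False, trace              # a rejection ends the walk
        # Result.ERROR: fall through to the next method
    return False, trace                      # everything errored, no 'none'


def fails_open_when_servers_down(spec: str) -> bool:
    """True if the list grants access with any password once every real
    method errors (for example RADIUS unreachable): that is what a trailing
    'none' means, and why the guide says it guarantees success."""
    return "none" in spec.split()


# ---- constructed stand-ins (hypothetical users and secrets) ----------------
LOCAL_USERS: Dict[str, str] = {"admin": "local-secret"}


def local_method(user: str, pw: str) -> Result:
    """The 'local' keyword: check the switch's own username database."""
    return Result.PASS if LOCAL_USERS.get(user) == pw else Result.FAIL


def make_radius(reachable: bool, accepted: Dict[str, str]) -> Method:
    """The 'radius' keyword: an unreachable server is an ERROR, a reject is a
    FAIL. `accepted` is the server's (constructed) user database."""
    def radius(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if accepted.get(user) == pw else Result.FAIL
    return radius


def build_list(spec: str, radius: Method) -> MethodList:
    """Turn a list as typed on the CLI, e.g. 'radius local none', into
    callables. Only radius, local and none are modelled here."""
    table = {"radius": radius, "local": local_method}
    out: MethodList = []
    for keyword in spec.split():
        out.append(("none", None) if keyword == "none" else (keyword, table[keyword]))
    return out


if __name__ == "__main__":
    rad_up = make_radius(True, {"admin": "radius-secret"})
    rad_down = make_radius(False, {})
    for spec, radius, pw in [("radius local none", rad_up, "local-secret"),
                             ("radius local none", rad_down, "local-secret"),
                             ("radius none", rad_down, "anything"),
                             ("radius", rad_down, "anything")]:
        granted, trace = evaluate_method_list(build_list(spec, radius), "admin", pw)
        print(f"{spec!r:22} radius {'up' if radius is rad_up else 'down'}: "
              f"granted={granted} via {[n for n, _ in trace]}")
```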
5.3 login authentication
The login authentication Line Configuration mode command specifies the login
authentication method list for a remote Telnet or console session. Use the no form
of this command to restore the default authentication method.
Syntax
login authentication {default | list-name}
no login authentication
Parameters
• default—Uses the default list created with the aaa authentication login command.
• list-name—Uses the specified list created with the aaa authentication login command.
Default Configuration
default
Command Mode
Line Configuration Mode
Examples
Example 1 - The following example specifies the login authentication method as
the default method for a console session.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication default
Example 2 - The following example sets the authentication login methods for the
console as a list of methods.
switchxxxxxx(config)# aaa authentication login authen-list radius local none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# login authentication authen-list
5.4 enable authentication
The enable authentication Line Configuration mode command specifies the
authentication method for accessing a higher privilege level from a remote Telnet
or console. Use the no form of this command to restore the default authentication
method.
Syntax
enable authentication {default | list-name}
no enable authentication
Parameters
• default—Uses the default list created with the aaa authentication enable command.
• list-name—Uses the specified list created with the aaa authentication enable command.
Default Configuration
default.
Command Mode
Line Configuration Mode
Examples
Example 1 - The following example specifies the authentication method as the
default method when accessing a higher privilege level from a console.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication default
Example 2 - The following example sets a list of authentication methods for
accessing higher privilege levels.
switchxxxxxx(config)# aaa authentication enable enable-list radius none
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# enable authentication enable-list
5.5 ip http authentication
The ip http authentication Global Configuration mode command specifies
authentication methods for HTTP server access. Use the no form of this command
to restore the default authentication method.
Syntax
ip http authentication aaa login-authentication method1 [method2...]
no ip http authentication aaa login-authentication
Parameters
• method1 [method2...]—Specifies a list of methods that the authentication algorithm tries, in the given sequence. The additional authentication methods are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to ensure that the authentication succeeds, even if all methods return an error. Select one or more methods from the following list:
Keyword  Description
local    Uses the local username database for authentication.
none     Uses no authentication.
radius   Uses the list of all RADIUS servers for authentication.
tacacs   Uses the list of all TACACS+ servers for authentication.
Default Configuration
The local user database is the default authentication login method. This is the
same as entering the ip http authentication local command.
Command Mode
Global Configuration mode
User Guidelines
The command is relevant for HTTP and HTTPS server users.
Example
The following example specifies the HTTP access authentication methods.
switchxxxxxx(config)# ip http authentication aaa login-authentication radius
local none
5.6 show authentication methods
The show authentication methods Privileged EXEC mode command displays
information about the authentication methods.
Syntax
show authentication methods
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the authentication configuration:
switchxxxxxx# show authentication methods
Login Authentication Method Lists
---------------------------------
Default: Radius, Local, Line
Console_Login: Line, None
Enable Authentication Method Lists
----------------------------------
Default: Radius, Enable
Console_Enable(with authorization): Enable, None

Line            Login Method List  Enable Method List
--------------  -----------------  ------------------
Console         Console_Login      Console_Enable
Telnet          Default            Default
SSH             Default            Default
HTTP, HHTPS: Radius, local
Dot1x: Radius
5.7 password
Use the password Line Configuration mode command to specify a password on a
line (also known as an access method, such as a console or Telnet). Use the no
form of this command to return to the default password.
Syntax
password password [encrypted]
no password
Parameters
• password—Specifies the password for this line. (Length: 0–159 characters)
• encrypted—Specifies that the password is encrypted and copied from another device configuration.
Default Configuration
No password is defined.
Command Mode
Line Configuration Mode
Example
The following example specifies the password ‘secret’ on a console.
switchxxxxxx(config)# line console
switchxxxxxx(config-line)# password secret
5.8 enable password
Use the enable password Global Configuration mode command to set a local
password to control access to normal and privilege levels. Use the no form of this
command to return to the default password.
Syntax
enable password [level privilege-level] {unencrypted-password | encrypted
encrypted-password}
no enable password [level level]
Parameters
• level privilege-level—Level for which the password applies. If not specified, the level is 15. (Range: 1–15)
• unencrypted-password—Password for this level. (Range: 0–159 chars)
• encrypted encrypted-password—Specifies that the password is encrypted. Use this keyword to enter a password that is already encrypted (for instance one that you copied from the configuration file of another device). (Range: 1–40)
Default Configuration
Default for level is 15.
Passwords are encrypted by default.
Command Mode
Global Configuration mode
User Guidelines
When the administrator configures a new enable password, this password is
encrypted automatically and saved to the configuration file. No matter how the
password was entered, it appears in the configuration file with the keyword
encrypted and the encrypted value.
If the administrator wants to manually copy a password that was configured on one switch (for instance, switch B) to another switch (for instance, switch A), the administrator must add encrypted in front of this encrypted password when entering the enable command in switch A. In this way, the two switches will have the same password.
Passwords are encrypted by default. You are only required to use the encrypted keyword when you are actually entering an already-encrypted password.
Examples
Example 1 - The command sets a password that has already been encrypted. It will be copied to the configuration file just as it is entered. To use it, the user must know its unencrypted form.
switchxxxxxx(config)# enable password encrypted 4b529f21c93d4706090285b0c10172eb073ffebc4
Example 2 - The command sets an unencrypted password for level 7 (it will be
encrypted in the configuration file).
switchxxxxxx(config)# enable password level 7 let-me-in
5.9 service password-recovery
Use the service password-recovery Global Configuration mode command to
enable the password-recovery mechanism. This mechanism allows an end user,
with physical access to the console port of the device, to enter the boot menu and
trigger the password recovery process. Use the no service password-recovery
command to disable the password-recovery mechanism. When the
password-recovery mechanism is disabled, accessing the boot menu is still
allowed and the user can trigger the password recovery process. The difference
is, that in this case, all the configuration files and all the user files are removed. The
following log message is generated to the terminal: “All the configuration and user
files were removed”.
Syntax
service password-recovery
no service password-recovery
Parameters
N/A
Default Configuration
The service password recovery is enabled by default.
Command Mode
Global Configuration mode
User Guidelines
• If password recovery is enabled, the user can access the boot menu and trigger the password recovery in the boot menu. All configuration files and user files are kept.
• If password recovery is disabled, the user can access the boot menu and trigger the password recovery in the boot menu. The configuration files and user files are removed.
•
If a device is configured to protect its sensitive data with a user-defined
passphrase for (Secure Sensitive Data), then the user cannot trigger the
password recovery from the boot menu even if password recovery is
enabled.
Example
The following command disables password recovery:
switchxxxxxx(config)# no service password-recovery
Note that choosing to use Password recovery option in the Boot Menu during
the boot process will remove the configuration files and the user files.
Would you like to continue ? Y/N.
5.10 username
Use the username Global Configuration mode command to establish a
username-based authentication system. Use the no form to remove a user name.
Syntax
username name {nopassword | {password {unencrypted-password | {encrypted
encrypted-password}}} | {privilege privilege-level {unencrypted-password |
{encrypted encrypted-password}}}
no username name
Parameters
• name—The name of the user. (Range: 1–20 characters)
• nopassword—No password is required for this user to log in.
• password—Specifies the password for this username. (Range: 1–64)
• unencrypted-password—The authentication password for the user. (Range:
1–159)
• encrypted encrypted-password—Specifies that the password is MD5
encrypted. Use this keyword to enter a password that is already encrypted
(for instance, one that you copied from the configuration file of another
device). (Range: 1–40)
• privilege privilege-level—Privilege level for which the password applies. If
not specified, the level is 1. (Range: 1–15)
Default Configuration
No user is defined.
Command Mode
Global Configuration mode
Usage Guidelines
The last level 15 user (regardless of whether it is the default user or any user)
cannot be removed and cannot be a remote user.
Examples
Example 1 - Sets an unencrypted password for user tom (level 15). It will be
encrypted in the configuration file.
switchxxxxxx(config)# username tom password 1234
Example 2 - Sets a password for user jerry (level 15) that has already been
encrypted. It will be copied to the configuration file just as it is entered. To use it,
the user must know its unencrypted form.
switchxxxxxx(config)# username jerry privilege 15 encrypted
4b529f21c93d4706090285b0c10172eb073ffebc4
5.11 show users accounts
The show users accounts Privileged EXEC mode command displays information
about the users local database.
Syntax
show users accounts
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays information about the users local database:
switchxxxxxx# show users accounts
Username    Privilege   Password Expiry date
--------    ---------   --------------------
Bob         15          Jan 18 2005
Robert      15          Jan 19 2005
Smith       15
The following table describes the significant fields shown in the display:
Field                   Description
Username                The user name.
Privilege               The user's privilege level.
Password Expiry date    The user's password expiration date.
5.12 aaa accounting login
Use the aaa accounting login command in Global Configuration mode to enable
accounting of device management sessions. Use the no form of this command to
disable accounting.
Syntax
aaa accounting login start-stop group {radius | tacacs+}
no aaa accounting login start-stop
Parameters
• group radius—Uses a RADIUS server for accounting.
• group tacacs+—Uses a TACACS+ server for accounting.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
This command enables the recording of device management sessions (Telnet,
serial and WEB but not SNMP).
It records only users that were identified with a username (e.g. a user that was
logged in with a line password is not recorded).
If accounting is activated, the device sends "start"/"stop" messages to a RADIUS
server when a user logs in / logs out, respectively.
The device uses the configured priorities of the available RADIUS/TACACS+
servers in order to select the RADIUS/TACACS+ server.
The following table describes the supported RADIUS accounting attributes
values, and in which messages they are sent by the switch.
Name                       Start Message  Stop Message  Description
User-Name (1)              Yes            Yes           User's identity.
NAS-IP-Address (4)         Yes            Yes           The switch IP address that is used for the session with the RADIUS server.
Class (25)                 Yes            Yes           Arbitrary value that is included in all accounting packets for a specific session.
Called-Station-ID (30)     Yes            Yes           The switch IP address that is used for the management session.
Calling-Station-ID (31)    Yes            Yes           The user IP address.
Acct-Session-ID (44)       Yes            Yes           A unique accounting identifier.
Acct-Authentic (45)        Yes            Yes           Indicates how the supplicant was authenticated.
Acct-Session-Time (46)     No             Yes           Indicates how long the user was logged in.
Acct-Terminate-Cause (49)  No             Yes           Reports why the session was terminated.
The following table describes the supported TACACS+ accounting arguments
and in which messages they are sent by the switch.
Name          Description                                          Start Message  Stop Message
task_id       A unique accounting session identifier.              Yes            Yes
user          Username that is entered for login authentication.   Yes            Yes
rem-addr      IP address of the user.                              Yes            Yes
elapsed-time  Indicates how long the user was logged in.           No             Yes
reason        Reports why the session was terminated.              No             Yes
Example
switchxxxxxx(config)# aaa accounting login start-stop group radius
5.13 aaa accounting dot1x
To enable accounting of 802.1x sessions, use the aaa accounting dot1x Global
Configuration mode command. Use the no form of this command to disable
accounting.
Syntax
aaa accounting dot1x start-stop group radius
no aaa accounting dot1x start-stop group radius
Parameters
N/A
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
This command enables the recording of 802.1x sessions.
If accounting is activated, the device sends start/stop messages to a RADIUS
server when a user logs in to / logs out of the network, respectively.
The device uses the configured priorities of the available RADIUS servers in order
to select the RADIUS server.
If a new supplicant replaces an old supplicant (even if the port state remains
authorized), the software sends a stop message for the old supplicant and a start
message for the new supplicant.
In multiple sessions mode (dot1x multiple-hosts authentication), the software
sends start/stop messages for each authenticated supplicant.
In multiple hosts mode (dot1x multiple-hosts), the software sends start/stop
messages only for the supplicant that has been authenticated.
The software does not send start/stop messages if the port is force-authorized.
The software does not send start/stop messages for hosts that are sending traffic
on the guest VLAN or on the unauthenticated VLANs.
The following table describes the supported RADIUS accounting attribute values
and when they are sent by the switch.
Name                       Start  Stop  Description
User-Name (1)              Yes    Yes   Supplicant's identity.
NAS-IP-Address (4)         Yes    Yes   The switch IP address that is used for the session with the RADIUS server.
NAS-Port (5)               Yes    Yes   The switch port from where the supplicant has logged in.
Class (25)                 Yes    Yes   The arbitrary value that is included in all accounting packets for a specific session.
Called-Station-ID (30)     Yes    Yes   The switch MAC address.
Calling-Station-ID (31)    Yes    Yes   The supplicant MAC address.
Acct-Session-ID (44)       Yes    Yes   A unique accounting identifier.
Acct-Authentic (45)        Yes    Yes   Indicates how the supplicant was authenticated.
Acct-Session-Time (46)     No     Yes   Indicates how long the supplicant was logged in.
Acct-Terminate-Cause (49)  No     Yes   Reports why the session was terminated.
Nas-Port-Type (61)         Yes    Yes   Indicates the supplicant physical port type.
Example
switchxxxxxx(config)# aaa accounting dot1x start-stop group radius
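The RADIUS accounting records described for aaa accounting login (5.12) and aaa accounting dot1x (5.13), seen from the receiving server's side. This is an added example written for this guide, not Cisco code or device output: it builds a constructed Accounting-Request carrying the attribute numbers from the two tables, decodes it the way an accounting collector would, and verifies the Request Authenticator against the shared secret as RFC 2866 specifies. The shared secret, the addresses and session ID in the sample, and the Start/Stop classification heuristic are this example's assumptions.

```python
"""Decode and verify a RADIUS Accounting-Request (RFC 2866) of the kind the
switch sends for 'aaa accounting login' and 'aaa accounting dot1x'.
Added example, not Cisco code; the packet is constructed below."""
import hashlib
import socket
import struct
from typing import Dict, List, Tuple

ACCOUNTING_REQUEST = 4
# Attribute numbers from the two RADIUS accounting tables in this guide.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 25: "Class",
    30: "Called-Station-ID", 31: "Calling-Station-ID",
    44: "Acct-Session-ID", 45: "Acct-Authentic", 46: "Acct-Session-Time",
    49: "Acct-Terminate-Cause", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {5, 45, 46, 49, 61}   # 32-bit big-endian values
STOP_ONLY = {46, 49}                  # sent only in Stop messages per the tables


def build_accounting_request(secret: bytes, ident: int,
                             attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build an Accounting-Request. Its Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet: bytes, secret: bytes) -> Dict:
    """Decode the attributes and check the authenticator with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    attrs = {}
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = body[pos + 2:pos + alen]
        attrs[ATTR_NAMES.get(atype, "Attr-%d" % atype)] = decode_value(atype, value)
        pos += alen
    return {"id": ident, "verified": packet[4:20] == expected, "attrs": attrs}


def decode_value(atype: int, value: bytes):
    if atype == 4:                          # NAS-IP-Address is 4 octets
        return socket.inet_ntoa(value)
    if atype in INTEGER_ATTRS:
        return struct.unpack("!I", value)[0]
    return value.decode("ascii", "replace")


def classify(parsed: Dict) -> str:
    """Start or Stop, inferred from the Stop-only attributes in the tables.
    Assumption for this example: a real server keys on Acct-Status-Type (40),
    which the guide's tables do not list."""
    stop_names = {ATTR_NAMES[n] for n in STOP_ONLY}
    return "Stop" if stop_names & set(parsed["attrs"]) else "Start"


# Constructed sample: a Stop record for a management login (5.12 attributes).
SECRET = b"example-shared-secret"           # placeholder, not a real secret
SAMPLE_STOP = build_accounting_request(SECRET, 7, [
    (1, b"tom"),
    (4, socket.inet_aton("10.0.0.1")),       # switch address, constructed
    (31, b"10.0.0.5"),                       # user address, constructed
    (44, b"0000001A"),
    (45, struct.pack("!I", 1)),              # Acct-Authentic 1 = RADIUS
    (46, struct.pack("!I", 600)),
    (49, struct.pack("!I", 1)),              # Acct-Terminate-Cause 1 = User-Request
])

if __name__ == "__main__":
    record = parse_accounting_request(SAMPLE_STOP, SECRET)
    print(classify(record), record)
```

The authenticator check is the part worth keeping in any collector that treats these records as an audit trail: a record whose MD5 does not verify with the shared secret was not produced by a device that knows the secret and should not be accepted as evidence of a login or logout.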
5.14 show accounting
The show accounting EXEC mode command displays information as to which type
of accounting is enabled on the switch.
Syntax
show accounting
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays information about the accounting status.
switchxxxxxx# show accounting
Login: Radius
802.1x: Disabled
5.15 passwords complexity enable
Use the passwords complexity enable Global Configuration mode command to
enforce minimum password complexity. The no form of this command disables
enforcing password complexity.
Syntax
passwords complexity enable
no passwords complexity enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
If password complexity is enabled, the user is forced to enter a password that:
• Has a minimum length of 8 characters.
• Contains characters from at least 3 character classes (uppercase letters,
lowercase letters, numbers, and special characters available on a standard
keyboard).
• Is different from the current password.
• Contains no character that is repeated more than 3 times consecutively.
• Does not repeat or reverse the user name or any variant reached by
changing the case of the characters.
• Does not repeat or reverse the manufacturer's name or any variant reached
by changing the case of the characters.
You can control the above attributes of password complexity with specific
commands described in this section.
If you have previously configured other complexity settings, then those settings
are used. This command does not wipe out the other settings. It works only as a
toggle.
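To see how the rules above combine on a candidate password, here is an added example in Python, not Cisco code: the policy object mirrors the defaults stated for the passwords complexity commands (length 8, 3 classes, no-repeat 3, all other controls on), and each field corresponds to one keyword of that command. The manufacturer name "cisco" used for the not-manufacturer-name test and the sample passwords are this example's assumptions.

```python
"""Password complexity check mirroring the rules listed under
'passwords complexity enable'. Added example, not Cisco code."""
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ComplexityPolicy:
    # Defaults follow the guide: length 8, 3 classes, no-repeat 3,
    # all other controls enabled. Each field maps to one
    # 'passwords complexity ...' keyword.
    min_length: int = 8
    min_classes: int = 3
    not_current: bool = True
    no_repeat: int = 3                  # 0 means no limit, as in the CLI
    not_username: bool = True
    not_manufacturer_name: bool = True
    manufacturer_name: str = "cisco"    # assumed value for this example


def char_classes(pw: str) -> int:
    """Count the classes present: upper, lower, digits, keyboard specials."""
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        longest = max(longest, run)
        prev = c
    return longest


def contains_or_reversed(pw: str, name: str) -> bool:
    """True if pw contains name or its reverse, ignoring case ("any variant
    reached by changing the case of the characters")."""
    p, n = pw.lower(), name.lower()
    return bool(n) and (n in p or n[::-1] in p)


def check_password(pw: str, username: str, current: Optional[str],
                   policy: ComplexityPolicy = ComplexityPolicy()) -> List[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    failures = []
    if len(pw) < policy.min_length:
        failures.append("shorter than %d characters" % policy.min_length)
    if char_classes(pw) < policy.min_classes:
        failures.append("fewer than %d character classes" % policy.min_classes)
    if policy.not_current and current is not None and pw == current:
        failures.append("same as the current password")
    if policy.no_repeat and longest_run(pw) > policy.no_repeat:
        failures.append("a character repeats more than %d times consecutively"
                        % policy.no_repeat)
    if policy.not_username and contains_or_reversed(pw, username):
        failures.append("repeats or reverses the user name")
    if policy.not_manufacturer_name and contains_or_reversed(pw, policy.manufacturer_name):
        failures.append("repeats or reverses the manufacturer name")
    return failures


if __name__ == "__main__":
    for candidate in ("let-me-in", "xxMOTzz9!Q", "Tr0ub4dor!x"):
        print(candidate, check_password(candidate, "tom", None) or "accepted")
```

Note that the user-name and manufacturer-name rules are substring checks in both directions and ignore case, so a password such as xxMOTzz9!Q is rejected for user tom even though it meets the length and class requirements.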
Example
The following example configures requiring complex passwords that fulfill the
minimum requirements specified in the User Guidelines above.
switchxxxxxx(config)# passwords complexity enable
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled
switchxxxxxx#
5.16 passwords complexity
Use the passwords complexity Global Configuration mode commands to control
the minimum requirements from a password when password complexity is
enabled. Use the no form of these commands to return to default.
Syntax
passwords complexity {min-length number} | {min-classes number} | not-current |
{no-repeat number} | not-username | not-manufacturer-name
no passwords complexity min-length | min-classes | not-current | no-repeat |
not-username | not-manufacturer-name
Parameters
• min-length number—Sets the minimal length of the password. (Range: 0–64)
• min-classes number—Sets the minimal character classes (uppercase
letters, lowercase letters, numbers, and special characters available on a
standard keyboard). (Range: 0–4)
• not-current—Specifies that the new password cannot be the same as the
current password.
• no-repeat number—Specifies the maximum number of characters in the
new password that can be repeated consecutively. Zero specifies that
there is no limit on repeated characters. (Range: 0–16)
• not-username—Specifies that the password cannot repeat or reverse the
user name or any variant reached by changing the case of the characters.
• not-manufacturer-name—Specifies that the password cannot repeat or
reverse the manufacturer's name or any variant reached by changing the
case of the characters.
Default Configuration
The minimal length is 8.
The number of classes is 3.
The default for no-repeat is 3.
All the other controls are enabled by default.
Command Mode
Global Configuration mode
Example
The following example configures the minimal required password length to 8
characters.
switchxxxxxx(config)# passwords complexity min-length 8
5.17 passwords aging
Use the passwords aging Global Configuration mode command to enforce
password aging. Use the no form of this command to return to default.
Syntax
passwords aging days
no passwords aging
Parameters
• days—Specifies the number of days before a password change is forced.
You can use 0 to disable aging. (Range: 0–365).
Default Configuration
180
Command Mode
Global Configuration mode
User Guidelines
Aging is relevant only to users of the local database with privilege level 15 and to
the enable password of privilege level 15.
To disable password aging, use passwords aging 0.
Using no passwords aging sets the aging time to the default.
Example
The following example configures the aging time to be 24 days.
switchxxxxxx(config)# passwords aging 24
5.18 show passwords configuration
The show passwords configuration Privileged EXEC mode command displays
information about the password management configuration.
Syntax
show passwords configuration
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show passwords configuration
Passwords aging is enabled with aging time 180 days.
Passwords complexity is enabled with the following attributes:
Minimal length: 3 characters
Minimal classes: 3
New password must be different than the current: Enabled
Maximum consecutive same characters: 3
New password must be different than the user name: Enabled
New password must be different than the manufacturer name: Enabled
Enable Passwords
Level
-----
1
15
Line Passwords
Line
-----
Console
Telnet
SSH
6 Auto-Update and Auto-Configuration
6.1 boot host auto-config
Use the boot host auto-config Global Configuration mode command to enable
auto configuration via DHCP. Use the no form of this command to disable DHCP
auto configuration.
Syntax
boot host auto-config [tftp | scp | auto [extension]]
no boot host auto-config
Parameters
• tftp—Only the TFTP protocol is used by auto-configuration.
• scp—Only the SCP protocol is used by auto-configuration.
• auto—(Default) Auto-configuration uses the TFTP or SCP protocol depending
on the configuration file's extension. If this option is selected, the extension
parameter may be specified or, if not, the default extension is used.
• extension—The SCP file extension. When no value is specified, 'scp' is
used. (Range: 1-16 characters)
Default Configuration
Enabled by default with the auto option.
Command Mode
Global Configuration mode
User Guidelines
The TFTP or SCP protocol is used to download/upload a configuration file.
Examples
Example 1. The following example specifies the auto mode and specifies "scon" as
the SCP extension:
switchxxxxxx(config)# boot host auto-config auto scon
Example 2. The following example specifies the auto mode and does not provide
an SCP extension.
In this case "scp" is used.
switchxxxxxx(config)# boot host auto-config auto
Example 3. The following example specifies that only the SCP protocol will be
used:
switchxxxxxx(config)# boot host auto-config scp
6.2 boot host auto-update
Use the boot host auto-update Global Configuration mode command to enable the
support of auto update via DHCP. Use the no form of this command to disable
DHCP auto update.
Syntax
boot host auto-update [tftp | scp | auto [extension]]
no boot host auto-update
Parameters
• tftp—Only the TFTP protocol is used by auto-update.
• scp—Only the SCP protocol is used by auto-update.
• auto (Default)—Auto-configuration uses the TFTP or SCP protocol
depending on the Indirect image file's extension. If this option is selected,
the extension parameter may be specified or, if not, the default extension is
used.
• extension—The SCP file extension. When no value is specified, 'scp' is used.
(Range: 1-16 characters)
Default Configuration
Enabled by default with the auto option.
Command Mode
Global Configuration mode
User Guidelines
The TFTP or SCP protocol is used to download/upload an image file.
Examples
Example 1—The following example specifies the auto mode and specifies "scon"
as the SCP extension:
switchxxxxxx(config)# boot host auto-update auto scon
Example 2—The following example specifies the auto mode and does not provide
an SCP extension. In this case "scp" is used.
switchxxxxxx(config)# boot host auto-update auto
Example 3—The following example specifies that only the SCP protocol will be
used:
switchxxxxxx(config)# boot host auto-update scp
6.3 show boot
Use the show boot Privileged EXEC mode command to show the status of the IP
DHCP Auto Config process.
Syntax
show boot
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Examples
switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: auto
SCP protocol will be used for files with extension: scp
Configuration file auto-save: enabled
Auto Config State: Finished successfully
Server IP address: 1.2.20.2
Configuration filename: /config/configfile1.cfg

Auto Update
-----------
Image Download via DHCP: enabled

switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: scp
Configuration file auto-save: enabled
Auto Config State: Opening <hostname>-config file

Auto Update
-----------
Image Download via DHCP: enabled

switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: scp
Configuration file auto-save: enabled
Auto Config State: Downloading configuration file

Auto Update
-----------
Image Download via DHCP: enabled

switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: tftp
Configuration file auto-save: enabled
Auto Config State: Searching device hostname in indirect file

Auto Update
-----------
Image Download via DHCP: enabled

switchxxxxxx# show boot
Auto Config
-----------
Config Download via DHCP: enabled
Download Protocol: tftp
Configuration file auto-save: enabled

Auto Update
-----------
Image Download via DHCP: enabled
Auto Update State: Downloaded indirect image file
Indirect Image filename: /image/indirectimage.txt
6.4 ip dhcp tftp-server ip address
Use the ip dhcp tftp-server ip address Global Configuration mode command to
set the backup server's IP address. This address serves as the default address
used by the switch when one has not been received from the DHCP server. Use the
no form of the command to return to default.
Syntax
ip dhcp tftp-server ip address ip-addr
no ip dhcp tftp-server ip address
Parameters
• ip-addr—IPv4 Address, or IPv6 Address or DNS name of TFTP or SCP
server.
Default Configuration
No IP address
Command Mode
Global Configuration mode
User Guidelines
The backup server can be a TFTP server or a SCP server.
Examples
Example 1. The example specifies the IPv4 address of TFTP server:
switchxxxxxx(config)# ip dhcp tftp-server ip address 10.5.234.232
Example 2. The example specifies the IPv6 address of the TFTP server:
switchxxxxxx(config)# ip dhcp tftp-server ip address 3000:1::12
Example 3. The example specifies the DNS name of the TFTP server:
switchxxxxxx(config)# ip dhcp tftp-server ip address tftp-server.company.com
6.5 ip dhcp tftp-server file
Use the ip dhcp tftp-server file Global Configuration mode command to set the full
file name of the configuration file to be downloaded from the backup server when
it has not been received from the DHCP server. Use the no form of this command
to remove the name.
Syntax
ip dhcp tftp-server file file-path
no ip dhcp tftp-server file
Parameters
• file-path—Full file path and name of the configuration file on the server.
Default Configuration
No file name
Command Mode
Global Configuration mode
User Guidelines
The backup server can be a TFTP server or an SCP server.
Examples
switchxxxxxx(config)# ip dhcp tftp-server file conf/conf-file
6.6 ip dhcp tftp-server image file
Use the ip dhcp tftp-server image file Global Configuration mode command to set
the indirect file name of the image file to be downloaded from the backup server
when it has not been received from the DHCP server. Use the no form of this
command to remove the file name.
Syntax
ip dhcp tftp-server image file file-path
no ip dhcp tftp-server image file
Parameters
• file-path—Full path and name of the indirect image file on the server.
Default Configuration
No file name
Command Mode
Global Configuration mode
User Guidelines
The backup server can be a TFTP server or a SCP server.
Examples
switchxxxxxx(config)# ip dhcp tftp-server image file imag/imag-file
6.7 show ip dhcp tftp-server
Use the show ip dhcp tftp-server EXEC mode command to display information
about the backup server.
Syntax
show ip dhcp tftp-server
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
User Guidelines
The backup server can be a TFTP server or a SCP server.
Example
show ip dhcp tftp-server
server address
  active   1.1.1.1 from sname
  manual   2.2.2.2
file path on server
  active   conf/conf-file from option 67
  manual   conf/conf-file1
7 Bonjour Commands
7.1 bonjour enable
To enable Bonjour globally, use the bonjour enable command in Global
Configuration mode. To disable Bonjour globally, use the no format of the
command.
Syntax
bonjour enable
no bonjour enable
Default Configuration
Enable
Command Mode
Global Configuration mode
Examples
switchxxxxxx(config)# bonjour enable
7.2 bonjour interface range
To add L2 interfaces to the Bonjour L2 interface list, use the bonjour interface
range command in Global Configuration mode. To remove L2 interfaces from this
list, use the no format of the command.
Syntax
bonjour interface range interface-list
no bonjour interface range [interface-list]
Parameters
• interface-list—Specifies a list of interfaces. Only interfaces supporting L2
Multicast forwarding can be specified. The interfaces can be of the following
types: OOB, Ethernet port, Port-channel, and VLAN.
Default Configuration
The list includes the Default VLAN and OOB.
Command Mode
Global Configuration mode
User Guidelines
The Bonjour L2 interface list specifies a set of interfaces on which Bonjour is
enabled.
Use the bonjour interface range interface-list command, to add the specified
interfaces to the Bonjour L2 interface list.
Use the no bonjour interface range interface-list command, to remove the
specified interfaces from the Bonjour L2 interface list.
Use the no bonjour interface range command, to clear the Bonjour L2 interface list.
Examples
switchxxxxxx(config)# bonjour interface range VLAN 100-103
7.3 show bonjour
To display Bonjour information, use the show bonjour command in Privileged EXEC
mode.
Syntax
show bonjour [interface-id]
Parameters
• interface-id—Specifies an interface.
Command Mode
Privileged EXEC mode
Examples
The example displays Bonjour status.
switchxxxxxx# show bonjour
Bonjour global status: enabled
Bonjour L2 interfaces list: vlans 1
Service   Admin Status   Oper Status
-------   ------------   --------------
csco-sb   enabled        enabled
http      enabled        enabled
https     enabled        disabled
ssh       enabled        disabled
telnet    enabled        disabled
8 CDP Commands
8.1 cdp advertise-v2
To specify version 2 of transmitted CDP packets, use the cdp advertise-v2
command in Global Configuration mode. To specify version 1, use the no form of
this command.
Syntax
cdp advertise-v2
no cdp advertise-v2
Parameters
N/A
Default Configuration
Version 2.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp run
switchxxxxxx(config)# cdp advertise-v2
8.2 cdp appliance-tlv enable
To enable sending of the Appliance TLV, use the cdp appliance-tlv enable
command in Global Configuration mode. To disable the sending of the Appliance
TLV, use the no form of this command.
Syntax
cdp appliance-tlv enable
no cdp appliance-tlv enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
This MIB specifies the Voice Vlan ID (VVID) to which this port belongs:
• 0—The CDP packets transmitting through this port contain Appliance
VLAN-ID TLV with value of 0. VoIP and related packets are expected to be
sent and received with VLAN-ID=0 and an 802.1p priority.
• 1..4094—The CDP packets transmitting through this port contain Appliance
VLAN-ID TLV with N. VoIP and related packets are expected to be sent and
received with VLAN-ID=N and an 802.1p priority.
• 4095—The CDP packets transmitting through this port contain Appliance
VLAN-ID TLV with value of 4095. VoIP and related packets are expected to
be sent and received untagged without an 802.1p priority.
• 4096—The CDP packets transmitting through this port do not include
Appliance VLAN-ID TLV; or, if the VVID is not supported on the port, this MIB
object will not be configurable and will return 4096.
Example
switchxxxxxx(config)# cdp appliance-tlv enable
8.3 cdp device-id format
To specify the format of the Device-ID TLV, use the cdp device-id format command
in Global Configuration mode. To return to default, use the no form of this
command.
Syntax
cdp device-id format {mac | serial-number | hostname}
no cdp device-id format
Parameters
• mac—Specifies that the Device-ID TLV contains the device's MAC address.
• serial-number—Specifies that the Device-ID TLV contains the device's
hardware serial number.
• hostname—Specifies that the Device-ID TLV contains the device's hostname.
Default Configuration
MAC address is selected by default.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp device-id format serial-number
8.4 cdp enable
To enable CDP on an interface, use the cdp enable command in Interface (Ethernet)
Configuration mode. To disable CDP on an interface, use the no form of the CLI
command.
Syntax
cdp enable
Parameters
N/A
Default Configuration
Enabled
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
For CDP to be enabled on an interface, it must first be enabled globally using cdp
advertise-v2.
Example
switchxxxxxx(config)# cdp run
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp enable
8.5 cdp holdtime
To specify the value of the Time-to-Live field in sent CDP messages, use the cdp
holdtime command in Global Configuration mode. To return to default, use the no
form of this command.
Syntax
cdp holdtime seconds
no cdp holdtime
Parameters
• seconds—Value of the Time-to-Live field in seconds. The value should be
greater than the value of the Transmission Timer. (Range: 10–255)
Default Configuration
180 seconds.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp holdtime 100
8.6 cdp log mismatch duplex
To validate that the duplex status of a port received in a CDP packet matches
the port's actual configuration, and to generate SYSLOG duplex mismatch
messages if they do not match, use the cdp log mismatch duplex command in
Global Configuration mode or Interface (Ethernet) Configuration mode. To
disable the generation of the SYSLOG messages, use the no form of the CLI
command.
Syntax
cdp log mismatch duplex
no cdp log mismatch duplex
Parameters
N/A
Default Configuration
The switch reports duplex mismatches from all ports.
Command Mode
Global Configuration mode
Interface (Ethernet) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp log mismatch duplex
8.7 cdp log mismatch native
To validate that the native VLAN received in a CDP packet matches the actual
native VLAN of the port, and to generate SYSLOG native VLAN mismatch
messages if they do not match, use the cdp log mismatch native command in
Global Configuration mode or Interface (Ethernet) Configuration mode. To
disable the generation of the SYSLOG messages, use the no form of the CLI
command.
Syntax
cdp log mismatch native
no cdp log mismatch native
Parameters
N/A
Default Configuration
The switch reports native VLAN mismatches from all ports.
Command Mode
Global Configuration mode
Interface (Ethernet) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp log mismatch native
8.8 cdp log mismatch voip
To validate that the VoIP status of the port received in a CDP packet matches
its actual configuration, and to generate SYSLOG VoIP mismatch messages if
they do not match, use the cdp log mismatch voip command in Global
Configuration mode or Interface (Ethernet) Configuration mode. To disable the
generation of the SYSLOG messages, use the no form of the CLI command.
Syntax
cdp log mismatch voip
no cdp log mismatch voip
Parameters
N/A
Default Configuration
The switch reports VoIP mismatches from all ports.
Command Mode
Global Configuration mode
Interface (Ethernet) Configuration mode
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# cdp log mismatch voip
8.9 cdp mandatory-tlvs validation
To validate that all mandatory (according to the CDP protocol) TLVs are present in
received CDP frames, use the cdp mandatory-tlvs validation command in Global
Configuration mode. To disable the validation, use the no form of this command.
Syntax
cdp mandatory-tlvs validation
no cdp mandatory-tlvs validation
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Global Configuration mode
User Guidelines
Use this command to delete (discard) received CDP packets that do not include all the mandatory TLVs.
Example
This example turns off mandatory TLV validation:
switchxxxxxx(config)# no cdp mandatory-tlvs validation
8.10 cdp pdu
To specify CDP packets handling when CDP is globally disabled, use the cdp pdu
command in Global Configuration mode. To return to default, use the no form of
this command.
Syntax
cdp pdu [filtering | bridging | flooding]
no cdp pdu
Parameters
• filtering—Specify that when CDP is globally disabled, CDP packets are filtered (deleted).
• bridging—Specify that when CDP is globally disabled, CDP packets are bridged as regular data packets (forwarded based on VLAN).
• flooding—Specify that when CDP is globally disabled, CDP packets are flooded to all the ports in the product that are in STP forwarding state, ignoring the VLAN filtering rules.
Default Configuration
bridging
Command Mode
Global Configuration mode
User Guidelines
When CDP is globally enabled, CDP packets are filtered (discarded) on
CDP-disabled ports.
In the flooding mode, VLAN filtering rules are not applied, but STP rules are
applied. In case of MSTP, the CDP packets are classified to instance 0.
Example
switchxxxxxx(config)# cdp run
switchxxxxxx(config)# cdp pdu flooding
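Added example (not Cisco's code): a small model of how a received CDP frame is disposed of under the cdp run and cdp pdu rules above, so the cross-VLAN exposure of the flooding mode can be seen on a constructed four-port topology. The Port and Switch classes, port names and VLAN numbers are assumptions.

```python
"""Model of CDP frame disposition under 'cdp run' / 'cdp pdu' (constructed
example; the topology, class names and VLAN numbers are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    vlans: frozenset             # VLANs the port is a member of
    stp_forwarding: bool = True  # STP state (MSTP instance 0 applies to CDP)
    cdp_enabled: bool = True     # per-interface CDP state


@dataclass
class Switch:
    cdp_run: bool = True         # "cdp run" (enabled by default)
    cdp_pdu: str = "bridging"    # "cdp pdu" mode; bridging is the default
    ports: list = field(default_factory=list)


def dispose_cdp_frame(sw, ingress_name, vlan):
    """Return (action, egress_ports) for a CDP frame received on ingress_name
    and classified into `vlan`, following the reference text:
    - CDP globally enabled: consumed on CDP-enabled ports, filtered on
      CDP-disabled ports;
    - CDP globally disabled: filtering / bridging (VLAN + STP rules) /
      flooding (STP rules only, VLAN rules ignored)."""
    ingress = next(p for p in sw.ports if p.name == ingress_name)
    if sw.cdp_run:
        return ("consume", []) if ingress.cdp_enabled else ("filter", [])
    others = [p for p in sw.ports if p.name != ingress.name]
    if sw.cdp_pdu == "filtering":
        return ("filter", [])
    if sw.cdp_pdu == "bridging":
        return ("bridge", [p.name for p in others
                           if vlan in p.vlans and p.stp_forwarding])
    if sw.cdp_pdu == "flooding":
        return ("flood", [p.name for p in others if p.stp_forwarding])
    raise ValueError(f"unknown cdp pdu mode: {sw.cdp_pdu!r}")


def cross_vlan_exposure(sw, ingress_name, vlan):
    """Ports that would receive the frame although they are not members of its
    VLAN: the set to review before choosing 'cdp pdu flooding'."""
    _, egress = dispose_cdp_frame(sw, ingress_name, vlan)
    by_name = {p.name: p for p in sw.ports}
    return [n for n in egress if vlan not in by_name[n].vlans]


def sample_switch(cdp_run=True, cdp_pdu="bridging"):
    """Constructed topology: four ports, one STP-blocked, one CDP-disabled."""
    return Switch(cdp_run=cdp_run, cdp_pdu=cdp_pdu, ports=[
        Port("te1/0/1", frozenset({10})),
        Port("te1/0/2", frozenset({10}), stp_forwarding=False),
        Port("te1/0/3", frozenset({20})),
        Port("te1/0/4", frozenset({10}), cdp_enabled=False),
    ])


if __name__ == "__main__":
    for mode in ("filtering", "bridging", "flooding"):
        sw = sample_switch(cdp_run=False, cdp_pdu=mode)
        print(mode, dispose_cdp_frame(sw, "te1/0/1", 10),
              "cross-VLAN:", cross_vlan_exposure(sw, "te1/0/1", 10))
```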
8.11 cdp run
To enable CDP globally, use the cdp run command in Global Configuration mode.
To disable CDP globally, use the no form of this command.
Syntax
cdp run
no cdp run
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Global Configuration mode
User Guidelines
CDP is a link layer protocol that lets directly connected CDP/LLDP-capable
devices advertise themselves and their capabilities. In deployments where the
CDP/LLDP-capable devices are not directly connected but are separated by
CDP/LLDP-incapable devices, the CDP/LLDP-capable devices may be able to receive
the advertisements from other device(s) only if the CDP/LLDP-incapable devices
flood the CDP/LLDP packets they receive. If the CDP/LLDP-incapable devices
perform VLAN-aware flooding, then CDP/LLDP-capable devices can hear each other
only if they are in the same VLAN. Note that a CDP/LLDP-capable device may
receive advertisements from more than one device if the CDP/LLDP-incapable
devices flood the CDP/LLDP packets.
To learn and advertise CDP information, CDP must be globally enabled (it is by
default) and also enabled on the interfaces (also by default).
Example
switchxxxxxx(config)# cdp run
8.12 cdp source-interface
To specify the CDP source port used for source IP address selection, use the cdp
source-interface command in Global Configuration mode. To delete the source
interface, use the no form of this command.
Syntax
cdp source-interface interface-id
no cdp source-interface
Parameters
interface-id—Source port used for Source IP address selection.
Default Configuration
No CDP source interface is specified.
Command Mode
Global Configuration mode
User Guidelines
Use the cdp source-interface command to specify an interface whose minimal IP
address will be advertised in the TLV instead of the minimal IP address of the
outgoing interface.
Example
switchxxxxxx(config)# cdp source-interface te1/0/1
8.13 cdp timer
To specify how often CDP packets are transmitted, use the cdp timer command in
Global Configuration mode. To return to default, use the no form of this command.
Syntax
cdp timer seconds
no cdp timer
Parameters
seconds—Value of the Transmission Timer in seconds. Range: 5-254 seconds.
Default Configuration
60 seconds.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# cdp timer 100
8.14 clear cdp counters
To reset the CDP traffic counters to 0, use the clear cdp counters command in
Privileged EXEC mode.
Syntax
clear cdp counters [global | interface-id]
Parameters
• global—Clear only the global counters.
• interface-id—Specifies the interface identifier of the counters that should be cleared.
Command Mode
Privileged EXEC mode
User Guidelines
Use the clear cdp counters command without parameters to clear all the counters.
Use the clear cdp counters global command to clear only the global counters.
Use the clear cdp counters interface-id command to clear the counters of the
given interface.
Example
Example 1. The example clears all the CDP counters:
switchxxxxxx# clear cdp counters
Example 2. The example clears the CDP global counters:
switchxxxxxx# clear cdp counters global
Example 3. The example clears the CDP counters of Ethernet port te1/0/1:
switchxxxxxx# clear cdp counters interface te1/0/1
8.15 clear cdp table
To delete the CDP Cache tables, use the clear cdp table command in Privileged
EXEC mode.
Syntax
clear cdp table
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The example deletes all entries from the CDP Cache tables:
switchxxxxxx# clear cdp table
8.16 show cdp
To display the interval between advertisements, the number of seconds the
advertisements are valid and the version of the advertisements, use the show cdp
command in Privileged EXEC mode.
Syntax
show cdp
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp
Global CDP information:
cdp is globally enabled
cdp log duplex mismatch is globally enabled
cdp log voice VLAN mismatch is globally enabled
cdp log native VLAN mismatch is globally disabled
Mandatory TLVs are
Device-ID TLV (0x0001)
Address TLV (0x0002)
Port-ID TLV (0x0003)
Capabilities TLV (0x0004)
Version TLV (0x0005)
Platform TLV (0x0006)
Sending CDPv2 advertisements is enabled
Sending Appliance TLV is enabled
Device ID format is Serial Number
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
8.17 show cdp entry
To display information about specific neighbors, use the show cdp entry
command in Privileged EXEC mode.
Syntax
show cdp entry {* | device-name} [protocol | version]
Parameters
• *—Specifies all neighbors.
• device-name—Specifies the name of the neighbor.
• protocol—Limits the display to information about the protocols enabled on neighbors.
• version—Limits the display to information about the version of software running on the neighbors.
Default Configuration
Version
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp entry device.cisco.com
Device ID: device.cisco.com
Advertisement version: 2
Entry address(es):
IP address: 192.168.68.18
CLNS address: 490001.1111.1111.1111.00
DECnet address: 10.1
Platform: cisco 4500,
Interface: te1/0/1,
Capabilities: Router
Port ID (outgoing port): Ethernet0
Holdtime: 125 sec
Version:
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by dschwart
switchxxxxxx# show cdp entry device.cisco.com protocol
Protocol information for device.cisco.com:
IP address: 192.168.68.18
CLNS address: 490001.1111.1111.1111.00
DECnet address: 10.1
switchxxxxxx# show cdp entry device.cisco.com version
Version information for device.cisco.com:
Cisco Internetwork Operating System Software
IOS (tm) 4500 Software (C4500-J-M), Version 11.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by dschwart
8.18 show cdp interface
To display information about ports on which CDP is enabled, use the show cdp
interface command in Privileged EXEC mode.
Syntax
show cdp interface interface-id
Parameters
interface-id—Port ID.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp interface te1/0/1
CDP is globally enabled
CDP log duplex mismatch
Globally is enabled
Per interface is enabled
CDP log voice VLAN mismatch
Globally is enabled
Per interface is enabled
CDP log native VLAN mismatch
Globally is disabled
Per interface is enabled
te1/0/1 is Down, CDP is enabled
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
8.19 show cdp neighbors
To display information about neighbors kept in the main or secondary cache, use
the show cdp neighbors command in Privileged EXEC mode.
Syntax
show cdp neighbors [interface-id] [detail | secondary]
Parameters
• interface-id—Displays the neighbors attached to this port.
• detail—Displays detailed information about a neighbor (or neighbors) from the main cache including network address, enabled protocols, hold time, and software version.
• secondary—Displays information about neighbors from the secondary cache.
Default Configuration
If an interface ID is not specified, the command displays information for the
neighbors of all ports.
If detail or secondary are not specified, the default is secondary.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,P - VoIP Phone,
M - Remotely-Managed Device, C - CAST Phone Port, W - Two-Port MAC Relay
Device ID          Local       Adv  Time To Capability Platform     Port ID
                   Interface   Ver. Live
------------------ ----------- ---- ------- ---------- ------------ ----------
PTK-SW-A-86.company
gi48
2
147
S I
ESW-520-8P
gi48
2
153
S I M
ESW-520-8P
g1
ESW-540-8P
g9
Company
fa2/1
l.com
Company
gi3/39
XX-10R-E
ESW-540-8P
gi48
2
146
S I M
003106131611
gi48
2
143
S I
001828100211
gi48
2
173
S I
XX-23R-E
Company
fa2/2
XX-23R-E
c47d4fed9302
gi48
2
137
S I
Company
fa2/5
XX-23R-E
switchxxxxxx# show cdp neighbors detail
------------------------
Device ID: lab-7206
Advertisement version: 2
Entry address(es):
IP address: 172.19.169.83
Platform: company x5660,
Interface: Ethernet0,
Capabilities: Router
Port ID (outgoing port): te1/0/0
Time To Live : 123 sec
Version :
Company Network Operating System Software
NOS (tm) x5660 Software (D5660-I-N), Version 18.1(10.4), MAINTENANCE INTERIM
SOFTWARE
Copyright (c) 1986-1997 by company Systems, Inc.
Compiled Mon 07-Apr-97 19:51 by xxdeeert
Duplex: half
------------------------
Device ID: lab-as5300-1
Entry address(es):
IP address: 172.19.169.87
Platform: company TD6780,
Capabilities: Router
Device ID: SEP000427D400ED
Advertisement version: 2
Entry address(es):
IP address: 1.6.1.81
Platform: Company IP Phone x8810,
Interface: te1/0/1,
Capabilities: Host
Port ID (outgoing port): Port 1
Time To Live: 150 sec
Version :
P00303020204
Duplex: full
sysName: a-switch
Power drawn: 6.300 Watts
switchxxxxxx# show cdp neighbors secondary
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Local Interface te1/0/1, MAC Address: 00:00:01:23:86:9c
TimeToLive: 157
Capabilities: R S
VLAN-ID: 10
Platform: 206VXRYC
Local Interface te1/0/1, MAC Address: 00:00:01:53:86:9c
TimeToLive: 163
Capabilities: R S
VLAN-ID: 10
Platform: ABCD-VSD
Power Available TLV: Request-ID is 1
Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Local Interface te1/0/2, MAC Address: 00:00:01:2b:86:9c
TimeToLive: 140
Capabilities: R S
VLAN-ID: 1210
Platform: QACSZ
4-wire Power-via-MDI (UPOE) TLV:
4-pair PoE Supported: Yes
Spare pair Detection/Classification required: Yes
PD Spare Pair Desired State: Disabled
PSE Spare Pair Operational State: Disabled
Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Local Interface te1/0/2, MAC Address: 00:00:01:2c:86:9c
TimeToLive: 132
Capabilities: T
VLAN-ID: 1005
Platform: CAT-3000
Field Definitions:
• Advertisement version—The version of CDP being used for CDP advertisements.
• Capabilities—The device type of the neighbor. This device can be a router, a bridge, a transparent bridge, a source-routing bridge, a switch, a host, an IGMP device, or a repeater.
• COS for Untrusted Ports—The COS value with which all packets received on an untrusted port should be marked by a simple switching device which cannot itself classify individual packets.
• Device ID—The name of the neighbor device and either the MAC address or the serial number of this device.
• Duplex—The duplex state of connection between the current device and the neighbor device.
• Entry address(es)—A list of network addresses of neighbor devices.
• Extended Trust—The Extended Trust.
• External Port-ID—Identifies the physical connector port on which the CDP packet is transmitted. It is used in devices, such as those with optical ports, in which signals from multiple hardware interfaces are multiplexed through a single physical port. It contains the name of the external physical port through which the multiplexed signal is transmitted.
• Interface—The protocol and port number of the port on the current device.
• IP Network Prefix—It is used by On Demand Routing (ODR). When transmitted by a hub router, it is a default route (an IP address). When transmitted by a stub router, it is a list of network prefixes of stub networks to which the sending stub router can forward IP packets.
• Management Address—When present, it contains a list of all the addresses at which the device will accept SNMP messages, including those it will only accept when received on interface(s) other than the one over which the CDP packet is being sent.
• MTU—The MTU of the interface via which the CDP packet is sent.
• Native VLAN—The ID number of the VLAN on the neighbor device.
• Physical Location—A character string indicating the physical location of a connector which is on, or physically connected to, the interface over which the CDP packet containing this TLV is sent.
• Platform—The product name and number of the neighbor device. In the case of the Secondary Cache only the 8 last characters of the value are printed.
• Power Available—Every switch interface transmits information in the Power Available TLV, which permits a device which needs power to negotiate and select an appropriate power setting. The Power Available TLV includes four fields.
• Power Consumption—The maximum amount of power, in milliwatts, expected to be obtained and consumed from the interface over which the CDP packet is sent.
• Power Drawn—The maximum requested power.
Note: For IP Phones the value shown is the maximum requested power (6.3 Watts). This value can be different than the actual power supplied by the routing device (generally 5 watts; shown using the show power command).
• Protocol-Hello—Specifies that a particular protocol has asked CDP to piggyback its "hello" messages within transmitted CDP packets.
• Remote Port_ID—Identifies the port the CDP packet is sent on.
• sysName—An ASCII string containing the same value as the sending device's sysName MIB object.
• sysObjectID—The OBJECT-IDENTIFIER value of the sending device's sysObjectID MIB object.
• Time To Live—The remaining amount of time, in seconds, the current device will hold the CDP advertisement from a transmitting router before discarding it.
• Version—The software version running on the neighbor device.
• Voice VLAN-ID—The Voice VLAN-ID.
• VTP Management Domain—A string that is the name of the collective group of VLANs associated with the neighbor device.
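Added example (not Cisco's code or output): a parser for the neighbor-detail block format shown in the show cdp neighbors detail and show cdp entry examples above, with two checks a defender would run on the parsed fields: the duplex comparison that cdp log mismatch duplex performs, and a search for neighbors advertising the Router capability on ports that are not known uplinks. The sample output, the local duplex settings and the uplink-port set are constructed.

```python
"""Parser for 'show cdp neighbors detail' style output (constructed example;
SAMPLE_OUTPUT, the duplex settings and the uplink set are assumptions)."""
import re

SAMPLE_OUTPUT = """\
------------------------Device ID: lab-7206
Advertisement version: 2
Entry address(es):
IP address: 172.19.169.83
Platform: company x5660,
Interface: te1/0/1,
Capabilities: Router
Port ID (outgoing port): te1/0/0
Time To Live : 123 sec
Version :
Company Network Operating System Software
Duplex: half
------------------------Device ID: SEP000427D400ED
Entry address(es):
IP address: 1.6.1.81
Platform: Company IP Phone x8810,
Interface: te1/0/2,
Capabilities: Host
Time To Live: 150 sec
Version :
P00303020204
Duplex: full
sysName: a-switch
Power drawn: 6.300 Watts
"""

DEVICE_RE = re.compile(r"^-*\s*Device ID:\s*(.+)$")
KEY_RE = re.compile(
    r"^(Advertisement version|Entry address\(es\)|IP address|CLNS address|"
    r"DECnet address|Platform|Interface|Capabilities|Port ID \(outgoing port\)|"
    r"Time To Live|Holdtime|Version|Duplex|sysName|Power drawn)\s*:\s*(.*)$")
FIELD_NAMES = {"Advertisement version": "adv_version", "Platform": "platform",
               "Interface": "local_interface", "Duplex": "duplex",
               "Port ID (outgoing port)": "remote_port_id", "sysName": "sysname"}


def parse_cdp_neighbors_detail(text):
    """One dict per neighbor block; 'version' collects the free-text lines
    that follow 'Version :' up to the next known field."""
    entries, cur, in_version = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DEVICE_RE.match(line)
        if m:
            cur = {"device_id": m.group(1).strip(), "addresses": [],
                   "capabilities": [], "version": []}
            entries.append(cur)
            in_version = False
            continue
        if cur is None:
            continue
        m = KEY_RE.match(line)
        if not m:
            if in_version:
                cur["version"].append(line)
            continue
        key, val = m.group(1), m.group(2).strip().rstrip(",")
        in_version = key == "Version"
        if key in ("IP address", "CLNS address", "DECnet address"):
            cur["addresses"].append((key.split()[0], val))
        elif key == "Capabilities":
            cur["capabilities"] = val.split()
        elif key in ("Time To Live", "Holdtime"):
            cur["ttl"] = int(val.split()[0])          # "123 sec" -> 123
        elif key == "Power drawn":
            cur["power_drawn_w"] = float(val.split()[0])
        elif key in FIELD_NAMES:
            cur[FIELD_NAMES[key]] = val
    return entries


def duplex_mismatches(entries, local_duplex):
    """(port, neighbor, ours, theirs) where the advertised duplex differs from
    our configured duplex: the condition 'cdp log mismatch duplex' reports."""
    out = []
    for e in entries:
        port = e.get("local_interface")
        if port in local_duplex and "duplex" in e \
                and e["duplex"].lower() != local_duplex[port].lower():
            out.append((port, e["device_id"], local_duplex[port], e["duplex"]))
    return out


def routers_on_unexpected_ports(entries, uplink_ports):
    """Neighbors advertising the Router capability on ports that are not known
    uplinks; a useful alert condition on access-layer ports."""
    return [(e.get("local_interface"), e["device_id"]) for e in entries
            if "Router" in e["capabilities"]
            and e.get("local_interface") not in uplink_ports]
```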
8.20 show cdp tlv
To display information about TLVs sent by CDP on all ports or on a specific port,
use the show cdp tlv command in Privileged EXEC mode.
Syntax
show cdp tlv [interface-id]
Parameters
interface-id—Port ID.
Default Configuration
TLVs for all ports.
Command Mode
Privileged EXEC mode
User Guidelines
You can use the show cdp tlv command to verify the TLVs configured to be sent in
CDP packets. The show cdp tlv command displays information for a single port if
one is specified, or for all ports if none is specified. Information for a port
is displayed only if CDP is actually running on the port, i.e. CDP is enabled
globally and on the port, and the port is up.
Examples:
Example 1 - In this example, CDP is disabled and no information is displayed.
switchxxxxxx# show cdp tlv
cdp globally is disabled
Example 2 - In this example, CDP is globally enabled but disabled on the port and
no information is displayed.
switchxxxxxx# show cdp tlv te1/0/2
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/2
CDP is disabled on te1/0/2
Example 3 - In this example, CDP is globally enabled and enabled on the port, but
the port is down and no information is displayed.
switchxxxxxx# show cdp tlv interface te1/0/2
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/3
CDP is enabled on te1/0/3
Ethernet te1/0/3 is down
Example 4 - In this example, CDP is globally enabled, and no ports are specified,
so information is displayed for all ports on which CDP is enabled and which are up.
switchxxxxxx# show cdp tlv interface
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/1
CDP is enabled
Ethernet te1/0/1 is up,
Device ID TLV: type is MAC address; Value is 00:11:22:22:33:33:44:44
Address TLV: IPv4:
1.2.2.2 IPv6:
Port_ID TLV: te1/0/1
Capabilities: S, I
Version TLV: 1 and 2
Platform TLV: VSD Ardd
Native VLAN TLV: 1
Full/Half Duplex TLV: full-duplex
Appliance VLAN_ID TLV: Appliance-ID is 1; VLAN-ID is 100
COS for Untrusted Ports TLV: 1
sysName: a-switch
4-wire Power-via-MDI (UPOE) TLV:
4-pair PoE Supported: No
Power Available TLV: Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
Interface TLV: te1/0/2
CDP is disabled on te1/0/2
Interface TLV: te1/0/3
CDP is enabled on te1/0/3
Ethernet te1/0/3 is down
Example 5 - In this example, CDP is globally enabled and enabled on the PSE PoE
port, which is up and information is displayed.
switchxxxxxx# show cdp tlv interface te1/0/1
cdp globally is enabled
Capability Codes: R - Router,T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater,
P - VoIP Phone,M - Remotely-Managed Device,
C - CAST Phone Port, W - Two-Port MAC Relay
Interface TLV: te1/0/1
CDP is enabled
Ethernet te1/0/1 is up,
Device ID TLV: type is MAC address; Value is 00:11:22:22:33:33:44:44
Address TLV: IPv4:
1.2.2.2 IPv6:
Port_ID TLV: te1/0/1
Capabilities: S, I
Version TLV: 1 and 2
Platform TLV: VSD Ardd
Native VLAN TLV: 1
Full/Half Duplex TLV: full-duplex
Appliance VLAN_ID TLV: Appliance-ID is 1; VLAN-ID is 100
COS for Untrusted Ports TLV: 1
sysName: a-switch
Power Available TLV: Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
4-wire Power-via-MDI (UPOE) TLV:
4-pair PoE Supported: Yes
Spare pair Detection/Classification required: Yes
PD Spare Pair Desired State: Disabled
PSE Spare Pair Operational State: Disabled
Request-ID is 1 Power management-ID is 1;
Available-Power is 15.4;
Management-Power-Level is 0xFFFFFFFF
8.21 show cdp traffic
To display the CDP counters, including the number of packets sent and received
and checksum errors, use the show cdp traffic command in Privileged EXEC
mode.
Syntax
show cdp traffic [global | interface-id]
Parameters
• global—Display only the global counters.
• interface-id—Port for which counters should be displayed.
Command Mode
Privileged EXEC mode
User Guidelines
Use the show cdp traffic command without parameters to display all the counters.
Use the show cdp traffic global command to display only the global counters.
Use the show cdp traffic interface-id command to display the counters of the
given port.
Example
switchxxxxxx# show cdp traffic
CDP Global counters:
Total packets output: 81684, Input: 81790
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81784, Input 0
te1/0/1
Total packets output: 81684, Input: 81790
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81784, Input 0
te1/0/2
Total packets output: 81684, Input: 81790
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81784, Input 0
Field Definition:
• Total packets output—The number of CDP advertisements sent by the local device. Note that this value is the sum of the CDP Version 1 advertisements output and CDP Version 2 advertisements output fields.
• Input—The number of CDP advertisements received by the local device. Note that this value is the sum of the CDP Version 1 advertisements input and CDP Version 2 advertisements input fields.
• Hdr syntax—The number of CDP advertisements with bad headers, received by the local device.
• Chksum error—The number of times the checksum (verifying) operation failed on incoming CDP advertisements.
• No memory—The number of times the local device did not have enough memory to store the CDP advertisements in the advertisement cache table when the device was attempting to assemble advertisement packets for transmission and parse them when receiving them.
• Invalid—The number of invalid CDP advertisements received.
• CDP version 1 advertisements output—The number of CDP Version 1 advertisements sent by the local device.
• CDP version 1 advertisements Input—The number of CDP Version 1 advertisements received by the local device.
• CDP version 2 advertisements output—The number of CDP Version 2 advertisements sent by the local device.
• CDP version 2 advertisements Input—The number of CDP Version 2 advertisements received by the local device.
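Added example (not Cisco's code or output): a parser for the show cdp traffic counter layout above that checks the two sum invariants stated in the field definitions (Total packets output equals the v1 plus v2 outputs, Input equals the v1 plus v2 inputs) and reports any non-zero Hdr syntax, Chksum error or Invalid packet counter, the counters that rise when malformed CDP frames arrive on a port. SAMPLE_TRAFFIC and its values are constructed.

```python
"""Parser and consistency check for 'show cdp traffic' output (constructed
example; SAMPLE_TRAFFIC and its counter values are assumptions)."""
import re

SAMPLE_TRAFFIC = """\
CDP Global counters:
Total packets output: 81684, Input: 81790
Hdr syntax: 3, Chksum error: 0, Invalid packet: 1
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 81584, Input 81790
te1/0/1
Total packets output: 40000, Input: 40001
Hdr syntax: 3, Chksum error: 0, Invalid packet: 1
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 0, Input 0
CDP version 2 advertisements output: 40000, Input 40001
te1/0/2
Total packets output: 41684, Input: 41789
Hdr syntax: 0, Chksum error: 0, Invalid packet: 0
No memory in main cache: 0, in secondary cache: 0
CDP version 1 advertisements output: 100, Input 0
CDP version 2 advertisements output: 41584, Input 41789
"""

# (field name, regex with one capture group); every pattern is tried per line
COUNTER_PATTERNS = [
    ("total_output", r"Total packets output:\s*(\d+)"),
    ("total_input", r"\bInput:\s*(\d+)"),          # only the colon form
    ("hdr_syntax", r"Hdr syntax:\s*(\d+)"),
    ("chksum_error", r"Chksum error:\s*(\d+)"),
    ("invalid", r"Invalid packet:\s*(\d+)"),
    ("no_mem_main", r"No memory in main cache:\s*(\d+)"),
    ("no_mem_secondary", r"in secondary cache:\s*(\d+)"),
    ("v1_output", r"version 1 advertisements output:\s*(\d+)"),
    ("v1_input", r"version 1 advertisements output:\s*\d+,\s*Input\s+(\d+)"),
    ("v2_output", r"version 2 advertisements output:\s*(\d+)"),
    ("v2_input", r"version 2 advertisements output:\s*\d+,\s*Input\s+(\d+)"),
]
SECTION_RE = re.compile(r"^[a-z]{2}\d+/\d+/\d+$")   # e.g. te1/0/1, gi1/0/5


def parse_cdp_traffic(text):
    """Return {'global': {...}, 'te1/0/1': {...}, ...} of integer counters."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "CDP Global counters:":
            cur = sections.setdefault("global", {})
            continue
        if SECTION_RE.match(line):
            cur = sections.setdefault(line, {})
            continue
        if cur is None:
            continue
        for name, pat in COUNTER_PATTERNS:
            m = re.search(pat, line)
            if m:
                cur[name] = int(m.group(1))
    return sections


def check_cdp_traffic(sections):
    """Findings as (section, message): sum invariants that do not hold, and
    any non-zero header/checksum/invalid counter (malformed CDP on the wire)."""
    findings = []
    for name, c in sections.items():
        if c.get("v1_output", 0) + c.get("v2_output", 0) != c.get("total_output"):
            findings.append((name, "output total != v1 + v2 output"))
        if c.get("v1_input", 0) + c.get("v2_input", 0) != c.get("total_input"):
            findings.append((name, "input total != v1 + v2 input"))
        for key in ("hdr_syntax", "chksum_error", "invalid"):
            if c.get(key, 0):
                findings.append((name, f"{key}={c[key]}"))
    return findings


if __name__ == "__main__":
    for section, message in check_cdp_traffic(parse_cdp_traffic(SAMPLE_TRAFFIC)):
        print(section, message)
```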
9
Clock Commands
9.1 absolute
To specify an absolute time when a time range is in effect, use the absolute
command in Time-range Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
absolute start hh:mm day month year
no absolute start
absolute end hh:mm day month year
no absolute end
Parameters
• start—Absolute time and date at which the permit or deny statement of the associated function goes into effect. If no start time and date are specified, the function is in effect immediately.
• end—Absolute time and date at which the permit or deny statement of the associated function is no longer in effect. If no end time and date are specified, the function is in effect indefinitely.
• hh:mm—Time in hours (military format) and minutes. (Range: hh: 0–23, mm: 0–59)
• day—Day (by date) in the month. (Range: 1–31)
• month—Month (first three letters by name). (Range: Jan...Dec)
• year—Year (no abbreviation). (Range: 2000–2097)
Default Configuration
There is no absolute time when the time range is in effect.
Command Mode
Time-range Configuration mode
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005
switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005
9.2 clock dhcp timezone
To specify that the timezone and the Summer Time (Daylight Saving Time) of the
system can be taken from the DHCP Timezone option, use the clock dhcp
timezone command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
clock dhcp timezone
no clock dhcp timezone
Parameters
N/A
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
The TimeZone taken from the DHCP server has precedence over the static
TimeZone.
The Summer Time taken from the DHCP server has precedence over static
SummerTime.
The TimeZone and SummerTime remain effective after the IP address lease time
has expired.
The TimeZone and SummerTime that are taken from the DHCP server are cleared
after reboot.
The no form of the command clears the dynamic Time Zone and Summer Time taken
from the DHCP server.
In case of multiple DHCP-enabled interfaces, the following precedence is applied:
- information received from DHCPv6 precedes information received from DHCPv4
- information received from the DHCP client running on a lower interface
precedes information received from the DHCP client running on a higher interface
Disabling the DHCP client from which the DHCP-TimeZone option was taken clears
the dynamic Time Zone and Summer Time configuration.
Example
switchxxxxxx(config)# clock dhcp timezone
9.3 clock set
To set the system clock manually, use the clock set command in Privileged EXEC
mode.
Syntax
clock set hh:mm:ss {[day month] | [month day]} year
Parameters
• hh:mm:ss—Specifies the current time in hours (military format), minutes, and seconds. (Range: hh: 0-23, mm: 0-59, ss: 0-59)
• day—Specifies the current day of the month. (Range: 1-31)
• month—Specifies the current month using the first three letters of the month name. (Range: Jan–Dec)
• year—Specifies the current year. (Range: 2000–2037)
Default Configuration
The time of the image creation.
Command Mode
Privileged EXEC mode
User Guidelines
After boot the system clock is set to the time of the image creation.
Example
The following example sets the system time to 13:32:00 on March 7th, 2005.
switchxxxxxx# clock set 13:32:00 7 Mar 2005
9.4 clock source
To configure an external time source for the system clock, use the clock source
command in Global Configuration mode. To disable the external time source, use
the no form of this command.
Syntax
clock source {sntp | browser}
no clock source {sntp | browser}
Parameters
• sntp—(Optional) Specifies that an SNTP server is the external clock source.
• browser—(Optional) Specifies that if the system clock is not already set (either manually or by SNTP) and a user logs in to the device using a web browser (either via HTTP or HTTPS), the system clock will be set according to the browser's time information.
Default Configuration
SNTP
Command Mode
Global Configuration mode
User Guidelines
After boot the system clock is set to the time of the image creation.
If no parameter is specified, SNTP will be configured as the time source.
If the command is executed twice, each time with a different clock source, both
sources are operational; SNTP has higher priority than the time from the browser.
Example
The following example configures an SNTP server as an external time source for
the system clock.
switchxxxxxx(config)# clock source sntp
switchxxxxxx(config)# clock source browser
switchxxxxxx(config)# exit
switchxxxxxx# show clock
*10:46:48 UTC May 28 2013
Time source is sntp
Time from Browser is enabled
9.5 clock summer-time
To configure the system to automatically switch to summer time (Daylight Saving
Time), use the clock summer-time command in Global Configuration mode. To
restore the default configuration, use the no form of this command.
Syntax
clock summer-time zone recurring {usa | eu | {week day month hh:mm week day
month hh:mm}} [offset]
clock summer-time zone date day month year hh:mm date month year hh:mm
[offset]
clock summer-time zone date month day year hh:mm month day year hh:mm
[offset]
no clock summer-time
Parameters
• zone—The acronym of the time zone to be displayed when summer time is in effect. (Range: up to 4 characters)
• recurring—Indicates that summer time starts and ends on the corresponding specified days every year.
• date—Indicates that summer time starts on the first date listed in the command and ends on the second date in the command.
• usa—The summer time rules are the United States rules.
• eu—The summer time rules are the European Union rules.
• week—Week of the month. Can be 1–5, first to last.
• day—Day of the week (first three characters by name, such as Sun).
• date—Date of the month. (Range: 1–31)
• month—Month (first three characters by name, such as Feb).
• year—Year (no abbreviation). (Range: 2000–2097)
• hh:mm—Time (military format) in hours and minutes. (Range: hh: 0–23, mm: 0–59)
• offset—(Optional) Number of minutes to add during summer time (default is 60). (Range: 1440)
Default Configuration
Summer time is disabled.
Command Mode
Global Configuration mode
User Guidelines
In both the date and recurring forms of the command, the first part of the command
specifies when summer time begins, and the second part specifies when it ends.
All times are relative to the local time zone. The start time is relative to standard
time. The end time is relative to summer time. If the starting month is
chronologically after the ending month, the system assumes that you are in the
southern hemisphere.
USA rules for Daylight Saving Time:
• From 2007:
- Start: Second Sunday in March
- End: First Sunday in November
- Time: 2 AM local time
• Before 2007:
- Start: First Sunday in April
- End: Last Sunday in October
- Time: 2 AM local time
EU rules for Daylight Saving Time:
• Start: Last Sunday in March
• End: Last Sunday in October
• Time: 1.00 am (01:00) Greenwich Mean Time (GMT)
Example
switchxxxxxx(config)# clock summer-time abc date apr 1 2010 09:00 aug 2 2010
09:00
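The rule semantics above (start relative to standard time, end relative to summer time, hemisphere inferred from the month order, EU boundaries given in GMT) are easy to get wrong when scripting clock checks. The following is an added example, not code from the Cisco guide or the switch: a small Python evaluator that takes a recurring rule in the same shape as the command (usa, eu, or a pair of week day month hh:mm specifications) and reports whether summer time applies and what wall-clock time would be displayed. The function names, the treatment of week 5 as "last", and the utc_offset_hours argument used to turn the EU rule's GMT times into local time are assumptions of this example.

```python
"""Added example, not part of the Cisco guide: evaluate a 'clock summer-time'
recurring rule as the guide describes it (start relative to standard time,
end relative to summer time, southern hemisphere when start month > end month)."""
from calendar import monthrange, weekday
from datetime import datetime, timedelta

DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}

# Keyword rules as listed in the guide (USA from 2007; EU boundaries are in GMT).
# Each entry: (start spec, end spec, boundaries_are_gmt)
KEYWORD_RULES = {
    "usa": ((2, "sun", "mar", "02:00"), (1, "sun", "nov", "02:00"), False),
    "eu":  ((5, "sun", "mar", "01:00"), (5, "sun", "oct", "01:00"), True),
}

def nth_weekday(year, month, week, day):
    """Date of the <week>-th <day> in <month>; week 5 means 'last' (CLI range 1-5)."""
    first_wd, ndays = monthrange(year, month)
    if week == 5:
        last = ndays - (weekday(year, month, ndays) - DAYS[day]) % 7
        return datetime(year, month, last)
    first = 1 + (DAYS[day] - first_wd) % 7
    return datetime(year, month, first + 7 * (week - 1))

def _at(year, spec):
    """Turn a (week, day, month, 'hh:mm') spec into a datetime in <year>."""
    week, day, month, hhmm = spec
    hh, mm = (int(x) for x in hhmm.split(":"))
    return nth_weekday(year, MONTHS[month], week, day) + timedelta(hours=hh, minutes=mm)

def boundaries(year, rule, offset_minutes=60, utc_offset_hours=0):
    """(start, end) of summer time in <year>, both in local STANDARD time.
    rule is 'usa', 'eu', or a pair of (week, day, month, 'hh:mm') tuples."""
    if rule in KEYWORD_RULES:
        start_spec, end_spec, in_gmt = KEYWORD_RULES[rule]
    else:
        start_spec, end_spec, in_gmt = rule[0], rule[1], False
    start, end = _at(year, start_spec), _at(year, end_spec)
    if in_gmt:
        # EU switches at 01:00 GMT both ways; shift both boundaries to local time.
        shift = timedelta(hours=utc_offset_hours)
        return start + shift, end + shift
    # Guide: the end time is given in summer time, so pull it back to standard time.
    return start, end - timedelta(minutes=offset_minutes)

def summer_time_in_effect(t, rule, offset_minutes=60, utc_offset_hours=0):
    """t is local standard time (datetime or ISO string). True when summer time applies."""
    t = datetime.fromisoformat(t) if isinstance(t, str) else t
    start, end = boundaries(t.year, rule, offset_minutes, utc_offset_hours)
    if start <= end:                       # northern hemisphere: one span within the year
        return start <= t < end
    return t >= start or t < end           # southern hemisphere: span wraps the year end

def displayed_time(t, rule, offset_minutes=60, utc_offset_hours=0):
    """Wall-clock time the switch would show for standard time t."""
    t = datetime.fromisoformat(t) if isinstance(t, str) else t
    if summer_time_in_effect(t, rule, offset_minutes, utc_offset_hours):
        return t + timedelta(minutes=offset_minutes)
    return t

if __name__ == "__main__":
    for stamp in ("2013-03-10 01:59", "2013-03-10 02:00", "2013-11-03 00:59", "2013-11-03 01:00"):
        print(stamp, "USA summer time:", summer_time_in_effect(stamp, "usa"))
```

Times are passed in standard time on purpose: that is what the guide says the start boundary is relative to, and converting the end boundary (given in summer time) back by the offset keeps both comparisons in one time scale.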
9.6 clock timezone
To set the time zone for display purposes, use the clock timezone command in
Global Configuration mode. To restore the default configuration, use the no form of
this command.
Syntax
clock timezone zone hours-offset [minutes-offset]
no clock timezone
Parameters
• zone—The acronym of the time zone. (Range: Up to 4 characters)
• hours-offset—Hours difference from UTC. (Range: (-12)–(+13))
• minutes-offset—(Optional) Minutes difference from UTC. (Range: 0–59)
Default Configuration
Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT), which is the
same:
• Offsets are 0.
• Acronym is empty.
Command Mode
Global Configuration mode
User Guidelines
The system internally keeps time in UTC, so this command is used only for display
purposes and when the time is manually set.
Example
switchxxxxxx(config)# clock timezone abc +2 minutes 32
9.7 periodic
To specify a recurring (weekly) time range for functions that support the
time-range feature, use the periodic command in Time-range Configuration mode.
To restore the default configuration, use the no form of this command.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
no periodic day-of-the-week hh:mm to day-of-the-week hh:mm
periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2…
day-of-the-week7]
no periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2…
day-of-the-week7]
periodic list hh:mm to hh:mm all
no periodic list hh:mm to hh:mm all
Parameters
• day-of-the-week—The starting day that the associated time range is in
effect. The second occurrence is the ending day the associated statement
is in effect. The second occurrence can be the following week (see
description in the User Guidelines). Possible values are: mon, tue, wed, thu,
fri, sat, and sun.
• hh:mm—The first occurrence of this argument is the starting hours:minutes
(military format) that the associated time range is in effect. The second
occurrence is the ending hours:minutes (military format) the associated
statement is in effect. The second occurrence can be at the following day
(see description in the User Guidelines). (Range: hh: 0–23, mm: 0–59)
• list day-of-the-week1—Specifies a list of days that the time range is in effect.
Default Configuration
There is no periodic time when the time range is in effect.
Command Mode
Time-range Configuration mode
User Guidelines
The second occurrence of the day can be at the following week, e.g. Thursday–
Monday means that the time range is effective on Thursday, Friday, Saturday,
Sunday, and Monday.
The second occurrence of the time can be on the following day, e.g. “22:00–2:00”.
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
9.8 sntp anycast client enable
To enable the SNTP Anycast client, use the sntp anycast client enable command in
Global Configuration mode. To restore the default configuration, use the no form of
this command.
Syntax
sntp anycast client enable [both | ipv4 | ipv6]
no sntp anycast client enable
Parameters
• both—(Optional) Specifies that both the IPv4 and IPv6 SNTP Anycast clients are enabled. This is the default when no parameter is given.
• ipv4—(Optional) Specifies that the IPv4 SNTP Anycast client is enabled.
• ipv6—(Optional) Specifies that the IPv6 SNTP Anycast client is enabled.
Default Configuration
The SNTP anycast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use this command to enable the SNTP Anycast client.
Example
The following example enables SNTP Anycast clients.
switchxxxxxx(config)# sntp anycast client enable
9.9 sntp authenticate
To enable authentication for received SNTP traffic from servers, use the sntp
authenticate command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
sntp authenticate
no sntp authenticate
Parameters
N/A
Default Configuration
Authentication is disabled.
Command Mode
Global Configuration mode
Examples
The following example enables authentication for received SNTP traffic, defines
an MD5 authentication key and marks that key as trusted.
switchxxxxxx(config)# sntp authenticate
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp trusted-key 8
9.10 sntp authentication-key
To define an authentication key for Simple Network Time Protocol (SNTP), use the
sntp authentication-key command in Global Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
sntp authentication-key key-number md5 key-value
encrypted sntp authentication-key key-number md5 encrypted-key-value
no sntp authentication-key key-number
Parameters
• key-number—Specifies the key number. (Range: 1–4294967295)
• key-value—Specifies the key value. (Length: 1–8 characters)
• encrypted-key-value—Specifies the key value in encrypted format.
Default Configuration
No authentication key is defined.
Command Mode
Global Configuration mode
Examples
The following example defines the authentication key for SNTP.
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp trusted-key 8
switchxxxxxx(config)# sntp authenticate
9.11 sntp broadcast client enable
To enable SNTP Broadcast clients, use the sntp broadcast client enable command
in Global Configuration mode. To restore the default configuration, use the no form
of this command.
Syntax
sntp broadcast client enable [both | ipv4 | ipv6]
no sntp broadcast client enable
Parameters
• both—(Optional) Specifies that both the IPv4 and IPv6 SNTP Broadcast clients are enabled. This is the default when no parameter is given.
• ipv4—(Optional) Specifies that the IPv4 SNTP Broadcast client is enabled.
• ipv6—(Optional) Specifies that the IPv6 SNTP Broadcast client is enabled.
Default Configuration
The SNTP Broadcast client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp broadcast client enable Interface Configuration mode command to
enable the SNTP Broadcast client on a specific interface.
After entering this command, you must enter the clock source command with the
sntp keyword for the command to be run. If this command is not run, the switch will
not synchronize with Broadcast servers.
Example
The following example enables SNTP Broadcast clients.
switchxxxxxx(config)# sntp broadcast client enable
9.12 sntp client enable
To enable the SNTP Broadcast and Anycast client, use the sntp client enable
command in Global Configuration mode. To restore the default configuration, use
the no form of this command.
Syntax
sntp client enable interface-id
no sntp client enable interface-id
Parameters
• interface-id—Specifies an interface ID, which can be one of the following
types: Ethernet port, Port-channel or VLAN.
Default Configuration
The SNTP client is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp client enable command to enable SNTP Broadcast and Anycast
clients.
Example
The following example enables the SNTP Broadcast and Anycast clients on VLAN
100:
switchxxxxxx(config)# sntp client enable vlan 100
9.13 sntp client enable (interface)
To enable the SNTP Broadcast and Anycast client on an interface, use the sntp
client enable command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
sntp client enable
no sntp client enable
Parameters
N/A
Default Configuration
The SNTP client is disabled on an interface.
Command Mode
Interface Configuration mode
User Guidelines
This command enables the SNTP Broadcast and Anycast client on an interface.
Use the no form of this command to disable the SNTP client.
Example
The following example enables the SNTP broadcast and anycast client on an
interface.
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# sntp client enable
switchxxxxxx(config-if)# exit
9.14 sntp server
To configure the device to use the SNTP to request and accept Network Time
Protocol (NTP) traffic from a specified server (meaning to accept system time from
an SNTP server), use the sntp server command in Global Configuration mode. To
remove a server from the list of SNTP servers, use the no form of this command.
Syntax
sntp server {default | {{ip-address | hostname} [poll] [key keyid]}}
no sntp server [ip-address | hostname]
Parameters
• default—Default defined SNTP servers.
• ip-address—Specifies the server IP address. This can be an IPv4, IPv6 or IPv6z address.
• hostname—Specifies the server hostname. Only translation to IPv4 addresses is supported. (Length: 1–158 characters. Maximum label length for each part of the hostname: 63 characters)
• poll—(Optional) Enables polling.
• key keyid—(Optional) Specifies the authentication key to use when sending packets to this peer. (Range: 1–4294967295)
Default Configuration
The following servers with polling and without authentication are defined:
• time-a.timefreq.bldrdoc.gov
• time-b.timefreq.bldrdoc.gov
• time-c.timefreq.bldrdoc.gov
Command Mode
Global Configuration mode
User Guidelines
Use the sntp server {ip-address | hostname} [poll] [key keyid] command to define an
SNTP server. The switch supports up to 8 SNTP servers.
Use the sntp server default command to return to the default configuration.
Use the no sntp server {ip-address | hostname} command to remove one SNTP
server.
Use no sntp server without a server argument to remove all SNTP servers.
Example
The following example configures the device to accept SNTP traffic from the
server on 192.1.1.1 with polling.
switchxxxxxx(config)# sntp server 192.1.1.1 poll
9.15 sntp source-interface
To specify the source interface whose IPv4 address will be used as the source
IPv4 address for communication with IPv4 SNTP servers, use the sntp
source-interface command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
sntp source-interface interface-id
no sntp source-interface
Parameters
• interface-id—Specifies the source interface.
Default Configuration
The source IPv4 address is the IPv4 address defined on the outgoing interface
that belongs to the next-hop IPv4 subnet.
Command Mode
Global Configuration mode
User Guidelines
If the source interface is the outgoing interface, the interface IP address that
belongs to the next-hop IPv4 subnet is applied.
If the source interface is not the outgoing interface, the minimal IPv4 address
defined on the interface is applied.
If there is no available IPv4 source address, a SYSLOG message is issued when
attempting to communicate with an IPv4 SNTP server.
OOB cannot be defined as a source interface.
Example
The following example configures the VLAN 10 as the source interface.
switchxxxxxx(config)# sntp source-interface vlan 10
9.16 sntp source-interface-ipv6
To specify the source interface whose IPv6 address will be used as the source
IPv6 address for communication with IPv6 SNTP servers, use the sntp
source-interface-ipv6 command in Global Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
sntp source-interface-ipv6 interface-id
no sntp source-interface-ipv6
Parameters
• interface-id—Specifies the source interface.
Default Configuration
The IPv6 source address is the IPv6 address defined on the outgoing interface and
selected in accordance with RFC 6724.
Command Mode
Global Configuration mode
User Guidelines
The outgoing interface is selected based on the SNTP server's IP address. If the
source interface is the outgoing interface, the IPv6 address defined on that
interface and selected in accordance with RFC 6724 is applied.
If the source interface is not the outgoing interface, the minimal IPv6 address
defined on the interface that has the scope of the destination IPv6 address is
applied.
If there is no available IPv6 source address, a SYSLOG message is issued when
attempting to communicate with an IPv6 SNTP server.
Example
The following example configures the VLAN 10 as the source interface.
switchxxxxxx(config)# sntp source-interface-ipv6 vlan 10
9.17 sntp trusted-key
To define the trusted key, use the sntp trusted-key command in Global
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
sntp trusted-key key-number
no sntp trusted-key key-number
Parameters
• key-number—Specifies the key number of the authentication key to be
trusted. (Range: 1–4294967295).
Default Configuration
No keys are trusted.
Command Mode
Global Configuration mode
User Guidelines
The trusted key is used to authenticate all servers that do not have a specific
key assigned with the key keyword of the sntp server command.
Examples
The following example authenticates key 8.
switchxxxxxx(config)# sntp authentication-key 8 md5 ClkKey
switchxxxxxx(config)# sntp trusted-key 8
switchxxxxxx(config)# sntp authenticate
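The three commands sntp authentication-key, sntp trusted-key and sntp authenticate each gate a different step of the check the client runs on a server reply: the key must be defined, it must be trusted, and checking must be switched on at all. The following added example, not code from the Cisco guide or the switch firmware, walks those steps in Python over a constructed SNTP reply carrying the RFC 5905 MD5 authenticator (a 32-bit key identifier followed by MD5 over key || packet). The packet builder, function names and sample timestamps are this example's own; the key id 8 and value ClkKey match the guide's examples.

```python
"""Added example, not part of the Cisco guide: how an SNTP client verifies the
RFC 5905 MD5 authenticator on a server reply, mirroring the three CLI knobs
('sntp authentication-key', 'sntp trusted-key', 'sntp authenticate')."""
import hashlib
import hmac
import struct

HDR_LEN = 48          # fixed NTP header length
MAC_LEN = 4 + 16      # 32-bit key identifier + MD5 digest

def build_sntp_reply(transmit_ts=0x1234567890ABCDEF, stratum=2):
    """Constructed sample: a minimal NTP v4 server reply header, no extension
    fields, arbitrary timestamps."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                      # LI=0, version 4, mode 4 = server
    head = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # poll 2^6 s, precision 2^-20 s
    root = struct.pack("!II", 0, 0)                           # root delay, root dispersion
    ref_id = b"GPS\x00"
    stamps = struct.pack("!QQQQ", transmit_ts - 1000, 0, transmit_ts - 1, transmit_ts)
    return head + root + ref_id + stamps

def append_mac(packet, key_id, key):
    """Server side: MAC = key id || MD5(key || packet), as in RFC 5905 Appendix A."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()

def verify_reply(packet, keys, trusted_keys, authenticate=True):
    """Client side. keys: {key_id: bytes} from 'sntp authentication-key';
    trusted_keys: set of ids from 'sntp trusted-key'; authenticate: 'sntp authenticate'.
    Returns (accepted, reason)."""
    if not authenticate:
        return True, "authentication disabled: reply accepted unverified"
    if len(packet) < HDR_LEN + MAC_LEN:
        return False, "no MAC on reply"
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    if key_id not in trusted_keys:
        return False, f"key id {key_id} is defined but not trusted"
    expected = hashlib.md5(keys[key_id] + body).digest()
    if not hmac.compare_digest(expected, mac[4:]):        # constant-time comparison
        return False, "digest mismatch: packet altered or wrong key"
    return True, "authenticated"

if __name__ == "__main__":
    # Same key material as the guide's example: key number 8, value ClkKey.
    keys, trusted = {8: b"ClkKey"}, {8}
    reply = append_mac(build_sntp_reply(), 8, b"ClkKey")
    print(verify_reply(reply, keys, trusted))
    tampered = bytearray(reply)
    tampered[40] ^= 0x01                      # flip one bit in the transmit timestamp
    print(verify_reply(bytes(tampered), keys, trusted))
    print(verify_reply(build_sntp_reply(), keys, trusted))   # reply without any MAC
```

Note what the third call shows: once sntp authenticate is on, a reply with no MAC at all is rejected, which is the point of the command; without it (authenticate=False) the same reply would be accepted unverified.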
9.18 sntp unicast client enable
To enable the device to use Simple Network Time Protocol (SNTP) Unicast clients,
use the sntp unicast client enable command in Global Configuration mode. To
disable the SNTP Unicast clients, use the no form of this command.
Syntax
sntp unicast client enable
no sntp unicast client enable
Parameters
N/A
Default Configuration
The SNTP unicast clients are disabled.
Command Mode
Global Configuration mode
User Guidelines
Use the sntp server Global Configuration mode command to define SNTP servers.
Example
The following example enables the device to use SNTP Unicast clients.
switchxxxxxx(config)# sntp unicast client enable
9.19 sntp unicast client poll
To enable polling for the SNTP Unicast clients, use the sntp unicast client poll
command in Global Configuration mode. To disable the polling, use the no form of
this command.
Syntax
sntp unicast client poll
no sntp unicast client poll
Parameters
N/A
Default Configuration
Polling is enabled.
Command Mode
Global Configuration mode
User Guidelines
The polling interval is 1024 seconds.
Example
The following example enables polling for SNTP unicast clients.
switchxxxxxx(config)# sntp unicast client poll
9.20 show clock
To display the time and date from the system clock, use the show clock command
in User EXEC mode.
Syntax
show clock [detail]
Parameters
• detail—(Optional) Displays the time zone and summer time configuration.
Command Mode
User EXEC mode
User Guidelines
Before the time, one of the following is displayed: a star (*), a period (.), or a blank:
• star (*)—The clock is invalid.
• period (.)—The clock was set manually or by Browser.
• blank—The clock was set by SNTP.
Examples
Example 1 - The following example displays the system time and date.
switchxxxxxx# show clock
15:29:03 PDT(UTC-7) Jun 17 2002
Time source is SNTP
Time from Browser is enabled
Example 2 - The following example displays the system time and date along with
the time zone and summer time configuration.
switchxxxxxx# show clock detail
15:22:55 SUN Apr 23 2012
Time source is sntp
Time from Browser is enabled
Time zone (DHCPv4 on VLAN1):
Acronym is RAIN
Offset is UTC+2
Time zone (Static):
Offset is UTC+0
Summertime (DHCPv4 on VLAN1):
Acronym is SUN
Recurring every year.
Begins at first Sunday of Apr at 02:00.
Ends at first Tuesday of Sep at 02:00.
Offset is 60 minutes.
Summertime (Static):
Acronym is GMT
Recurring every year.
Begins at first Sunday of Mar at 10:00.
Ends at first Sunday of Sep at 10:00.
Offset is 60 minutes.
DHCP timezone: Enabled
9.21 show sntp configuration
To display the SNTP configuration on the device, use the show sntp configuration
command in Privileged EXEC mode.
Syntax
show sntp configuration
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Examples
The following example displays the device’s current SNTP configuration.
switchxxxxxx# show sntp configuration
SNTP port : 123
Polling interval: 1024 seconds
MD5 Authentication Keys
----------------------------------
2 John123
3 Alice456
----------------------------------
Authentication is not required for synchronization.
No trusted keys
Unicast Clients: enabled
Unicast Clients Polling: enabled
Server: 1.1.1.121
Polling: disabled
Encryption Key: disabled
Server: 3001:1:1::1
Polling: enabled
Encryption Key: disabled
Server: dns_server1.comapany.com
Polling: enabled
Encryption Key: disabled
Server: dns_server2.comapany.com
Polling: enabled
Encryption Key: disabled
Broadcast Clients: enabled for IPv4 and IPv6
Anycast Clients: disabled
No Broadcast Interfaces
Source IPv4 interface: vlan 1
Source IPv6 interface: vlan 10
9.22 show sntp status
To display the SNTP servers status, use the show sntp status command in
Privileged EXEC mode.
Syntax
show sntp status
Parameters
N/A
Default Configuration
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the SNTP servers status:
switchxxxxxx# show sntp status
Clock is synchronized, stratum 4, reference is 176.1.1.8, unicast
Reference time is afe2525e.70597b34 (00:10:22.438 PDT Jul 5 1993)
Unicast servers:
Server: 176.1.1.8
Source: DHCPv4 on VLAN 1
Status: Up
Last response: 19:58:22.289 PDT Feb 19 2005
Stratum Level: 1
Offset: 7.33mSec
Delay: 117.79mSec
Server: dns_server.comapany.com
Source: static
Status: Unknown
Last response: 12:17.17.987 PDT Feb 19 2005
Stratum Level: 1
Offset: 8.98mSec
Delay: 189.19mSec
Server: 3001:1:1::1
Source: DHCPv6 on VLAN 2
Status: Unknown
Last response:
Offset: mSec
Delay: mSec
Server: dns1.company.com
Source: DHCPv6 on VLAN 20
Status: Unknown
Last response:
Offset: mSec
Delay: mSec
Anycast servers:
Server: 176.1.11.8
Interface: VLAN 112
Status: Up
Last response: 9:53:21.789 PDT Feb 19 2005
Stratum Level: 10
Offset: 9.98mSec
Delay: 289.19mSec
Broadcast servers:
Server: 3001:1::12
Interface: VLAN 101
Last response: 9:53:21.789 PDT Feb 19 2005
Stratum Level: 255
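An unsynchronized switch clock quietly breaks log correlation, so the status output above is worth checking from a script rather than by eye. The following added example, not code from the Cisco guide, parses a constructed sample in the same layout as the output above and reports whether the clock is synchronized and which servers are not Up. It assumes the line layout shown (a "Clock is synchronized, stratum N, reference is X, kind" summary followed by per-server Server:, Status:, Stratum Level: and Offset: lines); the "Clock is unsynchronized" wording, the offset threshold and the function names are this example's assumptions.

```python
"""Added example, not part of the Cisco guide: audit the text of 'show sntp status'
and report whether the clock is synchronized and which servers are not answering."""
import re

# Constructed sample modelled on the guide's output format (trimmed to three servers).
SAMPLE = """\
Clock is synchronized, stratum 4, reference is 176.1.1.8, unicast
Reference time is afe2525e.70597b34 (00:10:22.438 PDT Jul 5 1993)
Unicast servers:
Server: 176.1.1.8
Source: DHCPv4 on VLAN 1
Status: Up
Last response: 19:58:22.289 PDT Feb 19 2005
Stratum Level: 1
Offset: 7.33mSec
Delay: 117.79mSec
Server: 3001:1:1::1
Source: DHCPv6 on VLAN 2
Status: Unknown
Last response:
Offset: mSec
Delay: mSec
Anycast servers:
Server: 176.1.11.8
Interface: VLAN 112
Status: Up
Last response: 9:53:21.789 PDT Feb 19 2005
Stratum Level: 10
Offset: 9.98mSec
Delay: 289.19mSec
"""

# Summary line; the stratum/reference part is optional so an unsynchronized clock still parses.
SUMMARY_RE = re.compile(
    r"^Clock is (synchronized|unsynchronized)(?:, stratum (\d+), reference is (\S+), (\w+))?", re.M)

def parse_sntp_status(text):
    """Return {'synchronized': bool, 'stratum': int|None, 'reference': str|None,
    'servers': [{'server', 'kind', 'status', 'stratum', 'offset_ms'}, ...]}."""
    result = {"synchronized": False, "stratum": None, "reference": None, "servers": []}
    m = SUMMARY_RE.search(text)
    if m:
        result["synchronized"] = m.group(1) == "synchronized"
        result["stratum"] = int(m.group(2)) if m.group(2) else None
        result["reference"] = m.group(3)
    kind, cur = None, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("servers:"):
            kind = line.split()[0].lower()           # unicast / anycast / broadcast
            continue
        key, _, value = line.partition(":")          # split at the FIRST colon (IPv6 safe)
        key, value = key.strip(), value.strip()
        if key == "Server":
            cur = {"server": value, "kind": kind, "status": None, "stratum": None, "offset_ms": None}
            result["servers"].append(cur)
        elif cur is None:
            continue                                 # header lines before the first server
        elif key == "Status":
            cur["status"] = value
        elif key == "Stratum Level" and value.isdigit():
            cur["stratum"] = int(value)
        elif key == "Offset" and value.endswith("mSec") and value[:-4]:
            cur["offset_ms"] = float(value[:-4])     # 'Offset: mSec' (empty) is skipped
    return result

def findings(text, max_offset_ms=500.0):
    """Human-readable findings; an empty list means the time source looks healthy."""
    st = parse_sntp_status(text)
    out = []
    if not st["synchronized"]:
        out.append("clock is not synchronized")
    for s in st["servers"]:
        if s["status"] != "Up":
            out.append(f"{s['kind']} server {s['server']} status {s['status']}")
        elif s["offset_ms"] is not None and abs(s["offset_ms"]) > max_offset_ms:
            out.append(f"{s['kind']} server {s['server']} offset {s['offset_ms']} ms")
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE) or ["no findings"]:
        print(f)
```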
9.23 show time-range
To display the time range configuration, use the show time-range command in
User EXEC mode.
Syntax
show time-range time-range-name
Parameters
• time-range-name—Specifies the name of an existing time range.
Command Mode
User EXEC mode
Example
switchxxxxxx# show time-range
http-allowed
-------------
absolute start 12:00 1 Jan 2005 end 12:00 31 Dec 2005
periodic Monday 12:00 to Wednesday 12:00
9.24 time-range
To define a time range and enter Time-range Configuration mode, use the
time-range command in Global Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
• time-range-name—Specifies the name for the time range. (Range: 1–32
characters).
Default Configuration
No time range is defined
Command Mode
Global Configuration mode
User Guidelines
After entering Time-range Configuration mode with this command, use the
absolute and periodic commands to actually configure the time range. Multiple
periodic commands are allowed in a time range. Only one absolute command is
allowed.
If a time-range command has both absolute and periodic values specified, then
the periodic items are evaluated only after the absolute start time is reached, and
are not evaluated again after the absolute end time is reached.
All time specifications are interpreted as local time.
To ensure that the time range entries take effect at the desired times, the software
clock should be set by the user or by SNTP. If the software clock is not set by the
user or by SNTP, the time range is not activated.
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
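The periodic wrap-around rules described under the periodic command (Thursday to Monday spanning the weekend, 22:00 to 02:00 spanning midnight) and the absolute/periodic interaction described above are the parts of time-range evaluation that are easiest to get wrong in a review script. The following is an added example, not the switch's implementation: a Python model of a time range that applies both rules. The class and method names are this example's own, and so is the assumption that a range with no statements is never active while a range with only an absolute statement is active for the whole absolute window.

```python
"""Added example, not part of the Cisco guide: evaluate whether a time range built
from 'absolute' and 'periodic' statements is in effect, with the week and day
wrap-around described under the periodic command's User Guidelines."""
from datetime import datetime

DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
DAY_MIN, WEEK_MIN = 24 * 60, 7 * 24 * 60

def _week_minute(day, hhmm):
    """Minute of the week (Monday 00:00 = 0) for a day name and 'hh:mm'."""
    hh, mm = (int(x) for x in hhmm.split(":"))
    return DAYS[day] * DAY_MIN + hh * 60 + mm

def _as_dt(t):
    return datetime.fromisoformat(t) if isinstance(t, str) else t

class TimeRange:
    """Mirror of 'time-range <name>' with its absolute and periodic statements."""

    def __init__(self, name):
        self.name = name
        self.absolute = None          # (start, end); either side may be None
        self.entries = []             # (start_minute, end_minute) within a week

    def set_absolute(self, start=None, end=None):
        """absolute [start ...] [end ...]; only one absolute statement is allowed."""
        self.absolute = (_as_dt(start) if start else None, _as_dt(end) if end else None)

    def add_periodic(self, start_day, start_hhmm, end_day, end_hhmm):
        """periodic <day> hh:mm to <day> hh:mm; the end day may fall in the next week."""
        self.entries.append((_week_minute(start_day, start_hhmm),
                             _week_minute(end_day, end_hhmm)))

    def add_periodic_list(self, start_hhmm, end_hhmm, days):
        """periodic list hh:mm to hh:mm <days...> | all; '22:00 to 02:00' ends next day."""
        for day in (DAYS if days == "all" else days):
            start = _week_minute(day, start_hhmm)
            end = _week_minute(day, end_hhmm)
            if end <= start:
                end = (end + DAY_MIN) % WEEK_MIN     # Sunday night wraps into Monday
            self.entries.append((start, end))

    def _periodic_active(self, t):
        now = t.weekday() * DAY_MIN + t.hour * 60 + t.minute
        for start, end in self.entries:
            if start < end and start <= now < end:
                return True
            if start > end and (now >= start or now < end):   # crosses Sunday/Monday
                return True
        return False

    def active(self, t):
        """True if the range is in effect at local time t (datetime or ISO string).
        Assumed here: with no statements the range is never active, and with only an
        absolute statement it is active for the whole absolute window."""
        t = _as_dt(t)
        if self.absolute is None and not self.entries:
            return False
        if self.absolute is not None:
            start, end = self.absolute
            if start is not None and t < start:
                return False          # periodic items count only after the absolute start
            if end is not None and t >= end:
                return False          # and never again after the absolute end
        if not self.entries:
            return True
        return self._periodic_active(t)

if __name__ == "__main__":
    tr = TimeRange("http-allowed")
    tr.set_absolute("2005-01-01 12:00", "2005-12-31 12:00")
    tr.add_periodic("mon", "12:00", "wed", "12:00")
    for stamp in ("2005-06-14 09:00", "2005-06-15 13:00", "2004-06-15 09:00"):
        print(stamp, tr.active(stamp))
```

The guide's last note still applies on top of this model: the switch only evaluates a range once its clock has been set manually or by SNTP, so an unset clock means "not active" regardless of the statements.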
10
Denial of Service (DoS) Commands
10.1 security-suite deny fragmented
To discard IP fragmented packets from a specific interface, use the security-suite
deny fragmented Interface (Ethernet, Port Channel) Configuration mode
command.
To permit IP fragmented packets, use the no form of this command.
Syntax
security-suite deny fragmented {[add {ip-address | any} {mask | /prefix-length}] |
[remove {ip-address | any} {mask | /prefix-length}]}
no security-suite deny fragmented
Parameters
• add ip-address | any—Specifies the destination IP address. Use any to specify all IP addresses.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address prefix. The prefix length must be preceded by a forward slash (/).
Default Configuration
Fragmented packets are allowed from all interfaces.
If mask is unspecified, the default is 255.255.255.255.
If prefix-length is unspecified, the default is 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and
for interfaces (see the security-suite enable command).
Example
The following example attempts to discard IP fragmented packets from an
interface. It fails because the security suite is enabled with global rules only,
not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite deny fragmented add any /32
To perform this command, DoS Prevention must be enabled in the per-interface mode.
10.2 security-suite deny icmp
To discard ICMP echo requests from a specific interface (to prevent attackers from
knowing that the device is on the network), use the security-suite deny icmp
Interface (Ethernet, Port Channel) Configuration mode command.
To permit echo requests, use the no form of this command.
Syntax
security-suite deny icmp {[add {ip-address | any} {mask | /prefix-length}] | [remove
{ip-address | any} {mask | /prefix-length}]}
no security-suite deny icmp
Parameters
• ip-address | any—Specifies the destination IP address. Use any to specify all IP addresses.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address prefix. The prefix length must be preceded by a forward slash (/).
Default Configuration
Echo requests are allowed from all interfaces.
If mask is not specified, it defaults to 255.255.255.255.
If prefix-length is not specified, it defaults to 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and
for interfaces (see the security-suite enable command).
This command discards ICMP packets with "ICMP type= Echo request" that
ingress the specified interface.
Example
The following example attempts to discard echo requests from an interface. It
fails because the security suite is enabled with global rules only, not per
interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite deny icmp add any /32
To perform this command, DoS Prevention must be enabled in the per-interface mode.
10.3 security-suite deny martian-addresses
To deny packets containing system-reserved IP addresses or user-defined IP
addresses, use the security-suite deny martian-addresses Global Configuration
mode command.
To restore the default, use the no form of this command.
Syntax
security-suite deny martian-addresses {add {ip-address {mask | /prefix-length}} | remove {ip-address {mask | /prefix-length}}} (Add/remove user-specified IP addresses)
security-suite deny martian-addresses reserved {add | remove} (Add/remove system-reserved IP addresses, see the table below)
no security-suite deny martian-addresses (This command removes addresses reserved by security-suite deny martian-addresses {add {ip-address {mask | /prefix-length}} | remove {ip-address {mask | /prefix-length}}}, and removes all entries added by the user. The user can remove a specific entry by using the remove ip-address {mask | /prefix-length} parameter.)
There is no no form of the security-suite deny martian-addresses reserved {add | remove} command. Use the security-suite deny martian-addresses reserved remove command instead to remove protection (and free up hardware resources).
Parameters
• reserved add/remove—Add or remove the table of reserved addresses below.
• ip-address—Adds/discards packets with the specified IP source or destination address.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address prefix. The prefix length must be preceded by a forward slash (/).
• reserved—Discards packets with the source or destination IP address in the block of the reserved (Martian) IP addresses. See the User Guidelines for a list of reserved addresses.
Default Configuration
Martian addresses are allowed.
Command Mode
Global Configuration mode
User Guidelines
For this command to work, the security suite must be enabled globally (see the
security-suite enable command).
security-suite deny martian-addresses reserved adds or removes the addresses
in the following table:
Address Block | Present Use
0.0.0.0/8 (except when 0.0.0.0/32 is the source address) | Addresses in this block refer to source hosts on "this" network.
127.0.0.0/8 | This block is assigned for use as the Internet host loopback address.
192.0.2.0/24 | This block is assigned as "TEST-NET" for use in documentation and example code.
224.0.0.0/4 as source | This block, formerly known as the Class D address space, is allocated for use in IPv4 multicast address assignments.
240.0.0.0/4 (except when 255.255.255.255/32 is the destination address) | This block, formerly known as the Class E address space, is reserved.
Note that if the reserved addresses are included, individual reserved addresses
cannot be removed.
Example
The following example discards all packets with a source or destination address in
the block of the reserved IP addresses.
switchxxxxxx(config)# security-suite deny martian-addresses reserved add
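As an added example (not from the Cisco guide or the switch firmware), the following Python function applies the table above to a packet's source and destination address, including the two exceptions (0.0.0.0/32 allowed as a source, 255.255.255.255/32 allowed as a destination) and the fact that the multicast block is only checked as a source, and it also accepts user-defined entries in either the mask or the /prefix-length form of the command. Function names and the sample addresses are this example's own.

```python
"""Added example, not part of the Cisco guide: classify a packet against the
guide's reserved (Martian) address table, including its two exceptions, plus
user-defined entries in the 'ip-address mask' or 'ip-address /prefix-length' form."""
import ipaddress

# Table from the guide (IPv4). Third field: which direction the block applies to.
RESERVED = [
    ("0.0.0.0/8",    "this network",     "both"),
    ("127.0.0.0/8",  "loopback",         "both"),
    ("192.0.2.0/24", "TEST-NET",         "both"),
    ("224.0.0.0/4",  "multicast",        "source"),   # Martian only as a source address
    ("240.0.0.0/4",  "Class E reserved", "both"),
]
ZERO = ipaddress.IPv4Address("0.0.0.0")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def parse_entry(text):
    """'10.0.0.0 255.0.0.0' or '10.0.0.0 /8' -> IPv4Network (user-defined entry)."""
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask.lstrip('/')}", strict=False)

def martian_reason(src, dst, user_blocks=()):
    """Reason a packet would be discarded, or None if it passes the check."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for cidr, name, scope in RESERVED:
        net = ipaddress.ip_network(cidr)
        # exception 1: a 0.0.0.0/32 source is allowed (e.g. a host without an address yet)
        if s in net and not (cidr == "0.0.0.0/8" and s == ZERO):
            return f"source {src} in reserved {name} block {cidr}"
        # exception 2: the limited broadcast destination is allowed
        if scope == "both" and d in net and not (cidr == "240.0.0.0/4" and d == LIMITED_BROADCAST):
            return f"destination {dst} in reserved {name} block {cidr}"
    for net in user_blocks:
        if s in net or d in net:
            return f"address in user-defined block {net}"
    return None

if __name__ == "__main__":
    # Constructed sample packets: (source, destination)
    for pkt in (("10.1.1.1", "8.8.8.8"), ("127.0.0.1", "10.0.0.1"),
                ("0.0.0.0", "255.255.255.255"), ("10.0.0.1", "224.0.0.251"),
                ("224.0.0.1", "10.0.0.1")):
        print(pkt, "->", martian_reason(*pkt) or "pass")
```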
10.4 security-suite deny syn
To block the creation of TCP connections from a specific interface, use the
security-suite deny syn Interface (Ethernet, Port Channel) Configuration mode
command. This is a complete block of these connections.
To permit creation of TCP connections, use the no form of this command.
Syntax
security-suite deny syn {[add {tcp-port | any} {ip-address | any} {mask |
/prefix-length}] |
[remove {tcp-port | any} {ip-address | any} {mask | /prefix-length}]}
no security-suite deny syn
Parameters
• ip-address | any—Specifies the destination IP address. Use any to specify all IP addresses.
• mask—Specifies the network mask of the destination IP address.
• prefix-length—Specifies the number of bits that comprise the destination IP address prefix. The prefix length must be preceded by a forward slash (/).
• tcp-port | any—Specifies the destination TCP port. The possible values are: http, ftp-control, ftp-data, ssh, telnet, smtp, or port number. Use any to specify all ports.
Default Configuration
Creation of TCP connections is allowed from all interfaces.
If the mask is not specified, it defaults to 255.255.255.255.
If the prefix-length is not specified, it defaults to 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled both globally and
for interfaces (see the security-suite enable command).
The blocking of TCP connection creation from an interface is done by discarding
ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0" for the specified
destination IP addresses and destination TCP ports.
Example
The following example attempts to block the creation of TCP connections from an
interface. It fails because security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite deny syn add any /32 any
To perform this command, DoS Prevention must be enabled in the per-interface mode.
10.5 security-suite deny syn-fin
To drop all ingressing TCP packets in which both SYN and FIN are set, use the
security-suite deny syn-fin Global Configuration mode command.
To permit TCP packets in which both SYN and FIN are set, use the no form of this
command.
Syntax
security-suite deny syn-fin
no security-suite deny syn-fin
Parameters
This command has no arguments or keywords.
Default Configuration
The feature is disabled by default.
Command Mode
Global Configuration mode
Example
The following example blocks TCP packets in which both SYN and FIN flags are
set.
switchxxxxxx(config)# security-suite deny syn-fin
10.6 security-suite dos protect
To protect the system from specific well-known Denial of Service (DoS) attacks,
use the security-suite dos protect Global Configuration mode command. There
are three types of attacks against which protection can be supplied (see
parameters below).
To disable DoS protection, use the no form of this command.
Syntax
security-suite dos protect {add attack | remove attack}
no security-suite dos protect
Parameters
add/remove attack—Specifies the attack type to add/remove. To add an attack is
to provide protection against it; to remove the attack is to remove protection.
The possible attack types are:
• stacheldraht—Discards TCP packets with source TCP port 16660.
• invasor-trojan—Discards TCP packets with destination TCP port 2140 and
source TCP port 1024.
• back-orifice-trojan—Discards UDP packets with destination UDP port
31337 and source UDP port 1024.
Default Configuration
No protection is configured.
Command Mode
Global Configuration mode
User Guidelines
For this command to work, the security suite must be enabled (see security-suite
enable) globally.
Example
The following example protects the system from the Invasor Trojan DoS attack.
switchxxxxxx(config)# security-suite dos protect add invasor-trojan
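The deny syn, deny syn-fin and dos protect rules above are all packet-level match conditions. As an added example, not taken from the Cisco guide, the following Python model applies those conditions to a few constructed packets so that the effect of each rule on a given packet can be checked. The Packet and SecuritySuite classes, the method names and the evaluation order between the rules are assumptions of this example; the match conditions and port numbers are the ones the guide states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# TCP header flag bits
FIN, SYN, ACK = 0x01, 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int = 0    # TCP flags; unused for UDP


# "security-suite dos protect" signatures, exactly as the guide describes them
DOS_PROTECT: Dict[str, Callable[[Packet], bool]] = {
    "stacheldraht": lambda p: p.proto == "tcp" and p.src_port == 16660,
    "invasor-trojan": lambda p: p.proto == "tcp" and p.dst_port == 2140 and p.src_port == 1024,
    "back-orifice-trojan": lambda p: p.proto == "udp" and p.dst_port == 31337 and p.src_port == 1024,
}


def is_connection_request(p: Packet) -> bool:
    """The guide's definition of a TCP connection attempt: SYN=1, ACK=0, FIN=0."""
    return p.proto == "tcp" and bool(p.flags & SYN) and not p.flags & ACK and not p.flags & FIN


@dataclass
class SecuritySuite:
    deny_syn_fin: bool = False                                   # security-suite deny syn-fin
    dos_protect: Set[str] = field(default_factory=set)           # enabled dos protect attack types
    deny_syn: List[Tuple[ipaddress.IPv4Network, Optional[int]]] = field(default_factory=list)

    def add_deny_syn(self, ip: str, prefix_or_mask: str, port: Optional[int]) -> None:
        """Model 'security-suite deny syn add {any|ip} {mask|/prefix} {any|port}' (assumed shape)."""
        if ip == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            suffix = prefix_or_mask if prefix_or_mask.startswith("/") else "/" + prefix_or_mask
            net = ipaddress.ip_network(ip + suffix, strict=False)
        self.deny_syn.append((net, port))       # port None means "any"

    def verdict(self, p: Packet) -> str:
        """Return 'forward' or the name of the rule that discards the packet.
        The order of evaluation is an assumption; the guide states no precedence."""
        if self.deny_syn_fin and p.proto == "tcp" and p.flags & SYN and p.flags & FIN:
            return "deny syn-fin"
        for name in sorted(self.dos_protect):
            if DOS_PROTECT[name](p):
                return f"dos protect {name}"
        if is_connection_request(p):
            dst = ipaddress.ip_address(p.dst_ip)
            for net, port in self.deny_syn:
                if dst in net and port in (None, p.dst_port):
                    return "deny syn"
        return "forward"


def demo() -> List[str]:
    """Constructed packets against a configuration mirroring the guide's show output:
    syn-fin denied, invasor-trojan protection on, SYN to 176.16.23.0/24 port 21 (FTP) denied."""
    suite = SecuritySuite(deny_syn_fin=True, dos_protect={"invasor-trojan"})
    suite.add_deny_syn("176.16.23.0", "/24", 21)
    packets = [
        Packet("tcp", "176.16.23.7", 40000, 21, SYN | FIN),   # SYN and FIN set together
        Packet("tcp", "176.16.23.7", 1024, 2140, SYN),        # invasor-trojan signature
        Packet("tcp", "176.16.23.7", 40001, 21, SYN),         # new connection to FTP
        Packet("tcp", "176.16.23.7", 40001, 21, SYN | ACK),   # not a connection request
        Packet("tcp", "176.16.23.7", 40002, 80, SYN),         # port not in the deny syn rule
        Packet("udp", "176.16.23.7", 1024, 31337),            # back-orifice not enabled
    ]
    return [suite.verdict(p) for p in packets]
```

A SYN+ACK reply from a server is left alone by deny syn because ACK is set; this is why the rule only affects connection creation towards the protected addresses and not established traffic.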
10.7 security-suite dos syn-attack
To rate limit Denial of Service (DoS) SYN attacks, use the security-suite dos
syn-attack Interface Configuration mode command. This provides partial blocking
of SYN packets (up to the rate that the user specifies).
To disable rate limiting, use the no form of this command.
Syntax
security-suite dos syn-attack syn-rate {any | ip-address} {mask | prefix-length}
no security-suite dos syn-attack {any | ip-address} {mask | prefix-length}
Parameters
• syn-rate—Specifies the maximum number of connections per second.
(Range: 199–1000)
• any | ip-address—Specifies the destination IP address. Use any to specify
all IP addresses.
• mask—Specifies the network mask of the destination IP address.
• prefix-length—Specifies the number of bits that comprise the destination IP
address prefix. The prefix length must be preceded by a forward slash (/).
Default Configuration
No rate limit is configured.
If ip-address is unspecified, the default is 255.255.255.255.
If prefix-length is unspecified, the default is 32.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
For this command to work, the security suite must be enabled (see security-suite
enable) both globally and for interfaces.
This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0"
for the specified destination IP addresses.
SYN attack rate limiting is implemented after the security suite rules are applied to
the packets. The ACL and QoS rules are not applied to those packets.
Since the hardware rate limiting counts bytes, it is assumed that the size of “SYN”
packets is short.
Example
The following example attempts to rate limit DoS SYN attacks on a port. It fails
because security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.
10.8 security-suite enable
To enable the security suite feature, use the security-suite enable Global
Configuration mode command. This feature supports protection against various
types of attacks.
When this command is used, hardware resources are reserved. These hardware
resources are released when the no security-suite enable command is entered.
The security-suite feature can be enabled in one of the following ways:
• Global-rules-only—This enables the feature globally but per-interface
features are not enabled.
• All (no keyword)—The feature is enabled globally and per-interface.
To disable the security suite feature, use the no form of this command.
When security-suite is enabled, you can specify the types of protection required
with the security-suite deny and security-suite dos commands described in this
chapter; show security-suite configuration displays the resulting configuration.
Syntax
security-suite enable [global-rules-only]
no security-suite enable
Parameters
global-rules-only—(Optional) Specifies that all the security suite commands are
global commands only (they cannot be applied per-interface). This setting saves
space in the Ternary Content Addressable Memory (TCAM). If this keyword is not
used, security-suite commands can be used both globally and per-interface.
Default Configuration
The security suite feature is disabled.
If global-rules-only is not specified, the default is to enable security-suite globally
and per interface.
Command Mode
Global Configuration mode
User Guidelines
MAC ACLs must be removed before the security-suite is enabled. The rules can
be re-entered after the security-suite is enabled.
If ACLs or policy maps are assigned on interfaces, per interface security-suite
rules cannot be enabled.
Examples
Example 1—The following example enables the security suite feature and
specifies that security suite commands are global commands only. When an
attempt is made to configure security-suite on a port, it fails.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.
Example 2—The following example enables the security suite feature globally and
on interfaces. The security-suite command succeeds on the port.
switchxxxxxx(config)# security-suite enable
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
switchxxxxxx(config-if)#
10.9 security-suite syn protection mode
To set the TCP SYN protection mode, use the security-suite syn protection mode
Global Configuration mode command.
To set the TCP SYN protection mode to default, use the no form of this command.
Syntax
security-suite syn protection mode {disabled | report | block}
no security-suite syn protection mode
Parameters
• disabled—Feature is disabled
• report—Feature reports about TCP SYN traffic per port (including
rate-limited SYSLOG message when an attack is identified)
• block—TCP SYN traffic from attacking ports destined to the local system is
blocked, and a rate-limited SYSLOG message (one per minute) is generated
Default Configuration
The default mode is block.
Command Mode
Global Configuration mode
User Guidelines
On ports in which an ACL is defined (user-defined ACL etc.), this feature cannot block TCP SYN
packets. In case the protection mode is block but SYN Traffic cannot be blocked, a relevant
SYSLOG message will be created, e.g.: “port te1/0/1 is under TCP SYN attack. TCP SYN traffic
cannot be blocked on this port since the port is bound to an ACL.”
Examples
Example 1: The following example sets the TCP SYN protection feature to report
TCP SYN attack on ports in case an attack is identified from these ports.
switchxxxxxx(config)# security-suite syn protection mode report
…
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port te1/0/1
Example 2: The following example sets the TCP SYN protection feature to block
TCP SYN attack on ports in case an attack is identified from these ports.
switchxxxxxx(config)# security-suite syn protection mode block
…
01-Jan-2012 05:29:46: A TCP SYN Attack was identified on port te1/0/1. TCP SYN
traffic destined to the local system is automatically blocked for 100
seconds.
10.10 security-suite syn protection recovery
To set the time period for the SYN Protection feature to block an attacked
interface, use the security-suite syn protection recovery Global Configuration
mode command.
To set the time period to its default value, use the no form of this command.
Syntax
security-suite syn protection recovery timeout
no security-suite syn protection recovery
Parameters
timeout—Defines the timeout (in seconds) by which an interface from which SYN packets are blocked
gets unblocked. Note that if a SYN attack is still active on this interface it might become blocked again.
(Range: 10-600)
Default Configuration
The default timeout is 60 seconds.
Command Mode
Global Configuration mode
User Guidelines
If the timeout is modified, the new value will be used only on interfaces which are
not currently under attack.
Example
The following example sets the TCP SYN protection recovery period to 100 seconds.
switchxxxxxx(config)# security-suite syn protection recovery 100
10.11 security-suite syn protection threshold
To set the threshold for the SYN protection feature, use the security-suite syn
protection threshold Global Configuration mode command.
To set the threshold to its default value, use the no form of this command.
Syntax
security-suite syn protection threshold syn-packet-rate
no security-suite syn protection threshold
Parameters
syn-packet-rate—defines the rate (number of packets per second) from each specific port that triggers
identification of TCP SYN attack. (Range: 20-200)
Default Configuration
The default threshold is 80 pps (packets per second).
Command Mode
Global Configuration mode
Example
The following example sets the TCP SYN protection threshold to 40 pps.
switchxxxxxx(config)# security-suite syn protection threshold 40
10.12 show security-suite configuration
To display the security-suite configuration, use the show security-suite
configuration User EXEC mode command.
Syntax
show security-suite configuration
Command Mode
User EXEC mode
Example
The following example displays the security-suite configuration.
switchxxxxxx# show security-suite configuration
Security suite is enabled (Per interface rules are enabled).
Denial Of Service Protect: stacheldraht, invasor-trojan, back-orifice-trojan.
Denial Of Service SYN-FIN Attack is enabled
Denial Of Service SYN Attack
Interface          IP Address        SYN Rate (pps)
-----------------  --------------    --------------
te1/0/1            176.16.23.0/24    100
Martian addresses filtering
Reserved addresses: enabled.
Configured addresses: 10.0.0.0/8, 192.168.0.0/16
SYN filtering
Interface          IP Address        TCP port
----------------   --------------    --------------
te1/0/2            176.16.23.0/24    FTP
ICMP filtering
Interface          IP Address
---------------    --------------
te1/0/2            176.16.23.0/24
Fragmented packets filtering
Interface          IP Address
--------------     --------------
te1/0/2            176.16.23.0/24
10.13 show security-suite syn protection
To display the SYN Protection feature configuration and the operational status per interface-id, including
the time of the last attack per interface, use the show security-suite syn protection User EXEC mode
command.
Syntax
show security-suite syn protection [interface-id]
Parameters
interface-id—(Optional) Specifies an interface-ID. The interface-ID can be one of the following types:
Ethernet port or Port-Channel.
Command Mode
User EXEC mode
User Guidelines
Use the Interface-ID to display information on a specific interface.
Example
The following example displays the TCP SYN protection feature configuration and current status on all
interfaces. In this example, port te1/0/2 is attacked but since there is a user-ACL on this port, it cannot
become blocked so its status is Reported and not Blocked and Reported.
switchxxxxxx# show security-suite syn protection
Protection Mode: Block
Threshold: 40 Packets Per Second
Period: 100 Seconds
Interface Name   Current Status   Last Attack
te1/0/1          Attacked         19:58:22.289 PDT Feb 19 2012 Blocked and Reported
te1/0/2          Attacked         19:58:22.289 PDT Feb 19 2012 Reported
te1/0/3          Attacked         19:58:22.289 PDT Feb 19 2012 Blocked and Reported
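Sections 10.9 to 10.13 describe one mechanism: a per-port SYN rate threshold, a mode that decides whether an attacked port is only reported or also blocked, a recovery timeout after which the port is unblocked, and the rule that a port bound to an ACL can only be reported. As an added example, not from the Cisco guide or its software, the following Python model ties those settings together and reproduces the status shown in the show security-suite syn protection example above. The class, method and field names, the one-minute SYSLOG window per port, and the choice that a rate equal to the threshold already counts as an attack are assumptions of this example; the ranges, defaults and message texts are the guide's.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MODES = ("disabled", "report", "block")


@dataclass
class SynProtection:
    """Device-wide SYN protection state (assumed model of the feature)."""
    mode: str = "block"                                   # default mode is block
    threshold_pps: int = 80                               # default threshold is 80 pps
    recovery_s: int = 60                                  # default recovery timeout is 60 s
    acl_bound: Set[str] = field(default_factory=set)      # ports bound to a user ACL
    last_attack: Dict[str, int] = field(default_factory=dict)
    last_action: Dict[str, str] = field(default_factory=dict)
    blocked_until: Dict[str, int] = field(default_factory=dict)
    syslog: List[str] = field(default_factory=list)
    _last_log_at: Dict[str, int] = field(default_factory=dict)

    def set_mode(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"mode must be one of {MODES}")
        self.mode = mode

    def set_threshold(self, syn_packet_rate: int) -> None:
        if not 20 <= syn_packet_rate <= 200:
            raise ValueError("threshold range is 20-200 pps")
        self.threshold_pps = syn_packet_rate

    def set_recovery(self, timeout: int) -> None:
        # Only future blocks use the new value: an interface currently under attack
        # keeps the expiry it was given (User Guidelines of section 10.10).
        if not 10 <= timeout <= 600:
            raise ValueError("recovery range is 10-600 seconds")
        self.recovery_s = timeout

    def is_blocked(self, port: str, now: int) -> bool:
        return now < self.blocked_until.get(port, 0)

    def _log(self, port: str, now: int, msg: str) -> None:
        # Rate-limited SYSLOG: at most one message per port per minute (assumed window).
        if now - self._last_log_at.get(port, -60) >= 60:
            self.syslog.append(f"t={now}s: {msg}")
            self._last_log_at[port] = now

    def observe(self, port: str, now: int, syn_pps: int) -> Optional[str]:
        """Feed one second's ingress SYN count for a port at time `now` (seconds).
        Returns 'Reported', 'Blocked and Reported', or None when no attack is
        identified. Reaching the threshold counts as an attack (assumption)."""
        if self.mode == "disabled" or syn_pps < self.threshold_pps:
            return None
        self.last_attack[port] = now
        if self.mode == "block" and port not in self.acl_bound:
            if not self.is_blocked(port, now):
                self.blocked_until[port] = now + self.recovery_s
            self._log(port, now, f"A TCP SYN Attack was identified on port {port}. "
                      f"TCP SYN traffic destined to the local system is automatically "
                      f"blocked for {self.recovery_s} seconds.")
            action = "Blocked and Reported"
        else:
            if self.mode == "block":   # block requested, but the port carries an ACL
                self._log(port, now, f"port {port} is under TCP SYN attack. TCP SYN traffic "
                          f"cannot be blocked on this port since the port is bound to an ACL.")
            else:
                self._log(port, now, f"A TCP SYN Attack was identified on port {port}")
            action = "Reported"
        self.last_action[port] = action
        return action


def demo() -> dict:
    """Reproduce the guide's show example: block mode, threshold 40, period 100,
    te1/0/2 bound to an ACL so it can only be reported. Times are seconds."""
    sp = SynProtection(acl_bound={"te1/0/2"})
    sp.set_mode("block")
    sp.set_threshold(40)
    sp.set_recovery(100)
    r = {}
    r["te1/0/1"] = sp.observe("te1/0/1", 0, 55)          # 'Blocked and Reported'
    r["te1/0/2"] = sp.observe("te1/0/2", 0, 55)          # 'Reported' (ACL on port)
    r["te1/0/3"] = sp.observe("te1/0/3", 0, 20)          # None: below 40 pps
    sp.set_recovery(30)             # changed while te1/0/1 is blocked: no effect on it
    r["blocked_at_99"] = sp.is_blocked("te1/0/1", 99)    # True, old 100 s period
    r["blocked_at_100"] = sp.is_blocked("te1/0/1", 100)  # False: unblocked
    r["attack_again"] = sp.observe("te1/0/1", 100, 55)   # blocked again, now for 30 s
    r["blocked_at_129"] = sp.is_blocked("te1/0/1", 129)  # True
    r["blocked_at_130"] = sp.is_blocked("te1/0/1", 130)  # False
    r["syslog_count"] = len(sp.syslog)                   # 3 messages
    return r
```

The second attack on te1/0/1 at t=100 shows the recovery caveat from section 10.10: the port is unblocked when its timeout expires, but if the attack is still running it is blocked again immediately, this time for the newly configured 30 seconds.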
11 DHCP Relay Commands
11.1 ip dhcp relay enable (Global)
Use the ip dhcp relay enable Global Configuration mode command to enable the
DHCP relay feature on the device. Use the no form of this command to disable the
DHCP relay feature.
Syntax
ip dhcp relay enable
no ip dhcp relay enable
Parameters
N/A
Default Configuration
DHCP relay feature is disabled.
Command Mode
Global Configuration mode
Example
The following example enables the DHCP relay feature on the device.
switchxxxxxx(config)# ip dhcp relay enable
11.2 ip dhcp relay enable (Interface)
Use the ip dhcp relay enable Interface Configuration mode command to enable
the DHCP relay feature on an interface. Use the no form of this command to disable
the DHCP relay agent feature on an interface.
Syntax
ip dhcp relay enable
no ip dhcp relay enable
Parameters
N/A
Default Configuration
Disabled
Command Mode
Interface Configuration mode
User Guidelines
The operational status of DHCP Relay on an interface is active if one of the
following conditions exists:
• DHCP Relay is globally enabled, and there is an IP address defined on the
interface.
Or
• DHCP Relay is globally enabled, there is no IP address defined on the
interface, the interface is a VLAN, and option 82 is enabled.
Example
The following example enables DHCP Relay on VLAN 21.
switchxxxxxx(config)# interface vlan 21
switchxxxxxx(config-if)# ip dhcp relay enable
11.3 ip dhcp relay address (Global)
Use the ip dhcp relay address Global Configuration mode command to define the
DHCP servers available for the DHCP relay. Use the no form of this command to
remove the server from the list.
Syntax
ip dhcp relay address ip-address
no ip dhcp relay address [ip-address]
Parameters
• ip-address—Specifies the DHCP server IP address. Up to 8 servers can be
defined.
Default Configuration
No server is defined.
Command Mode
Global Configuration mode
User Guidelines
Use the ip dhcp relay address command to define a global DHCP Server IP
address. To define multiple DHCP Servers, use the command multiple times.
To remove a DHCP Server, use the no form of the command with the ip-address
argument.
The no form of the command without the ip-address argument deletes all globally
defined DHCP servers.
Example
The following example defines the DHCP server on the device.
switchxxxxxx(config)# ip dhcp relay address 176.16.1.1
11.4 ip dhcp relay address (Interface)
Use the ip dhcp relay address Interface Configuration (VLAN, Ethernet,
Port-channel) command to define the DHCP servers available by the DHCP relay
for DHCP clients connected to the interface. Use the no form of this command to
remove the server from the list.
Syntax
ip dhcp relay address ip-address
no ip dhcp relay address [ip-address]
Parameters
• ip-address—Specifies the DHCP server IP address. Up to 8 servers can be
defined.
Default Configuration
No server is defined.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip dhcp relay address command to define a DHCP Server IP address per
interface. To define multiple DHCP Servers, use the command multiple times.
To remove a DHCP server, use the no form of the command with the ip-address
argument.
The no form of the command without the ip-address argument deletes all DHCP
servers.
Example
The following example defines the DHCP server on the device.
switchxxxxxx(config)# interface vlan 21
switchxxxxxx(config-if)# ip dhcp relay address 176.16.1.1
11.5 show ip dhcp relay
Use the show ip dhcp relay EXEC mode command to display the DHCP relay
information.
Syntax
show ip dhcp relay
Command Mode
User EXEC mode
Examples
Example 1. Option 82 is not supported:
switchxxxxxx# show ip dhcp relay
DHCP relay is globally enabled
Option 82 is Disabled
Maximum number of supported VLANs without IP Address is 256
Number of DHCP Relays enabled on VLANs without IP Address is 0
DHCP relay is not configured on any port.
DHCP relay is not configured on any vlan.
No servers configured
Example 2. Option 82 is supported (disabled):
switchxxxxxx# show ip dhcp relay
DHCP relay is globally disabled
Option 82 is disabled
Maximum number of supported VLANs without IP Address: 0
Number of DHCP Relays enabled on VLANs without IP Address: 4
DHCP relay is enabled on Ports: te1/0/1,po1-2
Active:
Inactive: te1/0/1, po1-4
DHCP relay is enabled on VLANs: 1, 2, 4, 5
Active:
Inactive: 1, 2, 4, 5
Global Servers: 1.1.1.1 , 2.2.2.2
Example 3. Option 82 is supported (enabled):
switchxxxxxx# show ip dhcp relay
DHCP relay is globally enabled
Option 82 is enabled
Maximum number of supported VLANs without IP Address is 4
Number of DHCP Relays enabled on VLANs without IP Address: 2
DHCP relay is enabled on Ports: te1/0/1,po1-2
Active: te1/0/1
Inactive: po1-2
DHCP relay is enabled on VLANs: 1, 2, 4, 5
Active: 1, 2, 4, 5
Inactive:
Global Servers: 1.1.1.1 , 2.2.2.2
Example 4. Option 82 is supported (enabled) and there are DHCP Servers defined per
interface:
switchxxxxxx# show ip dhcp relay
DHCP relay is globally enabled
Option 82 is enabled
Maximum number of supported VLANs without IP Address is 4
Number of DHCP Relays enabled on VLANs without IP Address: 2
DHCP relay is enabled on Ports: te1/0/1,po1-2
Active: te1/0/1
Inactive: po1-2
DHCP relay is enabled on VLANs: 1, 2, 4, 5
Active: 1, 2, 4, 5
Inactive:
Global Servers: 1.1.1.1 , 2.2.2.2
VLAN 1: 1.1.1.1, 100.10.1.1
VLAN 2: 3.3.3.3, 4.4.4.4, 5.5.5.5
VLAN 10: 6.6.6.6
11.6 ip dhcp information option
Use the ip dhcp information option Global Configuration command to enable
DHCP option-82 data insertion. Use the no form of this command to disable DHCP
option-82 data insertion.
Syntax
ip dhcp information option
no ip dhcp information option
Parameters
N/A
Default Configuration
DHCP option-82 data insertion is disabled.
Command Mode
Global Configuration mode
User Guidelines
DHCP option 82 is enabled only if DHCP snooping or DHCP relay is
enabled.
Example
switchxxxxxx(config)# ip dhcp information option
11.7 show ip dhcp information option
The show ip dhcp information option EXEC mode command displays the DHCP
Option 82 configuration.
Syntax
show ip dhcp information option
Parameters
N/A
Default Configuration
N/A
Command Mode
User EXEC mode
Example
The following example displays the DHCP Option 82 configuration.
switchxxxxxx# show ip dhcp information option
Relay agent Information option is Enabled
12 DHCP Server Commands
12.1 address (DHCP Host)
To manually bind an IP address to a DHCP client, use the address command in
DHCP Pool Host Configuration mode. To remove the IP address binding to the
client, use the no form of this command.
Syntax
address ip-address {mask | prefix-length} {client-identifier unique-identifier |
hardware-address mac-address}
no address
Parameters
• ip-address—Specifies the client IP address.
• mask—Specifies the client network mask.
• prefix-length—Specifies the number of bits that comprise the address
prefix. The prefix is an alternative way of specifying the client network
mask. The prefix length must be preceded by a forward slash (/).
• unique-identifier—Specifies the distinct client identification in dotted
hexadecimal notation. Each byte in a hexadecimal character string is two
hexadecimal digits. Bytes are separated by a period or colon. For example,
01b7.0813.8811.66.
• mac-address—Specifies the client MAC address.
Default Configuration
No addresses are bound.
Command Mode
DHCP Pool Host Configuration mode
User Guidelines
To classify the DHCP client, the DHCP server uses either the client identifier passed in
Option 61, if the client-identifier keyword is configured, or the client MAC address,
if the hardware-address keyword is configured.
Example
The following example manually binds an IP address to a DHCP client.
switchxxxxxx(config)# ip dhcp pool host aaaa
switchxxxxxx(config-dhcp)# address 10.12.1.99 255.255.255.0 client-identifier 01b7.0813.8811.66
switchxxxxxx(config-dhcp)# exit
switchxxxxxx(config)# ip dhcp pool host bbbb
switchxxxxxx(config-dhcp)# address 10.12.1.88 255.255.255.0 hardware-address 00:01:b7:08:13:88
switchxxxxxx(config-dhcp)# exit
switchxxxxxx(config)#
12.2 address (DHCP Network)
To configure the subnet number and mask for a DHCP address pool on a DHCP
server, use the address command in DHCP Pool Network Configuration mode. To
remove the subnet number and mask, use the no form of this command.
Syntax
address {network-number | low low-address high high-address} {mask |
prefix-length}
no address
Parameters
• network-number—Specifies the IP address of the DHCP address pool.
• mask—Specifies the pool network mask.
• prefix-length—Specifies the number of bits that comprise the address
prefix. The prefix is an alternative way of specifying the client network
mask. The prefix length must be preceded by a forward slash (/).
• low low-address—Specifies the first IP address to use in the address
range.
• high high-address—Specifies the last IP address to use in the address
range.
Default Configuration
DHCP address pools are not configured.
If the low address is not specified, it defaults to the first IP address in the network.
If the high address is not specified, it defaults to the last IP address in the network.
Command Mode
DHCP Pool Network Configuration mode
Example
The following example configures the subnet number and mask for a DHCP
address pool on a DHCP server.
switchxxxxxx(config-dhcp)# address 10.12.1.0 255.255.255.0
12.3 auto-default-router
To enable auto default router, use the auto-default-router command in DHCP Pool
Network Configuration mode or in DHCP Pool Host Configuration mode. To disable
auto default router, use the no form of this command.
Syntax
auto-default-router
no auto-default-router
Parameters
N/A
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
Enabled.
User Guidelines
If the feature is enabled, the DHCP server returns an IP address defined on the input
interface as the default router when a default router is not configured, in the following case:
• Default router is not configurable.
• DHCP client is directly connected.
• IP Routing is enabled.
• Default router was required by the client.
Example
The following example disables auto default router sending.
switchxxxxxx(config-dhcp)# no auto-default-router
12.4 bootfile
To specify the default boot image file name for a DHCP client, use the bootfile
command in DHCP Pool Network Configuration mode or in DHCP Pool Host
Configuration mode. To delete the boot image file name, use the no form of this
command.
Syntax
bootfile filename
no bootfile
Parameters
• filename—Specifies the file name used as a boot image. (Length: 1–128
characters).
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Example
The following example specifies boot_image_file as the default boot image file
name for a DHCP client.
switchxxxxxx(config-dhcp)# bootfile boot_image_file
12.5 clear ip dhcp binding
To delete the dynamic address binding from the DHCP server database, use the
clear ip dhcp binding command in Privileged EXEC mode.
Syntax
clear ip dhcp binding {address | *}
Parameters
• address—Specifies the binding address to delete from the DHCP
database.
• *—Clears all dynamic bindings.
Command Mode
Privileged EXEC mode
User Guidelines
Typically, the address supplied denotes the client IP address. If the asterisk (*)
character is specified as the address parameter, DHCP clears all dynamic
bindings.
Use the no ip dhcp pool Global Configuration mode command to delete a manual
binding.
Example
The following example deletes the address binding 10.12.1.99 from a DHCP
server database:
switchxxxxxx# clear ip dhcp binding 10.12.1.99
12.6 client-name
To define the name of a DHCP client, use the client-name command in DHCP Pool
Host Configuration mode. To remove the client name, use the no form of this
command.
Syntax
client-name name
no client-name
Parameters
• name—Specifies the client name, using standard ASCII characters. The
client name should not include the domain name. For example, the name
Mars should not be specified as mars.yahoo.com. (Length: 1–32 characters).
Command Mode
DHCP Pool Host Configuration mode
Default Configuration
No client name is defined.
Example
The following example defines the string client1 as the client name.
switchxxxxxx(config-dhcp)# client-name client1
12.7 default-router
To configure the default router list for a DHCP client, use the default-router
command in DHCP Pool Network Configuration mode or in DHCP Pool Host
Configuration mode. To remove the default router list, use the no form of this
command.
Syntax
default-router ip-address [ip-address2 ... ip-address8]
no default-router
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of
default routers. Up to eight addresses can be specified in one command
line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No default router is defined.
User Guidelines
The router IP address should be on the same subnet as the client subnet.
If the auto-default-router command is configured, the DHCP server returns an
IP address defined on the input interface as the default router when a default router is not configured,
in the following case:
• Default router is not configurable.
• DHCP client is directly connected.
• IP Routing is enabled.
• Default router was required by the client.
Example
The following example specifies 10.12.1.99 as the default router IP address.
switchxxxxxx(config-dhcp)# default-router 10.12.1.99
12.8 dns-server
To configure the Domain Name System (DNS) IP server list available to a DHCP
client, use the dns-server command in DHCP Pool Network Configuration mode or
in DHCP Pool Host Configuration mode. To remove the DNS server list, use the no
form of this command.
Syntax
dns-server ip-address [ip-address2 ... ip-address8]
no dns-server
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of
DNS servers. Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No DNS server is defined.
User Guidelines
If DNS IP servers are not configured for a DHCP client, the client cannot correlate
host names to IP addresses.
Example
The following example specifies 10.12.1.99 as the client domain name server IP
address.
switchxxxxxx(config-dhcp)# dns-server 10.12.1.99
12.9 domain-name
To specify the domain name for a DHCP client, use the domain-name command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration
mode. To remove the domain name, use the no form of this command.
Syntax
domain-name domain
no domain-name
Parameters
• domain—Specifies the DHCP client domain name string. (Length: 1–32
characters).
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No domain name is defined.
Example
The following example specifies yahoo.com as the DHCP client domain name
string.
switchxxxxxx(config-dhcp)# domain-name yahoo.com
12.10 ip dhcp excluded-address
To specify IP addresses that a DHCP server must not assign to DHCP clients, use
the ip dhcp excluded-address command in Global Configuration mode. To remove
the excluded IP addresses, use the no form of this command.
Syntax
ip dhcp excluded-address low-address [high-address]
no ip dhcp excluded-address low-address [high-address]
Parameters
• low-address—Specifies the excluded IP address, or first IP address in an
excluded address range.
• high-address—(Optional) Specifies the last IP address in the excluded
address range.
Default Configuration
All IP pool addresses are assignable.
Command Mode
Global Configuration mode
User Guidelines
The DHCP server assumes that all pool addresses can be assigned to clients. Use
this command to exclude a single IP address or a range of IP addresses.
Example
The following example configures an excluded IP address range from
172.16.1.100 through 172.16.1.199.
switchxxxxxx(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.199
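The address (DHCP Host), address (DHCP Network) and ip dhcp excluded-address commands above together decide which address a client receives. As an added example, not taken from the Cisco guide, the following Python model implements that decision: manual bindings keyed on the Option 61 client identifier or the hardware address (normalised from either dotted or colon hexadecimal notation, so both spellings of one identifier match), a dynamic range built from low/high or from the network number, and excluded ranges that are skipped during allocation. The class and method names, and the choice that a network pool defaults to the first and last usable host addresses, are assumptions of this example; the address values come from the guide's examples.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address
Range = Tuple[IPv4, IPv4]


def parse_identifier(text: str) -> bytes:
    """Normalise a client identifier or MAC address written in dotted or colon
    hexadecimal notation (01b7.0813.8811.66, 00:01:b7:08:13:88) to raw bytes."""
    digits = text.replace(".", "").replace(":", "")
    if not digits or len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"bad hexadecimal identifier: {text!r}")
    return bytes.fromhex(digits)


def parse_network(address: str, mask_or_prefix: str) -> ipaddress.IPv4Network:
    """Accept either a dotted mask (255.255.255.0) or a /prefix-length (/24)."""
    suffix = mask_or_prefix if mask_or_prefix.startswith("/") else "/" + mask_or_prefix
    return ipaddress.ip_network(address + suffix, strict=False)


class DhcpServer:
    """Assumed model of the guide's DHCP server pools; not the switch's own code."""

    def __init__(self) -> None:
        self.hosts: Dict[Tuple[str, bytes], IPv4] = {}   # manual bindings (ip dhcp pool host)
        self.pools: List[Range] = []                      # dynamic ranges (ip dhcp pool network)
        self.excluded: List[Range] = []                   # ip dhcp excluded-address ranges
        self.leased: Set[IPv4] = set()

    def pool_host(self, ip: str, mask: str, keyword: str, ident: str) -> None:
        """address ip-address {mask | prefix-length} {client-identifier id | hardware-address mac}"""
        if keyword not in ("client-identifier", "hardware-address"):
            raise ValueError(f"unknown keyword {keyword!r}")
        parse_network(ip, mask)                           # rejects a malformed mask or prefix
        self.hosts[(keyword, parse_identifier(ident))] = ipaddress.ip_address(ip)

    def pool_network(self, mask: str, network: Optional[str] = None,
                     low: Optional[str] = None, high: Optional[str] = None) -> None:
        """address {network-number | low low-address high high-address} {mask | prefix-length}
        Without low/high the range defaults to the first and last usable host
        addresses of the network (assumption: network and broadcast excluded)."""
        if low is not None and high is not None:
            self.pools.append((ipaddress.ip_address(low), ipaddress.ip_address(high)))
        elif network is not None:
            net = parse_network(network, mask)
            self.pools.append((net[1], net[-2]))
        else:
            raise ValueError("give network-number, or low and high")

    def excluded_address(self, low: str, high: Optional[str] = None) -> None:
        """ip dhcp excluded-address low-address [high-address]"""
        self.excluded.append((ipaddress.ip_address(low), ipaddress.ip_address(high or low)))

    def is_excluded(self, addr: IPv4) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.excluded)

    def allocate(self, keyword: str, ident: str) -> Optional[IPv4]:
        """Manual binding first (Option 61 identifier or MAC); otherwise the lowest
        free, non-excluded pool address; None when every pool is exhausted."""
        manual = self.hosts.get((keyword, parse_identifier(ident)))
        if manual is not None:
            return manual
        for low, high in self.pools:
            addr = low
            while addr <= high:
                if addr not in self.leased and not self.is_excluded(addr):
                    self.leased.add(addr)
                    return addr
                addr += 1
        return None


def demo() -> dict:
    """Constructed configuration using the guide's example values."""
    srv = DhcpServer()
    srv.pool_host("10.12.1.99", "255.255.255.0", "client-identifier", "01b7.0813.8811.66")
    srv.pool_host("10.12.1.88", "/24", "hardware-address", "00:01:b7:08:13:88")
    srv.pool_network("255.255.255.0", low="172.16.1.100", high="172.16.1.210")
    srv.excluded_address("172.16.1.100", "172.16.1.199")
    return {
        "by_client_id": str(srv.allocate("client-identifier", "01:B7:08:13:88:11:66")),  # 10.12.1.99
        "by_mac": str(srv.allocate("hardware-address", "0001.b708.1388")),              # 10.12.1.88
        "first_dynamic": str(srv.allocate("hardware-address", "00:01:b7:aa:aa:aa")),    # 172.16.1.200
        "second_dynamic": str(srv.allocate("hardware-address", "00:01:b7:bb:bb:bb")),   # 172.16.1.201
        "excluded_150": srv.is_excluded(ipaddress.ip_address("172.16.1.150")),          # True
    }
```

The excluded range .100 to .199 overlaps the start of the dynamic pool, so the first dynamic client receives .200: the exclusion is applied at allocation time rather than by trimming the pool, which is what lets a single command exclude addresses from any pool that covers them.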
12.11 ip dhcp pool host
To configure a DHCP static address on a DHCP server and enter the DHCP Pool
Host Configuration mode, use the ip dhcp pool host command in Global
Configuration mode. To remove the address pool, use the no form of this
command.
Syntax
ip dhcp pool host name
no ip dhcp pool host name
Parameters
• name—Specifies the DHCP address pool name. It can be either a symbolic
string (such as Engineering) or an integer (such as 8). (Length: 1–32
characters).
Default Configuration
DHCP hosts are not configured.
Command Mode
Global Configuration mode
User Guidelines
During execution of this command, the configuration mode changes to DHCP
Pool Host Configuration mode. In this mode, the administrator can configure host
parameters, such as the IP subnet number and default router list.
Example
The following example configures station as the DHCP address pool:
switchxxxxxx(config)# ip dhcp pool host station
switchxxxxxx(config-dhcp)#
12.12 ip dhcp pool network
To configure a DHCP address pool on a DHCP Server and enter DHCP Pool
Network Configuration mode, use the ip dhcp pool network command in Global
Configuration mode. To remove the address pool, use the no form of this
command.
Syntax
ip dhcp pool network name
no ip dhcp pool network name
Parameters
• name—Specifies the DHCP address pool name. It can be either a symbolic
string (such as ‘engineering’) or an integer (such as 8). (Length: 1–32
characters).
Default Configuration
DHCP address pools are not configured.
Command Mode
Global Configuration mode
User Guidelines
During execution of this command, the configuration mode changes to DHCP Pool
Network Configuration mode. In this mode, the administrator can configure pool
parameters, such as the IP subnet number and default router list.
Example
The following example configures Pool1 as the DHCP address pool.
switchxxxxxx(config)# ip dhcp pool network Pool1
switchxxxxxx(config-dhcp)#
12.13 ip dhcp server
To enable the DHCP server features on the device, use the ip dhcp server
command in Global Configuration mode. To disable the DHCP server, use the no
form of this command.
Syntax
ip dhcp server
no ip dhcp server
Default Configuration
The DHCP server is disabled.
Command Mode
Global Configuration mode
Example
The following example enables the DHCP server on the device:
switchxxxxxx(config)# ip dhcp server
12.14 lease
To configure the time duration of the lease for an IP address that is assigned from a
DHCP server to a DHCP client, use the lease command in DHCP Pool Network
Configuration mode. To restore the default value, use the no form of this command.
Syntax
lease days [hours [minutes]] | infinite
no lease
Parameters
• days—Specifies the number of days in the lease.
• hours—(Optional) Specifies the number of hours in the lease. A days value
must be supplied before configuring an hours value.
• minutes—(Optional) Specifies the number of minutes in the lease. A days
value and an hours value must be supplied before configuring a minutes
value.
• infinite—Specifies that the duration of the lease is unlimited.
Default Configuration
The default lease duration is 1 day.
Command Mode
DHCP Pool Network Configuration mode
Examples
The following example shows a 1-day lease.
switchxxxxxx(config-dhcp)# lease 1
The following example shows a one-hour lease.
switchxxxxxx(config-dhcp)# lease 0 1
The following example shows a one-minute lease.
switchxxxxxx(config-dhcp)# lease 0 0 1
The following example shows an infinite (unlimited) lease.
switchxxxxxx(config-dhcp)# lease infinite
12.15 netbios-name-server
To configure the NetBIOS Windows Internet Naming Service (WINS) server list that
is available to Microsoft DHCP clients, use the netbios-name-server command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration mode. To
remove the NetBIOS name server list, use the no form of this command.
Syntax
netbios-name-server ip-address [ip-address2 ... ip-address8]
no netbios-name-server
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of
NetBIOS WINS name servers. Up to eight addresses can be specified in
one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No NetBIOS name server is defined.
Example
The following example specifies the IP address of a NetBIOS name server
available to the DHCP client.
switchxxxxxx(config-dhcp)# netbios-name-server 10.12.1.90
12.16 netbios-node-type
To configure the NetBIOS node type for Microsoft DHCP clients, use the
netbios-node-type command in DHCP Pool Network Configuration mode or in
DHCP Pool Host Configuration mode. To return to default, use the no form of this
command.
Syntax
netbios-node-type {b-node | p-node | m-node | h-node}
no netbios-node-type
Parameters
• b-node—Specifies the Broadcast NetBIOS node type.
• p-node—Specifies the Peer-to-peer NetBIOS node type.
• m-node—Specifies the Mixed NetBIOS node type.
• h-node—Specifies the Hybrid NetBIOS node type.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
h-node (Hybrid NetBIOS node type).
Example
The following example specifies the client's NetBIOS type as mixed.
switchxxxxxx(config-dhcp)# netbios-node-type m-node
12.17 next-server
To configure the next server (siaddr) in the boot process of a DHCP client, use the
next-server command in DHCP Pool Network Configuration mode or in DHCP Pool
Host Configuration mode. To remove the next server, use the no form of this
command.
Syntax
next-server ip-address
no next-server
Parameters
• ip-address—Specifies the IP address of the next server in the boot
process.
Default Configuration
If the next-server command is not used to configure a boot server list, the DHCP
server uses inbound interface helper addresses as boot servers.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
User Guidelines
The client will connect, using the SCP/TFTP protocol, to this server in order to
download the configuration file.
Example
The following example specifies 10.12.1.99 as the IP address of the next server:
switchxxxxxx(config-dhcp)# next-server 10.12.1.99
12.18 next-server-name
To configure the next server name (sname) in the boot process of a DHCP client,
use the next-server-name command in DHCP Pool Network Configuration mode or
in DHCP Pool Host Configuration mode. To remove the boot server name, use the
no form of this command.
Syntax
next-server-name name
no next-server-name
Parameters
• name—Specifies the name of the next server in the boot process. (Length:
1–64 characters).
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No next server name is defined.
User Guidelines
The client will connect, using the SCP/TFTP protocol, to this server in order to
download the configuration file.
Example
The following example specifies www.bootserver.com as the name of the next
server in the boot process of a DHCP client.
switchxxxxxx(config-dhcp)# next-server-name www.bootserver.com
12.19 option
To configure the DHCP server options, use the option command in DHCP Pool
Network Configuration mode or in DHCP Pool Host Configuration mode. To
remove the options, use the no form of this command.
Syntax
option code {boolean {false | true} | integer value | ascii string | hex {string | none} | ip {address} | ip-list {ip-address1 [ip-address2 …]}} [description text]
no option code
Parameters
• code—Specifies the DHCP option code. The supported values are defined
in the User Guidelines.
• boolean {false | true}—Specifies a boolean value. The values are coded by
integer values of one octet: 0 = false and 1 = true.
• integer value—Specifies an integer value. The option size depends on the
option code.
• ascii string—Specifies a network virtual terminal (NVT) ASCII character
string. ASCII character strings that contain white spaces must be delimited
by quotation marks. The ASCII value is truncated to the first 160 characters
entered.
• ip address—Specifies an IP address.
• ip-list {ip-address1 [ip-address2 ...]}—Specifies up to 8 IP addresses.
• hex string—Specifies dotted hexadecimal data. The hexadecimal value is
truncated to the first 320 characters entered. Each byte in hexadecimal
character strings is two hexadecimal digits. Each byte can be separated by
a period, colon, or white space.
• hex none—Specifies the zero-length hexadecimal string.
• description text—User description.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
User Guidelines
The option command enables defining any option that cannot be defined by other
special CLI commands. A new definition of an option overrides the previous
definition of this option.
The boolean keyword may be configured for the following options: 19, 20, 27,
29-31, 34, 36, and 39.
The integer keyword may be configured for the following options: 2, 13, 22-26, 35,
37-38, 132-134, and 211. The switch checks the value range and builds the value
field of the size in accordance with the option definition.
The ascii keyword may be configured for the following options: 14, 17-18, 40, 64,
130, 209, and 210.
The ip keyword may be configured for the following options: 16, 28, 32, 128-129,
131, 135, and 136.
The ip-list keyword may be configured for the following options: 5, 7-11, 33, 41, 42,
45, 48, 49, 65, 68-76, and 150.
The hex keyword may be configured for any option in the range 1-254 except for
the following: 1, 3-4, 6, 12, 15, 44, 46, 50-51, 53-54, 56, 66-67, 82, and 255. The
switch does not validate the syntax of an option defined by this format.
Examples
Example 1. The following example configures DHCP option 19, which specifies
whether the client should configure its IP layer for packet forwarding:
switchxxxxxx(config-dhcp)# option 19 boolean true description "IP Forwarding Enable/Disable Option"
Example 2. The following example configures DHCP option 2, which specifies the
offset of the client in seconds from Coordinated Universal Time (UTC):
switchxxxxxx(config-dhcp)# option 2 integer 3600
Example 3. The following example configures DHCP option 72, which specifies the
World Wide Web servers for DHCP clients. World Wide Web servers 172.16.3.252
and 172.16.3.253 are configured in the following example:
switchxxxxxx(config-dhcp)# option 72 ip-list 172.16.3.252 172.16.3.253
12.20 show ip dhcp
To display the DHCP configuration, use the show ip dhcp command in User EXEC
mode.
Syntax
show ip dhcp
Command Mode
User EXEC mode
Example
The following example displays the DHCP configuration.
switchxxxxxx# show ip dhcp
DHCP server is enabled.
12.21 show ip dhcp allocated
To display the allocated address or all the allocated addresses on the DHCP
server, use the show ip dhcp allocated command in User EXEC mode.
Syntax
show ip dhcp allocated [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Example
The following example displays the output of various forms of this command:
switchxxxxxx# show ip dhcp allocated
DHCP server enabled
The number of allocated entries is 3
IP address    Hardware address  Lease expiration      Type
------------  ----------------  --------------------  ---------
172.16.1.11   00a0.9802.32de    Feb 01 1998 12:00 AM  Dynamic
172.16.3.253  02c7.f800.0422    Infinite              Automatic
172.16.3.254  02c7.f800.0422    Infinite              Static

switchxxxxxx# show ip dhcp allocated 172.16.1.11
DHCP server enabled
The number of allocated entries is 2
IP address    Hardware address  Lease expiration      Type
------------  ----------------  --------------------  ---------
172.16.1.11   00a0.9802.32de    Feb 01 1998 12:00 AM  Dynamic

switchxxxxxx# show ip dhcp allocated 172.16.3.254
DHCP server enabled
The number of allocated entries is 2
IP address    Hardware address  Lease expiration      Type
------------  ----------------  --------------------  ---------
172.16.3.254  02c7.f800.0422    Infinite              Static
The following table describes the significant fields shown in the display.
Field              Description
-----------------  ------------------------------------------------------------
IP address         The host IP address as recorded on the DHCP Server.
Hardware address   The MAC address or client identifier of the host as recorded
                   on the DHCP Server.
Lease expiration   The lease expiration date of the host IP address.
Type               The manner in which the IP address was assigned to the host.
12.22 show ip dhcp binding
To display the specific address binding or all the address bindings on the DHCP
server, use the show ip dhcp binding command in User EXEC mode.
Syntax
show ip dhcp binding [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Examples
The following examples display the DHCP server binding address parameters.
switchxxxxxx# show ip dhcp binding
DHCP server enabled
The number of used (all types) entries is 6
The number of pre-allocated entries is 1
The number of allocated entries is 1
The number of expired entries is 1
The number of declined entries is 2
The number of static entries is 1
The number of dynamic entries is 2
The number of automatic entries is 1
IP address  Client Identifier  Lease Expiration      Type     State
----------  -----------------  --------------------  -------  -------------
1.16.1.11   00a0.9802.32de     Feb 01 1998 12:00 AM  dynamic  allocated
1.16.3.23   02c7.f801.0422                           dynamic  expired
1.16.3.24   02c7.f802.0422                           dynamic  declined
1.16.3.25   02c7.f803.0422                           dynamic  pre-allocated
1.16.3.26   02c7.f804.0422                           dynamic  declined

switchxxxxxx# show ip dhcp binding 1.16.1.11
DHCP server enabled
IP address  Client Identifier  Lease Expiration      Type     State
----------  -----------------  --------------------  -------  -------------
1.16.1.11   00a0.9802.32de     Feb 01 1998 12:00 AM  dynamic  allocated

switchxxxxxx# show ip dhcp binding 1.16.3.24
IP address  Client Identifier  Lease Expiration      Type     State
----------  -----------------  --------------------  -------  -------------
1.16.3.24   02c7.f802.0422                           dynamic  declined
The following table describes the significant fields shown in the display.
Field              Description
-----------------  ------------------------------------------------------------
IP address         The host IP address as recorded on the DHCP Server.
Client Identifier  The MAC address or client identifier of the host as recorded
                   on the DHCP Server.
Lease expiration   The lease expiration date of the host IP address.
Type               The manner in which the IP address was assigned to the host.
State              The IP address state.
12.23 show ip dhcp declined
To display the specific declined address or all of the declined addresses on the
DHCP server, use the show ip dhcp declined command in User EXEC mode.
Syntax
show ip dhcp declined [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Example
The following example displays the output of various forms of this command:
switchxxxxxx# show ip dhcp declined
DHCP server enabled
The number of declined entries is 2
IP address    Hardware address
172.16.1.11   00a0.9802.32de
172.16.3.254  02c7.f800.0422

switchxxxxxx# show ip dhcp declined 172.16.1.11
DHCP server enabled
The number of declined entries is 2
IP address    Hardware address
172.16.1.11   00a0.9802.32de
12.24 show ip dhcp excluded-addresses
To display the excluded addresses, use the show ip dhcp excluded-addresses
command in User EXEC mode.
Syntax
show ip dhcp excluded-addresses
Command Mode
User EXEC mode
Example
The following example displays excluded addresses.
switchxxxxxx# show ip dhcp excluded-addresses
The number of excluded addresses ranges is 2
Excluded addresses:
10.1.1.212- 10.1.1.219, 10.1.2.212- 10.1.2.219
12.25 show ip dhcp expired
To display the specific expired address or all of the expired addresses on the
DHCP server, use the show ip dhcp expired command in User EXEC mode.
Syntax
show ip dhcp expired [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Example
switchxxxxxx# show ip dhcp expired
DHCP server enabled
The number of expired entries is 1
IP address    Hardware address
172.16.1.11   00a0.9802.32de
172.16.3.254  02c7.f800.0422

switchxxxxxx# show ip dhcp expired 172.16.1.11
DHCP server enabled
The number of expired entries is 1
IP address    Hardware address
172.16.1.13   00a0.9802.32de
12.26 show ip dhcp pool host
To display the DHCP pool host configuration, use the show ip dhcp pool host
command in User EXEC mode.
Syntax
show ip dhcp pool host [address | name]
Parameters
• address—(Optional) Specifies the client IP address.
• name—(Optional) Specifies the DHCP pool name. (Length: 1-32 characters)
Command Mode
User EXEC mode
Examples
Example 1. The following example displays the configuration of all DHCP host
pools:
switchxxxxxx# show ip dhcp pool host
The number of host pools is 1
Name        IP Address   Hardware Address  Client Identifier
----------  -----------  ----------------  -----------------
station     172.16.1.11                    01b7.0813.8811.66
Example 2. The following example displays the DHCP pool host configuration of
the pool named station:
switchxxxxxx# show ip dhcp pool host station
Name        IP Address   Hardware Address  Client Identifier
----------  -----------  ----------------  -----------------
station     172.16.1.11                    01b7.0813.8811.66
Mask: 255.255.0.0
Auto Default router: enabled
Default router: 172.16.1.1
Client name: client1
DNS server: 10.12.1.99
Domain name: yahoo.com
NetBIOS name server: 10.12.1.90
NetBIOS node type: h-node
Next server: 10.12.1.99
Next-server-name: 10.12.1.100
Bootfile: Bootfile
Time server 10.12.1.99
Options:
Code  Type     Len  Value                Description
----  -------  ---  -------------------  --------------------------------
2     integer  4    3600
14    ascii    16   qq/aaaa/bbb.txt
19    boolean  1    false                "IP Forwarding Enable/Disable Option"
21    ip       4    134.14.14.1
31    ip-list  8    1.1.1.1, 12.23.45.2
47    hex      5    02af00aa00
12.27 show ip dhcp pool network
To display the DHCP network configuration, use the show ip dhcp pool network
command in User EXEC mode.
Syntax
show ip dhcp pool network [name]
Parameters
• name—(Optional) Specifies the DHCP pool name. (Length: 1-32 characters).
Command Mode
User EXEC mode
Examples
Example 1—The following example displays configuration of all DHCP network
pools:
switchxxxxxx# show ip dhcp pool network
The number of network pools is 2
Name       Address range         mask           Lease
---------  --------------------  -------------  ---------
marketing  10.1.1.17-10.1.1.178  255.255.255.0  0d:12h:0m
finance    10.1.2.8-10.1.2.178   255.255.255.0  0d:12h:0m
Example 2—The following example displays configuration of the DHCP network
pool marketing:
switchxxxxxx# show ip dhcp pool network marketing
Name       Address range         mask           Lease
---------  --------------------  -------------  ---------
marketing  10.1.1.17-10.1.1.178  255.255.255.0  0d:12h:0m
Statistics:
All-range  Available  Free  Pre-allocated  Allocated  Expired  Declined
---------  ---------  ----  -------------  ---------  -------  --------
162        150        68    50             20         3        9
Auto Default router: enabled
Default router: 10.1.1.1
DNS server: 10.12.1.99
Domain name: yahoo.com
NetBIOS name server: 10.12.1.90
NetBIOS node type: h-node
Next server: 10.12.1.99
Next-server-name: 10.12.1.100
Bootfile: Bootfile
Time server 10.12.1.99
Options:
Code  Type     Len  Value                Description
----  -------  ---  -------------------  --------------------------------
2     integer  4    3600
14    ascii    16   qq/aaaa/bbb.txt
19    boolean  1    false                "IP Forwarding Enable/Disable Option"
21    ip       4    134.14.14.1
31    ip-list  8    1.1.1.1, 12.23.45.2
47    hex      5    02af00aa00
12.28 show ip dhcp pre-allocated
To display the specific pre-allocated address or all the pre-allocated addresses
on the DHCP server, use the show ip dhcp pre-allocated command in User EXEC
mode.
Syntax
show ip dhcp pre-allocated [ip-address]
Parameters
• ip-address—(Optional) Specifies the IP address.
Command Mode
User EXEC mode
Examples
switchxxxxxx# show ip dhcp pre-allocated
DHCP server enabled
The number of pre-allocated entries is 1
IP address    Hardware address
172.16.1.11   00a0.9802.32de
172.16.3.254  02c7.f800.0422

switchxxxxxx# show ip dhcp pre-allocated 172.16.1.11
DHCP server enabled
The number of pre-allocated entries is 1
IP address    Hardware address
172.16.1.15   00a0.9802.32de
12.29 show ip dhcp server statistics
To display DHCP server statistics, use the show ip dhcp server statistics
command in User EXEC mode.
Syntax
show ip dhcp server statistics
Command Mode
User EXEC mode
Example
The following example displays DHCP server statistics.
switchxxxxxx# show ip dhcp server statistics
DHCP server enabled
The number of network pools is 7
The number of excluded pools is 2
The number of used (all types) entries is 7
The number of pre-allocated entries is 1
The number of allocated entries is 3
The number of expired entries is 1
The number of declined entries is 2
The number of static entries is 1
The number of dynamic entries is 2
The number of automatic entries is 1
12.30 time-server
To specify the time servers list for a DHCP client, use the time-server command in
DHCP Pool Network Configuration mode or in DHCP Pool Host Configuration
mode. To remove the time servers list, use the no form of this command.
Syntax
time-server ip-address [ip-address2 ... ip-address8]
no time-server
Parameters
• ip-address [ip-address2 ... ip-address8]—Specifies the IP addresses of
Time servers. Up to eight addresses can be specified in one command line.
Command Mode
DHCP Pool Network Configuration mode
DHCP Pool Host Configuration mode
Default Configuration
No time server is defined.
User Guidelines
The time server’s IP address should be on the same subnet as the client subnet.
Example
The following example specifies 10.12.1.99 as the time server IP address.
switchxxxxxx(config-dhcp)# time-server 10.12.1.99
13 DHCP Snooping Commands
13.1 ip dhcp snooping
Use the ip dhcp snooping Global Configuration mode command to enable
Dynamic Host Configuration Protocol (DHCP) Snooping globally. Use the no form
of this command to restore the default configuration.
Syntax
ip dhcp snooping
no ip dhcp snooping
Parameters
N/A
Default Configuration
DHCP snooping is disabled.
Command Mode
Global Configuration mode
User Guidelines
For any DHCP Snooping configuration to take effect, DHCP Snooping must be
enabled globally. DHCP Snooping on a VLAN is not active until DHCP Snooping on
a VLAN is enabled by using the ip dhcp snooping vlan Global Configuration mode
command.
Example
The following example enables DHCP Snooping on the device.
switchxxxxxx(config)# ip dhcp snooping
13.2 ip dhcp snooping vlan
Use the ip dhcp snooping vlan Global Configuration mode command to enable
DHCP Snooping on a VLAN. Use the no form of this command to disable DHCP
Snooping on a VLAN.
Syntax
ip dhcp snooping vlan vlan-id
no ip dhcp snooping vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
DHCP Snooping on a VLAN is disabled.
Command Mode
Global Configuration mode
User Guidelines
DHCP Snooping must be enabled globally before enabling DHCP Snooping on a
VLAN.
Example
The following example enables DHCP Snooping on VLAN 21.
switchxxxxxx(config)# ip dhcp snooping vlan 21
13.3 ip dhcp snooping trust
Use the ip dhcp snooping trust Interface Configuration (Ethernet, Port-channel)
mode command to configure a port as trusted for DHCP snooping purposes. Use
the no form of this command to restore the default configuration.
Syntax
ip dhcp snooping trust
no ip dhcp snooping trust
Parameters
N/A
Default Configuration
The interface is untrusted.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Configure as trusted the ports that are connected to a DHCP server or to other
switches or routers. Configure the ports that are connected to DHCP clients as
untrusted.
Example
The following example configures te1/0/4 as trusted for DHCP Snooping.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# ip dhcp snooping trust
13.4 ip dhcp snooping information option allowed-untrusted
Use the ip dhcp snooping information option allowed-untrusted Global
Configuration mode command to allow a device to accept DHCP packets with
option-82 information from an untrusted port. Use the no form of this command to
drop these packets from an untrusted port.
Syntax
ip dhcp snooping information option allowed-untrusted
no ip dhcp snooping information option allowed-untrusted
Parameters
N/A
Default Configuration
DHCP packets with option-82 information from an untrusted port are discarded.
Command Mode
Global Configuration mode
Example
The following example allows a device to accept DHCP packets with option-82
information from an untrusted port.
switchxxxxxx(config)# ip dhcp snooping information option allowed-untrusted
13.5 ip dhcp snooping verify
Use the ip dhcp snooping verify Global Configuration mode command to
configure a device to verify that the source MAC address in a DHCP packet
received on an untrusted port matches the client hardware address. Use the no
form of this command to disable MAC address verification in a DHCP packet
received on an untrusted port.
Syntax
ip dhcp snooping verify
no ip dhcp snooping verify
Default Configuration
The switch verifies that the source MAC address in a DHCP packet received on an
untrusted port matches the client hardware address in the packet.
Command Mode
Global Configuration mode
Example
The following example configures a device to verify that the source MAC address
in a DHCP packet received on an untrusted port matches the client hardware
address.
switchxxxxxx(config)# ip dhcp snooping verify
13.6 ip dhcp snooping database
Use the ip dhcp snooping database Global Configuration mode command to
enable the DHCP Snooping binding database file. Use the no form of this
command to delete the DHCP Snooping binding database file.
Syntax
ip dhcp snooping database
no ip dhcp snooping database
Parameters
N/A
Default Configuration
The DHCP Snooping binding database file is not defined.
Command Mode
Global Configuration mode
User Guidelines
The DHCP Snooping binding database file resides on Flash.
To ensure that the lease time in the database is accurate, the Simple Network Time
Protocol (SNTP) must be enabled and configured.
The device writes binding changes to the binding database file only if the device
system clock is synchronized with SNTP.
Example
The following example enables the DHCP Snooping binding database file.
switchxxxxxx(config)# ip dhcp snooping database
13.7 ip dhcp snooping binding
Use the ip dhcp snooping binding Privileged EXEC mode command to configure
the DHCP Snooping binding database and add dynamic binding entries to the
database. Use the no form of this command to delete entries from the binding
database.
Syntax
ip dhcp snooping binding mac-address vlan-id ip-address interface-id expiry {seconds | infinite}
no ip dhcp snooping binding mac-address vlan-id
Parameters
• mac-address—Specifies a MAC address.
• vlan-id—Specifies a VLAN number.
• ip-address—Specifies an IP address.
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
• expiry
  - seconds—Specifies the time interval, in seconds, after which the
  binding entry is no longer valid. (Range: 10–4294967294).
  - infinite—Specifies infinite lease time.
Default Configuration
No static binding exists.
Command Mode
Privileged EXEC mode
User Guidelines
Use the ip dhcp snooping binding command to manually add a dynamic entry to
the DHCP Snooping database.
After entering this command, an entry is added to the DHCP Snooping database. If
the DHCP Snooping binding file exists, the entry is also added to that file.
The entry is not added to the configuration files. The entry is displayed in
the show commands as a “DHCP Snooping” entry.
An entry added by this command can override an existing dynamic entry.
An entry added by this command cannot override an existing static entry added
by the ip source-guard binding command.
Use the no ip dhcp snooping binding command to manually delete a dynamic
entry from the DHCP Snooping database.
Dynamic temporary entries for which the IP address is 0.0.0.0 cannot be deleted.
Example
The following example adds a binding entry to the DHCP Snooping binding
database.
switchxxxxxx# ip dhcp snooping binding 0060.704C.73FF 23 176.10.1.1 te1/0/4 expiry 900
13.8 clear ip dhcp snooping database
Use the clear ip dhcp snooping database Privileged EXEC mode command to
clear the DHCP Snooping binding database.
Syntax
clear ip dhcp snooping database
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The following example clears the DHCP Snooping binding database.
switchxxxxxx# clear ip dhcp snooping database
13.9 show ip dhcp snooping
Use the show ip dhcp snooping EXEC mode command to display the DHCP
snooping configuration for all interfaces or for a specific interface.
Syntax
show ip dhcp snooping [interface-id]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the DHCP snooping configuration.
switchxxxxxx# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping is configured on following VLANs: 21
DHCP snooping database is Enabled
Relay agent Information option 82 is Enabled
Option 82 on untrusted port is allowed
Verification of hwaddr field is Enabled
DHCP snooping file update frequency is configured to: 6666 seconds
Interface  Trusted
---------  -------
te1/0/1    Yes
te1/0/2    Yes
13.10 show ip dhcp snooping binding
Use the show ip dhcp snooping binding User EXEC mode command to display the
DHCP Snooping binding database and configuration information for all interfaces
or for a specific interface.
Syntax
show ip dhcp snooping binding [mac-address mac-address] [ip-address ip-address] [vlan vlan-id] [interface-id]
Parameters
• mac-address mac-address—Specifies a MAC address.
• ip-address ip-address—Specifies an IP address.
• vlan vlan-id—Specifies a VLAN ID.
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the DHCP snooping binding database and
configuration information for all interfaces on a device.
switchxxxxxx# show ip dhcp snooping binding
Update frequency: 1200
Total number of binding: 2
Mac Address     IP Address  Lease (sec)  Type      VLAN  Interface
--------------  ----------  -----------  --------  ----  ---------------
0060.704C.73FF  10.1.8.1    7983         snooping  3     te1/0/1
0060.704C.7BC1  10.1.8.2    92332        snooping  3     te1/0/2
13.11 ip source-guard
Use the ip source-guard command in Configuration mode or Interface
Configuration mode to enable IP Source Guard globally on a device or in Interface
Configuration (Ethernet, Port-channel) mode to enable IP Source Guard on an
interface.
Use the no form of this command to disable IP Source Guard on the device or on
an interface.
Syntax
ip source-guard
no ip source-guard
Parameters
N/A
Default Configuration
IP Source Guard is disabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
IP Source Guard must be enabled globally before enabling IP Source Guard on an
interface.
IP Source Guard is active only on DHCP snooping untrusted interfaces, and only if
at least one of the interface's VLANs is DHCP snooping enabled.
Example
The following example enables IP Source Guard on te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# ip source-guard
13.12 ip source-guard binding
Use the ip source-guard binding Global Configuration mode command to
configure the static IP source bindings on the device. Use the no form of this
command to delete the static bindings.
Syntax
ip source-guard binding mac-address vlan-id ip-address interface-id
no ip source-guard binding mac-address vlan-id
Parameters
• mac-address—Specifies a MAC address.
• vlan-id—Specifies a VLAN number.
• ip-address—Specifies an IP address.
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Default Configuration
No static binding exists.
Command Mode
Global Configuration mode
User Guidelines
Use the ip source-guard binding command to add a static entry to the DHCP
database.
An entry added by this command can override an existing entry.
Use the no ip source-guard binding command to delete an entry from the DHCP
database.
Example
The following example configures the static IP source bindings.
switchxxxxxx(config)# ip source-guard binding 0060.704C.73FF 23 176.10.1.1 te1/0/4
13.13 ip source-guard tcam retries-freq
Use the ip source-guard tcam retries-freq Global Configuration mode command to
set the frequency of retries for TCAM resources for inactive IP Source Guard
addresses. Use the no form of this command to restore the default configuration.
Syntax
ip source-guard tcam retries-freq {seconds | never}
no ip source-guard tcam retries-freq
Parameters
• seconds—Specifies the retries frequency in seconds. (Range: 10–600)
• never—Disables automatic searching for TCAM resources.
Default Configuration
The default retries frequency is 60 seconds.
Command Mode
Global Configuration mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory
(TCAM) resources, there may be situations when IP Source Guard addresses are
inactive because of a lack of TCAM resources.
By default, once every minute the software conducts a search for available space
in the TCAM for the inactive IP Source Guard addresses. Use this command to
change the search frequency or to disable automatic retries for TCAM space.
The ip source-guard tcam locate command manually retries locating TCAM
resources for the inactive IP Source Guard addresses.
The show ip source-guard inactive EXEC mode command displays the inactive IP
Source Guard addresses.
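The interaction between global enablement, untrusted ports, DHCP-learned and static bindings, and TCAM exhaustion described in sections 13.11 through 13.13 can be modeled in a short program. The following Python code is an added example written for this guide, not code from Cisco or from the switch software; the Binding and SourceGuard classes, the tcam_capacity value, the permit/deny decision and the sample bindings are constructed assumptions that mirror the text (how the switch actually allocates TCAM is not documented here).

```python
from dataclasses import dataclass, field


@dataclass
class Binding:
    """One IP Source Guard binding; type is "DHCP" (learned by snooping) or "Static"."""
    mac: str
    vlan: int
    ip: str
    interface: str
    type: str


@dataclass
class SourceGuard:
    """Assumed model of IP Source Guard: filtering is active only on untrusted ports in a
    snooping-enabled VLAN, and every binding needs a TCAM slot to become active."""
    tcam_capacity: int                                    # constructed limit, not a device value
    global_enabled: bool = False
    isg_interfaces: set = field(default_factory=set)      # ip source-guard on the interface
    trusted_interfaces: set = field(default_factory=set)  # DHCP snooping trusted ports
    snooping_vlans: set = field(default_factory=set)      # DHCP snooping enabled VLANs
    bindings: dict = field(default_factory=dict)          # (mac, vlan) -> Binding
    active: set = field(default_factory=set)              # bindings holding a TCAM entry
    inactive: dict = field(default_factory=dict)          # (mac, vlan) -> reason

    def enable_interface(self, iface):
        if not self.global_enabled:
            raise ValueError("IP Source Guard must be enabled globally first")
        self.isg_interfaces.add(iface)
        self.locate_tcam()

    def add_binding(self, b):
        """ip source-guard binding: a new entry overrides an existing one for (mac, vlan)."""
        key = (b.mac.lower(), b.vlan)
        self.bindings[key] = b
        self.active.discard(key)
        self.inactive.pop(key, None)
        self.locate_tcam()

    def remove_binding(self, mac, vlan):
        """no ip source-guard binding: release the entry and its TCAM slot."""
        key = (mac.lower(), vlan)
        self.bindings.pop(key, None)
        self.active.discard(key)
        self.inactive.pop(key, None)

    def guards(self, iface, vlan):
        """True when IP Source Guard filters traffic on this interface and VLAN."""
        return (self.global_enabled and iface in self.isg_interfaces
                and iface not in self.trusted_interfaces and vlan in self.snooping_vlans)

    def locate_tcam(self):
        """The periodic retry (ip source-guard tcam retries-freq) or the manual retry
        (ip source-guard tcam locate): program bindings while TCAM space lasts."""
        for key, b in sorted(self.bindings.items()):
            if key in self.active:
                continue
            if b.interface in self.trusted_interfaces:
                self.inactive[key] = "Trust port"
            elif not self.guards(b.interface, b.vlan):
                continue
            elif len(self.active) < self.tcam_capacity:
                self.active.add(key)
                self.inactive.pop(key, None)
            else:
                self.inactive[key] = "Resource Problem"

    def filter(self, iface, vlan, src_ip, src_mac):
        """Permit only traffic whose source IP/MAC matches an active binding on that port."""
        if not self.guards(iface, vlan):
            return "permit"
        key = (src_mac.lower(), vlan)
        b = self.bindings.get(key)
        if b and key in self.active and b.ip == src_ip and b.interface == iface:
            return "permit"
        return "deny"


def demo():
    """Constructed scenario: VLAN 3 snooped, te1/0/1 trusted, only two TCAM slots."""
    isg = SourceGuard(tcam_capacity=2, global_enabled=True,
                      trusted_interfaces={"te1/0/1"}, snooping_vlans={3})
    for iface in ("te1/0/2", "te1/0/3", "te1/0/4"):
        isg.enable_interface(iface)
    isg.add_binding(Binding("0060.704C.7BC1", 3, "10.1.8.2", "te1/0/2", "DHCP"))
    isg.add_binding(Binding("0060.704C.7BC1", 3, "10.1.8.2", "te1/0/2", "Static"))  # overrides
    isg.add_binding(Binding("0060.704C.7BC3", 3, "10.1.8.3", "te1/0/3", "DHCP"))
    isg.add_binding(Binding("0060.704C.83FF", 3, "10.1.8.32", "te1/0/4", "DHCP"))  # TCAM full
    isg.add_binding(Binding("0060.704C.73FF", 3, "10.1.8.1", "te1/0/1", "DHCP"))   # trusted port
    results = {
        "bound host": isg.filter("te1/0/2", 3, "10.1.8.2", "0060.704C.7BC1"),
        "unbound ip": isg.filter("te1/0/2", 3, "10.1.8.9", "0060.704C.7BC1"),
        "trusted port": isg.filter("te1/0/1", 3, "10.1.8.77", "0060.704C.0000"),
        "inactive entry": isg.filter("te1/0/4", 3, "10.1.8.32", "0060.704C.83FF"),
        "override type": isg.bindings[("0060.704c.7bc1", 3)].type,
    }
    isg.tcam_capacity = 3
    isg.locate_tcam()  # space freed: the manual retry activates the waiting entry
    results["after locate"] = isg.filter("te1/0/4", 3, "10.1.8.32", "0060.704C.83FF")
    return results, dict(isg.inactive)
```

The inactive dictionary plays the role of the show ip source-guard inactive output: an entry on a trusted port is reported as "Trust port", and one that could not get a TCAM slot as "Resource Problem" until a retry succeeds. Note that a host whose binding is inactive is denied, not permitted, which is why the retry frequency matters operationally.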
Example
The following example sets the frequency of retries for TCAM resources to 2
minutes.
switchxxxxxx(config)# ip source-guard tcam retries-freq 120
13.14 ip source-guard tcam locate
Use the ip source-guard tcam locate Privileged EXEC mode command to manually
retry to locate TCAM resources for inactive IP Source Guard addresses.
Syntax
ip source-guard tcam locate
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory
(TCAM) resources, there may be situations when IP Source Guard addresses are
inactive because of a lack of TCAM resources.
By default, once every 60 seconds the software conducts a search for available
space in the TCAM for the inactive IP Source Guard addresses.
Execute the ip source-guard tcam retries-freq command with the never keyword
to disable automatic retries for TCAM space, and then execute this command to
manually retry locating TCAM resources for the inactive IP Source Guard
addresses.
The show ip source-guard inactive EXEC mode command displays the inactive IP
source guard addresses.
Example
The following example manually retries to locate TCAM resources.
switchxxxxxx# ip source-guard tcam locate
13.15 show ip source-guard configuration
Use the show ip source-guard configuration EXEC mode command to display the
IP source guard configuration for all interfaces or for a specific interface.
Syntax
show ip source-guard configuration [interface-id]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the IP Source Guard configuration.
switchxxxxxx# show ip source-guard configuration
IP source guard is globally enabled.
Interface   State
---------   -------
te1/0/1     Enabled
te1/0/2     Enabled
te1/0/3     Enabled
te1/0/4     Enabled
13.16 show ip source-guard status
Use the show ip source-guard status EXEC mode command to display the IP
Source Guard status.
Syntax
show ip source-guard status [mac-address mac-address] [ip-address ip-address]
[vlan vlan-id] [interface-id]
Parameters
• mac-address mac-address—Specifies a MAC address.
• ip-address ip-address—Specifies an IP address.
• vlan vlan-id—Specifies a VLAN ID.
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the IP Source Guard status.
switchxxxxxx# show ip source-guard status
IP source guard is globally enabled.
Interface   Filter   Status     IP Address   MAC Address      VLAN   Type
---------   ------   --------   ----------   --------------   ----   ------
te1/0/1     IP       Active     10.1.8.1     0060.704C.73FF   3      DHCP
te1/0/2     IP       Active     10.1.8.2     0060.704C.7BC1   3      Static
te1/0/3     IP       Active     Deny all     0060.704C.7BC3   4      DHCP
te1/0/4     IP       Inactive
13.17 show ip source-guard inactive
Use the show ip source-guard inactive EXEC mode command to display the IP
Source Guard inactive addresses.
Syntax
show ip source-guard inactive
Parameters
N/A
Command Mode
User EXEC mode
User Guidelines
Since the IP Source Guard uses the Ternary Content Addressable Memory
(TCAM) resources, there may be situations when IP Source Guard addresses are
inactive because of a lack of TCAM resources.
By default, once every minute the software conducts a search for available space
in the TCAM for the inactive IP Source Guard addresses.
Use the ip source-guard tcam retries-freq command to change the retry
frequency or to disable automatic retries for TCAM space.
Use the ip source-guard tcam locate command to manually retry locating TCAM
resources for the inactive IP Source Guard addresses.
This command displays the inactive IP source guard addresses.
Example
The following example displays the IP source guard inactive addresses.
switchxxxxxx# show ip source-guard inactive
TCAM resources search frequency: 60 seconds
Interface   Filter   IP Address   MAC Address      VLAN   Type   Reason
---------   ------   ----------   --------------   ----   ----   ----------------
te1/0/2     IP       10.1.8.32    0060.704C.83FF   3      DHCP   Resource Problem
te1/0/3     IP                                                   Trust port
te1/0/4     IP
13.18 show ip source-guard statistics
Use the show ip source-guard statistics EXEC mode command to display the
Source Guard dynamic information (permitted stations).
Syntax
show ip source-guard statistics [vlan vlan-id]
Parameters
• vlan-id—Display the statistics on this VLAN.
Command Mode
User EXEC mode
Example
switchxxxxxx# show ip source-guard statistics
VLAN   Statically Permitted Stations   DHCP Snooping Permitted Stations
----   -----------------------------   --------------------------------
2      2                               3
13.19 ip arp inspection
Use the ip arp inspection Global Configuration mode command globally to enable
Address Resolution Protocol (ARP) inspection. Use the no form of this command to
disable ARP inspection.
Syntax
ip arp inspection
no ip arp inspection
Parameters
N/A
Default Configuration
ARP inspection is disabled.
Command Mode
Global Configuration mode
User Guidelines
Note that if a port is configured as an untrusted port, then it should also be
configured as an untrusted port for DHCP Snooping, or the
IP-address-MAC-address binding for this port should be configured statically.
Otherwise, hosts that are attached to this port cannot respond to ARPs.
Example
The following example enables ARP inspection on the device.
switchxxxxxx(config)# ip arp inspection
13.20 ip arp inspection vlan
Use the ip arp inspection vlan Global Configuration mode command to enable
ARP inspection on a VLAN, based on the DHCP Snooping database. Use the no
form of this command to disable ARP inspection on a VLAN.
Syntax
ip arp inspection vlan vlan-id
no ip arp inspection vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Default Configuration
DHCP Snooping based ARP inspection on a VLAN is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables ARP inspection on a VLAN based on the DHCP snooping
database. Use the ip arp inspection list assign command to enable static ARP
inspection.
Example
The following example enables DHCP Snooping based ARP inspection on VLAN
23.
switchxxxxxx(config)# ip arp inspection vlan 23
13.21 ip arp inspection trust
Use the ip arp inspection trust Interface Configuration (Ethernet, Port-channel)
mode command to configure an interface trust state that determines if incoming
Address Resolution Protocol (ARP) packets are inspected. Use the no form of this
command to restore the default configuration.
Syntax
ip arp inspection trust
no ip arp inspection trust
Parameters
N/A
Default Configuration
The interface is untrusted.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The device does not check ARP packets that are received on the trusted interface;
it only forwards the packets.
For untrusted interfaces, the device intercepts all ARP requests and responses. It
verifies that the intercepted packets have valid IP-to-MAC address bindings
before updating the local cache and before forwarding the packet to the
appropriate destination. The device drops invalid packets and logs them in the log
buffer according to the logging configuration specified with the ip arp inspection
logging interval command.
Example
The following example configures te1/0/3 as a trusted interface.
switchxxxxxx(config)# interface te1/0/3
switchxxxxxx(config-if)# ip arp inspection trust
13.22 ip arp inspection validate
Use the ip arp inspection validate Global Configuration mode command to
perform specific checks for dynamic Address Resolution Protocol (ARP)
inspection. Use the no form of this command to restore the default configuration.
Syntax
ip arp inspection validate
no ip arp inspection validate
Parameters
N/A
Default Configuration
ARP inspection validation is disabled.
Command Mode
Global Configuration mode
User Guidelines
The following checks are performed:
• Source MAC address: Compares the source MAC address in the Ethernet
header against the sender MAC address in the ARP body. This check is
performed on both ARP requests and responses.
• Destination MAC address: Compares the destination MAC address in the
Ethernet header against the target MAC address in the ARP body. This
check is performed for ARP responses.
• IP addresses: Compares the ARP body for invalid and unexpected IP
addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast
addresses.
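The trust bypass, binding verification and rate-limited logging described under ip arp inspection trust (13.21), together with the three header checks listed above for ip arp inspection validate (13.22), form one decision path per ARP frame. The following Python program is an added example written for this guide, not Cisco code and not the switch's implementation; the frame builder, the ArpInspector class and the sample frames are constructed, and one detail is an assumption the page does not settle: the sender IP is checked on every packet while the target IP is checked on replies only.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP frame (test input, not a capture)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame):
    """Extract the Ethernet and ARP fields that the inspection checks compare."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet II ARP frame")
    return {
        "eth_dst": _mac_str(frame[0:6]), "eth_src": _mac_str(frame[6:12]),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": _mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


@dataclass
class ArpInspector:
    """Assumed model of the DAI decision path: trust bypass, validate checks, binding check."""
    vlans: set                     # VLANs enabled with ip arp inspection vlan
    trusted: set                   # interfaces configured with ip arp inspection trust
    bindings: dict                 # (vlan, ip) -> mac, from DHCP snooping or a static ARP list
    validate: bool = False         # ip arp inspection validate
    log_interval: float = 5.0      # ip arp inspection logging interval (default 5 seconds)
    log: list = field(default_factory=list)
    stats: dict = field(default_factory=lambda: {"forwarded": 0, "dropped": 0, "ipmac_failures": 0})
    _last_log: float = float("-inf")

    def _validate(self, a):
        """The three header checks of ip arp inspection validate."""
        if a["eth_src"] != a["sender_mac"]:
            return "source MAC mismatch"
        if a["op"] == ARP_REPLY and a["eth_dst"] != a["target_mac"]:
            return "destination MAC mismatch"
        ips = [a["sender_ip"]] + ([a["target_ip"]] if a["op"] == ARP_REPLY else [])
        for ip in ips:  # assumption: target IP is only examined on replies
            if ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast:
                return f"invalid IP {ip}"
        return None

    def inspect(self, interface, vlan, frame, now=0.0):
        """Return ("forward", reason) or ("drop", reason) for a frame received on interface."""
        if vlan not in self.vlans or interface in self.trusted:
            self.stats["forwarded"] += 1
            return "forward", "not inspected"
        a = parse_arp_frame(frame)
        reason = self._validate(a) if self.validate else None
        if reason is not None:
            self.stats["ipmac_failures"] += 1
        elif self.bindings.get((vlan, a["sender_ip"])) != a["sender_mac"]:
            reason = f"no binding for {a['sender_ip']} / {a['sender_mac']}"
        if reason is None:
            self.stats["forwarded"] += 1
            return "forward", "binding ok"
        self.stats["dropped"] += 1
        if now - self._last_log >= self.log_interval:  # SYSLOG is rate-limited
            self.log.append((interface, vlan, reason))
            self._last_log = now
        return "drop", reason


def demo():
    """Constructed scenario: VLAN 3 inspected, te1/0/1 trusted, two snooping bindings."""
    dai = ArpInspector(vlans={3}, trusted={"te1/0/1"}, validate=True,
                       bindings={(3, "10.1.8.1"): "00:60:70:4c:73:ff",
                                 (3, "10.1.8.2"): "00:60:70:4c:7b:c1"})
    bound_request = build_arp_frame("ff:ff:ff:ff:ff:ff", "00:60:70:4c:73:ff", ARP_REQUEST,
                                    "00:60:70:4c:73:ff", "10.1.8.1", "00:00:00:00:00:00", "10.1.8.2")
    unbound_reply = build_arp_frame("00:60:70:4c:7b:c1", "00:60:70:4c:73:ff", ARP_REPLY,
                                    "00:60:70:4c:73:ff", "10.1.8.254", "00:60:70:4c:7b:c1", "10.1.8.2")
    mac_mismatch = build_arp_frame("ff:ff:ff:ff:ff:ff", "00:60:70:4c:73:ff", ARP_REQUEST,
                                   "00:60:70:4c:aa:aa", "10.1.8.1", "00:00:00:00:00:00", "10.1.8.2")
    actions = [dai.inspect("te1/0/2", 3, bound_request, now=0.0)[0],
               dai.inspect("te1/0/2", 3, unbound_reply, now=1.0)[0],
               dai.inspect("te1/0/2", 3, mac_mismatch, now=2.0)[0],
               dai.inspect("te1/0/1", 3, unbound_reply, now=3.0)[0]]
    return actions, dai.stats, len(dai.log)
```

The stats dictionary mirrors the three counters of show ip arp inspection statistics (Forwarded, Dropped, IP/MAC Failures), and the log list shows why the logging interval matters: two drops one second apart produce a single SYSLOG entry at the default 5-second interval. The last call shows the trust bypass, where the same reply that was dropped on te1/0/2 is forwarded unchecked on the trusted te1/0/1.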
Example
The following example executes ARP inspection validation.
switchxxxxxx(config)# ip arp inspection validate
13.23 ip arp inspection list create
Use the ip arp inspection list create Global Configuration mode command to
create a static ARP binding list and enter the ARP list configuration mode. Use the
no form of this command to delete the list.
Syntax
ip arp inspection list create name
no ip arp inspection list create name
Parameters
• name—Specifies the static ARP binding list name. (Length: 1–32 characters).
Default Configuration
No static ARP binding list exists.
Command Mode
Global Configuration mode
User Guidelines
Use the ip arp inspection list assign command to assign the list to a VLAN.
Example
The following example creates the static ARP binding list ‘servers’ and enters the
ARP list configuration mode.
switchxxxxxx(config)# ip arp inspection list create servers
13.24 ip mac
Use the ip mac ARP-list Configuration mode command to create a static ARP
binding. Use the no form of this command to delete a static ARP binding.
Syntax
ip ip-address mac mac-address
no ip ip-address mac mac-address
Parameters
• ip-address—Specifies the IP address to be entered to the list.
• mac-address—Specifies the MAC address associated with the IP address.
Default Configuration
No static ARP binding is defined.
Command Mode
ARP-list Configuration mode
Example
The following example creates a static ARP binding.
switchxxxxxx(config)# ip arp inspection list create servers
switchxxxxxx(config-arp-list)# ip 172.16.1.1 mac 0060.704C.7321
switchxxxxxx(config-arp-list)# ip 172.16.1.2 mac 0060.704C.7322
13.25 ip arp inspection list assign
Use the ip arp inspection list assign Global Configuration mode command to
assign a static ARP binding list to a VLAN. Use the no form of this command to
delete the assignment.
Syntax
ip arp inspection list assign vlan-id name
no ip arp inspection list assign vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
• name—Specifies the static ARP binding list name.
Default Configuration
No static ARP binding list assignment exists.
Command Mode
Global Configuration mode
Example
The following example assigns the static ARP binding list Servers to VLAN 37.
switchxxxxxx(config)# ip arp inspection list assign 37 servers
13.26 ip arp inspection logging interval
Use the ip arp inspection logging interval Global Configuration mode command to
set the minimum time interval between successive ARP SYSLOG messages. Use
the no form of this command to restore the default configuration.
Syntax
ip arp inspection logging interval {seconds | infinite}
no ip arp inspection logging interval
Parameters
• seconds—Specifies the minimum time interval between successive ARP
SYSLOG messages. A 0 value means that a system message is
immediately generated. (Range: 0–86400)
• infinite—Specifies that SYSLOG messages are not generated.
Default Configuration
The default minimum ARP SYSLOG message logging time interval is 5 seconds.
Command Mode
Global Configuration mode
Example
The following example sets the minimum ARP SYSLOG message logging time
interval to 60 seconds.
switchxxxxxx(config)# ip arp inspection logging interval 60
13.27 show ip arp inspection
Use the show ip arp inspection EXEC mode command to display the ARP
inspection configuration for all interfaces or for a specific interface.
Syntax
show ip arp inspection [interface-id]
Parameters
• interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port or Port-channel.
Command Mode
User EXEC mode
Example
The following example displays the ARP inspection configuration.
switchxxxxxx# show ip arp inspection
IP ARP inspection is Enabled
IP ARP inspection is configured on following VLANs: 1
Verification of packet header is Enabled
IP ARP inspection logging interval is: 222 seconds
Interface     Trusted
-----------   -----------
te1/0/1       Yes
te1/0/2       Yes
13.28 show ip arp inspection list
Use the show ip arp inspection list Privileged EXEC mode command to display the
static ARP binding list.
Syntax
show ip arp inspection list
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The following example displays the static ARP binding list.
switchxxxxxx# show ip arp inspection list
List name: servers
Assigned to VLANs: 1,2
IP            ARP
-----------   --------------
172.16.1.1    0060.704C.7322
172.16.1.2    0060.704C.7322
13.29 show ip arp inspection statistics
Use the show ip arp inspection statistics EXEC command to display statistics for
the following types of packets that have been processed by this feature:
Forwarded, Dropped, IP/MAC Validation Failure.
Syntax
show ip arp inspection statistics [vlan vlan-id]
Parameters
• vlan-id—Specifies VLAN ID.
Command Mode
User EXEC mode
User Guidelines
To clear ARP Inspection counters, use the clear ip arp inspection statistics
command. Counter values are kept when the ARP Inspection feature is disabled.
Example
switchxxxxxx# show ip arp inspection statistics
Vlan   Forwarded Packets   Dropped Packets   IP/MAC Failures
----   -----------------   ---------------   ---------------
2      1500100             80
13.30 clear ip arp inspection statistics
Use the clear ip arp inspection statistics Privileged EXEC mode command to clear
ARP Inspection statistics globally.
Syntax
clear ip arp inspection statistics [vlan vlan-id]
Parameters
• vlan-id—Specifies VLAN ID.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# clear ip arp inspection statistics
14
DHCPv6 Commands
14.1 clear ipv6 dhcp client
To restart DHCP for an IPv6 client on an interface, use the clear ipv6 dhcp client
command in Privileged EXEC mode.
Syntax
clear ipv6 dhcp client interface-id
Parameters
• interface-id—Interface identifier.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command restarts DHCP for an IPv6 client on a specified interface after first
releasing and unconfiguring previously-acquired prefixes and other configuration
options (for example, Domain Name System [DNS] servers).
Example
The following example restarts the DHCP for IPv6 client on VLAN 100:
switchxxxxxx# clear ipv6 dhcp client vlan 100
14.2 ipv6 dhcp client information refresh
To configure the information refresh time that the IPv6 client uses on a specified
interface when the DHCPv6 server reply does not include the Information Refresh
Time option, use the ipv6 dhcp client information refresh command in Interface
Configuration mode. To return the refresh time to its default value, use the no
form of this command.
Syntax
ipv6 dhcp client information refresh seconds | infinite
no ipv6 dhcp client information refresh
Parameters
• seconds—The refresh time, in seconds. The value cannot be less than the
minimal acceptable refresh time configured by the ipv6 dhcp client
information refresh command. The maximum value that can be used is
4,294,967,294 seconds (0xFFFFFFFE).
• infinite—Infinite refresh time.
Default Configuration
The default is 86,400 seconds (24 hours).
Command Mode
Interface Configuration mode
User Guidelines
The ipv6 dhcp client information refresh command specifies the information
refresh time. If the server does not send an information refresh time option, the
value configured by this command is used.
Use the infinite keyword to prevent refresh if the server does not send an
information refresh time option.
Example
The following example configures an upper limit of 2 days:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp client information refresh 172800
switchxxxxxx(config-if)# exit
14.3 ipv6 dhcp client information refresh minimum
To configure the minimum acceptable refresh time on the specified interface, use
the ipv6 dhcp client information refresh minimum command in Interface
Configuration mode. To remove the configured refresh time, use the no form of this
command.
Syntax
ipv6 dhcp client information refresh minimum seconds | infinite
no ipv6 dhcp client information refresh minimum
Parameters
• seconds—The refresh time, in seconds. The minimum value that can be
used is 600 seconds. The maximum value that can be used is 4,294,967,294
seconds (0xFFFFFFFE).
• infinite—Infinite refresh time.
Default Configuration
The default is 86,400 seconds (24 hours).
Command Mode
Interface Configuration mode
User Guidelines
The ipv6 dhcp client information refresh minimum command specifies the
minimum acceptable information refresh time. If the server sends an information
refresh time option of less than the configured minimum refresh time, the
configured minimum refresh time will be used instead.
This command may be configured in the following situations:
• In unstable environments where unexpected changes are likely to occur.
• For planned changes, including renumbering. An administrator can gradually
decrease the time as the planned event nears.
• Limit the amount of time before new services or servers are available to the
client, such as the addition of a new Simple Network Time Protocol (SNTP)
server or a change of address of a Domain Name System (DNS) server.
If you configure the infinite keyword, the client never refreshes the information.
Example
The following example configures an upper limit of 2 days:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp client information refresh 172800
switchxxxxxx(config-if)# exit
14.4 ipv6 dhcp client stateless
To enable DHCP for an IPv6 client process and to enable request for stateless
configuration through the interface on which the command is run, use the ipv6
dhcp client stateless command in Interface Configuration mode. To disable
requests for stateless configuration, use the no form of this command.
Syntax
ipv6 dhcp client stateless
no ipv6 dhcp client stateless
Parameters
This command has no arguments or keywords.
Default Configuration
Information request is disabled on an interface.
Command Mode
Interface Configuration mode
User Guidelines
Enabling this command starts the DHCPv6 client process if the process is not yet
running and the IPv6 interface is enabled on the interface.
This command enables the DHCPv6 Stateless service on the interface. The
service allows the interface to receive configuration from a DHCP server, passed
in the following options:
• Option 7: OPTION_PREFERENCE - The preference value for the server in this
message
• Option 12: OPTION_UNICAST - The IP address to which the client should send
messages delivered using unicast
• Option 23: OPTION_DNS_SERVERS - List of DNS Servers IPv6 Addresses
• Option 24: OPTION_DOMAIN_LIST - Domain Search List
• Option 31: OPTION_SNTP_SERVERS - List of SNTP Servers IPv6 Addresses
• Option 32: OPTION_INFORMATION_REFRESH_TIME - Information Refresh Time
Option
• Option 41: OPTION_NEW_POSIX_TIMEZONE - New Timezone Posix String
• Option 59: OPT_BOOTFILE_URL - Configuration Server URL
• Option 60: OPT_BOOTFILE_PARAM, the first parameter - Configuration File Path
Name
DHCPv6 client and relay functions are mutually exclusive on an interface.
Example
The following example enables the Stateless service:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp client stateless
switchxxxxxx(config-if)# exit
14.5 ipv6 dhcp duid-en
To set the DHCPv6 Unique Identifier format to Vendor Based on Enterprise Number
(DUID-EN), use the ipv6 dhcp duid-en command in Global Configuration mode.
To return to the default value, use the no form of this command.
Syntax
ipv6 dhcp duid-en enterprise-number identifier
no ipv6 dhcp duid-en
Parameters
• enterprise-number—The vendor’s registered Private Enterprise number as
maintained by IANA.
• identifier—The vendor-defined non-empty hex string (up to 64 hex
characters). If the number of hex characters is odd, a '0' is appended on the
right. Each pair of hex characters can be separated by a period or colon.
Default Configuration
DUID Based on Link-layer Address (DUID-LL) is used. The base MAC Address is
used as a Link-layer Address.
Command Mode
Global Configuration mode
User Guidelines
By default, the DHCPv6 uses the DUID Based on Link-layer Address (see
RFC3315) with the Base MAC Address as a Link-layer Address.
Use this command to change the DUID format to the Vendor Based on Enterprise
Number.
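The identifier rules above (a non-empty hex string of up to 64 characters, a trailing '0' appended when the digit count is odd, optional '.' or ':' separators between byte pairs) are easy to get wrong by hand, and the resulting DUID must match what the DHCPv6 server has on record. The following Python functions are an added example written for this guide, not Cisco code; they normalize an identifier exactly as the parameter description states and assemble the DUID-EN wire format defined in RFC 3315 (2-byte type code 2, 4-byte enterprise number, then the identifier bytes). The function names are assumptions, and the sample values are the ones from the examples below.

```python
import re
import struct

DUID_EN_TYPE = 2  # DUID-EN type code (RFC 3315, section 9.3)


def normalize_duid_identifier(identifier):
    """Apply the identifier rules of ipv6 dhcp duid-en: 1 to 64 hex characters, an optional
    '.' or ':' between byte pairs, and a trailing '0' appended when the digit count is odd."""
    if not re.fullmatch(r"[0-9A-Fa-f]{1,2}(?:[.:]?[0-9A-Fa-f]{1,2})*", identifier or ""):
        raise ValueError("identifier must be non-empty hex, optionally separated by '.' or ':'")
    digits = re.sub(r"[.:]", "", identifier)
    if len(digits) > 64:
        raise ValueError("identifier is limited to 64 hex characters")
    if len(digits) % 2:
        digits += "0"  # the switch pads an odd-length string on the right
    return digits.upper()


def build_duid_en(enterprise_number, identifier):
    """Return the DUID-EN wire format: type (2 bytes) | enterprise number (4 bytes) | identifier."""
    if not 0 <= enterprise_number <= 0xFFFFFFFF:
        raise ValueError("enterprise number must fit in 32 bits")
    ident = bytes.fromhex(normalize_duid_identifier(identifier))
    return struct.pack("!HI", DUID_EN_TYPE, enterprise_number) + ident


def parse_duid_en(duid):
    """Decode a DUID-EN back into (enterprise_number, identifier hex string)."""
    if len(duid) < 7:
        raise ValueError("a DUID-EN carries at least 7 bytes")
    duid_type, enterprise = struct.unpack("!HI", duid[:6])
    if duid_type != DUID_EN_TYPE:
        raise ValueError(f"not a DUID-EN (type {duid_type})")
    return enterprise, duid[6:].hex().upper()
```

Both spellings used in the examples below, 0CC084D303000912 and 0C:C0:84:D3:03:00:09:12, normalize to the same bytes, so a DHCPv6 server that keys leases or reservations on the DUID sees one identity regardless of which form was typed.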
Examples
Example 1. The following sets the DUID-EN format:
switchxxxxxx(config)# ipv6 dhcp duid-en 9 0CC084D303000912
Example 2. The following sets the DUID-EN format using colons as delimiter:
switchxxxxxx(config)# ipv6 dhcp duid-en 9 0C:C0:84:D3:03:00:09:12
14.6 ipv6 dhcp relay destination (Global)
To specify a globally-defined relay destination address to which client messages
are forwarded, use the ipv6 dhcp relay destination command in Global
Configuration mode. To remove a relay destination address, use the no form of this
command.
Syntax
ipv6 dhcp relay destination {ipv6-address [interface-id]} | interface-id
no ipv6 dhcp relay destination [{ipv6-address [interface-id]} | interface-id]
Parameters
• ipv6-address [interface-id]—Relay destination IPv6 address in the form
documented in RFC 4291 where the address is specified in hexadecimal
using 16-bit values between colons. There are the following types of relay
destination address:
- Link-local Unicast address. A user must specify the interface-id
argument for this kind of address.
- Global Unicast IPv6 address. If the interface-id argument is omitted then
the Routing table is used.
• interface-id—Interface identifier that specifies the output interface for a
destination. If this argument is configured, client messages are forwarded to
the well-known link-local Multicast address
All_DHCP_Relay_Agents_and_Servers (FF02::1:2) through the link to which
the output interface is connected.
Default Configuration
There is no globally-defined relay destination.
Command Mode
Global Configuration mode
User Guidelines
The ipv6 dhcp relay destination command specifies a destination address to
which client messages are forwarded. The address is used by all DHCPv6 relays
running on the switch. Up to 100 addresses can be defined.
When a relay service is running on an interface, a DHCP for IPv6 message
received on that interface will be forwarded to all configured relay destinations
configured per interface and globally.
Multiple destinations can be configured on one interface, and multiple output
interfaces can be configured for one destination.
Unspecified, loopback, and Multicast addresses are not acceptable as the relay
destination.
Use the no form of the command with the ipv6-address and interface-id
arguments to remove only the given globally-defined address with the given
output interface.
Use the no form of the command with the ipv6-address argument to remove only
the given globally-defined address for all output interfaces.
The no form of the command without the arguments removes all the
globally-defined addresses.
Examples
Example 1. The following example sets the relay unicast link-local destination
address per VLAN 200:
switchxxxxxx(config)# ipv6 dhcp relay destination FE80::1:2 vlan 200
Example 2. The following example sets that client messages are forwarded to
VLAN 200:
switchxxxxxx(config)# ipv6 dhcp relay destination vlan 200
Example 3. The following example sets the unicast global relay destination
address:
switchxxxxxx(config)# ipv6 dhcp relay destination 3002::1:2
14.7 ipv6 dhcp relay destination (Interface)
To specify a destination address to which client messages are forwarded and to
enable DHCP for IPv6 relay service on the interface, use the ipv6 dhcp relay
destination command in Interface Configuration mode. To remove a relay
destination on the interface or to delete an output interface for a destination, use
the no form of this command.
Syntax
ipv6 dhcp relay destination [{ipv6-address [interface-id]} | interface-id]
no ipv6 dhcp relay destination [{ipv6-address [interface-id]} | interface-id]
Parameters
• ipv6-address [interface-id]—Relay destination IPv6 address in the form
documented in RFC 4291 where the address is specified in hexadecimal
using 16-bit values between colons. There are the following types of relay
destination address:
- Link-local Unicast address. A user must specify the interface-id
argument for this kind of address.
- Global Unicast IPv6 address. If the interface-id argument is omitted then
the Routing table is used.
• interface-id—Interface identifier that specifies the output interface for a
destination. If this argument is configured, client messages are forwarded to
the well-known link-local Multicast address
All_DHCP_Relay_Agents_and_Servers (FF02::1:2) through the link to which
the output interface is connected.
Default Configuration
The relay function is disabled, and there is no relay destination on an interface.
Command Mode
Interface Configuration mode
User Guidelines
This command specifies a destination address to which client messages are
forwarded, and it enables DHCP for IPv6 relay service on the interface. Up to 10
addresses can be defined per one interface and up to 100 addresses can be
defined per switch.
DHCPv6 Relay inserts the Interface-id option if an IPv6 global address is not
defined on the interface on which the relay is running. The Interface-id field of the
option is the interface name (a value of the ifName field of the ifTable) on which the
relay is running.
When relay service is running on an interface, a DHCP for IPv6 message received
on that interface is forwarded to all relay destinations configured per interface
and globally.
The incoming DHCP for IPv6 message may have come from a client on that
interface, or it may have been relayed by another relay agent.
The relay destination can be a Unicast address of a server or another relay agent,
or it may be a Multicast address. There are two types of relay destination
addresses:
• A link-local Unicast or Multicast IPv6 address, for which a user must specify an
output interface.
• A global Unicast IPv6 address. A user can optionally specify an output
interface for this kind of address.
If no output interface is configured for a destination, the output interface is
determined by routing tables. In this case, it is recommended that a Unicast or
Multicast routing protocol be running on the router.
Multiple destinations can be configured on one interface, and multiple output
interfaces can be configured for one destination. When the relay agent relays
messages to a Multicast address, it sets the hop limit field in the IPv6 packet
header to 32.
Unspecified, loopback, and node-local Multicast addresses are not acceptable as
the relay destination.
Note that it is not necessary to enable the relay function on an interface for it to
accept and forward an incoming relay reply message from servers. By default, the
relay function is disabled, and there is no relay destination on an interface.
Use the no form of the command with arguments to remove a specific address.
Use the no form of the command without arguments to remove all the defined
addresses and to disable the relay on the interface.
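As an added illustration that is not part of the Cisco guide, the following Python model applies the acceptance rules above to a candidate relay destination (link-local needs an output interface; unspecified, loopback and node-local multicast are rejected; multicast destinations get hop limit 32) and tracks the 10-per-interface and 100-per-switch limits. The names Dhcpv6RelayConfig, check_relay_destination and RelayDestination are assumptions made for this example; the switch exposes none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Limits and constants stated in the guide's User Guidelines
MAX_DESTINATIONS_PER_INTERFACE = 10
MAX_DESTINATIONS_PER_SWITCH = 100
MULTICAST_HOP_LIMIT = 32
# Well-known All_DHCP_Relay_Agents_and_Servers group, used when the command
# carries only an output interface and no address
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "FF02::1:2"


@dataclass
class RelayDestination:
    address: ipaddress.IPv6Address
    output_interface: Optional[str]  # None: output interface comes from the routing table

    @property
    def hop_limit(self) -> Optional[int]:
        """32 for multicast destinations; None means the stack default, which
        the guide does not specify for unicast."""
        return MULTICAST_HOP_LIMIT if self.address.is_multicast else None


def multicast_scope(addr: ipaddress.IPv6Address) -> int:
    """Scope nibble of a multicast address (1 = node-local, 2 = link-local, ...)."""
    return (int(addr) >> 112) & 0xF


def check_relay_destination(address: str,
                            output_interface: Optional[str] = None) -> Tuple[bool, str]:
    """Apply the guide's acceptance rules to one destination; returns (ok, reason)."""
    try:
        addr = ipaddress.IPv6Address(address)
    except ValueError:
        return False, "not a valid IPv6 address"
    if addr.is_unspecified or addr.is_loopback:
        return False, "unspecified and loopback addresses are not accepted"
    if addr.is_multicast and multicast_scope(addr) == 1:
        return False, "node-local multicast addresses are not accepted"
    # fe80::/10 unicast or ff02::/16 multicast is link-scoped, so the switch
    # cannot pick the outgoing link from the routing table
    link_scoped = addr.is_link_local or (addr.is_multicast and multicast_scope(addr) == 2)
    if link_scoped and output_interface is None:
        return False, "link-local destinations require an output interface"
    return True, "ok"


class Dhcpv6RelayConfig:
    """Tracks 'ipv6 dhcp relay destination' entries per interface (hypothetical model)."""

    def __init__(self) -> None:
        self.destinations: Dict[str, List[RelayDestination]] = {}

    def relay_enabled(self, interface: str) -> bool:
        return interface in self.destinations

    def total(self) -> int:
        return sum(len(d) for d in self.destinations.values())

    def add(self, interface: str, address: Optional[str] = None,
            output_interface: Optional[str] = None) -> Optional[RelayDestination]:
        """Model the three forms of the command:
           no arguments           -> enable relay on the interface only
           interface-id only      -> well-known multicast group via that interface
           address [interface-id] -> explicit destination"""
        if address is None and output_interface is None:
            self.destinations.setdefault(interface, [])
            return None
        if address is None:
            address = ALL_DHCP_RELAY_AGENTS_AND_SERVERS
        ok, reason = check_relay_destination(address, output_interface)
        if not ok:
            raise ValueError(reason)
        if len(self.destinations.get(interface, [])) >= MAX_DESTINATIONS_PER_INTERFACE:
            raise ValueError("more than %d destinations on %s" % (MAX_DESTINATIONS_PER_INTERFACE, interface))
        if self.total() >= MAX_DESTINATIONS_PER_SWITCH:
            raise ValueError("more than %d destinations on the switch" % MAX_DESTINATIONS_PER_SWITCH)
        dest = RelayDestination(ipaddress.IPv6Address(address), output_interface)
        self.destinations.setdefault(interface, []).append(dest)
        return dest


if __name__ == "__main__":
    # The guide's Examples 1 to 3, applied on VLAN 100
    cfg = Dhcpv6RelayConfig()
    cfg.add("vlan 100", "FE80::1:2", "vlan 200")
    cfg.add("vlan 100", None, "vlan 200")
    cfg.add("vlan 100", "3002::1:2")
    for d in cfg.destinations["vlan 100"]:
        print(d.address, d.output_interface or "(routing table)", "hop limit:", d.hop_limit)
```

The model rejects the same inputs the guide says the switch rejects, which makes it usable as a pre-check in configuration tooling before pushing commands to a device.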
Examples
Example 1. The following example sets the relay Unicast link-local destination
address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if it was not
enabled:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination FE80::1:2 vlan 200
switchxxxxxx(config-if)# exit
Example 2. The following example sets the relay well-known Multicast link-local
destination address per VLAN 200 and enables the DHCPv6 Relay on VLAN 100 if
it was not enabled:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination vlan 200
switchxxxxxx(config-if)# exit
Example 3. The following example sets the Unicast global relay destination
address and enables the DHCPv6 Relay on VLAN 100 if it was not enabled:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination 3002::1:2
switchxxxxxx(config-if)# exit
Example 4. The following example enables DHCPv6 relay on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp relay destination
switchxxxxxx(config-if)# exit
Example 5. The following example disables DHCPv6 relay on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# no ipv6 dhcp relay destination
switchxxxxxx(config-if)# exit
14.8 show ipv6 dhcp
To display the DHCP unique identifier (DUID) of the device, use the show ipv6
dhcp command in User EXEC mode. This information is relevant for DHCPv6 clients
and DHCPv6 relays.
Syntax
show ipv6 dhcp
Parameters
NA
Command Mode
User EXEC mode
User Guidelines
This command uses the DUID, which is based on the link-layer address for both
client and server identifiers. The device uses the MAC address from the
lowest-numbered interface to form the DUID.
Examples
Example 1. The following is sample output from this command when the switch’s
DUID format is vendor-based on enterprise number:
switchxxxxxx# show ipv6 dhcp
The switch’s DHCPv6 unique identifier(DUID)is 0002000000090CC084D303000912
Format: 2
Enterprise Number: 9
Identifier: 0CC084D303000912
Example 2. The following is sample output from this command when the switch’s
DUID format is vendor-based on link-layer address:
switchxxxxxx# show ipv6 dhcp
The switch’s DHCPv6 unique identifier(DUID)is 000300010024012607AA
Format: 3
Hardware type: 1
MAC Address: 0024.0126.07AA
Example 3. The following is sample output from this command when the switch’s
DUID format is vendor-based on link-layer address and DHCPv6 Relay is
supported:
switchxxxxxx# show ipv6 dhcp
The switch’s DHCPv6 unique identifier(DUID)is 000300010024012607AA
Format: 3
Hardware type: 1
MAC Address: 0024.0126.07AA
Relay Destinations:
2001:001:250:A2FF:FEBF:A056
2001:1001:250:A2FF:FEBF:A056
2001:1011:250:A2FF:FEBF:A056 via VLAN 100
FE80::250:A2FF:FEBF:A056 via VLAN 100
FE80::250:A2FF:FEBF:A056 via VLAN 200
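The DUID strings in these outputs decode into the fields the switch prints beneath them. As an added example that is not part of the guide, the Python below parses a DUID hex string into those fields (format, enterprise number and identifier for format 2; hardware type and MAC address for format 3) and, going beyond the two formats the output illustrates, also handles the DUID-LLT (1) and DUID-UUID (4) types defined in RFC 8415. The function names parse_duid, render_duid and cisco_mac are assumptions made for this example.

```python
import uuid
from typing import Any, Dict

# DUID types from RFC 8415; the guide's output shows formats 2 and 3
DUID_TYPE_NAMES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def cisco_mac(raw: bytes) -> str:
    """Render a link-layer address the way the switch prints it, e.g. 0024.0126.07AA."""
    hexstr = raw.hex().upper()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def parse_duid(duid_hex: str) -> Dict[str, Any]:
    """Split a DUID given as a hex string into its typed fields."""
    raw = bytes.fromhex(duid_hex.strip())
    if len(raw) < 2:
        raise ValueError("DUID shorter than the 2-byte type field")
    fmt = int.from_bytes(raw[:2], "big")
    body = raw[2:]
    out: Dict[str, Any] = {"format": fmt, "type_name": DUID_TYPE_NAMES.get(fmt, "unknown")}
    if fmt == 1:                      # DUID-LLT: hardware type, time, link-layer address
        if len(body) < 7:
            raise ValueError("DUID-LLT too short")
        out["hardware_type"] = int.from_bytes(body[:2], "big")
        out["time"] = int.from_bytes(body[2:6], "big")
        out["mac_address"] = cisco_mac(body[6:])
    elif fmt == 2:                    # DUID-EN: enterprise number, identifier
        if len(body) < 5:
            raise ValueError("DUID-EN too short")
        out["enterprise_number"] = int.from_bytes(body[:4], "big")
        out["identifier"] = body[4:].hex().upper()
    elif fmt == 3:                    # DUID-LL: hardware type, link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL too short")
        out["hardware_type"] = int.from_bytes(body[:2], "big")
        out["mac_address"] = cisco_mac(body[2:])
    elif fmt == 4:                    # DUID-UUID: exactly 16 bytes of UUID
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        out["uuid"] = str(uuid.UUID(bytes=body))
    else:
        out["data"] = body.hex().upper()
    return out


def render_duid(duid_hex: str) -> str:
    """Produce the same detail lines the 'show ipv6 dhcp' output uses."""
    p = parse_duid(duid_hex)
    lines = ["Format: %d" % p["format"]]
    if p["format"] == 2:
        lines.append("Enterprise Number: %d" % p["enterprise_number"])
        lines.append("Identifier: %s" % p["identifier"])
    elif p["format"] in (1, 3):
        lines.append("Hardware type: %d" % p["hardware_type"])
        if p["format"] == 1:
            lines.append("Time: %d" % p["time"])
        lines.append("MAC Address: %s" % p["mac_address"])
    elif p["format"] == 4:
        lines.append("UUID: %s" % p["uuid"])
    else:
        lines.append("Data: %s" % p["data"])
    return "\n".join(lines)


if __name__ == "__main__":
    # The two DUIDs shown in the guide's examples
    for duid in ("0002000000090CC084D303000912", "000300010024012607AA"):
        print(duid)
        print(render_duid(duid))
```

Decoding the DUID this way is useful when matching a switch against DHCPv6 server leases or relay logs, since servers key bindings on the DUID rather than on the MAC address alone.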
14.9 show ipv6 dhcp interface
To display DHCP for IPv6 interface information, use the show ipv6 dhcp interface
command in User EXEC mode.
Syntax
show ipv6 dhcp interface [interface-id]
Parameters
• interface-id—Interface identifier.
Command Mode
User EXEC mode
User Guidelines
If no interfaces are specified in the command, all interfaces on which DHCP for
IPv6 (client or server) is enabled are displayed. If an interface is specified in the
command, only information about the specified interface is displayed.
Note: This is a legacy output format supported by software versions that do not
support stateful configuration.
Example
The following is sample output from this command when only the Stateless
service is enabled:
switchxxxxxx# show ipv6 dhcp interface
VLAN 100 is in client mode
DHCP Operational mode is enabled
Stateless Service is enabled
Reconfigure service is enabled
Information Refresh Minimum Time: 600 seconds
Information Refresh Time: 86400 seconds
Received Information Refresh Time: 3600 seconds
Remain Information Refresh Time: 411 seconds
DHCP server:
Address FE80::202:FCFF:FEA1:7439, DUID 000300010002FCA17400
Preference: 20
DNS Servers: 1001::1, 2001::10
DNS Domain Search List: company.com beta.org
SNTP Servers: 2004::1
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
Configuration Server: config.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Indirect Image Path Name: qqq/config/aaa_image_name.txt
VLAN 110 is in client mode
DHCP Operational mode is disabled (IPv6 is not enabled)
Stateless Service is enabled
Reconfigure service is enabled
Information Refresh Minimum Time: 600 seconds
Information Refresh Time: 86400 seconds
Remain Information Refresh Time: 0 seconds
VLAN 1000 is in client mode
DHCP Operational mode is disabled (Interface status is DOWN)
Stateless Service is enabled
Reconfigure service is enabled
Information Refresh Minimum Time: 600 seconds
Information Refresh Time: 86400 seconds
Remain Information Refresh Time: 0 seconds
VLAN 1010 is in relay mode
DHCP Operational mode is enabled
Relay source interface: VLAN 101
Relay destinations:
2001:001:250:A2FF:FEBF:A056
FE80::250:A2FF:FEBF:A056 via FastEthernet 1/0/10
15
DNS Client Commands
15.1 clear host
Use the clear host command in privileged EXEC mode to delete dynamic
hostname-to-address mapping entries from the DNS client name-to-address
cache.
Syntax
clear host {hostname | *}
Parameters
• hostname—Name of the host for which hostname-to-address mappings are
to be deleted from the DNS client name-to-address cache.
• *—Specifies that all the dynamic hostname-to-address mappings are to be
deleted from the DNS client name-to-address cache.
Default Configuration
No hostname-to-address mapping entries are deleted from the DNS client
name-to-address cache.
Command Mode
Privileged EXEC mode
User Guidelines
To remove the dynamic entry that provides mapping information for a single
hostname, use the hostname argument. To remove all the dynamic entries, use the
* keyword.
To define static hostname-to-address mappings in the DNS hostname cache, use
the ip host command.
To delete static hostname-to-address mappings from the DNS hostname cache,
use the no ip host command.
Example
The following example deletes all dynamic entries from the DNS client
name-to-address cache.
switchxxxxxx# clear host *
15.2 ip domain lookup
Use the ip domain lookup command in Global Configuration mode to enable the IP
Domain Naming System (DNS)-based host name-to-address translation.
To disable the DNS, use the no form of this command.
Syntax
ip domain lookup
no ip domain lookup
Parameters
N/A
Default Configuration
Enabled.
Command Mode
Global Configuration mode
Example
The following example enables DNS-based host name-to-address translation.
switchxxxxxx(config)# ip domain lookup
15.3 ip domain name
Use the ip domain name command in Global Configuration mode to define a
default domain name that the switch uses to complete unqualified hostnames
(names without a dotted-decimal domain name).
To delete the static defined default domain name, use the no form of this
command.
Syntax
ip domain name name
no ip domain name
Parameters
name—Default domain name used to complete unqualified host names. Do not
include the initial period that separates an unqualified name from the domain
name. Length: 1–158 characters. Maximum label length of each domain level is 63
characters.
Default Configuration
No default domain name is defined.
Command Mode
Global Configuration mode
User Guidelines
Any IP hostname that does not contain a domain name (that is, any name without a
dot) will have the dot and the default domain name appended to it before being
added to the host table.
Domain names and host names are restricted to the ASCII letters A through Z
(case-insensitive), the digits 0 through 9, the underscore and the hyphen. A period
(.) is used to separate labels.
The maximum size of each domain level is 63 characters. The maximum name size
is 158 bytes.
Example
The following example defines the default domain name as ‘www.website.com’.
switchxxxxxx(config)# ip domain name website.com
15.4 ip domain polling-interval
Use the ip domain polling-interval command in Global Configuration mode to
specify the polling interval.
Use the no form of this command to return to the default behavior.
Syntax
ip domain polling-interval seconds
no ip domain polling-interval
Parameters
seconds—Polling interval in seconds. The range is from (2*(R+1)*T) to 3600.
Default Configuration
The default value is 2 * (R+1) * T, where
• R is a value configured by the ip domain retry command.
• T is a value configured by the ip domain timeout command.
Command Mode
Global Configuration mode
User Guidelines
Some applications communicate with the given IP address continuously. DNS
clients for such applications, which have not received resolution of the IP address
or have not detected a DNS server using a fixed number of retransmissions, return
an error to the application and continue to send DNS Request messages for the IP
address using the polling interval.
Example
The following example shows how to configure the polling interval of 100
seconds:
switchxxxxxx(config)# ip domain polling-interval 100
15.5 ip domain retry
Use the ip domain retry command in Global Configuration mode to specify the
number of times the device will send Domain Name System (DNS) queries when
there is no reply.
To return to the default behavior, use the no form of this command.
Syntax
ip domain retry number
no ip domain retry
Parameters
number—Number of times to retry sending a DNS query to the DNS server. The
range is from 0 to 16.
Default Configuration
The default value is 1.
Command Mode
Global Configuration mode
User Guidelines
The number argument specifies how many times the DNS query will be sent to a
DNS server until the switch decides that the DNS server does not exist.
Example
The following example shows how to configure the switch to send out 10 DNS
queries before giving up:
switchxxxxxx(config)# ip domain retry 10
15.6 ip domain timeout
Use the ip domain timeout command in Global Configuration mode to specify the
amount of time to wait for a response to a DNS query.
To return to the default behavior, use the no form of this command.
Syntax
ip domain timeout seconds
no ip domain timeout
Parameters
seconds—Time, in seconds, to wait for a response to a DNS query. The range is
from 1 to 60.
Default Configuration
The default value is 2 seconds.
Command Mode
Global Configuration mode
User Guidelines
Use the command to change the default time out value. Use the no form of this
command to return to the default time out value.
Example
The following example shows how to configure the switch to wait 50 seconds for a
response to a DNS query:
switchxxxxxx(config)# ip domain timeout 50
15.7 ip host
Use the ip host Global Configuration mode command to define the static host
name-to-address mapping in the DNS host name cache.
Use the no form of this command to remove the static host name-to-address
mapping.
Syntax
ip host hostname address1 [address2...address8]
no ip host hostname [address1...address8]
Parameters
• hostname—Name of the host. (Length: 1–158 characters. Maximum label
length of each domain level is 63 characters).
• address1—Associated host IP address (IPv4 or IPv6, if IPv6 stack is
supported).
• address2...address8—Up to seven additional associated IP addresses,
delimited by a single space (IPv4 or IPv6, if IPv6 stack is supported).
Default Configuration
No host is defined.
Command Mode
Global Configuration mode
User Guidelines
Host names are restricted to the ASCII letters A through Z (case-insensitive), the
digits 0 through 9, the underscore and the hyphen. A period (.) is used to separate
labels.
An IP application will receive the IP addresses in the following order:
1. IPv6 addresses in the order specified by the command.
2. IPv4 addresses in the order specified by the command.
Use the no format of the command with the address1...address8 argument to
delete the specified addresses. The entry is deleted if all its addresses are
deleted.
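The ip domain name and ip host guidelines impose the same restrictions on names (ASCII letters, digits, underscore and hyphen; labels separated by periods and at most 63 characters each; at most 158 characters in total; no leading period). As an added example that is not the guide's own code, the Python below checks a name against those rules and completes an unqualified name with the default domain the way the ip domain name guideline describes. The function names validate_hostname and qualify are assumptions made for this example.

```python
import re
from typing import Optional, Tuple

MAX_NAME_LENGTH = 158    # from the guide: 1-158 characters
MAX_LABEL_LENGTH = 63    # from the guide: each domain level at most 63 characters
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # letters, digits, underscore, hyphen


def validate_hostname(name: str) -> Tuple[bool, str]:
    """Check a host or domain name against the restrictions stated in the guide."""
    if not name:
        return False, "name is empty"
    if len(name) > MAX_NAME_LENGTH:
        return False, "name longer than %d characters" % MAX_NAME_LENGTH
    if name.startswith("."):
        return False, "name must not start with a period"
    for label in name.split("."):
        if not label:
            return False, "empty label (consecutive or trailing periods)"
        if len(label) > MAX_LABEL_LENGTH:
            return False, "label '%s...' longer than %d characters" % (label[:12], MAX_LABEL_LENGTH)
        if not LABEL_RE.match(label):
            return False, "label '%s' contains a disallowed character" % label
    return True, "ok"


def qualify(name: str, default_domain: Optional[str]) -> str:
    """Complete an unqualified name with the default domain. As the ip domain name
    guideline states, only a name without any dot is completed; a name that already
    contains a dot is left as it is."""
    ok, reason = validate_hostname(name)
    if not ok:
        raise ValueError("invalid hostname: " + reason)
    if "." in name or not default_domain:
        return name
    ok, reason = validate_hostname(default_domain)
    if not ok:
        raise ValueError("invalid default domain: " + reason)
    fqdn = name + "." + default_domain
    ok, reason = validate_hostname(fqdn)   # the completed name must still fit the limits
    if not ok:
        raise ValueError("completed name is invalid: " + reason)
    return fqdn


if __name__ == "__main__":
    # The guide's own example values: domain website.com, host accounting.website.com
    print(qualify("accounting", "website.com"))
    print(validate_hostname("accounting.website.com"))
    print(validate_hostname("bad host"))
```

Running a name through validate_hostname before issuing ip host or ip domain name lets configuration tooling reject a bad entry with a specific reason instead of relying on the switch's terser error.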
Example
The following example defines a static host name-to-address mapping in the host
cache.
switchxxxxxx(config)# ip host accounting.website.com 176.10.23.1
15.8 ip name-server
Use the ip name-server command in Global Configuration mode to specify the
address of one or more name servers to use for name and address resolution.
Use the no form of this command to remove the static specified addresses.
Syntax
ip name-server server-address1 [server-address2...server-address8]
no ip name-server [server-address1...server-address8]
Parameters
• server-address1—IPv4 or IPv6 addresses of a single name server.
• server-address2...server-address8—IPv4 or IPv6 addresses of additional
name servers.
Default Configuration
No name server IP addresses are defined.
Command Mode
Global Configuration mode
User Guidelines
The preference of the servers is determined by the order in which they were
entered.
Each ip name-server command replaces the configuration defined by the previous
one (if one existed).
Example
The following example shows how to specify IPv4 hosts 172.16.1.111, 172.16.1.2,
and IPv6 host 2001:0DB8::3 as the name servers:
switchxxxxxx(config)# ip name-server 172.16.1.111 172.16.1.2 2001:0DB8::3
15.9 show hosts
Use the show hosts command in privileged EXEC mode to display the default
domain name, the style of name lookup service, a list of name server hosts, and
the cached list of hostnames and addresses.
Syntax
show hosts [all | hostname]
Parameters
• all—The specified host name cache information is to be displayed for all
configured DNS views. This is the default.
• hostname—The specified host name cache information displayed is to be
limited to entries for a particular host name.
Command Mode
Privileged EXEC mode
Default Configuration
Default is all.
User Guidelines
This command displays the default domain name, a list of name server hosts, and
the cached list of host names and addresses.
Example
The following is sample output with no parameters specified:
switchxxxxxx# show hosts
Name/address lookup is enabled
Domain Timeout: 3 seconds
Domain Retry: 4 times
Domain Polling Interval: 10 seconds
Default Domain Table
Source    Interface   Preference   Domain
static                             website.com
dhcpv6    vlan 100    1            qqtca.com
dhcpv6    vlan 100    2            company.com
dhcpv6    vlan 1100   1            pptca.com
Name Server Table
Source    Interface   Preference   IP Address
static                1            192.0.2.204
static                2            192.0.2.205
static                3            192.0.2.105
DHCPv6    vlan 100    1            2002:0:22AC::11:231A:0BB4
DHCPv4    vlan 1      1            192.1.122.20
DHCPv4    vlan 1      2            154.1.122.20
Cache Table
Flags: (static/dynamic, OK/Ne/??)
OK - Okay, Ne - Negative Cache, ?? - No Response
Host Flag Address;Age...in preference order
example1.company.com (dynamic, OK) 2002:0:130F::0A0:1504:0BB4;1 112.0.2.10
176.16.8.8;123 124 173.0.2.30;39
example2.company.com (dynamic, ??)
example3.company.com (static, OK) 120.0.2.27
example4.company.com (dynamic, OK) 24 173.0.2.30;15
example5.company.com (dynamic, Ne); 12
16
EEE Commands
16.1 eee enable (global)
To enable the EEE mode globally, use the eee enable Global Configuration
command. To disable the mode, use the no format of the command.
Syntax
eee enable
no eee enable
Parameters
This command has no arguments or keywords.
Default Configuration
EEE is enabled.
Command Mode
Global Configuration mode
User Guidelines
In order for EEE to work, the device at the other end of the link must also support
EEE and have it enabled. In addition, for EEE to work properly, auto-negotiation
must be enabled; however, if the port speed is negotiated as 1 Giga, EEE always
works regardless of whether the auto-negotiation status is enabled or disabled.
If auto-negotiation is not enabled on the port and its speed is less than 1 Giga, the
EEE operational status is disabled.
Example
switchxxxxxx(config)# eee enable
16.2 eee enable (interface)
To enable the EEE mode on an Ethernet port, use the eee enable Interface
Configuration command. To disable the mode, use the no format of the command.
Syntax
eee enable
no eee enable
Parameters
This command has no arguments or keywords.
Default Configuration
EEE is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
If auto-negotiation is not enabled on the port and its speed is 1 Giga, the EEE
operational status is disabled.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# eee enable
16.3 eee lldp enable
To enable EEE support by LLDP on an Ethernet port, use the eee lldp enable
Interface Configuration command. To disable the support, use the no format of the
command.
Syntax
eee lldp enable
no eee lldp enable
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Enabling EEE LLDP advertisement enables devices to choose and change system
wake-up times in order to get the optimal energy saving mode.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# eee lldp enable
16.4 show eee
Use the show eee EXEC command to display EEE information.
Syntax
show eee [interface-id]
Parameters
interface-id—(Optional) Specify an Ethernet port.
Defaults
None
Command Mode
Privileged EXEC mode
User Guidelines
If the port is a 10G port, but the link speed is 1G, the EEE Remote status cannot be
resolved (and displayed).
Examples
Example 1 - The following displays brief information about all ports.
switchxxxxxx# show eee
EEE globally enabled
EEE Administrate status is enabled on ports: te1/0/1-2, te1/0/4
EEE Operational status is enabled on ports: te1/0/1-2, te1/0/4
EEE LLDP Administrate status is enabled on ports: te1/0/1-3
EEE LLDP Operational status is enabled on ports: te1/0/1-2
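As an added example that is not part of the guide, the Python below parses the brief output shown in Example 1, expanding port lists such as te1/0/1-2, te1/0/4, and reports ports whose administrative status is enabled but whose operational status is not. That mismatch is what the User Guidelines attribute to a link partner without EEE support or to a speed and auto-negotiation combination that blocks EEE, so it is the set an operator would want to review. The sample text is constructed from the guide's Example 1 and the function names expand_port_list, parse_show_eee and audit_eee are assumptions.

```python
import re
from typing import Any, Dict, List, Set

# Constructed sample, copied in shape from the guide's Example 1 output
SAMPLE_SHOW_EEE = """\
EEE globally enabled
EEE Administrate status is enabled on ports: te1/0/1-2, te1/0/4
EEE Operational status is enabled on ports: te1/0/1-2, te1/0/4
EEE LLDP Administrate status is enabled on ports: te1/0/1-3
EEE LLDP Operational status is enabled on ports: te1/0/1-2
"""

# te1/0/1-2 -> prefix "te", slot "1/0/", first 1, last 2; te1/0/4 -> no range part
PORT_RE = re.compile(r"^([A-Za-z]+)(\d+/\d+/)(\d+)(?:-(\d+))?$")
LINE_RE = re.compile(r"^EEE (LLDP )?(Administrate|Operational) status is enabled on ports:\s*(.*)$")


def expand_port_list(text: str) -> List[str]:
    """'te1/0/1-2, te1/0/4' -> ['te1/0/1', 'te1/0/2', 'te1/0/4']."""
    ports: List[str] = []
    for item in (s.strip() for s in text.split(",")):
        if not item:
            continue
        m = PORT_RE.match(item)
        if not m:
            raise ValueError("unrecognised port item: %r" % item)
        prefix, slot, first, last = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        for n in range(first, (int(last) if last else first) + 1):
            ports.append("%s%s%d" % (prefix, slot, n))
    return ports


def parse_show_eee(output: str) -> Dict[str, Any]:
    """Turn the brief 'show eee' output into a global flag plus four port sets."""
    result: Dict[str, Any] = {"global_enabled": False, "eee_admin": set(),
                              "eee_oper": set(), "lldp_admin": set(), "lldp_oper": set()}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("EEE globally"):
            result["global_enabled"] = line.split()[-1] == "enabled"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = ("lldp_" if m.group(1) else "eee_") + ("admin" if m.group(2) == "Administrate" else "oper")
        result[key] = set(expand_port_list(m.group(3)))
    return result


def audit_eee(output: str) -> Dict[str, Set[str]]:
    """Ports where EEE (or EEE LLDP) is administratively enabled but not operational."""
    p = parse_show_eee(output)
    return {"eee_not_operational": p["eee_admin"] - p["eee_oper"],
            "lldp_not_operational": p["lldp_admin"] - p["lldp_oper"]}


if __name__ == "__main__":
    for name, ports in audit_eee(SAMPLE_SHOW_EEE).items():
        print(name, sorted(ports) or "(none)")
```

For the sample, EEE itself is operational on every port where it is enabled, while EEE LLDP is enabled on te1/0/1-3 but operational only on te1/0/1-2, so te1/0/3 is the port to look at with show eee te1/0/3.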
Example 2 - The following is the information displayed when a port is in the Not
Present state; no information is displayed if the port supports EEE.
switchxxxxxx# show eee te1/0/1
Port Status: notPresent
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 3 - The following is the information displayed when the port is in status
DOWN.
switchxxxxxx# show eee te1/0/1
Port Status: DOWN
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 4 - The following is the information displayed when the port is in status
UP and does not support EEE.
switchxxxxxx# show eee te1/0/2
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Administrate status: enabled
EEE LLDP Administrate status: enabled
Example 5 - The following is the information displayed when the neighbor does
not support EEE.
switchxxxxxx# show eee te1/0/4
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: disabled
EEE Administrate status: enabled
EEE Operational status: disabled (neighbor does not support)
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: disabled
Example 6 - The following is the information displayed when EEE is disabled on the
port.
switchxxxxxx# show eee te1/0/1
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Administrate status: disabled
EEE Operational status: disabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: disabled
Example 7 - The following is the information displayed when EEE is running on the
port, and EEE LLDP is disabled.
switchxxxxxx# show eee te1/0/2
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: disabled
EEE LLDP Operational status: disabled
Resolved Tx Timer: 10usec
Local Tx Timer: 10 usec
Resolved Timer: 25 usec
Local Rx Timer: 20 usec
Example 8 - The following is the information displayed when EEE and EEE LLDP are
running on the port.
switchxxxxxx# show eee te1/0/3
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: enabled
Resolved Tx Timer: 10usec
Local Tx Timer: 10 usec
Remote Rx Timer: 5 usec
Resolved Timer: 25 usec
Local Rx Timer: 20 usec
Remote Tx Timer: 25 usec
Example 9 - The following is the information displayed when EEE is running on the
port, EEE LLDP is enabled but not synchronized with the remote link partner.
switchxxxxxx# show eee te1/0/4
Port Status: up
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: disabled
Resolved Tx Timer: 64
Local Tx Timer: 64
Resolved Rx Timer: 16
Local Rx Timer: 16
Example 10 - The following is the information displayed when EEE and EEE LLDP
are running on the port.
switchxxxxxx# show eee te1/0/3
Port Status: UP
EEE capabilities:
Speed 10M: EEE not supported
Speed 100M: EEE supported
Speed 1G: EEE supported
Speed 10G: EEE not supported
Current port speed: 1000Mbps
EEE Remote status: enabled
EEE Administrate status: enabled
EEE Operational status: enabled
EEE LLDP Administrate status: enabled
EEE LLDP Operational status: enabled
Resolved Tx Timer: 10usec
Local Tx Timer: 10 usec
Remote Rx Timer: 5 usec
Resolved Timer: 25 usec
Local Rx Timer: 20 usec
Remote Tx Timer: 25 usec
17
Ethernet Configuration Commands
17.1 interface
To enter Interface configuration mode in order to configure an interface, use the
interface Global Configuration mode command.
Syntax
interface interface-id
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the
following types: Ethernet port, port-channel, VLAN, range, OOB, IP interface or
tunnel.
Default Configuration
None
Command Mode
Global Configuration mode
Examples
Example 1—For Ethernet ports:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)#
Example 2—For port channels (LAGs):
switchxxxxxx(config)# interface po1
switchxxxxxx(config-if)#
17.2 interface range
To execute a command on multiple ports at the same time, use the interface range
command.
Syntax
interface range interface-id-list
Parameters
interface-id-list—Specify list of interface IDs. The interface ID can be one of the
following types: Ethernet port, VLAN, or port-channel
Default Configuration
None
Command Mode
Interface (Ethernet, Port Channel, VLAN) Configuration mode
User Guidelines
Commands under the interface range context are executed independently on
each interface in the range. If the command returns an error on one of the
interfaces, it does not stop the execution of the command on other interfaces.
Example
switchxxxxxx(config)# interface range te1/0/1-4
switchxxxxxx(config-if-range)#
17.3 shutdown
To disable an interface, use the shutdown Interface Configuration mode command.
To restart a disabled interface, use the no form of this command.
Syntax
shutdown
no shutdown
Parameters
This command has no arguments or keywords.
Default Configuration
The interface is enabled.
Command Mode
Interface Configuration mode
User Guidelines
The shutdown command sets the value of ifAdminStatus (see RFC 2863) to DOWN.
When ifAdminStatus is changed to DOWN, ifOperStatus is also changed to
DOWN.
The DOWN state of ifOperStatus means that the interface does not
transmit/receive messages from/to higher levels. For example, if you shut down a
VLAN, on which an IP interface is configured, bridging into the VLAN continues, but
the switch cannot transmit and receive IP traffic on the VLAN.
Notes:
• If the switch shuts down an Ethernet port, it additionally shuts down the port
MAC sublayer.
• If the switch shuts down a port channel, it additionally shuts down all ports
of the port channel.
Examples
Example 1—The following example disables te1/0/4 operations.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 2—The following example restarts the disabled Ethernet port.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# no shutdown
switchxxxxxx(config-if)#
Example 3—The following example shuts down vlan 100.
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 4—The following example shuts down tunnel 1.
switchxxxxxx(config)# interface tunnel 1
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
Example 5—The following example shuts down Port Channel 3.
switchxxxxxx(config)# interface po3
switchxxxxxx(config-if)# shutdown
switchxxxxxx(config-if)#
17.4 operation time
To control the time that the port is up, use the operation time Interface (Ethernet,
Port Channel) Configuration mode command. To cancel the time range for the port
operation time, use the no form of this command.
Syntax
operation time time-range-name
no operation time
Parameters
• time-range-name—Specifies a time range during which the port operates (in up
state). When the time range is not in effect, the port is shut down. (Range: 1–32
characters)
Default Configuration
There is no time range configured on the port authorized state.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
It is recommended to disable spanning tree or to enable spanning-tree PortFast
mode on 802.1x edge ports (ports in auto state that are connected to end stations),
in order to proceed to the forwarding state immediately after successful
authentication.
The operation time command influences the port if the port status is up. This
command defines the time frame during which the port stays up and at which time
the port will be shut down. While the port is in shutdown because of other reasons,
this command has no effect.
Example
The following example activates an operation time range (named "morning") on
port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# operation time morning
17.5 description
To add a description to an interface, use the description Interface (Ethernet, Port
Channel) Configuration mode command. To remove the description, use the no
form of this command.
Syntax
description string
no description
Parameters
string—Specifies a comment or a description of the port to assist the user.
(Length: 1–64 characters).
Default Configuration
The interface does not have a description.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example adds the description ‘SW#3’ to te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# description SW#3
17.6 speed
To configure the speed of a given Ethernet interface when not using
auto-negotiation, use the speed Interface (Ethernet, Port Channel) Configuration
mode command. To restore the default configuration, use the no form of this
command.
Syntax
speed {100 | 1000 | 10000}
no speed
Parameters
• 100—Forces 100 Mbps operation
• 1000—Forces 1000 Mbps operation
• 10000—Forces 10000 Mbps operation
Default Configuration
The port operates at its maximum speed capability.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
The no speed command in a port-channel context returns each port in the
port-channel to its maximum capability.
Example
The following example configures the speed of te1/0/4 to 100 Mbps operation.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# speed 100
17.7 duplex
To configure the full/half duplex operation of a given Ethernet interface when not
using auto-negotiation, use the duplex Interface (Ethernet, Port Channel)
Configuration mode command. To restore the default configuration, use the no
form of this command.
Syntax
duplex {half | full}
no duplex
Parameters
• half—Forces half-duplex operation.
• full—Forces full-duplex operation.
Default Configuration
The interface operates in full duplex mode.
Command Mode
Interface (Ethernet) Configuration mode
Example
The following example configures te1/0/1 to operate in full duplex mode.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# duplex full
17.8 negotiation
To enable auto-negotiation operation for the speed and duplex parameters and
master-slave mode of a given interface, use the negotiation Interface (Ethernet,
Port Channel) Configuration mode command. To disable auto-negotiation, use the
no form of this command.
Syntax
negotiation [capability [capability2... capability5]] [preferred {master | slave}]
no negotiation
Parameters
• capability—(Optional) Specifies the capabilities to advertise. (Possible values: 10h, 10f, 100h, 100f, 1000f, 10000f)
  - 10h—Advertise 10 half-duplex
  - 10f—Advertise 10 full-duplex
  - 100h—Advertise 100 half-duplex
  - 100f—Advertise 100 full-duplex
  - 1000f—Advertise 1000 full-duplex
  - 10000f—Advertise 10000 full-duplex
• preferred—(Optional) Specifies the master-slave preference:
  - master—Advertise master preference
  - slave—Advertise slave preference
Default Configuration
If no capability is specified, all capabilities of the port are advertised and the preferred mode is slave.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example enables auto-negotiation on te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# negotiation
17.9 flowcontrol
To configure the Flow Control on a given interface, use the flowcontrol Interface
(Ethernet, Port Channel) Configuration mode command. To disable Flow Control,
use the no form of this command.
Syntax
flowcontrol {auto | on | off}
no flowcontrol
Parameters
• auto—Specifies auto-negotiation of Flow Control.
• on—Enables Flow Control.
• off—Disables Flow Control.
Default Configuration
Flow control is Disabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use the negotiation command to enable flow control auto.
Example
The following example enables Flow Control on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# flowcontrol on
17.10 mdix
To enable cable crossover on a given interface, use the mdix Interface (Ethernet)
Configuration mode command. To disable cable crossover, use the no form of this
command.
Syntax
mdix {on | auto}
no mdix
Parameters
• on—Enables manual MDIX.
• auto—Enables automatic MDI/MDIX.
Default Configuration
The default setting is Auto.
Command Mode
Interface (Ethernet) Configuration mode
Example
The following example enables automatic crossover on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# mdix auto
17.11 back-pressure
To enable back pressure on a specific interface, use the back-pressure Interface
(Ethernet) Configuration mode command. To disable back pressure, use the no
form of this command.
Syntax
back-pressure
no back-pressure
Parameters
This command has no arguments or keywords.
Default Configuration
Back pressure is disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Back-pressure cannot be enabled when EEE is enabled.
Example
The following example enables back pressure on port te1/0/1.
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# back-pressure
17.12 port jumbo-frame
To enable jumbo frames on the device, use the port jumbo-frame Global
Configuration mode command. To disable jumbo frames, use the no form of this
command.
Syntax
port jumbo-frame
no port jumbo-frame
Parameters
This command has no arguments or keywords.
Default Configuration
Jumbo frames are disabled on the device.
Command Mode
Global Configuration mode
User Guidelines
This command takes effect only after resetting the device.
Example
The following example enables jumbo frames on the device.
switchxxxxxx(config)# port jumbo-frame
17.13 link-flap prevention
To enable setting a physical interface to err-disable state due to excessive link
flapping, use the link-flap prevention Global Configuration mode command. Use
the no form of this command to restore the default configuration.
Syntax
link-flap prevention {enable | disable}
no link-flap prevention
Parameters
• enable—Enables link-flap prevention.
• disable—Disables link-flap prevention.
Default Configuration
Link-flap prevention is enabled on the device.
Command Mode
Global Configuration mode
User Guidelines
This command shuts down an Ethernet (physical) interface if the interface experiences 3 link flaps (link status changes) within each second for a duration of 10 seconds.
You can use the following commands to reset an interface shut down by link-flap prevention:
• The errdisable recovery reset command with the link-flap parameter, to recover all interfaces that are in this state due to link-flap prevention, or with the interface interface-id parameter, to reset a given interface.
• The errdisable recovery cause command with the link-flap parameter, to automatically recover from the link-flap prevention error-disabled state.
• The command sequence shutdown and then no shutdown on the required interface.
Example
The following example enables link-flap prevention on the device.
switchxxxxxx(config)# link-flap prevention enable
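To make the trigger condition concrete, here is an added Python model (not Cisco code and not part of this guide) that replays constructed link-status-change timestamps against the rule stated above: 3 changes in each second, sustained for 10 seconds. It assumes the switch counts changes in fixed, second-aligned windows; the guide does not say whether the windows are aligned or sliding, so the exact second in which a real port trips may differ. The three scenarios at the bottom are constructed, not captured from a device.

```python
"""Model of the link-flap prevention trigger (added illustration, not Cisco code).

Assumption: link status changes are counted in fixed one-second windows.
FLAPS_PER_SECOND and CONSECUTIVE_SECONDS carry the values stated in the guide.
"""
from collections import Counter
from typing import Iterable, List, Optional

FLAPS_PER_SECOND = 3       # link status changes per second (from the guide)
CONSECUTIVE_SECONDS = 10   # seconds over which that rate must hold (from the guide)


def flaps_per_second(timestamps: Iterable[float]) -> Counter:
    """Bucket link status change timestamps (seconds) into whole-second bins."""
    return Counter(int(t) for t in timestamps)


def link_flap_trigger_second(timestamps: Iterable[float],
                             flaps_per_sec: int = FLAPS_PER_SECOND,
                             duration: int = CONSECUTIVE_SECONDS) -> Optional[int]:
    """Return the second in which link-flap prevention would err-disable the port,
    or None if the flap pattern never sustains the required rate.

    The port trips at the end of the first run of `duration` consecutive
    seconds that each contain at least `flaps_per_sec` status changes; a single
    quiet second breaks the run.
    """
    bins = flaps_per_second(timestamps)
    if not bins:
        return None
    run = 0
    for second in range(min(bins), max(bins) + 1):
        if bins.get(second, 0) >= flaps_per_sec:
            run += 1
            if run == duration:
                return second
        else:
            run = 0
    return None


def flapping_port_events(start: float, seconds: int, per_second: int) -> List[float]:
    """Constructed sample: `per_second` evenly spaced flaps in each of `seconds` seconds."""
    return [start + s + i / per_second for s in range(seconds) for i in range(per_second)]


# Constructed scenarios (not device captures):
SUSTAINED = flapping_port_events(100.0, 12, 3)                                   # 3 flaps/s for 12 s
BURSTY = flapping_port_events(100.0, 5, 3) + flapping_port_events(106.0, 5, 3)  # quiet second at t=105
SLOW = flapping_port_events(100.0, 30, 2)                                        # only 2 flaps/s

if __name__ == "__main__":
    for name, events in (("sustained", SUSTAINED), ("bursty", BURSTY), ("slow", SLOW)):
        print(f"{name:9} -> err-disable at second {link_flap_trigger_second(events)}")
```

The sustained scenario trips at second 109 (the tenth consecutive qualifying second counting from 100); the bursty one never does, because the quiet second at 105 resets the run even though the total number of flaps is the same order of magnitude.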
17.14 clear counters
To clear counters on all or on a specific interface, use the clear counters Privileged
EXEC mode command.
Syntax
clear counters [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of
the following types: Ethernet port or port-channel.
Default Configuration
All counters are cleared.
Command Mode
Privileged EXEC mode
Example
The following example clears the statistics counters for te1/0/1.
switchxxxxxx# clear counters te1/0/1
17.15 set interface active
To reactivate an interface that was shut down, use the set interface active
Privileged EXEC mode command.
Syntax
set interface active {interface-id}
Parameters
interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
Command Mode
Privileged EXEC mode
User Guidelines
This command is used to activate interfaces that were configured to be active, but
were shut down by the system.
Example
The following example reactivates te1/0/1.
switchxxxxxx# set interface active te1/0/1
17.16 errdisable recovery cause
To enable automatic re-activation of an interface after an Err-Disable shutdown,
use the errdisable recovery cause Global Configuration mode command. To
disable automatic re-activation, use the no form of this command.
Syntax
errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | loopback-detection | udld | storm-control | link-flap }
no errdisable recovery cause {all | port-security | dot1x-src-address | acl-deny |
stp-bpdu-guard | loopback-detection | udld | storm-control | link-flap }
Parameters
• all—Enables the error recovery mechanism for all reasons described below.
• port-security—Enables the error recovery mechanism for the Port Security Err-Disable state.
• dot1x-src-address—Enables the error recovery mechanism for the 802.1x Err-Disable state.
• acl-deny—Enables the error recovery mechanism for the ACL Deny Err-Disable state.
• stp-bpdu-guard—Enables the error recovery mechanism for the STP BPDU Guard Err-Disable state.
• loopback-detection—Enables the error recovery mechanism for the Loopback Detection Err-Disable state.
• udld—Enables the error recovery mechanism for the UDLD Shutdown state.
• storm-control—Enables the error recovery mechanism for the Storm Control Shutdown state.
• link-flap—Enables the error recovery mechanism for the link-flap prevention Err-Disable state.
Default Configuration
Automatic re-activation is disabled for all reasons except link-flap, for which it is enabled by default.
Command Mode
Global Configuration mode
Example
The following example enables automatic re-activation of an interface after all Err-Disable states.
switchxxxxxx(config)# errdisable recovery cause all
17.17 errdisable recovery interval
To set the error recovery timeout interval, use the errdisable recovery interval Global Configuration mode command. To return to the default configuration, use the no form of this command.
Syntax
errdisable recovery interval seconds
no errdisable recovery interval
Parameters
seconds—Specifies the error recovery timeout interval in seconds. (Range: 30–86400)
Default Configuration
The default error recovery timeout interval is 300 seconds.
Command Mode
Global Configuration mode
Example
The following example sets the error recovery timeout interval to 10 minutes.
switchxxxxxx(config)# errdisable recovery interval 600
17.18 errdisable recovery reset
To reactivate one or more interfaces that were shut down by a given application,
use the errdisable recovery reset Privileged EXEC mode command. A single
interface, multiple interfaces or all interfaces can be specified.
Syntax
errdisable recovery reset {all | port-security | dot1x-src-address | acl-deny
|stp-bpdu-guard | loopback-detection | udld | storm-control | link-flap | interface
interface-id}
Parameters
• all—Reactivate all interfaces regardless of their state.
• port-security—Reactivate all interfaces in the Port Security Err-Disable state.
• dot1x-src-address—Reactivate all interfaces in the 802.1x Err-Disable state.
• acl-deny—Reactivate all interfaces in the ACL Deny Err-Disable state.
• stp-bpdu-guard—Reactivate all interfaces in the STP BPDU Guard Err-Disable state.
• loopback-detection—Reactivate all interfaces in the Loopback Detection Err-Disable state.
• udld—Reactivate all interfaces in the UDLD Shutdown state.
• storm-control—Reactivate all interfaces in the Storm Control Shutdown state.
• link-flap—Reactivate all interfaces in the link-flap prevention Err-Disable state.
• interface interface-id—Reactivate interfaces that were configured to be active, but were shut down by the system.
Default Configuration
None.
Command Mode
Privileged EXEC mode
Examples
Example 1—The following example reactivates interface te1/0/1:
switchxxxxxx# errdisable recovery reset interface te1/0/1
Example 2—The following example reactivates all interfaces regardless of their state:
switchxxxxxx# errdisable recovery reset all
Example 3—The following example reactivates all interfaces in the Port Security Err-Disable state:
switchxxxxxx# errdisable recovery reset port-security
17.19 show interfaces configuration
To display the configuration for all configured interfaces or for a specific interface,
use the show interfaces configuration Privileged EXEC mode command.
Syntax
show interfaces configuration [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the configuration of all configured interfaces:
switchxxxxxx# show interfaces configuration
                                              Flow     Admin  Back      Mdix
Port     Type        Duplex  Speed  Neg       control  State  Pressure  Mode
-------  ----------  ------  -----  --------  -------  -----  --------  ----
te1/0/1  1G-Copper   Full    1000   Disabled  Off      Up     Disabled  Off
te1/0/2  10G-Copper  Full    10000  Disabled  Off      Up     Disabled  Off

                                     Flow     Admin
PO       Type        Speed  Neg       Control  State
-------  ----------  -----  --------  -------  -----
Po1                         Disabled  Off      Up

switchxxxxxx# show interfaces configuration
                            Flow
Port  Type        Speed  Neg  Cont
----  ----------  -----  ---  ----
te1   10G-Fiber   10000  Off  On
te1   10G-Fiber   10000  Off  Off
te2   10G-Fiber   10000  Off  Off
Legend
Neg: Negotiation
Flow Cont: Flow Control
17.20 show interfaces status
To display the status of all interfaces or of a specific interface, use the show
interfaces status Privileged EXEC mode command.
Syntax
show interfaces status [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the status of all configured interfaces.
switchxxxxxx# show interfaces status
                                            Flow   Link   Back      Mdix
Port     Type       Duplex  Speed  Neg       ctrl   State  Pressure  Mode
-------  ---------  ------  -----  --------  -----  -----  --------  ----
te1/0/1  1G-Copper  Full    1000   Disabled  Off    Up     Disabled  Off
te1/0/2  1G-Copper  --      --     --        --     Down   --        --

                                            Flow     Link
PO       Type       Duplex  Speed  Neg       control  State
-------  ---------  ------  -----  --------  -------  -----
Po1      1G         Full    10000  Disabled  Off      Up
*: The interface was suspended by the system.
17.21 show interfaces advertise
To display auto-negotiation advertisement information for all configured interfaces
or for a specific interface, use the show interfaces advertise Privileged EXEC
mode command.
Syntax
show interfaces advertise [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Examples
The following examples display auto-negotiation information.
switchxxxxxx# show interfaces advertise
Port     Type       Neg     Prefered  Operational Link Advertisement
-------  ---------  ------  --------  ----------------------------
te1/0/1  1G-Copper  Enable  Master    1000f, 100f, 10f, 10h
te1/0/2  1G-Copper  Enable  Slave     1000f

switchxxxxxx# show interfaces advertise te1/0/1
Port:te1/0/1
Type: 1G-Copper
Link state: Up
Auto Negotiation: enabled
Preference: Master
                                 10h  10f  100h  100f  1000f
                                 ---  ---  ----  ----  -----
Admin Local link Advertisement   yes  yes  yes   yes   yes
Oper Local link Advertisement    yes  yes  yes   yes   yes
Remote Local link Advertisement  no   no   yes   yes   yes
Priority Resolution              -    -    -     -     yes

switchxxxxxx# show interfaces advertise te1/0/1
Port: te1/0/1
Type: 1G-Copper
Link state: Up
Auto negotiation: disabled.
17.22 show interfaces description
To display the description for all configured interfaces or for a specific interface,
use the show interfaces description Privileged EXEC mode command.
Syntax
show interfaces description [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display the description for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the description of all configured interfaces.
switchxxxxxx# show interfaces description
Port     Descriptions
-------  ---------------------------------------------
te1/0/1  Port that should be used for management only
te1/0/2
te1/0/3
te1/0/4

PO    Description
----  -----------
Po1   Output
17.23 show interfaces counters
To display traffic seen by all the physical interfaces or by a specific interface, use
the show interfaces counters Privileged EXEC mode command.
Syntax
show interfaces counters [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display counters for all interfaces. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
Example
The following example displays the traffic seen by physical interface te1/0/1.
switchxxxxxx# show interfaces counters te1/0/1
Port       InUcastPkts   InMcastPkts   InBcastPkts   InOctets
---------  ------------  ------------  ------------  ------------
te1/0/1    0             0             0             0

Port       OutUcastPkts  OutMcastPkts  OutBcastPkts  OutOctets
---------  ------------  ------------  ------------  ------------
te1/0/1    0             1             35            7051

FCS Errors: 0
Single Collision Frames: 0
Multiple Collision Frames: 0
SQE Test Errors: 0
Deferred Transmissions: 0
Late Collisions: 0
Excessive Collisions: 0
Carrier Sense Errors: 0
Oversize Packets: 0
Internal MAC Rx Errors: 0
Symbol Errors: 0
Received Pause Frames: 0
Transmitted Pause Frames: 0
The following table describes the fields shown in the display.
Field                      Description
InOctets                   Number of received octets.
InUcastPkts                Number of received Unicast packets.
InMcastPkts                Number of received Multicast packets.
InBcastPkts                Number of received Broadcast packets.
OutOctets                  Number of transmitted octets.
OutUcastPkts               Number of transmitted Unicast packets.
OutMcastPkts               Number of transmitted Multicast packets.
OutBcastPkts               Number of transmitted Broadcast packets.
FCS Errors                 Number of frames received that are an integral number of octets in length but do not pass the FCS check.
Single Collision Frames    Number of frames that are involved in a single collision, and are subsequently transmitted successfully.
Multiple Collision Frames  Number of frames that are involved in more than one collision and are subsequently transmitted successfully.
SQE Test Errors            Number of times that the SQE TEST ERROR is received. The SQE TEST ERROR is set in accordance with the rules for verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3, 2000 Edition, section 7.2.4.6.
Deferred Transmissions     Number of frames for which the first transmission attempt is delayed because the medium is busy.
Late Collisions            Number of times that a collision is detected later than one slotTime into the transmission of a packet.
Excessive Collisions       Number of frames for which transmission fails due to excessive collisions.
Oversize Packets           Number of frames received that exceed the maximum permitted frame size.
Internal MAC Rx Errors     Number of frames for which reception fails due to an internal MAC sublayer receive error.
Received Pause Frames      Number of MAC Control frames received with an opcode indicating the PAUSE operation.
Transmitted Pause Frames   Number of MAC Control frames transmitted on this interface with an opcode indicating the PAUSE operation.
17.24 show ports jumbo-frame
To display whether jumbo frames are enabled on the device, use the show ports jumbo-frame Privileged EXEC mode command.
Syntax
show ports jumbo-frame
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays whether jumbo frames are enabled on the device.
switchxxxxxx# show ports jumbo-frame
Jumbo frames are disabled
Jumbo frames will be enabled after reset
17.25 show link-flap prevention
To display whether link-flap prevention is enabled on the device, use the show
link-flap prevention Privileged EXEC mode command.
Syntax
show link-flap prevention
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays whether link-flap prevention is enabled on the device.
switchxxxxxx# show link-flap prevention
link-flap prevention is currently enabled on device
17.26 show errdisable recovery
To display the Err-Disable configuration of the device, use the show errdisable
recovery Privileged EXEC mode command.
Syntax
show errdisable recovery
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
The following example displays the Err-Disable configuration.
switchxxxxxx# show errdisable recovery
Timer interval: 300 Seconds
Reason                 Automatic Recovery
---------------------- -----------------
port-security          Disable
dot1x-src-address      Disable
acl-deny               Enable
stp-bpdu-guard         Disable
stp-loopback-guard     Disable
loop-detection         Disable
udld                   Disable
storm control          Disable
link-flap              Disable
17.27 show errdisable interfaces
To display the Err-Disable state of all interfaces or of a specific interface, use the
show errdisable interfaces Privileged EXEC mode command.
Syntax
show errdisable interfaces [interface-id]
Parameters
• interface-id—(Optional) Port or port-channel number.
Default Configuration
Display for all interfaces.
Command Mode
Privileged EXEC mode
Example
The following example displays the Err-Disable state of te1/0/1.
switchxxxxxx# show errdisable interfaces
Interface     Reason
------------  ------------------
te1/0/1       stp-bpdu-guard
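A port held in an Err-Disable state whose cause has automatic recovery disabled stays down until an operator runs errdisable recovery reset (or shutdown followed by no shutdown), so the two displays above are usually read together. The following Python helper is an added example, not Cisco code: it parses the output layouts of show errdisable recovery and show errdisable interfaces shown in this guide and reports, for each err-disabled port, whether it will recover on its own after the timer interval. The sample output is constructed to match the guide's layout; port te1/0/5 and its acl-deny reason are invented for the example.

```python
"""Audit of err-disabled ports (added example, not Cisco code)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ErrDisabledPort(NamedTuple):
    interface: str
    reason: str
    auto_recovery: Optional[bool]   # None if the reason is absent from the recovery table


# Constructed sample in the layout of `show errdisable recovery`.
SHOW_ERRDISABLE_RECOVERY = """\
Timer interval: 300 Seconds
Reason                 Automatic Recovery
---------------------- -----------------
port-security          Disable
dot1x-src-address      Disable
acl-deny               Enable
stp-bpdu-guard         Disable
stp-loopback-guard     Disable
loop-detection         Disable
udld                   Disable
storm control          Disable
link-flap              Disable
"""

# Constructed sample in the layout of `show errdisable interfaces`;
# te1/0/5 is invented for this example.
SHOW_ERRDISABLE_INTERFACES = """\
Interface     Reason
------------  ------------------
te1/0/1       stp-bpdu-guard
te1/0/5       acl-deny
"""


def parse_errdisable_recovery(text: str) -> Tuple[Optional[int], Dict[str, bool]]:
    """Return (timer interval in seconds, {reason: automatic recovery enabled})."""
    interval: Optional[int] = None
    reasons: Dict[str, bool] = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Timer interval:\s*(\d+)\s*Seconds", line, re.IGNORECASE)
        if m:
            interval = int(m.group(1))
            continue
        # Data rows end in Enable/Disable; the reason itself may contain a
        # space ("storm control"), so anchor the match on the right.
        m = re.match(r"(.+?)\s+(Enable|Disable)$", line)
        if m:
            reasons[m.group(1)] = m.group(2) == "Enable"
    return interval, reasons


def parse_errdisable_interfaces(text: str) -> List[Tuple[str, str]]:
    """Return [(interface, reason)] rows, skipping the header and rule lines."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] != "Interface" and not parts[0].startswith("-"):
            rows.append((parts[0], parts[1]))
    return rows


def audit_errdisable(recovery_text: str,
                     interfaces_text: str) -> Tuple[Optional[int], List[ErrDisabledPort]]:
    """Join the two displays: which err-disabled ports will recover automatically."""
    interval, reasons = parse_errdisable_recovery(recovery_text)
    report = [ErrDisabledPort(iface, reason, reasons.get(reason))
              for iface, reason in parse_errdisable_interfaces(interfaces_text)]
    return interval, report


def needs_manual_reset(report: List[ErrDisabledPort]) -> List[str]:
    """Interfaces that stay down until `errdisable recovery reset` is run."""
    return [p.interface for p in report if not p.auto_recovery]


if __name__ == "__main__":
    interval, report = audit_errdisable(SHOW_ERRDISABLE_RECOVERY, SHOW_ERRDISABLE_INTERFACES)
    print(f"recovery timer: {interval}s")
    for port in report:
        state = "auto-recovers" if port.auto_recovery else "needs manual reset"
        print(f"{port.interface:10} {port.reason:20} {state}")
```

A reason that appears in show errdisable interfaces but not in the recovery table is treated as needing a manual reset, which is the conservative reading for an audit.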
17.28 clear switchport monitor
To clear monitored statistics on all or on a specific interface or interface list, use
the clear switchport monitor Privileged EXEC mode command.
Syntax
clear switchport monitor [interface-id-list]
Parameters
interface-id-list—(Optional) Specifies a list of interface ID. The interface ID can be
one of the following types: Ethernet port or port-channel.
Default Configuration
All monitored statistics are cleared.
Command Mode
Privileged EXEC mode
Example
The following example clears the monitored statistics for te1/0/1.
switchxxxxxx# clear switchport monitor te1/0/1
17.29 show switchport monitor
To display the monitored statistics gathered by a specific interface, use the show
switchport monitor Privileged EXEC mode command.
Syntax
show switchport monitor interface-id {seconds | minutes | hours } [utilization | tx | rx |
frames]
show switchport monitor interface-id {days |weeks}
show switchport monitor utilization [interface-id]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• seconds—Last 20 samples, sampled every 15 seconds.
• minutes—Last 60 samples, sampled every 60 seconds (every round minute according to system time).
• hours—Last 24 samples, sampled every 60 minutes (every round hour according to system time).
• days—Last 7 samples, sampled every 24 hours (midnight to midnight according to system time).
• weeks—Last 12 samples, sampled every 7 days (midnight Saturday to midnight Saturday according to system time).
• utilization—Shows the calculated utilization per time frame.
• rx—Shows received counter statistics.
• tx—Shows sent counter statistics.
• frames—Shows received counter statistics collected per packet size.
Default Configuration
Display monitored statistics for an interface, or for all interfaces in the case of the show switchport monitor utilization command.
Command Mode
Privileged EXEC mode
User Guidelines
The show switchport monitor utilization command shows a utilization summary per interface for the last time frame of each type (the last minute, last hour, last day and last week).
The show switchport monitor interface-id command shows the monitored statistics samples collected per time frame and per counter type.
Examples
Example 1—The following example displays the monitored utilization seen by interface te1/0/1.
switchxxxxxx# show switchport monitor utilization te1/0/1
           Minutes Rx/TX  Hours Rx/TX  Days Rx/TX   Weeks Rx/TX
Interface  utilization    utilization  utilization  utilization
---------  -------------  -----------  -----------  -----------
te1/0/1    95%            80%          60%          20%
Example 2—The following example displays the monitored Tx statistics gathered in the minutes time frame for interface te1/0/1.
switchxxxxxx# show switchport monitor te1/0/1 minutes tx
             Unicast frames  Broadcast frames  Multicast frames  Good Octet
Time         Sent            Sent              Sent              Sent
-----------  --------------  ----------------  ----------------  ----------
04:22:00(~)  95%             80%               60%               20%
04:23:00     80%             70%               60%               50%
(~) Not all samples are available.
The following table describes the fields shown in the display.
Field                           Description
Time                            Time stamp of the current sample in system real time clock. For seconds, minutes and hours the format is hh:mm:ss. For days and weeks the format is <day of week> dd/mm/yy.
Good Octets Received            Number of received octets.
Good Unicast frames Received    Number of received Unicast packets.
Good Multicast frames Received  Number of received Multicast packets.
Good Broadcast frames Received  Number of received Broadcast packets.
Good Octets Sent                Number of transmitted octets.
Good Unicast frames Sent        Number of transmitted Unicast packets.
Good Multicast frames Sent      Number of transmitted Multicast packets.
Good Broadcast frames Sent      Number of transmitted Broadcast packets.
Frames of 64 bytes              Number of received packets of size 64 bytes.
Frames of 65-127 bytes          Number of received packets of size 65-127 bytes.
Frames of 128-255 bytes         Number of received packets of size 128-255 bytes.
Frames of 256-511 bytes         Number of received packets of size 256-511 bytes.
Frames of 512-1023 bytes        Number of received packets of size 512-1023 bytes.
Frames of 1024-1518 bytes       Number of received packets of size 1024-1518 bytes.
Rx Error Frames Received        Number of frames received that are an integral number of octets in length but do not pass the FCS check.
Rx Utilization                  Utilization in percentage for received frames on the interface.
Tx Utilization                  Utilization in percentage for sent frames on the interface.
Rx/Tx Utilization               An average of the Rx Utilization and the Tx Utilization in percentage on the interface.
18
File System Commands
18.1 File Specification
The files may be located on:
• Network: TFTP servers and/or SCP servers - Network files
• Master FLASH - Flash files
• Mass storage connected to a USB port of the Master - USB files. Only one mass-storage device is supported.
Note. Although the switch internally supports the file system on the FLASH of all stack units, the File System CLI commands allow access only to flash files on the Master. Any file synchronization needed between the Master and the other units is performed by the switch automatically.
Uniform Resource Locators (URLs) are used to specify the location of a file or a
directory. The URL has the following syntax:
<url> ::= tftp://<location>/<file-path> |
          scp://[<username>:<password>@]<location>/<file-path> |
          usb://<file-path> |
          flash://<file-path> |
          <current-directory>[/<file-path>] |
          <higher-directory>[/<file-path>] |
          <file-path>
<username> ::= string up to 70 characters
<password> ::= string up to 70 characters
<location> ::= <ipv4-address> | <ipv6-address> | <dns-name>
<current-directory> ::= [{usb | flash}:][.]
<higher-directory> ::= [{usb | flash}:]..
<file-path> ::= [<directories-path>/]<filename>
<directories-path> ::= <directory-name> | <directories-path>/<directory-name>
The maximum number of directories in <directories-path> is 16.
<directory-name> ::= string up to 63 characters
<filename> ::= string up to 63 characters
Filenames and directory names consist only of characters from the portable filename character set. The set includes the following characters:
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• abcdefghijklmnopqrstuvwxyz
• <space>
• 0123456789._-
The last three characters are the <period>, <underscore>, and <hyphen> characters, respectively. If a URL includes spaces, it must be enclosed in " characters.
For example:
"flash://aaa it/alpha/file 125"
The maximum length of a URL is 160 characters.
The following File systems are supported on USB:
•
FAT32—Full support.
•
NTFS—Partially support: read only.
The switch supports the following predefined URL aliases:
• active-image—The predefined URL alias specifies the Active Image file. This file has the following permissions:
  - readable
  - executable
• inactive-image—The predefined URL alias specifies the Inactive Image file. This file has the following permissions:
  - readable
  - executable
• running-config—The predefined URL alias specifies the Running Configuration File.
• startup-config—The predefined URL alias specifies the Startup Configuration File. This file has the following permissions:
  - readable
• localization—The predefined URL alias specifies the Secondary Language Dictionary file. This file has the following permissions:
  - readable
• logging—The predefined URL alias specifies the Syslog file. This file has the following permissions:
  - readable
• mirror-config—The predefined URL alias specifies the Mirror Configuration file. This file has the following permissions:
  - readable
Example
Example 1. The following example specifies a file on a TFTP server using an IPv4 address:
tftp://1.1.1.1/aaa/dat/file.txt
Example 2. The following example specifies a file on a TFTP server using an IPv6 address:
tftp://3000:1:2::11/aaa/dat/file.txt
Example 3. The following example specifies a file on a TFTP server using a DNS name:
tftp://files.export.com/aaa/dat/file.txt
Example 4. The following example specifies a file on FLASH:
flash://aaa/dat/file.txt
Example 5. The following example specifies files using the current directory:
./dat/file.txt
dat/file.txt
Example 6. The following example specifies a file using the higher directory:
../dat/file.txt
Example 7. The following example specifies a file on the mass-storage device connected to the USB port:
usb://aaa/dat/file.txt
Example 8. The following example specifies files on the mass-storage device connected to the USB port using the current directory:
usb:aaa/dat/file.txt
usb:./aaa/dat/file.txt
Example 9. The following example specifies a file on the mass-storage device connected to the USB port using the higher directory:
usb:../aaa/dat/file.txt
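As an added example (not code from the Cisco guide), the following Python parser applies the URL grammar and limits of this section to a string and rejects anything outside them, which is useful for validating file URLs in automation before they are sent to a switch. The trailing-slash directory form and the usb:<file-path> form without a slash are taken from the guide's own examples; the <dns-name> label rule is an assumption, since the guide does not define it.

```python
import ipaddress
import re

# Limits stated in section 18.1 of the guide.
MAX_URL_LEN, MAX_NAME_LEN, MAX_CRED_LEN, MAX_DIRS = 160, 63, 70, 16
# The portable filename character set listed in the guide (letters, digits, space, . _ -).
PORTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 0123456789._-")
PREDEFINED_ALIASES = frozenset({"active-image", "inactive-image", "running-config",
                                "startup-config", "localization", "logging", "mirror-config"})
# <dns-name> is not defined by the guide; assumed here: dot-separated labels of 1-63
# letters, digits or hyphens that neither start nor end with a hyphen.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class UrlError(ValueError):
    """Raised when a URL does not satisfy the grammar of section 18.1."""


def _check_location(location):
    """<location> ::= <ipv4-address> | <ipv6-address> | <dns-name>."""
    try:
        ipaddress.ip_address(location)
    except ValueError:  # not an IP literal, so it must be a <dns-name>
        if not all(DNS_LABEL.match(label) for label in location.split(".")):
            raise UrlError("bad location %r" % location)


def _check_file_path(path, allow_empty=False):
    """<file-path> ::= [<directories-path>/]<filename>; returns (dirs, filename)."""
    if path == "":
        if allow_empty:  # "flash://" or "usb:" alone names a directory
            return [], ""
        raise UrlError("empty file path")
    if path.endswith("/"):  # trailing '/' names a directory, as in the mkdir examples
        dirs, filename = path[:-1].split("/"), ""
    else:
        parts = path.split("/")
        dirs, filename = parts[:-1], parts[-1]
    if len(dirs) > MAX_DIRS:
        raise UrlError("more than %d directories" % MAX_DIRS)
    for name in dirs + ([filename] if filename else []):
        if name == "" or len(name) > MAX_NAME_LEN:
            raise UrlError("bad name length in %r" % path)
        if not set(name) <= PORTABLE_CHARS:
            raise UrlError("non-portable character in %r" % name)
    return dirs, filename


def parse_url(url):
    """Validate a URL against the guide's grammar; returns a dict of its parts."""
    if len(url) > MAX_URL_LEN:
        raise UrlError("URL longer than %d characters" % MAX_URL_LEN)
    if len(url) >= 2 and url[0] == url[-1] == '"':
        url = url[1:-1]  # spaces are allowed only inside a quoted URL
    elif " " in url:
        raise UrlError("URL with spaces must be enclosed in double quotes")
    # kind: tftp, scp, usb, flash, alias or relative; base: '.', '..' or ''
    result = {"kind": "relative", "location": None, "username": None,
              "password": None, "base": "", "dirs": [], "filename": ""}
    if url in PREDEFINED_ALIASES:
        result.update(kind="alias", filename=url)
        return result
    for scheme in ("tftp", "scp"):
        if not url.startswith(scheme + "://"):
            continue
        rest = url[len(scheme) + 3:]
        if scheme == "scp" and "@" in rest:
            creds, rest = rest.rsplit("@", 1)
            user, sep, pwd = creds.partition(":")
            if not sep or not (0 < len(user) <= MAX_CRED_LEN and 0 < len(pwd) <= MAX_CRED_LEN):
                raise UrlError("scp credentials must be <username>:<password>, each 1-70 chars")
            result.update(username=user, password=pwd)
        location, sep, path = rest.partition("/")
        if not sep:
            raise UrlError("network URL needs <location>/<file-path>")
        _check_location(location)
        dirs, filename = _check_file_path(path)
        result.update(kind=scheme, location=location, dirs=dirs, filename=filename)
        return result
    for scheme in ("usb", "flash"):
        if url.startswith(scheme + "://"):
            dirs, filename = _check_file_path(url[len(scheme) + 3:], allow_empty=True)
            result.update(kind=scheme, dirs=dirs, filename=filename)
            return result
        if url.startswith(scheme + ":"):  # [{usb | flash}:] prefix of a relative form
            result["kind"], url = scheme, url[len(scheme) + 1:]
    for dot in ("..", "."):  # <higher-directory> / <current-directory>
        if url == dot or url.startswith(dot + "/"):
            result["base"], url = dot, url[len(dot):].lstrip("/")
            break
    dirs, filename = _check_file_path(url, allow_empty=True)
    if result["kind"] == "relative" and not result["base"] and not (dirs or filename):
        raise UrlError("empty URL")
    result.update(dirs=dirs, filename=filename)
    return result


def is_valid_url(url):
    """True when parse_url accepts the URL, False otherwise."""
    try:
        parse_url(url)
        return True
    except UrlError:
        return False
```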
18.2 System Flash Files
The system files used by the switch are in the flash://system/ directory. A user cannot add, delete, or rename the system files and directories, and cannot create new directories under the system directory.
The system files are divided into the following groups:
• Inner System files. These files are created by the switch itself, for example the Syslog file.
• Files installed/uninstalled by the user. This group includes the following files:
  - Active and Inactive Images
  - Startup Configuration
  - Secondary Language Dictionary
The following boot commands install/uninstall these files:
• boot config
• boot localization
• boot system
Additionally, the following commands from previous versions can be used too:
• copy (copy running-config startup-config)
• write
Note. Reset to Factory Default removes all files from the FLASH except the following files:
• active-image
• inactive-image
• mirror-config
• localization
The flash://system/ directory contains the following directories:
• flash://system/images/—The directory contains the Active and Inactive Image files.
• flash://system/configuration/—The directory contains the Startup and Mirror Configuration files.
• flash://system/localization/—The directory contains the Secondary Language Dictionary file.
• flash://system/syslog/—The directory contains the Syslog file.
• flash://system/applications/—The directory contains inner system files managed by the switch applications.
18.3 Flash File System on Stack
The CLI commands provide access only to files located on the Master FLASH. The switch automatically synchronizes files between the Master and the slave units:
• The Backup's Flash File System is fully synchronized with the Master's Flash File System.
• For a non-Backup slave's File System, only the following files are synchronized:
  - Active Image file
  - Inactive Image file
  - Secondary Language Dictionary file
  All other files and directories are deleted.
18.4 boot config
To install a file as Startup Configuration after reload, use the boot config command
in Privileged EXEC mode. To uninstall the Startup configuration file, use the no form
of this command.
Syntax
boot config startup-config-url
boot config running-config
boot config mirror-config
no boot config
Parameters
• startup-config-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Use the boot config startup-config-url command to install the Startup Configuration from the startup-config-url file. The file must be a text file containing CLI commands. The command performs the following actions:
• Copies the file into the system directory flash://system/configuration/
• Converts the file from the text format into the internal binary format.
• Installs the converted file as the Startup Configuration. The previous Startup Configuration file is deleted.
• Installs the Startup Configuration on the Backup.
Use the boot config running-config command to install the Startup Configuration from the Running Configuration.
Use the boot config mirror-config command to install the Startup Configuration from the Mirror Configuration file.
Use the no boot config command to uninstall the Startup Configuration. The uninstalled file is deleted.
Example
Example 1. The following example installs the Startup Configuration from a TFTP server:
switchxxxxxx(config)# boot config tftp://1.1.1./confiration-files/config-v1.9.dat
Example 2. The following example installs the Startup Configuration from FLASH:
switchxxxxxx(config)# boot config flash://confiration-files/config-v1.9.dat
Example 3. The following example unsets the current Startup Configuration:
switchxxxxxx(config)# no boot config
Example 4. The following example installs the Startup Configuration from the Running Configuration file:
switchxxxxxx(config)# boot config running-config
Example 5. The following example installs the Startup Configuration from the Mirror Configuration file:
switchxxxxxx(config)# boot config mirror-config
18.5 boot localization
To install a file as the Secondary Language Dictionary file, use the boot localization
command in Privileged EXEC mode. To return to the default, use the no form of this
command.
Syntax
boot localization dictionary-url
no boot localization
Parameters
• dictionary-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
Default language.
Command Mode
Privileged EXEC mode
User Guidelines
Use the boot localization dictionary-url command to install the Secondary Language Dictionary from the dictionary-url file. The command performs the following actions:
• Copies the file into the system directory flash://system/localization/
• Validates its format. If the file does not have the correct format, the file is deleted and the command finishes with an error.
• Installs the copied file as the Secondary Language Dictionary. The previous Secondary Language Dictionary file is deleted.
• Installs the Secondary Language Dictionary on all other stack units.
Use the no boot localization command to uninstall the Secondary Language Dictionary. The uninstalled file is deleted.
Example
Example 1. The following example installs the Secondary Language Dictionary file
from a TFTP server:
switchxxxxxx(config)# boot localization
tftp://196.1.1.1/web-dictionaries/germany-dictionary.dat
Example 2. The following example installs the Secondary Language Dictionary file
from FLASH:
switchxxxxxx(config)# boot localization
flash://web-dictionaries/germany-dictionary.dat
18.6 boot system
To install the system (active) image that the switch loads at startup, use the boot
system command in Privileged EXEC mode.
Syntax
boot system image-url
boot system inactive-image
Parameters
• image-url—The URL of a file. The predefined URLs cannot be configured.
Default Configuration
No default.
Command Mode
Privileged EXEC mode
User Guidelines
Use the boot system image-url command to install a new active image from the image-url file. The command performs the following actions:
• Copies the file into the system directory flash://system/images/
• Validates its format. If the file does not have the correct image format, the file is deleted and the command finishes with an error.
• Installs the copied file as the active image that will be loaded at startup. The previous active image file is saved as the inactive image. The previous inactive image is deleted.
• Installs the new active image in all stack units.
Use the boot system inactive-image command to set the inactive image as the active one and the active image as the inactive one. The command installs the inactive image as active in all stack units.
Use the show bootvar / show version command to display information about the
active and inactive images.
Example
Example 1. The following example sets a new active image from a TFTP server:
switchxxxxxx(config)# boot system tftp://145.21.2.3/image/image-v1-1.ros
Example 2. The following example sets a new active image from FLASH:
switchxxxxxx(config)# boot system flash://images/image-v1-1.ros
Example 3. The following example sets the inactive image:
switchxxxxxx(config)# boot system inactive-image
18.7 cd
To change the current directory or file system, use the cd command in User EXEC
mode.
Syntax
cd url
Parameters
• url—Specifies a directory on FLASH or on USB.
Default Configuration
The flash root directory (flash://)
Command Mode
User EXEC mode
User Guidelines
When a terminal session is started the current directory of the session is set to
flash://. Use the cd command to change the current directory.
Example
Example 1. The following example sets a new current directory on FLASH:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd date/aaa
switchxxxxxx> pwd
flash://date/aaa
Example 2. The following example sets a new current directory on USB:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd usb://
switchxxxxxx> pwd
usb://
18.8 copy
To copy any file from a source to a destination, use the copy command in
Privileged EXEC mode.
Syntax
copy src-url dst-url
copy {running-config | startup-config} dst-url [exclude | include-encrypted |
include-plaintext]
copy src-url running-config
copy running-config startup-config
Parameters
• src-url—The location URL of the source file to be copied. The predefined
URL aliases can be configured.
• dst-url—The URL of the destination file or the directory to be copied. The
predefined URL aliases cannot be configured.
• exclude—Sensitive data is not included in the file being copied.
• include-encrypted—The file includes sensitive data in its encrypted form. This secure option is applied by default if no secure option is configured.
• include-plaintext—The file includes sensitive data in its plaintext form.
Command Mode
Privileged EXEC mode
User Guidelines
The following guidelines are relevant:
• You cannot copy one network file to another network file.
• Use the copy src-url dst-url command to copy any file. If the dst-url argument defines an existing flash file, the command fails if that file does not have the writable permission. If the dst-url argument defines a directory, the file is copied into that directory under the same name. No file format validation or conversion is performed. If the src-url and dst-url arguments both define flash files, the dst-url file will have the permissions of the src-url file. If the src-url argument defines a non-flash file and the dst-url argument defines a flash file, the dst-url file will have the following permissions:
  - readable
  - writable
• Use the copy src-url running-config command to add a file to the Running Configuration file.
• The copy running-config startup-config command has exactly the same functionality as the boot config command with the running-config keyword.
Example
Example 1. The following example copies the file file1 from the TFTP server 172.16.101.101 to the flash://aaa/file1 file:
switchxxxxxx# copy tftp://172.16.101.101/file1 flash://aaa/file1
Example 2. The following example saves the Startup configuration file in the
tftp://172.16.101.101/config.txt file:
switchxxxxxx# copy startup-config tftp://172.16.101.101/config.txt
include-encrypted
Example 3. The following example copies the Running Configuration file to the
Startup configuration:
switchxxxxxx# copy running-config startup-config
Example 4. The following example copies the Syslog file to a TFTP server:
switchxxxxxx# copy logging tftp://1.1.1.1/syslog.txt
Example 5. The following example copies a file from the mass-storage device
connected to the USB port to Flash:
switchxxxxxx# copy usb://aaa/file1.txt flash://dir1/file2
18.9 delete
To delete a local file, use the delete command in Privileged EXEC mode.
Syntax
delete url
delete startup-config
delete localization
Parameters
• url—Specifies the local URL of the local file to be deleted. The predefined
and network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
The delete url command cannot delete a network file.
Use the delete startup-config command to delete the Startup Configuration file.
Use the delete localization command to delete the Secondary Language
Dictionary file.
Example
Example 1. The following example deletes the file flash://backup/aaa.ttt from FLASH:
switchxxxxxx# cd flash://backup/
switchxxxxxx# delete aaa.ttt
Delete flash://backup/aaa.ttt? [Y/N]Y
Example 2. The following example deletes the file called ‘aaa/config’ from the
mass-storage device connected to the USB port:
switchxxxxxx# delete usb://aaa/config
Delete usb://aaa/config? [Y/N]Y
18.10 dir
To display a list of files on a file system, use the dir command in User EXEC mode.
Syntax
dir [url]
Parameters
• url—Specifies the local URL of the directory to be displayed. The
predefined and network URLs cannot be configured. If the argument is
omitted the current directory is used.
Command Mode
User EXEC mode
User Guidelines
The command cannot be applied to a network directory.
Use the dir command without the argument to display the current directory.
Examples
The following example displays the flash://mng/ directory:
switchxxxxxx> dir flash://mng/
Permissions
    d-directory
    r-readable
    w-writable
    x-executable
134560K of 520000K are free
Directory of flash://mng/
Permission  File Size  Last Modified         File Name
----------  ---------  --------------------  ------------------
drw-        4720148    Dec 12 2010 17:49:36  bin
-r--        60         Dec 12 2011 17:49:36  config-list
-r--        160        Feb 12 2011 17:49:36  image-list
-r-x        6520148    Nov 29 2010 7:12:30   image1
-rw-        2014       Nov 20 2010 9:12:30   data
18.11 mkdir
To create a new directory, use the mkdir command in Privileged EXEC mode.
Syntax
mkdir url
Parameters
• url—Specifies the URL of the created directory. The predefined and
network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
The mkdir command cannot be applied to a network directory.
The mkdir command cannot create a directory inside the flash://system/ directory.
All directories defined in the url argument except the created one must already exist.
Example
Example 1. The following example creates a directory on FLASH:
switchxxxxxx# mkdir flash://date/aaa/
Example 2. The following example creates a directory on the mass-storage device
connected to the USB port:
switchxxxxxx# mkdir usb://newdir/
18.12 more
To display the contents of a file, use the more command in User EXEC mode.
Syntax
more url
Parameters
• url—Specifies the local URL or predefined file name of the file to display.
Command Mode
User EXEC mode
User Guidelines
The command cannot be applied to a network file.
The more running-config command displays the same output as the show running-config command regardless of the specified format.
The more startup-config command displays the same output as the show startup-config command regardless of the specified format.
The more active-image and more inactive-image commands display only the version number of the image regardless of the specified format.
Example
The following example displays the running configuration file contents:
switchxxxxxx> more running-config
no spanning-tree
interface range gi1/1//11-48
speed 1000
exit
no lldp run
line console
exec-timeout 0
18.13 pwd
To show the current directory, use the pwd command in User EXEC mode.
Syntax
pwd [usb: | flash:]
Parameters
• usb:—Display the current directory on the USB drive.
• flash:—Display the current directory on the FLASH drive.
Command Mode
User EXEC mode
User Guidelines
Use the pwd usb: | flash: command to show the current directory on the specified drive.
Use the pwd command to show the current directory set by the recent cd
command.
Example
The following example uses the cd command to change the current directory and
then uses the pwd command to display that current directory:
switchxxxxxx> pwd
flash://
switchxxxxxx> cd date/aaa
switchxxxxxx> pwd
flash://date/aaa
18.14 reload
To reload the operating system, use the reload command in Privileged EXEC
mode.
Syntax
reload
reload {in hhh:mm | mmm | at hh:mm [day month]}
reload cancel
Parameters
• in hhh:mm | mmm—Schedules a reload of the image to take effect in the specified minutes or hours and minutes. The reload must take place within approximately 24 days.
• at hh:mm—Schedules a reload of the image to take place at the specified time (using a 24-hour clock). If you specify the month and day, the reload is scheduled to take place at the specified time and date. If you do not specify the month and day, the reload takes place at the specified time on the current day (if the specified time is later than the current time) or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. The reload must take place within 24 hours.
• day—Number of the day in the range from 1 to 31.
• month—Month of the year. (Range: Jan–Dec)
• cancel—Cancels a scheduled reload.
Command Mode
Privileged EXEC mode
User Guidelines
Use the reload command to reload the switch.
Use the reload {in hhh:mm | mmm | at hh:mm [day month]} command to schedule a switch reload.
The at keyword can be configured only if the system clock has been set on the switch.
When you specify the reload time using the at keyword, if you specify the month and day, the reload takes place at the specified time and date. If you do not specify the month and day, the reload takes place at the specified time on the current day (if the specified time is later than the current time), or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reload for midnight. The reload must take place within 24 days.
Use the reload cancel command to cancel the scheduled reload.
To display information about a scheduled reload, use the show reload command.
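As an added example (not code from the Cisco guide), the following Python functions resolve the in and at argument forms above to an absolute reload time using the stated rules: the next-day rule for at, the requirement that the system clock be set, and the range limits. Assumptions: the 24-hour limit for the at form is taken from the Parameters section (the guidelines above say 24 days), and the message formatter pluralizes "hour", which the guide's sample output does not always do.

```python
import re
from datetime import datetime, timedelta

# Limits from the Parameters section of the reload command. The User Guidelines give
# 24 days for the "at" form as well; the stricter 24-hour value is used here (assumption).
MAX_IN_DELAY = timedelta(days=24)
MAX_AT_DELAY = timedelta(hours=24)
MONTHS = {name: i for i, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


class ReloadError(ValueError):
    """Raised when the reload arguments are malformed or out of range."""


def schedule_reload(args, now, clock_set=True):
    """Return the datetime at which `reload <args>` would fire, given switch time `now`.

    args is the text after the reload keyword: "in hhh:mm", "in mmm",
    "at hh:mm" or "at hh:mm day month".
    """
    tokens = args.split()
    if len(tokens) == 2 and tokens[0] == "in":
        m = re.fullmatch(r"(\d{1,3}):([0-5]\d)", tokens[1])  # hhh:mm
        if m:
            delay = timedelta(hours=int(m.group(1)), minutes=int(m.group(2)))
        elif tokens[1].isdigit():                               # mmm
            delay = timedelta(minutes=int(tokens[1]))
        else:
            raise ReloadError("expected hhh:mm or mmm after 'in'")
        if not timedelta(0) < delay <= MAX_IN_DELAY:
            raise ReloadError("reload must take place within 24 days")
        return now + delay
    if len(tokens) in (2, 4) and tokens[0] == "at":
        if not clock_set:
            raise ReloadError("the at keyword requires the system clock to be set")
        m = re.fullmatch(r"([01]?\d|2[0-3]):([0-5]\d)", tokens[1])  # hh:mm, 24-hour clock
        if not m:
            raise ReloadError("expected hh:mm after 'at'")
        when = now.replace(hour=int(m.group(1)), minute=int(m.group(2)),
                           second=0, microsecond=0)
        if len(tokens) == 4:  # explicit day and month
            day, month = tokens[2], tokens[3].capitalize()
            if not (day.isdigit() and 1 <= int(day) <= 31 and month in MONTHS):
                raise ReloadError("expected <day 1-31> <month Jan-Dec>")
            try:
                when = when.replace(month=MONTHS[month], day=int(day))
            except ValueError:
                raise ReloadError("no such date")
        elif when <= now:     # time already passed today: schedule for the next day
            when += timedelta(days=1)
        if not timedelta(0) < when - now <= MAX_AT_DELAY:
            raise ReloadError("reload must take place within 24 hours")
        return when
    raise ReloadError("usage: reload {in hhh:mm | mmm | at hh:mm [day month]}")


def reload_message(args, now, clock_set=True):
    """Build the confirmation line in the style of the guide's examples."""
    when = schedule_reload(args, now, clock_set)
    hours, minutes = divmod(int((when - now).total_seconds()) // 60, 60)
    remaining = "%d minutes" % minutes
    if hours:
        remaining = "%d hour%s and %s" % (hours, "" if hours == 1 else "s", remaining)
    return "Reload is scheduled for %s UTC %s (in %s)" % (
        when.strftime("%H:%M:%S"), when.strftime("%a %b %d %Y"), remaining)


def reload_error(args, now, clock_set=True):
    """Return the reason the arguments are rejected, or None when they are accepted."""
    try:
        schedule_reload(args, now, clock_set)
        return None
    except ReloadError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed switch time matching Example 3 of this section.
    print(reload_message("at 12:10 24 Aug", datetime(2014, 8, 24, 10, 58)))
```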
Example
Example 1. The following example reloads the switch:
switchxxxxxx# reload
This command will reset the whole system and disconnect your current session.
Do you want to continue? (Y/N) [Y]
Example 2. The following example reloads the image in 10 minutes:
switchxxxxxx# reload in 10
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 11:57:08 UTC Fri Apr 21 2012 (in 10 minutes). Do you
want to continue? (Y/N) [Y]
Example 3. The following example reloads the image at 12:10 24 Aug:
switchxxxxxx# reload at 12:10 24 Aug
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 12:10:00 UTC Sun Aug 24 2014 (in 1 hours and 12
minutes). Do you want to continue ? (Y/N)[N]
Example 4. The following example reloads the image at 13:00:
switchxxxxxx# reload at 13:00 soft
This command will reset the whole system and disconnect your current session.
Reload is scheduled for 13:00:00 UTC Fri Apr 21 2012 (in 1 hour and 3
minutes). Do you want to continue? (Y/N) [Y]
Example 5. The following example cancels a reload.
switchxxxxxx# reload cancel
Reload cancelled.
18.15 rename
To rename a local file or directory, use the rename command in Privileged EXEC
mode.
Syntax
rename url new-url
Parameters
• url—Specifies the URL of the file or directory to be renamed. The
predefined and network URLs cannot be configured.
• new-url—Specifies the new URL of the renamed file or directory. The
predefined and network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
The url and new-url arguments must specify the same drive.
The command cannot rename a network file or network directory.
The command cannot rename a file or directory into the flash://system directory.
Examples
Example 1. The following example renames the flash://bin/text1.txt file to
flash://archive/text1sav.txt:
switchxxxxxx# cd flash://archive
switchxxxxxx# rename flash://bin/text1.txt ./text1sav.txt
Example 2. The following example renames the flash://a/b directory to the flash://e/g/h directory:
switchxxxxxx# pwd
flash://a/b/c/d
switchxxxxxx> dir flash://a
Permissions
    d-directory
    r-readable
    w-writable
    x-executable
134560K of 520000K are free
Directory of flash://a
Permission  File Size  Last Modified         File Name
----------  ---------  --------------------  ------------------
drw-        472148     Dec 13 2010 15:49:36  b
switchxxxxxx> dir flash://e/g/h
Permissions
    d-directory
    r-readable
    w-writable
    x-executable
134560K of 520000K are free
Directory of flash://e/g/h
Permission  File Size  Last Modified         File Name
----------  ---------  --------------------  ------------------
switchxxxxxx# rename flash://a/b flash://e/g/h
switchxxxxxx# pwd
flash://e/g/h/c/d
switchxxxxxx> dir flash://a
Permissions
    d-directory
    r-readable
    w-writable
    x-executable
134560K of 520000K are free
Directory of flash://a
Permission  File Size  Last Modified         File Name
----------  ---------  --------------------  ------------------
switchxxxxxx> dir flash://e/g/h
Permissions
    d-directory
    r-readable
    w-writable
    x-executable
134560K of 520000K are free
Directory of flash://e/g/h
Permission  File Size  Last Modified         File Name
----------  ---------  --------------------  ------------------
drw-        720148     Dec 12 2010 17:49:36  c
18.16 rmdir
To remove a local directory, use the rmdir command in Privileged EXEC mode.
Syntax
rmdir url
Parameters
• url—Specifies the URL of the directory to be removed. The predefined and network URLs cannot be configured.
Command Mode
Privileged EXEC mode
User Guidelines
Only an empty directory can be removed.
The command cannot remove a network directory.
The command cannot remove a directory inside the flash://system directory.
Example
Example 1. The following example removes the directory called ‘backup/config/’
from FLASH:
switchxxxxxx# rmdir flash://backup/config/
Remove flash://backup/config? [Y/N]Y
Example 2. The following example removes the directory called ‘aaa/config’ from
the mass-storage device connected to the USB port:
switchxxxxxx# rmdir usb://aaa/config/
Remove directory usb://aaa/config? [Y/N]Y
18.17 service mirror-configuration
Use the service mirror-configuration Global Configuration mode command to enable the mirror-configuration service. Use the no service mirror-configuration command to disable the service.
Syntax
service mirror-configuration
no service mirror-configuration
Parameters
This command has no arguments or keywords.
Default Configuration
The default configuration is mirror-configuration service enabled.
Command Mode
Global Configuration mode
User Guidelines
The mirror-configuration service automatically keeps a copy of the last known stable configuration (a startup configuration that has not been modified for 24 hours). When this service is disabled, the mirror-configuration file is deleted.
Examples
Example 1 - The following example disables the mirror-configuration service:
switchxxxxxx(config)# no service mirror-configuration
This operation will delete the mirror-config file if exists. Do you want to continue?
(Y/N) [N]
Example 2 - The following example enables the mirror-configuration service:
switchxxxxxx(config)# service mirror-configuration
Service is enabled.
18.18 show bootvar / show version
To display the active system image file that was loaded by the device at startup,
and to display the system image file that will be loaded after rebooting the switch,
use the show bootvar or show version command in User EXEC mode.
Syntax
show bootvar
show version
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
User Guidelines
The show bootvar and show version commands have the same functionality.
Example
Example 1. The following example gives an example of the command output after
reload:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
Example 2. This example continues the previous one, after applying the boot system tftp://1.1.1.1/image_v14-01.ros command:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
Example 3. This example continues the previous one, after a system reload:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Inactive-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Example 4. This example continues the previous one, after applying the boot system inactive-image command:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Inactive after reboot
Inactive-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Active after reboot
Example 5. This example continues the previous one, after a system reload:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/_image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Example 7. The following example gives an example of the command output after
applying the boot system command two times:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-01.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-04.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-04.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
Example 8. The following example gives an example of the command output after
applying the boot system tftp://1.1.1.1/image_v14-01.ros command and the boot
system inactive-image command:
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v12-01.ros
Version: 12.01
MD5 Digest: 3FA000012857D8855AABC7577AB8999
Date: 04-Feb-2001
Time: 11:13:17
switchxxxxxx# boot system tftp://1.1.1.1/image_v14-01.ros
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
switchxxxxxx# boot system inactive-image
switchxxxxxx# show bootvar
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
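As an added example (not part of the guide), the following Python parses the show bootvar output of Example 8 and verifies the digest of the image marked "Active after reboot" against an allow-list before a reload is approved; the allow-list is constructed for the example, and the two samples are copied from the output above.

```python
"""Check which image a Sx350 switch will run after reload, from `show bootvar`.

Added example, not from the reference guide. It parses the output shown in
Example 8 and compares the digest of the image marked 'Active after reboot'
with an allow-list of digests; the allow-list is constructed for this example
(a real one would come from the vendor's release notes).
"""
import re
from dataclasses import dataclass

# Constructed from the guide's Example 8: output after
# `boot system tftp://1.1.1.1/image_v14-01.ros` has staged a new image.
BOOTVAR_STAGED = """\
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive after reboot
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
Active after reboot
"""

# Constructed from the same example: no reboot marker is printed, so the
# current Active-image stays active.
BOOTVAR_PLAIN = """\
Active-image: flash://system/images/image_v12-03.ros
Version: 12.03
MD5 Digest: 63FA000012857D8855AABEA7451265456
Date: 04-Jul-2014
Time: 15:03:07
Inactive-image: flash://system/images/image_v14-01.ros
Version: 14.01
MD5 Digest: 23FA000012857D8855AABC7577AB5562
Date: 24-Jul-2014
Time: 23:11:17
"""

# Constructed allow-list: image file name -> digest as printed by the switch.
KNOWN_GOOD = {
    "image_v12-03.ros": "63FA000012857D8855AABEA7451265456",
    "image_v14-01.ros": "23FA000012857D8855AABC7577AB5562",
}


@dataclass
class BootImage:
    slot: str                 # "Active-image" or "Inactive-image"
    path: str                 # flash:// path of the image file
    version: str
    md5: str                  # digest string exactly as printed
    active_after_reboot: bool


def parse_bootvar(text):
    """Return one BootImage per slot in `show bootvar` output.

    A slot begins at an 'Active-image:' or 'Inactive-image:' line. The
    optional trailing 'Active after reboot' / 'Inactive after reboot' line
    overrides the default, which is that the Active-image slot stays active.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(Active-image|Inactive-image):\s*(\S+)$", line)
        if m:
            records.append({"slot": m.group(1), "path": m.group(2),
                            "version": "", "md5": "",
                            "active_after_reboot": m.group(1) == "Active-image"})
        elif not records:
            continue                      # text before the first slot
        elif line.startswith("Version:"):
            records[-1]["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5 Digest:"):
            records[-1]["md5"] = line.split(":", 1)[1].strip().upper()
        elif line == "Active after reboot":
            records[-1]["active_after_reboot"] = True
        elif line == "Inactive after reboot":
            records[-1]["active_after_reboot"] = False
    return [BootImage(**r) for r in records]


def next_boot_image(images):
    """Return the single image that will be active after the next reload."""
    active = [img for img in images if img.active_after_reboot]
    if len(active) != 1:
        raise ValueError(f"expected one image active after reboot, found {len(active)}")
    return active[0]


def verify_next_boot_image(text, known_good):
    """Return (ok, message) for the image queued for the next reload.

    Review step before approving a `reload`: the queued image must be on the
    allow-list and its printed digest must match, so an unexpected or altered
    image staged with `boot system` is caught rather than booted.
    """
    img = next_boot_image(parse_bootvar(text))
    name = img.path.rsplit("/", 1)[-1]
    expected = known_good.get(name)
    if expected is None:
        return False, f"{name} is not on the allow-list"
    if expected.upper() != img.md5:
        return False, f"{name}: digest {img.md5} does not match expected {expected.upper()}"
    return True, f"{name} (version {img.version}) will be active after reboot"
```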
18.19 show mirror-configuration service
To display the mirror-configuration service status, use the show
mirror-configuration service command in User EXEC mode.
Syntax
show mirror-configuration service
Command Mode
User EXEC mode
Example
The following example displays the status of the mirror-configuration service:
switchxxxxxx# show mirror-configuration service
Mirror-configuration service is enabled
18.20 show reload
To display the reload status on the switch, use the show reload command in User
EXEC mode.
Syntax
show reload
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
User Guidelines
You can use the show reload command to display a pending image reload. To
cancel the reload, use the reload command with the cancel keyword.
Example
Example 1. The following example displays the information shown when a scheduled reload has been configured:
switchxxxxxx> show reload
Image reload scheduled for 00:00:00 UTC Sat April 20 (in 3 hours and 12 minutes)
Example 2. The following example displays the information shown when no scheduled reload has been configured:
switchxxxxxx> show reload
No scheduled reload
18.21 show running-config
To display the contents of the currently running configuration file, use the
show running-config command in Privileged EXEC mode.
Syntax
show running-config [interface interface-id-list | detailed | brief]
Parameters
• interface interface-id-list—Specifies a list of interface IDs. The interface IDs can be one of the following types: Ethernet port, port-channel or VLAN.
• detailed—Displays configuration with SSL and SSH keys.
• brief—Displays configuration without SSL and SSH keys.
Default Configuration
All interfaces are displayed. If the detailed or brief keyword is not specified, the
brief keyword is applied.
Command Mode
Privileged EXEC mode
Example
The following example displays the running configuration file contents.
switchxxxxxx# show running-config
config-file-header
AA307-02
v1.2.5.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
unit-type-control-end
!
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
18.22 show startup-config
To display the Startup Configuration file contents, use the show startup-config
command in Privileged EXEC mode.
Syntax
show startup-config [interface interface-id-list]
Parameters
• interface interface-id-list—Specifies a list of interface IDs. The interface IDs can be one of the following types: Ethernet port, port-channel or VLAN.
Command Mode
Privileged EXEC mode
Example
The following example displays the startup configuration file contents.
switchxxxxxx# show startup-config
config-file-header
AA307-02
v1.2.5.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
18.23 write
To save the running configuration to the startup configuration file, use the write
command in Privileged EXEC mode.
Syntax
write
write memory
Parameters
This command has no arguments or keywords.
Command Mode
Privileged EXEC mode
User Guidelines
Use the write command or the write memory command to save the Running
Configuration file into the Startup Configuration file.
Examples
The following example shows how to overwrite the startup-config file with the running-config file using the write command:
switchxxxxxx# write
Overwrite file [startup-config] ?[Yes/press any key for no]....
15-Sep-2010 11:27:48 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config
15-Sep-2010 11:27:50 %COPY-N-TRAP: The copy operation was completed successfully
Copy succeeded
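As an added example that is not from the guide, the following Python ties together the show running-config, show startup-config and write material: it compares the two configuration dumps shown above to list what write would persist, and flags weak settings visible in them. The sample configs are assembled from the guide's examples; the finding texts are this example's own reading of those settings.

```python
"""Audit `show running-config` / `show startup-config` output.

Added example, not from the reference guide. It reports (1) drift between the
running and startup configuration, i.e. what `write` would persist, and
(2) weak settings visible in the guide's sample configs. The finding texts are
this example's reading of those settings, not the guide's wording.
"""
from collections import Counter

# Sample configs assembled from the guide's 18.21 and 18.22 examples: the
# running config carries a unit-type block that the startup config lacks.
HEADER = """\
config-file-header
AA307-02
v1.2.5.76 / R750_NIK_1_2_584_002
CLI v1.0
file SSD indicator encrypted
@
"""
SSD_BLOCK = """\
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
"""
UNIT_BLOCK = """\
unit-type unit 1 network te uplink none
unit-type unit 2 network te uplink none
unit-type unit 3 network te uplink none
unit-type unit 4 network te uplink none
unit-type-control-end
!
"""
BODY = """\
no spanning-tree
interface range te1/0/1-4
speed 1000
exit
no lldp run
interface vlan 1
ip address 1.1.1.1 255.0.0.0
exit
line console
exec-timeout 0
exit
switchxxxxxx#
"""
RUNNING_CONFIG = HEADER + SSD_BLOCK + UNIT_BLOCK + BODY
STARTUP_CONFIG = HEADER + SSD_BLOCK + BODY

# Statements that deserve a finding, with the reviewer's note for each.
WEAK_SETTINGS = {
    "no ssd file integrity control":
        "SSD file integrity control is disabled: configuration files are accepted without an integrity check",
    "ssd file passphrase control unrestricted":
        "SSD passphrase control is unrestricted: the passphrase may be exported with configuration files",
    "exec-timeout 0": "idle sessions on this line never time out",
}


def split_config(text):
    """Return (header_lines, statements); the header ends at the '@' line.

    Comment lines ('!'), blank lines and the trailing CLI prompt are dropped
    from the statements so that comparisons cover configuration only.
    """
    lines = [ln.rstrip() for ln in text.splitlines()]
    end = lines.index("@")  # raises ValueError if the header terminator is missing
    header = lines[1:end] if lines[0] == "config-file-header" else lines[:end]
    statements = [ln for ln in lines[end + 1:]
                  if ln and ln != "!" and not ln.endswith("#")]
    return header, statements


def config_drift(running, startup):
    """Return (unsaved, removed): statements only in running / only in startup.

    Unsaved statements are lost on reload unless `write` is issued. Counter
    arithmetic keeps repeated statements such as 'exit' balanced.
    """
    run = Counter(split_config(running)[1])
    start = Counter(split_config(startup)[1])
    return sorted((run - start).elements()), sorted((start - run).elements())


def audit_config(text):
    """Return [(where, finding)] for weak statements, with line/interface context."""
    _, statements = split_config(text)
    findings, context = [], None
    for stmt in statements:
        if stmt.startswith(("line ", "interface ")):
            context = stmt
        elif stmt == "exit":
            context = None
        if stmt in WEAK_SETTINGS:
            where = f"{context}: {stmt}" if context else stmt
            findings.append((where, WEAK_SETTINGS[stmt]))
    return findings
```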
19 GARP VLAN Registration Protocol (GVRP) Commands
19.1 clear gvrp statistics
To clear GVRP statistical information for all interfaces or for a specific interface,
use the clear gvrp statistics Privileged EXEC mode command.
Syntax
clear gvrp statistics [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or Port-channel.
Default Configuration
All GVRP statistics are cleared.
Command Mode
Privileged EXEC mode
Example
The following example clears all GVRP statistical information on te1/0/4.
switchxxxxxx# clear gvrp statistics te1/0/4
19.2 gvrp enable (Global)
To enable the Generic Attribute Registration Protocol (GARP) VLAN Registration
Protocol (GVRP) globally, use the gvrp enable Global Configuration mode
command. To disable GVRP on the device, use the no form of this command.
Syntax
gvrp enable
no gvrp enable
Parameters
This command has no arguments or keywords.
Default Configuration
GVRP is globally disabled.
Command Mode
Global Configuration mode
Example
The following example enables GVRP globally on the device.
switchxxxxxx(config)# gvrp enable
19.3 gvrp enable (Interface)
To enable GVRP on an interface, use the gvrp enable Interface (Ethernet, Port
Channel) Configuration mode command. To disable GVRP on an interface, use the
no form of this command.
Syntax
gvrp enable
no gvrp enable
Parameters
This command has no arguments or keywords.
Default Configuration
GVRP is disabled on all interfaces.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
An access port does not dynamically join a VLAN because it is always a member
of a single VLAN only. Membership in an untagged VLAN is propagated in the
same way as in a tagged VLAN. That is, the PVID must be manually defined as the
untagged VLAN ID.
Example
The following example enables GVRP on te1/0/4.
switchxxxxxx(config)# interface te1/0/4
switchxxxxxx(config-if)# gvrp enable
19.4 gvrp registration-forbid
To deregister all dynamic VLANs on a port and prevent VLAN creation or
registration on the port, use the gvrp registration-forbid Interface Configuration
mode command. To allow dynamic registration of VLANs on a port, use the no
form of this command.
Syntax
gvrp registration-forbid
no gvrp registration-forbid
Parameters
This command has no arguments or keywords.
Default Configuration
Dynamic registration of VLANs on the port is allowed.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example forbids dynamic registration of VLANs on te1/0/2.
switchxxxxxx(config)# interface te1/0/2
switchxxxxxx(config-if)# gvrp registration-forbid
19.5 gvrp vlan-creation-forbid
To disable dynamic VLAN creation or modification, use the gvrp
vlan-creation-forbid Interface Configuration mode command. To enable dynamic
VLAN creation or modification, use the no form of this command.
Syntax
gvrp vlan-creation-forbid
no gvrp vlan-creation-forbid
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
Example
The following example disables dynamic VLAN creation on te1/0/3.
switchxxxxxx(config)# interface te1/0/3
switchxxxxxx(config-if)# gvrp vlan-creation-forbid
19.6 show gvrp configuration
To display GVRP configuration information, including timer values, whether GVRP
and dynamic VLAN creation are enabled, and which ports are running GVRP, use
the show gvrp configuration EXEC mode command.
Syntax
show gvrp configuration [interface-id | detailed]
Parameters
• interface-id—(Optional) Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
All GVRP statistics are displayed for all interfaces. If detailed is not used, only
present ports are displayed.
Command Mode
User EXEC mode
Example
The following example displays GVRP configuration.
switchxxxxxx# show gvrp configuration
GVRP Feature is currently Enabled on the device.
Maximum VLANs: 4094
Port(s)   GVRP-Status   Registration   Dynamic VLAN Creation   Timers(ms)
                                                               Join   Leave   Leave All
-------   -----------   ------------   ---------------------   ----   -----   ---------
te1/0/1   Enabled       Forbidden      Disabled                600    200     10000
te1/0/2   Enabled       Normal         Enabled                 1200   400     20000
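The following added example (not from the guide) parses the table printed by show gvrp configuration and lists the ports on which a neighbour can still register or create VLANs, that is, GVRP enabled with Normal registration and dynamic VLAN creation enabled, the two conditions that gvrp registration-forbid (19.4) and gvrp vlan-creation-forbid (19.5) close. The sample output is the guide's example above.

```python
"""List ports on which GVRP still accepts dynamic VLAN registration.

Added example, not from the reference guide. It parses the table printed by
`show gvrp configuration` (the sample is the guide's own output) and reports
ports where neither gvrp registration-forbid nor gvrp vlan-creation-forbid
is in effect, i.e. a neighbour can still register or create VLANs there.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
GVRP Feature is currently Enabled on the device.
Maximum VLANs: 4094
Port(s)   GVRP-Status   Registration   Dynamic VLAN Creation   Timers(ms)
                                                               Join   Leave   Leave All
-------   -----------   ------------   ---------------------   ----   -----   ---------
te1/0/1   Enabled       Forbidden      Disabled                600    200     10000
te1/0/2   Enabled       Normal         Enabled                 1200   400     20000
"""

# One data row: port, GVRP status, registration mode, dynamic VLAN creation,
# then the three GARP timers in milliseconds.
ROW_RE = re.compile(
    r"^(\S+)\s+(Enabled|Disabled)\s+(Normal|Forbidden)\s+(Enabled|Disabled)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class GvrpPort:
    port: str
    gvrp_enabled: bool
    registration: str            # "Normal", or "Forbidden" (gvrp registration-forbid)
    dynamic_vlan_creation: bool  # False when gvrp vlan-creation-forbid is set
    join_ms: int
    leave_ms: int
    leave_all_ms: int


def parse_gvrp_configuration(text):
    """Return (globally_enabled, [GvrpPort]) from `show gvrp configuration`."""
    globally_enabled, ports = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("GVRP Feature is currently"):
            globally_enabled = "Enabled" in line
            continue
        m = ROW_RE.match(line)
        if m:
            ports.append(GvrpPort(m.group(1), m.group(2) == "Enabled", m.group(3),
                                  m.group(4) == "Enabled", int(m.group(5)),
                                  int(m.group(6)), int(m.group(7))))
    return globally_enabled, ports


def open_registration_ports(text):
    """Return (open_ports, restricted_ports).

    A port is open when GVRP is enabled globally and on the port, registration
    is Normal and dynamic VLAN creation is enabled. Every other port has at
    least one control applied (or GVRP is off) and is listed as restricted.
    """
    globally_enabled, ports = parse_gvrp_configuration(text)
    open_ports, restricted = [], []
    for p in ports:
        if (globally_enabled and p.gvrp_enabled
                and p.registration == "Normal" and p.dynamic_vlan_creation):
            open_ports.append(p.port)
        else:
            restricted.append(p.port)
    return open_ports, restricted
```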
19.7 show gvrp error-statistics
Use the show gvrp error-statistics EXEC mode command to display GVRP error
statistics for all interfaces or for a specific interface.
Syntax
show gvrp error-statistics [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of
the following types: Ethernet port or Port-channel.
Default Configuration
All GVRP error statistics are displayed.
Command Mode
User EXEC mode
Example
The following example displays GVRP error statistics.
switchxxxxxx# show gvrp error-statistics
GVRP Error Statistics:
----------------------
Legend:
INVPROT : Invalid Protocol Id         INVATYP : Invalid Attribute Type
INVAVAL : Invalid Attribute Value     INVEVENT: Invalid Event
INVALEN : Invalid Attribute Length
Port      INVPROT   INVATYP   INVAVAL   INVALEN   INVEVENT
--------  -------   -------   -------   -------   --------
te1/0/1   0         0         0         0         0
te1/0/2   0         0         0         0         0
te1/0/3   0         0         0         0         0
te1/0/4   0         0         0         0         0
19.8 show gvrp statistics
To display GVRP statistics for all interfaces or for a specific interface, use the show
gvrp statistics EXEC mode command.
Syntax
show gvrp statistics [interface-id]
Parameters
interface-id—(Optional) Specifies an interface ID. The interface ID can be one of
the following types: Ethernet port or Port-channel.
Default Configuration
All GVRP statistics are displayed.
Command Mode
User EXEC mode
Example
The following example displays GVRP statistical information.
switchxxxxxx# show gvrp statistics
GVRP statistics:
----------------
Legend:
rJE : Join Empty Received       rJIn: Join In Received
rEmp: Empty Received            rLIn: Leave In Received
rLE : Leave Empty Received      rLA : Leave All Received
sJE : Join Empty Sent           sJIn: Join In Sent
sEmp: Empty Sent                sLIn: Leave In Sent
sLE : Leave Empty Sent          sLA : Leave All Sent
Port     rJE  rJIn  rEmp  rLIn  rLE  rLA  sJE  sJIn  sEmp  sLIn  sLE  sLA
-------  ---  ----  ----  ----  ---  ---  ---  ----  ----  ----  ---  ---
te1/0/1  0    0     0     0     0    0    0    0     0     0     0    0
te1/0/2  0    0     0     0     0    0    0    0     0     0     0    0
te1/0/3  0    0     0     0     0    0    0    0     0     0     0    0
te1/0/4  0    0     0     0     0    0    0    0     0     0     0    0
20 Green Ethernet
20.1 green-ethernet energy-detect (global)
To enable Green-Ethernet Energy-Detect mode globally, use the green-ethernet
energy-detect Global Configuration mode command. To disable this feature, use
the no form of this command.
Syntax
green-ethernet energy-detect
no green-ethernet energy-detect
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# green-ethernet energy-detect
20.2 green-ethernet energy-detect (interface)
Use the green-ethernet energy-detect Interface Configuration mode command to enable Green Ethernet Energy-Detect mode on a port. Use the no form of this command to disable it on a port.
Syntax
green-ethernet energy-detect
no green-ethernet energy-detect
Parameters
This command has no arguments or keywords.
Default Configuration
Enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Energy-Detect works only on copper ports. When a port is set to auto media selection (copper/fiber), Energy-Detect cannot work.
It takes the PHY ~5 seconds to fall into sleep mode when the link is lost after
normal operation.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# green-ethernet energy-detect
20.3 green-ethernet short-reach (global)
Use the green-ethernet short-reach Global Configuration mode command to enable Green-Ethernet Short-Reach mode globally. Use the no form of this command to disable it.
Syntax
green-ethernet short-reach
no green-ethernet short-reach
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
switchxxxxxx(config)# green-ethernet short-reach
20.4 green-ethernet short-reach (interface)
Use the green-ethernet short-reach Interface Configuration mode command to
enable green-ethernet short-reach mode on a port. Use the no form of this
command to disable it on a port.
Syntax
green-ethernet short-reach
no green-ethernet short-reach
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The VCT length check can be performed only on a copper port operating at a speed of 1000 Mbps. If the media is not copper or the link speed is not 1000 Mbps, Short-Reach mode is not applied.
When the interface is set to enhanced mode, after the VCT length check has completed and set the power to low, errors are monitored continuously. If the error count crosses a certain threshold, the PHY reverts to long reach.
Note that EEE cannot be enabled if the Short-Reach mode is enabled.
Example
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# green-ethernet short-reach
20.5 green-ethernet power-meter reset
Use the green-ethernet power-meter reset Privileged EXEC mode command to reset the power save meter.
Syntax
green-ethernet power-meter reset
Parameters
This command has no arguments or keywords.
Default Configuration
None
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# green-ethernet power-meter reset
20.6 show green-ethernet
To display green-ethernet configuration and information, use the show
green-ethernet Privileged EXEC mode command.
Syntax
show green-ethernet [interface-id | detailed ]
Parameters
• interface-id—(Optional) Specifies an Ethernet port.
• detailed—(Optional) Displays information for non-present ports in addition to present ports.
Default Configuration
Display for all ports. If detailed is not used, only present ports are displayed.
Command Mode
Privileged EXEC mode
User Guidelines
The displayed power savings account for the power saved by:
• Port LEDs
• Energy detect
• Short reach
The EEE power saving is dynamic by nature since it is based on port utilization and
is therefore not taken into consideration.
The following tables describe the reasons for non-operation displayed by this command. If there are several reasons, only the highest-priority reason is displayed.
Energy-Detect Non-Operational Reasons
Priority  Reason  Description
1         NP      Port is not present
2         LT      Link Type is not supported (fiber, auto media select)
3         LU      Port Link is up – NA
Short-Reach Non-Operational Reasons
Priority  Reason  Description
1         NP      Port is not present
2         LT      Link Type is not supported (fiber)
3         LS      Link Speed Is not Supported (100M,10M,10G)
4         LL      Link Length received from VCT test exceeds threshold
6         LD      Port Link is Down – NA
Example
switchxxxxxx# show green-ethernet
Energy-Detect mode: Enabled
Short-Reach mode: Disabled
Disable Port LEDs mode: Enabled
Power Savings: 24% (1.08W out of maximum 4.33W)
Cumulative Energy Saved: 33 [Watt*Hour]
* Estimated Annual Power saving: 300 [Watt*Hour]
* Annual estimate is based on the saving during the previous week
NA – information for previous week is not available
Short-Reach cable length threshold: 50m
Port     Energy-Detect          Short-Reach                    VCT Cable
         Admin  Oper  Reason    Admin  Force  Oper  Reason     Length
-------  -----  ----  -------   -----  -----  ----  -------    ---------
te1/0/1  on     on              off    off    off
te1/0/2  on     off   LU        on     off    off
te1/0/3  on     off   LU        off    off    off              < 50
21 IGMP Commands
21.1 clear ip igmp counters
To clear the Internet Group Management Protocol (IGMP) interface counters, use
the clear ip igmp counters command in Privileged EXEC mode.
Syntax
clear ip igmp counters [interface-id]
Parameters
• interface-id—(Optional) Interface Identifier
Command Mode
Privileged EXEC mode
User Guidelines
Use the clear ip igmp counters command to clear the IGMP counters, which keep
track of the number of joins and leaves received. If you omit the optional
interface-id argument, the clear ip igmp counters command clears the counters on
all interfaces.
Example
The following example clears the counters for VLAN 100:
switchxxxxxx# clear ip igmp counters vlan 100
21.2 ip igmp last-member-query-count
To configure the Internet Group Management Protocol (IGMP) last member query
counter, use the ip igmp last-member-query-count command in Interface
Configuration mode. To restore the default value, use the no form of this command.
Syntax
ip igmp last-member-query-count count
no ip igmp last-member-query-count
Parameters
count—The number of times that group- or group-source-specific queries are sent
upon receipt of a message indicating a leave. (Range: 1–7)
Default Configuration
The value of the IGMP robustness variable.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp robustness command to change the IGMP last member query
counter.
Example
The following example changes the value of the IGMP last member query counter to 3:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip igmp last-member-query-count 3
switchxxxxxx(config-if)# exit
21.3 ip igmp last-member-query-interval
To configure the Internet Group Management Protocol (IGMP) last member query
interval, use the ip igmp last-member-query-interval command in Interface
Configuration mode. To restore the default IGMP query interval, use the no form of
this command.
Syntax
ip igmp last-member-query-interval milliseconds
no ip igmp last-member-query-interval
Parameters
• milliseconds—Interval, in milliseconds, at which IGMP group-specific host
query messages are sent on the interface. (Range: 100–25500).
Default Configuration
The default IGMP last member query interval is 1000 milliseconds.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp last-member-query-interval command to configure the IGMP last
member query interval on an interface.
Example
The following example shows how to increase the IGMP last member query interval to 1500 milliseconds:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp last-member-query-interval 1500
switchxxxxxx(config-if)# exit
21.4 ip igmp query-interval
To configure the frequency at which the IGMP querier sends Internet Group
Management Protocol (IGMP) host-query messages from an interface, use the ip
igmp query-interval command in Interface Configuration mode. To restore the
default IGMP query interval, use the no form of this command.
Syntax
ip igmp query-interval seconds
no ip igmp query-interval
Parameters
• seconds—Frequency, in seconds, at which the switch sends IGMP query
messages from the interface. The range is from 30 to 18000.
Default Configuration
The default IGMP query interval is 125 seconds.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp query-interval command to configure the frequency at which the
IGMP querier sends IGMP host-query messages from an interface. The IGMP
querier sends query-host messages to discover which multicast groups have
members on the attached networks of the router.
The query interval must be greater than the maximum query response time.
Example
The following example shows how to increase the frequency at which the IGMP
querier sends IGMP host-query messages to 180 seconds:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp query-interval 180
switchxxxxxx(config-if)# exit
21.5 ip igmp query-max-response-time
To configure the maximum response time advertised in Internet Group
Management Protocol (IGMP) queries, use the ip igmp query-max-response-time
command in Interface Configuration mode. To restore the default value, use the no
form of this command.
Syntax
ip igmp query-max-response-time seconds
no ip igmp query-max-response-time
Parameters
• seconds—Maximum response time, in seconds, advertised in IGMP
queries. (Range: 5–20)
Default Configuration
10 seconds.
Command Mode
Interface Configuration mode
User Guidelines
This command controls how much time the hosts have to answer an IGMP query message before the router deletes their group. Configuring a value of fewer than 10 seconds enables the router to prune groups faster.
The maximum query response time must be less than the query interval.
Note. If the hosts do not respond fast enough, they might be pruned inadvertently.
Therefore, the hosts must know to respond faster than 10 seconds (or the value
you configure).
Example
The following example configures a maximum response time of 8 seconds:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp query-max-response-time 8
switchxxxxxx(config-if)# exit
21.6 ip igmp robustness
To configure the Internet Group Management Protocol (IGMP) robustness variable,
use the ip igmp robustness command in Interface Configuration mode. To restore
the default value, use the no form of this command.
Syntax
ip igmp robustness count
no ip igmp robustness
Parameters
• count—The expected number of packet losses on a link. (Range: 1–7)
Default Configuration
The default value is 2.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp robustness command to change the IGMP robustness variable.
Example
The following example changes the value of the IGMP robustness variable to 3:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip igmp robustness 3
switchxxxxxx(config-if)# exit
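A validator for the timer rules in sections 21.2 through 21.6, added here as an example and not taken from the guide: it parses ip igmp settings from interface configuration, checks the documented ranges and the rule that the query interval must exceed the maximum query response time, and fills in the documented defaults (including last-member-query-count tracking the robustness variable). The interface configuration it parses is constructed, and the leave-latency figure (count × interval) is derived here from the definitions of last-member-query-count and last-member-query-interval above.

```python
"""Validate IGMP timer settings from Sx350 interface configuration.

Added example, not from the reference guide. Ranges and defaults are those
stated in sections 21.2 to 21.6; the configuration parsed below is
constructed. The leave latency is derived here as count x interval from the
definitions of last-member-query-count and last-member-query-interval.
"""
import re

# Documented value ranges per setting (ms for the last-member interval,
# seconds for query-interval and query-max-response-time, counts otherwise).
RANGES = {
    "last-member-query-count": (1, 7),           # 21.2
    "last-member-query-interval": (100, 25500),  # 21.3, milliseconds
    "query-interval": (30, 18000),               # 21.4, seconds
    "query-max-response-time": (5, 20),          # 21.5, seconds
    "robustness": (1, 7),                        # 21.6
}

# Documented defaults; last-member-query-count defaults to the robustness
# variable, so it is filled in at evaluation time rather than listed here.
DEFAULTS = {
    "last-member-query-interval": 1000,
    "query-interval": 125,
    "query-max-response-time": 10,
    "robustness": 2,
}

SETTING_RE = re.compile(r"^(no\s+)?ip igmp (\S+)(?:\s+(\d+))?$")

# Constructed sample: vlan 100 follows the guide's examples, vlan 200 is
# deliberately misconfigured.
SAMPLE_CONFIG = """\
interface vlan 100
 ip igmp last-member-query-interval 1500
 ip igmp query-interval 180
 ip igmp query-max-response-time 8
 ip igmp robustness 3
 ip igmp version 2
exit
interface vlan 200
 ip igmp query-interval 10
 ip igmp query-max-response-time 20
 ip igmp last-member-query-count 9
exit
"""


def parse_igmp_settings(config_text):
    """Return {interface: {setting: value}} for the settings in RANGES.

    A 'no ip igmp <setting>' line removes the explicit value so that the
    default applies again; settings outside RANGES (e.g. version) are ignored.
    """
    settings, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(.+)$", line)
        if m:
            current = m.group(1)
            settings.setdefault(current, {})
            continue
        if line == "exit":
            current = None
            continue
        m = SETTING_RE.match(line) if current else None
        if not m or m.group(2) not in RANGES:
            continue
        if m.group(1):
            settings[current].pop(m.group(2), None)
        elif m.group(3) is not None:
            settings[current][m.group(2)] = int(m.group(3))
    return settings


def effective_timers(explicit):
    """Merge explicit values over the defaults and derive the leave latency.

    leave_latency_ms is how long the querier keeps asking after a leave:
    last-member-query-count group-specific queries, one per
    last-member-query-interval.
    """
    timers = dict(DEFAULTS)
    timers.update(explicit)
    timers.setdefault("last-member-query-count", timers["robustness"])
    timers["leave_latency_ms"] = (timers["last-member-query-count"]
                                  * timers["last-member-query-interval"])
    return timers


def validate_igmp(explicit):
    """Return a list of problems for one interface (empty list means OK)."""
    problems = []
    for name, value in explicit.items():
        lo, hi = RANGES.get(name, (None, None))
        if lo is not None and not lo <= value <= hi:
            problems.append(f"{name} {value} is outside the range {lo}-{hi}")
    t = effective_timers(explicit)
    # Sections 21.4 and 21.5: the query interval must exceed the maximum
    # query response time, or hosts may be pruned before they can answer.
    if t["query-interval"] <= t["query-max-response-time"]:
        problems.append(f"query-interval {t['query-interval']}s must be greater "
                        f"than query-max-response-time {t['query-max-response-time']}s")
    return problems
```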
21.7 ip igmp version
To configure which version of Internet Group Management Protocol (IGMP) the
router uses, use the ip igmp version command in Interface Configuration mode. To
restore the default value, use the no form of this command.
Syntax
ip igmp version {1 | 2 | 3}
no ip igmp version
Parameters
• 1—IGMP Version 1.
• 2—IGMP Version 2.
• 3—IGMP Version 3.
Default Configuration
3
Command Mode
Interface Configuration mode
User Guidelines
Use this command to change the default IGMP version.
Example
The following example configures the router to use IGMP Version 2:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp version 2
switchxxxxxx(config-if)# exit
21.8 show ip igmp counters
To display the Internet Group Management Protocol (IGMP) traffic counters, use
the show ip igmp counters command in User EXEC mode.
Syntax
show ip igmp counters [interface-id]
Parameters
• interface-id—(Optional) Interface Identifier.
Command Mode
User EXEC mode
User Guidelines
Use the show ip igmp counters command to check if the expected number of
IGMP protocol messages have been received and sent.
If you omit the optional interface-id argument, the show ip igmp counters
command displays counters of all interfaces.
Example
The following example displays the IGMP protocol messages received and sent:
switchxxxxxx# show ip igmp counters vlan 100
VLAN 100
Elapsed time since counters cleared:00:00:21
Failed received Joins: 0
Total IGMPv1 received messages: 0
Total IGMPv2 received messages: 10
Total IGMPv3 received messages: 0
Total invalid received messages: 0
General Sent Queries: 0
Specific Sent Queries: 0
21.9 show ip igmp groups
To display the multicast groups that are directly connected to the router and that
were learned through Internet Group Management Protocol (IGMP), use the show
ip igmp groups command in User EXEC mode.
Syntax
show ip igmp groups [group-name | group-address | interface-id] [detail]
Parameters
• group-name | group-address—(Optional) IP address or name of the
multicast group.
• interface-id—(Optional) Interface identifier.
• detail—(Optional) Displays detailed information about individual sources.
Command Mode
User EXEC mode
User Guidelines
Use the show ip igmp groups [detail] command to display all directly connected
groups.
Use the show ip igmp groups [group-name | group-address] [detail] command to
display one given directly connected group.
Use the show ip igmp groups interface-id [detail] command to display all groups
directly connected to the given interface.
Examples
Example 1. The following is sample output from the show ip igmp groups
command. It shows all of the groups joined by VLAN 100:
switchxxxxxx# show ip igmp groups vlan 100
IGMP Connected Group Membership
Expires: never - switch itself has joined the group
Group Address    Interface    Expires
224.1.1.1        VLAN 100     00:01:30
224.10.12.79     VLAN 100     never
225.1.1.1        VLAN 100     00:00:27
Example 2. The following is sample output from the show ip igmp groups
command using the detail keyword:
switchxxxxxx# show ip igmp groups detail
Expires: zero value - INCLUDE state; non-zero value - EXCLUDE state
Interface: VLAN 100
Group: 225.1.1.1
Router mode: INCLUDE
Last reporter: 10.0.119.133
Group Timer Expires: 00:20:11
Group source list:
Source Address    Expires
20.1.1.1          00:04:08
120.1.1.1         00:02:01
Group: 226.1.1.2
Router mode: EXCLUDE
Last reporter: 100.1.12.130
Group Timer Expiry: 00:22:12
Exclude Mode Expiry (Filter) Timer: 00:10:11
Group source list:
Source Address    Expires
2.2.2.1           00:04:08
192.168.1.1       00:04:08
12.1.1.10         00:00:00
40.3.4.2          00:00:00
21.10 show ip igmp groups summary
To display the number of (*, G) and (S, G) membership reports present in the
Internet Group Management Protocol (IGMP) cache, use the show ip igmp groups
summary command in User EXEC mode.
Syntax
show ip igmp groups summary
Parameters
This command has no arguments or keywords.
Command Mode
User EXEC mode
User Guidelines
The show ip igmp groups summary command displays the number of directly
connected multicast groups.
Example
The following is sample output from the show ip igmp groups summary command:
switchxxxxxx# show ip igmp groups summary
IGMP Route Summary
No. of (*,G) routes = 5
No. of (S,G) routes = 0
Field Descriptions:
No. of (*,G) routes = 5—Displays the number of groups present in the IGMP cache.
No. of (S,G) routes = 0—Displays the number of include and exclude mode sources present in the IGMP cache.
21.11 show ip igmp interface
To display multicast-related information about an interface, use the show ip igmp
interface command in User EXEC mode.
Syntax
show ip igmp interface [interface-id]
Parameters
• interface-id—(Optional) Interface identifier.
Command Mode
User EXEC mode
User Guidelines
If you omit the optional interface-id argument, the show ip igmp interface
command displays information about all interfaces.
Example
The following is sample output from the show ip igmp interface command for VLAN 100:
switchxxxxxx# show ip igmp interface vlan 100
VLAN 100 is up
Administrative IGMP Querier IP address is 1.1.1.1
Operational IGMP Querier IP address is 1.1.1.1
Current IGMP version is 3
Administrative IGMP robustness variable is 2 seconds
Operational IGMP robustness variable is 2 seconds
Administrative IGMP query interval is 125 seconds
Operational IGMP query interval is 125 seconds
Administrative IGMP max query response time is 10 seconds
Operational IGMP max query response time is 10 seconds
Administrative Last member query response interval is 1000 milliseconds
Operational Last member query response interval is 1000 milliseconds
22 IGMP Proxy Commands
22.1 ip igmp-proxy
To add downstream interfaces to an IGMP proxy tree, use the ip igmp-proxy command in Interface Configuration mode. To remove downstream interfaces from an IGMP proxy tree, use the no form of this command.
Syntax
ip igmp-proxy upstream-interface-id
no ip igmp-proxy
Parameters
• upstream-interface-id—Upstream Interface identifier.
Default Configuration
The protocol is disabled on the interface.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp-proxy command to add downstream interfaces to an IGMP proxy
tree. If the proxy tree does not exist it is created.
Use the no form of the command to remove the downstream interface. When the last downstream interface is removed from the proxy tree, the tree is deleted too.
Examples
Example 1. The following example adds a downstream interface to an IGMP Proxy
process with vlan 200 as its Upstream interface:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip igmp-proxy vlan 200
switchxxxxxx(config-if)# exit
Example 2. The following example adds a range of downstream interfaces to an
IGMP Proxy process with vlan 200 as its Upstream interface:
switchxxxxxx(config)# interface range vlan 100-105
switchxxxxxx(config-if)# ip igmp-proxy vlan 200
switchxxxxxx(config-if)# exit
22.2 ip igmp-proxy downstream protected
To disable forwarding of IP Multicast traffic from downstream interfaces, use the ip
igmp-proxy downstream protected command in Global Configuration mode. To
allow forwarding from downstream interfaces, use the no form of this command.
Syntax
ip igmp-proxy downstream protected
no ip igmp-proxy downstream protected
Parameters
This command has no arguments or keywords.
Default Configuration
Forwarding from downstream interfaces is allowed.
Command Mode
Global Configuration mode
User Guidelines
Use the ip igmp-proxy downstream protected command to block forwarding from
downstream interfaces.
Example
The following example prohibits forwarding from downstream interfaces:
switchxxxxxx(config)# ip igmp-proxy downstream protected
22.3 ip igmp-proxy downstream protected interface
To disable or enable forwarding of IP Multicast traffic from a given downstream
interface, use the ip igmp-proxy downstream protected interface command in
Interface Configuration mode. To return to default, use the no form of this
command.
Syntax
ip igmp-proxy downstream protected interface {enabled | disabled}
no ip igmp-proxy downstream protected interface
Parameters
• enabled—Downstream interface protection on the interface is enabled.
IPv4 Multicast traffic arriving on the interface will not be forwarded.
• disabled—Downstream interface protection on the interface is disabled.
IPv4 Multicast traffic arriving on the interface will be forwarded.
Default Configuration
Global downstream protection configuration (see the ip igmp-proxy downstream
protected command)
Command Mode
Interface Configuration mode
User Guidelines
Use the ip igmp-proxy downstream protected interface enabled command to
block forwarding from the given downstream interface.
Use the ip igmp-proxy downstream protected interface disabled command to
allow forwarding from the given downstream interface, overriding the global
setting for that interface only.
The command can be configured only for a downstream interface. When a
downstream interface is removed from the IGMP Proxy tree the configuration is
removed too.
Example
The following example prohibits forwarding from downstream interface vlan 100:
switchxxxxxx(config)# interface vlan100
switchxxxxxx(config-if)# ip igmp-proxy downstream protected interface enabled
switchxxxxxx(config-if)# exit
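The commands in 22.1 to 22.3 combine into a default-deny policy: protect every downstream interface globally, then release only the downstream interface that is trusted to source multicast. The following configuration is an added example, not from the original guide; the VLAN numbers (200 upstream, 100-105 downstream, 103 as the trusted source) are assumed for illustration.

```cisco
! Added example (assumed VLAN numbering): IGMP proxy tree with downstream protection.
! vlan 200 is the upstream interface; vlan 100-105 are host-facing downstream interfaces.
switchxxxxxx(config)# interface range vlan 100-105
switchxxxxxx(config-if)# ip igmp-proxy vlan 200
switchxxxxxx(config-if)# exit
! Default-deny: multicast data arriving on any downstream interface is not forwarded,
! so a host on a downstream VLAN cannot inject a stream toward the upstream side.
switchxxxxxx(config)# ip igmp-proxy downstream protected
! Per-interface override: vlan 103 (assumed) hosts a trusted source, so allow
! forwarding from that one downstream interface only.
switchxxxxxx(config)# interface vlan 103
switchxxxxxx(config-if)# ip igmp-proxy downstream protected interface disabled
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# exit
! Verify: the Interface Protection column should read "disabled" for vlan 103 and
! "default" (the global setting, here protected) for the other downstream interfaces.
switchxxxxxx# show ip igmp-proxy interface
```

Because the per-interface setting is deleted when the interface leaves the proxy tree, removing and re-adding vlan 103 with ip igmp-proxy silently returns it to the global (protected) setting; check the Interface Protection column of show ip igmp-proxy interface after any change to the tree.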
22.4 ip igmp-proxy ssm
To define the Source Specific Multicast (SSM) range of IP Multicast addresses,
use the ip igmp-proxy ssm command in Global Configuration mode. To disable the
SSM range, use the no form of this command.
Syntax
ip igmp-proxy ssm {default | range access-list}
no ip igmp-proxy ssm
Parameters
• default—Defines the SSM range access list as 232.0.0.0/8 (see RFC 4607).
• range access-list—Specifies the standard IP access list name defining the
SSM range.
Default Configuration
No SSM range is defined (the command is disabled).
Command Mode
Global Configuration mode
User Guidelines
A new ip igmp-proxy ssm command overrides the previous ip igmp-proxy ssm
command.
Use the no ip igmp-proxy ssm command to remove all defined ranges.
Example
The following example configures SSM service for the IP address ranges defined
by access list list1:
switchxxxxxx(config)# ip access-list list1 permit 224.2.151.0/24
switchxxxxxx(config)# ip access-list list1 deny 224.2.152.141
switchxxxxxx(config)# ip access-list list1 permit 224.2.152.0/24
switchxxxxxx(config)# ip igmp-proxy ssm range list1
22.5 show ip igmp-proxy interface
To display information about interfaces configured for IGMP Proxy, use the show ip
igmp-proxy interface command in User EXEC mode or Privileged EXEC mode.
Syntax
show ip igmp-proxy interface [interface-id]
Parameters
• interface-id—(Optional) Display IGMP Proxy information about the
interface.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
The show ip igmp-proxy interface command is used to display all interfaces
where the IGMP Proxy is enabled or to display the IGMP Proxy configuration for a
given interface.
Examples
Example 1. The following example displays IGMP Proxy status on all interfaces
where the IGMP Proxy is enabled:
switchxxxxxx# show ip igmp-proxy interface
* - the switch is the Querier on the interface
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downstream interfaces protection is disabled
SSM Access List Name:list1
Interface    Type        Interface Protection
vlan 100     upstream
*vlan 102    downstream  enabled
*vlan 110    downstream  default
vlan 113     downstream  disabled
Example 2. The following is sample output from the show ip igmp-proxy interface
command for a given upstream interface:
switchxxxxxx# show ip igmp-proxy interface vlan 100
* - the switch is the Querier on the interface
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downstream interfaces protection is disabled
SSM Access List Name:
IP Multicast Traffic Discarding from Downstream interfaces is disabled
vlan 100 is an Upstream interface
Downstream interfaces:
*vlan 102, *vlan 110, vlan 113
Example 3. The following is sample output from the show ip igmp-proxy interface
command for given downstream interface:
switchxxxxxx# show ip igmp-proxy interface vlan 102
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is enabled
Global Downstream interfaces protection is disabled
vlan 102 is a Downstream interface
The switch is the Querier on vlan 102
Downstream Interface protection is enabled
SSM Access List Name: default
Upstream interface: vlan 100
Example 4. The following is sample output from the show ip igmp-proxy interface
command for an interface on which IGMP Proxy is disabled:
switchxxxxxx# show ip igmp-proxy interface vlan 1
IP Forwarding is enabled
IP Multicast Routing is enabled
IGMP Proxy is disabled
23 IGMP Snooping Commands
23.1 ip igmp snooping (Global)
To enable Internet Group Management Protocol (IGMP) snooping, use the ip igmp
snooping command in Global Configuration mode. To return to the default, use the
no form of this command.
Syntax
ip igmp snooping
no ip igmp snooping
Default Configuration
Disabled.
Command Mode
Global Configuration mode
Example
The following example enables IGMP snooping.
switchxxxxxx(config)# ip igmp snooping
23.2 ip igmp snooping vlan
To enable IGMP snooping on a specific VLAN, use the ip igmp snooping vlan
command in Global Configuration mode. To return to the default, use the no form of
this command.
Syntax
ip igmp snooping vlan vlan-id
no ip igmp snooping vlan vlan-id
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
IGMP snooping can be enabled only on static VLANs.
IGMPv1, IGMPv2, and IGMPv3 Snooping are supported.
To activate IGMP snooping, bridge multicast filtering must be enabled by the
bridge multicast filtering command.
The User Guidelines of the bridge multicast mode command describe the
configuration that is written into the FDB as a function of the FDB mode and the
IGMP version used in the network.
Example
switchxxxxxx(config)# ip igmp snooping vlan 2
23.3 ip igmp snooping vlan mrouter
To enable automatic learning of Multicast router ports on a VLAN, use the ip igmp
snooping vlan mrouter command in Global Configuration mode. To remove the
configuration, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
no ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Learning pim-dvmrp is enabled.
Command Mode
Global Configuration mode
User Guidelines
Multicast router ports are learned according to:
• Queries received on the port
• PIM/PIMv2 received on the port
• DVMRP received on the port
• MRDISC received on the port
• MOSPF received on the port
You can execute the command before the VLAN is created.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 mrouter learn pim-dvmrp
23.4 ip igmp snooping vlan mrouter interface
To define a port that is connected to a Multicast router, use the ip igmp
snooping vlan mrouter interface command in Global Configuration mode. To return
to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id mrouter interface interface-list
no ip igmp snooping vlan vlan-id mrouter interface interface-list
Parameters
• vlan-id—Specifies the VLAN.
• interface-list—Specifies the list of interfaces. The interfaces can be one of
the following types: Ethernet port or Port-channel.
Default Configuration
No ports defined
Command Mode
Global Configuration mode
User Guidelines
A port that is defined as a Multicast router port receives all IGMP packets (reports
and queries) as well as all Multicast data.
You can execute the command before the VLAN is created.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 mrouter interface te1/0/1
23.5 ip igmp snooping vlan forbidden mrouter
To forbid a port from being defined as a Multicast router port by static
configuration or by automatic learning, use the ip igmp snooping vlan forbidden
mrouter command in Global Configuration mode. To return to the default, use the
no form of this command.
Syntax
ip igmp snooping vlan vlan-id forbidden mrouter interface interface-list
no ip igmp snooping vlan vlan-id forbidden mrouter interface interface-list
Parameters
• vlan-id—Specifies the VLAN.
• interface-list—Specifies a list of interfaces. The interfaces can be of one of
the following types: Ethernet port or Port-channel.
Default Configuration
No ports defined.
Command Mode
Global Configuration mode
User Guidelines
A port that is a forbidden mrouter port cannot be a Multicast router port (i.e. cannot
be learned dynamically or assigned statically).
You can execute the command before the VLAN is created.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 forbidden mrouter interface te1/0/1
23.6 ip igmp snooping vlan static
To register an IP-layer Multicast address to the bridge table, and to add static ports
to the group defined by this address, use the ip igmp snooping vlan static
command in Global Configuration mode. To return to the default, use the no form of
this command.
Syntax
ip igmp snooping vlan vlan-id static ip-address [interface interface-list]
no ip igmp snooping vlan vlan-id static ip-address [interface interface-list]
Parameters
• vlan-id—Specifies the VLAN.
• ip-address—Specifies the IP Multicast address.
• interface interface-list—(Optional) Specifies a list of interfaces. The
interfaces can be of one of the following types: Ethernet port or
Port-channel.
Default Configuration
No Multicast addresses are defined.
Command Mode
Global Configuration mode
User Guidelines
Static Multicast addresses can only be defined on static VLANs.
You can execute the command before the VLAN is created.
You can register an entry without specifying an interface.
Using the no command without a port-list removes the entry.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 static 239.2.2.2 interface te1/0/1
23.7 ip igmp snooping vlan multicast-tv
To define the Multicast IP addresses that are associated with a Multicast TV VLAN,
use the ip igmp snooping vlan multicast-tv command in Global Configuration
mode. To return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id multicast-tv ip-multicast-address [count number]
no ip igmp snooping vlan vlan-id multicast-tv ip-multicast-address [count number]
Parameters
• vlan-id—Specifies the VLAN
• ip-multicast-address—Multicast IP address
• count number—(Optional) Configures multiple contiguous Multicast IP
addresses. If not specified, the default is 1. (Range: 1–256)
Default Configuration
No Multicast IP address is associated.
Command Mode
Global Configuration mode
User Guidelines
Use this command to define the Multicast transmissions on a Multicast-TV VLAN.
The configuration is only relevant for an Access port that is a member in the
configured VLAN as a Multicast-TV VLAN.
If an IGMP message is received on such an Access port, it is associated with the
Multicast-TV VLAN only if it is for one of the Multicast IP addresses that are
associated with the Multicast-TV VLAN.
Up to 256 VLANs can be configured.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 multicast-tv 239.2.2.2 count 3
23.8 ip igmp snooping map cpe vlan
To map CPE VLANs to Multicast-TV VLANs, use the ip igmp snooping map cpe
vlan command in Global Configuration mode. To return to the default, use the no
form of this command.
Syntax
ip igmp snooping map cpe vlan cpe-vlan-id multicast-tv vlan vlan-id
no ip igmp snooping map cpe vlan vlan-id
Parameters
• cpe-vlan-id—Specifies the CPE VLAN ID.
• vlan-id—Specifies the Multicast-TV VLAN ID.
Default Configuration
No mapping exists.
Command Mode
Global Configuration mode
User Guidelines
Use this command to associate the CPE VLAN with a Multicast-TV VLAN.
If an IGMP message is received on a customer port tagged with a CPE VLAN, and
there is mapping from that CPE VLAN to a Multicast-TV VLAN, the IGMP message
is associated with the Multicast-TV VLAN.
Example
The following example maps CPE VLAN 2 to Multicast-TV VLAN 31.
switchxxxxxx(config)# ip igmp snooping map cpe vlan 2 multicast-tv vlan 31
23.9 ip igmp snooping querier
To enable globally the IGMP Snooping querier, use the ip igmp snooping querier
command in Global Configuration mode. To disable the IGMP Snooping querier
globally, use the no form of this command.
Syntax
ip igmp snooping querier
no ip igmp snooping querier
Parameters
N/A
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
To run the IGMP Snooping querier on a VLAN, you have to enable it both globally
and on the VLAN.
Example
The following example disables the IGMP Snooping querier globally:
switchxxxxxx(config)# no ip igmp snooping querier
23.10 ip igmp snooping vlan querier
To enable the IGMP Snooping querier on a specific VLAN, use the ip igmp
snooping vlan querier command in Global Configuration mode. To disable the
IGMP Snooping querier on the VLAN interface, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier
no ip igmp snooping vlan vlan-id querier
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
The IGMP Snooping querier can be enabled on a VLAN only if IGMP Snooping is
enabled for that VLAN.
Example
The following example enables the IGMP Snooping querier on VLAN 1:
switchxxxxxx(config)# ip igmp snooping vlan 1 querier
23.11 ip igmp snooping vlan querier address
To define the source IP address that the IGMP snooping querier uses, use the ip
igmp snooping vlan querier address command in Global Configuration mode. To
return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier address ip-address
no ip igmp snooping vlan vlan-id querier address
Parameters
• vlan-id—Specifies the VLAN.
• ip-address—Source IP address.
Default Configuration
If an IP address is configured for the VLAN, it is used as the source address of the
IGMP snooping querier. If there are multiple IP addresses, the minimum IP address
defined on the VLAN is used.
Command Mode
Global Configuration mode
User Guidelines
If an IP address is not configured by this command, and no IP address is
configured for the querier’s VLAN, the querier is disabled.
Example
switchxxxxxx(config)# ip igmp snooping vlan 1 querier address 10.5.234.205
23.12 ip igmp snooping vlan querier election
To enable IGMP Querier election mechanism of an IGMP Snooping querier on a
specific VLAN, use the ip igmp snooping vlan querier election command in Global
Configuration mode. To disable Querier election mechanism, use the no form of
this command.
Syntax
ip igmp snooping vlan vlan-id querier election
no ip igmp snooping vlan vlan-id querier election
Parameters
• vlan-id—Specifies the VLAN.
Default Configuration
Enabled
Command Mode
Global Configuration mode
User Guidelines
Use the no form of the ip igmp snooping vlan querier election command to disable
IGMP Querier election mechanism on a VLAN.
If the IGMP Querier election mechanism is enabled, the IGMP Snooping querier
supports the standard IGMP Querier election mechanism specified in RFC2236
and RFC3376.
If the IGMP Querier election mechanism is disabled, the IGMP Snooping Querier
delays sending General Query messages for 60 seconds from the time it was
enabled. If the switch does not receive an IGMP query from another Querier
during this time, it starts sending General Query messages. Once the switch acts
as a Querier, it stops sending General Query messages if it detects another
Querier on the VLAN. In this case, the switch resumes sending General Query
messages if it does not hear another Querier for a Query Passive interval equal
to <Robustness>*<Query Interval> + 0.5*<Query Response Interval>.
See the ip igmp robustness, ip igmp query-interval, and ip igmp
query-max-response-time commands for configuration of these parameters.
It is recommended to disable the IGMP Querier election mechanism if there is an
IP Multicast router on the VLAN.
Example
The following example disables IGMP Snooping Querier election on VLAN 1:
switchxxxxxx(config)# no ip igmp snooping vlan 1 querier election
23.13 ip igmp snooping vlan querier version
To configure the IGMP version of an IGMP Snooping querier on a specific VLAN,
use the ip igmp snooping vlan querier version command in Global Configuration
mode. To return to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id querier version {2 | 3}
no ip igmp snooping vlan vlan-id querier version
Parameters
• vlan-id—Specifies the VLAN.
• querier version 2—Specifies that the IGMP version would be IGMPv2.
• querier version 3—Specifies that the IGMP version would be IGMPv3.
Default Configuration
IGMPv2.
Command Mode
Global Configuration mode
Example
The following example sets the version of the IGMP Snooping Querier VLAN 1 to 3:
switchxxxxxx(config)# ip igmp snooping vlan 1 querier version 3
23.14 ip igmp snooping vlan immediate-leave
To enable IGMP Snooping Immediate-Leave processing on a VLAN, use the ip igmp
snooping vlan immediate-leave command in Global Configuration mode. To return
to the default, use the no form of this command.
Syntax
ip igmp snooping vlan vlan-id immediate-leave
no ip igmp snooping vlan vlan-id immediate-leave
Parameters
• vlan-id—Specifies the VLAN ID value. (Range: 1–4094).
Default Configuration
Disabled
Command Mode
Global Configuration mode
User Guidelines
You can execute the command before the VLAN is created.
Example
The following example enables IGMP snooping immediate-leave feature on VLAN
1.
switchxxxxxx(config)# ip igmp snooping vlan 1 immediate-leave
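The commands in 23.1 to 23.14 are usually applied together for one VLAN. The following configuration is an added example, not from the original guide, that ties the Multicast router role to the uplink so that a host port cannot take it over; VLAN 10, uplink te1/0/1 toward a real multicast router, host ports te1/0/2-24 and querier address 10.0.10.2 are assumed for illustration.

```cisco
! Added example (assumed topology): IGMP snooping on VLAN 10 with the Multicast
! router role pinned to the uplink te1/0/1; te1/0/2-24 are host access ports.
! Snooping only takes effect once bridge multicast filtering is enabled.
switchxxxxxx(config)# bridge multicast filtering
switchxxxxxx(config)# ip igmp snooping
switchxxxxxx(config)# ip igmp snooping vlan 10
! Pin the Multicast router port statically ...
switchxxxxxx(config)# ip igmp snooping vlan 10 mrouter interface te1/0/1
! ... and forbid every host port from being learned as one. A forbidden port can
! be neither learned dynamically nor assigned statically.
switchxxxxxx(config)# ip igmp snooping vlan 10 forbidden mrouter interface te1/0/2-24
! Snooping querier as a fallback: it runs only if enabled globally and on the VLAN,
! and only if it has a source address (here assumed; without one it stays disabled).
switchxxxxxx(config)# ip igmp snooping querier
switchxxxxxx(config)# ip igmp snooping vlan 10 querier
switchxxxxxx(config)# ip igmp snooping vlan 10 querier address 10.0.10.2
switchxxxxxx(config)# ip igmp snooping vlan 10 querier version 3
! The router behind te1/0/1 is the intended Querier, so follow the guide's advice and
! disable election: the switch stays silent while it hears the router's queries and
! only starts querying if they stop for a Query Passive interval.
switchxxxxxx(config)# no ip igmp snooping vlan 10 querier election
! Immediate-leave drops membership on the first Leave; use it only where one host
! sits behind each port, otherwise a Leave from one host cuts off the others.
switchxxxxxx(config)# ip igmp snooping vlan 10 immediate-leave
switchxxxxxx(config)# exit
! Verify: te1/0/1 under Static, te1/0/2-24 under Forbidden, nothing under Dynamic.
switchxxxxxx# show ip igmp snooping mrouter interface 10
switchxxxxxx# show ip igmp snooping interface 10
```

Without the forbidden list, any host that emits an IGMP General Query (or a PIM, DVMRP, MRDISC or MOSPF packet) is learned as a Multicast router port and from then on receives every IGMP report and every Multicast stream on the VLAN. After this configuration the Dynamic column of show ip igmp snooping mrouter should stay empty for VLAN 10; an entry appearing there means a device is speaking like a router on a port the forbidden list did not cover.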
23.15 show ip igmp snooping cpe vlans
To display the CPE VLAN to Multicast TV VLAN mappings, use the show ip igmp
snooping cpe vlans command in User EXEC mode.
Syntax
show ip igmp snooping cpe vlans [vlan vlan-id]
Parameters
• vlan vlan-id—(Optional) Specifies the CPE VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays the CPE VLAN to Multicast TV VLAN mappings.
switchxxxxxx# show ip igmp snooping cpe vlans
CPE VLAN  Multicast-TV VLAN
--------  -----------------
2         1118
3         1119
23.16 show ip igmp snooping groups
To display the Multicast groups learned by the IGMP snooping, use the show ip
igmp snooping groups command in User EXEC mode.
Syntax
show ip igmp snooping groups [vlan vlan-id] [address ip-multicast-address]
[source ip-address]
Parameters
• vlan vlan-id—(Optional) Specifies the VLAN ID.
• address ip-multicast-address—(Optional) Specifies the IP multicast
address.
• source ip-address—(Optional) Specifies the IP source address.
Command Mode
User EXEC mode
User Guidelines
To see all Multicast groups learned by IGMP snooping, use the show ip igmp
snooping groups command without parameters.
Use the show ip igmp snooping groups command with parameters to display only
the required subset of the Multicast groups learned by IGMP snooping.
To see the full Multicast address table (including static addresses), use the show
bridge multicast address-table command.
Example
The following example shows sample output:
switchxxxxxx# show ip igmp snooping groups vlan 1
Vlan  Group Address    Source Address  Include Ports  Exclude Ports  Comp-Mode
----  ---------------  --------------  -------------  -------------  ---------
1     239.255.255.250  *                              te1/0/1        v2
23.17 show ip igmp snooping interface
To display the IGMP snooping configuration for a specific VLAN, use the show ip
igmp snooping interface command in User EXEC mode.
Syntax
show ip igmp snooping interface vlan-id
Parameters
• vlan-id—Specifies the VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays the IGMP snooping configuration for VLAN 1000
switchxxxxxx# show ip igmp snooping interface 1000
IGMP Snooping is globally enabled
IGMP Snooping Querier is globally enabled
VLAN 1000
IGMP Snooping is enabled
IGMP snooping last immediate leave: enable
Automatic learning of Multicast router ports is enabled
IGMP Snooping Querier is enabled
IGMP Snooping Querier operation state: is running
IGMP Snooping Querier version: 2
IGMP Snooping Querier election is enabled
IGMP Snooping Querier address: 194.12.10.166
IGMP snooping robustness: admin 2 oper 2
IGMP snooping query interval: admin 125 sec oper 125 sec
IGMP snooping query maximum response: admin 10 sec oper 10 sec
IGMP snooping last member query counter: admin 2 oper 2
IGMP snooping last member query interval: admin 1000 msec oper 500 msec
Groups that are in IGMP version 1 compatibility mode:
231.2.2.3, 231.2.2.3
23.18 show ip igmp snooping mrouter
To display information on dynamically learned Multicast router interfaces for all
VLANs or for a specific VLAN, use the show ip igmp snooping mrouter command
in User EXEC mode.
Syntax
show ip igmp snooping mrouter [interface vlan-id]
Parameters
• interface vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays information on dynamically learned Multicast
router interfaces for VLAN 1000:
switchxxxxxx# show ip igmp snooping mrouter interface 1000
VLAN  Dynamic    Static     Forbidden
----  ---------  ---------  ----------
1000  te1/0/1    te1/0/2    te1/0/3-4
23.19 show ip igmp snooping multicast-tv
To display the IP addresses associated with Multicast TV VLANs, use the show ip
igmp snooping multicast-tv command in User EXEC mode.
Syntax
show ip igmp snooping multicast-tv [vlan vlan-id]
Parameters
• vlan vlan-id—(Optional) Specifies the VLAN ID.
Command Mode
User EXEC mode
Example
The following example displays the IP addresses associated with all Multicast TV
VLANs.
switchxxxxxx# show ip igmp snooping multicast-tv
VLAN  IP Address
----  -----------
1000  239.255.0.0
1000  239.255.0.1
1000  239.255.0.2
1000  239.255.0.3
1000  239.255.0.4
1000  239.255.0.5
1000  239.255.0.6
1000  239.255.0.7
24 IP Addressing Commands
IP addresses and Layer 2 Interfaces
IP addresses can be configured on the following Layer 2 interfaces:
• Ethernet port
• Port channel
• VLAN
• Loopback port
• OOB port
Lists of Commands
24.1 ip address
Use the ip address Interface Configuration (Ethernet, VLAN, Port-channel) mode
command to define an IP address for an interface. Use the no form of this
command to remove an IP address definition.
Syntax
OOB port:
ip address ip-address {mask | /prefix-length} [default-gateway-ip-address]
no ip address
In-Band interfaces:
ip address ip-address {mask | /prefix-length}
no ip address [ip-address]
Parameters
• ip-address—Specifies the IP address.
• mask—Specifies the network mask of the IP address.
• prefix-length—Specifies the number of bits that comprise the IP address
prefix. The prefix length must be preceded by a forward slash (/). (Range:
8–30)
• default-gateway-ip-address—Specifies the default gateway IP address.
The resulting default route is assigned a metric of 6 for an In-Band interface
and 2 for OOB.
Default Configuration
No IP address is defined for interfaces.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip address command to define a static IP address on an interface.
In-Band interfaces
Multiple IP addresses are supported. A newly defined IP address is added to the
interface.
Defining a static IP address on an interface stops a DHCP client running on the
interface and removes the IP address assigned by the DHCP client.
If a configured IP address overlaps another configured one, a warning message is
displayed. To change an existing IP address, delete the existing one and add the
new one.
OOB port
One IP address is supported. A new IP address defined on the OOB port overrides
the previously defined IP address on the OOB port.
Defining a static IP address on the OOB port stops a DHCP client running on the
OOB port and deletes an IP address assigned by the DHCP client.
While no IP address is assigned, either by the DHCP client or manually, the
default IP address 192.168.1.254 is assigned to the OOB port.
Examples
Example 1. The following example configures VLAN 1 with IP address
131.108.1.27 and subnet mask 255.255.255.0.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0
Example 2. The following example configures three overlapping IP addresses,
confirming the overlap warning each time.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip address 1.1.1.1 255.0.0.0
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ip address 1.2.1.1 255.255.0.0
This IP address overlaps IP address 1.1.1.1/8 on vlan1, are you sure? [Y/N]Y
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# interface vlan 3
switchxxxxxx(config-if)# ip address 1.3.1.1 255.255.0.0
This IP address overlaps IP address 1.1.1.1/8 on vlan1, are you sure? [Y/N]Y
switchxxxxxx(config-if)# exit
Example 3. The following example configures IP address on OOB:
switchxxxxxx(config)# interface oob
switchxxxxxx(config-if)# ip address 131.108.1.27 255.255.255.0 131.108.1.100
24.2 ip address dhcp
Use the ip address dhcp Interface Configuration (Ethernet, VLAN, Port-channel)
mode command to acquire an IP address for an interface from a Dynamic Host
Configuration Protocol (DHCP) server. Use the no form of this command to release
an acquired IP address.
Syntax
ip address dhcp
no ip address dhcp
Parameters
N/A
Command Mode
Interface Configuration mode
User Guidelines
Use the ip address dhcp command to enable DHCP client on the interface.
The ip address dhcp command removes all the manually configured addresses on
the interface.
The default route (Default Gateway) received in DHCP Router option (Option 3) is
assigned a metric of 8 for an In-Band interface and 4 for OOB.
Use the no form of the command to disable DHCP client on interface.
Example
The following example acquires an IP address for VLAN 100 from DHCP.
switchxxxxxx(config)# interface vlan100
switchxxxxxx(config-if)# ip address dhcp
24.3 renew dhcp
Use the renew dhcp Privileged EXEC mode command to renew an IP address that
was acquired from a DHCP server for a specific interface.
Syntax
renew dhcp interface-id [force-autoconfig]
Parameters
• interface-id—Specifies an interface.
• force-autoconfig—(Optional) If the DHCP server holds a DHCP option 67 record
for the assigned IP address, the record overwrites the existing device
configuration.
Command Mode
Privileged EXEC mode
User Guidelines
Use the renew dhcp command to renew a DHCP address on an interface.
This command does not enable DHCP client on an interface and if DHCP client is
not enabled on the interface, the command returns an error message.
Example
The following example renews an IP address on VLAN 19 that was acquired from
a DHCP server:
switchxxxxxx# renew dhcp vlan 19
24.4 ip default-gateway
The ip default-gateway Global Configuration mode command defines a default
gateway (device). Use the no form of this command to restore the default
configuration.
Syntax
ip default-gateway ip-address
no ip default-gateway [ip-address]
Parameters
• ip-address—Specifies the default gateway IP address.
Command Mode
Global Configuration mode
Default Configuration
No default gateway is defined.
User Guidelines
Use the ip default-gateway command to define a default gateway (default route).
The ip default-gateway command adds the default route with a metric of 6 for a
gateway connected on an In-Band interface and 2 for a gateway connected on
OOB.
Use the no ip default-gateway ip-address command to delete one default
gateway.
Use the no ip default-gateway command to delete all default gateways.
Example
The following example defines default gateway 192.168.1.1.
switchxxxxxx(config)# ip default-gateway 192.168.1.1
24.5 show ip interface
Use the show ip interface EXEC mode command to display the usability status of
configured IP interfaces.
Syntax
show ip interface [interface-id]
Parameters
• interface-id—Specifies an interface ID on which IP addresses are defined.
Default Configuration
All IP addresses.
Command Mode
User EXEC mode
Examples
Example 1 - The following example displays all configured IP addresses and their
types:
switchxxxxxx# show ip interface
IP Address        I/F     I/F Status   Type     Directed    Redirect   Status
                          admin/oper            Broadcast
----------------  ------  -----------  -------  ---------   --------   ------
10.5.230.232/24   vlan 1  UP/UP        Static   disable     Enabled    Valid
10.5.234.202/24   vlan 4  UP/DOWN      Static   disable     Disabled   Valid
10.5.240.200/24   oob     UP/UP        Static                          Valid
Example 2 - The following example displays the IP addresses configured on the
given interface and their types:
switchxxxxxx# show ip interface vlan 1
IP Address        I/F     I/F Status   Type     Directed    Redirect   Status
                          admin/oper            Broadcast
----------------  ------  -----------  -------  ---------   --------   ------
10.5.230.232/24   vlan 1  UP/UP        Static   disable     Enabled    Valid
24.6 arp
Use the arp Global Configuration mode command to add a permanent entry to the
Address Resolution Protocol (ARP) cache. Use the no form of this command to
remove an entry from the ARP cache.
Syntax
arp ip-address mac-address [interface-id]
no arp ip-address
Parameters
• ip-address—IP address or IP alias to map to the specified MAC address.
• mac-address—MAC address to map to the specified IP address or IP alias.
• interface-id—The address pair is added for the specified interface.
Command Mode
Global Configuration mode
Default Configuration
No permanent entry is defined.
If no interface ID is entered, address pair is relevant to all interfaces.
User Guidelines
The software uses ARP cache entries to translate 32-bit IP addresses into 48-bit
hardware (MAC) addresses. Because most hosts support dynamic address
resolution, static ARP cache entries generally do not need to be specified.
Example
The following example adds IP address 198.133.219.232 and MAC address
00:00:0c:40:0f:bc to the ARP table.
switchxxxxxx(config)# arp 198.133.219.232 00:00:0c:40:0f:bc vlan100
24.7 arp timeout (Global)
Use the arp timeout Global Configuration mode command to set the time interval
during which an entry remains in the ARP cache. Use the no form of this command
to restore the default configuration.
Syntax
arp timeout seconds
no arp timeout
Parameters
• seconds—Specifies the time interval (in seconds) during which an entry
remains in the ARP cache. (Range: 1–40000000).
Default Configuration
The default ARP timeout is 60000 seconds, if IP Routing is enabled, and 300
seconds if IP Routing is disabled.
Command Mode
Global Configuration mode
Example
The following example configures the ARP timeout to 12000 seconds.
switchxxxxxx(config)# arp timeout 12000
24.8 ip arp proxy disable
Use the ip arp proxy disable Global Configuration mode command to globally
disable proxy Address Resolution Protocol (ARP). Use the no form of this
command to re-enable proxy ARP.
Syntax
ip arp proxy disable
no ip arp proxy disable
Parameters
N/A
Default
Enabled by default.
Command Mode
Global Configuration mode
User Guidelines
This command overrides any proxy ARP interface configuration.
The command is supported only when IP Routing is enabled.
Example
The following example globally disables ARP proxy.
switchxxxxxx(config)# ip arp proxy disable
24.9 ip proxy-arp
Use the ip proxy-arp Interface Configuration mode command to enable an ARP
proxy on specific interfaces. Use the no form of this command to disable it.
Syntax
ip proxy-arp
no ip proxy-arp
Default Configuration
ARP Proxy is disabled.
Command Mode
Interface Configuration mode
User Guidelines
This configuration can be applied only if at least one IP address is defined on a
specific interface.
The command is supported only when IP Routing is enabled.
Example
The following example enables ARP proxy when the switch is in router mode.
switchxxxxxx(config-if)# ip proxy-arp
24.10 clear arp-cache
Use the clear arp-cache Privileged EXEC mode command to delete all dynamic
entries from the ARP cache.
Syntax
clear arp-cache
Command Mode
Privileged EXEC mode
Example
The following example deletes all dynamic entries from the ARP cache.
switchxxxxxx# clear arp-cache
24.11 show arp
Use the show arp Privileged EXEC mode command to display entries in the ARP
table.
Syntax
show arp [ip-address ip-address] [mac-address mac-address] [interface-id]
Parameters
• ip-address ip-address—Specifies the IP address.
• mac-address mac-address—Specifies the MAC address.
• interface-id—Specifies an interface ID.
Command Mode
Privileged EXEC mode
User Guidelines
Since the associated interface of a MAC address can be aged out from the FDB
table, the Interface field can be empty.
If an ARP entry is associated with an IP interface that is defined on a port or
port-channel, the VLAN field is empty.
Example
The following example displays entries in the ARP table.
switchxxxxxx# show arp
ARP timeout: 80000 Seconds
VLAN     Interface   IP Address    HW Address          Status
-------  ----------  ------------  -----------------   -------
VLAN 1   te1/0/1     10.7.1.102    00:10:B5:04:DB:4B   Dynamic
VLAN 1   te1/0/2     10.7.1.135    00:50:22:00:2A:A4   Static
VLAN 2   te1/0/1     11.7.1.135    00:12:22:00:2A:A4   Dynamic
         te1/0/2     12.10.1.13    00:11:55:04:DB:4B   Dynamic
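The show arp output above is what an operator compares against a known-good snapshot to spot a changed IP-to-MAC binding, or one MAC answering for several addresses in a VLAN, the traces that ARP spoofing leaves behind, and to confirm that the permanent entries added with the arp command are still in place. The following Python is an added example for this guide, not code from Cisco or from the switch: it parses the table format shown above (the first snapshot is the example output verbatim; the second is constructed for the example, with one changed binding and one extra address) and reports the differences, the MACs bound to several addresses, and the static pins that no longer hold.

```python
import re
from collections import defaultdict

# Snapshot 1: the show arp output from this section, verbatim.
SHOW_ARP_BASELINE = """\
ARP timeout: 80000 Seconds
VLAN     Interface   IP Address    HW Address          Status
-------  ----------  ------------  -----------------   -------
VLAN 1   te1/0/1     10.7.1.102    00:10:B5:04:DB:4B   Dynamic
VLAN 1   te1/0/2     10.7.1.135    00:50:22:00:2A:A4   Static
VLAN 2   te1/0/1     11.7.1.135    00:12:22:00:2A:A4   Dynamic
         te1/0/2     12.10.1.13    00:11:55:04:DB:4B   Dynamic
"""

# Snapshot 2 (constructed for this example): the same table taken later. The
# entry for 10.7.1.102 now carries a different MAC, and that MAC also answers
# for a second address in VLAN 1, the pattern a spoofed ARP reply leaves behind.
SHOW_ARP_NOW = """\
ARP timeout: 80000 Seconds
VLAN     Interface   IP Address    HW Address          Status
-------  ----------  ------------  -----------------   -------
VLAN 1   te1/0/3     10.7.1.102    00:AA:BB:CC:DD:EE   Dynamic
VLAN 1   te1/0/3     10.7.1.200    00:AA:BB:CC:DD:EE   Dynamic
VLAN 1   te1/0/2     10.7.1.135    00:50:22:00:2A:A4   Static
VLAN 2   te1/0/1     11.7.1.135    00:12:22:00:2A:A4   Dynamic
         te1/0/2     12.10.1.13    00:11:55:04:DB:4B   Dynamic
"""

# One table row: optional "VLAN n", interface, IPv4 address, MAC, status.
ROW_RE = re.compile(
    r"^\s*(?:VLAN\s+(?P<vlan>\d+))?\s*(?P<iface>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+"
    r"(?P<status>Dynamic|Static)\s*$"
)


def parse_show_arp(text):
    """One dict per table row; the timeout line, header and separator are skipped.
    An empty VLAN column (IP interface on a port or port-channel) becomes None."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "vlan": int(m["vlan"]) if m["vlan"] else None,
                "iface": m["iface"],
                "ip": m["ip"],
                "mac": m["mac"].upper(),
                "status": m["status"],
            })
    return rows


def mac_changes(baseline, current):
    """(ip, vlan, old_mac, new_mac) for every binding whose MAC differs between snapshots."""
    before = {(r["ip"], r["vlan"]): r["mac"] for r in baseline}
    return [
        (r["ip"], r["vlan"], before[(r["ip"], r["vlan"])], r["mac"])
        for r in current
        if (r["ip"], r["vlan"]) in before and before[(r["ip"], r["vlan"])] != r["mac"]
    ]


def macs_claiming_many_ips(entries, limit=1):
    """{(vlan, mac): [ips]} for MACs bound to more than `limit` addresses in one VLAN."""
    by_mac = defaultdict(set)
    for r in entries:
        by_mac[(r["vlan"], r["mac"])].add(r["ip"])
    return {key: sorted(ips) for key, ips in by_mac.items() if len(ips) > limit}


def broken_static_pins(entries, pins):
    """pins: {(ip, vlan): mac} taken from the arp commands in the running config.
    Returns the pins the ARP table no longer reflects (missing, other MAC, or not Static)."""
    seen = {(r["ip"], r["vlan"]): r for r in entries}
    return [
        key for key, mac in pins.items()
        if key not in seen or seen[key]["mac"] != mac or seen[key]["status"] != "Static"
    ]


if __name__ == "__main__":
    base, now = parse_show_arp(SHOW_ARP_BASELINE), parse_show_arp(SHOW_ARP_NOW)
    for change in mac_changes(base, now):
        print("MAC changed:", change)
    for key, ips in macs_claiming_many_ips(now).items():
        print("one MAC, several IPs:", key, ips)
    print("broken pins:", broken_static_pins(now, {("10.7.1.135", 1): "00:50:22:00:2A:A4"}))
```

Bindings are keyed by (IP, VLAN) rather than by IP alone because the same address can legitimately appear in two VLANs; a MAC that serves many addresses across different VLANs is normal for a router, which is why the second check is scoped to one VLAN.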
24.12 show arp configuration
Use the show arp configuration privileged EXEC command to display the global
and interface configuration of the ARP protocol.
Syntax
show arp configuration
Parameters
This command has no arguments or key words.
Command Mode
Privileged EXEC mode
Example
switchxxxxxx# show arp configuration
Global configuration:
ARP Proxy: enabled
ARP timeout: 80000 Seconds
Interface configuration:
VLAN 1:
ARP Proxy: disabled
ARP timeout: 60000 Seconds
VLAN 10:
ARP Proxy: enabled
ARP timeout: 70000 Seconds
VLAN 20:
ARP Proxy: enabled
ARP timeout: 80000 Seconds (Global)
24.13 interface ip
Use the interface ip Global Configuration mode command to enter the IP Interface
Configuration mode.
Syntax
interface ip ip-address
Parameters
• ip-address—Specifies one of the IP addresses of the device.
Command Mode
Global Configuration mode
Example
The following example enters the IP interface configuration mode.
switchxxxxxx(config)# interface ip 192.168.1.1
switchxxxxxx(config-ip)#
24.14 ip helper-address
Use the ip helper-address Global Configuration mode command to enable the
forwarding of UDP Broadcast packets received on an interface to a specific
(helper) address. Use the no form of this command to disable the forwarding of
broadcast packets to a specific (helper) address.
Syntax
ip helper-address {ip-interface | all} address [udp-port-list]
no ip helper-address {ip-interface | all} address
Parameters
• ip-interface—Specifies the IP interface.
• all—Specifies all IP interfaces.
• address—Specifies the destination broadcast or host address to which to
forward UDP broadcast packets. A value of 0.0.0.0 specifies that UDP
broadcast packets are not forwarded to any host.
• udp-port-list—Specifies the destination UDP port number to which to
forward Broadcast packets. (Range: 1–65535). This can be a list of port
numbers separated by spaces.
Default Configuration
Forwarding of UDP Broadcast packets received on an interface to a specific
(helper) address is disabled.
If udp-port-list is not specified, packets for the default services are forwarded to
the helper address.
Command Mode
Global Configuration mode
User Guidelines
This command forwards specific UDP Broadcast packets from one interface to
another, by specifying a UDP port number to which UDP broadcast packets with
that destination port number are forwarded. By default, if no UDP port number is
specified, the device forwards UDP broadcast packets for the following six
services:
• IEN-116 Name Service (port 42)
• DNS (port 53)
• NetBIOS Name Server (port 137)
• NetBIOS Datagram Server (port 138)
• TACACS Server (port 49)
• Time Service (port 37)
Many helper addresses may be defined. However, the total number of
address-port pairs is limited to 128 for the device.
The setting of a helper address for a specific interface has precedence over the
setting of a helper address for all the interfaces.
Forwarding of BOOTP/DHCP (ports 67, 68) cannot be enabled with this command.
Use the DHCP relay commands to relay BOOTP/DHCP packets.
The ip-interface argument cannot be the OOB port.
Example
The following example enables the forwarding of UDP Broadcast packets
received on all interfaces, with destination UDP port 49, 53, 1 or 2, to the
helper address 172.16.9.9.
switchxxxxxx(config)# ip helper-address all 172.16.9.9 49 53 1 2
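To see which UDP broadcasts a set of ip helper-address lines actually forwards, and where, it helps to apply the rules above (the six default ports, interface-specific entries taking precedence over all, the limit of 128 address-port pairs, no ports 67/68) to a configuration. The Python below is an added example, not Cisco code; the configuration fragment is constructed from the example command above and the two entries visible in the show ip helper-address output that follows. Three details are assumptions of the model rather than statements of this guide: an interface-specific entry replaces the all entries for that interface as a whole, pairs are counted as ports per entry, and the OOB restriction is checked against the literal interface name oob.

```python
import re

DEFAULT_UDP_PORTS = frozenset({42, 53, 137, 138, 49, 37})   # the six default services
BOOTP_DHCP_PORTS = frozenset({67, 68})                       # DHCP relay commands, not this one
MAX_ADDRESS_PORT_PAIRS = 128
NO_FORWARD = "0.0.0.0"                                       # helper address "forward to no host"

# `ip helper-address {ip-interface | all} address [udp-port-list]` in a running config
LINE_RE = re.compile(
    r"^\s*ip helper-address\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})((?:\s+\d+)*)\s*$"
)


class HelperTable:
    def __init__(self):
        self.entries = []      # (ip_interface or "all", helper_address, frozenset(udp ports))

    def pair_count(self):
        # assumption: every port of an entry counts as one address-port pair
        return sum(len(ports) for _, _, ports in self.entries)

    def problem(self, ip_interface, helper, ports):
        """Reason the device would refuse this entry, or None if it is acceptable."""
        ports = frozenset(ports) if ports else DEFAULT_UDP_PORTS
        if ip_interface == "oob":          # assumption: OOB is named literally
            return "the ip-interface argument cannot be the OOB port"
        bad = sorted(ports & BOOTP_DHCP_PORTS)
        if bad:
            return f"ports {bad} need the DHCP relay commands, not ip helper-address"
        if any(not 1 <= p <= 65535 for p in ports):
            return "udp-port-list values must be in 1-65535"
        if self.pair_count() + len(ports) > MAX_ADDRESS_PORT_PAIRS:
            return f"more than {MAX_ADDRESS_PORT_PAIRS} address-port pairs on the device"
        return None

    def add(self, ip_interface, helper, ports=()):
        reason = self.problem(ip_interface, helper, ports)
        if reason:
            raise ValueError(reason)
        self.entries.append(
            (ip_interface, helper, frozenset(ports) if ports else DEFAULT_UDP_PORTS)
        )

    def targets(self, ip_interface, udp_port):
        """Helper addresses that a UDP broadcast to `udp_port`, received on
        `ip_interface`, is forwarded to. Interface-specific entries win over `all`
        (assumed to replace them entirely); 0.0.0.0 forwards to nobody."""
        specific = [e for e in self.entries if e[0] == ip_interface]
        scope = specific or [e for e in self.entries if e[0] == "all"]
        return sorted({h for _, h, ports in scope if udp_port in ports and h != NO_FORWARD})


def parse_helper_config(text):
    """Build a HelperTable from the ip helper-address lines of a running configuration."""
    table = HelperTable()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table.add(m.group(1), m.group(2), [int(p) for p in m.group(3).split()])
    return table


# Constructed running-config fragment: the example command from this section plus
# the two entries shown by show ip helper-address in the next section.
SAMPLE_CONFIG = """\
ip helper-address all 172.16.9.9 49 53 1 2
ip helper-address 192.168.1.1 172.16.8.8
ip helper-address 192.168.2.1 172.16.9.9 37 49
"""

if __name__ == "__main__":
    table = parse_helper_config(SAMPLE_CONFIG)
    print("address-port pairs in use:", table.pair_count())
    for iface, port in (("192.168.1.1", 53), ("192.168.2.1", 53), ("192.168.3.1", 1)):
        print(iface, "port", port, "->", table.targets(iface, port))
    print("DHCP via helper:", table.problem("all", "10.0.0.1", [67]))
```

Running the audit over a real configuration answers the question that matters for exposure: which broadcast services (NetBIOS and DNS among the defaults) leave each subnet, and to which hosts.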
24.15 show ip helper-address
Use the show ip helper-address Privileged EXEC mode command to display the IP
helper addresses configuration on the system.
Syntax
show ip helper-address
Parameters
This command has no arguments or key words.
Command Mode
Privileged EXEC mode
Example
The following example displays the IP helper addresses configuration on the
system:
switchxxxxxx# show ip helper-address
Interface     Helper Address   UDP Ports
------------  ---------------  ------------------------
192.168.1.1   172.16.8.8       37, 42, 49, 53, 137, 138
192.168.2.1   172.16.9.9       37, 49
24.16 show ip dhcp client interface
Use the show ip dhcp client interface command in User EXEC or Privileged EXEC
mode to display DHCP client interface information.
Syntax
show ip dhcp client interface [interface-id]
Parameters
• interface-id—Interface identifier.
Command Mode
User EXEC mode
User Guidelines
If no interfaces are specified, all interfaces on which DHCP client is enabled are
displayed. If an interface is specified, only information about the specified
interface is displayed.
Example
The following is sample output of the show ip dhcp client interface command:
switchxxxxxx# show ip dhcp client interface
VLAN 100 is in client mode
Address: 170.10.100.100 Mask: 255.255.255.0 T1 120, T2 192
Default Gateway: 170.10.100.1
DNS Servers: 115.1.1.1, 87.12.34.20
DNS Domain Search List: company.com
Host Name: switch_floor7
Configuration Server Addresses: 192.1.1.1 202.1.1.1
Configuration Path Name: qqq/config/aaa_config.dat
Image Path Name: qqq/image/aaa_image.ros
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
VLAN 1200 is in client mode
Address: 180.10.100.100 Mask: 255.255.255.0 T1 120, T2 192
Default Gateway: 180.10.100.1
DNS Servers: 115.1.1.1, 87.12.34.20
DNS Domain Search List: company.com
Host Name: switch_floor7
Configuration Server Addresses: configuration.company.com
Configuration Path Name: qqq/config/aaa_config.dat
Image Path Name: qqq/image/aaa_image.ros
POSIX Timezone string: EST5EDT4,M3.2.0/02:00,M11.1.0/02:00
25
IP Routing Protocol-Independent Commands
25.1 ip policy route-map
To enable policy routing on an interface and identify a route map, use the ip policy
route-map command in Interface Configuration mode. To disable policy routing,
use the no form of this command.
Syntax
ip policy route-map map-tag
no ip policy route-map
Parameters
• map-tag—Name of the route map to use for policy routing. The name must
match a map-tag value specified by a route-map (Policy Routing) command.
Default Configuration
No policy routing occurs on the interface.
Command Mode
Interface Configuration mode
User Guidelines
Use the ip policy route-map command to enable policy routing on an interface.
Policy routing actually takes place only if an IP address is defined on the
interface.
IP packets that match the conditions of the route map with the given map-tag
name are routed according to the action of the matching ACL entry:
• permit—The route specified by the set command (policy routing).
• deny—The route specified by the IP Forwarding table (regular routing).
IP packets that match no entry are forwarded by regular routing.
IP policy routing on a Layer 2 interface is performed only when an IP interface is
defined on it, its status is UP, and the next hop is reachable. If IP policy routing
is not applied, the matched IP packets are forwarded by regular routing.
Note: As with regular IP routing, the policy-based router routes only IP frames
addressed to its own MAC address ("to me" frames).
IP policy routing cannot be configured on an interface together with the following
features:
• VLAN ACL
Example
The following example shows how to configure policy routing:
switchxxxxxx(config)# ip access-list extended pr-acl1
switchxxxxxx(config-ip-al)# permit tcp any any 156.12.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# ip access-list extended pr-acl2
switchxxxxxx(config-ip-al)# permit tcp any any 156.122.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# route-map pbr 10
switchxxxxxx(config-route-map)# match ip address access-list pr-acl1
switchxxxxxx(config-route-map)# set ip next-hop 56.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# route-map pbr 20
switchxxxxxx(config-route-map)# match ip address access-list pr-acl2
switchxxxxxx(config-route-map)# set ip next-hop 50.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip policy route-map pbr
switchxxxxxx(config-if)# exit
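The rules above (route-map sequences evaluated in order, a permit entry sends the packet to the set next hop, a deny entry or no match leaves it to regular routing, and no policy routing at all unless the interface has an IP address, is UP and the next hop is a reachable, directly connected address) can be checked against a packet with a small model. The Python below is an added example, not Cisco code; it is built on the ACLs and the route map of the example above. The VLAN 1 address 56.1.1.2/24 and the set of ARP-resolved next hops are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_net(addr, wildcard):
    """Cisco 'address wildcard' pair (156.12.5.0 0.0.0.255) as an IPv4Network."""
    mask_bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask_bits)}", strict=False)


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip matches every protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.IPv4Address(pkt["src"]) in self.src
                and ipaddress.IPv4Address(pkt["dst"]) in self.dst)


@dataclass(frozen=True)
class Sequence:                   # one `route-map <name> <seq>` with its match and set
    seq: int
    acl: str
    next_hop: str


@dataclass
class IpInterface:
    address: object               # ipaddress.IPv4Interface, or None when no IP interface exists
    up: bool
    arp_reachable: frozenset      # next hops the switch has resolved (constructed input)

    def next_hop_active(self, nh):
        """Mirrors 'Not direct' and 'Unreachable' in show ip route: the next hop must be
        on the interface's own subnet and currently resolvable."""
        return (ipaddress.IPv4Address(nh) in self.address.network
                and nh in self.arp_reachable)


def vlan_interface(cidr, up=True, arp_reachable=()):
    """Constructed interface state; cidr=None models a VLAN with no IP interface."""
    addr = ipaddress.IPv4Interface(cidr) if cidr else None
    return IpInterface(addr, up, frozenset(arp_reachable))


def policy_route(pkt, route_map, acls, iface):
    """("policy", next_hop) or ("regular", None) for one packet, following this section:
    no IP interface or interface down -> regular routing; the first matching ACL entry
    decides: permit with an active next hop -> policy, anything else -> regular routing."""
    if iface.address is None or not iface.up:
        return ("regular", None)
    for s in sorted(route_map, key=lambda x: x.seq):
        for entry in acls[s.acl]:
            if entry.matches(pkt):
                if entry.action == "permit" and iface.next_hop_active(s.next_hop):
                    return ("policy", s.next_hop)
                return ("regular", None)       # deny entry, or permit with an inactive next hop
    return ("regular", None)                   # nothing matched


# The ACLs and route map from the example above.
ACLS = {
    "pr-acl1": [AclEntry("permit", "tcp", ANY, wildcard_net("156.12.5.0", "0.0.0.255"))],
    "pr-acl2": [AclEntry("permit", "tcp", ANY, wildcard_net("156.122.5.0", "0.0.0.255"))],
}
ROUTE_MAP_PBR = [Sequence(10, "pr-acl1", "56.1.1.1"), Sequence(20, "pr-acl2", "50.1.1.1")]
# Assumed: VLAN 1 carries 56.1.1.2/24, so 56.1.1.1 is direct and resolved while 50.1.1.1 is not.
VLAN1 = vlan_interface("56.1.1.2/24", up=True, arp_reachable={"56.1.1.1"})

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": "10.0.0.5", "dst": "156.12.5.7"},
                {"proto": "tcp", "src": "10.0.0.5", "dst": "156.122.5.7"},
                {"proto": "udp", "src": "10.0.0.5", "dst": "156.12.5.7"}):
        print(pkt["proto"], "to", pkt["dst"], "->", policy_route(pkt, ROUTE_MAP_PBR, ACLS, VLAN1))
```

The second packet is the instructive one: it matches pr-acl2, but 50.1.1.1 is not on VLAN 1's subnet, so the switch would report the next hop as Not Active (Not direct) and the packet falls back to the forwarding table, exactly what show ip route displays for such a sequence.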
25.2 ip redirects
Use the ip redirects command in IP Interface Configuration mode to enable the
sending of ICMP redirect messages to re-send a packet through the same
interface on which the packet was received. To disable the sending of redirect
messages, use the no form of this command.
Syntax
ip redirects
no ip redirects
Parameters
N/A.
Default Configuration
The sending of ICMP redirect messages is enabled.
Command Mode
IP Interface Configuration mode
Example
The following example disables the sending of ICMP redirect messages on IP
interface 1.1.1.1 and re-enables the messages on IP interface 2.2.2.2:
switchxxxxxx(config)# interface ip 1.1.1.1
switchxxxxxx(config-ip)# no ip redirects
switchxxxxxx(config-ip)# exit
switchxxxxxx(config)# interface ip 2.2.2.2
switchxxxxxx(config-ip)# ip redirects
switchxxxxxx(config-ip)# exit
25.3 ip route
To establish static routes, use the ip route command in global configuration mode.
To remove static routes, use the no form of this command.
Syntax
ip route prefix {mask | /prefix-length} {{ip-address [metric value]} | reject-route}
no ip route prefix {mask | /prefix-length} [ip-address]
Parameters
• prefix—IP route prefix for the destination.
• mask—Prefix mask for the destination.
• /prefix-length—Prefix mask for the destination. Specifies the number of bits
that comprise the IP address prefix. The prefix length must be preceded by
a forward slash (/). (Range: 0–32)
• ip-address—IP address of the next hop that can be used to reach that
network.
• metric value—Metric of the route. The default metric is 6 for the Next Hop
on an In-Band interface and 2 for the Next Hop on OOB. Range: 1–255.
• reject-route—Stops routing to the destination network; packets for it are
rejected.
Default Configuration
No static routes are established.
Command Mode
Global Configuration mode
User Guidelines
Use the no ip route command without the ip-address parameter to remove all
static routes to the given subnet.
Use the no ip route command with the ip-address parameter to remove only one
static route to the given subnet via the given next hop.
Examples
Example 1—The following example shows how to route packets for network
172.31.0.0 to a router at 172.31.6.6 using mask:
switchxxxxxx(config)# ip route 172.31.0.0 255.255.0.0 172.31.6.6 metric 2
Example 2—The following example shows how to route packets for network
172.31.0.0 to a router at 172.31.6.6 using prefix length :
switchxxxxxx(config)# ip route 172.31.0.0 /16 172.31.6.6 metric 2
Example 3—The following example shows how to reject packets for network
194.1.1.0:
switchxxxxxx(config)# ip route 194.1.1.0 255.255.255.0 reject-route
Example 4—The following example shows how to remove all static routes to
network 194.1.1.0/24:
switchxxxxxx(config)# no ip route 194.1.1.0 /24
Example 5—The following example shows how to remove one static route to
network 194.1.1.0/24 via 1.1.1.1:
switchxxxxxx(config)# no ip route 194.1.1.0 /24 1.1.1.1
25.4 ip routing
To enable IP routing, use the ip routing command in global configuration mode. To
disable IP routing, use the no form of this command.
Syntax
ip routing
no ip routing
Parameters
This command has no arguments or keywords.
Default Configuration
IP routing is enabled.
Command Mode
Global Configuration mode
User Guidelines
Use the command to enable IP Routing.
The switch supports one IPv4 stack on in-band interfaces and the OOB port.
The IP stack is always running on the OOB port as an IP host, regardless of whether
IP routing is enabled.
The switch blocks routing between in-band interfaces and the OOB interface.
In the case when there are two best routes - one via an in-band and one via the
OOB port, the switch will use the route via the OOB port.
DHCP Relay and IP Helper cannot be enabled on the OOB port.
Example
The following example enables IP routing.
switchxxxxxx(config)# ip routing
25.5 show ip route
To display the current state of the routing table, use the show ip route command in
user EXEC or privileged EXEC mode.
Syntax
show ip route [address ip-address {mask [longer-prefixes]}] [static | rejected | icmp |
connected]
Parameters
• address ip-address—IP address about which routing information should be
displayed.
• mask—The value of the subnet mask.
• longer-prefixes—Specifies that only routes matching the IP address and
mask pair should be displayed.
• connected—Displays connected routes.
• icmp—Displays routes added by ICMP Direct.
• rejected—Displays rejected routes.
• static—Displays static routes.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use this command without parameters to display the whole IPv4 Routing table.
Use this command with parameters to specify required routes.
Examples
Example 1. The following is sample output from the show ip route command when
IP Routing is not enabled:
switchxxxxxx# show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: disabled
Codes: > - best, C - connected, S - static, I - ICMP
IP Routing Table - 5 entries
Code   IP Route             Distance/   Next Hop         Last Time   Outgoing
                            Metric      IP Address       Updated     Interface
------ -------------------  ----------- ---------------  ----------- ------------
S      10.10.0.0/16         1/2         10.119.254.244   00:02:22    vlan2
S>     10.10.0.0/16         1/1         10.120.254.244   00:02:22    vlan3
S>     10.16.2.0/24         1/1         10.119.254.244   00:02:22    vlan2
C>     10.119.0.0/16        0/1         0.0.0.0                      vlan2
C>     10.120.0.0/16        0/1         0.0.0.0                      vlan3
Example 2. The following is sample output from the show ip route command when
IP Routing is enabled:
switchxxxxxx# show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Directed Broadcast Forwarding: disabled
Codes: > - best, C - connected, S - static
Policy Routing
VLAN 1
Route Map: BPR1
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.1
Next Hop Status: Active
ACL Name: ACLTCPTELNET
Next Hop: 2.2.2.2
Next Hop Status: Not Active (Unreachable)
ACL Name: ACL_AA
Next Hop: 3.3.3.3
Next Hop Status: Not Active (Not direct)
VLAN 100
Route Map: BPR_10
Status: Not Active (No IP interface on VLAN 100)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 110
Route Map: BPR_20
Status: Not Active (VLAN 110 status is DOWN)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 200
Route Map: BPR_A0
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
IP Routing Table - 4 entries
Code   IP Route             Distance/   Next Hop         Last Time   Outgoing
                            Metric      IP Address       Updated     Interface
------ -------------------  ----------- ---------------  ----------- ------------
S>     10.175.0.0/16        1/1         10.119.254.240   00:02:22    vlan2
S>     10.180.0.0/16        1/1         10.119.254.240   00:02:42    vlan3
C>     10.119.0.0/16        0/1         0.0.0.0                      vlan2
C>     10.120.0.0/16        0/1         0.0.0.0                      vlan3
Example 3. In the following example, the logical AND operation is performed on
the address 10.16.0.0 and the mask 255.255.0.0, resulting in 10.16.0.0. On each
destination in the routing table the logical AND operation is also performed with
the mask and the result is compared with 10.16.0.0. Any destinations that fall into
that range are displayed in the output:
switchxxxxxx# show ip route 10.16.0.0 255.255.0.0 longer-prefixes
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Directed Broadcast Forwarding: disabled
Codes: > - best, C - connected, S - static
Policy Routing
VLAN 1
Route Map: BPR1
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.1
Next Hop Status: Active
ACL Name: ACLTCPTELNET
Next Hop: 2.2.2.2
Next Hop Status: Not Active (Unreachable)
ACL Name: ACL_AA
Next Hop: 3.3.3.3
Next Hop Status: Not Active (Not direct)
VLAN 100
Route Map: BPR_10
Status: Not Active (No IP interface on VLAN 100)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 110
Route Map: BPR_20
Status: Not Active (VLAN 110 status is DOWN)
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
VLAN 200
Route Map: BPR_A0
Status: Active
ACL Name: ACLTCPHTTP
Next Hop: 1.1.1.20
Next Hop Status: Active
IP Routing Table - 6 entries
Code   IP Route             Distance/   Next Hop         Last Time   Outgoing
                            Metric      IP Address       Updated     Interface
------ -------------------  ----------- ---------------  ----------- ------------
S>     10.16.2.0/24         1/1         10.119.254.244   00:02:22    vlan2
S>     10.16.2.64/26        1/1         100.1.14.244     00:02:22    vlan1
S>     10.16.2.128/26       1/1         110.9.2.2        00:02:22    vlan3
S>     10.16.208.0/24       1/1         120.120.5.44     00:02:22    vlan2
S>     10.16.223.0/24       1/1         20.1.2.24        00:02:22    vlan5
S>     10.16.236.0/24       1/1         30.19.54.240     00:02:23    vlan6
C>     10.119.0.0/16        0/1         0.0.0.0                      vlan2
C>     10.120.0.0/16        0/1         0.0.0.0                      vlan3
C>     20.1.0.0/16          0/1         0.0.0.0                      vlan5
C>     30.19.0.0/16         0/1         0.0.0.0                      vlan2
C>     100.1.0.0/16         0/1         0.0.0.0                      vlan1
C>     110.9.0.0/16         0/1         0.0.0.0                      vlan3
C>     120.120.0.0/16       0/1         0.0.0.0                      vlan2
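The route selection behind the tables above (longest prefix first, then the lowest metric, which is how the two 10.10.0.0/16 entries in Example 1 of this section end up with only one marked best), the reject-route form of ip route, the default metrics 6 in-band and 2 on OOB shared by ip route and ip default-gateway, the preference for the OOB route between two otherwise equal best routes stated under ip routing, and the longer-prefixes filter exactly as Example 3 describes it, are worked through in the Python below. It is an added example, not Cisco code; the table is constructed from routes shown in this chapter, plus two assumed default routes (one per side) to exercise the OOB metric.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]    # "0.0.0.0" for a connected route, None for a reject-route
    metric: int
    iface: Optional[str]       # outgoing interface; "oob" is the out-of-band port
    reject: bool = False


def static_route(prefix, next_hop=None, metric=None, iface=None, reject=False):
    """Model `ip route`: default metric 6 for an in-band next hop, 2 for one on OOB."""
    if metric is None:
        metric = 2 if iface == "oob" else 6
    return Route(ipaddress.IPv4Network(prefix), next_hop, metric, iface, reject)


def connected_route(prefix, iface):
    """A C> entry: next hop 0.0.0.0, metric 1 as shown by show ip route."""
    return Route(ipaddress.IPv4Network(prefix), "0.0.0.0", 1, iface)


def best_route(table, dst):
    """Longest prefix first, then lowest metric; with both equal the OOB route wins (25.4)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric, r.iface != "oob"))


def forward(table, dst):
    """What the switch does with a packet for dst: ("forward", next_hop),
    ("connected", iface), ("reject", prefix) or ("no-route", None)."""
    r = best_route(table, dst)
    if r is None:
        return ("no-route", None)
    if r.reject:
        return ("reject", str(r.prefix))
    if r.next_hop == "0.0.0.0":
        return ("connected", r.iface)
    return ("forward", r.next_hop)


def longer_prefixes(table, address, mask):
    """show ip route <address> <mask> longer-prefixes, as Example 3 describes it:
    AND the address with the mask, then keep every destination whose AND with
    the same mask gives the same result."""
    m = int(ipaddress.IPv4Address(mask))
    target = int(ipaddress.IPv4Address(address)) & m
    return [r for r in table if int(r.prefix.network_address) & m == target]


# Constructed table: routes from the show ip route examples, the routes of the
# ip route examples (172.31.0.0/16 and the 194.1.1.0/24 reject route) and, as an
# assumption, one default route per side with the ip default-gateway metrics.
TABLE = [
    connected_route("10.119.0.0/16", "vlan2"),
    connected_route("10.120.0.0/16", "vlan3"),
    static_route("10.10.0.0/16", "10.119.254.244", metric=2, iface="vlan2"),
    static_route("10.10.0.0/16", "10.120.254.244", metric=1, iface="vlan3"),
    static_route("10.16.2.0/24", "10.119.254.244", metric=1, iface="vlan2"),
    static_route("10.16.2.64/26", "100.1.14.244", metric=1, iface="vlan1"),
    static_route("172.31.0.0/16", "172.31.6.6", metric=2, iface="vlan2"),
    static_route("194.1.1.0/24", reject=True),
    static_route("0.0.0.0/0", "10.5.230.1", iface="vlan1"),   # in-band gateway, metric 6
    static_route("0.0.0.0/0", "10.5.240.1", iface="oob"),     # OOB gateway, metric 2
]

if __name__ == "__main__":
    for dst in ("10.10.5.5", "10.16.2.70", "10.16.2.5", "10.119.7.7", "194.1.1.9", "8.8.8.8"):
        print(dst, "->", forward(TABLE, dst))
    print([str(r.prefix) for r in longer_prefixes(TABLE, "10.16.0.0", "255.255.0.0")])
```

Two things worth noticing when running it: the packet for 8.8.8.8 leaves through the OOB gateway purely because of the lower default metric, which is why the OOB gateway, if one is defined, silently attracts all traffic that has no better route; and the reject route wins by prefix length, so a reject-route for a specific network still applies when a broader default route exists.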
25.6 show ip route summary
Use the show ip route summary command in User EXEC or Privileged EXEC mode
to display the current contents of the IP routing table in summary format.
Syntax
show ip route summary
Parameters
N/A.
Command Mode
User EXEC mode
Privileged EXEC mode
Example
The following is sample output from the show ip route summary command:
switchxxxxxx# show ip route summary
IP Routing Table Summary - 90 entries
35 connected, 25 static
Number of prefixes:
/16: 16, /18: 10, /22: 15, /24: 19
26
IP System Management Commands
26.1 ping
Use the ping EXEC mode command to send ICMP echo request packets to
another node on the network.
Syntax
ping [ip] {ipv4-address | hostname} [size packet_size] [count packet_count]
[timeout time_out] [source source-address]
ping ipv6 {ipv6-address | hostname} [size packet_size] [count packet_count]
[timeout time_out] [source source-address]
Parameters
• ip—Use IPv4 to check the network connectivity.
• ipv6—Use IPv6 to check the network connectivity.
• ipv4-address—IPv4 address to ping.
• ipv6-address—Unicast or Multicast IPv6 address to ping. When the IPv6
address is a Link Local address (IPv6Z address), the outgoing interface
name must be specified.
• hostname—Hostname to ping (Length: 1-158 characters. Maximum label
size for each part of the host name: 58.)
• size packet_size—Number of bytes in the packet not including the VLAN
tag. The default is 64 bytes. (IPv4: 64–1518, IPv6: 68–1518)
• count packet_count—Number of packets to send, from 1 to 65535 packets.
The default is 4 packets. If 0 is entered, it pings until stopped (0–65535).
• timeout time_out—Timeout in milliseconds to wait for each reply, from 50 to
65535 milliseconds. The default is 2000 milliseconds (50–65535).
• source source-address—Source address (Unicast IPv4 address or global
Unicast IPv6 address).
Default Configuration
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Press Esc to stop pinging. Following are sample results of the ping command:
• Destination does not respond—If the host does not respond, a "no answer
from host" appears within 10 seconds.
• Destination unreachable—The gateway for this destination indicates that
the destination is unreachable.
• Network or host unreachable—The switch found no corresponding entry in
the route table.
When using the ping ipv6 command to check network connectivity of a directly
attached host using its link local address, the egress interface may be specified in
the IPv6Z format. If the egress interface is not specified, the default interface is
selected.
When using the ping ipv6 command with a Multicast address, the information
displayed is taken from all received echo responses.
When the source keyword is configured and the source address is not an address
of the switch, the command is halted with an error message and pings are not
sent.
Examples
Example 1 - Ping an IP address.
switchxxxxxx> ping ip 10.1.1.1
Pinging 10.1.1.1 with 64 bytes of data:
64 bytes from 10.1.1.1: icmp_seq=0. time=11 ms
64 bytes from 10.1.1.1: icmp_seq=1. time=8 ms
64 bytes from 10.1.1.1: icmp_seq=2. time=8 ms
64 bytes from 10.1.1.1: icmp_seq=3. time=7 ms
----10.1.1.1 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 7/8/11
Example 2 - Ping a site.
switchxxxxxx> ping ip yahoo.com
Pinging yahoo.com [66.218.71.198] with 64 bytes of data:
64 bytes from 66.218.71.198: icmp_seq=0. time=11 ms
64 bytes from 66.218.71.198: icmp_seq=1. time=8 ms
64 bytes from 66.218.71.198: icmp_seq=2. time=8 ms
64 bytes from 66.218.71.198: icmp_seq=3. time=7 ms
----66.218.71.198 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 7/8/11
Example 3 - Ping an IPv6 address.
switchxxxxxx> ping ipv6 3003::11
Pinging 3003::11 with 64 bytes of data:
64 bytes from 3003::11: icmp_seq=1. time=0 ms
64 bytes from 3003::11: icmp_seq=2. time=50 ms
64 bytes from 3003::11: icmp_seq=3. time=0 ms
64 bytes from 3003::11: icmp_seq=4. time=0 ms
----3003::11 PING Statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/12/50
Example 4 - Ping an IPv6 multicast address; every responding node is reported.
switchxxxxxx> ping ipv6 FF02::1
Pinging FF02::1 with 64 bytes of data:
64 bytes from FF02::1: icmp_seq=1. time=0 ms
64 bytes from FF02::1: icmp_seq=1. time=70 ms
64 bytes from FF02::1: icmp_seq=2. time=0 ms
64 bytes from FF02::1: icmp_seq=1. time=1050 ms
64 bytes from FF02::1: icmp_seq=2. time=70 ms
64 bytes from FF02::1: icmp_seq=2. time=1050 ms
64 bytes from FF02::1: icmp_seq=3. time=0 ms
64 bytes from FF02::1: icmp_seq=3. time=70 ms
64 bytes from FF02::1: icmp_seq=4. time=0 ms
64 bytes from FF02::1: icmp_seq=3. time=1050 ms
64 bytes from FF02::1: icmp_seq=4. time=70 ms
64 bytes from FF02::1: icmp_seq=4. time=1050 ms
---- FF02::1 PING Statistics----
4 packets transmitted, 12 packets received
26.2 ssh
To start an encrypted session with a remote networking device, use the ssh
command in user EXEC or privileged EXEC mode.
Syntax
ssh {ip-address | hostname} [port] [keyword...]
Parameters
• ip-address—Specifies the destination host IP address (IPv4 or IPv6).
• hostname—Hostname of the destination host (Length: 1-158 characters.
Maximum label size for each part of the host name: 58.)
• port—Specifies the decimal TCP port number. The default port is the SSH
port (22).
• keyword—Specifies the one or more keywords listed in the Keywords
table in the User Guidelines.
Keywords Table
Option                           Description
/password password               Specifies the password to use when logging in on
                                 the remote networking device running the SSH
                                 server. If the keyword is not specified, the password
                                 configured by the ip ssh-client password command
                                 is used. If this keyword is specified, the /user
                                 keyword must be specified too. Since the password
                                 is typed in clear text on the command line, prefer
                                 the value stored with ip ssh-client password.
/source-interface interface-id   Specifies the source interface whose minimal
                                 IPv4/IPv6 address is used as the source IPv4/IPv6
                                 address. If the keyword is not specified, the source
                                 IPv4/IPv6 address configured by the ip ssh-client
                                 source-interface command is used.
/user user-name                  Specifies the user name to use when logging in on
                                 the remote networking device running the SSH
                                 server. If the keyword is not specified, the user name
                                 configured by the ip ssh-client username command
                                 is used. If this keyword is specified, the /password
                                 keyword must be specified too.
Default Configuration
The default port is the SSH port (22) on the host.
Command Mode
Privileged EXEC mode
User Guidelines
The ssh command enables the switch to make a secure, encrypted connection to
another switch running an SSH server. This connection provides functionality that
is similar to that of a Telnet connection except that the connection is encrypted.
With authentication and encryption, the SSH client allows for secure
communication over an insecure network.
Only one SSH terminal connection can be active at the same time.
Examples
Example 1. The following example sets a secure session between the local device
and the edge device HQedge. The user name and password configured by the ip
ssh-client username and ip ssh-client password commands are used.
switchxxxxxx> ssh HQedge
Example 2. The following example sets a secure session between the local device
and the edge device 1.1.1.1. The user name is HQhost and the password is a
password configured by the ip ssh-client password command.
switchxxxxxx> ssh 1.1.1.1 /user HQhost
Example 3. The following example sets a secure session between the local device
and the edge device HQedge. The user name is HQhost and the password is
ar3245ddd.
switchxxxxxx> ssh HQedge /user HQhost /password ar3245ddd
Example 4. The following example sets a loopback interface as the source interface:
switchxxxxxx> ssh HQedge /source-interface loopback1
26.3 telnet
The telnet EXEC mode command logs on to a host that supports Telnet.
Syntax
telnet {ip-address | hostname} [port] [keyword...]
Parameters
• ip-address—Specifies the destination host IP address (IPv4 or IPv6).
• hostname—Hostname of the destination host (Length: 1-158 characters.
Maximum label size for each part of the host name: 58.)
• port—Specifies the decimal TCP port number or one of the keywords listed
in the Ports table in the User Guidelines.
• keyword—Specifies one or more of the keywords listed in the Keywords
table in the User Guidelines.
Default Configuration
The default port is the Telnet port (23) on the host.
Command Mode
Privileged EXEC mode
User Guidelines
Telnet software supports special Telnet commands in the form of Telnet
sequences that map generic terminal control functions to operating
system-specific functions. To enter a Telnet sequence, press the escape
sequence keys (Ctrl-shift-6) followed by a Telnet command character.
Special Telnet Sequences

Telnet Sequence    Purpose
Ctrl-shift-6-b     Break
Ctrl-shift-6-c     Interrupt Process (IP)
Ctrl-shift-6-h     Erase Character (EC)
Ctrl-shift-6-o     Abort Output (AO)
Ctrl-shift-6-t     Are You There? (AYT)
Ctrl-shift-6-u     Erase Line (EL)
At any time during an active Telnet session, available Telnet commands can be
listed by pressing the ?/help keys at the system prompt.
A sample of this list follows.
switchxxxxxx> ?/help
[Special telnet escape help]
^^ B sends telnet BREAK
^^ C sends telnet IP
^^ H sends telnet EC
^^ O sends telnet AO
^^ T sends telnet AYT
^^ U sends telnet EL
?/help suspends the session (return to system command prompt)
Several concurrent Telnet sessions can be opened, enabling switching between
the sessions. To open a subsequent session, the current connection has to be
suspended by pressing the escape sequence keys (Ctrl-shift-6) and x to return to
the system command prompt. Then open a new connection with the telnet EXEC
mode command.
This command lists concurrent Telnet connections to remote hosts that were
opened by the current Telnet session to the local device. It does not list Telnet
connections to remote hosts that were opened by other Telnet sessions.
Keywords Table

/echo
    Enables local echo.

/quiet
    Prevents onscreen display of all messages from the software.

/source-interface
    Specifies the source interface.

/stream
    Turns on stream processing, which enables a raw TCP stream with no
    Telnet control sequences. A stream connection does not process Telnet
    options and can be appropriate for connections to ports running
    UNIX-to-UNIX Copy Program (UUCP) and other non-Telnet protocols.

Ctrl-shift-6 x
    Returns to the System Command Prompt.
Ports Table

Keyword      Description                         Port Number
BGP          Border Gateway Protocol             179
chargen      Character generator                 19
cmd          Remote commands                     514
daytime      Daytime                             13
discard      Discard                             9
domain       Domain Name Service                 53
echo         Echo                                7
exec         Exec                                512
finger       Finger                              79
ftp          File Transfer Protocol              21
ftp-data     FTP data connections                20
gopher       Gopher                              70
hostname     NIC hostname server                 101
ident        Ident Protocol                      113
irc          Internet Relay Chat                 194
klogin       Kerberos login                      543
kshell       Kerberos shell                      544
login        Login                               513
lpd          Printer service                     515
nntp         Network News Transport Protocol     119
pim-auto-rp  PIM Auto-RP                         496
pop2         Post Office Protocol v2             109
pop3         Post Office Protocol v3             110
smtp         Simple Mail Transport Protocol      25
sunrpc       Sun Remote Procedure Call           111
syslog       Syslog                              514
tacacs       TAC Access Control System           49
talk         Talk                                517
telnet       Telnet                              23
time         Time                                37
uucp         Unix-to-Unix Copy Program           540
whois        Nickname                            43
www          World Wide Web                      80
Example
The following example displays logging in to IP address 176.213.10.50 via Telnet.
switchxxxxxx> telnet 176.213.10.50
26.4 traceroute
To display the routes that packets will take when traveling to their destination, use
the traceroute EXEC mode command.
Syntax
traceroute ip {ipv4-address | hostname} [size packet_size] [ttl max-ttl] [count
packet_count] [timeout time_out] [source ip-address]
traceroute ipv6 {ipv6-address | hostname} [size packet_size] [ttl max-ttl] [count
packet_count] [timeout time_out] [source ip-address]
Parameters
• ip—Use IPv4 to discover the route.
• ipv6—Use IPv6 to discover the route.
• ipv4-address—IPv4 address of the destination host.
• ipv6-address—IPv6 address of the destination host.
• hostname—Hostname of the destination host (Length: 1-158 characters.
Maximum label size for each part of the host name: 58.)
• size packet_size—Number of bytes in the packet not including the VLAN
tag. The default is 64 bytes. (IPv4: 64-1518, IPv6: 68-1518)
• ttl max-ttl—The largest TTL value that can be used. The default is 30. The
traceroute command terminates when the destination is reached or when
this value is reached. (Range: 1–255)
• count packet_count—The number of probes to be sent at each TTL level.
The default count is 3. (Range: 1–10)
• timeout time_out—The number of seconds to wait for a response to a probe
packet. The default is 3 seconds. (Range: 1–60)
• source ip-address—One of the interface addresses of the device to use as
a source address for the probes. The device selects the optimal source
address by default. (Range: Valid IP address)
Default Usage
N/A
Command Mode
Privileged EXEC mode
User Guidelines
The traceroute command works by taking advantage of the error messages
generated by routers when a datagram exceeds its time-to-live (TTL) value.
The traceroute command starts by sending probe datagrams with a TTL value of
one. This causes the first router to discard the probe datagram and send back an
error message. The traceroute command sends several probes at each TTL level
and displays the round-trip time for each.
The traceroute command sends out one probe at a time. Each outgoing packet can
result in one or two error messages. A "time exceeded" error message indicates
that an intermediate router has seen and discarded the probe. A "destination
unreachable" error message indicates that the destination node has received the
probe and discarded it because it could not deliver the packet. If the timer goes
off before a response comes in, the traceroute command prints an asterisk (*).
The traceroute command terminates when the destination responds, when the
maximum TTL is exceeded, or when the user interrupts the trace with Esc.
The traceroute ipv6 command is not relevant to IPv6 link local addresses.
Example
switchxxxxxx> traceroute ip umaxp1.physics.lsa.umich.edu
Type Esc to abort.
Tracing the route to umaxp1.physics.lsa.umich.edu (141.211.101.64)
1 i2-gateway.stanford.edu (192.68.191.83) 0 msec 0 msec 0 msec
2 STAN.POS.calren2.NET (171.64.1.213) 0 msec 0 msec 0 msec
3 SUNV--STAN.POS.calren2.net (198.32.249.73) 1 msec 1 msec 1 msec
4 Abilene--QSV.POS.calren2.net (198.32.249.162) 1 msec 1 msec 1 msec
5 kscyng-snvang.abilene.ucaid.edu (198.32.8.103) 33 msec 35 msec 35 msec
6 iplsng-kscyng.abilene.ucaid.edu (198.32.8.80) 47 msec 45 msec 45 msec
7 so-0-2-0x1.aa1.mich.net (192.122.183.9) 56 msec 53 msec 54 msec
8 atm1-0x24.michnet8.mich.net (198.108.23.82) 56 msec 56 msec 57 msec
9 * * *
10 A-ARB3-LSA-NG.c-SEB.umnet.umich.edu (141.211.5.22) 58 msec 58 msec 58 msec
11 umaxp1.physics.lsa.umich.edu (141.211.101.64) 62 msec 63 msec 63 msec
Trace completed
The following table describes the significant fields shown in the display:

Field                    Description
1                        Indicates the sequence number of the router in the
                         path to the host.
i2-gateway.stanford.edu  Host name of this router.
192.68.191.83            IP address of this router.
1 msec 1 msec 1 msec     Round-trip time for each of the probes that are sent.

The following are characters that can appear in the traceroute command output:

Character  Description
*          The probe timed out.
?          Unknown packet type.
A          Administratively unreachable. Usually, this output indicates that
           an access list is blocking traffic.
F          Fragmentation required and DF is set.
H          Host unreachable.
N          Network unreachable.
P          Protocol unreachable.
Q          Source quench.
R          Fragment reassembly time exceeded.
S          Source route failed.
U          Port unreachable.
27
IPv4 IPM Router Commands
27.1 ip multicast-routing
To enable IPv4 Multicast routing on all IP-enabled interfaces of the router and to
enable Multicast forwarding, use the ip multicast-routing command in global
configuration mode. To stop Multicast routing and forwarding, use the no form of
this command.
Syntax
ip multicast-routing igmp-proxy
no ip multicast-routing
Parameters
• igmp-proxy—Enable Multicast routing using IGMP Proxy.
Default Configuration
Multicast routing is not enabled.
Command Mode
Global Configuration mode
User Guidelines
Use the ip multicast-routing command with the parameter that specifies the
required IP Multicast routing protocol.
To forward IPv4 Multicast packets on an interface, IPv4 Multicast forwarding must
be enabled globally and an IPv4 Multicast routing protocol must be enabled on the
interface.
Example
The following example enables IP Multicast routing using IGMP Proxy:
switchxxxxxx(config)# ip multicast-routing igmp-proxy
27.2 ip multicast ttl-threshold
To configure the time-to-live (TTL) threshold of packets being forwarded out an
interface, use the ip multicast ttl-threshold command in Interface Configuration
mode. To return to the default TTL threshold, use the no form of this command.
Syntax
ip multicast ttl-threshold ttl-value
no ip multicast ttl-threshold
Parameters
• ttl-value—Time-to-live value, in hops. It can be a value from 0 to 256.
Default Configuration
The default TTL value is 0.
Command Mode
Interface Configuration mode
User Guidelines
Multicast packets with a TTL value less than the threshold will not be forwarded
on the interface.
The default value of 0 means all Multicast packets are forwarded on the interface.
A value of 256 means that no Multicast packets are forwarded on the interface.
You should configure the TTL threshold only on border routers. Conversely, routers
on which you configure a TTL threshold value automatically become border
routers.
Example
The following example sets the TTL threshold on a border router to 200:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ip multicast ttl-threshold 200
switchxxxxxx(config-if)# exit
27.3 show ip mroute
To display the contents of the Multicast routing (mroute) table, use the show ip
mroute command in user EXEC or privileged EXEC mode.
Syntax
show ip mroute [group-address [source-address]] [summary]
Parameters
• group-address—Destination Multicast IP address.
• source-address—Source IP address.
• summary—Filters the output to display a one-line, abbreviated summary of
each entry in the mroute table.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ip mroute command to display information about Mroute entries in
the mroute table. The switch populates the Multicast routing table by creating (S,
G) entries from (*, G) entries. The asterisk (*) refers to all source addresses, the “S”
refers to a single source address, and the “G” is the destination Multicast group
address. In creating (S, G) entries, the switch uses the best path to that destination
group found in the Unicast routing table (that is, through Reverse Path Forwarding
[RPF]).
Examples
Description of Significant fields in the examples below
Timers:Uptime/Expires—“Uptime” indicates per interface how long (in hours,
minutes, and seconds) the entry has been in the IP Multicast routing table.
“Expires” indicates per interface how long (in hours, minutes, and seconds) until
the entry will be removed from the IP Multicast routing table.
(*, 224.0.255.1) and (192.168.37.100/32, 224.0.255.1)—Entry in the IP Multicast
routing table. The entry consists of the IP address of the source router followed by
the IP address of the Multicast group. An asterisk (*) in place of the source router
indicates all sources.
Entries in the first format are referred to as (*, G) or “star comma G” entries. Entries
in the second format are referred to as (S, G) or “S comma G” entries. (*, G) entries
are used to build (S, G) entries.
Incoming interface—Expected interface for a Multicast packet from the source. If
the packet is not received on this interface, it is discarded.
Outgoing Interface List (OIF)—Interfaces through which packets will be
forwarded.
Example 1. The following is sample output from the show ip mroute command with
the summary keyword:
switchxxxxxx# show ip mroute summary
Timers: Uptime/Expires
IP Multicast Routing Table
(172.16.160.67/32, 224.2.127.254), 00:02:46/00:00:12, OIF count:2
(172.16.244.217/32, 224.2.127.254), 00:02:15/00:00:40, OIF count:
(172.16.8.33/32, 224.2.127.254), 00:00:25/00:02:32, OIF count:2
(172.16.2.62/32, 224.2.127.254), 00:00:51/00:02:03, OIF count:2
(172.16.8.3/32, 224.2.127.254), 00:00:26/00:02:33, OIF count:2
(172.16.60.189/32, 224.2.127.254), 00:03:47/00:00:46, OIF count:2
Example 2. The following is sample output from the show ip mroute command:
switchxxxxxx# show ip mroute
Timers: Uptime/Expires
IP Multicast Routing Table
(*, 224.0.255.3), 5:29:15/00:03:01
Incoming interface: vlan2
Outgoing interface list:
vlan100, 5:29:15/0:02:57
(192.168.46.0/24, 224.0.255.3), 05:29:15/00:02:59
Incoming interface: vlan2
Outgoing interface list:
vlan5, 05:29:15/00:02:57
27.4 show ip multicast
To display general information about IP Multicast configuration, use the show ip
multicast command in user EXEC or privileged EXEC mode.
Syntax
show ip multicast [interface interface-id]
Parameters
• interface—Displays IP Multicast-related information about an interface
configured for IP Multicast.
• interface-id—Interface identifier for which to display IP Multicast
information.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ip multicast command without the interface keyword to display
general information about the state of IP Multicast on the router.
Use the show ip multicast command with the interface keyword to display the IP
Multicast information about the specified interface.
Examples
Example 1. The following is sample output from the show ip multicast command
without the interface keyword when no IP Multicast Routing protocol is enabled:
switchxxxxxx# show ip multicast
IP Unicast Forwarding: enabled
IP Multicast Protocol: No
Example 2. The following is sample output from the show ip multicast command
without the interface keyword when IGMP Proxy is enabled:
switchxxxxxx# show ip multicast
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
Example 3. The following is sample output from the show ip multicast command
about the given interface. IGMP Proxy is enabled on the interface and the interface
is an IGMP Proxy Upstream interface:
switchxxxxxx# show ip multicast interface vlan 200
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
vlan 200
TTL-threshold: 0
IGMP Protocol: IGMPv3
IGMP Proxy: Upstream
Example 4. The following is sample output from the show ip multicast command
about the given interface. IGMP Proxy is enabled on the interface and the interface
is an IGMP Proxy Downlink interface:
switchxxxxxx# show ip multicast interface vlan 100
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGP Proxy
vlan 200
TTL-threshold: 0
IGMP Protocol: IGMPv3
IGMP Proxy: DownStream (Upstream: vlan 200)
Example 5. The following is sample output from the show ip multicast command
about the given interface. IGMP Proxy is disabled on the interface:
switchxxxxxx# show ip multicast interface vlan 100
IP Unicast Forwarding: enabled
IP Multicast Protocol: IGMP Proxy
vlan 200
IP Status: enabled
hop-threshold: 100
IGMP Protocol: IGMPv3
IGMP Proxy: disabled
28
IPv6 Commands
28.1 clear ipv6 neighbors
Use the clear ipv6 neighbors command in privileged EXEC mode to delete all
entries in the IPv6 neighbor discovery cache, except static entries.
Syntax
clear ipv6 neighbors
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
Example
The following example deletes all entries, except static entries, in the neighbor
discovery cache:
switchxxxxxx# clear ipv6 neighbors
28.2 ipv6 address
Use the ipv6 address command in Interface Configuration mode to configure a
global unicast IPv6 address based on an IPv6 general prefix and enable IPv6
processing on an interface. To remove the address from the interface, use the no
form of this command.
Syntax
ipv6 address ipv6-address/prefix-length
no ipv6 address [ipv6-address/prefix-length]
Parameters
• ipv6-address—Specifies the global unicast IPv6 address assigned to the
interface. This argument must be in the form documented in RFC4293
where the address is specified in hexadecimal using 16-bit values between
colons.
• prefix-length—The length of the IPv6 prefix. A decimal value that indicates
how many of the high-order contiguous bits of the address comprise the
prefix (the network portion of the address). A slash mark must precede the
decimal value.
Default Configuration
No IP address is defined for the interface.
Command Mode
Interface Configuration mode
User Guidelines
The ipv6 address command cannot be applied to define an IPv6 address on an
ISATAP interface.
Using the no ipv6 address command without arguments removes all
manually configured IPv6 addresses from an interface, including manually
configured link-local addresses.
Example
The following example defines the IPv6 global address 2001:DB8:2222:7272::72
on vlan 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 address 2001:DB8:2222:7272::72/64
switchxxxxxx(config-if)# exit
28.3 ipv6 address anycast
Use the ipv6 address anycast command in Interface Configuration mode to
configure a global unicast IPv6 Anycast address and enable IPv6 processing on an
interface. To remove the address from the interface, use the no form of this
command.
Syntax
ipv6 address ipv6-prefix/prefix-length anycast
no ipv6 address [ipv6-prefix/prefix-length]
Parameters
• ipv6-address—Specifies the global unicast IPv6 address assigned to the
interface. This argument must be in the form documented in RFC4293
where the address is specified in hexadecimal using 16-bit values between
colons.
• prefix-length—The length of the IPv6 prefix. A decimal value that indicates
how many of the high-order contiguous bits of the address comprise the
prefix (the network portion of the address). A slash mark must precede the
decimal value.
Default Configuration
No IP address is defined for the interface.
Command Mode
Interface Configuration mode
User Guidelines
An Anycast address is an address that is assigned to a set of interfaces that
typically belong to different nodes. A packet sent to an Anycast address is
delivered to the closest interface—as defined by the routing protocols in use—
identified by the Anycast address. Anycast addresses are syntactically
indistinguishable from Unicast addresses because Anycast addresses are
allocated from the Unicast address space. Nodes to which the Anycast address is
assigned must be explicitly configured to recognize that the address is an Anycast
address.
Anycast addresses can be used only by a router, not a host, and Anycast
addresses must not be used as the source address of an IPv6 packet.
The subnet router Anycast address has a prefix concatenated by a series of zeros
(the interface ID). The subnet router Anycast address can be used to reach a router
on the link that is identified by the prefix in the subnet router Anycast address.
The ipv6 address anycast command cannot be applied to define an IPv6 address
on an ISATAP interface.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on the interface, assigns the
prefix 2001:0DB8:1:1::/64 to the interface, and configures the IPv6 Anycast
address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:1:1:FFFF:FFFF:FFFF:FFFE/64
anycast
switchxxxxxx(config-if)# exit
28.4 ipv6 address autoconfig
Use the ipv6 address autoconfig command in Interface Configuration mode to
enable automatic configuration of IPv6 addresses using stateless auto
configuration on an interface and enable IPv6 processing on the interface.
Addresses are configured depending on the prefixes received in Router
Advertisement messages. To disable automatic configuration of IPv6 addresses
and to remove the automatically configured address from the interface, use the no
form of this command.
Syntax
ipv6 address autoconfig
no ipv6 address autoconfig
Parameters
N/A.
Default Configuration
Stateless auto-configuration is enabled.
Command Mode
Interface Configuration mode
User Guidelines
This command enables IPv6 on an interface (if it was disabled) and causes the
switch to perform IPv6 stateless address auto-configuration to discover prefixes
on the link and then to add the EUI-64 based addresses to the interface.
Stateless auto-configuration is applied only when IPv6 forwarding is disabled.
When IPv6 forwarding is changed from disabled to enabled and stateless
auto-configuration is enabled, the switch stops stateless auto-configuration and
removes all stateless auto-configured IPv6 addresses from all interfaces.
When IPv6 forwarding is changed from enabled to disabled and stateless
auto-configuration is enabled, the switch resumes stateless auto-configuration.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example assigns the IPv6 address automatically:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 address autoconfig
switchxxxxxx(config-if)# exit
28.5 ipv6 address eui-64
Use the ipv6 address eui-64 command in Interface Configuration mode to
configure a global unicast IPv6 address for an interface and enable IPv6
processing on the interface, using an EUI-64 interface ID in the low-order 64 bits
of the address. To remove the address from the interface, use the no form of this
command.
Syntax
ipv6 address ipv6-prefix/prefix-length eui-64
no ipv6 address [ipv6-prefix/prefix-length eui-64]
Parameters
• ipv6-prefix—Specifies the global unicast IPv6 address assigned to the
interface. This argument must be in the form documented in RFC4293
where the address is specified in hexadecimal using 16-bit values between
colons.
• prefix-length—The length of the IPv6 prefix. A decimal value that indicates
how many of the high-order contiguous bits of the address comprise the
prefix (the network portion of the address). A slash mark must precede the
decimal value.
Default Configuration
No IP address is defined for the interface.
Command Mode
Interface Configuration mode
User Guidelines
If the value specified for the prefix-length argument is greater than 64 bits, the
prefix bits have precedence over the interface ID.
The IPv6 address is built from ipv6-prefix and the EUI-64 Interface ID in the
following way:
• The first prefix-length bits are taken from ipv6-prefix.
• If prefix-length < 64 then
  - The following (64-prefix-length) bits are filled by 0s.
  - The last 64 bits are taken from the EUI-64 Interface ID.
• If prefix-length equals 64 then the following 64 bits are taken from the
  EUI-64 Interface ID.
• If prefix-length > 64 then the following (128-prefix-length) bits are taken from
  the last (64-(prefix-length-64)) bits of the EUI-64 Interface ID.
If the switch detects another host using one of its IPv6 addresses, it adds the IPv6
address and displays an error message on the console.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on VLAN 1, configures IPv6 global
address 2001:0DB8:0:1::/64 and specifies an EUI-64 interface ID in the low order
64 bits of the address:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:0:1::/64 eui-64
switchxxxxxx(config-if)# exit
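The three prefix-length cases from the user guidelines, worked in code: an added Python example (not from the Cisco guide) that derives the Modified EUI-64 interface ID from a MAC address and combines it with the prefix exactly as the rules above state. The MAC address is constructed; it is the one whose EUI-64 form appears in the guide's link-local example FE80::260:3EFF:FE11:6770, and the 1 to 127 prefix-length check is this example's own assumption, not a range the guide gives.

```python
import ipaddress

# Added example, not from the Cisco guide: builds the address that
# "ipv6 address ipv6-prefix/prefix-length eui-64" derives, following the
# prefix-length < 64, = 64 and > 64 rules in the user guidelines.


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC.

    The 24-bit OUI and the 24-bit device part are split, FF:FE is inserted
    between them, and the universal/local bit (bit 1 of the first octet)
    is inverted. Returns the 64-bit value as an int.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def eui64_address(ipv6_prefix: str, prefix_length: int, mac: str) -> str:
    """Combine the first prefix_length bits of ipv6_prefix with the EUI-64
    interface ID the way the ipv6 address ... eui-64 command does."""
    if not 1 <= prefix_length <= 127:          # assumption of this example
        raise ValueError("prefix-length must be between 1 and 127")
    prefix_bits = int(ipaddress.IPv6Address(ipv6_prefix))
    iid = eui64_interface_id(mac)

    # The first prefix-length bits are taken from ipv6-prefix; every bit
    # below them starts out as zero.
    keep = ((1 << prefix_length) - 1) << (128 - prefix_length)
    addr = prefix_bits & keep

    if prefix_length <= 64:
        # prefix-length < 64: the next (64 - prefix-length) bits are zero
        # and the last 64 bits are the interface ID.
        # prefix-length = 64: the following 64 bits are the interface ID.
        # Both cases are the same OR because the low 64 bits are still zero.
        addr |= iid
    else:
        # prefix-length > 64: only (128 - prefix-length) bits remain, taken
        # from the last (64 - (prefix-length - 64)) bits of the interface ID;
        # the prefix bits take precedence over the rest of the interface ID.
        remaining = 128 - prefix_length
        addr |= iid & ((1 << remaining) - 1)

    return str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    # Constructed MAC whose EUI-64 form is 260:3EFF:FE11:6770.
    mac = "00:60:3E:11:67:70"
    for prefix, plen in (("2001:0DB8:0:1::", 64),     # the guide's example
                         ("2001:DB8:1::", 48),        # prefix-length < 64
                         ("2001:DB8:0:1:AB00::", 72)):  # prefix-length > 64
        print(f"{prefix}/{plen} eui-64 -> {eui64_address(prefix, plen, mac)}")
```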
28.6 ipv6 address link-local
Use the ipv6 address link-local command in Interface Configuration mode to
configure an IPv6 link local address for an interface and enable IPv6 processing on
the interface. To remove the manually configured link local address from the
interface, use the no form of this command.
Syntax
ipv6 address ipv6-prefix link-local
no ipv6 address [link-local]
Parameters
• ipv6-address—Specifies the IPv6 network assigned to the interface. This
argument must be in the form documented in RFC4293 where the address
is specified in hexadecimal using 16-bit values between colons.
Default Configuration
The default Link-local address is defined.
Command Mode
Interface Configuration mode
User Guidelines
The switch automatically generates a link local address for an interface when IPv6
processing is enabled on the interface, typically when an IPv6 address is
configured on the interface. To manually specify a link local address to be used by
an interface, use the ipv6 address link-local command.
The ipv6 address link-local command cannot be applied to define an IPv6 address
on an ISATAP interface.
Using the no form of the ipv6 address command without arguments removes all
manually-configured IPv6 addresses from an interface, including link local
manually-configured addresses.
Example
The following example enables IPv6 processing on VLAN 1 and configures
FE80::260:3EFF:FE11:6770 as the link local address for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address FE80::260:3EFF:FE11:6770 link-local
switchxxxxxx(config-if)# exit
28.7 ipv6 default-gateway
Use the ipv6 default-gateway Global Configuration mode command to define an
IPv6 default gateway. To remove the IPv6 default gateway, use the no form of this
command.
Syntax
ipv6 default-gateway ipv6-address | interface-id
no ipv6 default-gateway ipv6-address | interface-id
Parameters
• ipv6-address—Specifies the IPv6 address of an IPv6 router that can be
used to reach a network.
• interface-id—Specifies the Interface Identifier of the outgoing interface that
can be used to reach a network. This argument can be applied only to
point-to-point interfaces (manual IPv6 over IPv4 tunnels).
Default Configuration
No default gateway is defined.
Command Mode
Global Configuration mode
User Guidelines
The command is an alias of the ipv6 route command with the predefined (default)
route:
ipv6 route ::/0 ipv6-address | interface-id
See the definition of the ipv6 route command for details.
Examples
Example 1. The following example defines a default gateway with a global IPv6
address:
switchxxxxxx(config)# ipv6 default-gateway 5::5
Example 2. The following example defines a default gateway with a link-local IPv6
address:
switchxxxxxx(config)# ipv6 default-gateway FE80::260:3EFF:FE11:6770%vlan1
Example 3. The following example defines a default gateway on manual tunnel 1:
switchxxxxxx(config)# ipv6 default-gateway tunnel1
28.8 ipv6 enable
Use the ipv6 enable command in Interface Configuration mode to enable IPv6
processing on an interface.
To disable IPv6 processing on an interface that has not been configured with an
explicit IPv6 address, use the no form of this command.
Syntax
ipv6 enable
no ipv6 enable
Parameters
N/A.
Default Configuration
IPv6 interface is disabled.
Command Mode
Interface Configuration mode
User Guidelines
This command automatically configures an IPv6 link-local Unicast address on the
interface while also enabling the interface for IPv6 processing. The no ipv6 enable
command does not disable IPv6 processing on an interface that is configured with
an explicit IPv6 address.
Example
The following example enables VLAN 1 for the IPv6 addressing mode.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 enable
switchxxxxxx(config-if)# exit
28.9 ipv6 hop-limit
Use the ipv6 hop-limit command in Global Configuration mode to configure the
maximum number of hops used in all IPv6 packets that are originated by the router.
To return the hop limit to its default value, use the no form of this command.
Syntax
ipv6 hop-limit value
no ipv6 hop-limit
Parameters
• value—Maximum number of hops. The acceptable range is from 1 to 255.
Default Configuration
The default is 64 hops.
Command Mode
Global Configuration mode
Example
The following example configures a maximum number of 15 hops for all IPv6
packets that are originated from the router:
switchxxxxxx(config)# ipv6 hop-limit 15
28.10 ipv6 icmp error-interval
Use the ipv6 icmp error-interval command in Global Configuration mode to
configure the interval and bucket size for IPv6 ICMP error messages. To return the
interval to its default setting, use the no form of this command.
Syntax
ipv6 icmp error-interval milliseconds [bucketsize]
no ipv6 icmp error-interval
Parameters
• milliseconds—Time interval between tokens being placed in the bucket.
Each token represents a single ICMP error message. The acceptable range
is from 0 to 2147483647. A value of 0 disables ICMP rate limiting.
• bucketsize—Maximum number of tokens stored in the bucket. The
acceptable range is from 1 to 200.
Default Configuration
The default interval is 100 ms and the default bucketsize is 10, i.e., 100 ICMP error
messages per second.
Command Mode
Global Configuration mode
User Guidelines
Use this command to limit the rate at which IPv6 ICMP error messages are sent. A
token bucket algorithm is used with one token representing one IPv6 ICMP error
message. Tokens are placed in the virtual bucket at a specified interval until the
maximum number of tokens allowed in the bucket is reached.
The milliseconds argument specifies the time interval between tokens arriving in
the bucket. The optional bucketsize argument is used to define the maximum
number of tokens allowed in the bucket. Tokens are removed from the bucket
when IPv6 ICMP error messages are sent, which means that if the bucketsize is
set to 20, a rapid succession of 20 IPv6 ICMP error messages can be sent. When
the bucket is empty of tokens, IPv6 ICMP error messages are not sent until a new
token is placed in the bucket.
Average Packets Per Second = (1000/ milliseconds) * bucketsize.
To disable ICMP rate limiting, set the milliseconds argument to zero.
Example
The following example shows an interval of 50 milliseconds and a bucket size of
20 tokens being configured for IPv6 ICMP error messages:
switchxxxxxx(config)# ipv6 icmp error-interval 50 20
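The token-bucket behaviour described above, as an added Python model (not code from the switch or from Cisco): one token per IPv6 ICMP error message, one token added every milliseconds, at most bucketsize tokens held, and milliseconds 0 disabling the limit. Simulated time is passed in explicitly so it runs offline, and average_pps applies the formula exactly as the reference states it.

```python
"""Token-bucket model of the ipv6 icmp error-interval rate limiter.

Added illustration, not the switch's own code. It follows the behaviour the
command reference describes: one token per IPv6 ICMP error message, one token
placed in the bucket every `milliseconds`, at most `bucketsize` tokens held,
and milliseconds == 0 disabling rate limiting. Time is a simulated clock in ms.
"""
from __future__ import annotations


class Icmp6ErrorLimiter:
    def __init__(self, milliseconds: int = 100, bucketsize: int = 10) -> None:
        # Accepted ranges from the command reference: 0..2147483647 and 1..200.
        if not 0 <= milliseconds <= 2147483647:
            raise ValueError("milliseconds out of range")
        if not 1 <= bucketsize <= 200:
            raise ValueError("bucketsize out of range")
        self.milliseconds = milliseconds
        self.bucketsize = bucketsize
        self.tokens = bucketsize      # the bucket starts full
        self.last_refill_ms = 0       # simulated clock of the last refill
        self.sent = 0
        self.suppressed = 0

    def _refill(self, now_ms: int) -> None:
        """Add one token per elapsed interval, capped at bucketsize."""
        elapsed = now_ms - self.last_refill_ms
        new_tokens = elapsed // self.milliseconds
        if new_tokens:
            self.tokens = min(self.bucketsize, self.tokens + new_tokens)
            # Carry the remainder of a partial interval into the next call.
            self.last_refill_ms += new_tokens * self.milliseconds

    def try_send(self, now_ms: int) -> bool:
        """Return True if an ICMPv6 error may be sent at simulated time now_ms."""
        if self.milliseconds == 0:    # a value of 0 disables rate limiting
            self.sent += 1
            return True
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.suppressed += 1          # bucket empty: message is not sent
        return False


def average_pps(milliseconds: int, bucketsize: int) -> float | None:
    """Average Packets Per Second = (1000 / milliseconds) * bucketsize,
    as given in the command reference. None means 'not limited'."""
    if milliseconds == 0:
        return None
    return (1000 / milliseconds) * bucketsize


def simulate_burst(limiter: Icmp6ErrorLimiter, n: int, at_ms: int = 0) -> int:
    """Offer n error messages at the same instant; return how many were sent."""
    return sum(limiter.try_send(at_ms) for _ in range(n))


if __name__ == "__main__":
    # Constructed scenario using the reference's example values: 50 ms, 20 tokens.
    lim = Icmp6ErrorLimiter(milliseconds=50, bucketsize=20)
    print("burst of 30 at t=0 ->", simulate_burst(lim, 30), "sent")   # 20
    print("at t=49 ms ->", lim.try_send(49))                          # False
    print("at t=50 ms ->", lim.try_send(50))                          # True
    print("average pps per the formula:", average_pps(50, 20))        # 400.0
```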
28.11 ipv6 link-local default zone
Use the ipv6 link-local default zone command in Global Configuration mode to
configure the interface used to egress a link-local packet that is sent without
a specified interface or with the default zone 0.
Use the no form of this command to return the default link-local interface to
its default value.
Syntax
ipv6 link-local default zone interface-id
no ipv6 link-local default zone
Parameters
• interface-id—Specifies the interface that is used as the egress interface for
packets sent without a specified IPv6Z interface identifier or with the
default 0 identifier.
Default
By default, link local default zone is disabled.
Command Mode
Global Configuration mode
Example
The following example defines VLAN 1 as a default zone:
switchxxxxxx(config)# ipv6 link-local default zone vlan1
28.12 ipv6 nd advertisement-interval
Use the ipv6 nd advertisement-interval in Interface Configuration mode to
configure the advertisement interval option in router advertisements (RAs).
To reset the interval to the default value, use the no form of this command.
Syntax
ipv6 nd advertisement-interval
no ipv6 nd advertisement-interval
Parameters
N/A.
Default Configuration
Advertisement interval option is not sent.
Command Mode
Interface Configuration mode
User Guidelines
Use the ipv6 nd advertisement-interval command to indicate to a visiting mobile
node the interval at which that node may expect to receive RAs. The node may
use this information in its movement detection algorithm.
Example
The following example enables the advertisement interval option to be sent in
RAs:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd advertisement-interval
switchxxxxxx(config-if)# exit
28.13 ipv6 nd dad attempts
Use the ipv6 nd dad attempts command in Interface Configuration mode to
configure the number of consecutive neighbor solicitation messages that are sent
on an interface while duplicate address detection is performed on the Unicast
IPv6 addresses of the interface.
To return the number of messages to the default value, use the no form of this
command.
Syntax
ipv6 nd dad attempts value
no ipv6 nd dad attempts
Parameters
• value—The number of neighbor solicitation messages. The acceptable
range is from 0 to 600. Configuring a value of 0 disables duplicate address
detection processing on the specified interface; a value of 1 configures a
single transmission without follow-up transmissions.
Default Configuration
1
Command Mode
Interface Configuration mode
User Guidelines
Duplicate address detection verifies the uniqueness of new Unicast IPv6
addresses before the addresses are assigned to interfaces (the new addresses
remain in a tentative state while duplicate address detection is performed).
Duplicate address detection uses neighbor solicitation messages to verify the
uniqueness of Unicast IPv6 addresses.
The DupAddrDetectTransmits node configuration variable (as specified in RFC
4862, IPv6 Stateless Address Autoconfiguration) is used to automatically
determine the number of consecutive neighbor solicitation messages that are sent
on an interface, while duplicate address detection is performed on a tentative
Unicast IPv6 address.
The interval between duplicate address detection neighbor solicitation messages
(the duplicate address detection timeout interval) is specified by the neighbor
discovery-related variable RetransTimer (as specified in RFC 4861, Neighbor
Discovery for IPv6), which is used to determine the time between retransmissions
of neighbor solicitation messages to a neighbor when resolving the address or
when probing the reachability of a neighbor. This is the same management
variable used to specify the interval for neighbor solicitation messages during
address resolution and neighbor unreachability detection. Use the ipv6 nd
ns-interval command to configure the interval between neighbor solicitation
messages that are sent during duplicate address detection.
Duplicate address detection is suspended on interfaces that are administratively
down. While an interface is administratively down, the Unicast IPv6 addresses
assigned to the interface are set to a pending state. Duplicate address detection is
automatically restarted on an interface when the interface returns to being
administratively up.
An interface returning to administratively up restarts duplicate address detection
for all of the Unicast IPv6 addresses on the interface. While duplicate address
detection is performed on the link-local address of an interface, the state for the
other IPv6 addresses is still set to TENTATIVE. When duplicate address detection
is completed on the link-local address, duplicate address detection is performed
on the remaining IPv6 addresses.
When duplicate address detection identifies a duplicate address, the state of the
address is set to DUPLICATE and the address is not used. If the duplicate address
is the link-local address of the interface, the processing of IPv6 packets is
disabled on the interface and an error SYSLOG message is issued.
If the duplicate address is a global address of the interface, the address is not
used and an error SYSLOG message is issued.
All configuration commands associated with the duplicate address remain as
configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is
performed on the new link-local address and all of the other IPv6 addresses
associated with the interface are regenerated (duplicate address detection is
performed only on the new link-local address).
Note. Since DAD is not supported on NBMA interfaces, the command is accepted
but has no effect on an IPv6 tunnel interface of the ISATAP type. The
configuration is saved and takes effect when the interface type is changed to
another type on which DAD is supported (for example, to the IPv6 manual
tunnel).
Example
The following example configures five consecutive neighbor solicitation
messages to be sent on VLAN 1 while duplicate address detection is being
performed on the tentative Unicast IPv6 address of the interface. The example
also disables duplicate address detection processing on VLAN 2.
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd dad attempts 5
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ipv6 nd dad attempts 0
switchxxxxxx(config-if)# exit
28.14 ipv6 nd hop-limit
Use the ipv6 nd hop-limit command in Interface Configuration mode to configure the
maximum number of hops used in router advertisements.
To return the hop limit to its default value, use the no form of this command.
Syntax
ipv6 nd hop-limit value
no ipv6 nd hop-limit
Parameters
• value—Maximum number of hops. The acceptable range is from 1 to 255.
Default Configuration
The default value is defined by the ipv6 hop-limit command, or is 64 hops if
that command was not configured.
Command Mode
Interface Configuration mode
User Guidelines
Use this command if you want to change the default value. The default value is
defined by the ipv6 hop-limit command.
Example
The following example configures a maximum number of 15 hops for router
advertisements on VLAN 2:
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ipv6 nd hop-limit 15
switchxxxxxx(config-if)# exit
28.15 ipv6 nd managed-config-flag
Use the ipv6 nd managed-config-flag command in Interface Configuration mode
to set the “managed address configuration flag” in IPv6 router advertisements.
To clear the flag from IPv6 router advertisements, use the no form of this
command.
Syntax
ipv6 nd managed-config-flag
no ipv6 nd managed-config-flag
Parameters
N/A.
Default Configuration
The Managed Address Configuration flag is not set in IPv6 router
advertisements.
Command Mode
Interface Configuration mode
User Guidelines
Setting the Managed Address Configuration flag in IPv6 router advertisements
indicates to attached hosts whether they should use stateful autoconfiguration to
obtain addresses. If this flag is set, the attached hosts should use stateful
autoconfiguration to obtain addresses, and if it is not set, the attached hosts
should not use stateful autoconfiguration to obtain addresses.
Hosts may use stateful and stateless address autoconfiguration simultaneously.
Example
The following example configures the Managed Address Configuration flag in IPv6
router advertisements on VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd managed-config-flag
switchxxxxxx(config-if)# exit
28.16 ipv6 nd ns-interval
Use the ipv6 nd ns-interval command in Interface Configuration mode to configure
the interval between IPv6 neighbor solicitation retransmissions on an interface.
To restore the default interval, use the no form of this command.
Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval
Parameters
• milliseconds—Interval between IPv6 neighbor solicit transmissions. The
acceptable range is from 1000 to 3600000 milliseconds.
Default Configuration
0 seconds (unspecified) is advertised in router advertisements and the value 1000
milliseconds is used for the neighbor discovery activity of the router itself.
Command Mode
Interface Configuration mode
User Guidelines
This value will be included in all IPv6 router advertisements sent out this interface.
Very short intervals are not recommended in normal IPv6 operation. When a
non-default value is configured, the configured time is both advertised and used
by the router itself.
Example
The following example configures an IPv6 neighbor solicit transmission interval of
9000 milliseconds for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ns-interval 9000
switchxxxxxx(config-if)# exit
28.17 ipv6 nd other-config-flag
Use the ipv6 nd other-config-flag command in Interface Configuration mode to set
the Other Stateful configuration flag in IPv6 router advertisements.
To clear the flag from IPv6 router advertisements, use the no form of this
command.
Syntax
ipv6 nd other-config-flag
no ipv6 nd other-config-flag
Parameters
N/A.
Default Configuration
The Other Stateful configuration flag is not set in IPv6 router advertisements.
Command Mode
Interface Configuration mode
User Guidelines
The setting of the Other Stateful configuration flag in IPv6 router advertisements
indicates to attached hosts how they can obtain autoconfiguration information
other than addresses. If the flag is set, the attached hosts should use stateful
autoconfiguration to obtain the other (nonaddress) information.
Note. If the Managed Address Configuration flag is set using the ipv6 nd
managed-config-flag command, then an attached host can use stateful
autoconfiguration to obtain the other (nonaddress) information regardless of the
setting of the Other Stateful configuration flag.
Example
The following example configures the Other Stateful configuration flag in IPv6
router advertisements on VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd other-config-flag
switchxxxxxx(config-if)# exit
28.18 ipv6 nd prefix
Use the ipv6 nd prefix command in Interface Configuration mode to configure
which IPv6 prefixes are included in IPv6 Neighbor Discovery (ND) router
advertisements.
To remove the prefixes, use the no form of this command.
Syntax
ipv6 nd prefix {ipv6-prefix/prefix-length | default} [no-advertise | {[valid-lifetime
preferred-lifetime] [no-autoconfig] [off-link | no-onlink]}]
no ipv6 nd prefix [ipv6-prefix/prefix-length | default]
Parameters
• ipv6-prefix—IPv6 network number to include in router advertisements. This
argument must be in the form documented in RFC4293, where the address
is specified in hexadecimal using 16-bit values between colons.
• /prefix-length—Length of the IPv6 prefix. A decimal value that indicates
how many of the high-order contiguous bits of the address comprise the
prefix (the network portion of the address). A slash mark must precede the
decimal value.
• default—Default values used for automatic advertised prefixes configured
as addresses on the interface using the ipv6 address command.
• no-advertise—Prefix is not advertised.
• valid-lifetime—Remaining length of time, in seconds, that this prefix will
continue to be valid, i.e., time until invalidation. A value of 4,294,967,295
represents infinity. The address generated from an invalidated prefix should
not appear as the destination or source address of a packet.
• preferred-lifetime—Remaining length of time, in seconds, that this prefix will
continue to be preferred, i.e., time until deprecation. A value of
4,294,967,295 represents infinity. The address generated from a
deprecated prefix should no longer be used as a source address in new
communications, but packets received on such an interface are processed
as expected. The preferred-lifetime must not be larger than the
valid-lifetime.
• no-autoconfig—Indicates to hosts on the local link that the specified prefix
cannot be used for IPv6 autoconfiguration. The prefix will be advertised with
the A-bit clear.
• off-link—Configures the specified prefix as off-link. The prefix will be
advertised with the L-bit clear. The prefix will not be inserted into the routing
table as a connected prefix. If the prefix is already present in the routing
table as a connected prefix (for example, because the prefix was also
configured using the ipv6 address command), then it will be removed.
• no-onlink—Configures the specified prefix as not on-link. The prefix will be
advertised with the L-bit clear.
Default Configuration
All prefixes configured on interfaces that originate IPv6 router advertisements are
advertised with a valid lifetime of 2,592,000 seconds (30 days) and a preferred
lifetime of 604,800 seconds (7 days).
Note that by default:
• All prefixes are inserted in the routing table as connected prefixes.
• All prefixes are advertised as on-link (that is, the L-bit is set in the
advertisement).
• All prefixes are advertised as an auto-configuration prefix (that is, the
A-bit is set in the advertisement).
Command Mode
Interface Configuration mode
User Guidelines
This command enables control over the individual parameters per prefix, including
whether the prefix should be advertised.
Use the ipv6 nd prefix ipv6-prefix/prefix-length command to add the prefix to the
Prefix table.
Use the no ipv6 nd prefix ipv6-prefix/prefix-length command to remove the prefix
from the Prefix table.
Use the no ipv6 nd prefix command without the ipv6-prefix/prefix-length
argument to remove all prefixes from the Prefix Table.
Note. The no ipv6 nd prefix command does not return the default values to the
original default values.
The switch supports the following advertisement algorithm:
• Advertise all prefixes that are configured as addresses on the interface
using the parameters defined by the ipv6 nd prefix default command (or the
default values if the command has not been configured), except prefixes that
are placed in the Prefix table (changed (configured) by the ipv6 nd prefix
command).
• Advertise all prefixes configured by the ipv6 nd prefix command without
the no-advertise keyword.
Default Keyword
The default keyword can be used to set default values for automatic advertised
prefixes configured as addresses on the interface using the ipv6 address
command.
Note. These default values are not used as the default values in the ipv6 nd prefix
command.
Use the no ipv6 nd prefix default command to return the default values to the
original default values.
On-Link
When on-link is “on” (by default), the specified prefix is assigned to the link. Nodes
sending traffic to such addresses that contain the specified prefix consider the
destination to be locally reachable on the link. An on-link prefix is inserted into the
routing table as a Connected prefix.
Auto-configuration
When auto-configuration is on (by default), it indicates to hosts on the local link that
the specified prefix can be used for IPv6 auto-configuration.
The configuration options affect the L-bit and A-bit settings associated with the
prefix in the IPv6 ND Router Advertisement, and presence of the prefix in the
routing table, as follows:
• Default: L=1 A=1, In the Routing Table
• no-onlink: L=0 A=1, In the Routing Table
• no-autoconfig: L=1 A=0, In the Routing Table
• no-onlink no-autoconfig: L=0 A=0, In the Routing Table
• off-link: L=0 A=1, Not in the Routing Table
• off-link no-autoconfig: L=0 A=0, Not in the Routing Table
Examples
Example 1. The following example includes the IPv6 prefix 2001:0DB8::/35 in
router advertisements sent out VLAN 1 with a valid lifetime of 1000 seconds and a
preferred lifetime of 900 seconds. The prefix is inserted in the Routing table:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8::/35 1000 900
switchxxxxxx(config-if)# exit
Example 2. The following example advertises the prefix with the L-bit clear:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 address 2001::1/64
switchxxxxxx(config-if)# ipv6 nd prefix 2001::/64 3600 3600 no-onlink
switchxxxxxx(config-if)# exit
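An added Python model (not the switch's own code) of how the ipv6 nd prefix keywords map to the L-bit, A-bit and routing-table presence listed above, including the preferred-lifetime <= valid-lifetime check and the default lifetimes. It also encodes the result as an RFC 4861 Prefix Information option; that wire layout is taken from RFC 4861, not from this guide, and the default keyword is not modelled.

```python
"""Model of the ipv6 nd prefix keywords (L-bit, A-bit, routing table).

Added example, not code from the switch. parse_nd_prefix() takes the argument
string of an 'ipv6 nd prefix' line, applies the keyword rules from the command
reference, and NdPrefix.pio() encodes the result as an RFC 4861 Prefix
Information option (wire layout per RFC 4861 section 4.6.2).
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

DEFAULT_VALID = 2_592_000     # 30 days, default valid lifetime in the reference
DEFAULT_PREFERRED = 604_800   # 7 days, default preferred lifetime in the reference
INFINITY = 4_294_967_295      # lifetime value meaning "infinite"


@dataclass(frozen=True)
class NdPrefix:
    network: ipaddress.IPv6Network
    advertise: bool = True
    valid_lifetime: int = DEFAULT_VALID
    preferred_lifetime: int = DEFAULT_PREFERRED
    on_link: bool = True            # L-bit in the advertisement
    autoconfig: bool = True         # A-bit in the advertisement
    in_routing_table: bool = True   # present as a connected prefix

    def summary(self) -> str:
        """Same wording as the reference's table, e.g. 'L=0 A=1, In the Routing Table'."""
        where = "In" if self.in_routing_table else "Not in"
        return f"L={int(self.on_link)} A={int(self.autoconfig)}, {where} the Routing Table"

    def pio(self) -> bytes:
        """RFC 4861 Prefix Information option: type 3, length 4 (32 bytes)."""
        flags = (0x80 if self.on_link else 0) | (0x40 if self.autoconfig else 0)
        header = struct.pack("!BBBBIII", 3, 4, self.network.prefixlen, flags,
                             self.valid_lifetime, self.preferred_lifetime, 0)
        return header + self.network.network_address.packed


def parse_nd_prefix(args: str) -> NdPrefix:
    """Parse e.g. '2001::/64 3600 3600 no-onlink' (the part after 'ipv6 nd prefix')."""
    tokens = args.split()
    if not tokens or tokens[0] == "default":
        raise ValueError("expected ipv6-prefix/prefix-length ('default' not modelled)")
    network = ipaddress.IPv6Network(tokens[0])   # strict: host bits must be zero
    rest = tokens[1:]
    if "no-advertise" in rest:
        if rest != ["no-advertise"]:
            raise ValueError("no-advertise cannot be combined with other options")
        return NdPrefix(network, advertise=False)
    valid, preferred = DEFAULT_VALID, DEFAULT_PREFERRED
    if rest and rest[0].isdigit():
        if len(rest) < 2 or not rest[1].isdigit():
            raise ValueError("valid-lifetime must be followed by preferred-lifetime")
        valid, preferred = int(rest[0]), int(rest[1])
        rest = rest[2:]
        # The reference: preferred-lifetime must not be larger than valid-lifetime.
        if not 0 <= preferred <= valid <= INFINITY:
            raise ValueError("preferred-lifetime must not exceed valid-lifetime")
    if "off-link" in rest and "no-onlink" in rest:
        raise ValueError("off-link and no-onlink are mutually exclusive")
    on_link = autoconfig = in_table = True
    for kw in rest:
        if kw == "no-autoconfig":
            autoconfig = False                  # A=0
        elif kw == "no-onlink":
            on_link = False                     # L=0, prefix stays a connected route
        elif kw == "off-link":
            on_link, in_table = False, False    # L=0 and removed from the routing table
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return NdPrefix(network, True, valid, preferred, on_link, autoconfig, in_table)


if __name__ == "__main__":
    for line in ("2001:0DB8::/35 1000 900",                   # Example 1 of the reference
                 "2001::/64 3600 3600 no-onlink",              # Example 2 of the reference
                 "2001:db8:1::/48 off-link no-autoconfig"):    # constructed
        p = parse_nd_prefix(line)
        print(f"{line:45} -> {p.summary()}  PIO={p.pio().hex()}")
```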
28.19 ipv6 nd ra interval
Use the ipv6 nd ra interval command in Interface Configuration mode to configure
the interval between IPv6 router advertisement (RA) transmissions on an interface.
To restore the default interval, use the no form of this command.
Syntax
ipv6 nd ra interval maximum-secs [minimum-secs]
no ipv6 nd ra interval
Parameters
• maximum-secs—Maximum interval between IPv6 RA transmissions in
seconds. The range is from 4 to 1800.
• minimum-secs—Minimum interval between IPv6 RA transmissions in
seconds. The range is from 3 to 1350.
Default Configuration
maximum-secs is 600 seconds.
minimum-secs is 0.33*maximum-secs if that value is 3 seconds or more, and is 3
seconds if that value is less than 3 seconds.
Command Mode
Interface Configuration mode
User Guidelines
The interval between transmissions should be less than or equal to the IPv6 router
advertisement lifetime if you configure the router as a default router by using this
command. To prevent synchronization with other IPv6 nodes, the actual interval
used is randomly selected from a value between the minimum and maximum
values.
The minimum RA interval may never be more than 75% of the maximum RA
interval and never less than 3 seconds.
Examples
Example 1. The following example configures an IPv6 router advertisement
interval of 201 seconds for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra interval 201
switchxxxxxx(config-if)# exit
Example 2. The following example shows a maximum RA interval of 200 seconds
and a minimum RA interval of 50 seconds:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra interval 200 50
switchxxxxxx(config-if)# exit
28.20 ipv6 nd ra lifetime
Use the ipv6 nd ra lifetime command in Interface Configuration mode to configure
the Router Lifetime value in IPv6 router advertisements on an interface.
To restore the default lifetime, use the no form of this command.
Syntax
ipv6 nd ra lifetime seconds
no ipv6 nd ra lifetime
Parameters
• seconds—Remaining length of time, in seconds, that this router will
continue to be useful as a default router (Router Lifetime value). A value of
zero indicates that it is no longer useful as a default router. The acceptable
range is 0 or from <Maximum RA Interval> to 9000 seconds.
Default Configuration
The default lifetime value is 3*<Maximum RA Interval> seconds.
Command Mode
Interface Configuration mode
User Guidelines
The Router Lifetime value is included in all IPv6 router advertisements sent out the
interface. The value indicates the usefulness of the router as a default router on
this interface. Setting the value to 0 indicates that the router should not be
considered a default router on this interface. The Router Lifetime value can be set
to a non-zero value to indicate that it should be considered a default router on this
interface. The non-zero value for the Router Lifetime value should not be less than
the router advertisement interval.
Example
The following example configures an IPv6 router advertisement lifetime of 1801
seconds for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra lifetime 1801
switchxxxxxx(config-if)# exit
28.21 ipv6 nd ra suppress
Use the ipv6 nd ra suppress command in Interface Configuration mode to
suppress IPv6 router advertisement transmissions on an interface. To re-enable
the sending of IPv6 router advertisement transmissions on an interface, use the no
form of this command.
Syntax
ipv6 nd ra suppress
no ipv6 nd ra suppress
Parameters
N/A.
Default Configuration
LAN interface - IPv6 router advertisements are automatically sent.
Point-to-Point interface - IPv6 router advertisements are suppressed.
NBMA interface - IPv6 router advertisements are suppressed.
Command Mode
Interface Configuration mode
User Guidelines
Use the no ipv6 nd ra suppress command to enable the sending of IPv6 router
advertisement transmissions on a Point-to-Point interface (for example, a manual
tunnel) or on an NBMA interface (for example, an ISATAP tunnel), where they are
suppressed by default.
Examples
Example 1. The following example suppresses IPv6 router advertisements on VLAN
1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd ra suppress
switchxxxxxx(config-if)# exit
Example 2. The following example enables the sending of IPv6 router
advertisements on tunnel 1:
switchxxxxxx(config)# interface tunnel 1
switchxxxxxx(config-if)# no ipv6 nd ra suppress
switchxxxxxx(config-if)# exit
28.22 ipv6 nd reachable-time
Use the ipv6 nd reachable-time command in Interface Configuration mode to
configure the amount of time that a remote IPv6 node is considered reachable
after some reachability confirmation event has occurred.
To restore the default time, use the no form of this command.
Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time
Parameters
• milliseconds—Amount of time that a remote IPv6 node is considered
reachable (in milliseconds). The acceptable range is from 0 to 3600000
milliseconds.
Default Configuration
0 milliseconds (unspecified) is advertised in router advertisements and the value
30000 (30 seconds) is used for the neighbor discovery activity of the router itself.
Command Mode
Interface Configuration mode
User Guidelines
The configured time enables the router to detect unavailable neighbors. Shorter
configured times enable the router to detect unavailable neighbors more quickly;
however, shorter times consume more IPv6 network bandwidth and processing
resources in all IPv6 network devices. Very short configured times are not
recommended in normal IPv6 operation.
The configured time is included in all router advertisements sent out of an
interface so that nodes on the same link use the same time value. A value of 0
indicates that the configured time is unspecified by this router.
Example
The following example configures an IPv6 reachable time of 1,700,000
milliseconds for VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd reachable-time 1700000
switchxxxxxx(config-if)# exit
28.23 ipv6 nd router-preference
Use the ipv6 nd router-preference command in Interface Configuration mode to
configure a default router preference (DRP) for the router on a specific interface.
To return to the default DRP, use the no form of this command.
Syntax
ipv6 nd router-preference {high | medium | low}
no ipv6 nd router-preference
Parameters
• high—Preference for the router specified on an interface is high.
• medium—Preference for the router specified on an interface is medium.
• low—Preference for the router specified on an interface is low.
Default Configuration
Router advertisements (RAs) are sent with the medium preference.
Command Mode
Interface Configuration mode
User Guidelines
RA messages are sent with the DRP configured by this command. If no DRP is
configured, RAs are sent with a medium preference.
A DRP is useful when, for example, two routers on a link may provide equivalent,
but not equal-cost, routing, and policy may dictate that hosts should prefer one of
the routers.
Example
The following example configures a DRP of high for the router on VLAN 1:
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 nd router-preference high
switchxxxxxx(config-if)# exit
28.24 ipv6 neighbor
Use the ipv6 neighbor command in Global Configuration mode to configure a
static entry in the IPv6 neighbor discovery cache. To remove a static IPv6 entry
from the IPv6 neighbor discovery cache, use the no form of this command.
Syntax
ipv6 neighbor ipv6-address interface-id mac-address
no ipv6 neighbor [[ipv6-address] interface-id]
Parameters
• ipv6-address—Specified IPv6 address. This argument must be in the form
documented in RFC4293 where the address is specified in hexadecimal
using 16-bit values between colons.
• interface-id—Specified interface identifier.
• mac-address—Interface MAC address.
Default Configuration
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Mode
Global Configuration mode
User Guidelines
This command is similar to the arp command.
Use the ipv6 neighbor command to add a static entry in the IPv6 neighbor
discovery cache.
If the specified IPv6 address is a global IPv6 address, it must belong to one of
the static on-link prefixes defined on the interface. When a static on-link prefix
is deleted, all static entries in the IPv6 neighbor discovery cache that
correspond to the prefix are deleted too.
If an entry for the specified IPv6 address already exists in the neighbor discovery
cache, learned through the IPv6 neighbor discovery process, the entry is
automatically converted to a static entry.
Static entries in the IPv6 neighbor discovery cache are not modified by the
neighbor discovery process.
Use the no ipv6 neighbor ipv6-address interface-id command to remove the given
static entry on the given interface. The command does not remove the entry from
the cache if it is a dynamic entry learned from the IPv6 neighbor discovery
process.
Use the no ipv6 neighbor interface-id command to delete all static entries on
the given interface.
Use the no ipv6 neighbor command to remove all static entries on all
interfaces.
Use the show ipv6 neighbors command to view static entries in the IPv6 neighbor
discovery cache. A static entry in the IPv6 neighbor discovery cache can have one
of the following states:
• INCMP (Incomplete)—The interface for this entry is down.
• REACH (Reachable)—The interface for this entry is up.
Note. Reachability detection is not applied to static entries in the IPv6 neighbor
discovery cache; therefore, the descriptions for the INCMP and REACH states are
different for dynamic and static cache entries.
Examples
Example 1. The following example configures a static entry in the IPv6 neighbor
discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and
link-layer address 0002.7D1A.9472 on VLAN 1:
switchxxxxxx(config)# ipv6 neighbor 2001:0DB8::45A vlan1 0002.7D1A.9472
Example 2. The following example deletes the static entry in the IPv6 neighbor
discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and
link-layer address 0002.7D1A.9472 on VLAN 1:
switchxxxxxx(config)# no ipv6 neighbor 2001:0DB8::45A vlan1
Example 3. The following example deletes all static entries in the IPv6 neighbor
discovery cache on VLAN 1:
switchxxxxxx(config)# no ipv6 neighbor vlan1
Example 4. The following example deletes all static entries in the IPv6 neighbor
discovery cache on all interfaces:
switchxxxxxx(config)# no ipv6 neighbor
28.25 ipv6 policy route-map
To enable policy routing on an interface and identify a route map, use the ipv6
policy route-map command in Interface Configuration mode. To disable policy
routing, use the no form of this command.
Syntax
ipv6 policy route-map map-tag
no ipv6 policy route-map
Parameters
• map-tag—Name of the route map to use for policy routing. The name must
match a map-tag value specified by a route-map (Policy Routing) command.
Default Configuration
No policy routing occurs on the interface.
Command Mode
Interface Configuration mode
User Guidelines
Use the ipv6 policy route-map command to enable IPv6 policy routing on an
interface. Policy routing actually takes place only if IPv6 is enabled on the
interface.
IPv6 packets that match the conditions of the route map named map-tag take a route
that depends on the action of the matched ACL entry:
• permit—The route specified by the set command (policy routing).
• deny—The route specified by the IPv6 Forwarding table (regular routing).
IPv6 packets that do not match are forwarded using the regular shortest path.
IPv6 policy routing on a Layer 2 interface is performed only when an IPv6
interface is defined, its status is UP, and the next hop is reachable. If IPv6
policy routing is not applied, the matched IPv6 packets are forwarded using the
regular shortest path.
Note. As with regular IPv6 routing, the policy-based IPv6 router routes only IPv6
frames whose destination MAC address is the switch's own ("to me" frames).
IPv6 policy routing cannot be configured on an interface together with the
following features:
• IPv6 First Hop Security
• VLAN ACL
• VLAN Rate Limit
Example
The following example shows how to configure policy routing:
switchxxxxxx(config)# ipv6 access-list pr-acl1
switchxxxxxx(config-ip-al)# permit tcp any any 3002:08FA/32 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# ipv6 access-list pr-acl2
switchxxxxxx(config-ip-al)# permit tcp any any 3002:0800/32 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# route-map pbr 10
switchxxxxxx(config-route-map)# match ipv6 address access-list pr-acl1
switchxxxxxx(config-route-map)# set ipv6 next-hop 3012:12af::1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# route-map pbr 20
switchxxxxxx(config-route-map)# match ipv6 address access-list pr-acl2
switchxxxxxx(config-route-map)# set ipv6 next-hop 3012:1223::1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ipv6 policy route-map pbr
switchxxxxxx(config-if)# exit
28.26 ipv6 redirects
Use the ipv6 redirects command in Interface Configuration mode to enable the
sending of ICMP IPv6 redirect messages to re-send a packet through the same
interface on which the packet was received.
To disable the sending of redirect messages, use the no form of this command.
Syntax
ipv6 redirects
no ipv6 redirects
Parameters
N/A.
Default Configuration
The sending of ICMP IPv6 redirect messages is enabled.
Command Mode
Interface Configuration mode
Example
The following example disables the sending of ICMP IPv6 redirect messages on
VLAN 100 and re-enables the messages on VLAN 2:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# no ipv6 redirects
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# ipv6 redirects
switchxxxxxx(config-if)# exit
28.27 ipv6 route
Use the ipv6 route command in Global Configuration mode to establish static IPv6
routes.
To remove a previously configured static route, use the no form of this command.
Syntax
ipv6 route ipv6-prefix/prefix-length {next-ipv6-address | interface-id} [metric]
no ipv6 route ipv6-prefix/prefix-length {next-ipv6-address | interface-id}
Parameters
• ipv6-prefix—IPv6 network that is the destination of the static route. Can also
be a host name when static host routes are configured.
• /prefix-length—Length of the IPv6 prefix. A decimal value that indicates how
many of the high-order contiguous bits of the address comprise the prefix (the
network portion of the address). A slash mark must precede the decimal value.
• next-ipv6-address—IPv6 address of the next hop that can be used to reach the
specified network.
- If the next-ipv6-address argument is a link-local address, it must be defined
in the zone format: <IPv6 Zone Format> ::= IPv6-Link-Local-Address%Interface-ID
- The interface-id argument must be coded without spaces.
• interface-id—Outgoing interface identifier. This argument can be applied only
to point-to-point interfaces (manual IPv6 over IPv4 tunnels).
• metric—Static route metric. Acceptable values are from 1 to 65535. The default
value is 1.
Default Configuration
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Mode
Global Configuration mode
User Guidelines
If the next IPv6 address is a global IPv6 address, it should belong to a static
on-link prefix. When an on-link prefix is removed or is changed to a non-on-link
prefix, the static routes whose next hop belongs to that prefix are removed from
the configuration.
Examples
Example 1. The following example defines a static route with a global next hop:
switchxxxxxx(config)# ipv6 route 2001::/64 5::5 10
Example 2. The following example defines a static route with a link-local next hop:
switchxxxxxx(config)# ipv6 route 2001:DB8:2222::/48 FE80::260:3EFF:FE11:6770%vlan1 12
Example 3. The following example defines a static route on manual tunnel 1:
switchxxxxxx(config)# ipv6 route 2001:DB8:2222::/48 tunnel1
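The argument rules above (prefix with a slash, link-local next hop in address%interface-id form, global next hop inside a static on-link prefix, interface form only for tunnels, metric 1 to 65535) and the removal rule from the User Guidelines, written out as a Python validator. This is an added example, not code from the guide; the on-link prefix 5::/64 is an assumption chosen so that Example 1 is accepted.

```python
import ipaddress
import re

# Constructed on-link prefix list (assumption): 5::/64 is a static on-link prefix,
# so the next hop 5::5 from Example 1 is acceptable.
ONLINK_PREFIXES = [ipaddress.IPv6Network("5::/64")]


class RouteError(ValueError):
    """Raised for an argument combination the ipv6 route command would reject."""


def parse_ipv6_route(args, onlink_prefixes=ONLINK_PREFIXES):
    """Validate 'ipv6-prefix/prefix-length {next-ipv6-address | interface-id} [metric]'.

    Returns a dict with prefix, next_hop (str or None), interface (str or None)
    and metric, all normalised.
    """
    parts = args.split()
    if len(parts) not in (2, 3):
        raise RouteError("usage: ipv6-prefix/prefix-length {next-ipv6-address | interface-id} [metric]")
    prefix_arg, hop_arg = parts[0], parts[1]
    if "/" not in prefix_arg:
        raise RouteError("a slash mark must precede the prefix length")
    prefix = ipaddress.IPv6Network(prefix_arg, strict=False)
    metric = int(parts[2]) if len(parts) == 3 else 1      # default metric is 1
    if not 1 <= metric <= 65535:
        raise RouteError("metric must be between 1 and 65535")
    route = {"prefix": str(prefix), "next_hop": None, "interface": None, "metric": metric}
    # Interface form: only point-to-point interfaces (manual IPv6 over IPv4 tunnels).
    if re.fullmatch(r"tunnel\d+", hop_arg):
        route["interface"] = hop_arg
        return route
    addr_part, _, zone = hop_arg.partition("%")
    try:
        nh = ipaddress.IPv6Address(addr_part)
    except ValueError:
        raise RouteError(f"{hop_arg!r} is neither an IPv6 address nor a tunnel interface") from None
    if nh.is_link_local:
        # Link-local next hops must use the zone format address%interface-id
        # (the split() above already rejects an interface-id containing spaces).
        if not zone:
            raise RouteError("a link-local next hop must be written as address%interface-id")
        route["interface"] = zone
    elif not any(nh in p for p in onlink_prefixes):
        raise RouteError("a global next hop must belong to a static on-link prefix")
    route["next_hop"] = str(nh)
    return route


def is_rejected(args, onlink_prefixes=ONLINK_PREFIXES):
    """True when the argument string would be rejected by parse_ipv6_route."""
    try:
        parse_ipv6_route(args, onlink_prefixes)
    except RouteError:
        return True
    return False


def remove_onlink_prefix(routes, prefix):
    """Apply the User Guidelines rule: when an on-link prefix is removed (or becomes
    off-link), static routes whose next hop belongs to it leave the configuration."""
    net = ipaddress.IPv6Network(prefix)
    return [r for r in routes
            if r["next_hop"] is None or ipaddress.IPv6Address(r["next_hop"]) not in net]
```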
28.28 ipv6 unicast-routing
Use the ipv6 unicast-routing command in Global Configuration mode to enable the
forwarding of IPv6 Unicast datagrams.
To disable the forwarding of IPv6 Unicast datagrams, use the no form of this
command.
Syntax
ipv6 unicast-routing
no ipv6 unicast-routing
Parameters
N/A.
Default Configuration
IPv6 Unicast routing is disabled.
Command Mode
Global Configuration mode
Example
The following example enables the forwarding of IPv6 Unicast datagrams:
switchxxxxxx(config)# ipv6 unicast-routing
28.29 ipv6 unreachables
Use the ipv6 unreachables command in Interface Configuration mode to enable
the generation of Internet Control Message Protocol for IPv6 (ICMPv6)
unreachable messages for any packets arriving on a specified interface.
To prevent the generation of unreachable messages, use the no form of this
command.
Syntax
ipv6 unreachables
no ipv6 unreachables
Parameters
N/A.
Default Configuration
The sending of ICMP IPv6 unreachable messages is enabled.
Command Mode
Interface Configuration mode
User Guidelines
If the switch receives a Unicast packet destined for itself that uses a protocol it
does not recognize, it sends an ICMPv6 unreachable message to the source.
If the switch receives a datagram that it cannot deliver to its ultimate destination
because it knows of no route to the destination address, it replies to the originator
of that datagram with an ICMP host unreachable message.
Example
The following example disables the generation of ICMPv6 unreachable messages,
as appropriate, on an interface:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# no ipv6 unreachables
switchxxxxxx(config-if)# exit
28.30 show ipv6 interface
Use the show ipv6 interface command in user EXEC or privileged EXEC mode to
display the usability status of interfaces configured for IPv6.
Syntax
show ipv6 interface [brief] | [[interface-id] [prefix]]
Parameters
• brief—Displays a brief summary of IPv6 status and configuration for each
interface where IPv6 is defined.
• interface-id—Interface identifier about which to display information.
• prefix—Prefix generated from a local IPv6 prefix pool.
Default Configuration
Option brief - all IPv6 interfaces are displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use this command to validate the IPv6 status of an interface and its configured
addresses. This command also displays the parameters that IPv6 uses for
operation on this interface and any configured features.
If the interface’s hardware is usable, the interface is marked up.
If you specify an optional interface identifier, the command displays information
only about that specific interface. For a specific interface, you can enter the prefix
keyword to see the IPv6 neighbor discovery (ND) prefixes that are configured on
the interface.
The prefix keyword is supported only if IPv6 unicast routing is enabled.
Examples
Example 1. The show ipv6 interface command displays information about the
specified interface:
switchxxxxxx# show ipv6 interface vlan 1
VLAN 1 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
IPv6 Forwarding is enabled
Global unicast address(es):
  Ipv6 Global Address       Type
  2000:0DB8::2/64 (ANY)     Manual
  2000:0DB8::2/64           Manual
  2000:1DB8::2011/64        Manual
Joined group address(es):
  FF02::1
  FF02::2
  FF02::1:FF11:6770
MTU is 1500 bytes
ICMP error messages limited interval is 100ms; Bucket size is 10 tokens
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router maximum advertisement interval is 600 seconds
ND router minimum advertisement interval is 198 seconds (DEFAULT)
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Stateless autoconfiguration is enabled.
MLD Version is 2
Field Descriptions:
• vlan 1 is up/up—Indicates the interface status: administrative/operational.
• IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in
sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the
interface. If IPv6 is enabled, the interface is marked Enabled. If duplicate
address detection processing identified the link-local address of the
interface as being a duplicate address, the processing of IPv6 packets is
disabled on the interface and the interface is marked Stalled. If IPv6 is not
enabled, the interface is marked Disabled.
• link-local address—Displays the link-local address assigned to the interface.
• Global unicast address(es):—Displays the global Unicast addresses assigned to
the interface. The type is manual or autoconfig.
• Joined group address(es):—Indicates the Multicast groups to which this
interface belongs.
• MTU is 1500 bytes—Maximum transmission unit of the interface.
• ICMP error messages—Specifies the minimum interval (in milliseconds) between
error messages sent on this interface.
• ICMP redirects—State of ICMP IPv6 redirect messages on the interface (the
sending of the messages is enabled or disabled).
• ND DAD—The state of duplicate address detection on the interface (enabled or
disabled).
• number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
• ND reachable time—Displays the neighbor discovery reachable time (in
milliseconds) assigned to this interface.
• ND advertised reachable time—Displays the neighbor discovery reachable time
(in milliseconds) advertised on this interface.
• ND advertised retransmit interval—Displays the neighbor discovery retransmit
interval (in milliseconds) advertised on this interface.
• ND router advertisements—Specifies the interval (in seconds) for neighbor
discovery router advertisements sent on this interface and the amount of time
before the advertisements expire.
• ND advertised default router preference is Medium—DRP for the router on a
specific interface.
• MLD Version—Version of MLD.
Example 2. The show ipv6 interface command displays information about the
specified manual IPv6 tunnel:
switchxxxxxx# show ipv6 interface tunnel 2
Tunnel 2 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
IPv6 Forwarding is enabled
Global unicast address(es):
  Ipv6 Global Address       Type
  2000:0DB8::2/64 (ANY)     Manual
  2000:0DB8::2/64           Manual
  2000:1DB8::2011/64        Manual
Joined group address(es):
  FF02::1
  FF02::2
  FF02::1:FF11:6770
MTU is 1500 bytes
ICMP error messages limited interval is 100ms; Bucket size is 10 tokens
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
MLD Version is 2
Tunnel mode is manual
Tunnel Local IPv4 address : 10.10.10.1(auto)
Tunnel Remote Ipv4 address : 10.1.1.1
Field Descriptions:
• vlan 1 is up/up—Indicates the interface status: administrative/operational.
• IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in
sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the
interface. If IPv6 is enabled, the interface is marked “enabled.” If duplicate
address detection processing identified the link-local address of the
interface as being a duplicate address, the processing of IPv6 packets is
disabled on the interface and the interface is marked “stalled.” If IPv6 is not
enabled, the interface is marked “disabled.”
• link-local address—Displays the link-local address assigned to the interface.
• Global Unicast address(es):—Displays the global Unicast addresses assigned to
the interface. The type is manual or autoconfig.
• Joined group address(es):—Indicates the Multicast groups to which this
interface belongs.
• MTU is 1500 bytes—Maximum transmission unit of the interface.
• ICMP error messages—Specifies the minimum interval (in milliseconds) between
error messages sent on this interface.
• ICMP redirects—The state of Internet Control Message Protocol (ICMP) IPv6
redirect messages on the interface (the sending of the messages is enabled or
disabled).
• ND DAD—The state of duplicate address detection on the interface (enabled or
disabled).
• number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
• ND reachable time—Displays the neighbor discovery reachable time (in
milliseconds) assigned to this interface.
• ND advertised reachable time—Displays the neighbor discovery reachable time
(in milliseconds) advertised on this interface.
• ND advertised retransmit interval—Displays the neighbor discovery retransmit
interval (in milliseconds) advertised on this interface.
• ND router advertisements—Specifies the interval (in seconds) for neighbor
discovery router advertisements sent on this interface and the amount of time
before the advertisements expire.
• ND advertised default router preference is Medium—The DRP for the router on a
specific interface.
• MLD Version—The version of MLD.
• Tunnel mode—Specifies the tunnel mode: manual.
• Tunnel Local IPv4 address—Specifies the tunnel local IPv4 address and has one
of the following formats:
- ipv4-address
- ipv4-address (auto)
- ipv4-address (interface-id)
• Tunnel Remote Ipv4 address—Specifies the tunnel remote IPv4 address.
Example 3. The show ipv6 interface command displays information about the
specified ISATAP tunnel:
switchxxxxxx# show ipv6 interface tunnel 1
Tunnel 1 is up/up
IPv6 is enabled, link-local address is FE80::0DB8:12AB:FA01
ICMP redirects are disabled
Global unicast address(es):
  Ipv6 Global Address       Type
  2000:0DB8::2/64 (ANY)     Manual
  2000:0DB8::2/64           Manual
  2000:1DB8::2011/64        Manual
Joined group address(es):
  FF02::1
  FF02::2
  FF02::1:FF11:6770
MTU is 1500 bytes
ICMP error messages limited interval is 100ms; Bucket size is 10 tokens
ICMP redirects are enabled
ND DAD is disabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
MLD Version is 2
Tunnel mode is ISATAP
Tunnel Local IPv4 address : 10.10.10.1(VLAN 1)
ISATAP Router DNS name is isatap
Field Descriptions:
• ND DAD—The state of duplicate address detection on the interface (enabled or
disabled). Note. The state of duplicate address detection on an IPv6 tunnel
interface of ISATAP type is always displayed as disabled, regardless of the
value of the number of DAD attempts parameter, because DAD is not supported on
NBMA interfaces. The switch enables DAD automatically when the user changes the
type of the tunnel to manual, if the parameter value is bigger than 0.
• number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
• vlan 1 is up/up—Indicates the interface status: administrative/operational.
• IPv6 is enabled, stalled, disabled (stalled and disabled are not shown in
sample output)—Indicates that IPv6 is enabled, stalled, or disabled on the
interface. If IPv6 is enabled, the interface is marked “enabled.” If duplicate
address detection processing identified the link-local address of the
interface as being a duplicate address, the processing of IPv6 packets is
disabled on the interface and the interface is marked “stalled.” If IPv6 is not
enabled, the interface is marked “disabled.”
• link-local address—Displays the link-local address assigned to the interface.
• Global Unicast address(es):—Displays the global Unicast addresses assigned to
the interface. The type is manual or autoconfig.
• Joined group address(es):—Indicates the Multicast groups to which this
interface belongs.
• MTU is 1500 bytes—Maximum transmission unit of the interface.
• ICMP error messages—Specifies the minimum interval (in milliseconds) between
error messages sent on this interface.
• ICMP redirects—The state of Internet Control Message Protocol (ICMP) IPv6
redirect messages on the interface (the sending of the messages is enabled or
disabled).
• number of DAD attempts:—Number of consecutive neighbor solicitation messages
that are sent on the interface while duplicate address detection is performed.
• ND reachable time—Displays the neighbor discovery reachable time (in
milliseconds) assigned to this interface.
• ND advertised reachable time—Displays the neighbor discovery reachable time
(in milliseconds) advertised on this interface.
• ND advertised retransmit interval—Displays the neighbor discovery retransmit
interval (in milliseconds) advertised on this interface.
• ND router advertisements—Specifies the interval (in seconds) for neighbor
discovery router advertisements sent on this interface and the amount of time
before the advertisements expire.
• ND advertised default router preference is Medium—The DRP for the router on a
specific interface.
• MLD Version—The version of MLD.
• Tunnel mode—Specifies the tunnel mode: isatap.
• Tunnel Local IPv4 address—Specifies the tunnel local IPv4 address and has one
of the following formats:
- ipv4-address
- ipv4-address (auto)
- ipv4-address (interface-id)
• Tunnel Remote Ipv4 address—Specifies the tunnel remote IPv4 address.
• ISATAP Router DNS name is—The DNS name of the ISATAP Router.
Example 4. The following command with the brief keyword displays information
about all interfaces that IPv6 is defined on:
switchxxxxxx# show ipv6 interface brief
Interface  Interface State  IPv6 State  Link Local IPv6 Address  MLD Version  Number of Global Addresses
---------  ---------------  ----------  -----------------------  -----------  --------------------------
vlan 1     up/up            enabled     FE80::0DB8:12AB:FA01     1            1
vlan 2     up/up            stalled     FE80::0DB8:12AB:FA01     1            1
vlan 3     up/down          enabled     FE80::0DB8:12AB:FA01     1            3
vlan 4     down/down        enabled     FE80::0DB8:12AB:FA01     2            2
vlan 5     up/up            enabled     FE80::0DB8:12AB:FA01     1            1
vlan 100   up/up            enabled     FE80::0DB8:12AB:FA01     1            1
vlan 1000  up/up            stalled     FE80::0DB8:12AB:FA01     1            1
Example 5. This sample output shows the characteristics of VLAN 1 that has
generated a prefix from a local IPv6 prefix pool:
switchxxxxxx# configure terminal
switchxxxxxx(config)# interface vlan1
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:1::1/64
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:2::1/64
switchxxxxxx(config-if)# ipv6 address 2001:0DB8:3::1/64
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:1::/64 no-advertise
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:3::/64 2912000 564900 off-link
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:4::/64
switchxxxxxx(config-if)# ipv6 nd prefix 2001:0DB8:5::/64 2912000 564900 off-link
switchxxxxxx(config-if)# exit
switchxxxxxx(config)# exit
switchxxxxxx# show ipv6 interface vlan 1 prefix
IPv6 Prefix Advertisements VLAN 1
Codes: A - Address, P - Prefix is advertised, R is in Routing Table
Code  Prefix             Flags  Valid Lifetime  Preferred Lifetime
----  ----------------   -----  --------------  ------------------
      default            LA     2592000         604800
AR    2001:0DB8:1::/64   LA     infinite        infinite
APR   2001:0DB8:2::/64   LA     infinite        infinite
AP    2001:0DB8:3::/64   A      infinite        infinite
PR    2001:0DB8:4::/64   LA     2592000         604800
P     2001:0DB8:5::/64   A      2912000         564900
28.31 show ipv6 link-local default zone
Use the show ipv6 link-local default zone command in user EXEC or privileged
EXEC mode to display the IPv6 link local default zone.
Syntax
show ipv6 link-local default zone
Command Mode
User EXEC mode
Privileged EXEC mode
Examples
Example 1. The following example displays the default zone when it is defined:
switchxxxxxx# show ipv6 link-local default zone
Link Local Default Zone is VLAN 1
Example 2. The following example displays the default zone when it is not defined:
switchxxxxxx# show ipv6 link-local default zone
Link Local Default Zone is not defined
28.32 show ipv6 nd prefix
Use the show ipv6 nd prefix command in user EXEC or privileged EXEC mode to
display IPv6 prefixes included in IPv6 Neighbor Discovery (ND) router
advertisements.
Syntax
show ipv6 nd prefix [interface-id]
Parameters
• interface-id—Specified interface identifier on which prefixes are
advertised.
Default Configuration
No prefixes are displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ipv6 nd prefix command with the interface-id argument to display
prefixes advertised on a single interface.
Example
The following example displays IPv6 prefixes:
switchxxxxxx# show ipv6 nd prefix vlan 100
vlan 100
default
valid-lifetime 2,592,000 secs
preferred-lifetime 604,800 secs
on-link
auto-config
prefix 2001::1/64
valid-lifetime 3,600 secs
preferred-lifetime 2,700 secs
prefix 2001:2:12/64
no advertise
prefix 2002::1/64
valid-lifetime 3,600 secs
preferred-lifetime 2,700 secs
on-link
prefix 2011::1/64
valid-lifetime 3,600 secs
preferred-lifetime 2,700 secs
off-link
auto-config
28.33 show ipv6 neighbors
Use the show ipv6 neighbors command in User EXEC or Privileged EXEC mode to
display IPv6 neighbor discovery (ND) cache information.
Syntax
show ipv6 neighbors [interface-id | ipv6-address | ipv6-hostname]
Parameters
• interface-id—Specifies the identifier of the interface from which IPv6
neighbor information is to be displayed.
• ipv6-address—Specifies the IPv6 address of the neighbor. This argument
must be in the form documented in RFC4293 where the address is
specified in hexadecimal using 16-bit values between colons.
• ipv6-hostname—Specifies the IPv6 host name of the remote networking
device.
Default Configuration
All IPv6 ND cache entries are listed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
When the interface-id argument is not specified, cache information for all IPv6
neighbors is displayed. Specifying the interface-id argument displays only cache
information about the specified interface.
Examples
Example 1. The following is sample output from the show ipv6 neighbors
command when entered with an interface-id:
switchxxxxxx# show ipv6 neighbors vlan 1
IPv6 Address              Age  Link-layer Addr  State  Interface  Router
2000:0:0:4::2             0    0003.a0d6.141e   REACH  VLAN1      Yes
3001:1::45a               -    0002.7d1a.9472   REACH  VLAN1      -
FE80::203:A0FF:FED6:141E  0    0003.a0d6.141e   REACH  VLAN1      No
Example 2. The following is sample output from the show ipv6 neighbors
command when entered with an IPv6 address:
switchxxxxxx# show ipv6 neighbors 2000:0:0:4::2
IPv6 Address              Age  Link-layer Addr  State  Interface  Router
2000:0:0:4::2             0    0003.a0d6.141e   REACH  VLAN1      Yes
Field Descriptions:
• Total number of entries—Number of entries (peers) in the cache.
• IPv6 Address—IPv6 address of neighbor or interface.
• Age—Time (in minutes) since the address was confirmed to be reachable. A
hyphen (-) indicates a static entry.
• Link-layer Addr—MAC address. If the address is unknown, a hyphen (-) is
displayed.
• Interface—Interface which the neighbor is connected to.
• Router—Specifies if the neighbor is a Router. A hyphen (-) is displayed for
static entries.
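A parser for the show ipv6 neighbors output format described above, with the static-entry semantics from the ipv6 neighbor command (Age "-" marks a static entry; for static entries INCMP and REACH report only the interface state) and a check of learned link-layer addresses against the bindings an administrator intends to pin with static entries. Added example, not code from the guide; the sample output is constructed from Example 1 and the expected bindings are assumptions.

```python
# Constructed sample output, laid out like Example 1 of show ipv6 neighbors.
SAMPLE_OUTPUT = """\
IPv6 Address              Age  Link-layer Addr  State  Interface  Router
2000:0:0:4::2             0    0003.a0d6.141e   REACH  VLAN1      Yes
3001:1::45a               -    0002.7d1a.9472   REACH  VLAN1      -
FE80::203:A0FF:FED6:141E  0    0003.a0d6.141e   REACH  VLAN1      No
"""


def parse_neighbors(text):
    """Return one dict per cache entry; a hyphen in the Age column marks a static entry."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 6 or cols[0] == "IPv6":
            continue                                  # header, separator or blank line
        addr, age, mac, state, iface, router = cols
        entries.append({
            "address": addr.lower(),
            "static": age == "-",
            "age": None if age == "-" else int(age),  # minutes since confirmed reachable
            "mac": None if mac == "-" else mac.lower(),  # hyphen: link-layer address unknown
            "state": state,
            "interface": iface,
            "router": None if router == "-" else router == "Yes",  # None for static entries
        })
    return entries


def describe_state(entry):
    """Reachability detection is not applied to static entries, so for them
    INCMP and REACH only say whether the interface is down or up."""
    if entry["static"]:
        return {"INCMP": "interface down", "REACH": "interface up"}.get(entry["state"], entry["state"])
    return entry["state"]


def check_bindings(entries, expected):
    """Compare cache entries with an expected address -> MAC map (the bindings
    you intend to pin with ipv6 neighbor) and return (address, expected, seen) mismatches."""
    mismatches = []
    for e in entries:
        want = expected.get(e["address"])
        if want is not None and e["mac"] != want.lower():
            mismatches.append((e["address"], want.lower(), e["mac"]))
    return mismatches


def advertised_routers(entries):
    """Addresses of neighbors whose Router column is Yes."""
    return [e["address"] for e in entries if e["router"]]


if __name__ == "__main__":
    for e in parse_neighbors(SAMPLE_OUTPUT):
        kind = "static" if e["static"] else "dynamic"
        print(f"{e['address']:26} {kind:8} {describe_state(e)}")
    print("routers:", advertised_routers(parse_neighbors(SAMPLE_OUTPUT)))
```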
28.34 show ipv6 route
Use the show ipv6 route command in user EXEC or privileged EXEC mode to
display the current contents of the IPv6 routing table.
Syntax
show ipv6 route [ipv6-address | ipv6-prefix/prefix-length | protocol | interface
interface-id]
Parameters
• ipv6-address—Displays routing information for a specific IPv6 address.
This argument must be in the form documented in RFC4293 where the
address is specified in hexadecimal using 16-bit values between colons.
• ipv6-prefix—Displays routing information for a specific IPv6 network. This
argument must be in the form documented in RFC4293 where the address
is specified in hexadecimal using 16-bit values between colons.
• /prefix-length—The length of the IPv6 prefix. A decimal value that indicates
how many of the high-order contiguous bits of the address comprise the prefix
(the network portion of the address). A slash mark must precede the decimal
value.
• protocol—Displays routes for the specified routing protocol using any of
these keywords: bgp, isis, ospf, or rip; or displays routes for the specified
type of route using any of these keywords: connected, static, nd, or icmp.
• interface interface-id—Identifier of an interface.
Default Configuration
All IPv6 routing information for all active routing tables is displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
This command provides output similar to the show ip route command, except that
the information is IPv6-specific.
When the ipv6-address or ipv6-prefix/prefix-length argument is specified, a
longest match lookup is performed in the routing table and only route
information for that address or network is displayed. When the icmp, nd,
connected, local, or static keyword is specified, only that type of route is
displayed. When the interface-id argument is specified, only the routes specific
to that interface are displayed.
Examples
Example 1. The following is sample output from the show ipv6 route command
when IPv6 Routing is not enabled and the command is entered without an IPv6
address or prefix specified:
switchxxxxxx# show ipv6 route
Codes: > - Best
S - Static, C - Connected, I - ICMP Redirect, ND - Router Advertisment
[d/m]: d - route’s distance, m - route’s metric
IPv6 Routing Table - 6 entries
C>  3002:1:1:1:1/64 [0/0] via fe80::200:cff:fe4a:dfa8 VLAN 1 Lifetime 1784 sec
S>  ::/0 [1/1] via fe80::77 VLAN 1
ND> ::/0 [11/0] via fe80::200:cff:fe4a:dfa8 VLAN 1 Lifetime 1784 sec
ND> 2001::/64 [2/1] via :: fe80::200:cff:fe4a:dfa8 VLAN 100
ND> 2002:1:1:1::/64 [2/1] via :: fe80::200:cff:fe4a:dfa8 VLAN 100
ND> 3001::/64 [2/1] via :: fe80::200:cff:fe4a:dfa8 VLAN 101
Example 2. The following is sample output from the show ipv6 route command
when IPv6 Routing is enabled and the command is entered without an IPv6
address or prefix specified:
switchxxxxxx# show ipv6 route
Codes: > - Best
S - Static, C - Connected,
L - Local (on-link prefixes defined by the ipv6 nd prefix command with the on-link keyword)
[d/m]: d - route’s distance, m - route’s metric
IPv6 Policy Routing
VLAN 1
  Route Map: BPR1
  Status: Active
    ACL Name: ACLTCPHTTP
    Next Hop: fe80::77
    Next Hop Status: Active
    ACL Name: ACLTCPTELNET
    Next Hop: 4001::27
    Next Hop Status: Not Active (Unreachable)
    ACL Name: ACL_AA
    Next Hop: 301a:23:24
    Next Hop Status: Not Active (Not direct)
VLAN 100
  Route Map: BPR_10
  Status: Not Active (No IP interface on VLAN 100)
    ACL Name: ACLTCPHTTP
    Next Hop: 4214::10
    Next Hop Status: Active
VLAN 110
  Route Map: BPR_20
  Status: Not Active (VLAN 110 status is DOWN)
    ACL Name: ACLTCPHTTP
    Next Hop: 3004:1241::73
    Next Hop Status: Active
VLAN 200
  Route Map: BPR_A0
  Status: Active
    ACL Name: ACLTCPHTTP
    Next Hop: 3004:1241::73
    Next Hop Status: Active
IPv6 Routing Table - 3 entries
S>  3000::/64 [1/1] via FE80::A8BB:CCFF:FE02:8B00 VLAN 100
C>  4001::/64 [0/0] via :: VLAN 100
L>  4002::/64 [0/0] via :: VLAN 100 Lifetime 9000 sec
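The policy-routing statuses in this output and the forwarding rules stated for the ipv6 policy route-map command (route map active only when an IPv6 interface is defined and UP; next hop usable only when direct and reachable; permit routes by the set command, deny and unmatched packets use regular routing), modelled in Python. This is an added example and not code from the guide; the ACL prefixes 3002:8fa::/32 and 3002:800::/32, the on-link prefix and the neighbor-cache contents are assumptions made to mirror the route-map example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Ace:
    action: str      # "permit": route by the set command; "deny": IPv6 forwarding table
    protocol: str    # "tcp", "udp" or "any"
    dst: str         # destination prefix the ACE matches, e.g. "3002:8fa::/32"

    def __post_init__(self):
        self.dst = ipaddress.IPv6Network(self.dst)


@dataclass
class RouteMapEntry:
    seq: int
    acl_name: str    # ACL named by "match ipv6 address access-list"
    next_hop: str    # value of "set ipv6 next-hop"

    def __post_init__(self):
        self.next_hop = ipaddress.IPv6Address(self.next_hop)


@dataclass
class Vlan:
    vid: int
    ipv6_interface: bool   # an IPv6 interface is defined on the VLAN
    up: bool               # VLAN operational status
    onlink: List[ipaddress.IPv6Network] = field(default_factory=list)   # on-link prefixes
    reachable: Set[ipaddress.IPv6Address] = field(default_factory=set)  # REACH entries in the ND cache


def route_map_status(vlan: Vlan) -> str:
    """Status of a route map applied to the VLAN, as printed by show ipv6 route."""
    if not vlan.ipv6_interface:
        return f"Not Active (No IP interface on VLAN {vlan.vid})"
    if not vlan.up:
        return f"Not Active (VLAN {vlan.vid} status is DOWN)"
    return "Active"


def next_hop_status(vlan: Vlan, nh) -> str:
    """A global next hop must lie inside an on-link prefix, and any next hop must be reachable."""
    nh = ipaddress.IPv6Address(str(nh))
    if not nh.is_link_local and not any(nh in p for p in vlan.onlink):
        return "Not Active (Not direct)"
    if nh not in vlan.reachable:
        return "Not Active (Unreachable)"
    return "Active"


def first_match(acl: List[Ace], protocol: str, dst: ipaddress.IPv6Address) -> Optional[Ace]:
    """First ACE matching the packet, or None when the ACL does not match it."""
    for ace in acl:
        if ace.protocol in ("any", protocol) and dst in ace.dst:
            return ace
    return None


def forward(vlan: Vlan, route_map: List[RouteMapEntry], acls: Dict[str, List[Ace]],
            protocol: str, dst) -> Tuple[str, Optional[str]]:
    """("policy", next_hop) when the packet is policy routed, otherwise ("regular", None)."""
    dst = ipaddress.IPv6Address(str(dst))
    if route_map_status(vlan) != "Active":
        return ("regular", None)                  # policy routing not performed on this VLAN
    for entry in sorted(route_map, key=lambda e: e.seq):
        ace = first_match(acls[entry.acl_name], protocol, dst)
        if ace is None:
            continue                              # not matched by this entry: try the next one
        if ace.action == "deny":
            return ("regular", None)              # deny: IPv6 forwarding table (regular routing)
        if next_hop_status(vlan, entry.next_hop) != "Active":
            return ("regular", None)              # next hop unusable: regular shortest path
        return ("policy", str(entry.next_hop))
    return ("regular", None)                      # no entry matched: regular shortest path


# Constructed configuration modelled on the ipv6 policy route-map example.
ACLS = {
    "pr-acl1": [Ace("permit", "tcp", "3002:8fa::/32")],
    "pr-acl2": [Ace("permit", "tcp", "3002:800::/32")],
}
PBR = [RouteMapEntry(10, "pr-acl1", "3012:12af::1"),
       RouteMapEntry(20, "pr-acl2", "3012:1223::1")]
VLAN1 = Vlan(1, True, True,
             onlink=[ipaddress.IPv6Network("3012:12af::/64")],      # assumed on-link prefix
             reachable={ipaddress.IPv6Address("3012:12af::1")})     # assumed ND cache contents


def show_policy_routing(vlan: Vlan, name: str, route_map: List[RouteMapEntry]) -> List[str]:
    """Render the policy-routing part of show ipv6 route for one VLAN."""
    lines = [f"VLAN {vlan.vid}", f"  Route Map: {name}", f"  Status: {route_map_status(vlan)}"]
    for entry in sorted(route_map, key=lambda e: e.seq):
        lines += [f"    ACL Name: {entry.acl_name}",
                  f"    Next Hop: {entry.next_hop}",
                  f"    Next Hop Status: {next_hop_status(vlan, entry.next_hop)}"]
    return lines


if __name__ == "__main__":
    print("\n".join(show_policy_routing(VLAN1, "pbr", PBR)))
    print(forward(VLAN1, PBR, ACLS, "tcp", "3002:8fa::10"))
```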
28.35 show ipv6 route summary
Use the show ipv6 route summary command in User EXEC or Privileged EXEC
mode to display the current contents of the IPv6 routing table in summary format.
Syntax
show ipv6 route summary
Parameters
N/A.
Command Mode
User EXEC mode
Privileged EXEC mode
Example
The following is sample output from the show ipv6 route summary command:
switchxxxxxx# show ipv6 route summary
IPv6 Routing Table Summary - 97 entries
37 local, 35 connected, 25 static
Number of prefixes:
/16: 1, /28: 10, /32: 5, /35: 25, /40: 1, /64: 9
/96: 5, /112: 1, /127: 4, /128: 36
28.36 show ipv6 static
Use the show ipv6 static command in user EXEC or privileged EXEC mode to
display the current static routes of the IPv6 routing table.
Syntax
show ipv6 static [ipv6-address | ipv6-prefix/prefix-length] [interface
interface-id][detail]
Parameters
• ipv6-address—Provides routing information for a specific IPv6 address.
This argument must be in the form documented in RFC4293 where the
address is specified in hexadecimal using 16-bit values between colons.
• ipv6-prefix—Provides routing information for a specific IPv6 network. This
argument must be in the form documented in RFC4293 where the address
is specified in hexadecimal using 16-bit values between colons.
• /prefix-length—Length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.
• interface interface-id—Identifier of an interface.
• detail—For invalid routes, specifies the reason why the route is not valid.
Default Configuration
All IPv6 static routing information for all active routing tables is displayed.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
When the ipv6-address or ipv6-prefix/prefix-length argument is specified, a
longest match lookup is performed from the routing table and only route
information for that address or network is displayed. Only the information matching
the criteria specified in the command syntax is displayed. For example, when the
interface-id argument is specified, only the specified interface-specific routes are
displayed.
When the detail keyword is specified, the reason why the route is not valid is
displayed for invalid direct or fully specified routes.
Examples
Example 1. The following is sample output from the show ipv6 static command
without specified options:
switchxxxxxx# show ipv6 static
IPv6 Static routes
Code: * - installed in Routing Information Base (RIB)
IPv6 Static routes distance is 1
* 3000::/16, interface VLAN1, metric 1
* 4000::/16, via nexthop 2001:1::1, metric 1
5000::/16, interface VLAN2, metric 1
* 5555::/16, via nexthop 4000::1, metric 1
5555::/16, via nexthop 9999::1, metric 1
* 5555::/16, via nexthop 4001:AF00::1, metric 1
* 6000::/16, via nexthop 2007::1, metric 1
Example 2. The following is sample output from the show ipv6 static command
when entered with the IPv6 prefix 2001:200::/35:
switchxxxxxx# show ipv6 static 2001:200::/35
IPv6 Static routes
Code: * - installed in Routing Information Base (RIB)
IPv6 Static routes distance is 1
* 2001:200::/35, via nexthop 4000::1, metric 1
2001:200::/35, via nexthop 9999::1, metric 1
* 2001:200::/35, interface VLAN1, metric 1
Example 3. The following is sample output from the show ipv6 static command
when entered with the interface VLAN 1:
switchxxxxxx# show ipv6 static interface vlan 1
IPv6 Static routes
Code: * - installed in Routing Information Base (RIB)
IPv6 Static routes distance is 1
* 5000::/16, interface VLAN1, metric 1
Example 4. The following is sample output from the show ipv6 static command
with the detail keyword:
switchxxxxxx# show ipv6 static detail
IPv6 Static routes
Code: * - installed in Routing Information Base (RIB)
IPv6 Static routes distance is 1
* 3000::/16, interface VLAN1, metric 1
* 4000::/16, via nexthop 2001:1::1, metric 1
5000::/16, interface VLAN2, metric 1
Interface is down
* 5555::/16, via nexthop 4000::1, metric 1
5555::/16, via nexthop 9999::1, metric 1
Route does not fully resolve
* 5555::/16, via nexthop 4001:AF00::1, metric 1
* 6000::/16, via nexthop 2007::1, metric 1
29 IPv6 First Hop Security
29.0 Policies
Policies contain the rules of verification that will be performed on input packets.
They can be attached to VLANs and/or port (Ethernet port or port channel).
The final set of rules that is applied to an input packet on a port is built in the
following way:
1. The rules configured in policies attached to the port on the VLAN on which the packet arrived are added to the set.
2. The rules configured in the policy attached to the VLAN are added to the set if they have not been added at the port level.
3. The global rules are added to the set if they have not been added at the VLAN or port level.
Rules defined at the port level override the rules set at the VLAN level. Rules
defined at the VLAN level override the globally-configured rules. The
globally-configured rules override the system defaults.
You can only attach 1 policy (for a specific sub-feature) to a VLAN.
You can attach multiple policies (for a specific sub-feature) to a port if they specify
different VLANs.
A sub-feature policy does not take effect until:
• IPv6 First Hop Security is enabled on the VLAN
• The sub-feature is enabled on the VLAN
• The policy is attached to the VLAN or port
Default Policies
Empty default policies exist for each sub-feature and are by default attached to all
VLANs and ports. The default policies are named "vlan_default" and "port_default".
Rules can be added to these default policies. You do not have to manually attach
default policies to ports; they are attached by default.
When a user-defined policy is attached to a port, the default policy for that port is
detached. If the user-defined policy is detached from the port, the default policy is
reattached.
Default policies can never be deleted. You can only delete the user-added
configuration.
Lists of Commands
29.1 address-config
To specify allowed configuration methods of global IPv6 addresses within an IPv6
Neighbor Binding policy, use the address-config command in Neighbor Binding
Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
address-config [stateless | any] [dhcp]
no address-config
Parameters
• stateless—Only stateless autoconfiguration of global IPv6 addresses bound from NDP messages is allowed.
• any—All configuration methods (stateless and manual) for global IPv6 addresses bound from NDP messages are allowed. If no keyword is defined, the any keyword is applied.
• dhcp—Binding of global IPv6 addresses from DHCPv6 is allowed.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
If no keyword is defined, the address-config any command is applied.
Example
The following example shows how to define policy1, which overrides the global
configuration to allow only the DHCP address configuration method:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# address-config dhcp
switchxxxxxx(config-nbr-binding)# exit
29.2 address-prefix-validation
To define the bound address prefix validation within an IPv6 Neighbor Binding
policy, use the address-prefix-validation command in Neighbor Binding Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
address-prefix-validation [enable | disable]
no address-prefix-validation
Parameters
• enable—Enables bound address prefix validation. If no keyword is configured, this keyword is applied by default.
• disable—Disables bound address prefix validation.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configured value.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
When a policy containing this command is attached to a VLAN, it overrides the
global configuration and is applied to all ports of the VLAN. When this command is
used in a policy attached to a port, it overrides the global and the VLAN
configurations.
Example
The following example shows how to define policy1 that changes the global
bound address verification in Neighbor Binding:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# address-prefix-validation enable
switchxxxxxx(config-nbr-binding)# exit
29.3 clear ipv6 first hop security counters
To clear IPv6 First Hop Security port counters, use the clear ipv6 first hop security
counters command in privileged EXEC mode.
Syntax
clear ipv6 first hop security counters [interface interface-id]
Parameters
• interface interface-id—Clear IPv6 First Hop Security counters for the specified Ethernet port or port channel.
Command Mode
Privileged EXEC mode
User Guidelines
This command clears port counters about packets handled by IPv6 First Hop
Security.
Use the interface keyword to clear the counters of a specific port.
Use the command without the keyword to clear the counters of all ports.
Example
The following example clears IPv6 First Hop Security counters on port te1/0/1:
switchxxxxxx# clear ipv6 first hop security counters interface te1/0/1
29.4 clear ipv6 first hop security error counters
To clear IPv6 First Hop Security global error counters, use the clear ipv6 first hop
security error counters command in privileged EXEC mode.
Syntax
clear ipv6 first hop security error counters
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command clears global error counters.
Example
The following example clears IPv6 First Hop Security error counters:
switchxxxxxx# clear ipv6 first hop security error counters
29.5 clear ipv6 neighbor binding prefix table
To remove dynamic entries from the Neighbor Prefix table, use the clear ipv6
neighbor binding prefix table command in Privileged EXEC mode.
Syntax
clear ipv6 neighbor binding prefix table [vlan vlan-id]
[prefix-address/prefix-length]
Parameters
• vlan-id—Clear the dynamic prefixes that match the specified VLAN.
• prefix-address/prefix-length—Clear the specific dynamic prefix.
Command Mode
Privileged EXEC mode
User Guidelines
This command deletes the dynamic entries of the Neighbor Prefix table.
Use the clear ipv6 neighbor binding prefix table vlan vlan-id
prefix-address/prefix-length command to delete one specific entry.
Use the clear ipv6 neighbor binding prefix table vlan vlan-id command to delete
the dynamic entries that match the specified VLAN.
Use the clear ipv6 neighbor binding prefix table command to delete all dynamic
entries.
Examples
Example 1. The following example clears all dynamic entries:
switchxxxxxx# clear ipv6 neighbor binding prefix table
Example 2. The following example clears all dynamic prefixes that match VLAN
100:
switchxxxxxx# clear ipv6 neighbor binding prefix table vlan 100
Example 3. The following example clears one specific prefix:
switchxxxxxx# clear ipv6 neighbor binding prefix table vlan 100
2002:11aa:0000:0001::/64
29.6 clear ipv6 neighbor binding table
To remove dynamic entries from the Neighbor Binding table, use the clear ipv6
neighbor binding table command in Privileged EXEC mode.
Syntax
clear ipv6 neighbor binding table [vlan vlan-id] [interface interface-id] [ipv6
ipv6-address] [mac mac-address] [ndp | dhcp]
Parameters
• vlan vlan-id—Clear the dynamic entries that match the specified VLAN.
• interface interface-id—Clear the dynamic entries that match the specified port (Ethernet port or port channel).
• ipv6 ipv6-address—Clear the dynamic entries that match the specified IPv6 address.
• mac mac-address—Clear the dynamic entries that match the specified MAC address.
• ndp—Clear the dynamic entries that are bound from NDP messages.
• dhcp—Clear the dynamic entries that are bound from DHCPv6 messages.
Command Mode
Privileged EXEC mode
User Guidelines
This command deletes the dynamic entries of the Neighbor Binding table.
The dynamic entries to be deleted can be specified by the vlan-id argument, the
interface-id argument, IPv6 address, MAC address, or by type of message from
which they were bound.
If neither the ndp keyword nor the dhcp keyword is specified, the entries are
removed regardless of their origin.
If no keywords or arguments are entered, all dynamic entries are deleted.
All keyword and argument combinations are allowed.
Example
The following example clears all dynamic entries that exist on VLAN 100 and port
te1/0/1:
switchxxxxxx# clear ipv6 neighbor binding table vlan 100 interface te1/0/1
29.7 device-role (IPv6 DHCP Guard)
To specify the role of the device attached to the port within an IPv6 DHCP Guard
policy, use the device-role command in IPv6 DHCPv6 Guard Policy Configuration
mode. To return to the default, use the no form of this command.
Syntax
device-role {client | server}
no device-role
Parameters
• client—Sets the role of the device to DHCPv6 client.
• server—Sets the role of the device to DHCPv6 server.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: client.
Command Mode
DHCP Guard Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
IPv6 DHCP Guard discards the following DHCPv6 messages sent by DHCPv6
servers/relays and received on ports configured as client:
• ADVERTISE
• REPLY
• RECONFIGURE
• RELAY-REPL
• LEASEQUERY-REPLY
Example
The following example defines an IPv6 DHCP Guard policy named policy1 and
configures the port role as server:
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# device-role server
switchxxxxxx(config-dhcp-guard)# exit
29.8 device-role (Neighbor Binding)
To specify the role of the device attached to the port within an IPv6 Neighbor
Binding policy, use the device-role command within IPv6 Neighbor Binding Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
device-role {perimeter | internal}
no device-role
Parameters
• perimeter—Specifies that the port is connected to devices not supporting IPv6 First Hop Security.
• internal—Specifies that the port is connected to devices supporting IPv6 First Hop Security.
Default Configuration
Policy attached to port or port channel: Value configured in the policy attached to
the VLAN.
Policy attached to VLAN: Perimeter.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
NB Integrity supports the perimetrical model (see RFC 6620).
This model specifies two types of ports:
• Perimeter Port—Specifies ports connected to devices not supporting NB Integrity. NB Integrity establishes binding for neighbors connected to these ports. Source Guard does not function on these ports.
• Internal Port—Specifies ports connected to devices supporting IPv6 First Hop Security. NB Integrity does not establish binding for neighbors connected to these ports, but it does propagate the bindings established on perimeter ports.
A dynamic IPv6 address bound to a port is deleted when the port role is changed
from perimeter to internal. A static IPv6 address is kept.
Example
The following example defines a Neighbor Binding policy named policy1 and
configures the port role as an internal port:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# device-role internal
switchxxxxxx(config-nbr-binding)# exit
29.9 device-role (ND Inspection Policy)
To specify the role of the device attached to the port within an IPv6 ND Inspection
policy, use the device-role command in ND Inspection Policy Configuration mode.
To disable this function, use the no form of this command.
Syntax
device-role {host | router}
no device-role
Parameters
• host—Sets the role of the device to host.
• router—Sets the role of the device to router.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: host.
Command Mode
ND inspection Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
ND Inspection performs egress filtering of NDP messages depending on the port
role. The following table specifies the filtering rules:
Message         Host     Router
RA              Permit   Permit
RS              Deny     Permit
CPA             Permit   Permit
CPS             Deny     Permit
ICMP Redirect   Permit   Permit
Example
The following example defines an ND Inspection policy named policy1 and
configures the port role as router:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# device-role router
switchxxxxxx(config-nd-inspection)# exit
29.10 device-role (RA Guard Policy)
To specify the role of the device attached to the port within an IPv6 RA Guard
policy, use the device-role command in RA Guard Policy Configuration mode. To
return to the default, use the no form of this command.
Syntax
device-role {host | router}
no device-role
Parameters
• host—Sets the role of the device to host.
• router—Sets the role of the device to router.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: host.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
RA Guard discards input RA, CPA, and ICMPv6 Redirect messages received on
ports configured as host.
Example
The following example defines an RA Guard policy named policy1 and configures
the port role as router:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# device-role router
switchxxxxxx(config-ra-guard)# exit
29.11 drop-unsecure
To enable dropping messages with no or invalid options or an invalid signature
within an IPv6 ND Inspection policy, use the drop-unsecure command in ND
Inspection Policy Configuration mode. To return to the default, use the no form of
this command.
Syntax
drop-unsecure [enable | disable]
no drop-unsecure
Parameters
• enable—Enables dropping messages with no or invalid options or an invalid signature. If no keyword is configured, this keyword is applied by default.
• disable—Disables dropping messages with no or invalid options or an invalid signature.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
ND inspection Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example defines an ND Inspection policy named policy1, places the
switch in ND Inspection Policy Configuration mode, and enables the switch to drop
messages with no or invalid options or an invalid signature:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# exit
29.12 hop-limit
To enable the verification of the advertised Cur Hop Limit value in RA messages
within an IPv6 RA Guard policy, use the hop-limit command in RA Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
hop-limit {[maximum {value | disable}] [minimum {value | disable}]}
no hop-limit [maximum] [minimum]
Parameters
• maximum value—Verifies that the hop-count limit is less than or equal to the value argument. Range 1-255. The value of the high boundary must be equal to or greater than the value of the low boundary.
• maximum disable—Disables verification of the high boundary of the hop-count limit.
• minimum value—Verifies that the hop-count limit is greater than or equal to the value argument. Range 1-255.
• minimum disable—Disables verification of the lower boundary of the hop-count limit.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Use the disable keyword to disable verification regardless of the global or VLAN
configuration.
Examples
Example 1—The following example defines an RA Guard policy named policy1,
places the switch in RA Guard Policy Configuration mode, and defines a minimum
Cur Hop Limit value of 5:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# hop-limit minimum 5
switchxxxxxx(config-ra-guard)# exit
Example 2—The following example defines an RA Guard policy named policy1,
places the switch in RA Guard Policy Configuration mode, and disables validation
of the Cur Hop Limit high boundary:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# hop-limit maximum disable
switchxxxxxx(config-ra-guard)# exit
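The rule precedence described in the Policies section (port over VLAN over global over system default) and the hop-limit bounds of this command, modelled as an added Python example that is not Cisco's code. The global minimum of 5, the VLAN 100 policy and the port assignments are constructed for illustration; the global RA Guard hop-limit command itself is not shown on this page.

```python
# Added example (not Cisco's code): how an RA Guard rule set is resolved for a
# packet (port policy, then VLAN policy, then global rules, then system defaults)
# and how the resolved hop-limit bounds are applied to a Router Advertisement.
# Rule names mirror the CLI keywords; the data structures are ours.

# System defaults (assumption): host role, no Cur Hop Limit verification.
SYSTEM_DEFAULTS = {"device-role": "host",
                   "hop-limit.maximum": None,
                   "hop-limit.minimum": None}


def effective_rules(port_policy, vlan_policy, global_rules):
    """Build the rule set applied to a packet that arrived on a port in a VLAN.

    Port rules are taken first; a VLAN, global or default value is used only
    when no higher level set that rule. "disable" is a real value: a port
    policy saying "hop-limit maximum disable" switches the check off even if
    the VLAN policy or the global configuration defined a maximum.
    """
    rules = {}
    for level in (port_policy, vlan_policy, global_rules, SYSTEM_DEFAULTS):
        for key, value in level.items():
            rules.setdefault(key, value)  # keep the higher-precedence value
    return rules


def ra_guard(rules, msg_type, cur_hop_limit=None):
    """Return (permitted, reason) for an NDP message under the resolved rules."""
    # RA Guard discards RA, CPA and ICMPv6 Redirect messages on host ports.
    if rules["device-role"] == "host" and msg_type in ("RA", "CPA", "Redirect"):
        return False, f"{msg_type} received on host-role port"
    if msg_type != "RA":
        return True, "not subject to Cur Hop Limit verification"
    hi = rules["hop-limit.maximum"]
    lo = rules["hop-limit.minimum"]
    if hi not in (None, "disable") and cur_hop_limit > hi:
        return False, f"Cur Hop Limit {cur_hop_limit} above maximum {hi}"
    if lo not in (None, "disable") and cur_hop_limit < lo:
        return False, f"Cur Hop Limit {cur_hop_limit} below minimum {lo}"
    return True, "permitted"


# Constructed configuration (assumption, not from the page):
#   global RA Guard rules:        hop-limit minimum 5
#   policy on VLAN 100:           device-role router, hop-limit maximum 100
#   policy1 on te1/0/1, VLAN 100: hop-limit maximum disable   (Example 2 above)
#   te1/0/2 keeps the empty port_default policy
GLOBAL_RULES = {"hop-limit.minimum": 5}
VLAN_POLICIES = {100: {"device-role": "router", "hop-limit.maximum": 100}}
PORT_POLICIES = {("te1/0/1", 100): {"hop-limit.maximum": "disable"}}


def check_ra(port, vlan, cur_hop_limit):
    """Resolve the rules for (port, vlan) and verify one RA's Cur Hop Limit."""
    rules = effective_rules(PORT_POLICIES.get((port, vlan), {}),
                            VLAN_POLICIES.get(vlan, {}), GLOBAL_RULES)
    return ra_guard(rules, "RA", cur_hop_limit)


if __name__ == "__main__":
    for port, vlan, hl in (("te1/0/1", 100, 255), ("te1/0/2", 100, 255),
                           ("te1/0/2", 100, 64), ("te1/0/2", 100, 3),
                           ("te1/0/2", 200, 64)):
        print(port, vlan, hl, check_ra(port, vlan, hl))
```

The same RA with Cur Hop Limit 255 passes on te1/0/1, where the port policy disabled the maximum, and is dropped on te1/0/2, where the VLAN maximum of 100 still applies.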
29.13 ipv6 dhcp guard
To enable the DHCPv6 guard feature on a VLAN, use the ipv6 dhcp guard
command in VLAN Configuration mode. To return to the default, use the no form of
this command.
Syntax
ipv6 dhcp guard
no ipv6 dhcp guard
Parameters
N/A
Default Configuration
DHCPv6 Guard on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
DHCPv6 Guard blocks messages sent by DHCPv6 servers/relays to clients
received on ports that are not configured as a DHCPv6 server. Client messages or
messages sent by relay agents from clients to servers are not blocked. See the
device-role (IPv6 DHCP Guard) command for details.
DHCPv6 Guard validates received DHCPv6 messages based on a DHCPv6 Guard
policy attached to the source port.
Examples
Example 1—The following example enables DHCPv6 Guard on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp guard
switchxxxxxx(config-if)# exit
Example 2—The following example enables DHCPv6 Guard on VLANs 100-107:
switchxxxxxx(config)# interface range vlan 100-107
switchxxxxxx(config-if-range)# ipv6 dhcp guard
switchxxxxxx(config-if-range)# exit
29.14 ipv6 dhcp guard attach-policy (port mode)
To attach a DHCPv6 Guard policy to a specific port, use the ipv6 dhcp guard
attach-policy command in Interface Configuration mode. To return to the default,
use the no form of this command.
Syntax
ipv6 dhcp guard attach-policy policy-name [vlan vlan-list]
no ipv6 dhcp guard attach-policy [policy-name]
Parameters
• policy-name—The DHCPv6 Guard policy name (up to 32 characters).
• vlan vlan-list—Specifies that the DHCPv6 Guard policy is to be attached to the VLAN(s) in vlan-list. If the vlan keyword is not configured, the policy is applied to all VLANs on the device on which DHCPv6 Guard is enabled.
Default Configuration
The DHCPv6 Guard default policy is applied.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use this command to attach a DHCPv6 Guard policy to a port.
Each time the command is used, it overrides the previous command within the
same policy.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on which the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the set if they have not been added.
• The global rules are added to the set if they have not been added.
Use no ipv6 dhcp guard attach-policy to detach all user-defined DHCP Guard
policies attached to the port.
Use no ipv6 dhcp guard attach-policy policy-name to detach the specific policy
from the port.
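The attachment bookkeeping this command and the Policies section describe (vlan-list parsing, several policies on one port only with disjoint VLAN sets, re-issuing the command for a policy, the no form, and port_default applying otherwise), as an added Python example that is not Cisco's code. Treating a policy attached without the vlan keyword as covering every VLAN, and therefore conflicting with any other attached policy, is our reading of the text.

```python
# Added example (not Cisco's code): the attach-policy rules of a DHCPv6 Guard
# port, modelled in Python. VLAN lists use the CLI form "1-10,12-20".

def parse_vlan_list(text):
    """Expand a CLI vlan-list such as "1-10,12-20" into a set of VLAN ids."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


class PortGuardAttachments:
    """DHCPv6 Guard policies attached to one port, keyed by policy name.

    A VLAN set of None means the policy was attached without the vlan
    keyword and therefore covers every VLAN on which DHCPv6 Guard is enabled
    (assumption: such a policy shares VLANs with any other attached policy).
    """

    def __init__(self, defined_policies):
        self.defined = set(defined_policies)  # names created with "ipv6 dhcp guard policy"
        self.attached = {}                    # policy name -> set of VLAN ids or None

    def attach(self, policy_name, vlan_list=None):
        """ipv6 dhcp guard attach-policy <policy-name> [vlan <vlan-list>]"""
        if policy_name not in self.defined:
            raise ValueError(f"policy {policy_name} is not defined; command rejected")
        new = parse_vlan_list(vlan_list) if vlan_list else None
        for other, vlans in self.attached.items():
            if other == policy_name:
                continue  # re-issuing the command overrides the previous one
            if new is None or vlans is None or new & vlans:
                raise ValueError(f"{policy_name} shares VLANs with attached policy {other}")
        self.attached[policy_name] = new

    def detach(self, policy_name=None):
        """no ipv6 dhcp guard attach-policy [<policy-name>]"""
        if policy_name is None:
            self.attached.clear()  # all user-defined policies; port_default returns
        else:
            self.attached.pop(policy_name, None)

    def policy_for_vlan(self, vlan_id):
        """Name of the port-level policy that applies to a packet on vlan_id."""
        for name, vlans in self.attached.items():
            if vlans is None or vlan_id in vlans:
                return name
        return "port_default"  # the empty default policy is attached otherwise


def try_attach(port, policy_name, vlan_list=None):
    """Issue the attach command and report (accepted, message) as the CLI would."""
    try:
        port.attach(policy_name, vlan_list)
        return True, "ok"
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed walk-through of Examples 3 and 4 above on port te1/0/1.
    port = PortGuardAttachments({"policy1", "policy2"})
    print(try_attach(port, "policy1", "1-10"))
    print(try_attach(port, "policy2", "12-20"))
    print({v: port.policy_for_vlan(v) for v in (5, 11, 15)})
    print(try_attach(port, "policy2", "5-8"))  # rejected: VLANs shared with policy1
    port.detach("policy1")
    print(port.policy_for_vlan(5))
```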
Examples
Example 1—In the following example, the DHCPv6 Guard policy policy1 is
attached to the te1/0/1 port and the default policy port_default is detached:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 dhcp guard attach-policy policy1
switchxxxxxx(config-if)# exit
Example 2—In the following example, the DHCPv6 Guard policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 dhcp guard attach-policy policy1 vlan 1-10,12-20
switchxxxxxx(config-if)# exit
Example 3—In the following example, the DHCPv6 Guard policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and the DHCPv6 Guard
policy policy2 is attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 dhcp guard attach-policy policy1 vlan 1-10
switchxxxxxx(config-if)# ipv6 dhcp guard attach-policy policy2 vlan 12-20
switchxxxxxx(config-if)# exit
Example 4—In the following example, the DHCPv6 Guard policy policy1 is detached
from the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# no ipv6 dhcp guard attach-policy policy1
switchxxxxxx(config-if)# exit
29.15 ipv6 dhcp guard attach-policy (VLAN mode)
To attach a DHCPv6 Guard policy to a specified VLAN, use the ipv6 dhcp guard
attach-policy command in VLAN Configuration mode. To return to the default, use
the no form of this command.
Syntax
ipv6 dhcp guard attach-policy policy-name
no ipv6 dhcp guard attach-policy
Parameters
• policy-name—The DHCPv6 Guard policy name (up to 32 characters).
Default Configuration
The DHCPv6 Guard default policy is applied.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to attach a DHCPv6 Guard policy to a VLAN.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Use the no form of the command to detach the current policy and re-attach the
default policy. The no form of the command has no effect if the default policy
was attached.
Example
In the following example, the DHCPv6 Guard policy policy1 is attached to VLAN
100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 dhcp guard attach-policy policy1
switchxxxxxx(config-if)# exit
29.16 ipv6 dhcp guard policy
To define a DHCP Guard policy and place the switch in DHCPv6 Guard Policy
Configuration mode, use the ipv6 dhcp guard policy command in Global
Configuration mode. To remove the DHCPv6 guard policy, use the no form of this
command.
Syntax
ipv6 dhcp guard policy policy-name
no ipv6 dhcp guard policy policy-name
Parameters
• policy-name—The DHCPv6 Guard policy name (up to 32 characters).
Default Configuration
No DHCPv6 Guard policies are configured.
Command Mode
Global Configuration mode
User Guidelines
This command defines the DHCPv6 Guard policy name, and places the router in
DHCPv6 Guard Policy Configuration mode.
The following commands can be configured in IPv6 DHCP Guard Policy
Configuration mode:
• device-role (IPv6 DHCP Guard)
• match server address
• match reply
• preference
Each policy of the same type (for example, DHCPv6 Guard policies) must have a
unique name. Policies of different types can have the same policy name.
The switch supports two predefined, default DHCPv6 Guard policies named:
"vlan_default" and "port_default":
ipv6 dhcp guard policy vlan_default
exit
ipv6 dhcp guard policy port_default
exit
The default policies are empty and cannot be removed, but can be changed. The
no ipv6 dhcp guard policy command does not remove the default policies; it only
removes the policy configuration defined by the user.
The default policies cannot be attached by the ipv6 dhcp guard attach-policy
(port mode) or ipv6 dhcp guard attach-policy (VLAN mode) command. The
vlan_default policy is attached by default to a VLAN, if no other policy is attached
to the VLAN. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
You can define a policy using the ipv6 dhcp guard policy command multiple times.
Before an attached policy is removed, a request for confirmation is presented to
the user, as shown in Example 3 below.
Examples
Example 1—The following example defines a DHCPv6 Guard policy named
policy1, places the router in DHCPv6 Guard Policy Configuration mode, matches
server addresses against the list list1 and sets the device role as server:
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# match server address list1
switchxxxxxx(config-dhcp-guard)# device-role server
switchxxxxxx(config-dhcp-guard)# exit
Example 2—The following example defines a DHCPv6 Guard policy named policy1
in multiple steps:
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# match server address list1
switchxxxxxx(config-dhcp-guard)# exit
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# device-role server
switchxxxxxx(config-dhcp-guard)# exit
Example 3—The following example removes an attached DHCPv6 Guard policy:
switchxxxxxx(config)# no ipv6 dhcp guard policy policy1
Policy policy1 is applied on the following ports:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
29.17 ipv6 dhcp guard preference
To globally enable verification of the preference in messages sent by DHCPv6
servers, use the ipv6 dhcp guard preference command in Global Configuration
mode. To return to the default, use the no form of this command.
Syntax
ipv6 dhcp guard preference {[maximum value] [minimum value]}
no ipv6 dhcp guard preference [maximum] [minimum]
Parameters
• maximum value—Verifies that the advertised preference value is lower than or
equal to value. Range 0-255. The value of the high boundary must be equal to or
greater than the value of the low boundary.
• minimum value—Verifies that the advertised preference value is greater than or
equal to value. Range 0-255.
Default Configuration
Verification is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification that the preference value in messages sent by
DHCPv6 servers (see RFC3315) lies within the bounds set by the minimum and
maximum value arguments.
Note. When DHCPv6 Guard receives a RELAY-REPL message, it takes the preference
value from the encapsulated server message, not from the relay envelope.
Configuring the minimum value keyword and argument specifies the minimum
allowed value. The received DHCPv6 reply message with a preference value less
than a value specified by the value argument is dropped.
Configuring the maximum value keyword and argument specifies the maximum
allowed value. The received DHCPv6 reply message with a preference value
greater than the value specified by the value argument is dropped.
Use no ipv6 dhcp guard preference to disable verification of the advertised
preference value in DHCPv6 reply messages.
Use no ipv6 dhcp guard preference maximum to disable verification of the
maximum boundary of the value of the advertised preference value in DHCPv6
messages.
Use the no ipv6 dhcp guard preference minimum command to disable verification
of the minimum boundary of the value of the advertised preference value in
DHCPv6 messages.
Examples
Example 1—The following example defines a global minimum preference value of
10 and a global maximum preference value of 102 using two commands:
switchxxxxxx(config)# ipv6 dhcp guard preference minimum 10
switchxxxxxx(config)# ipv6 dhcp guard preference maximum 102
Example 2—The following example defines a global minimum preference value of
10 and a global maximum preference value of 102 using a single command:
switchxxxxxx(config)# ipv6 dhcp guard preference minimum 10 maximum 102
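The RELAY-REPL note above is the part that is easy to get wrong when reasoning about what the switch checks: the preference that matters is the one carried inside the relayed server message, not anything in the relay envelope. The following Python is an added example, not Cisco code or switch firmware, that parses a DHCPv6 server message, unwraps any RELAY-REPL envelopes through the Relay Message option (9), reads the Preference option (7) and applies the minimum/maximum bounds of ipv6 dhcp guard preference. It assumes that a reply carrying no Preference option counts as preference 0, which is what RFC 3315 tells clients to assume; the guide does not say how the switch treats that case. The sample messages are constructed inline.

```python
"""DHCPv6 Guard preference check (added example, not Cisco code).

Unwraps RELAY-REPL envelopes to the inner ADVERTISE/REPLY, reads the
Preference option and applies the configured minimum/maximum bounds.
"""
import struct

MSG_ADVERTISE, MSG_REPLY, MSG_RELAY_REPL = 2, 7, 13
OPT_PREFERENCE, OPT_RELAY_MSG = 7, 9


def dhcpv6_options(payload):
    """Yield (code, data) for each option: 2-byte code, 2-byte length (RFC 3315 s.22.1)."""
    off = 0
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated DHCPv6 option")
        yield code, payload[off:off + length]
        off += length


def unwrap_relay(msg):
    """Follow RELAY-REPL envelopes (possibly nested) to the client-facing message."""
    while msg and msg[0] == MSG_RELAY_REPL:
        # RELAY-REPL: msg-type(1) hop-count(1) link-address(16) peer-address(16) options
        inner = None
        for code, data in dhcpv6_options(msg[34:]):
            if code == OPT_RELAY_MSG:
                inner = data
                break
        if inner is None:
            raise ValueError("RELAY-REPL without Relay Message option")
        msg = inner
    return msg


def advertised_preference(msg):
    """Preference of a server message; None if it is not ADVERTISE/REPLY.

    Assumption (not from the guide): a missing Preference option counts as 0,
    as RFC 3315 prescribes for clients.
    """
    msg = unwrap_relay(msg)
    if msg[0] not in (MSG_ADVERTISE, MSG_REPLY):
        return None
    for code, data in dhcpv6_options(msg[4:]):  # msg-type(1) + transaction-id(3)
        if code == OPT_PREFERENCE and len(data) == 1:
            return data[0]
    return 0


def preference_allowed(msg, minimum=None, maximum=None):
    """True if the message passes the configured bounds; None means 'not verified'."""
    pref = advertised_preference(msg)
    if pref is None:
        return True  # not a server reply, the preference check does not apply
    if minimum is not None and pref < minimum:
        return False
    if maximum is not None and pref > maximum:
        return False
    return True


# Constructed sample messages for the example.
def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def make_reply(pref):
    """REPLY (type 7), transaction-id 0x000001, with a Preference option."""
    return bytes([MSG_REPLY, 0, 0, 1]) + option(OPT_PREFERENCE, bytes([pref]))


def make_relay_repl(inner):
    """RELAY-REPL wrapping 'inner'; link and peer addresses are zero here."""
    return bytes([MSG_RELAY_REPL, 0]) + bytes(32) + option(OPT_RELAY_MSG, inner)


if __name__ == "__main__":
    print(preference_allowed(make_reply(50), 10, 102))                      # True
    print(preference_allowed(make_relay_repl(make_reply(200)), 10, 102))   # False
```

The second call in the usage block is the case the note covers: the preference 200 sits inside a RELAY-REPL and still has to be compared against the maximum of 102.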
29.18 ipv6 first hop security
To enable IPv6 First Hop Security on a VLAN, use the ipv6 first hop security
command in VLAN Configuration mode. To return to the default, use the no form of
this command.
Syntax
ipv6 first hop security
no ipv6 first hop security
Parameters
N/A
Default Configuration
IPv6 First Hop Security on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the ipv6 first hop security command to enable IPv6 First Hop Security on a
VLAN.
Examples
Example 1—The following example enables IPv6 First Hop Security on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 first hop security
switchxxxxxx(config-if)# exit
Example 2—The following example enables IPv6 First Hop Security on VLANs
100-107:
switchxxxxxx(config)# interface range vlan 100-107
switchxxxxxx(config-if-range)# ipv6 first hop security
switchxxxxxx(config-if-range)# exit
29.19 ipv6 first hop security attach-policy (port mode)
To attach an IPv6 First Hop Security policy to a specific port, use the ipv6 first hop
security attach-policy command in Interface Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 first hop security attach-policy policy-name [vlan vlan-list]
no ipv6 first hop security attach-policy [policy-name]
Parameters
• policy-name—The IPv6 First Hop Security policy name (up to 32 characters).
• vlan vlan-list—Specifies that the IPv6 First Hop Security policy is to be
attached to the VLAN(s) in vlan-list. If the vlan keyword is not configured, the
policy is applied to all VLANs on the device on which IPv6 First Hop Security is
enabled.
Default Configuration
The IPv6 First Hop Security default policy is applied.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use this command to attach an IPv6 First Hop Security policy to a port.
Each time the command is used, it overrides the previous command within the
same policy.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on which
the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the set if
they have not been added.
• The global rules are added to the set if they have not been added.
Use the no ipv6 first hop security attach-policy command to detach all
user-defined policies attached to the port. The default policy is reattached.
Use the no ipv6 first hop security attach-policy policy-name command to detach
the specific policy from the port.
Examples
Example 1—In the following example, the IPv6 First Hop Security policy policy1 is
attached to the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 first hop security attach-policy policy1
switchxxxxxx(config-if)# exit
Example 2—In the following example, the IPv6 First Hop Security policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 first hop security attach-policy policy1 vlan 1-10,12-20
switchxxxxxx(config-if)# exit
Example 3—In the following example, the IPv6 First Hop Security policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and the IPv6 First Hop
Security policy policy2 is attached to the te1/0/1 port and applied to VLANs
12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 first hop security attach-policy policy1 vlan 1-10
switchxxxxxx(config-if)# ipv6 first hop security attach-policy policy2 vlan 12-20
switchxxxxxx(config-if)# exit
Example 4—In the following example, the IPv6 First Hop Security policy policy1 is
detached from the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# no ipv6 first hop security attach-policy policy1
switchxxxxxx(config-if)# exit
29.20 ipv6 first hop security attach-policy (VLAN mode)
To attach an IPv6 First Hop Security policy to a specified VLAN, use the ipv6 first
hop security attach-policy command in VLAN Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 first hop security attach-policy policy-name
no ipv6 first hop security attach-policy
Parameters
• policy-name—The IPv6 First Hop Security policy name (up to 32
characters).
Default Configuration
The IPv6 First Hop Security default policy is applied.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to attach an IPv6 First Hop Security policy to a VLAN.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Use the no form of the command to detach the current policy and to reattach the
default policy. The no form of the command has no effect if the default policy was
attached.
Example
In the following example, the IPv6 First Hop Security policy policy1 is attached to
VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 first hop security attach-policy policy1
switchxxxxxx(config-if)# exit
29.21 ipv6 first hop security logging packet drop
To globally enable the logging of dropped packets by the IPv6 First Hop Security
feature, use the ipv6 first hop security logging packet drop command in Global
Configuration mode. To return to the default, use the no form of this command.
Syntax
ipv6 first hop security logging packet drop
no ipv6 first hop security logging packet drop
Parameters
N/A
Default Configuration
Logging is disabled.
Command Mode
Global Configuration mode
User Guidelines
Use this command to log packets that are dropped. If logging is enabled, the
switch generates a rate-limited SYSLOG message when it drops a packet.
Example
The following example shows how to enable logging of dropped packets by the
IPv6 first-hop security feature:
switchxxxxxx(config)# ipv6 first hop security logging packet drop
29.22 ipv6 first hop security policy
To define an IPv6 First Hop Security policy and place the switch in IPv6 First Hop
Security Policy Configuration mode, use the ipv6 first hop security policy
command in Global Configuration mode. To remove the IPv6 First Hop Security
policy, use the no form of this command.
Syntax
ipv6 first hop security policy policy-name
no ipv6 first hop security policy policy-name
Parameters
• policy-name—The IPv6 First Hop Security policy name (up to 32
characters).
Default Configuration
No IPv6 First Hop Security policy is configured
Command Mode
Global Configuration mode
User Guidelines
This command defines an IPv6 First Hop Security policy, and places the switch in
IPv6 First Hop Security Policy Configuration mode
The following command can be configured in IPv6 First Hop Security Policy
Configuration mode:
• logging packet drop
Each policy of the same type (for example, IPv6 First Hop Security policies) must
have a unique name. Policies of different types can have the same policy name.
The switch supports two predefined, empty, default IPv6 First Hop Security
policies named: "vlan_default" and "port_default":
ipv6 first hop security policy vlan_default
exit
ipv6 first hop security policy port_default
exit
These policies cannot be removed but they can be changed. The no ipv6 first hop
security policy does not remove these policies, it only removes the policy
configurations defined by the user.
The default policies do not need to be attached by the ipv6 first hop security
attach-policy (port mode) or ipv6 first hop security attach-policy (VLAN mode)
command. The vlan_default policy is attached by default to a VLAN, if no other
policy is attached to the VLAN. The port_default policy is attached by default to a
port, if no other policy is attached to the port.
You can define a policy using the ipv6 first hop security policy command multiple
times.
If an attached policy is removed, it is detached automatically before removing.
Examples
Example 1—The following example defines the IPv6 First Hop Security policy
named policy1, places the switch in IPv6 First Hop Security Policy Configuration
mode, and enables logging of dropped packets:
switchxxxxxx(config)# ipv6 first hop security policy policy1
switchxxxxxx(config-ipv6-fhs)# logging packet drop
switchxxxxxx(config-ipv6-fhs)# exit
Example 2—The following example removes an attached IPv6 First Hop Security
policy:
switchxxxxxx(config)# no ipv6 first hop security policy policy1
Policy policy1 is applied on the following ports:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
29.23 ipv6 nd inspection
To enable the IPv6 Neighbor Discovery (ND) Inspection feature on a VLAN, use the
ipv6 nd inspection command in VLAN Configuration mode. To return to the default,
use the no form of this command.
Syntax
ipv6 nd inspection
no ipv6 nd inspection
Parameters
N/A
Default Configuration
ND Inspection on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the command to enable ND Inspection on a VLAN.
IPv6 ND Inspection validates the Neighbor Discovery Protocol (NDP) messages
using the ND Inspection policies and global ND Inspection configuration.
ND Inspection bridges NDP messages to all ports excluding the source port within
the VLAN with the following exception: RS and CPS messages are not bridged to
ports configured as host (see the device-role command).
ND inspection is performed after RA Guard.
Examples
Example 1—The following example enables ND Inspection on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 nd inspection
switchxxxxxx(config-if)# exit
Example 2—The following example enables ND Inspection on VLANs 100-107:
switchxxxxxx(config)# interface range vlan 100-107
switchxxxxxx(config-if-range)# ipv6 nd inspection
switchxxxxxx(config-if-range)# exit
29.24 ipv6 nd inspection attach-policy (port mode)
To attach an ND Inspection policy to a specific port, use the ipv6 nd inspection
attach-policy command in Interface Configuration mode. To return to the default,
use the no form of this command.
Syntax
ipv6 nd inspection attach-policy policy-name [vlan vlan-list]
no ipv6 nd inspection attach-policy [policy-name]
Parameters
• policy-name—The ND Inspection policy name (up to 32 characters).
• vlan vlan-list—Specifies that the ND Inspection policy is to be attached to the
VLAN(s) in vlan-list. If the vlan keyword is not configured, the policy is applied
to all VLANs on the device on which ND Inspection is enabled.
Default Configuration
The ND Inspection default policy is applied.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use the ipv6 nd inspection attach-policy command to attach an ND Inspection
policy to a port.
Use the ipv6 nd inspection command to activate the attached policy on required
VLANs.
Each time the command is used, it overrides the previous command within the
same policy.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on which
the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the set if
they have not been added.
• The global rules are added to the set if they have not been added.
Use the no ipv6 nd inspection attach-policy command to detach all user-defined
policies attached to the port.
Use the no ipv6 nd inspection attach-policy policy-name command to detach the
specific policy from the port.
Examples
Example 1—In the following example, the ND Inspection policy policy1 is attached
to the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 nd inspection attach-policy policy1
switchxxxxxx(config-if)# exit
Example 2—In the following example, the ND Inspection policy policy1 is attached
to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 nd inspection attach-policy policy1 vlan 1-10,12-20
switchxxxxxx(config-if)# exit
Example 3—In the following example, the ND Inspection policy policy1 is attached
to the te1/0/1 port and applied to VLANs 1-10 and the ND Inspection policy policy2
is attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 nd inspection attach-policy policy1 vlan 1-10
switchxxxxxx(config-if)# ipv6 nd inspection attach-policy policy2 vlan 12-20
switchxxxxxx(config-if)# exit
Example 4—In the following example, ND Inspection detaches policy policy1 from
the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# no ipv6 nd inspection attach-policy policy1
switchxxxxxx(config-if)# exit
29.25 ipv6 nd inspection attach-policy (VLAN mode)
To attach an ND Inspection policy to a specified VLAN, use the ipv6 nd inspection
attach-policy command in VLAN Configuration mode. To return to the default, use
the no form of this command.
Syntax
ipv6 nd inspection attach-policy policy-name
no ipv6 nd inspection attach-policy
Parameters
• policy-name—The ND Inspection policy name (up to 32 characters).
Default Configuration
The ND Inspection default policy is applied.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to attach an ND Inspection policy to a VLAN.
If the policy specified by the policy-name argument is not defined, the command
is rejected.
Use the no form of the command to detach the current policy and to reattach the
default policy. The no form of the command does not have an effect if the default
policy was attached.
Example
In the following example, the ND Inspection policy policy1 is attached to VLAN
100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 nd inspection attach-policy policy1
switchxxxxxx(config-if)# exit
29.26 ipv6 nd inspection drop-unsecure
To globally enable dropping messages with no CGA and RSA Signature options,
use the ipv6 nd inspection drop-unsecure command in Global Configuration
mode. To disable this function, use the no form of this command.
Syntax
ipv6 nd inspection drop-unsecure
no ipv6 nd inspection drop-unsecure
Parameters
N/A
Default Configuration
All messages are bridged.
Command Mode
Global Configuration mode
User Guidelines
This command drops NDP messages if they do not contain CGA and RSA
Signature options.
If this command is not configured, then the sec-level minimum command does not
have an effect.
If this command is configured, then only the sec-level minimum command has an
effect and all other configured ND Inspection policy commands are ignored.
Example
The following example configures the switch to drop NDP messages that do not
carry CGA and RSA Signature options:
switchxxxxxx(config)# ipv6 nd inspection drop-unsecure
29.27 ipv6 nd inspection policy
To define an ND Inspection policy and place the switch in IPv6 ND Inspection
Policy Configuration mode, use the ipv6 nd inspection policy command in Global
Configuration mode. To remove the ND Inspection policy, use the no form of this
command.
Syntax
ipv6 nd inspection policy policy-name
no ipv6 nd inspection policy policy-name
Parameters
• policy-name—The ND Inspection policy name (up to 32 characters).
Default Configuration
No ND Inspection policies are configured.
Command Mode
Global Configuration mode
User Guidelines
This command defines the ND Inspection policy name, and places the switch in ND
Inspection Policy Configuration mode.
The following commands can be configured in an ND Inspection policy:
• device-role (ND Inspection Policy)
• drop-unsecure
• sec-level minimum
• validate source-mac
Each policy of the same type (for example, ND Inspection policies) must have a
unique name. Policies of different types can have the same policy name.
The switch supports two predefined ND Inspection policies named: "vlan_default"
and "port_default":
ipv6 nd inspection policy vlan_default
exit
ipv6 nd inspection policy port_default
exit
These policies cannot be removed, but they can be changed. The no ipv6 nd
inspection policy does not remove these policies, it only removes the policy
configuration defined by the user.
The default policies cannot be attached by the ipv6 nd inspection attach-policy
(port mode) or ipv6 nd inspection attach-policy (VLAN mode) command. The
vlan_default policy is attached by default to a VLAN, if no other policy is attached
to the VLAN. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
You can define a policy using the ipv6 nd inspection policy command multiple
times.
If an attached policy is removed it is detached automatically before removing.
Examples
Example 1. The following example defines an ND Inspection policy named policy1,
places the switch in ND Inspection Policy Configuration mode, configures the
policy to drop unsecure messages and sets the device role as router:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# device-role router
switchxxxxxx(config-nd-inspection)# exit
Example 2. The following example defines an ND Inspection policy named policy1
in multiple steps:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# drop-unsecure
switchxxxxxx(config-nd-inspection)# exit
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# device-role router
switchxxxxxx(config-nd-inspection)# exit
Example 3. The following example removes an attached ND Inspection policy:
switchxxxxxx(config)# no ipv6 nd inspection policy policy1
Policy policy1 is applied on the following ports:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
29.28 ipv6 nd inspection sec-level minimum
To globally specify the minimum security level value, use the ipv6 nd inspection
sec-level minimum command in Global Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 nd inspection sec-level minimum value
no ipv6 nd inspection sec-level minimum
Parameters
• value—Sets the minimum security level. Range: 0–7.
Default Configuration
All messages are bridged.
Command Mode
Global Configuration mode
User Guidelines
This command specifies the minimum security level parameter value when the
drop-unsecure feature is configured.
This command has no effect if dropping of unsecure messages is disabled.
Example
The following example sets 2 as the minimum CGA security level:
switchxxxxxx(config)# ipv6 nd inspection sec-level minimum 2
29.29 ipv6 nd inspection validate source-mac
To globally enable checking the source MAC address against the link-layer
address in the source/target link-layer address option, use the ipv6 nd
inspection validate source-mac command in Global Configuration mode. To disable
this function, use the no form of this command.
Syntax
ipv6 nd inspection validate source-mac
no ipv6 nd inspection validate source-mac
Parameters
N/A
Default Configuration
This command is disabled by default.
Command Mode
Global Configuration mode
User Guidelines
When the switch receives an NDP message, which contains a link-layer address in
the source/target link layer option, the source MAC address is checked against
the link-layer address. Use this command to drop the packet if the link-layer
address and the MAC addresses are different from each other.
Example
The following example enables the switch to drop an NDP message whose
link-layer address in the source/target link-layer option does not match the MAC
address:
switchxxxxxx(config)# ipv6 nd inspection validate source-mac
29.30 ipv6 nd raguard
To enable the Router Advertisement (RA) Guard feature on a VLAN, use the ipv6
nd raguard command in VLAN Configuration mode. To return to the default, use the
no form of this command.
Syntax
ipv6 nd raguard
no ipv6 nd raguard
Parameters
N/A
Default Configuration
RA Guard on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the ipv6 nd raguard command, to enable IPv6 RA Guard on a VLAN.
RA Guard discards RA, CPA, and ICMP Redirect messages received on ports that
are not configured as router (see the device-role command).
RA Guard validates received RA messages based on an RA Guard policy
attached to the source port.
RA Guard is performed before ND inspection.
Examples
Example 1—The following example enables RA Guard on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 nd raguard
switchxxxxxx(config-if)# exit
Example 2—The following example enables RA Guard on VLANs 100-107:
switchxxxxxx(config)# interface range vlan 100-107
switchxxxxxx(config-if-range)# ipv6 nd raguard
switchxxxxxx(config-if-range)# exit
29.31 ipv6 nd raguard attach-policy (port mode)
To attach an RA Guard policy to a specific port, use the ipv6 nd raguard
attach-policy command in Interface Configuration mode. To return to the default,
use the no form of this command.
Syntax
ipv6 nd raguard attach-policy policy-name [vlan vlan-list]
no ipv6 nd raguard attach-policy [policy-name]
Parameters
• policy-name—The RA Guard policy name (up to 32 characters).
• vlan vlan-list—Specifies that the RA Guard policy is to be attached to the
VLAN(s) in vlan-list. If the vlan keyword is not configured, the policy is applied
to all VLANs on the device on which RA Guard is enabled.
Default Configuration
The RA Guard default policy is applied.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use this command to attach an RA Guard policy to a port.
Each time the command is used, it overrides the previous command within the
same policy.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port on the VLAN on which
the packet arrived are added to the set.
• The rules configured in the policy attached to the VLAN are added to the set if
they have not been added.
• The global rules are added to the set if they have not been added.
Use the no ipv6 nd raguard attach-policy command to detach all user-defined
policies attached to the port.
Use the no ipv6 nd raguard attach-policy policy-name command to detach the
specific policy from the port.
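The three-step merge above (the same text appears under ipv6 first hop security attach-policy (port mode) and ipv6 nd inspection attach-policy (port mode)) decides which value wins when a port policy, a VLAN policy and a global setting all speak to the same rule. The following Python is an added model, not Cisco code, of that merge together with the documented attach rules: an undefined policy is rejected, re-attaching a policy replaces its earlier attachment on the port, VLAN lists on one port may not overlap, and the empty port_default and vlan_default policies apply wherever nothing else is attached. It assumes that a port attachment with an explicit VLAN list takes precedence over one made without the vlan keyword; the guide does not state that ordering. Policy names and rule keys are made up for the example.

```python
"""Effective First Hop Security rule set for an ingress packet (added model, not Cisco code).

Port policy for the ingress VLAN first, then the VLAN policy, then global
settings; each layer supplies only the rules not already set by an earlier one.
"""


class FhsPolicySet:
    def __init__(self, global_rules=None):
        # The guide's predefined, empty policies; used wherever nothing is attached.
        self.policies = {"port_default": {}, "vlan_default": {}}
        self.port_attachments = {}   # port -> [(policy_name, frozenset of VLANs or None)]
        self.vlan_attachments = {}   # vlan -> policy_name
        self.global_rules = dict(global_rules or {})

    def define(self, name, rules):
        """Create or extend a policy; re-entering the same name adds to it (Example 2 above)."""
        self.policies.setdefault(name, {}).update(rules)

    def attach_port(self, port, name, vlans=None):
        """Port-mode attach-policy: undefined policy rejected, same policy re-attached
        replaces its earlier attachment, overlapping VLAN lists refused."""
        if name not in self.policies:
            raise ValueError(f"policy {name} is not defined")
        entries = [e for e in self.port_attachments.get(port, []) if e[0] != name]
        vset = None if vlans is None else frozenset(vlans)
        for other, other_vset in entries:
            if vset is not None and other_vset is not None and vset & other_vset:
                raise ValueError(f"VLAN list overlaps policy {other} on {port}")
        entries.append((name, vset))
        self.port_attachments[port] = entries

    def detach_port(self, port, name=None):
        """no attach-policy [policy-name]: drop one policy, or every user policy."""
        if name is None:
            self.port_attachments.pop(port, None)
        else:
            self.port_attachments[port] = [
                e for e in self.port_attachments.get(port, []) if e[0] != name]

    def attach_vlan(self, vlan, name):
        if name not in self.policies:
            raise ValueError(f"policy {name} is not defined")
        self.vlan_attachments[vlan] = name

    def port_policy(self, port, vlan):
        """Assumption: an attachment listing the VLAN beats one made without a VLAN list."""
        catch_all = "port_default"
        for name, vset in self.port_attachments.get(port, []):
            if vset is None:
                catch_all = name
            elif vlan in vset:
                return name
        return catch_all

    def effective_rules(self, port, vlan):
        """Merge port policy, VLAN policy and global rules; the earlier layer wins."""
        layers = (self.policies[self.port_policy(port, vlan)],
                  self.policies[self.vlan_attachments.get(vlan, "vlan_default")],
                  self.global_rules)
        merged = {}
        for layer in layers:
            for key, value in layer.items():
                merged.setdefault(key, value)
        return merged


def example():
    """Mirrors Example 3 above: policy1 on VLANs 1-10 and policy2 on VLANs 12-20 of te1/0/1,
    plus a VLAN policy on VLAN 15 and global hop-limit bounds (all values made up)."""
    fhs = FhsPolicySet(global_rules={"hop-limit-min": 3, "hop-limit-max": 100})
    fhs.define("policy1", {"device-role": "router"})
    fhs.define("policy2", {"device-role": "host", "hop-limit-min": 10})
    fhs.define("vlan15", {"hop-limit-max": 64, "device-role": "router"})
    fhs.attach_port("te1/0/1", "policy1", range(1, 11))
    fhs.attach_port("te1/0/1", "policy2", range(12, 21))
    fhs.attach_vlan(15, "vlan15")
    return fhs


if __name__ == "__main__":
    fhs = example()
    print(fhs.effective_rules("te1/0/1", 15))   # policy2 wins device-role and the minimum
    print(fhs.effective_rules("te1/0/1", 11))   # VLAN 11 is in no list: only global rules
```

The VLAN 15 case is the one worth tracing by hand: policy2 sets device-role and the minimum, the VLAN policy's device-role is ignored because the port layer already set it, its maximum of 64 is kept, and the global maximum of 100 never applies.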
Examples
Example 1—In the following example, the RA Guard policy policy1 is attached to
the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy1
switchxxxxxx(config-if)# exit
Example 2—In the following example, the RA Guard policy policy1 is attached to
the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy1 vlan 1-10,12-20
switchxxxxxx(config-if)# exit
Example 3—In the following example, the RA Guard policy policy1 is attached to
the te1/0/1 port and applied to VLANs 1-10 and the RA Guard policy policy2 is
attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy1 vlan 1-10
switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy2 vlan 12-20
switchxxxxxx(config-if)# exit
Example 4—In the following example RA Guard detaches policy policy1 from the
te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# no ipv6 nd raguard attach-policy policy1
switchxxxxxx(config-if)# exit
29.32 ipv6 nd raguard attach-policy (VLAN mode)
To attach an RA Guard policy to a specified VLAN, use the ipv6 nd raguard
attach-policy command in VLAN Configuration mode. To return to the default, use
the no form of this command.
Syntax
ipv6 nd raguard attach-policy policy-name
no ipv6 nd raguard attach-policy
Parameters
• policy-name—The RA Guard policy name (up to 32 characters).
Default Configuration
The RA Guard default policy is applied.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to attach an RA Guard policy to a VLAN.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Use the no form of the command to detach the current policy and to reattach the
default policy. The no form of the command has no effect if the default policy was
attached.
Example
In the following example, the RA Guard policy policy1 is attached to VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 nd raguard attach-policy policy1
switchxxxxxx(config-if)# exit
29.33 ipv6 nd raguard hop-limit
To globally enable verification of the advertised Cur Hop Limit value in RA
messages, use the ipv6 nd raguard hop-limit command in Global Configuration
mode. To return to the default, use the no form of this command.
Syntax
ipv6 nd raguard hop-limit {[maximum value] [minimum value]}
no ipv6 nd raguard hop-limit [maximum] [minimum]
Parameters
• maximum value—Verifies that the hop-count limit is lower than or equal to the
value argument. Range 1-255. The value of the high boundary must be equal to or
greater than the value of the low boundary.
• minimum value—Verifies that the hop-count limit is greater than or equal to the
value argument. Range 1-255.
Default Configuration
No hop-count limit is verified.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification that the advertised Cur Hop Limit value in an
RA message (see RFC4861) lies within the bounds set by the minimum and maximum
value arguments.
Configuring the minimum value keyword and argument can prevent an attacker
from setting a low Cur Hop Limit value on the hosts to block them from generating
traffic to remote destinations; that is, beyond their default router. If the advertised
Cur Hop Limit value is unspecified (which is the same as setting a value of 0), the
packet is dropped.
Configuring the maximum value keyword and argument enables verification that
the advertised Cur Hop Limit value is less than or equal to the value set by the
value argument. If the advertised Cur Hop Limit value is unspecified (which is the
same as setting a value of 0), the packet is dropped.
Use the no ipv6 nd raguard hop-limit maximum command to disable verification of
the maximum boundary of the advertised Cur Hop Limit value in an RA message.
Use the no ipv6 nd raguard hop-limit minimum command to disable verification of
the minimum boundary of the advertised Cur Hop Limit value in an RA message.
Examples
Example 1—The following example defines a minimum Cur Hop Limit value of 3
and a maximum Cur Hop Limit value of 100 using two commands:
switchxxxxxx(config)# ipv6 nd raguard hop-limit minimum 3
switchxxxxxx(config)# ipv6 nd raguard hop-limit maximum 100
Example 2—The following example defines a minimum Cur Hop Limit value of 3
and a maximum Cur Hop Limit value of 100 using a single command:
switchxxxxxx(config)# ipv6 nd raguard hop-limit minimum 3 maximum 100
29.34 ipv6 nd raguard managed-config-flag
To globally enable verification of the advertised Managed Address
Configuration flag in RA messages, use the ipv6 nd raguard managed-config-flag
command in Global Configuration mode. To return to the default, use the no form of
this command.
Syntax
ipv6 nd raguard managed-config-flag {on | off}
no ipv6 nd raguard managed-config-flag
Parameters
• on—The value of the flag must be 1.
• off—The value of the flag must be 0.
Default Configuration
Verification is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification of the advertised Managed Address
Configuration flag (or the M flag) in an RA message (see RFC4861). This flag could
be set by an attacker to force hosts to obtain addresses through a DHCPv6 server
that might not be trustworthy.
Example
The following example enables M flag verification that checks if the value of the
flag is 0:
switchxxxxxx(config)# ipv6 nd raguard managed-config-flag off
29.35 ipv6 nd raguard other-config-flag
To globally enable verification of the advertised “Other Configuration” flag in RA
messages, use the ipv6 nd raguard other-config-flag command in Global
Configuration mode. To return to the default, use the no form of this command.
Syntax
ipv6 nd raguard other-config-flag {on | off}
no ipv6 nd raguard other-config-flag
Parameters
• on—The value of the flag must be 1.
• off—The value of the flag must be 0.
Default Configuration
Verification is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification of the advertised “Other Configuration” flag (or
"O" flag) in an RA message (see RFC4861). This flag could be set by an attacker to
force hosts to retrieve other configuration information through a DHCPv6 server
that might not be trustworthy.
Example
The following example shows how the command enables O flag verification that
checks if the value of the flag is 0:
switchxxxxxx(config)# ipv6 nd raguard other-config-flag off
29.36 ipv6 nd raguard policy
To define an RA Guard policy name and place the switch in IPv6 RA Guard Policy
Configuration mode, use the ipv6 nd raguard policy command in Global
Configuration mode. To remove the RA Guard policy, use the no form of this
command.
Syntax
ipv6 nd raguard policy policy-name
no ipv6 nd raguard policy policy-name
Parameters
• policy-name—The RA Guard policy name (up to 32 characters).
Default Configuration
No RA Guard policy is configured
Command Mode
Global Configuration mode
User Guidelines
This command defines the RA Guard policy name, and places the switch in IPv6
RA Guard Policy Configuration mode.
Each policy of the same type (for example, RA Guard policies) must have a unique
name. Policies of different types can have a same policy name.
The switch supports two predefined RA Guard policies, named: "vlan_default" and
"port_default":
ipv6 nd raguard policy vlan_default
exit
ipv6 nd raguard policy port_default
exit
The policies cannot be removed, but they can be changed. The no ipv6 nd raguard
policy does not remove these policies, it only removes the policy configuration
defined by the user.
The policies cannot be attached by the ipv6 nd raguard attach-policy (port mode)
or ipv6 nd raguard attach-policy (VLAN mode) command. The vlan_default policy
is attached by default to a VLAN, if no other policy is attached to the VLAN. The
port_default policy is attached by default to a port, if no other policy is attached to
the port.
You can define a policy using the ipv6 nd raguard policy command multiple times.
If an attached policy is removed, it is detached automatically before removing.
The following commands can be configured in RA Guard Policy Configuration
mode:
• device-role (RA Guard Policy)
• hop-limit
• managed-config-flag
• match ra address
• match ra prefixes
• other-config-flag
• router-preference
Examples
Example 1—The following example defines an RA Guard policy named policy1,
places the router in RA Guard Policy Configuration mode, disables validation of
the Other Configuration flag, and sets the device role as router:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# other-config-flag disable
switchxxxxxx(config-ra-guard)# device-role router
switchxxxxxx(config-ra-guard)# exit
Example 2—The following example defines an RA Guard named policy1 using
multiple steps:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# other-config-flag disable
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# device-role router
switchxxxxxx(config-ra-guard)# exit
Example 3—The following example removes an attached RA Guard policy:
switchxxxxxx(config)# no ipv6 nd raguard policy policy1
Policy policy1 is applied on the following ports:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
29.37 ipv6 nd raguard router-preference
To globally enable verification of the advertised Default Router Preference value in
RA messages, use the ipv6 nd raguard router-preference command in Global
Configuration mode. To return to the default, use the no form of this command.
Syntax
ipv6 nd raguard router-preference {[maximum value] [minimum value]}
no ipv6 nd raguard router-preference [maximum] [minimum]
Parameters
• maximum value—Specifies the maximum allowed Advertised Default
Router Preference value. The following values are acceptable: low, medium
and high (see RFC4191). The value of the high boundary must be equal to or
greater than the value of the low boundary.
• minimum value—Specifies the minimum allowed Advertised Default Router
Preference value. The following values are acceptable: low, medium and
high (see RFC4191).
Default Configuration
Verification is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables verification of the advertised Default Router Preference
value in RA messages (see RFC4191).
Configuring the minimum value keyword and argument specifies the minimum
allowed value. Received RA messages with a Default Router Preference value less
than the value argument are dropped.
Configuring the maximum value keyword and argument specifies the maximum
allowed value. Received RA messages with a Default Router Preference value
greater than the value argument are dropped.
Use the no ipv6 nd raguard router-preference command to disable verification of
the advertised Default Router Preference value in RA messages.
Use the no ipv6 nd raguard router-preference maximum command to disable
verification of the maximum boundary of the advertised Default Router Preference
value in RA messages.
Use the no ipv6 nd raguard router-preference minimum command to disable
verification of the minimum boundary of the advertised Default Router Preference
value in RA messages.
Examples
Example 1—The following example defines that only a value of medium is
acceptable using two commands:
switchxxxxxx(config)# ipv6 nd raguard router-preference minimum medium
switchxxxxxx(config)# ipv6 nd raguard router-preference maximum medium
Example 2—The following example defines that only a value of medium is
acceptable using a single command:
switchxxxxxx(config)# ipv6 nd raguard router-preference minimum medium
maximum medium
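The four global RA Guard checks described in sections 29.33, 29.34, 29.35 and 29.37 (hop-limit, managed-config-flag, other-config-flag and router-preference), worked through as a small verification model. This is an added example, not code from the guide or from Cisco's implementation: it decodes the fixed Router Advertisement header (RFC4861, with the RFC4191 Prf bits) from a constructed packet and returns the reasons the switch's configured checks would drop it. The packet builder, class and field names, the assumed table capacity and the drop-reason strings are this example's own assumptions.

```python
"""RA Guard verification model (added example; not Cisco's code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134

# RFC 4191 section 2.2: Prf is the 2-bit field after the M, O and H flags.
# The reserved value 0b10 must be treated as medium (0b00) by receivers.
PRF_FROM_BITS = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PRF_TO_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}
PRF_RANK = {"low": 0, "medium": 1, "high": 2}   # ordering used for minimum/maximum


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int      # 0 means "unspecified"
    managed: bool           # M flag
    other: bool             # O flag
    preference: str         # "low" | "medium" | "high"


def build_ra(cur_hop_limit: int, managed: bool, other: bool,
             preference: str, router_lifetime: int = 1800) -> bytes:
    """Construct the 16-byte fixed RA header for sample packets (constructed
    input; checksum is left as 0 because this model does not verify it)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    flags |= PRF_TO_BITS[preference] << 3
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       cur_hop_limit, flags, router_lifetime, 0, 0)


def parse_ra(pkt: bytes) -> RouterAdvertisement:
    """Decode only the header fields RA Guard looks at."""
    if len(pkt) < 16:
        raise ValueError("RA header too short")
    icmp_type, code, _checksum, hop, flags = struct.unpack_from("!BBHBB", pkt, 0)
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return RouterAdvertisement(
        cur_hop_limit=hop,
        managed=bool(flags & 0x80),
        other=bool(flags & 0x40),
        preference=PRF_FROM_BITS[(flags >> 3) & 0b11],
    )


@dataclass
class RaGuardGlobalChecks:
    """Mirrors the global 'ipv6 nd raguard ...' settings; None = not verified."""
    hop_limit_minimum: Optional[int] = None
    hop_limit_maximum: Optional[int] = None
    managed_config_flag: Optional[str] = None   # "on" | "off"
    other_config_flag: Optional[str] = None     # "on" | "off"
    router_preference_minimum: Optional[str] = None
    router_preference_maximum: Optional[str] = None

    def __post_init__(self) -> None:
        # The guide requires the high boundary to be >= the low boundary.
        if (self.hop_limit_minimum is not None and self.hop_limit_maximum is not None
                and self.hop_limit_maximum < self.hop_limit_minimum):
            raise ValueError("hop-limit maximum must be >= minimum")
        if (self.router_preference_minimum is not None
                and self.router_preference_maximum is not None
                and PRF_RANK[self.router_preference_maximum] < PRF_RANK[self.router_preference_minimum]):
            raise ValueError("router-preference maximum must be >= minimum")


def ra_guard_verdict(ra: RouterAdvertisement, checks: RaGuardGlobalChecks) -> List[str]:
    """Return the reasons the RA fails verification; an empty list means it passes."""
    reasons: List[str] = []
    hop_checked = checks.hop_limit_minimum is not None or checks.hop_limit_maximum is not None
    if hop_checked and ra.cur_hop_limit == 0:
        # An unspecified Cur Hop Limit is dropped whenever either boundary is verified.
        reasons.append("cur-hop-limit unspecified")
    elif hop_checked:
        if checks.hop_limit_minimum is not None and ra.cur_hop_limit < checks.hop_limit_minimum:
            reasons.append("cur-hop-limit below minimum")
        if checks.hop_limit_maximum is not None and ra.cur_hop_limit > checks.hop_limit_maximum:
            reasons.append("cur-hop-limit above maximum")
    if checks.managed_config_flag is not None and ra.managed != (checks.managed_config_flag == "on"):
        reasons.append("managed-config-flag mismatch")
    if checks.other_config_flag is not None and ra.other != (checks.other_config_flag == "on"):
        reasons.append("other-config-flag mismatch")
    rank = PRF_RANK[ra.preference]
    if checks.router_preference_minimum is not None and rank < PRF_RANK[checks.router_preference_minimum]:
        reasons.append("router-preference below minimum")
    if checks.router_preference_maximum is not None and rank > PRF_RANK[checks.router_preference_maximum]:
        reasons.append("router-preference above maximum")
    return reasons
```

The checks object in the test below corresponds to the guide's own examples (hop-limit minimum 3 maximum 100, managed-config-flag off, other-config-flag off, router-preference minimum medium maximum medium); a legitimate RA with hop limit 64 and medium preference passes, while an RA that advertises an unspecified hop limit, sets the M flag, or claims high preference is reported with the matching reason.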
29.38 ipv6 neighbor binding
To globally enable the Neighbor Binding (NB) integrity feature on a VLAN, use the
ipv6 neighbor binding command in VLAN Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 neighbor binding
no ipv6 neighbor binding
Parameters
N/A
Default Configuration
NB integrity on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
NB integrity establishes binding for neighbors connected to the perimetrical ports
(see the device-role (Neighbor Binding) command) belonging to the VLANs on
which the feature is enabled.
Examples
Example 1—The following example enables NB integrity on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 neighbor binding
switchxxxxxx(config-if)# exit
Example 2—The following example enables NB integrity on VLANs 100-107:
switchxxxxxx(config)# interface range vlan 100-107
switchxxxxxx(config-if-range)# ipv6 neighbor binding
switchxxxxxx(config-if-range)# exit
29.39 ipv6 neighbor binding address-config
To specify allowed configuration methods of global IPv6 addresses, use the ipv6
neighbor binding address-config command in Global Configuration mode. To
return to the default setting, use the no form of this command.
Syntax
ipv6 neighbor binding address-config [stateless | any] [dhcp]
no ipv6 neighbor binding address-config
Parameters
• stateless—Only auto configuration is allowed for global IPv6 bound from
NDP messages.
• any—All configuration methods for global IPv6 bound from NDP messages
(stateless and manual) are allowed. If no keyword is defined the any
keyword is applied.
• dhcp—Binding from DHCPv6 is allowed.
Default Configuration
Any is the default parameter.
Command Mode
Global Configuration mode
User Guidelines
This command defines allowed IPv6 address configuration methods for global
IPv6 addresses.
The stateless and any keywords specify the following:
• Global IPv6 addresses are bound from NDP messages. If none of these
keywords are configured, only link-local addresses are bound from NDP
messages.
• How global IPv6 addresses, bound from NDP messages, are checked
against the Neighbor Prefix table, if prefix validation is enabled:
  - stateless—IPv6 addresses are bound from NDP messages, and only
  global addresses belonging to learned prefixes with set A-flag or
  prefixes manually configured with the autoconfig keyword are allowed.
  - any—IPv6 addresses are bound from NDP messages and only global
  addresses belonging to prefixes in NPT are allowed.
Use the dhcp keyword to allow binding from DHCPv6 messages. IPv6 addresses
bound from DHCPv6 messages are never verified against the Neighbor Prefix
table. IPv6 addresses bound from DHCPv6 messages override IPv6 addresses
bound from NDP messages.
Note. If the dhcp keyword is not configured, the switch will bind IPv6 addresses
assigned by DHCPv6 from NDP messages, because a host must execute the DAD
process for these addresses.
If no keyword is defined the ipv6 neighbor binding address-config any command
is applied.
Examples
Example 1. The following example specifies that any global IPv6 address
configuration method can be applied and there will be no binding from DHCPv6
messages:
switchxxxxxx(config)# ipv6 neighbor binding address-prefix-validation
switchxxxxxx(config)# ipv6 neighbor binding address-config any
Example 2. The following example specifies that any global IPv6 address binding
from NDP and global IPv6 address binding from DHCPv6 messages can be
applied:
switchxxxxxx(config)# ipv6 neighbor binding address-prefix-validation
switchxxxxxx(config)# ipv6 neighbor binding address-config any dhcp
Example 3. The following example specifies that only stateless global IPv6
address binding from NDP can be applied:
switchxxxxxx(config)# ipv6 neighbor binding address-prefix-validation
switchxxxxxx(config)# ipv6 neighbor binding address-config stateless
Example 4. The following example specifies that only the stateless IPv6 address
configuration and assignment by DHCPv6 methods can be applied and binding
only from NDP messages is supported:
switchxxxxxx(config)# ipv6 neighbor binding address-prefix-validation
switchxxxxxx(config)# ipv6 neighbor binding address-config stateless dhcp
Example 5. The following example specifies that global IPv6 addresses can be
assigned only by DHCPv6:
switchxxxxxx(config)# ipv6 neighbor binding address-config dhcp
29.40 ipv6 neighbor binding address-prefix
To define a static prefix for global IPv6 addresses bound from NDP messages, use
the ipv6 neighbor binding address-prefix command in Global Configuration mode.
To delete the prefix, use the no form of this command.
Syntax
ipv6 neighbor binding address-prefix vlan vlan-id ipv6-prefix/prefix-length
[autoconfig]
no ipv6 neighbor binding address-prefix [vlan vlan-id] [ipv6-prefix/prefix-length]
Parameters
• ipv6-prefix/prefix-length—IPv6 prefix.
• vlan vlan-id—ID of the specified VLAN.
• autoconfig—The prefix can be used for stateless configuration.
Default Configuration
No static prefix
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 neighbor binding address-prefix command to add a static prefix to
the Neighbor Prefix table.
Use the no ipv6 neighbor binding address-prefix vlan vlan-id
ipv6-prefix/prefix-length command to remove one static entry from the Neighbor
Prefix table.
Use the no ipv6 neighbor binding address-prefix vlan vlan-id command to remove
all static entries from the Neighbor Prefix table defined on the given VLAN.
Use the no ipv6 neighbor binding address-prefix command to remove all static
entries from the Neighbor Prefix table.
Examples
Example 1. The following example adds two static entries. The second one can be
used for stateless configuration.
switchxxxxxx(config)# ipv6 neighbor binding address-prefix vlan 100
2001:0DB8:101::/64
switchxxxxxx(config)# ipv6 neighbor binding address-prefix vlan 100
2001:0DB8:100::/64 autoconfig
Example 2. The following example deletes a single static entry:
switchxxxxxx(config)# no ipv6 neighbor binding address-prefix vlan 100
2001:0DB8:101::/64
Example 3. The following example deletes all static entries defined on the
specified VLAN:
switchxxxxxx(config)# no ipv6 neighbor binding address-prefix vlan 100
Example 4. The following example deletes all static entries:
switchxxxxxx(config)# no ipv6 neighbor binding address-prefix
29.41 ipv6 neighbor binding address-prefix-validation
To globally enable validation of a bound IPv6 address against the Neighbor Prefix
table, use the ipv6 neighbor binding address-prefix-validation command in Global
Configuration mode. To disable this feature, use the no form of this command.
Syntax
ipv6 neighbor binding address-prefix-validation
no ipv6 neighbor binding address-prefix-validation
Parameters
N/A
Default Configuration
The feature is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command enables bound address prefix validation. If the Neighbor Binding
feature is enabled, the switch checks if a bound address belongs to one of the
prefixes of the Neighbor Prefix table or to a manually-configured prefix list by the
ipv6 neighbor binding address-prefix command in the Neighbor Binding
configuration mode. If an address does not belong, it is not bound.
Example
The following example shows how to enable bound address validation against the
Neighbor Prefix table:
switchxxxxxx(config)# ipv6 neighbor binding address-prefix-validation
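The binding decision that sections 29.39, 29.40 and 29.41 describe together (address-config stateless/any/dhcp, the static Neighbor Prefix table entries with and without autoconfig, and address-prefix-validation), worked through as a decision function. This is an added example, not code from the guide or from Cisco's implementation: it takes a constructed Neighbor Prefix table, the configured mode and a candidate address learned from NDP or DHCPv6 on a VLAN, and says whether the address is bound and why. Class, method and field names are this example's own; the prefix entries used in the test are the ones from Example 1 of section 29.40.

```python
"""Model of the address-config / address-prefix / address-prefix-validation
rules (added example; not Cisco's code)."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    vlan: int
    prefix: IPv6Network
    autoconfig: bool   # static 'autoconfig' keyword, or a learned RA prefix with the A-flag set


@dataclass
class NeighborBindingConfig:
    ndp_mode: Optional[str] = "any"   # "stateless" | "any" | None (only link-local from NDP)
    dhcp: bool = False                # the 'dhcp' keyword
    prefix_validation: bool = False   # 'ipv6 neighbor binding address-prefix-validation'
    prefixes: List[PrefixEntry] = field(default_factory=list)   # the Neighbor Prefix table

    def add_static_prefix(self, vlan: int, prefix: str, autoconfig: bool = False) -> None:
        """'ipv6 neighbor binding address-prefix vlan <id> <prefix> [autoconfig]'."""
        self.prefixes.append(PrefixEntry(vlan, ip_network(prefix), autoconfig))

    def remove_static_prefixes(self, vlan: Optional[int] = None,
                               prefix: Optional[str] = None) -> int:
        """The three 'no' forms: one entry, all entries on a VLAN, or all entries.
        Returns how many entries were removed."""
        before = len(self.prefixes)
        net = ip_network(prefix) if prefix else None
        self.prefixes = [p for p in self.prefixes
                         if not ((vlan is None or p.vlan == vlan)
                                 and (net is None or p.prefix == net))]
        return before - len(self.prefixes)


def decide_binding(cfg: NeighborBindingConfig, vlan: int, addr: str,
                   source: str) -> Tuple[bool, str]:
    """source is 'ndp' (NS/NA seen on the VLAN) or 'dhcp' (a DHCPv6 reply).
    Returns (bound?, reason)."""
    address = ip_address(addr)
    if not isinstance(address, IPv6Address):
        return False, "not an IPv6 address"
    if source == "dhcp":
        if not cfg.dhcp:
            # Without 'dhcp' the DHCPv6 reply is not used for binding; the host's DAD
            # Neighbor Solicitation will present the address again under the NDP rules.
            return False, "dhcp keyword not configured; address is bound from DAD via NDP"
        return True, "bound from DHCPv6 (never checked against the Neighbor Prefix table)"
    if source != "ndp":
        return False, "unknown binding source"
    if address.is_link_local:
        return True, "link-local addresses are always bound from NDP"
    if cfg.ndp_mode is None:
        return False, "only link-local addresses are bound from NDP"
    if not cfg.prefix_validation:
        return True, "bound from NDP (prefix validation disabled)"
    matches = [p for p in cfg.prefixes if p.vlan == vlan and address in p.prefix]
    if cfg.ndp_mode == "stateless":
        matches = [p for p in matches if p.autoconfig]
        if not matches:
            return False, "no autoconfig-capable prefix on this VLAN covers the address"
        return True, "covered by autoconfig prefix %s" % matches[0].prefix
    if not matches:
        return False, "no Neighbor Prefix table entry on this VLAN covers the address"
    return True, "covered by prefix %s" % matches[0].prefix
```

With the two static entries from section 29.40 (2001:0DB8:101::/64 without autoconfig and 2001:0DB8:100::/64 with it) and address-config stateless plus prefix validation, an NDP-learned 2001:db8:100::1 is bound but 2001:db8:101::1 is not; switching to any admits both, a DHCPv6-assigned address is bound only once the dhcp keyword is present, and an address learned on a VLAN whose table has no covering entry is rejected.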
29.42 ipv6 neighbor binding attach-policy (port mode)
To attach a Neighbor Binding policy to a specific port, use the ipv6 neighbor
binding attach-policy command in Interface Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 neighbor binding attach-policy policy-name [vlan vlan-list]
no ipv6 neighbor binding attach-policy [policy-name]
Parameters
• policy-name—The Neighbor Binding policy name (up to 32 characters).
• vlan vlan-list—Specifies that the Neighbor Binding policy is to be attached
to the VLAN(s) in vlan-list. If the vlan keyword is not configured, the policy is
applied to all VLANs on the device on which Neighbor Binding policy is
enabled.
Default Configuration
The Neighbor Binding default policy is applied.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use this command to attach a Neighbor Binding policy to a port.
Each time the command is used, it overrides the previous command within the
same policy.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Multiple policies with the vlan keyword can be attached to the same port if they
do not have common VLANs.
The set of rules that is applied to an input packet is built in the following way:
• The rules, configured in the policy attached to the port on the VLAN on
which the packet arrived are added to the set.
• The rules, configured in the policy attached to the VLAN are added to the
set if they have not been added.
• The global rules are added to the set if they have not been added.
Use the no ipv6 neighbor binding attach-policy command to detach all
user-defined policies attached to the port.
Use the no ipv6 neighbor binding attach-policy policy-name command to detach
the specific policy from the port.
Examples
Example 1—In the following example, the Neighbor Binding policy policy1 is
attached to the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 neighbor binding attach-policy policy1
switchxxxxxx(config-if)# exit
Example 2—In the following example, the Neighbor Binding policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10 and 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 neighbor binding attach-policy policy1 vlan
1-10,12-20
switchxxxxxx(config-if)# exit
Example 3—In the following example, the Neighbor Binding policy policy1 is
attached to the te1/0/1 port and applied to VLANs 1-10, and the Neighbor Binding
policy policy2 is attached to the te1/0/1 port and applied to VLANs 12-20:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 neighbor binding attach-policy policy1 vlan 1-10
switchxxxxxx(config-if)# ipv6 neighbor binding attach-policy policy2 vlan
12-20
switchxxxxxx(config-if)# exit
Example 4—In the following example, the Neighbor Binding policy policy1 is
detached from the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# no ipv6 neighbor binding attach-policy policy1
switchxxxxxx(config-if)# exit
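The rule-set construction from the User Guidelines of this section (port policy for the packet's VLAN first, then the VLAN policy, then the global rules, each added only when the rule is not already in the set), together with the overlapping-VLAN restriction on port attachments, worked through as a small model. This is an added example, not code from the guide or from Cisco's implementation; the policy names, rule names and rule values it uses are constructed for illustration and the handling of a policy attached without the vlan keyword is an assumption noted in the code.

```python
"""Rule-set construction for attached Neighbor Binding policies (added example;
not Cisco's code)."""
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Rules = Dict[str, object]   # rule name -> value, e.g. {"device-role": "internal"}


class NeighborBindingAttachments:
    def __init__(self, global_rules: Rules):
        self.global_rules: Rules = dict(global_rules)
        self.vlan_policy: Dict[int, Tuple[str, Rules]] = {}
        # port -> {policy name: (VLAN set, or None meaning all VLANs; rules)}
        self.port_policy: Dict[str, Dict[str, Tuple[Optional[FrozenSet[int]], Rules]]] = {}

    def attach_to_vlan(self, vlan: int, name: str, rules: Rules) -> None:
        """'ipv6 neighbor binding attach-policy <name>' in VLAN mode (replaces the current one)."""
        self.vlan_policy[vlan] = (name, dict(rules))

    def attach_to_port(self, port: str, name: str, rules: Rules,
                       vlans: Optional[Iterable[int]] = None) -> bool:
        """'ipv6 neighbor binding attach-policy <name> [vlan <list>]' in port mode.
        Re-attaching the same policy overrides its previous command; a policy whose
        VLAN list overlaps another attached policy is rejected (returns False)."""
        attached = self.port_policy.setdefault(port, {})
        new_set = None if vlans is None else frozenset(vlans)
        for other, (other_set, _) in attached.items():
            if other == name:
                continue
            # Assumption: a policy attached without 'vlan' covers every VLAN, so it
            # overlaps any other attachment on the same port.
            if other_set is None or new_set is None or other_set & new_set:
                return False
        attached[name] = (new_set, dict(rules))
        return True

    def detach_from_port(self, port: str, name: Optional[str] = None) -> None:
        """'no ipv6 neighbor binding attach-policy [name]': one policy, or all user-defined ones."""
        if name is None:
            self.port_policy.pop(port, None)
        else:
            self.port_policy.get(port, {}).pop(name, None)

    def rule_set(self, port: str, vlan: int) -> Rules:
        """Build the rule set applied to a packet arriving on 'port' in 'vlan'."""
        result: Rules = {}
        for vlan_set, rules in self.port_policy.get(port, {}).values():
            if vlan_set is None or vlan in vlan_set:
                result.update(rules)          # at most one port policy matches by construction
                break
        if vlan in self.vlan_policy:
            for key, value in self.vlan_policy[vlan][1].items():
                result.setdefault(key, value)  # added only if not already in the set
        for key, value in self.global_rules.items():
            result.setdefault(key, value)
        return result
```

Reproducing Example 3 above (policy1 on VLANs 1-10 and policy2 on VLANs 12-20 on te1/0/1), a packet on VLAN 10 gets policy1's rules plus whatever the VLAN and global levels add, a packet on VLAN 11 falls through to the VLAN and global rules, and a third policy that names VLAN 5 is refused because it overlaps policy1.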
29.43 ipv6 neighbor binding attach-policy (VLAN mode)
To attach a Neighbor Binding policy to a specific VLAN, use the ipv6 neighbor
binding attach-policy command in VLAN Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 neighbor binding attach-policy policy-name
no ipv6 neighbor binding attach-policy
Parameters
• policy-name—The Neighbor Binding policy name (up to 32 characters).
Default Configuration
The Neighbor Binding default policy is applied.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use this command to attach a Neighbor Binding policy to a VLAN.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
Use the no form of the command to detach the current policy and reattach the
default policy. The no form of the command has no effect if the default policy
was attached.
Example
In the following example, the Neighbor Binding policy policy1 is attached to VLAN
100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 neighbor binding attach-policy policy1
switchxxxxxx(config-if)# exit
29.44 ipv6 neighbor binding lifetime
To globally change the default of the Neighbor Binding table entry lifetime, use the
ipv6 neighbor binding lifetime command in Global Configuration mode. To return to
the default setting, use the no form of this command.
Syntax
ipv6 neighbor binding lifetime value
no ipv6 neighbor binding lifetime
Parameters
• value—The lifetime in minutes. The range is from 1 through 60 minutes.
Default Configuration
5 minutes
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 neighbor binding lifetime command to change the default lifetime.
Example
The following example changes the lifetime for binding entries to 10 minutes:
switchxxxxxx(config)# ipv6 neighbor binding lifetime 10
29.45 ipv6 neighbor binding logging
To globally enable the logging of Binding table main events, use the ipv6 neighbor
binding logging command in Global Configuration mode. To disable this feature,
use the no form of this command.
Syntax
ipv6 neighbor binding logging
no ipv6 neighbor binding logging
Parameters
N/A
Default Configuration
Binding table events are not logged.
Command Mode
Global Configuration mode
User Guidelines
This command enables the logging of the following Binding table events:
• An entry is inserted into the Binding table.
• A Binding table entry was updated.
• A Binding table entry was deleted from the Binding table.
• A Binding table entry was not inserted into the Binding table, possibly
because the maximum number of entries has been reached or because of
Binding table overflow.
Example
The following example shows how to enable Binding table event logging:
switchxxxxxx(config)# ipv6 neighbor binding logging
29.46 ipv6 neighbor binding max-entries
To globally specify the maximum number of dynamic entries that are allowed to be
inserted in the Binding table cache, use the ipv6 neighbor binding max-entries
command in Global Configuration mode. To return to the default, use the no form of
this command.
Syntax
ipv6 neighbor binding max-entries {[vlan-limit number] [interface-limit number]
[mac-limit number]}
no ipv6 neighbor binding max-entries [vlan-limit] [interface-limit] [mac-limit]
Parameters
• vlan-limit number—Specifies a neighbor binding limit per VLAN.
• interface-limit number—Specifies a neighbor binding limit per port.
• mac-limit number—Specifies a neighbor binding limit per MAC address.
Default Configuration
This command is disabled.
Command Mode
Global Configuration mode
User Guidelines
This command is used to control the contents of the Binding table. This command
specifies the maximum number of dynamic entries that can be inserted in the
Binding table cache. After this limit is reached, new entries are refused, and a
Neighbor Discovery Protocol (NDP) traffic source with a new entry is dropped.
If the maximum number of entries specified is lower than the current number of
entries in the database, no entries are cleared, and the new threshold is reached
after normal cache attrition.
Example
The following example shows how to specify globally the maximum number of
entries that can be inserted into the cache per MAC:
switchxxxxxx(config)# ipv6 neighbor binding max-entries mac-limit 2
29.47 ipv6 neighbor binding policy
To define a Neighbor Binding policy and place the switch in IPv6 Neighbor Binding
Policy Configuration mode, use the ipv6 neighbor binding policy command in
Global Configuration mode. To remove the Neighbor Binding policy, use the no
form of this command.
Syntax
ipv6 neighbor binding policy policy-name
no ipv6 neighbor binding policy policy-name
Parameters
• policy-name—The Neighbor Binding policy name (up to 32 characters).
Default Configuration
No Neighbor Binding policy is configured
Command Mode
Global Configuration mode
User Guidelines
This command defines a Neighbor Binding policy name, and places the router in
Neighbor Binding Policy Configuration mode so that additional commands can be
added to the policy.
The switch supports two predefined Neighbor Binding policies, named:
"vlan_default" and "port_default":
ipv6 neighbor binding policy vlan_default
exit
ipv6 neighbor binding policy port_default
exit
The policies cannot be removed, but they can be changed. The no ipv6 neighbor
binding policy does not remove these policies, it only removes the policy
configuration defined by the user.
The policies cannot be attached by the ipv6 neighbor binding attach-policy (port
mode) or ipv6 neighbor binding attach-policy (VLAN mode) command. The
vlan_default policy is attached by default to a VLAN, if no other policy is attached
to the VLAN. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
You can define a policy using the ipv6 neighbor binding policy command multiple
times.
If an attached policy is removed, it is detached automatically before removing.
The following commands can be configured into IPv6 Neighbor Binding Policy
Configuration mode:
• device-role (Neighbor Binding)
• logging binding
• max-entries
• address-config
• address-prefix-validation
Examples
Example 1—The following example defines a Neighbor Binding policy named
policy1, places the router in Neighbor Binding Policy Configuration mode, enables
logging, and defines the port as internal:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# device-role internal
switchxxxxxx(config-nbr-binding)# logging binding
switchxxxxxx(config-nbr-binding)# exit
Example 2—The following example defines a Neighbor Binding policy named
policy1 using multiple steps:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# device-role internal
switchxxxxxx(config-nbr-binding)# exit
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# logging binding
switchxxxxxx(config-nbr-binding)# exit
Example 3—The following example removes an attached Neighbor Binding policy:
switchxxxxxx(config)# no ipv6 neighbor binding policy policy1
Policy policy1 is applied on the following ports:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
29.48 ipv6 neighbor binding static
To add a static entry to the Neighbor Binding table, use the ipv6 neighbor binding
static command in Global Configuration mode. To remove the static entry, use the
no form of this command.
Syntax
ipv6 neighbor binding static ipv6 ipv6-address vlan vlan-id interface interface-id
mac mac-address
no ipv6 neighbor binding static ipv6 ipv6-address vlan vlan-id
Parameters
• ipv6 ipv6-address—IPv6 address of the static entry.
• vlan vlan-id—ID of the specified VLAN.
• interface interface-id—Adds static entries to the specified port.
• mac mac-address—MAC address of the static entry.
Default Configuration
No static entry.
Command Mode
Global Configuration mode
User Guidelines
This command is used to add static entries to the Neighbor Binding table. Static
entries can be configured regardless of the port role.
If the entry (dynamic or static) already exists, the new static entry overrides the
existing one.
If the Neighbor Binding table overflows, the static entry is not added.
Example
The following example adds a static entry:
switchxxxxxx(config)# ipv6 neighbor binding static ipv6 2001:600::1 vlan 100
interface te1/0/1 mac 00BB.CC01.F500
29.49 ipv6 source guard
To enable the IPv6 Source Guard feature on a VLAN, use the ipv6 source guard
command in VLAN Configuration mode. To return to the default, use the no form of
this command.
Syntax
ipv6 source guard
no ipv6 source guard
Parameters
N/A
Default Configuration
Source Guard on a VLAN is disabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
IPv6 Source Guard blocks an IPv6 data message arriving on a port if its source
IPv6 address is bound to another port, or it is unknown.
Examples
Example 1—The following example enables IPv6 Source Guard on VLAN 100:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 source guard
switchxxxxxx(config-if)# exit
Example 2—The following example enables IPv6 Source Guard on VLANs
100-107:
switchxxxxxx(config)# interface range vlan 100-107
switchxxxxxx(config-if-range)# ipv6 source guard
switchxxxxxx(config-if-range)# exit
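The Binding table behaviours described in sections 29.44 to 29.49 (entry lifetime, the max-entries limits, static entries that override existing ones but are refused on overflow, event logging, and the IPv6 Source Guard decision that drops data whose source is unknown or bound to another port), worked through as one table model. This is an added example, not code from the guide or from Cisco's implementation; class and method names, the fixed table capacity, the event text and the rule that a static entry is not replaced by dynamic learning are this example's assumptions. The addresses, MACs and port names in the test are constructed, modelled on the guide's own examples.

```python
"""Model of the Neighbor Binding table and the IPv6 Source Guard check (added
example; not Cisco's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    ipv6: str
    vlan: int
    port: str
    mac: str
    static: bool
    expires_at: Optional[float]   # seconds; None for static entries


class BindingTable:
    def __init__(self, lifetime_minutes: int = 5, vlan_limit: Optional[int] = None,
                 interface_limit: Optional[int] = None, mac_limit: Optional[int] = None,
                 logging: bool = False, capacity: int = 1024):
        if not 1 <= lifetime_minutes <= 60:
            raise ValueError("lifetime range is 1 through 60 minutes")
        self.lifetime = lifetime_minutes * 60
        self.vlan_limit, self.interface_limit, self.mac_limit = vlan_limit, interface_limit, mac_limit
        self.logging = logging
        self.capacity = capacity          # assumed size of the table (not from the guide)
        self.entries: Dict[Tuple[str, int], Binding] = {}   # keyed by (address, VLAN)
        self.events: List[str] = []       # what 'ipv6 neighbor binding logging' would emit

    def _log(self, event: str) -> None:
        if self.logging:
            self.events.append(event)

    def _limit_hit(self, vlan: int, port: str, mac: str) -> Optional[str]:
        """Name the max-entries limit one more dynamic entry would exceed, if any."""
        dyn = [b for b in self.entries.values() if not b.static]
        if self.vlan_limit is not None and sum(b.vlan == vlan for b in dyn) >= self.vlan_limit:
            return "vlan-limit"
        if self.interface_limit is not None and sum(b.port == port for b in dyn) >= self.interface_limit:
            return "interface-limit"
        if self.mac_limit is not None and sum(b.mac == mac for b in dyn) >= self.mac_limit:
            return "mac-limit"
        return None

    def expire(self, now: float) -> None:
        """Age out dynamic entries whose lifetime has elapsed."""
        for key, b in list(self.entries.items()):
            if not b.static and b.expires_at is not None and b.expires_at <= now:
                del self.entries[key]
                self._log("deleted %s vlan %d (lifetime expired)" % (b.ipv6, b.vlan))

    def learn(self, ipv6: str, vlan: int, port: str, mac: str, now: float) -> bool:
        """Dynamic binding learned from NDP or DHCPv6. Returns False if refused."""
        self.expire(now)
        key = (ipv6, vlan)
        existing = self.entries.get(key)
        if existing is not None:
            if existing.static:
                return False   # assumption: dynamic learning does not replace a static entry
            existing.port, existing.mac = port, mac
            existing.expires_at = now + self.lifetime
            self._log("updated %s vlan %d -> %s" % (ipv6, vlan, port))
            return True
        if len(self.entries) >= self.capacity:
            self._log("not inserted %s vlan %d (table overflow)" % (ipv6, vlan))
            return False
        limit = self._limit_hit(vlan, port, mac)
        if limit:
            self._log("not inserted %s vlan %d (%s reached)" % (ipv6, vlan, limit))
            return False
        self.entries[key] = Binding(ipv6, vlan, port, mac, False, now + self.lifetime)
        self._log("inserted %s vlan %d on %s" % (ipv6, vlan, port))
        return True

    def add_static(self, ipv6: str, vlan: int, port: str, mac: str) -> bool:
        """'ipv6 neighbor binding static': overrides an existing entry; refused on overflow."""
        key = (ipv6, vlan)
        if key not in self.entries and len(self.entries) >= self.capacity:
            self._log("not inserted static %s vlan %d (table overflow)" % (ipv6, vlan))
            return False
        self.entries[key] = Binding(ipv6, vlan, port, mac, True, None)
        self._log("inserted static %s vlan %d on %s" % (ipv6, vlan, port))
        return True

    def source_guard(self, ipv6: str, vlan: int, ingress_port: str, now: float) -> str:
        """IPv6 Source Guard on the VLAN: 'forward', or the reason a data packet is dropped."""
        self.expire(now)
        b = self.entries.get((ipv6, vlan))
        if b is None:
            return "drop: unknown source address"
        if b.port != ingress_port:
            return "drop: source bound to %s" % b.port
        return "forward"
```

The test walks the table through the cases the guide describes: a third address from one MAC is refused under mac-limit 2, a full table refuses further dynamic entries, Source Guard forwards only from the port an address is bound to, an entry that is not refreshed disappears after its 5-minute lifetime, and a static entry overrides the dynamic one and is then neither aged out nor replaced by later learning.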
29.50 ipv6 source guard attach-policy (port mode)
To attach an IPv6 Source Guard policy to a specific port, use the ipv6 source
guard attach-policy command in Interface Configuration mode. To return to the
default, use the no form of this command.
Syntax
ipv6 source guard attach-policy policy-name
no ipv6 source guard attach-policy
Parameters
• policy-name—The IPv6 Source Guard policy name (up to 32 characters).
Default Configuration
The IPv6 Source Guard default policy is applied.
Command Mode
Interface (Ethernet, Port Channel) Configuration mode
User Guidelines
Use this command to attach an IPv6 Source Guard policy to a port.
Each succeeding ipv6 source guard attach-policy command overrides the
previous policy attachment on the same port.
IPv6 Source guard policies can be used to block forwarding IPv6 data messages
with unknown source IPv6 addresses or with source IPv6 addresses bound to a
port differing from the input one.
If a policy specified by the policy-name argument is not defined, the command is
rejected.
The set of rules that is applied to an input packet is built in the following way:
• The rules configured in the policy attached to the port.
• The global rules, which are added to the set if they have not been added already.
Use the no ipv6 source guard attach-policy command to detach the user defined policy
attached to the port and to reattach the default policy with name "port_default".
Examples
Example 1—In the following example, the IPv6 Source Guard policy policy1 is
attached to the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# ipv6 source guard attach-policy policy1
switchxxxxxx(config-if)# exit
Example 2—In the following example IPv6 Source Guard detaches policy1 from
the te1/0/1 port:
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# no ipv6 source guard attach-policy
switchxxxxxx(config-if)# exit
29.51 ipv6 source guard policy
To define an IPv6 Source Guard policy name and place the user in IPv6 Source
Guard Policy Configuration mode, use the ipv6 source guard policy command in
Global Configuration mode. To remove the IPv6 Source Guard policy name, use the
no form of this command.
Syntax
ipv6 source guard policy policy-name
no ipv6 source guard policy policy-name
Parameters
• policy-name—The IPv6 Source Guard policy name (up to 32 characters).
Default Configuration
No IPv6 Source Guard policies are configured.
Command Mode
Global Configuration mode
User Guidelines
This command defines the IPv6 Source Guard policy name, and places the router
in IPv6 Source Guard Policy Configuration mode.
The following commands can be configured in IPv6 Source Guard Policy
Configuration mode:
• trusted-port (IPv6 Source Guard)
Each policy of the same type (for example, IPv6 Source Guard policies) must have
a unique name. Policies of different types can have the same policy name.
The switch supports one predefined IPv6 Source Guard policy, named "port_default":
ipv6 source guard policy port_default
exit
The policy cannot be removed, but it can be changed. The no ipv6 source guard
policy command does not remove the policy; it only removes any policy
configuration defined by the user.
The policy can be attached by the ipv6 source guard attach-policy (port mode)
command. The port_default policy is attached by default to a port, if no other
policy is attached to the port.
If an attached policy is removed, it is detached automatically before it is removed.
Examples
Example 1—The following example defines the IPv6 Source Guard policy named
policy1, places the router in IPv6 Source Guard Policy Configuration mode, and
configures the port as trusted:
switchxxxxxx(config)# ipv6 source guard policy policy1
switchxxxxxx(config-ipv6-srcguard)# trusted-port
switchxxxxxx(config-ipv6-srcguard)# exit
Example 2—The following example removes the attached IPv6 Source Guard
policy:
switchxxxxxx(config)# no ipv6 source guard policy policy1
Policy policy1 is applied on the following ports:
te1/0/1, te1/0/2
The policy1 will be detached and removed, are you sure [Y/N]Y
29.52 logging binding
To enable the logging of Binding table main events within an IPv6 Neighbor
Binding policy, use the logging binding command in Neighbor Binding Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
logging binding [enable | disable]
no logging binding
Parameters
• enable—Enables logging of Binding table main events. If no keyword is configured, this keyword is applied by default.
• disable—Disables logging of Binding table main events.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example enables logging of Binding table main events within the
IPv6 Neighbor Binding policy named policy1:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# logging binding enable
switchxxxxxx(config-nbr-binding)# exit
29.53 logging packet drop
To enable the logging of dropped packets within an IPv6 First Hop Security policy,
use the logging packet drop command in IPv6 First Hop Security Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
logging packet drop [enable | disable]
no logging packet drop
Parameters
• enable—Enables logging of dropped packets. If no keyword is configured, this keyword is applied by default.
• disable—Disables logging of dropped packets.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
IPv6 First Hop Security Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example enables logging of dropped messages within the IPv6 First
Hop Security policy named policy1:
switchxxxxxx(config)# ipv6 first hop security policy policy1
switchxxxxxx(config-ipv6-fhs)# logging packet drop
switchxxxxxx(config-ipv6-fhs)# exit
29.54 managed-config-flag
To enable verification of the advertised Managed Address Configuration flag
within an IPv6 RA Guard policy, use the managed-config-flag command in RA
Guard Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
managed-config-flag {on | off | disable}
no managed-config-flag
Parameters
• on—The value of the flag must be 1.
• off—The value of the flag must be 0.
• disable—The value of the flag is not validated.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 nd
raguard managed-config-flag command on the port on which this policy applies.
Use the disable keyword to disable flag validation regardless of the global or
VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and enables M flag verification that
checks if the value of the flag is 0:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# managed-config-flag off
switchxxxxxx(config-ra-guard)# exit
29.55 match ra address
To enable verification of the router's IPv6 address in received RA messages within
an IPv6 RA Guard policy, use the match ra address command in RA Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
match ra address {prefix-list ipv6-prefix-list-name} | disable
no match ra address
Parameters
• prefix-list ipv6-prefix-list-name—The IPv6 prefix list to be matched.
• disable—Disables verification of the router's IPv6 address.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: router's addresses are not verified.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
This command enables verification of the router's IPv6 address in received RA
messages by a configured prefix list. If the router’s source IPv6 address does not
match the prefix list or if the prefix list is not configured, the RA message is
dropped.
Use the disable keyword to disable verification of the router’s IPv6 address
regardless of the VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, matches the router addresses to
the prefix list named list1, and defines the prefix list named list1 authorizing the
router with link-local address FE80::A8BB:CCFF:FE01:F700 only:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# match ra address prefix-list list1
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config)# ipv6 prefix-list list1 permit FE80::A8BB:CCFF:FE01:F700/128
29.56 match ra prefixes
To enable verification of the advertised prefixes in received RA messages within
an IPv6 RA Guard policy, use the match ra prefixes command in RA Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
match ra prefixes {prefix-list ipv6-prefix-list-name} | disable
no match ra prefixes
Parameters
• prefix-list ipv6-prefix-list-name—The IPv6 prefix list to be matched.
• disable—Disables verification of the advertised prefixes in received RA messages.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: advertised prefixes are not verified.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
This command enables verification of the advertised prefixes in received RA
messages by a configured prefix list. If an advertised prefix does not match the
prefix list, or if the prefix list is not configured, the RA message is dropped.
Use the disable keyword to disable verification of the advertised prefixes in
received RA messages regardless of the global or VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, matches the advertised prefixes to
the prefix list named list1, and defines list1 so that it denies the
2001:0DB8:101::/64 prefix and permits the 2001:0DB8:100::/64 prefix:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# match ra prefixes prefix-list list1
switchxxxxxx(config-ra-guard)# exit
switchxxxxxx(config)# ipv6 prefix-list list1 deny 2001:0DB8:101::/64
switchxxxxxx(config)# ipv6 prefix-list list1 permit 2001:0DB8:100::/64
29.57 match reply
To enable verification of the assigned IPv6 addresses in messages sent by
DHCPv6 servers/relays against a configured prefix list within a DHCPv6 Guard
policy, use the match reply command in DHCPv6 Guard Policy Configuration mode.
To return to the default, use the no form of this command.
Syntax
match reply {prefix-list ipv6-prefix-list-name} | disable
no match reply
Parameters
• prefix-list ipv6-prefix-list-name—The IPv6 prefix list to be matched.
• disable—Disables verification of the assigned addresses in replies.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: advertised prefixes are not verified.
Command Mode
DHCP Guard Policy Configuration mode
User Guidelines
IPv6 DHCP Guard verifies the assigned IPv6 addresses carried in the IA_NA and
IA_TA options of the following DHCPv6 messages sent by DHCPv6 servers/relays
against the configured prefix list:
• ADVERTISE
• REPLY
• RELAY-REPL
Note 1. Assigned addresses are not verified if the Status Code option is present
and its value is not one of the following:
• Success
• UseMulticast
Note 2. In RELAY-REPL messages DHCPv6 Guard validates the message
encapsulated in the DHCP-relay-message option.
Use the disable keyword to disable verification of the assigned IPv6 addresses in
replies.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard Policy Configuration mode, and matches the assigned
addresses to the prefix list named list1: assigned IPv6 addresses must belong
to 2001:0DB8:100::/48, except those in 2001:0DB8:100:200::/64, which are denied.
The "ge 128" parameter must be configured for each prefix-list entry whose prefix
length is less than 128, because assigned addresses are matched as /128 entries
and an entry without "ge" matches only prefixes of exactly its own length.
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# match reply prefix-list list1
switchxxxxxx(config-dhcp-guard)# exit
switchxxxxxx(config)# ipv6 prefix-list list1 deny 2001:0DB8:100:200::/64 ge 128
switchxxxxxx(config)# ipv6 prefix-list list1 permit 2001:0DB8:100::/48 ge 128
29.58 match server address
To enable verification of the source IPv6 address in messages sent by DHCPv6
servers or DHCPv6 Relays to a configured prefix list within a DHCPv6 Guard
policy, use the match server address command in DHCPv6 Guard Policy
Configuration mode. To return to the default, use the no form of this command.
Syntax
match server address {prefix-list ipv6-prefix-list-name} | disable
no match server address
Parameters
• prefix-list ipv6-prefix-list-name—The IPv6 prefix list to be matched.
• disable—Disables verification of the DHCP server's and relay's IPv6 address.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: server's addresses are not verified.
Command Mode
DHCP Guard Policy Configuration mode
User Guidelines
This command enables verification of the source IPv6 address in messages sent
by DHCPv6 servers and DHCPv6 Relays to a configured prefix list. If the source
IPv6 address does not match the configured prefix list, or if the prefix list is not
configured, the DHCPv6 reply is dropped.
IPv6 DHCP Guard verifies the source IPv6 address in the following DHCPv6
messages sent by DHCPv6 servers/relays:
• ADVERTISE
• REPLY
• RECONFIGURE
• RELAY-REPL
• LEASEQUERY-REPLY
Use the disable keyword to disable verification of the DHCP server's and relay’s
IPv6 address.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard Policy Configuration mode, matches the server or relay
addresses to the prefix list named list1, and defines the prefix list named list1
authorizing the server with link-local address FE80::A8BB:CCFF:FE01:F700 only:
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# match server address prefix-list list1
switchxxxxxx(config-dhcp-guard)# exit
switchxxxxxx(config)# ipv6 prefix-list list1 permit FE80::A8BB:CCFF:FE01:F700/128
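The four match commands above (match ra address, match ra prefixes, match reply and match server address) all reduce to the same check: every candidate prefix or address taken from the message is run through an ordered IPv6 prefix list, and the message is dropped if any candidate is not permitted or if the list is not configured. The following Python model is an added example, not Cisco code, and assumes standard prefix-list semantics (entries evaluated in order, implicit deny at the end, an entry without ge/le matching only prefixes of exactly its own length, "ge N" alone meaning lengths N through 128). The prefix-list lines it parses are the ones shown in the examples on this page; the addresses fed to guard_verdict are constructed.

```python
# Added example (not Cisco code): a model of how a prefix list gates the
# RA Guard and DHCPv6 Guard "match ..." verifications on this page.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PrefixListEntry:
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv6Network
    ge: Optional[int] = None         # minimum candidate prefix length
    le: Optional[int] = None         # maximum candidate prefix length

    def matches(self, candidate: ipaddress.IPv6Network) -> bool:
        # The candidate must lie inside the entry prefix ...
        if not candidate.subnet_of(self.prefix):
            return False
        # ... and its length must fall in [ge, le]; with neither given,
        # only a prefix of exactly the entry's own length matches.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 128                     # "ge N" alone means N..128
        else:
            hi = self.prefix.prefixlen
        return lo <= candidate.prefixlen <= hi


class PrefixList:
    """Ordered entries with an implicit deny after the last one."""

    def __init__(self, name: str, entries: Iterable[PrefixListEntry]):
        self.name = name
        self.entries: List[PrefixListEntry] = list(entries)

    @classmethod
    def from_cli(cls, name: str, lines: Iterable[str]) -> "PrefixList":
        """Parse 'ipv6 prefix-list <name> {permit|deny} <prefix> [ge N] [le N]'."""
        entries = []
        for line in lines:
            tok = line.split()
            if tok[:3] != ["ipv6", "prefix-list", name]:
                raise ValueError(f"not an entry of prefix list {name}: {line}")
            action = tok[3]
            if action not in ("permit", "deny"):
                raise ValueError(f"bad action in: {line}")
            prefix = ipaddress.IPv6Network(tok[4], strict=False)
            opts = dict(zip(tok[5::2], tok[6::2]))   # e.g. {"ge": "128"}
            entries.append(PrefixListEntry(
                action, prefix,
                ge=int(opts["ge"]) if "ge" in opts else None,
                le=int(opts["le"]) if "le" in opts else None))
        return cls(name, entries)

    def permits(self, candidate: ipaddress.IPv6Network) -> bool:
        for entry in self.entries:
            if entry.matches(candidate):
                return entry.action == "permit"
        return False                     # implicit deny


def guard_verdict(prefix_list: Optional[PrefixList], candidates: Iterable[str]) -> str:
    """'forward' only if every candidate is permitted, else 'drop'.
    An unconfigured prefix list drops the message, as the user guidelines
    for match ra prefixes and match reply state."""
    if prefix_list is None:
        return "drop"
    for item in candidates:
        net = ipaddress.IPv6Network(item, strict=False)   # bare address -> /128
        if not prefix_list.permits(net):
            return "drop"
    return "forward"


if __name__ == "__main__":
    # The match reply example from this page: the /64 carve-out is denied,
    # the rest of the /48 is permitted, both with "ge 128" so that /128
    # assigned addresses can match the entries at all.
    reply_list = PrefixList.from_cli("list1", [
        "ipv6 prefix-list list1 deny 2001:0DB8:100:200::/64 ge 128",
        "ipv6 prefix-list list1 permit 2001:0DB8:100::/48 ge 128",
    ])
    for addr in ("2001:0DB8:100:1::1", "2001:0DB8:100:200::1", "2001:0DB8:200::1"):
        print(addr, "->", guard_verdict(reply_list, [addr]))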
29.59 max-entries
To define the maximum number of dynamic entries that can be inserted in the
Binding table cache within an IPv6 Neighbor Binding policy, use the max-entries
command in Neighbor Binding Policy Configuration mode. To return to the default,
use the no form of this command.
Syntax
max-entries {[vlan-limit {number | disable}] [interface-limit {number | disable}] [mac-limit {number | disable}]}
no max-entries [vlan-limit] [interface-limit] [mac-limit]
Parameters
• vlan-limit number—Specifies a neighbor binding limit per VLAN. The parameter is ignored in a policy attached to a port.
• vlan-limit disable—Disables the neighbor binding limit per VLAN.
• interface-limit number—Specifies a neighbor binding limit per port.
• interface-limit disable—Disables the neighbor binding limit per port.
• mac-limit number—Specifies a neighbor binding limit per MAC address.
• mac-limit disable—Disables the neighbor binding limit per MAC address.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
Neighbor Binding Policy Configuration mode.
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Examples
Example 1—The following example defines a Neighbor Binding policy named
policy1, places the router in Neighbor Binding Policy Configuration mode, and
limits the number of IPv6 addresses allowed on the port to 25:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# max-entries interface-limit 25
switchxxxxxx(config-nbr-binding)# exit
Example 2—The following example defines a Neighbor Binding policy named
policy1, places the switch in Neighbor Binding Policy Configuration mode, and
disables the limit per MAC address:
switchxxxxxx(config)# ipv6 neighbor binding policy policy1
switchxxxxxx(config-nbr-binding)# max-entries mac-limit disable
switchxxxxxx(config-nbr-binding)# exit
29.60 other-config-flag
To enable verification of the advertised Other Configuration flag in RA
messages within an IPv6 RA Guard policy, use the other-config-flag command in
RA Guard Policy Configuration mode. To return to the default, use the no form of
this command.
Syntax
other-config-flag {on | off | disable}
no other-config-flag
Parameters
• on—The value of the flag must be 1.
• off—The value of the flag must be 0.
• disable—The value of the flag is not validated.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 nd
raguard other-config-flag command on the port on which this policy applies.
Use the disable keyword to disable flag validation regardless of the global or
VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and enables O flag verification that
checks if the value of the flag is 0:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# other-config-flag off
switchxxxxxx(config-ra-guard)# exit
29.61 preference
To enable verification of the preference in messages sent by DHCPv6 servers
within a DHCPv6 Guard policy, use the preference command in DHCPv6 Guard
Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
preference {[maximum {value | disable}] [minimum {value | disable}]}
no preference [maximum] [minimum]
Parameters
• maximum value—The advertised preference value must be less than or equal to the value argument. Range 0-255. The high boundary must be equal to or greater than the low boundary.
• maximum disable—Disables verification of the high boundary of the advertised preference value.
• minimum value—The advertised preference value must be greater than or equal to the value argument. Range 0-255.
• minimum disable—Disables verification of the low boundary of the advertised preference value.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
DHCP Guard Policy Configuration mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 dhcp
guard preference command on the port to which this policy applies.
Use the disable keyword to disable verification regardless of the global or
VLAN configuration.
Example
The following example defines a DHCPv6 Guard policy named policy1, places the
switch in DHCPv6 Guard Policy Configuration mode, and defines a minimum
preference value of 10:
switchxxxxxx(config)# ipv6 dhcp guard policy policy1
switchxxxxxx(config-dhcp-guard)# preference minimum 10
switchxxxxxx(config-dhcp-guard)# exit
29.62 router-preference
To enable verification of the advertised Default Router Preference value in RA
messages within an IPv6 RA Guard policy, use the router-preference command in
RA Guard Policy Configuration mode. To return to the default, use the no form of
this command.
Syntax
router-preference [maximum {value | disable}] [minimum {value | disable}]
no router-preference [maximum] [minimum]
Parameters
• maximum value—Specifies the maximum allowed advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191). The high boundary must be equal to or greater than the low boundary.
• maximum disable—Disables verification of the high boundary of the advertised Default Router Preference.
• minimum value—Specifies the minimum allowed advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
• minimum disable—Disables verification of the low boundary of the advertised Default Router Preference.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
RA Guard Policy Configuration mode
User Guidelines
Use this command to change the global configuration specified by the ipv6 nd
raguard router-preference command on the port on which this policy applies.
Use the disable keyword to disable verification regardless of the global or
VLAN configuration.
Example
The following example defines an RA Guard policy named policy1, places the
switch in RA Guard Policy Configuration mode, and defines a minimum Default
Router Preference value of medium:
switchxxxxxx(config)# ipv6 nd raguard policy policy1
switchxxxxxx(config-ra-guard)# router-preference minimum medium
switchxxxxxx(config-ra-guard)# exit
29.63 sec-level minimum
To specify the minimum security level value within an IPv6 ND Inspection policy,
use the sec-level minimum command in ND Inspection Policy Configuration mode.
To return to the default, use the no form of this command.
Syntax
sec-level minimum value | disable
no sec-level minimum
Parameters
• value—Sets the minimum security level, which is a value from 0 through 7.
• disable—Disables verification of the security level parameter.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
ND Inspection Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
This command has no effect if dropping of unsecured messages is disabled.
Example
The following example defines an NDP Inspection policy named policy1, places
the switch in ND Inspection Policy Configuration mode, and specifies 2 as the
minimum CGA security level:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# sec-level minimum 2
switchxxxxxx(config-nd-inspection)# exit
29.64 show ipv6 dhcp guard
To display the DHCPv6 Guard global configuration, use the show ipv6 dhcp guard
command in Privileged EXEC mode.
Syntax
show ipv6 dhcp guard
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
The show ipv6 dhcp guard command displays DHCPv6 Guard global
configuration.
Example
The following example shows the output of the show ipv6 dhcp guard command:
switchxxxxxx# show ipv6 dhcp guard
IPv6 DHCP Guard is enabled on VLANs:1-4,6,7,100-120
Default Preference
minimum: 10
maximum: 100
29.65 show ipv6 dhcp guard policy
To display DHCPv6 guard policies on all ports configured with the DHCPv6 guard
feature, use the show ipv6 dhcp guard policy command in privileged EXEC mode.
Syntax
show ipv6 dhcp guard policy [policy-name | active]
Parameters
• policy-name—Displays the DHCPv6 guard policy with the given name.
• active—Displays the attached DHCPv6 guard policies.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the options configured for the policy on all ports configured with the
DHCPv6 guard feature.
Examples
Example 1—The following example displays the Policy Configuration for a policy
named policy1:
switchxxxxxx# show ipv6 dhcp guard policy policy1
DHCPv6 Guard Policy: policy1
device-role: server
preference
minimum: 1
maximum: 200
server address prefix list: list1
reply prefix list name: list10
Attached to VLANs: 1-100,111-4094
Attached to ports:
  Ports       VLANs
  te1/0/1-2   1-58,68-4094
  te1/0/3-4   1-4094
  Po1-4       1-4094
Example 2—The following example displays the attached policies:
switchxxxxxx# show ipv6 dhcp guard policy active
Attached to VLAN:
  Policy Name    VLANs
  policy2        200-300
  vlan-default   1-199,301-4094
Attached to ports:
  Policy Name    Ports       VLANs
  policy1        te1/0/1-2   1-100
  port-default   te1/0/1-2   101-4094
                 te1/0/3-4   1-1094
Example 3—The following example displays the user defined policies:
switchxxxxxx# show ipv6 dhcp guard policy
policy1
policy2
29.66 show ipv6 first hop security
To display all IPv6 First Hop Security global configuration, use the show ipv6 first
hop security command in Privileged EXEC mode.
Syntax
show ipv6 first hop security
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command displays all IPv6 First Hop Security global configuration.
Example
The following example shows the output of the show ipv6 first hop security
command:
switchxxxxxx# show ipv6 first hop security
IPv6 First Hop Security is enabled on VLANs:1-4,6,7,100-120
Logging Packet Drop: enabled
29.67 show ipv6 first hop security active
policies
To display information about the policies applied to the port and to the VLAN, use
the show ipv6 first hop security active policies command in privileged EXEC
mode.
Syntax
show ipv6 first hop security active policies interface interface-id vlan vlan-id
Parameters
• interface interface-id—Port Identifier (Ethernet port or port channel).
• vlan vlan-id—VLAN Identifier.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the policies applied to frames arriving on the given port
and belonging to the given VLAN. The policies are calculated automatically from
the policies attached to the port, the policies attached to the VLAN, and the
global configuration.
Example
The following example displays the active attached policies on te1/0/1 and VLAN
100:
switchxxxxxx# show ipv6 first hop security active policies interface te1/0/1 vlan 100
IPv6 First Hop Security is enabled on VLANs:1-4,6,7,100-120
IPv6 DHCP Guard is enabled on VLANs:1-4
IPv6 ND Inspection is enabled on VLANs:1-4,6,7,100-120
IPv6 Neighbor Binding Integrity is enabled on VLANs:1-4,6,7,100-120
IPv6 RA Guard is enabled on VLANs:1-4,6,7,100-120
IPv6 Source Guard is enabled on VLANs:1-3,7,100-112
te1/0/1, VLAN 100
IPv6 First Hop Security Policy:
logging packet drop: enabled (from global configuration)
DHCPv6 Guard Policy:
device-role: server (from policy1 attached to the port)
reply prefix list name: list10 (from policy2 attached to the VLAN)
server address prefix list name: list22 (from policy2 attached to the VLAN)
preference
minimum: 1 (from policy2 attached to the VLAN)
maximum: 200 (from policy2 attached to the VLAN)
ND Inspection Policy:
device-role: host (default)
drop-unsecure: enabled (from policy2 attached to the VLAN)
sec-level minimum: 3 (from policy1 attached to the port)
validate source-mac: enabled (from global configuration)
Neighbor Binding Policy: policy1
device-role: perimiter (default)
logging binding: enabled (from policy1 attached to the port)
address-prefix-validation: enabled (from policy2 attached to the VLAN)
address-config: any (default)
maximum entries
VLAN: unlimited (from global configuration)
Port: 1 (from policy1 attached to the port)
MAC: 2 (from policy2 attached to the VLAN)
RA Guard Policy:
device-role: router (from policy1 attached to the port)
hop-limit:
minimum: 10 (from policy2 attached to the VLAN)
maximum: 20 (from global configuration)
manage-config-flag: on(from policy2 attached to the VLAN)
ra address verification::
disabled(default)
ra prefixes prefix list name: list1(from policy2 attached to the VLAN)
other-flag: disabled (default)
router-preference:
minimum: medium (from policy2 attached to the VLAN)
maximum: medium (from policy2 attached to the VLAN)
IPv6 Source Guard Policy:
trusted port: enabled (from policy1 attached to the port)
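The "(from ... attached to the port)", "(from ... attached to the VLAN)", "(from global configuration)" and "(default)" annotations in the output above are the visible result of the precedence rule repeated in the user guidelines of this chapter: a value set in the policy attached to the port overrides the policy attached to the VLAN, which overrides the global configuration, which overrides the built-in default. The following Python resolver is an added example, not Cisco code; the policy contents, attribute names and defaults it uses are constructed to mirror the RA Guard section of the sample output, and a policy only carries the attributes an administrator explicitly configured in it.

```python
# Added example (not Cisco code): resolves the effective value of each policy
# attribute with the precedence the guide describes and renders it with the
# same provenance annotations the show command prints.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Policy:
    name: str
    # Only the attributes explicitly configured in this policy.
    settings: Dict[str, Any] = field(default_factory=dict)


def resolve(attr: str, port_policy: Optional[Policy], vlan_policy: Optional[Policy],
            global_config: Dict[str, Any], default: Any = None) -> Tuple[Any, str]:
    """Port policy > VLAN policy > global configuration > built-in default."""
    if port_policy is not None and attr in port_policy.settings:
        return port_policy.settings[attr], f"from {port_policy.name} attached to the port"
    if vlan_policy is not None and attr in vlan_policy.settings:
        return vlan_policy.settings[attr], f"from {vlan_policy.name} attached to the VLAN"
    if attr in global_config:
        return global_config[attr], "from global configuration"
    return default, "default"


def active_policy(attrs: List[str], port_policy: Optional[Policy],
                  vlan_policy: Optional[Policy], global_config: Dict[str, Any],
                  defaults: Dict[str, Any]) -> Dict[str, Tuple[Any, str]]:
    """Effective (value, origin) for every attribute of one feature's policy."""
    return {a: resolve(a, port_policy, vlan_policy, global_config, defaults.get(a))
            for a in attrs}


def render(title: str, resolved: Dict[str, Tuple[Any, str]]) -> str:
    lines = [f"{title}:"]
    for attr, (value, origin) in resolved.items():
        lines.append(f"  {attr}: {value} ({origin})")
    return "\n".join(lines)


# Constructed sample modelled on the RA Guard part of the page's
# "show ipv6 first hop security active policies" output.
RA_GUARD_ATTRS = ["device-role", "hop-limit minimum", "hop-limit maximum",
                  "managed-config-flag", "other-config-flag",
                  "router-preference minimum"]
RA_GUARD_DEFAULTS = {"device-role": "host", "managed-config-flag": "disabled",
                     "other-config-flag": "disabled"}          # assumed defaults
PORT_POLICY = Policy("policy1", {"device-role": "router"})
VLAN_POLICY = Policy("policy2", {"hop-limit minimum": 10,
                                 "managed-config-flag": "on",
                                 "router-preference minimum": "medium"})
GLOBAL_RA_GUARD = {"hop-limit maximum": 20}


def sample_ra_guard() -> Dict[str, Tuple[Any, str]]:
    return active_policy(RA_GUARD_ATTRS, PORT_POLICY, VLAN_POLICY,
                         GLOBAL_RA_GUARD, RA_GUARD_DEFAULTS)


if __name__ == "__main__":
    print(render("RA Guard Policy", sample_ra_guard()))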
29.68 show ipv6 first hop security attached
policies
To display information about the policies attached to the port and to the VLAN, use
the show ipv6 first hop security attached policies command in privileged EXEC
mode.
Syntax
show ipv6 first hop security attached policies interface interface-id vlan vlan-id
Parameters
• interface interface-id—Port Identifier (Ethernet port or port channel).
• vlan vlan-id—VLAN Identifier.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the policies of all IPv6 First Hop Security features
attached to the VLAN specified by the vlan-id argument, and all policies
attached to the port and VLAN specified by the interface-id and vlan-id
arguments.
Examples
The following example displays the attached policy on te1/0/1 and VLAN 100:
switchxxxxxx# show ipv6 first hop security attached policies interface te1/0/1 vlan 100
Attached to VLAN 100
RA Guard Policy: policy1
Neighbor Bind Policy: policy2
Attached to port te1/0/1 and VLAN 100
IPv6 First Hop Security Policy: FHSpolicy
ND Inspection Policy: policy1
RA Guard Policy: policy3
Neighbor Bind Policy: policy3
IPv6 Source Guard Policy: policy4
29.69 show ipv6 first hop security counters
To display information about the packets counted by the port counter, use the
show ipv6 first hop security counters command in privileged EXEC mode.
Syntax
show ipv6 first hop security counters interface interface-id
Parameters
• interface interface-id—Displays counters for the specified Ethernet port or port channel.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays packets handled by the switch that are being counted in
port counters. The switch counts packets captured per port and records whether
the packet was received, bridged, or dropped. If a packet is dropped, the reason
for the drop and the feature that caused the drop are both also provided.
Examples
The following example displays information about packets counted on port te1/0/1:
switchxxxxxx# show ipv6 first hop security counters interface te1/0/1
Received messages on te1/0/1:
Protocol   Protocol message
NDP        RA[63] RS[0] NA[13] NS[0] REDIR[0]
DHCPv6     ADV[0] REP[20] REC[0] REL-REP[0] LEAS-REP[10] RLS[0] DEC[0]
Dropped messages on te1/0/1:
Protocol   Protocol message
NDP        RA[2] RS[0] NA[0] NS[0] REDIR[0]
DHCPv6     ADV[1] REP[2] REC[0] REL-REP[1] LEAS-REP[0] RLS[0] DEC[0]
Dropped reasons on te1/0/1:
Feature         Number   Reason
DHCP Guard      2        Server message on client port
DHCP Guard      1        Unauthorized assigned address
DHCP Guard      1        Unauthorized server source address
DHCP Guard      0        Unauthorized server preference
RA guard        1        Router message on host port
RA guard        1        Unauthorized source address
RA guard        0        Unauthorized advertise prefix
RA guard        0        Unauthorized router preference
RA guard        0        Unauthorized other config flag
RA guard        0        Unauthorized managed config flag
RA guard        0        Unauthorized cur hop limit
ND Inspection   0        Invalid source MAC
ND Inspection   0        Unsecure message
ND Inspection   0        Unauthorized sec level
Source guard    0        NoBinding
NB Integrity    0        Illegal ICMPv6 message
NB Integrity    0        Illegal DHCPv6 message
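The drop reasons in this output are the switch telling you that a host on the port tried to act as a router or DHCPv6 server, or lied about its link-layer address. The following added example (our own Python, not part of the Cisco guide) parses the output shown above, embedded here as a constructed sample, and turns the non-zero high-signal drop reasons into alerts. The HIGH_SIGNAL set, the regular expressions and the function names are our choices.

```python
import re

# Constructed sample: the 'show ipv6 first hop security counters' output from
# this section, as it would be captured from the switch over SSH.
SAMPLE = """\
switchxxxxxx# show ipv6 first hop security counters interface te1/0/1
Received messages on te1/0/1:
Protocol   Protocol message
NDP        RA[63] RS[0] NA[13] NS[0] REDIR[0]
DHCPv6     ADV[0] REP[20] REC[0] REL-REP[0] LEAS-REP[10] RLS[0] DEC[0]
Dropped messages on te1/0/1:
Protocol   Protocol message
NDP        RA[2] RS[0] NA[0] NS[0] REDIR[0]
DHCPv6     ADV[1] REP[2] REC[0] REL-REP[1] LEAS-REP[0] RLS[0] DEC[0]
Dropped reasons on te1/0/1:
Feature         Number   Reason
DHCP Guard      2        Server message on client port
DHCP Guard      1        Unauthorized assigned address
DHCP Guard      1        Unauthorized server source address
DHCP Guard      0        Unauthorized server preference
RA guard        1        Router message on host port
RA guard        1        Unauthorized source address
RA guard        0        Unauthorized advertise prefix
RA guard        0        Unauthorized router preference
RA guard        0        Unauthorized other config flag
RA guard        0        Unauthorized managed config flag
RA guard        0        Unauthorized cur hop limit
ND Inspection   0        Invalid source MAC
ND Inspection   0        Unsecure message
ND Inspection   0        Unauthorized sec level
Source guard    0        NoBinding
NB Integrity    0        Illegal ICMPv6 message
NB Integrity    0        Illegal DHCPv6 message
"""

# Drop reasons that mean a host is *trying* to be a router or DHCPv6 server,
# or is spoofing a neighbour: these deserve an alert, not just a counter.
HIGH_SIGNAL = {
    "Router message on host port",        # rogue RA on an access port
    "Server message on client port",      # rogue DHCPv6 server
    "Unauthorized server source address",
    "Unauthorized source address",        # RA from a source outside the allowed prefix list
    "Invalid source MAC",                 # ND link-layer option does not match the frame
}

SECTION_RE = re.compile(r"^(?P<section>Received messages|Dropped messages|Dropped reasons) on (?P<port>\S+):")
MSG_RE = re.compile(r"(?P<msg>[A-Z-]+)\[(?P<n>\d+)\]")          # e.g. REL-REP[1]
ROW_RE = re.compile(r"^(?P<feature>\S.*?\S)\s{2,}(?P<count>\d+)\s{2,}(?P<reason>\S.*)$")

def parse_counters(text):
    """Return (port, msgs, reasons).

    msgs:    {'Received': {'NDP': {'RA': 63, ...}, 'DHCPv6': {...}}, 'Dropped': {...}}
    reasons: [(feature, reason, count), ...] from the 'Dropped reasons' table
    """
    port, section = None, None
    msgs = {"Received": {}, "Dropped": {}}
    reasons = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, port = m.group("section"), m.group("port")
            continue
        if section in ("Received messages", "Dropped messages"):
            proto, _, rest = line.partition(" ")
            if proto in ("NDP", "DHCPv6"):
                msgs[section.split()[0]][proto] = {k: int(v) for k, v in MSG_RE.findall(rest)}
        elif section == "Dropped reasons":
            m = ROW_RE.match(line)            # the 'Feature Number Reason' header does not match
            if m:
                reasons.append((m.group("feature"), m.group("reason"), int(m.group("count"))))
    return port, msgs, reasons

def triage(text):
    """Return the (feature, reason, count) rows that should raise an alert."""
    _, _, reasons = parse_counters(text)
    return [(f, r, c) for f, r, c in reasons if c > 0 and r in HIGH_SIGNAL]

if __name__ == "__main__":
    port, _, _ = parse_counters(SAMPLE)
    for feature, reason, count in triage(SAMPLE):
        print(f"{port}: {feature}: {reason} ({count})")
```

The counters are cumulative, so a poller should keep the previous values per port and alert on the delta rather than on the absolute count; otherwise one old rogue-RA event keeps firing forever.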
29.70 show ipv6 first hop security error counters
To display global error counters, use the show ipv6 first hop security error
counters command in privileged EXEC mode.
Syntax
show ipv6 first hop security error counters
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command displays global error counters.
Examples
The following example displays the global error counters:
switchxxxxxx# show ipv6 first hop security error counters
Neighbor Binding Table Overflow counter: 0
Neighbor Prefix Table Overflow counter: 0
TCAM Overflow counter: 0
29.71 show ipv6 first hop security policy
To display IPv6 First Hop Security policies on all ports configured with the IPv6
First Hop Security feature, use the show ipv6 first hop security policy command in
privileged EXEC mode.
Syntax
show ipv6 first hop security policy [policy-name | active]
Parameters
• policy-name—Displays the IPv6 First Hop Security policy with the given name.
• active—Displays the attached IPv6 First Hop Security policies.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the options configured for the policy on all ports configured with the
IPv6 First Hop feature.
Examples
Example 1—The following example displays the Policy Configuration for a policy
named policy1:
switchxxxxxx# show ipv6 first hop security policy policy1
IPv6 First Hop Security Policy: policy1
logging packet drop: enabled
Attached to VLANs: 1-100,111-4094
Attached to ports:
Ports       VLANs
te1/0/1-2   1-58,68-4094
te1/0/3-4   1-4094
Po1-4       1-4094
Example 2—The following example displays the attached policies:
switchxxxxxx# show ipv6 first hop security policy active
Attached to VLANs:
Policy Name    VLANs
policy2        200-300
vlan-default   1-199,301-4094
Attached to ports:
Policy Name    Ports       VLANs
policy1        te1/0/1-2   1-100
port-default   te1/0/1-2   101-4094
               te1/0/3-4   1-4094
Example 3—The following example displays the user defined policies:
switchxxxxxx# show ipv6 first hop security policy
policy1
policy2
29.72 show ipv6 nd inspection
To display the ND Inspection global configuration, use the show ipv6 nd inspection
command in Privileged EXEC mode.
Syntax
show ipv6 nd inspection
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command displays ND Inspection global configuration.
Example
The following example shows the output of the show ipv6 nd inspection command:
switchxxxxxx# show ipv6 nd inspection
IPv6 ND Inspection is enabled on VLANs:1-4,6,7,100-120
unsecure drop: enabled
sec-level minimum value: 2
source mac validation: disabled
29.73 show ipv6 nd inspection policy
To display an IPv6 ND Inspection policy on all ports configured with the ND
Inspection feature, use the show ipv6 nd inspection policy command in privileged
EXEC mode.
Syntax
show ipv6 nd inspection policy [policy-name | active]
Parameters
• policy-name—Displays the ND Inspection policy with the given name.
• active—Displays the attached ND Inspection policies.
Command Mode
Privileged EXEC mode
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
switchxxxxxx# show ipv6 nd inspection policy policy1
ND Inspection Policy: policy1
device-role: router
drop-unsecure: enabled
Attached to VLANs: 1-100,111-4094
Attached to ports:
Ports       VLANs
te1/0/1-2   1-58,68-4094
te1/0/3-4   1-4094
Po1         1-4094
Example 2—The following example displays the attached policies:
switchxxxxxx# show ipv6 nd inspection policy active
Attached to VLANs:
Policy Name    VLANs
vlan-default   1-4094
Attached to ports:
Policy Name    Ports       VLANs
policy1        te1/0/1-2   1-100
port-default   te1/0/1-2   101-4094
               te1/0/3-4   1-4094
Example 3—The following example displays the user defined policies:
switchxxxxxx# show ipv6 nd inspection policy
policy1
policy2
29.74 show ipv6 nd raguard
To display the RA Guard global configuration, use the show ipv6 nd raguard command
in Privileged EXEC mode.
Syntax
show ipv6 nd raguard
Parameters
N/A
Command Mode
Privileged EXEC mode
Example
The following example gives an example of the show ipv6 nd raguard command
output:
switchxxxxxx# show ipv6 nd raguard
IPv6 RA Guard is enabled on VLANs:1-4,6,7,100-120
"Managed address configuration" flag (M-flag): off
"Other configuration" flag (O-flag): disabled
Hop Limit:
  minimum: 10
  maximum: 100
Default Router Preference:
  minimum: 1
  maximum: 1
29.75 show ipv6 nd raguard policy
To display a router advertisements (RAs) guard policy on all ports configured with
the RA guard feature, use the show ipv6 nd raguard policy command in privileged
EXEC mode.
Syntax
show ipv6 nd raguard policy [policy-name | active]
Parameters
• policy-name—Displays the RA guard policy with the given name.
• active—Displays the attached user-defined RA guard policies.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the options configured for the policy on all ports configured with the RA
guard feature.
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
switchxxxxxx# show ipv6 nd raguard policy policy1
RA Guard Policy: policy1
device-role: router
router address prefix list name: list1
prefixes prefix list name: list2
Attached to VLANs: 1-100,111-4094
Attached to ports:
Ports       VLANs
te1/0/1-2   1-58,68-4094
te1/0/3-4   1-4094
Po1-4       1-4094
Example 2—The following example displays the attached policies:
switchxxxxxx# show ipv6 nd raguard policy active
Attached to VLANs:
Policy Name    VLANs
vlan-default   1-4094
Attached to ports:
Policy Name    Ports       VLANs
port-default   te1/0/1-4   1-4094
Example 3—The following example displays the user defined policies:
switchxxxxxx# show ipv6 nd raguard policy
policy1
policy2
29.76 show ipv6 neighbor binding
To display the Neighbor Binding global configuration, use the show ipv6 neighbor
binding command in Privileged EXEC mode.
Syntax
show ipv6 neighbor binding
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the Neighbor Binding global configuration.
Example
The following example gives an example of the show ipv6 neighbor binding
command output:
switchxxxxxx# show ipv6 neighbor binding
Neighbor Binding Integrity is enabled on VLANs:1-4,6-7,100-120
Binding logging: disabled
Binding lifetime: 56 minutes
Address Configuration method: dhcp
Binding address prefix validation: disabled
Maximum entries
  VLAN: unlimited
  Port: 1
  MAC: 1
29.77 show ipv6 neighbor binding policy
To display Neighbor Binding policies, use the show ipv6 neighbor binding policy
command in Privileged EXEC mode.
Syntax
show ipv6 neighbor binding policy [policy-name | active]
Parameters
• policy-name—Displays the Neighbor Binding policy with the given name.
• active—Displays the attached Neighbor Binding policies.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays all user-defined Neighbor Binding policies, the policy with the given name, or the attached policies.
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
switchxxxxxx# show ipv6 neighbor binding policy policy1
Neighbor Binding Policy: policy1
address configuration method: dhcp
binding address prefix validation: disabled
device-role: perimeter
binding logging: disabled
max-entries
  VLAN: unlimited
  Port: 10
  MAC: 2
Attached to VLANs: 1-100,111-4094
Attached to ports:
Ports       VLANs
te1/0/1-2   1-58,68-4094
te1/0/3-4   1-4094
Po1-4       1-4094
Example 2—The following example displays the attached policies:
switchxxxxxx# show ipv6 neighbor binding policy active
Attached to VLANs:
Policy Name    VLANs
policy2        200-300
vlan-default   1-199,301-4094
Attached to ports:
Policy Name    Ports       VLANs
policy1        te1/0/1-4   1-100
port-default   te1/0/1-4   101-4094
Example 3—The following example displays the user defined policies:
switchxxxxxx# show ipv6 neighbor binding policy
policy1
policy2
29.78 show ipv6 neighbor binding prefix table
To display the contents of the Neighbor Prefix table, use the show ipv6 neighbor
binding prefix table command in Privileged EXEC mode.
Syntax
show ipv6 neighbor binding prefix table [vlan vlan-id]
Parameters
• vlan vlan-id—Displays the prefixes that match the specified VLAN.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the Neighbor Prefix table. The output can be limited to the
specified VLAN. If no VLAN is specified, all prefixes are displayed.
Example
The following example displays the learned prefixes:
switchxxxxxx# show ipv6 neighbor binding prefix table
Flags: A - the prefix can be used for autoconfig (stateless configuration)
Neighbor Prefix Table has 4 entries
VLAN  Prefix        Type     Flags  Remaining Lifetime
7     2004:1::/64   static
7     2006:1::/64   dynamic  A      1230
7     2008:1::/64   static
1027  2002:1::/64   dynamic  A      230
29.79 show ipv6 neighbor binding table
To display the contents of the Binding table, use the show ipv6 neighbor binding table
command in Privileged EXEC mode.
Syntax
show ipv6 neighbor binding table [vlan vlan-id] [interface interface-id] [ipv6
ipv6-address] [mac mac-address]
Parameters
• vlan vlan-id—Displays the Binding table entries that match the specified VLAN.
• interface interface-id—Displays the Binding table entries that match the specified port (Ethernet port or port channel).
• ipv6 ipv6-address—Displays the Binding table entries that match the specified IPv6 address.
• mac mac-address—Displays the Binding table entries that match the specified MAC address.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the contents of the Binding table. The output can be filtered
by VLAN, port, IPv6 address, or MAC address. If no keywords or arguments are
entered, all Binding table contents are displayed. Any combination of keywords and
arguments is allowed.
Example
The following example displays the contents of the Binding table:
switchxxxxxx# show ipv6 neighbor binding table
Binding Table has 4 entries
VLAN  IPv6 address   Inter    MAC address     Origin  State  Expir.  TCAM
                                                             Time    Ovrfl
----  -------------  -------  --------------  ------  -----  ------  -----
100   2001:300::1    te1/0/1  AABB.CC01.F500  NDP     VALID  559
100   2001:600::1    te1/0/1  AABB.CC01.F501  NDP     VALID  96
100   2001:100::2    te1/0/2  AABB.CC01.F100  NDP     TENT
200   2001:200::3    te1/0/2  AABB.CC01.F160  NDP     VALID  79      *
Field Descriptions:
• VLAN—VLAN the host belongs to.
• IPv6 address—IPv6 address of the host.
• Inter—Port the host is connected on.
• MAC address—MAC address of the host.
• Origin—Protocol that has added the IPv6 address:
  • Static—The static IPv6 address manually defined by the ipv6 neighbor binding static command.
  • NDP—The IPv6 address learnt from NDP protocol messages.
  • DHCP—The IPv6 address learnt from DHCPv6 protocol messages.
• State—Entry’s state:
  • TENT—The new host IPv6 address is under validation. Since its lifetime is less than 1 sec, its expiration time is not displayed.
  • VALID—The host IPv6 address was bound.
• Expir. Time—Time left in seconds until the entry is removed, if it is not confirmed.
• TCAM Ovrfl—Entries marked by ’*’ have not been added to the TCAM because of TCAM overflow. The TCAM Overflow counter of the show ipv6 first hop security error counters command counts these events.
29.80 show ipv6 source guard
To display the IPv6 Source Guard global configuration, use the show ipv6 source
guard command in Privileged EXEC mode.
Syntax
show ipv6 source guard
Parameters
N/A
Command Mode
Privileged EXEC mode
User Guidelines
This command displays the IPv6 Source Guard global configuration.
Example
The following example gives an example of the show ipv6 source guard command
output:
switchxxxxxx# show ipv6 source guard
IPv6 Source Guard is enabled on VLANs:1-4,6,7,100-120
29.81 show ipv6 source guard policy
To display IPv6 Source Guard policies, use the show ipv6 source guard policy
command in Privileged EXEC mode.
Syntax
show ipv6 source guard policy [policy-name | active]
Parameters
• policy-name—Displays the IPv6 Source Guard policy with the given name.
• active—Displays the attached IPv6 Source Guard policies.
Command Mode
Privileged EXEC mode
User Guidelines
This command displays all configured IPv6 Source Guard policies, the given one
or all attached IPv6 Source Guard policies.
Examples
Example 1—The following example displays the policy configuration for a policy
named policy1:
switchxxxxxx# show ipv6 source guard policy policy1
IPv6 Source Guard Policy: policy1
trusted port: disabled
Attached to ports:
Ports
te1/0/1-2
te1/0/4
Po1-4
Example 2—The following example displays the attached policies:
switchxxxxxx# show ipv6 source guard policy active
Attached to VLANs:
Attached to ports:
Policy Name    Ports
policy1        te1/0/1-2
port-default   te1/0/1-2
               te1/0/3
Example 3—The following example displays the user defined policies:
switchxxxxxx# show ipv6 source guard policy
policy1
policy2
29.82 trusted-port (IPv6 Source Guard)
To configure a port as trusted port within an IPv6 Source Guard policy, use the
trusted-port command in IPv6 Source Guard Policy Configuration mode. To return
to the default, use the no form of this command.
Syntax
trusted-port
no trusted-port
Parameters
N/A
Default Configuration
Not trusted.
Command Mode
IPv6 Source Guard Policy Configuration mode
User Guidelines
IPv6 data messages bridged from trusted ports are not validated by IPv6 Source
Guard. Apply this only to ports that face routers or other switches that enforce
IPv6 First Hop Security themselves; a trusted access port allows the attached host
to send traffic from any IPv6 source address.
Example
The following example defines a policy that marks a port as trusted:
switchxxxxxx(config)# ipv6 source guard policy policy1
switchxxxxxx(config-ipv6-srcguard)# trusted-port
switchxxxxxx(config-ipv6-srcguard)# exit
29.83 validate source-mac
To enable checking the MAC addresses against the link-layer address within an
IPv6 ND Inspection policy, use the validate source-mac command in ND Inspection
Policy Configuration mode. To return to the default, use the no form of this
command.
Syntax
validate source-mac [enable | disable]
no validate source-mac
Parameters
• enable—Enables validation of the MAC address against the link-layer address. If no keyword is configured, this keyword is applied by default.
• disable—Disables validation of the MAC address against the link-layer address.
Default Configuration
Policy attached to port or port channel: the value configured in the policy attached
to the VLAN.
Policy attached to VLAN: global configuration.
Command Mode
ND inspection Policy Configuration mode
User Guidelines
If this command is part of a policy attached to a VLAN, it is applied to all the ports
in the VLAN. If it is defined in a policy attached to a port in the VLAN, this value
overrides the value in the policy attached to the VLAN.
Example
The following example configures policy1 to drop NDP messages whose source
link-layer address option does not match the source MAC address of the frame:
switchxxxxxx(config)# ipv6 nd inspection policy policy1
switchxxxxxx(config-nd-inspection)# validate source-mac
switchxxxxxx(config-nd-inspection)# exit
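To make the check concrete, here is an added example of the comparison that validate source-mac performs. It is our own Python, not Cisco's implementation: it builds a Neighbor Solicitation frame (RFC 4861 layout, ICMPv6 checksum left at zero, constructed input) and tests whether the Source Link-Layer Address option agrees with the Ethernet source MAC. The function names and the sample addresses are assumptions for illustration.

```python
import ipaddress
import struct

# Added example, not the switch's code: the comparison ND Inspection makes for
# 'validate source-mac'.  Frame layouts follow RFC 8200 (IPv6) and RFC 4861 (ND);
# the ICMPv6 checksum is left at zero because checksum validation is a separate step.
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
OPT_SOURCE_LLADDR = 1
# ICMPv6 type -> offset of the first ND option inside the ICMPv6 message (RFC 4861)
ND_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}

def mac_bytes(mac):
    """Accept aa:bb:cc:01:f5:00 or Cisco-style AABB.CC01.F500."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))

def ipv6_bytes(addr):
    return ipaddress.IPv6Address(addr).packed

def build_ns(eth_src_mac, ipv6_src, ipv6_dst, target, slla_mac):
    """Construct an Ethernet/IPv6/ICMPv6 Neighbor Solicitation carrying a Source
    Link-Layer Address option.  slla_mac may differ from eth_src_mac to simulate
    a host that lies in the option."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + ipv6_bytes(target)        # type, code, cksum, reserved, target
    icmp += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac_bytes(slla_mac)  # option length is in 8-byte units
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)  # version 6, payload len, NH, hop limit
    ip6 += ipv6_bytes(ipv6_src) + ipv6_bytes(ipv6_dst)
    eth = mac_bytes("33:33:ff:00:00:01") + mac_bytes(eth_src_mac) + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + icmp

def nd_source_mac_ok(frame):
    """True if the frame passes the source-mac check: it is not an NDP message,
    carries no SLLA option, or its SLLA option equals the Ethernet source MAC.
    False is what ND Inspection reports as the 'Invalid source MAC' drop."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return True                       # not IPv6: nothing for ND Inspection to check
    eth_src = frame[6:12]
    payload_len = struct.unpack("!H", frame[18:20])[0]
    if frame[20] != IPPROTO_ICMPV6:       # next header; extension headers are not walked here
        return True
    icmp = frame[54:54 + payload_len]
    if not icmp or icmp[0] not in ND_OPTIONS_OFFSET:
        return True                       # ICMPv6 but not an NDP message
    off = ND_OPTIONS_OFFSET[icmp[0]]
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            return False                  # malformed option: RFC 4861 requires discarding the packet
        if opt_type == OPT_SOURCE_LLADDR:
            return icmp[off + 2:off + 8] == eth_src
        off += opt_len * 8
    return True                           # no SLLA option present: nothing to compare

def demo():
    """A legitimate NS and one whose option claims a different link-layer address."""
    addrs = ("fe80::1", "ff02::1:ff00:1", "2001:db8::1")      # constructed sample addresses
    honest = build_ns("aa:bb:cc:01:f5:00", *addrs, slla_mac="aa:bb:cc:01:f5:00")
    spoofed = build_ns("aa:bb:cc:01:f5:00", *addrs, slla_mac="00:11:22:33:44:55")
    return nd_source_mac_ok(honest), nd_source_mac_ok(spoofed)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check only catches a sender whose option disagrees with the frame it actually put on the wire. A host that forges the Ethernet source and the option consistently passes it, which is why the Neighbor Binding table and IPv6 Source Guard exist alongside ND Inspection.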
30 IPv6 IPM Router Commands
30.1 ipv6 multicast-routing
To enable IPv6 Multicast routing on all IPv6-enabled interfaces of the router and to
enable Multicast forwarding, use the ipv6 multicast-routing command in global
configuration mode. To stop Multicast routing and forwarding, use the no form of
this command.
Syntax
ipv6 multicast-routing mld-proxy
no ipv6 multicast-routing
Parameters
• mld-proxy—Enables Multicast routing using MLD Proxy.
Default Configuration
Multicast routing is not enabled.
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 multicast-routing command with the mld-proxy parameter to specify the
IPv6 Multicast Routing protocol.
To forward IPv6 Multicast packets on an interface, IPv6 Multicast forwarding must
be enabled globally and an IPMv6 Routing protocol must be enabled on the
interface.
Example
The following example enables IPv6 Multicast routing using MLD Proxy:
switchxxxxxx(config)# ipv6 multicast-routing mld-proxy
30.2 ipv6 multicast hop-threshold
To configure the Hop Limit threshold of packets being forwarded out an interface,
use the ipv6 multicast hop-threshold command in Interface Configuration mode.
To return to the default Hop Limit threshold, use the no form of this command.
Syntax
ipv6 multicast hop-threshold hop-value
no ipv6 multicast hop-threshold
Parameters
• hop-value—Hop Limit value. It can be a value from 0 to 256.
Default Configuration
The default Hop Limit value is 0.
Command Mode
Interface Configuration mode
User Guidelines
Multicast packets with a hop value less than the threshold will not be forwarded on
the interface.
The default value of 0 means all Multicast packets are forwarded on the interface.
A value of 256 means that no Multicast packets are forwarded on the interface.
You should configure the hop threshold only on border routers. Conversely, routers
on which you configure a hop threshold value automatically become border
routers.
Example
The following example sets the Hop Limit threshold on a border router to 200:
switchxxxxxx(config)# interface vlan 100
switchxxxxxx(config-if)# ipv6 multicast hop-threshold 200
switchxxxxxx(config-if)# exit
30.3 show ipv6 mroute
To display the contents of the Multicast routing (mroute) table, use the show ipv6
mroute command in user EXEC or privileged EXEC mode.
Syntax
show ipv6 mroute [group-address [source-address]] [summary]
Parameters
• group-address—Destination Multicast IPv6 address.
• source-address—Source IPv6 address.
• summary—Filters the output to display a one-line, abbreviated summary of each entry in the mroute table.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ipv6 mroute command to display information about Mroute entries in
the mroute table. The switch populates the Multicast routing table by creating (S,
G) entries from (*, G) entries. The asterisk (*) refers to all source addresses, the “S”
refers to a single source address, and the “G” is the destination Multicast group
address. In creating (S, G) entries, the switch uses the best path to that destination
group found in the Unicast routing table (that is, through Reverse Path Forwarding
[RPF]).
Examples
Description of Significant fields in the examples below
Timers:Uptime/Expires—“Uptime” indicates per interface how long (in hours,
minutes, and seconds) the entry has been in the IPv6 Multicast routing table.
“Expires” indicates per interface how long (in hours, minutes, and seconds) until
the entry will be removed from the IPv6 Multicast routing table.
(*, FF07::1) and (2001:0DB8:999::99, FF07::1)—Entry in the IPv6 Multicast routing
table. The entry consists of the IPv6 address of the source followed by the IPv6
address of the Multicast group. An asterisk (*) in place of the source indicates all
sources.
Entries in the first format are referred to as (*, G) or “star comma G” entries. Entries
in the second format are referred to as (S, G) or “S comma G” entries. (*, G) entries
are used to build (S, G) entries.
Incoming interface: —Expected interface for a Multicast packet from the source. If
the packet is not received on this interface, it is discarded.
Outgoing Interface List (OIF):—Interfaces through which packets will be forwarded.
Example 1. The following is sample output from the show ipv6 mroute command
with the summary keyword:
switchxxxxxx# show ipv6 mroute summary
Timers: Uptime/Expires
IPv6 Multicast Routing Table
(2001:0DB8:999::99, FF07::5), 00:04:55/00:02:36, OIF count:1
(2001:0DB8:999::99, FF07::1), 00:02:46/00:00:12, OIF count:1
Example 2. The following is sample output from the show ipv6 mroute command:
switchxxxxxx# show ipv6 mroute
Timers: Uptime/Expires
IPv6 Multicast Routing Table
(*, FF07::1), 00:04:45/00:02:47, RP 2001:0DB8:6::6
Incoming interface: vlan5
Outgoing interface list:
vlan40, 00:04:45/00:02:47
(2001:0DB8:999::99, FF07::1), 00:02:06/00:01:23
Incoming interface: vlan5
Outgoing interface list:
vlan40, 00:02:06/00:03:27
30.4 show ipv6 multicast
To display general information about IPv6 Multicast configuration, use the show
ipv6 multicast command in user EXEC or privileged EXEC mode.
Syntax
show ipv6 multicast [interface [interface-id]]
Parameters
• interface—Displays IPv6 Multicast-related information about interfaces configured for IPv6 Multicast.
• interface-id—Interface identifier for which to display IPv6 Multicast information.
Command Mode
User EXEC mode
Privileged EXEC mode
User Guidelines
Use the show ipv6 multicast command without the interface keyword to display
general information about the state of IPv6 Multicast on the router.
Use the show ipv6 multicast command with the interface keyword to display the
IPv6 Multicast information about the specified interface.
Examples
Example 1. The following is sample output from the show ipv6 multicast command
without the interface keyword when no IPv6 Multicast Routing protocol is enabled:
switchxxxxxx# show ipv6 multicast
IPv6 Unicast Forwarding: enabled
IPv6 Multicast Protocol: No
Example 2. The following is sample output from the show ipv6 multicast command
without the interface keyword when MLD Proxy is enabled:
switchxxxxxx# show ipv6 multicast
IPv6 Unicast Forwarding: enabled
IPv6 Multicast Protocol: MLD Proxy
Example 3. The following is sample output from the show ipv6 multicast command
about the given interface. MLD Proxy is enabled on the interface and the interface
is an MLD Proxy Upstream interface:
switchxxxxxx# show ipv6 multicast interface vlan 200
IPv6 Unicast Forwarding: enabled
IPv6 Multicast Protocol: MLD Proxy
vlan 200
IPv6 Status: enabled
hop-threshold: 0
MLD Protocol: MLDv2
MLD Proxy: Upstream
Example 4. The following is sample output from the show ipv6 multicast command
about the given interface. MLD Proxy is enabled on the interface and the interface
is an MLD Proxy Downlink interface:
switchxxxxxx# show ipv6 multicast interface vlan 100
IPv6 Unicast Forwarding: enabled
IPv6 Multicast Protocol: MLD Proxy
vlan 100
IPv6 Status: enabled
hop-threshold: 0
MLD Protocol: MLDv2
MLD Proxy: DownStream (Upstream: vlan 200)
Example 5. The following is sample output from the show ipv6 multicast command
about the given interface. MLD Proxy is disabled on the interface:
switchxxxxxx# show ipv6 multicast interface vlan 100
IPv6 Unicast Forwarding: enabled
IPv6 Multicast Protocol: MLD Proxy
vlan 100
IPv6 Status: enabled
hop-threshold: 100
MLD Protocol: MLDv2
MLD Proxy: disabled
31 IPv6 Prefix List Commands
31.1 clear ipv6 prefix-list
Use the clear ipv6 prefix-list command in privileged EXEC mode to reset the hit
count of the IPv6 prefix list entries.
Syntax
clear ipv6 prefix-list [prefix-list-name [ipv6-prefix/prefix-length]]
Parameters
• prefix-list-name—The name of the prefix list from which the hit count is to be cleared.
• ipv6-prefix—The IPv6 network from which the hit count is to be cleared. This argument must be in the form documented in RFC 4291, where the address is specified in hexadecimal using 16-bit values between colons.
• /prefix-length—The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.
Default Configuration
If no prefix list is specified, the hit count is cleared for all IPv6 prefix lists.
Command Mode
Privileged EXEC mode
User Guidelines
The hit count is a value indicating the number of matches to a specific prefix list
entry.
Example
The following example clears the hit count of the entries in the prefix list named
first_list that match the prefix 2001:0DB8::/35:
switchxxxxxx# clear ipv6 prefix-list first_list 2001:0DB8::/35
31.2 ipv6 prefix-list
Use the ipv6 prefix-list command in Global Configuration mode to create an entry
in an IPv6 prefix list. To delete the entry, use the no form of this command.
Syntax
ipv6 prefix-list list-name [seq seq-number] {{deny | permit} ipv6-prefix/prefix-length [ge ge-length] [le le-length]} | description text
no ipv6 prefix-list list-name [seq seq-number]
Parameters
• list-name—Name of the prefix list. The name may contain up to 32 characters.
• seq seq-number—Sequence number of the prefix list entry being configured. This is an integer value from 1 to 4294967294.
• deny—Denies networks that match the condition.
• permit—Permits networks that match the condition.
• ipv6-prefix—IPv6 network assigned to the specified prefix list. This argument must be in the form documented in RFC 4291, where the address is specified in hexadecimal using 16-bit values between colons.
• /prefix-length—Length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value, which ranges from 0 to 128. The zero prefix-length may be used only with the zero ipv6-prefix (::).
• description text—Text that can be up to 80 characters in length.
• ge ge-length—Matches prefixes whose length is greater than or equal to ge-length; ge-length itself must be greater than the /prefix-length argument. It is the lowest value of the range of lengths (the “from” portion of the length range).
• le le-length—Matches prefixes whose length is less than or equal to le-length. It is the highest value of the range of lengths (the “to” portion of the length range).
Default Configuration
No prefix list is created.
Command Mode
Global Configuration mode
User Guidelines
This command without the seq keyword adds the new entry after the last entry of
the prefix list, with a sequence number equal to the last number plus 5. For
example, if the last configured sequence number is 43, the new entry is assigned
sequence number 48. If the list is empty, the first prefix-list entry is assigned the
number 5, and subsequent prefix list entries increment by 5.
This command with the seq keyword puts the new entry into the place specified
by the parameter; if an entry with that number exists, it is replaced by the new one.
The no form of this command without the seq keyword removes the whole prefix list.
The no form of this command with the seq keyword removes the specified entry.
The sequence number of a prefix list entry determines the order of the entries in
the list. The router compares network addresses to the prefix list entries. The
router begins the comparison at the top of the prefix list, with the entry having the
lowest sequence number.
If multiple entries of a prefix list match a prefix, the entry with the lowest sequence
number is considered the real match. Once a match occurs, whether permit or deny,
the router does not go through the rest of the prefix list. For efficiency, you might
want to put the most common permits or denies near the top of the list, using the
seq-number argument.
The show ipv6 prefix-list command displays the sequence numbers of entries.
IPv6 prefix lists are used to specify certain prefixes or a range of prefixes that
must be matched before a permit or deny statement can be applied. Two operand
keywords can be used to designate a range of prefix lengths to be matched. A
prefix length of less than, or equal to, a value is configured with the le keyword. A
prefix length greater than, or equal to, a value is specified using the ge keyword.
The ge and le keywords can be used to specify the range of the prefix length to be
matched in more detail than the usual ipv6-prefix/prefix-length argument.
For a candidate prefix to match against a prefix list entry the following conditions
must exist:
• The candidate prefix must match the specified prefix list and prefix length entry.
• The value of the optional le keyword specifies the range of allowed prefix lengths from 0 up to, and including, the value of the le-length argument.
• The value of the optional ge keyword specifies the range of allowed prefix lengths from the value of the ge-length argument up to, and including, 128.
Note that the first condition must match before the other conditions take effect.
An exact match is assumed when the ge or le keywords are not specified. If only
one keyword operand is specified then the condition for that keyword is applied,
and the other condition is not applied. The prefix-length value must be less than
the ge value. The ge value must be less than, or equal to, the le value. The le value
must be less than or equal to 128.
Every IPv6 prefix list, including prefix lists that do not have permit and deny
condition statements, has an implicit deny any any statement as its last match
condition.
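To make the matching rules above concrete, here is an added example (our own Python, not the switch's implementation) that models one prefix list with the sequence numbering, the ge/le validation and range checks, the first-match-in-sequence-order rule and the implicit deny described in this section. The class and function names are ours, and the list built by demo_list is constructed for illustration.

```python
import ipaddress

# Added example, not Cisco code: a model of the ipv6 prefix-list matching rules.
IMPLICIT_DENY = ("deny", None)

def prefix_is_equal(p1, p2, length):
    """PrefixIsEqual(P1, P2, L): True if the first L bits of two addresses are equal."""
    shift = 128 - length
    return (int(p1) >> shift) == (int(p2) >> shift)

class IPv6PrefixList:
    """One named IPv6 prefix list, modelled on the User Guidelines above."""

    def __init__(self, name):
        self.name = name
        self.entries = {}            # seq -> (action, IPv6Network, ge, le)

    def add(self, action, prefix, seq=None, ge=None, le=None):
        """ipv6 prefix-list NAME [seq N] {permit|deny} PREFIX/LEN [ge G] [le L]; returns the seq used."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        net = ipaddress.IPv6Network(prefix, strict=True)
        # Validation rules stated in the User Guidelines.
        if ge is not None and ge <= net.prefixlen:
            raise ValueError("ge must be greater than the prefix length")
        if ge is not None and le is not None and ge > le:
            raise ValueError("ge must be less than or equal to le")
        if le is not None and le > 128:
            raise ValueError("le must be less than or equal to 128")
        if seq is None:              # no seq keyword: last entry + 5, or 5 for an empty list
            seq = max(self.entries, default=0) + 5
        self.entries[seq] = (action, net, ge, le)   # an existing seq is replaced
        return seq

    def remove(self, seq=None):
        """no ipv6 prefix-list NAME [seq N]: drop one entry, or the whole list."""
        if seq is None:
            self.entries.clear()
        else:
            del self.entries[seq]

    @staticmethod
    def entry_matches(entry, cand):
        _, net, ge, le = entry
        cl = cand.prefixlen
        # The first condition must hold before the length conditions are considered.
        if not prefix_is_equal(cand.network_address, net.network_address, net.prefixlen):
            return False
        if ge is None and le is None:          # neither keyword: exact length match
            return cl == net.prefixlen
        if ge is not None and cl < ge:         # cL >= ge
            return False
        if le is not None and cl > le:         # cL <= le
            return False
        return True

    def match(self, prefix):
        """Return (action, seq) of the first matching entry in sequence order, or
        ('deny', None) for the implicit 'deny any any' at the end of every list."""
        cand = ipaddress.IPv6Network(prefix, strict=True)
        for seq in sorted(self.entries):
            if self.entry_matches(self.entries[seq], cand):
                return self.entries[seq][0], seq
        return IMPLICIT_DENY

def demo_list():
    """Constructed list: permit a site's /48 delegations, deny anything more specific,
    permit the aggregate itself, then an explicit catch-all deny."""
    pl = IPv6PrefixList("site_prefixes")
    pl.add("permit", "2001:db8::/32", ge=48, le=48)     # seq 5
    pl.add("deny", "2001:db8::/32", ge=49)              # seq 10
    pl.add("permit", "2001:db8::/32")                   # seq 15
    pl.add("deny", "::/0", seq=100, le=128)             # seq 100: ::/0 le 128 matches everything
    return pl

if __name__ == "__main__":
    pl = demo_list()
    for p in ("2001:db8:1::/48", "2001:db8:1:2::/64", "2001:db8::/32", "2001:db9::/48"):
        print(p, pl.match(p))
```

Because the first match wins, the order of seq 5 and seq 10 matters: swapping them would deny the /48s as well, since a /48 also satisfies ge 49 only if it is longer than 48, but a /56 would be caught by seq 10 before any later permit could see it.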
Formal Specification
Checked prefix is cP and checked prefix length is cL.
Function PrefixIsEqual(P1, P2, L) compares the first L bits of two addresses P1 and
P2 and returns TRUE if they are equal.
Case 1. A prefix-list entry is:
• P - prefix address
• L - prefix length
• ge - is not defined
• le - is not defined
The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && cL == L
Case 2. A prefix-list entry is:
• P - prefix address
• L - prefix length
• ge - is defined
• le - is not defined
The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && cL >= ge
Case 3. A prefix-list entry is:
• P - prefix address
• L - prefix length
• ge - is not defined
• le - is defined
The prefix cP/cL matches the prefix-list entry if PrefixIsEqual(cP,P,L) && cL