Motorola Solutions
EX-3524/EX-3548
Layer 2 Gigabit Ethernet PoE/PoE+ Switch
CLI Reference Guide www.edge-core.com
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read this Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment. The guide assumes a basic working knowledge of LANs (Local Area Networks), the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
How this Guide is Organized
This guide describes the switch’s command line interface (CLI). For more detailed information on the switch’s key features, refer to the System Reference Guide.
The guide includes these sections:
◆ Section I “Getting Started” — Includes information on initial configuration.
◆ Section II “Command Line Interface” — Includes all management options available through the CLI.
◆ Section III “Appendices” — Includes information on troubleshooting switch management access.
Related Documentation
This guide focuses on switch software configuration through the CLI.
For information on how to manage the switch through the Web management interface, see the following guide:
System Reference Guide
For information on how to install the switch, see the following guide:
Installation Guide
For all safety information and regulatory statements, see the following documents:
Quick Start Guide
Safety and Regulatory Information
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Warning: Alerts you to a potential hazard that could cause personal injury.
Contents
How to Use This Guide
Contents
Figures
Tables
Section I Getting Started
1 Initial Switch Configuration
  Connecting to the Switch
    Configuration Options
    Connecting to the Console Port
    Logging Onto the Command Line Interface
    Setting Passwords
    Remote Connections
  Configuring the Switch for Remote Management
    Setting an IP Address
    Enabling SNMP Management Access
    Managing System Files
    Upgrading the Operation Code
    Saving or Restoring Configuration Settings
    Configuring Automatic Installation of Operation Code and Configuration Settings
    Downloading Operation Code from a File Server
    Specifying a DHCP Client Identifier
    Downloading a Configuration File Referenced by a DHCP Server
    Setting the System Clock
    Setting the Time Manually
    Configuring SNTP
    Configuring NTP
Section II Command Line Interface
2 Using the Command Line Interface
  Accessing the CLI
    Console Connection
    Telnet Connection
  Entering Commands
    Keywords and Arguments
    Minimum Abbreviation
    Command Completion
    Getting Help on Commands
    Partial Keyword Lookup
    Negating the Effect of Commands
    Using Command History
    Understanding Command Modes
    Exec Commands
    Configuration Commands
    Command Line Processing
    Output Modifiers
  CLI Command Groups
3 General Commands
  prompt
  reload (Global Configuration)
  enable
  quit
  show history
  configure
  disable
  reload (Privileged Exec)
  show reload
  end
  exit
4 System Management Commands
  Device Designation
    hostname
  System Status
    show access-list tcam-utilization
    show memory
    show process cpu
    show running-config
    show startup-config
    show system
    show users
    show version
  Frame Size
    jumbo frame
  File Management
    General Commands
      boot system
      copy
      delete
      dir
      whichboot
    Automatic Code Upgrade Commands
      upgrade opcode auto
      upgrade opcode path
      show upgrade
  Line
    line
    databits
    exec-timeout
    login
    parity
    password
    password-thresh
    silent-time
    speed
    stopbits
    timeout login response
    disconnect
    show line
  Event Logging
    logging facility
    logging history
    logging host
    logging on
    logging trap
    clear log
    show log
    show logging
  SMTP Alerts
    logging sendmail
    logging sendmail host
    logging sendmail level
    logging sendmail destination-email
    logging sendmail source-email
    show logging sendmail
  Time
    SNTP Commands
      sntp client
      sntp poll
      sntp server
      show sntp
    Manual Configuration Commands
      clock summer-time
      clock timezone
      clock timezone-predefined
      calendar set
      show calendar
  Time Range
    time-range
    absolute
    periodic
    show time-range
  Switch Clustering
    cluster
    cluster commander
    cluster ip-pool
    cluster member
    rcommand
    show cluster
    show cluster members
    show cluster candidates
5 SNMP Commands
  General SNMP Commands
    snmp-server
    snmp-server community
    snmp-server contact
    snmp-server location
    show snmp
  SNMP Target Host Commands
    snmp-server enable traps
    snmp-server host
  SNMPv3 Commands
    snmp-server engine-id
    snmp-server group
    snmp-server user
    snmp-server view
    show snmp engine-id
    show snmp group
    show snmp user
    show snmp view
  Notification Log Commands
    nlm
    snmp-server notify-filter
    show nlm oper-status
    show snmp notify-filter
6 Remote Monitoring Commands
  rmon alarm
  rmon event
  rmon collection history
  rmon collection rmon1
  show rmon alarms
  show rmon events
  show rmon history
  show rmon statistics
7 Authentication Commands
  User Accounts
    enable password
    username
  Authentication Sequence
    authentication enable
    authentication login
  RADIUS Client
    radius-server acct-port
    radius-server auth-port
    radius-server host
    radius-server key
    radius-server retransmit
    radius-server timeout
    show radius-server
  TACACS+ Client
    tacacs-server host
    tacacs-server key
    tacacs-server port
    show tacacs-server
  AAA
    aaa accounting dot1x
    aaa accounting exec
    aaa accounting update
    aaa authorization exec
    aaa group server
    server
    accounting dot1x
    accounting exec
    authorization exec
    show accounting
  Web Server
    ip http port
    ip http server
    ip http secure-port
    ip http secure-server
  Telnet Server
    ip telnet max-sessions
    ip telnet port
    ip telnet server
    show ip telnet
  Secure Shell
    ip ssh authentication-retries
    ip ssh server
    ip ssh server-key size
    ip ssh timeout
    delete public-key
    ip ssh crypto host-key generate
    ip ssh crypto zeroize
    ip ssh save host-key
    show ip ssh
    show public-key
    show ssh
  802.1X Port Authentication
    General Commands
      dot1x default
      dot1x eapol-pass-through
      dot1x system-auth-control
    Authenticator Commands
      dot1x intrusion-action
      dot1x max-req
      dot1x operation-mode
      dot1x port-control
      dot1x re-authentication
      dot1x timeout quiet-period
      dot1x timeout re-authperiod
      dot1x timeout supp-timeout
      dot1x timeout tx-period
      dot1x re-authenticate
    Supplicant Commands
      dot1x identity profile
      dot1x max-start
      dot1x pae supplicant
      dot1x timeout auth-period
      dot1x timeout held-period
      dot1x timeout start-period
    Information Display Commands
      show dot1x
  Management IP Filter
    management
    show management
8 General Security Measures
  Port Security
    port security
  Network Access (MAC Address Authentication)
    network-access aging
    network-access mac-filter
    mac-authentication reauth-time
    network-access dynamic-qos
    network-access dynamic-vlan
    network-access guest-vlan
    network-access link-detection
    network-access link-detection link-down
    network-access link-detection link-up
    network-access link-detection link-up-down
    network-access max-mac-count
    network-access mode mac-authentication
    network-access port-mac-filter
    mac-authentication intrusion-action
    mac-authentication max-mac-count
    clear network-access
    show network-access
    show network-access mac-address-table
    show network-access mac-filter
  Web Authentication
    web-auth login-attempts
    web-auth quiet-period
    web-auth session-timeout
    web-auth system-auth-control
    web-auth
    web-auth re-authenticate (Port)
    web-auth re-authenticate (IP)
    show web-auth
    show web-auth interface
    show web-auth summary
  DHCP Snooping
    ip dhcp snooping
    ip dhcp snooping information option
    ip dhcp snooping information policy
    ip dhcp snooping verify mac-address
    ip dhcp snooping vlan
    ip dhcp snooping trust
    clear ip dhcp snooping database flash
    ip dhcp snooping database flash
    show ip dhcp snooping
    show ip dhcp snooping binding
  IP Source Guard
    ip source-guard binding
    ip source-guard
    ip source-guard max-binding
    show ip source-guard
    show ip source-guard binding
  ARP Inspection
    ip arp inspection
    ip arp inspection filter
    ip arp inspection log-buffer logs
    ip arp inspection validate
    ip arp inspection vlan
    ip arp inspection limit
    ip arp inspection trust
    show ip arp inspection configuration
    show ip arp inspection interface
    show ip arp inspection log
    show ip arp inspection statistics
    show ip arp inspection vlan
  Denial of Service Protection
    flow tcp-udp-port-zero
    show flow
  Port-based Traffic Segmentation
    traffic-segmentation
    show traffic-segmentation
9 Access Control Lists
  IPv4 ACLs
    access-list ip
    permit, deny, redirect-to (Standard IP ACL)
    permit, deny, redirect-to (Extended IPv4 ACL)
    ip access-group
    show ip access-group
    show ip access-list
  IPv6 ACLs
    access-list ipv6
    permit, deny, redirect-to (Standard IPv6 ACL)
    permit, deny, redirect-to (Extended IPv6 ACL)
    show ipv6 access-list
    ipv6 access-group
    show ipv6 access-group
  MAC ACLs
    access-list mac
    permit, deny, redirect-to (MAC ACL)
    mac access-group
    show mac access-group
    show mac access-list
  ARP ACLs
    access-list arp
    permit, deny (ARP ACL)
    show arp access-list
  ACL Information
    show access-group
    show access-list
10 Interface Commands
  Interface Configuration
    interface
    alias
    capabilities
    description
    flowcontrol
    giga-phy-mode
    negotiation
    shutdown
    speed-duplex
    clear counters
    show interfaces brief
    show interfaces counters
    show interfaces status
    show interfaces switchport
    show interfaces transceiver
  Cable Diagnostics
    test cable-diagnostics
    show cable-diagnostics
  Power Savings
    power-save
    show power-save
11 Link Aggregation Commands
  Manual Configuration Commands
    channel-group
  Dynamic Configuration Commands
    lacp
    lacp admin-key (Ethernet Interface)
    lacp port-priority
    lacp system-priority
    lacp admin-key (Port Channel)
  Trunk Status Display Commands
    show lacp
12 Power over Ethernet Commands
  power inline compatible
  power inline
  power inline maximum allocation
  power inline priority
  power inline time-range
  show power inline status
  show power inline time-range
  show power poe
13 Port Mirroring Commands
  Local Port Mirroring Commands
    port monitor
    show port monitor
  RSPAN Mirroring Commands
    rspan source
    rspan destination
    rspan remote vlan
    no rspan session
    show rspan
14 Congestion Control Commands
  Rate Limit Commands
    rate-limit
  Storm Control Commands
    switchport packet-rate
  Automatic Traffic Control Commands
    Threshold Commands
      auto-traffic-control apply-timer
      auto-traffic-control release-timer
      auto-traffic-control
      auto-traffic-control action
      auto-traffic-control alarm-clear-threshold
      auto-traffic-control alarm-fire-threshold
      auto-traffic-control auto-control-release
      auto-traffic-control control-release
    SNMP Trap Commands
      snmp-server enable port-traps atc broadcast-alarm-clear
      snmp-server enable port-traps atc broadcast-alarm-fire
      snmp-server enable port-traps atc broadcast-control-apply
      snmp-server enable port-traps atc broadcast-control-release
      snmp-server enable port-traps atc multicast-alarm-clear
      snmp-server enable port-traps atc multicast-alarm-fire
      snmp-server enable port-traps atc multicast-control-apply
      snmp-server enable port-traps atc multicast-control-release
    ATC Display Commands
      show auto-traffic-control
      show auto-traffic-control interface
15 Address Table Commands
  mac-address-table aging-time
  mac-address-table static
  clear mac-address-table dynamic
  show mac-address-table
  show mac-address-table aging-time
  show mac-address-table count
16 Spanning Tree Commands
  spanning-tree
  spanning-tree cisco-prestandard
  spanning-tree forward-time
  spanning-tree hello-time
  spanning-tree max-age
  spanning-tree mode
  spanning-tree pathcost method
  spanning-tree priority
  spanning-tree mst configuration
  spanning-tree transmission-limit
  max-hops
  mst priority
  mst vlan
  name
  revision
  spanning-tree bpdu-filter
  spanning-tree bpdu-guard
  spanning-tree cost
  spanning-tree edge-port
  spanning-tree link-type
  spanning-tree loopback-detection
  spanning-tree loopback-detection action
  spanning-tree loopback-detection release-mode
  spanning-tree loopback-detection trap
  spanning-tree mst cost
  spanning-tree mst port-priority
  spanning-tree port-priority
  spanning-tree root-guard
  spanning-tree spanning-disabled
  spanning-tree loopback-detection release
  spanning-tree protocol-migration
  show spanning-tree
  show spanning-tree mst configuration
17 VLAN Commands
  GVRP and Bridge Extension Commands
    bridge-ext gvrp
    garp timer
    switchport forbidden vlan
    switchport gvrp
    show bridge-ext
    show garp timer
    show gvrp configuration
  Editing VLAN Groups
    vlan database
    vlan
  Configuring VLAN Interfaces
    interface vlan
    switchport acceptable-frame-types
    switchport allowed vlan
    switchport ingress-filtering
    switchport mode
    switchport native vlan
    vlan-trunking
  Displaying VLAN Information
    show vlan
  Configuring IEEE 802.1Q Tunneling
    dot1q-tunnel system-tunnel-control
    dot1q-tunnel tpid
    switchport dot1q-tunnel mode
    show dot1q-tunnel
  Configuring Protocol-based VLANs
    protocol-vlan protocol-group (Configuring Groups)
    protocol-vlan protocol-group (Configuring Interfaces)
    show protocol-vlan protocol-group
    show interfaces protocol-vlan protocol-group
  Configuring IP Subnet VLANs
    subnet-vlan
    show subnet-vlan
  Configuring MAC Based VLANs
    mac-vlan
    show mac-vlan
  Configuring Voice VLANs
    voice vlan
    voice vlan aging
    voice vlan mac-address
    switchport voice vlan
    switchport voice vlan priority
    switchport voice vlan rule
    switchport voice vlan security
    show voice vlan
18 Class of Service Commands
  Priority Commands (Layer 2)
    queue mode
    queue weight
    switchport priority default
    show queue mode
    show queue weight
  Priority Commands (Layer 3 and 4)
    qos map cos-dscp
    qos map dscp-mutation
    qos map phb-queue
    qos map trust-mode
    show qos map cos-dscp
    show qos map dscp-mutation
    show qos map phb-queue
    show qos map trust-mode
19 Quality of Service Commands
  class-map
  description
  match
  rename
  policy-map
  class
  police flow
  police srtcm-color
  police trtcm-color
  set cos
  set ip dscp
  set phb
  service-policy
  show class-map
  show policy-map
  show policy-map interface
20 Multicast Filtering Commands
  IGMP Snooping
    ip igmp snooping
    ip igmp snooping proxy-reporting
    ip igmp snooping querier
    ip igmp snooping router-alert-option-check
    ip igmp snooping router-port-expire-time
    ip igmp snooping tcn-flood
    ip igmp snooping tcn-query-solicit
    ip igmp snooping unregistered-data-flood
    ip igmp snooping unsolicited-report-interval
    ip igmp snooping version
    ip igmp snooping version-exclusive
    ip igmp snooping vlan general-query-suppression
    ip igmp snooping vlan immediate-leave
    ip igmp snooping vlan last-memb-query-count
    ip igmp snooping vlan last-memb-query-intvl
    ip igmp snooping vlan mrd
    ip igmp snooping vlan proxy-address
    ip igmp snooping vlan query-interval
    ip igmp snooping vlan query-resp-intvl
    ip igmp snooping vlan static
    show ip igmp snooping
    show ip igmp snooping group
    show ip igmp snooping mrouter
  Static Multicast Routing
    ip igmp snooping vlan mrouter
  IGMP Filtering and Throttling
    ip igmp filter (Global Configuration)
    ip igmp profile
    permit, deny
    range
    ip igmp filter (Interface Configuration)
    ip igmp max-groups
    ip igmp max-groups action
    show ip igmp filter
    show ip igmp profile
    show ip igmp throttle interface
  Multicast VLAN Registration
    mvr
    mvr immediate-leave
    mvr type
    mvr vlan group
    show mvr
21 LLDP Commands
  lldp
  lldp holdtime-multiplier
  lldp med-fast-start-count
  lldp notification-interval
  lldp refresh-interval
  lldp reinit-delay
  lldp tx-delay
  lldp admin-status
  lldp basic-tlv management-ip-address
  lldp basic-tlv port-description
  lldp basic-tlv system-capabilities
  lldp basic-tlv system-description
  lldp basic-tlv system-name
  lldp dot1-tlv proto-ident
  lldp dot1-tlv proto-vid
  lldp dot1-tlv pvid
  lldp dot1-tlv vlan-name
  lldp dot3-tlv link-agg
  lldp dot3-tlv max-frame
  lldp dot3-tlv poe
  lldp med-location civic-addr
  lldp med-notification
  lldp med-tlv ext-poe
  lldp med-tlv inventory
  lldp med-tlv location
  lldp med-tlv med-cap
  lldp med-tlv network-policy
  lldp notification
  show lldp config
  show lldp info local-device
  show lldp info remote-device
  show lldp info statistics
22 CDP Commands
  cdp (Global Configuration)
  cdp hold-time
  cdp transmit-interval
  cdp version
  cdp (Interface Configuration)
  clear cdp table
  show cdp
  show cdp interface
  show cdp neighbors
23 Domain Name Service Commands
  ip domain-list
  ip domain-lookup
  ip domain-name
  ip host
  ip name-server
  ipv6 host
  clear dns cache
  clear host
  show dns
  show dns cache
  show hosts
24 DHCP Commands
  DHCP Client
    DHCP for IPv4
      ip dhcp client class-id
      ip dhcp restart client
      show ip dhcp client-identifier
    DHCP for IPv6
      ipv6 dhcp client rapid-commit vlan
      ipv6 dhcp restart client vlan
      show ipv6 dhcp duid
      show ipv6 dhcp vlan
25 IP Interface Commands
  IPv4 Interface
    Basic IPv4 Configuration
      ip address
      ip default-gateway
      show ip interface
      show ip traffic
      traceroute
      ping
    ARP Configuration
      arp
      ip proxy-arp
      clear arp-cache
      show arp
  IPv6 Interface
    Interface Address Configuration and Utilities
      ipv6 default-gateway
      ipv6 address
      ipv6 address autoconfig
      ipv6 address eui-64
      ipv6 address link-local
      ipv6 enable
      ipv6 mtu
      show ipv6 default-gateway
      show ipv6 interface
      show ipv6 mtu
      show ipv6 traffic
      clear ipv6 traffic
      ping6
    Neighbor Discovery
      ipv6 hop-limit
      ipv6 nd dad attempts
      ipv6 nd ns-interval
      ipv6 nd reachable-time
      clear ipv6 neighbors
      show ipv6 neighbors
26 IP Routing Commands
  Global Routing Configuration
    IPv4 Commands
      ip route
      show ip route
      show ip route database
      show ip route summary
Section III Appendices
A Troubleshooting
  Problems Accessing the Management Interface
  Using System Logs
B License Information
  The GNU General Public License
  GNU Lesser General Public License, version 3.0
  The BSD License
  Open Source Software Used
  ISC License
C Customer Support
  Motorola Solutions Enterprise Mobility Support Center
  Customer Support Web Site
  Manuals
Glossary
Index of CLI Commands
Index
Figures
Figure 1: Storm Control by Limiting the Traffic Rate
Figure 2: Storm Control by Shutting Down a Port
Figure 3: Configuring VLAN Trunking
Tables
Table 1: Options 60, 66 and 67 Statements
Table 2: Options 55 and 124 Statements
Table 3: General Command Modes
Table 4: Configuration Command Modes
Table 5: Keystroke Commands
Table 6: Command Group Index
Table 7: General Commands
Table 8: System Management Commands
Table 9: Device Designation Commands
Table 10: System Status Commands
Table 11: show system – display description
Table 12: show version – display description
Table 13: Frame Size Commands
Table 14: Flash/File Commands
Table 15: File Directory Information
Table 16: Line Commands
Table 17: Event Logging Commands
Table 18: Logging Levels
Table 19: show logging flash/ram – display description
Table 20: show logging trap – display description
Table 21: Event Logging Commands
Table 22: Time Commands
Table 23: Time Range Commands
Table 24: Switch Cluster Commands
Table 25: SNMP Commands
Table 26: show snmp engine-id – display description
Table 27: show snmp group – display description
Table 28: show snmp user – display description
Table 29: show snmp view – display description
Table 30: RMON Commands
Table 31: Authentication Commands
Table 32: User Access Commands
Table 33: Default Login Settings
Table 34: Authentication Sequence Commands
Table 35: RADIUS Client Commands
Table 36: TACACS+ Client Commands
Table 37: AAA Commands
Table 38: Web Server Commands
Table 39: HTTPS System Support
Table 40: Telnet Server Commands
Table 41: Secure Shell Commands
Table 42: show ssh – display description
Table 43: 802.1X Port Authentication Commands
Table 44: Management IP Filter Commands
Table 45: General Security Commands
Table 46: Management IP Filter Commands
Table 47: Network Access Commands
Table 48: Dynamic QoS Profiles
Table 49: Web Authentication
Table 50: DHCP Snooping Commands
Table 51: IP Source Guard Commands
Table 52: ARP Inspection Commands
Table 53: DoS Protection Commands
Table 54: Commands for Configuring Traffic Segmentation
Table 55: Access Control List Commands
Table 56: IPv4 ACL Commands
Table 57: IPv4 ACL Commands
Table 58: MAC ACL Commands
Table 59: ARP ACL Commands
Table 60: ACL Information Commands
Table 61: Interface Commands
Table 62: show interfaces switchport – display description
Table 63: Link Aggregation Commands
Table 64: show lacp counters – display description
Table 65: show lacp internal – display description
Table 66: show lacp neighbors – display description
Table 67: show lacp sysid – display description
Table 68: PoE Commands
Table 69: show power inline status – display description
Table 70: show power mainpower – display description
Table 71: Port Mirroring Commands
Table 72: Mirror Port Commands
Table 73: RSPAN Commands
Table 74: Congestion Control Commands
Table 75: Rate Limit Commands
Table 76: Rate Limit Commands
Table 77: ATC Commands
Table 78: Address Table Commands
Table 79: Spanning Tree Commands
Table 80: Recommended STA Path Cost Range
Table 81: Default STA Path Costs
Table 82: VLAN Commands
Table 83: GVRP and Bridge Extension Commands
Table 84: show bridge-ext – display description
Table 85: Commands for Editing VLAN Groups
Table 86: Commands for Configuring VLAN Interfaces
Table 87: Commands for Displaying VLAN Information
Table 88: 802.1Q Tunneling Commands
Table 89: Protocol-based VLAN Commands
Table 90: IP Subnet VLAN Commands
Table 91: MAC Based VLAN Commands
Table 92: Voice VLAN Commands
Table 93: Priority Commands
Table 94: Priority Commands (Layer 2)
Table 95: Priority Commands (Layer 3 and 4)
Table 96: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
Table 97: Default Mapping of DSCP Values to Internal PHB/Drop Values
Table 98: Mapping Internal Per-hop Behavior to Hardware Queues
Table 99: Quality of Service Commands
Table 100: Multicast Filtering Commands
Table 101: IGMP Snooping Commands
Table 102: Static Multicast Interface Commands
Table 103: IGMP Filtering and Throttling Commands
Table 104: Multicast VLAN Registration Commands
Table 105: show mvr – display description
Table 106: show mvr interface – display description
Table 107: show mvr members – display description
Table 108: LLDP Commands
Table 109: LLDP MED Location CA Types
Table 110: CDP Commands
Table 111: show cdp neighbors – display description
Table 112: Address Table Commands
Table 113: show dns cache – display description
Table 114: show hosts – display description
Table 115: DHCP Commands
Table 116: DHCP Client Commands
Table 117: IP Interface Commands
Table 118: IPv4 Interface Commands
Table 119: Basic IP Configuration Commands
Table 120: Address Resolution Protocol Commands
Table 121: IPv6 Configuration Commands
Table 122: show ipv6 interface – display description
Table 123: show ipv6 mtu – display description
Table 124: show ipv6 traffic – display description
Table 125: show ipv6 neighbors – display description
Table 203: IP Routing Commands
Table 204: Global Routing Configuration Commands
Table 205: Troubleshooting Chart
Section I
Getting Started
This section describes how to configure the switch for management access through the web interface or SNMP.
This section includes these chapters:
◆ "Initial Switch Configuration" on page 35
1 Initial Switch Configuration
This chapter includes information on connecting to the switch and basic configuration procedures.
Connecting to the Switch
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface.
A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IPv4 address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 39.
Configuration Options
The switch’s HTTP web agent allows you to configure switch parameters, monitor port connections, and display statistics using a standard web browser such as Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions.
The switch’s web management interface can be accessed from any computer attached to the network.
The CLI program can be accessed by a direct connection to the RS-232 serial console port on the switch, or remotely by a Telnet connection over the network.
The switch’s management agent also supports SNMP (Simple Network Management Protocol). This SNMP agent permits the switch to be managed from any system in the network using network management software.
The switch’s web interface, console interface, and SNMP agent allow you to perform the following management functions:
◆ Set user names and passwords
◆ Set an IP interface for any VLAN
◆ Configure SNMP parameters
◆ Enable/disable any port
◆ Set the speed/duplex mode for any port
◆ Configure the bandwidth of any port by limiting input or output rates
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 256 IEEE 802.1Q VLANs
◆ Enable GVRP automatic VLAN registration
◆ Configure IP routing for unicast traffic
◆ Configure IGMP multicast filtering
◆ Upload and download system firmware or configuration files via HTTP (using the web interface) or FTP/TFTP (using the command line or web interface)
◆ Configure Spanning Tree parameters
◆ Configure Class of Service (CoS) priority queuing
◆ Configure static or LACP trunks (up to 12)
◆ Enable port mirroring
◆ Set storm control on any port for excessive broadcast, multicast, or unknown unicast traffic
◆ Display system information and statistics
Connecting to the Console Port
The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
Attach a VT100-compatible terminal, or a PC running a terminal emulation program, to the switch. You can use the console cable provided with this package, or use a null-modem cable that complies with the wiring assignments shown in the Installation Guide.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
2. Connect the other end of the cable to the RJ-45 serial port on the switch.
3. Make sure the terminal emulation software is set as follows:
   ■ Select the appropriate serial port (COM port 1 or COM port 2).
   ■ Set the baud rate to any of 9600, 19200, 38400, 57600, or 115200 bps.
   ■ Set the data format to 8 data bits, 1 stop bit, and no parity.
   ■ Set flow control to none.
   ■ Set the emulation mode to VT100.
   ■ When using HyperTerminal, select Terminal keys, not Windows keys.
4. Power on the switch.
After the system completes the boot cycle, the logon screen appears.
Logging Onto the Command Line Interface
The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and only allow you to display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level.
Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press <Enter>. The “User Access Verification” procedure starts.
2. At the Username prompt, enter “motorola.”
3. At the Password prompt, enter “admin.” (The password characters are not displayed on the console screen.)
4. The session is opened and the CLI displays the “Console#” prompt, indicating that you have access at the Privileged Exec level.
Setting Passwords
If this is the first time you have logged into the CLI program, you should define new passwords for both default user names using the “username” command, record them, and put them in a safe place.
Passwords can consist of up to 32 alphanumeric characters and are case sensitive.
To prevent unauthorized access to the switch, set the passwords as follows:
1. Open the console interface with the default user name “motorola” and password “admin” to access the Privileged Exec level.
2. Type “configure” and press <Enter>.
3. Type “username guest password 0 password” for the Normal Exec level, where password is your new password. Press <Enter>.
– 37 –
Chapter 1 | Initial Switch Configuration
Connecting to the Switch
4.
Type “username motorola password 0 password ,” for the Privileged Exec level, where password is your new password. Press <Enter>.
Username: motorola
Password:
CLI session with the EX-3524* is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username motorola password 0 [password]
Console(config)#
* This manual covers both the EX-3524 and EX-3548 Gigabit Ethernet PoE/PoE+ switches. Other than the difference in the number of ports, there are no other significant differences. Therefore nearly all of the screen display examples are based on the EX-3524.
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure the switch’s network interface with a valid IPv4 or IPv6 address.
The default network interface is VLAN 1 which includes ports 1-28/52. When configuring the network interface, the IP address, subnet mask, and default gateway may all be set using a console connection, or DHCP protocol as described in the following sections.
An IPv4 address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see
“Setting an IP Address” on page 39 .
After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network. The onboard configuration program can be accessed using Telnet or SSH from any computer attached to the network. The switch can also be managed by any computer using a web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions), or from a network computer using SNMP network management software. Telnet, plain HTTP and SNMP versions 1 and 2c carry credentials in clear text, so prefer SSH, HTTPS and SNMPv3 wherever your management tools support them.
Note: This switch supports four Telnet sessions or SSH sessions.
The onboard program only provides access to basic configuration functions. To access the full range of SNMP management functions, you must use SNMP-based network management software.
Configuring the Switch for Remote Management
Setting an IP Address
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
◆ Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
◆ Dynamic — The switch can send IPv4 configuration requests to BOOTP or DHCP address allocation servers on the network, or automatically generate a unique IPv6 host address based on the local subnet address prefix received in router advertisement messages. An IPv6 link local address for use in a local network can also be dynamically generated as described in “Obtaining an IPv6 Address” on page 43.
The current software supports DHCP for IPv6, so an IPv6 global unicast address for use in a network containing more than one subnet can be obtained through a DHCPv6 server, or manually configured as described in “Assigning an IPv6 Address” on page 40.
Manual Configuration
You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. Anything outside this format will not be accepted by the CLI program.
Note: The IPv4 address for VLAN 1 is obtained via DHCP by default.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ip address ip-address netmask”, where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press <Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway”, where “gateway” is the IP address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.254
Assigning an IPv6 Address
This section describes how to configure a “link local” address for connectivity within the local subnet only, and also how to configure a “global unicast” address, including a network prefix for use on a multi-segment network and the host portion of the address.
An IPv6 prefix or address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used to indicate the appropriate number of zeros required to fill the undefined fields. For detailed information on the other ways to assign IPv6 addresses, see “IPv6 Interface” on page 548.
Link Local Address — All link-local addresses must be configured with a prefix in the range of FE80~FEBF. Remember that this address type makes the switch accessible over IPv6 for all devices attached to the same local subnet only. Also, if the switch detects that the address you configured conflicts with that in use by another device on the subnet, it will stop using the address in question, and automatically generate a link local address that does not conflict with any other devices on the local subnet.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter. Then press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-Local Address:
FE80::260:3EFF:FE11:6700/64
Global Unicast Address(es):
(None)
Joined Group Address(es):
FF02::1:FF11:6700
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator:
◆ Prefix for this network
◆ IP address for the switch
◆ Default gateway for the network
For networks that encompass several different subnets, you must define the full address, including a network prefix and the host address for the switch. You can specify either the full IPv6 address, or the IPv6 address and prefix length. The prefix length for an IPv6 network is the number of bits (from the left) of the prefix that form the network address, and is expressed as a decimal number. For example, all IPv6 addresses that start with the first byte of 73 (hexadecimal) could be expressed as 73:0:0:0:0:0:0:0/8 or 73::/8.
To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length”, where “prefix-length” indicates the address bits used to form the network portion of the address. (The network address starts from the left of the prefix and should encompass some of the ipv6-address bits.) The remaining bits are assigned to the host interface. Press <Enter>.
3. Type “exit” to return to the global configuration mode prompt. Press <Enter>.
4. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway”, where “gateway” is the IPv6 address of the default gateway. Press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::66/64
Console(config-if)#exit
Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
Console(config)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-Local Address:
FE80::260:3EFF:FE11:6700/64
Global Unicast Address(es):
2001:DB8:2222:7272::66/64, subnet is 2001:DB8:2222:7272::/64
Joined Group Address(es):
FF02::1:FF00:66
FF02::1:FF11:6700
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#show ipv6 default-gateway
ipv6 default gateway: 2001:DB8:2222:7272::254
Console#
Dynamic Configuration
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a
BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a
BOOTP or DHCP server. BOOTP and DHCP values can include the IP address, subnet mask, and default gateway. If the DHCP/BOOTP server is slow to respond, you may need to use the “ip dhcp restart client” command to re-start broadcasting service requests.
Note that the “ip dhcp restart client” command can also be used to start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP. It may be necessary to use this command when DHCP is configured on a VLAN, and the member ports which were previously shut down are now enabled.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 5), then the switch will start broadcasting service requests as soon as it is powered on.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. At the interface-configuration mode prompt, use one of the following commands:
■ To obtain IP settings via DHCP, type “ip address dhcp” and press <Enter>.
■ To obtain IP settings via BOOTP, type “ip address bootp” and press <Enter>.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
5. Then save your configuration changes by typing “copy running-config startup-config”. Enter the startup file name and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
Vlan 1 is Administrative Up - Link Up
Address is B4-0E-DC-34-E6-3C
Index: 1001, MTU: 1500, Bandwidth: 1g
Address Mode is DHCP
IP Address: 192.168.0.5 Mask: 255.255.255.0
Proxy ARP is disabled
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Obtaining an IPv6 Address
Link Local Address — There are several ways to configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix in the range of FE80~FEBF). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
To generate an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 enable” and press <Enter>.
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
(None)
Joined group address(es):
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages. (DHCP for IPv6 can also be used to obtain a unique IPv6 host address.)
To dynamically generate an IPv6 host address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address autoconfig” and press <Enter>.
3. Type “ipv6 enable” and press <Enter> to enable IPv6 on an interface that has not been configured with an explicit IPv6 address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address autoconfig
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
2001:DB8:2222:7272:2E0:CFF:FE00:FD/64, subnet is 2001:DB8:2222:7272::/64[AUTOCONFIG]
valid lifetime 2591978 preferred lifetime 604778
Joined group address(es):
FF02::1:FF00:FD
FF02::1
MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 1.
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
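Every address and multicast group in the show ipv6 interface output above, and in the earlier “Assigning an IPv6 Address” output, is derived from the VLAN interface’s MAC address. The following Python script is an added example (not code from this guide or from the switch firmware) that reproduces that derivation with the standard ipaddress module: the modified EUI-64 interface identifier, the FE80::/10 link-local address (the FE80~FEBF range the text describes), the address that “ipv6 address autoconfig” forms from a router-advertised /64 prefix, and the solicited-node group each address joins so that Duplicate Address Detection can probe for it. The MAC addresses are read back from the sample outputs; the prefix is the documentation prefix used in the examples.

```python
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00-60-3E-11-67-00 or 00:60:3e:11:67:00 and return the 6 octets."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return octets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, appendix A): flip the universal/local bit of
    the first octet and insert FF-FE between the OUI and the device part."""
    o = bytearray(mac_to_bytes(mac))
    o[0] ^= 0x02
    return int.from_bytes(bytes(o[:3]) + b"\xff\xfe" + bytes(o[3:]), "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 with the EUI-64 identifier in the low 64 bits."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address produced by 'ipv6 address autoconfig': the /64
    prefix learned from a router advertisement plus the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_link_local(addr: str) -> bool:
    """True for the FE80~FEBF range described in the text (FE80::/10)."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fe80::/10")


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the address.
    DAD neighbor solicitations are sent to this group, which is why each
    configured address adds a group to 'Joined Group Address(es)'."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def joined_groups(addresses) -> list:
    """Groups an interface with these unicast addresses should report: the
    all-nodes group plus one solicited-node group per distinct low 24 bits."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    groups.update(solicited_node(a) for a in addresses)
    return sorted(str(g) for g in groups)


if __name__ == "__main__":
    # MAC addresses recovered from the sample outputs in this chapter
    mac_a = "00-60-3E-11-67-00"  # -> FE80::260:3EFF:FE11:6700
    mac_b = "00-E0-0C-00-00-FD"  # -> ...:2E0:CFF:FE00:FD
    ll = link_local_address(mac_a)
    print("link-local   :", ll, is_link_local(str(ll)))
    ga = slaac_address("2001:DB8:2222:7272::/64", mac_b)
    print("autoconfig   :", ga)
    print("groups (auto):", joined_groups([str(link_local_address(mac_b)), str(ga)]))
    print("groups (::66):", joined_groups([str(ll), "2001:DB8:2222:7272::66"]))
```

Note that an interface whose link-local and autoconfigured global addresses come from the same MAC shares one solicited-node group for both, whereas a manually assigned host part such as ::66 adds a second group; comparing joined_groups() against the switch output is a quick way to spot a stale or mistyped address.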
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple
Network Management Protocol (SNMP) applications. You can configure the switch to respond to SNMP requests or generate SNMP traps.
When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter. The switch can also be configured to send information to
SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred.
The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients.
To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e., an SNMPv3 construct) for the default “public” community string that provides read access to the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see snmp-server view command).
Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and
2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. You therefore need to assign community strings to specified users, and set the access level.
The default strings are:
◆ public - with read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - with read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings.
To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode”, where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)
2. To remove an existing string, simply type “no snmp-server community string”, where “string” is the community access string to remove. Press <Enter>.
Console(config)#snmp-server community motorola rw
Console(config)#snmp-server community private
Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the
Privileged Exec level global configuration mode prompt, type:
“snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]” where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host,
“version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press <Enter>. For a more detailed description of these parameters, see the snmp-server host command. The following example creates a trap host for each type of SNMP client.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.34 barbie version 3 auth
Console(config)#
Configuring Access for SNMP Version 3 Clients
To configure management access for SNMPv3 clients, you need to first create a view that defines the portions of the MIB that the client can read or write, assign the view to a group, and then assign the user to a group. The following example creates one view called “mib-2” that includes the entire MIB-2 tree branch, and then another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption. Of the two authentication options, SHA is the stronger choice; DES-56 privacy is a legacy algorithm, so keep SNMPv3 management traffic on a restricted management network even when privacy is enabled.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#snmp-server view 802.1d 1.3.6.1.2.1.17 included
Console(config)#snmp-server group r&d v3 auth read mib-2 write 802.1d
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#
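The passwords given on the snmp-server user line are never sent on the wire. Under the SNMPv3 User-based Security Model (RFC 3414) each password is first hashed into a key and then “localized” with the engine ID of the switch, so the same password yields a different key on every device. The following Python script is an added example, not code from this guide or the switch, that performs both steps with hashlib so you can see what the “auth md5 greenpeace priv des56 einstien” line actually configures. The engine ID in the usage block is constructed for the example; substitute the engine ID reported by your switch.

```python
import hashlib


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 appendix A.2: digest the password repeated out to exactly
    1,048,576 bytes. algo is 'md5' (16-byte key) or 'sha1' (20-byte key)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).
    The localized key is what the manager must use towards this one engine;
    compromising it on one switch does not give the key for another."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes,
             auth_algo: str = "md5") -> dict:
    """Localized keys for one user on one engine, as configured by
    'snmp-server user <name> group <g> v3 auth md5 <pw> priv des56 <pw>'.
    The privacy password goes through the same derivation using the
    authentication hash; DES-56 takes the first 8 bytes as the key and the
    next 8 bytes as the pre-IV."""
    kul_auth = localize_key(password_to_key(auth_password, auth_algo), engine_id, auth_algo)
    kul_priv = localize_key(password_to_key(priv_password, auth_algo), engine_id, auth_algo)
    return {
        "auth_key": kul_auth,
        "priv_des_key": kul_priv[:8],
        "priv_des_pre_iv": kul_priv[8:16],
    }


if __name__ == "__main__":
    # Constructed engine ID for the example (0x80 | enterprise, format 3, MAC).
    # Replace with the engine ID of the switch being configured.
    engine_id = bytes.fromhex("800000090300E00C0000FD")
    for name, val in usm_keys("greenpeace", "einstien", engine_id).items():
        print(f"{name:16s} {val.hex()}")
    # Same passwords, different engine: every key changes.
    other = usm_keys("greenpeace", "einstien", engine_id[:-1] + b"\x03")
    print("auth key differs per engine:",
          other["auth_key"] != usm_keys("greenpeace", "einstien", engine_id)["auth_key"])
```

Because the derivation is deterministic, a weak password remains guessable offline by anyone who captures authenticated SNMPv3 traffic and knows the engine ID (which is sent in clear); choose long passwords for v3 users even though the key is never transmitted.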
For a more detailed explanation on how to configure the switch for access from
SNMP v3 clients, refer to “Simple Network Management Protocol” in the System
Reference Guide , or refer to the specific CLI commands for SNMP starting on page 137 in this guide.
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
The types of files are:
◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved. Saved configuration files can be selected as a system start-up file or can be uploaded via FTP/TFTP to a server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the switch will also create a file named
“startup1.cfg” that contains system settings for switch initialization, including information about the unit identifier, and MAC address for the switch. The configuration settings from the factory defaults configuration file are copied to this file, which is then used to boot the switch. See “Saving or Restoring
Configuration Settings” on page 48 for more information.
◆ Operation Code — System software that is executed after boot-up, also known as run-time code. This code runs the switch operations and provides the
CLI and web management interfaces.
◆ Diagnostic Code — Software that is run during system boot-up, also known as
POST (Power On Self-Test).
Note: The Boot ROM and Loader cannot be uploaded or downloaded from the
FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 32 Mbytes of flash memory for system files.
In the system flash memory, one file of each type must be set as the start-up file.
During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
Upgrading the Operation Code
The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on
Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server. Note that
“anonymous” is set as the default user name.
File names on the switch are case-sensitive. The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 128 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”)
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
1. config: 2. opcode: 2
Source file name: m360.bix
Destination file name: m360.bix
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#config
Console(config)#boot system opcode: m360.bix
Console(config)#exit
Console#dir
File Name                  Type     Startup Modify Time         Size(bytes)
-------------------------- -------- ------- ------------------- -----------
Unit 1:
m360.bix                   OpCode   Y       2013-02-25 15:41:04    25812529
m355.bix                   OpCode   N       2012-12-04 13:23:59    25783857
Factory_Default_Config.cfg Config   N       2012-12-04 13:18:37         455
startup1.cfg               Config   Y       2013-03-21 05:39:15        3463
-----------------------------------------------------------------------------
Free space for compressed user config files:1593241600
Console#
Saving or Restoring Configuration Settings
Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.
New startup configuration files must have a name specified. File names on the switch are case-sensitive, can be from 1 to 31 characters, must not contain slashes
(\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config: < filename > command.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>.
2. Enter the name of the start-up file. Press <Enter>.
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
To restore configuration settings from a backup server, enter the following command:
1. From the Privileged Exec mode prompt, type “copy tftp startup-config” and press <Enter>.
2. Enter the address of the TFTP server. Press <Enter>.
3. Enter the name of the startup file stored on the server. Press <Enter>.
4. Enter the name for the startup file on the switch. Press <Enter>.
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.4
Source configuration file name: startup-rd.cfg
Startup configuration file name [startup1.cfg]:
Success.
Console#
Configuring Automatic Installation of Operation Code and Configuration Settings
Downloading Operation Code from a File Server
Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
Usage Guidelines
◆ If this feature is enabled, the switch searches the defined URL once during the bootup sequence.
◆ FTP (port 21) and TFTP (port 69) are both supported. Note that the TCP/UDP port bindings cannot be modified to support servers listening on non-standard ports.
◆ The host portion of the upgrade file location URL must be a valid IPv4 IP address. DNS host names are not recognized. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
◆ The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/” to indicate this (e.g., ftp://192.168.0.1/).
◆ The file name must not be included in the upgrade file location URL. The switch always requests the file EX3524_Op.bix from the remote server.
◆ The FTP connection is made with PASV mode enabled. PASV mode is needed to traverse some fire walls, even if FTP traffic is not blocked. PASV mode cannot be disabled.
◆ The switch-based search function is case-insensitive in that it will accept a file name in upper or lower case (i.e., the switch will accept EX3524_Op.BIX from the server even though EX3524_Op.bix was requested). However, keep in mind that the file systems of many operating systems such as Unix and most Unix-like systems (FreeBSD, NetBSD, OpenBSD, and most Linux distributions, etc.) are case-sensitive, meaning that two files in the same directory, ex3524_op.bix and EX3524_Op.BIX, are considered to be unique files. Thus, if the upgrade file is stored as EX3524_Op.BIX (or even Ex3524_Op.bix) on a case-sensitive server, then the switch (requesting EX3524_Op.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal. A notable exception in the list of case-sensitive Unix-like operating systems is Mac OS X, which by default is case-insensitive. Please check the documentation for your server’s operating system if you are unsure of its file system’s behavior.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
◆ The automatic upgrade process will take place in the background without impeding normal operations (data switching, etc.) of the switch.
◆ During the automatic search and transfer process, the administrator cannot transfer or update another operation code image, configuration file, public key, or HTTPS certificate (i.e., no other concurrent file management operations are possible).
◆ The upgrade operation code image is set as the startup image after it has been successfully written to the file system.
◆ The switch will send an SNMP trap and make a log entry upon all upgrade successes and failures.
◆ The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image.
To enable automatic upgrade, enter the following commands:
1. Specify the TFTP or FTP server to check for new operation code.
■ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/
■ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password]@]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” will be used for the connection. If the password is omitted, a null string (“”) will be used for the connection. A user name and password given in the URL become part of the switch configuration, so use a dedicated FTP account that has read access only to the image directory.
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored, where password stands for the password of the “motorola” account on the server.
Console(config)#upgrade opcode path ftp://motorola:password@192.168.0.1/sm24/
Console(config)#
2.
Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
Console(config)#upgrade opcode reload
Console(config)#
3. Set the switch to automatically upgrade the current operational code when a new version is detected on the server. When the switch starts up and automatic image upgrade is enabled by this command, the switch will follow these steps when it boots up:
a. It will search for a new version of the image at the location specified by the upgrade opcode path command. The name for the new image stored on the TFTP server must be EX3524_Op.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
b. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
c. It sets the new version as the startup image.
d. It then restarts the system to start using the new image.
Console(config)#upgrade opcode auto
Console(config)#
4. Display the automatic upgrade settings.
Console#show upgrade
Auto Image Upgrade Global Settings:
Status : Enabled
Reload Status : Enabled
Path :
File Name : EX3524_Op.bix
Console#
Specifying a DHCP Client Identifier
DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier. The client identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
DHCP client Identifier (Option 60) is used by DHCP clients to specify their unique identifier. The client identifier is optional and can be specified while configuring DHCP on the primary network interface. DHCP Option 60 is disabled by default.
The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator. Options 60 (vendor-class-identifier), 66 (tftp-server-name) and 67 (bootfile-name) statements can be added to the server daemon’s configuration file as described in the following section.
If the DHCP server has an index entry for a switch requesting service, it should reply with the TFTP server name and boot file name. Note that the vendor class identifier can be formatted in either text or hexadecimal, but the format used by both the client and server must be the same.
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572
Console(config-if)#
Downloading a Configuration File Referenced by a DHCP Server
Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed. If the Factory Default Configuration file is used to provision the switch at startup, in addition to requesting IP configuration settings from the DHCP server, it will also ask for the name of a bootup configuration file and TFTP servers where that file is stored.
If the switch receives information that allows it to download the remote bootup file, it will save this file to a local buffer, and then restart the provision process.
Note the following DHCP client behavior:
◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
◆ If the name of the bootup configuration file is the same as the Factory Default Configuration file, the download procedure will be terminated, and the switch will not send any further DHCP client requests.
◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
◆ If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.
To successfully transmit a bootup configuration file to the switch the DHCP daemon (using a Linux based system for this example) must be configured with the following information:
◆ Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
Table 1: Options 60, 66 and 67 Statements
Option | Statement Keyword       | Statement Parameter
60     | vendor-class-identifier | a string indicating the vendor class identifier
66     | tftp-server-name        | a string indicating the tftp server name
67     | bootfile-name           | a string indicating the bootfile name
◆ By default, DHCP option 66/67 parameters are not carried in a DHCP server reply. To ask for a DHCP reply with option 66/67 information, the DHCP client request sent by this switch includes a “parameter request list” asking for this information. Besides these items, the client request also includes a “vendor class identifier” that allows the DHCP server to identify the device, and select the appropriate configuration file for download. This information is included in Option 55 and 124.
Table 2: Options 55 and 124 Statements
Option | Statement Keyword           | Statement Parameter
55     | dhcp-parameter-request-list | a list of parameters, separated by a comma ','
124    | vendor-class-identifier     | a string indicating the vendor class identifier
The following configuration example is provided for a Linux-based DHCP daemon (dhcpd.conf file). In the “Vendor class” section, the server will always send Option 66 and 67 to tell the switch to download the “test” configuration file from server 192.168.255.101.
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
server-name "Server1";
server-identifier 192.168.255.250;
#option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100";   #Default Option 66
  option bootfile-name "bootfile";             #Default Option 67
}
class "Option66,67_1" {   #DHCP Option 60 Vendor class two
  match if option vendor-class-identifier = "EX3524_Op.cfg";
  option tftp-server-name "192.168.255.101";
  option bootfile-name "test";
}
Note: Use “EX3524_Op.cfg” for the vendor-class-identifier in the dhcpd.conf file.
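The exchange described in this section (a client request carrying Option 60 and an Option 55 list asking for 66/67, and a server choosing the reply from a vendor-class table like the dhcpd.conf class above), as an added Python example that is not part of the guide. It encodes and parses the raw TLV option bytes; the class table and default values mirror the dhcpd.conf above, and the server side compares the vendor class on its raw bytes, so the "hex" and "text" forms of the same identifier select the same class. All option values are constructed for the example.

```python
# Added example (not from the guide): encode the DHCP client request this
# switch is described as sending (Option 60 vendor class + Option 55 parameter
# request list for 66/67) and a minimal server-side selection that mirrors the
# dhcpd.conf class above.  All sample values below are constructed.
OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST_LIST = 55     # dhcp-parameter-request-list
OPT_VENDOR_CLASS_ID = 60        # vendor-class-identifier
OPT_TFTP_SERVER_NAME = 66       # tftp-server-name
OPT_BOOTFILE_NAME = 67          # bootfile-name


def encode_options(options):
    """Serialise [(code, value_bytes), ...] as DHCP TLV options plus END."""
    out = bytearray()
    for code, value in options:
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"cannot encode option {code}")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Parse TLV options into {code: bytes}; reject truncated or unterminated data."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value            # repeated options are not concatenated here
        i += 2 + length
    raise ValueError("options not terminated by END")


def class_id_from_cli(fmt, value):
    """Bytes sent for 'ip dhcp client class-id {hex|text} <value>'."""
    if fmt == "hex":
        return bytes.fromhex(value)
    if fmt == "text":
        return value.encode("ascii")
    raise ValueError("format must be 'hex' or 'text'")


def build_client_request(class_id):
    """Option 60 plus an Option 55 list asking the server for 66 and 67."""
    return encode_options([
        (OPT_VENDOR_CLASS_ID, class_id),
        (OPT_PARAM_REQUEST_LIST, bytes((OPT_TFTP_SERVER_NAME, OPT_BOOTFILE_NAME))),
    ])


def select_provisioning(request, classes, default):
    """Return the (tftp-server, bootfile) pair the server would use and the
    encoded reply options.  Options 66/67 are sent only when requested."""
    opts = decode_options(request)
    requested = set(opts.get(OPT_PARAM_REQUEST_LIST, b""))
    tftp, bootfile = classes.get(opts.get(OPT_VENDOR_CLASS_ID), default)
    reply = []
    if OPT_TFTP_SERVER_NAME in requested:
        reply.append((OPT_TFTP_SERVER_NAME, tftp.encode("ascii")))
    if OPT_BOOTFILE_NAME in requested:
        reply.append((OPT_BOOTFILE_NAME, bootfile.encode("ascii")))
    return (tftp, bootfile), encode_options(reply)


# Server-side view of the dhcpd.conf above: class table keyed on the raw
# vendor-class bytes, plus the subnet defaults.
CLASSES = {b"EX3524_Op.cfg": ("192.168.255.101", "test")}
DEFAULT = ("192.168.255.100", "bootfile")
```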
Setting the System Clock
Simple Network Time Protocol (SNTP) or Network Time Protocol (NTP) can be used to set the switch’s internal clock based on periodic updates from a time server.
Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock. If the clock is not set manually or via SNTP or NTP, the switch will only record the time from the factory default set at the last bootup.
When the SNTP client is enabled, the switch periodically sends a request for a time update to a configured time server. You can configure up to three time server IP addresses. The switch will attempt to poll each server in the configured sequence.
The switch also supports the following time settings:
◆ Time Zone – You can specify the offset from Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT).
◆ Summer Time/Daylight Saving Time (DST) – In some regions, the time shifts by one hour in the fall and spring. The switch supports manual entry for one-time or recurring clock shifts.
Setting the Time Manually
To manually set the clock to 14:11:36, April 1st, 2013, enter this command.
Console#calendar set 14 11 36 1 April 2013
Console#
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#
To display the clock configuration settings, enter the following command.
Console#show calendar
Current Time : Apr 2 15:56:12 2013
Time Zone : UTC, 08:00
Summer Time : SUMMER, offset 60 minutes
Apr 2 2013 00:00 to Jun 30 2013 00:00
Summer Time in Effect : Yes
Console#
Configuring SNTP
Setting the clock based on an SNTP server can provide more accurate clock synchronization across network switches than manually-configured time. To configure SNTP, set the switch as an SNTP client, and then set the polling interval, and specify a time server as shown in the following example.
Console(config)#sntp client
Console(config)#sntp poll 60
Console(config)#sntp server 10.1.0.19
Console(config)#exit
Console#show sntp
Current Time : Apr 2 16:06:07 2013
Poll Interval : 60 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 10.1.0.19
Current Server : 10.1.0.19
Console#
Configuring NTP
Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
When more than one time server is configured, the client will poll all of the time servers, and compare the responses to determine the most reliable and accurate time update for the switch.
To configure NTP time synchronization, enter commands similar to the following.
Console(config)#ntp client
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#ntp authenticate
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#exit
Console#show ntp
Current Time : Apr 29 13:57:32 2011
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 3 key 19
NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885
Current Time : Apr 2 16:28:34 2013
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.5.23 Port: 0
Last Update Time : Apr 2 16:00:00 2013 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.5.23 version 3 key 19
NTP Authentication Key 45 md5 2662T75S5658RU5424180034777
Console#
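How the client-side check behind "ntp authenticate" can be carried out on a packet, as an added Python example that is not from the guide: it uses the RFC 5905 symmetric-key MAC layout (32-bit key ID followed by MD5 over key || 48-byte header), which goes beyond what the guide states. Key 45 reuses the value configured above; the header field values and the key ID 19 used in the checks are constructed.

```python
import hashlib
import hmac
import struct

# Added example (not from the guide): NTP symmetric-key authentication as in
# RFC 5905, i.e. MAC = key_id (4 bytes, big-endian) || MD5(key || header).
NTP_HEADER_LEN = 48
NTP_MAC_LEN = 4 + 16            # key id + MD5 digest


def ntp_header(version=3, mode=4, transmit_ts=0x0123456789ABCDEF):
    """Minimal 48-byte NTP header for a server reply (stratum 2); constructed values."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
    # reference id, reference/origin/receive timestamps, transmit timestamp
    return struct.pack("!BBBbIII4Q", li_vn_mode, 2, 6, -20, 0, 0, 0, 0, 0, 0, transmit_ts)


def sign_ntp(header, key_id, key):
    """Append the symmetric-key MAC to a header (what an authenticating server does)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("header must be 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_ntp(packet, trusted_keys):
    """Return (accepted, reason) for a packet against the client's key table.
    The key ID must be configured locally *and* the key value must match,
    which is the "key numbers and key values must match" rule above."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC present"
    if len(packet) != NTP_HEADER_LEN + NTP_MAC_LEN:
        return False, "unexpected length"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} not configured"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, f"digest mismatch for key id {key_id}"
    return True, "ok"


# Client key table mirroring "ntp authentication-key 45 md5 thisiskey45".
CLIENT_KEYS = {45: b"thisiskey45"}
```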
Section II
Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
This section includes these chapters:
◆ “General Commands” on page 73
◆ “System Management Commands” on page 81
◆ “SNMP Commands” on page 137
◆ “Remote Monitoring Commands” on page 157
◆ “Authentication Commands” on page 165
◆ “General Security Measures” on page 219
◆ “Access Control Lists” on page 269
◆ “Interface Commands” on page 293
◆ “Link Aggregation Commands” on page 313
◆ “Power over Ethernet Commands” on page 325
◆ “Port Mirroring Commands” on page 333
◆ “Congestion Control Commands” on page 343
◆ “Address Table Commands” on page 361
◆ “Spanning Tree Commands” on page 367
◆ “VLAN Commands” on page 393
◆ “Class of Service Commands” on page 429
◆ “Quality of Service Commands” on page 441
◆ “Multicast Filtering Commands” on page 459
◆ “LLDP Commands” on page 493
◆ “CDP Commands” on page 517
◆ “Domain Name Service Commands” on page 523
◆ “DHCP Commands” on page 531
◆ “IP Interface Commands” on page 537
◆ “IP Routing Commands” on page 573
2
Using the Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet or Secure Shell (SSH) connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Console Connection
To access the switch through the console port, perform these steps:
1. At the console prompt, enter the user name and password. (The default user names are “motorola” and “guest” with corresponding passwords of “admin” and “guest.”) When the administrator user name and password is entered, the CLI displays the “Console#” prompt and enters privileged access mode (i.e., Privileged Exec). But when the guest user name and password is entered, the CLI displays the “Console>” prompt and enters normal access mode (i.e., Normal Exec).
2. Enter the necessary commands to complete your desired tasks.
3. When finished, exit the session with the “quit” or “exit” command.
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: motorola
Password:
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Console#
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default.
To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet. For example,
Console(config)#interface vlan 1
Console(config-if)#ip address 10.1.0.254 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254
Console(config)#
If your corporate network is connected to another network outside your office or to the Internet, you need to apply for a registered IP address. However, if you are attached to an isolated network, then you can use any IP address that matches the network segment to which you are attached.
After you configure the switch with an IP address, you can open a Telnet session by performing these steps:
1. From the remote host, enter the Telnet command and the IP address of the device you want to access.
2. At the prompt, enter the user name and system password. The CLI will display the “Vtyn #” prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or “Vtyn >” for the guest to show that you are using normal access mode (i.e., Normal Exec), where n indicates the number of the current Telnet session.
3. Enter the necessary commands to complete your desired tasks.
4. When finished, exit the session with the “quit” or “exit” command.
After entering the Telnet command, the login screen displays:
Username: motorola
Password:
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Vty-0#
Note: You can open up to four sessions to the device via Telnet or SSH.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
You can enter commands as follows:
◆ To enter a simple command, enter the command keyword.
◆ To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter:
Console> enable
Console# show startup-config
◆ To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter:
Console(config)# username motorola password 0 smith
Minimum Abbreviation
The CLI will accept a minimum number of characters that uniquely identify a command. For example, the command “configure” can be entered as “con”. If an entry is ambiguous, the system will prompt for further input.
Command Completion
If you terminate input with a Tab key, the CLI will print the remaining characters of a partial keyword up to the point of ambiguity. In the “logging history” example, typing “log” followed by a tab will result in printing the command up to “logging”.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command. For example, the command “system ?” displays a list of possible system commands:
Console#show ?
access-group Access groups
access-list Access lists
accounting Uses an accounting list with this name
arp Information of ARP cache
authorization Enables EXEC accounting
auto-traffic-control Auto traffic control information
bridge-ext Bridge extension information
cable-diagnostics Shows the information of cable diagnostics
calendar Date and time information
cdp CDP
class-map Displays class maps
cluster Display cluster
dns DNS information
dot1q-tunnel dot1q-tunnel
dot1x 802.1X content
flow Shows packet flow information
garp GARP properties
gvrp GVRP interface information
history Shows history information
hosts Host information
interfaces Shows interface information
ip IP information
ipv6 IPv6 information
lacp LACP statistics
line TTY line information
lldp LLDP
log Log records
logging Logging setting
mac MAC access list
mac-address-table Configuration of the address table
mac-vlan MAC-based VLAN information
management Shows management information
memory Memory utilization
mvr multicast vlan registration
network-access Shows the entries of the secure port.
nlm Show notification log
policy-map Displays policy maps
port Port characteristics
power Shows power
power-save Shows the power saving information
process Device process
protocol-vlan Protocol-VLAN information
public-key Public key information
qos Quality of Service
queue Priority queue information
radius-server RADIUS server information
reload Shows the reload settings
rmon Remote Monitoring Protocol
rspan Display status of the current RSPAN configuration
running-config Information on the running configuration
snmp Simple Network Management Protocol configuration and statistics
sntp Simple Network Time Protocol configuration
spanning-tree Spanning-tree configuration
ssh Secure shell server connections
startup-config Startup system configuration
subnet-vlan IP subnet-based VLAN information
system System information
tacacs-server TACACS server information
tech-support Technical information
time-range Time range
traffic-segmentation Traffic segmentation information
upgrade Shows upgrade information
users Information about users logged in
version System hardware and software versions
vlan Shows virtual LAN settings
voice Shows the voice VLAN information
web-auth Shows web authentication configuration
Console#show
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
brief Shows brief interface description
counters Interface counters information
protocol-vlan Protocol-VLAN information
status Shows interface status
switchport Shows interface switchport information
transceiver Interface of transceiver information
Console#
Show commands which display more than one page of information (e.g., show running-config ) pause and require you to press the [Space] bar to continue displaying one more page, the [Enter] key to display one more line, or the [a] key to display the rest of the information without stopping. You can press any other key to terminate the display.
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”
Console#show s?
snmp sntp spanning-tree ssh startup-config subnet-vlan system
Console#show s
Negating the Effect of Commands
For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
Using Command History
The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.
Using the show history command displays a longer list of recently executed commands.
Understanding Command Modes
The command set is divided into Exec and Configuration classes. Exec commands generally display information on system status or clear statistical counters. Configuration commands, on the other hand, modify interface parameters or enable certain switching functions. These classes are further divided into different modes. Available commands depend on the selected mode. You can always enter a question mark “?” at the prompt to display a list of the commands available for the current mode. The command classes and associated modes are displayed in the following table:
Table 3: General Command Modes
Class         | Mode
Exec          | Normal
              | Privileged
Configuration | Global *
              | Access Control List
              | Class Map
              | IGMP Profile
              | Interface
              | Line
              | Multiple Spanning Tree
              | Policy Map
              | Time Range
              | VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Exec Commands
When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name “motorola” and password “admin.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.”
To enter Privileged Exec mode, enter the following user names and passwords:
Username: motorola
Password: [admin login password]
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Console#
Username: guest
Password: [guest login password]
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Console>enable
Password: [privileged level password]
Console#
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
The configuration commands are organized into different modes:
◆ Global Configuration - These commands modify the system level configuration, and include commands such as hostname and snmp-server community.
◆ Access Control List Configuration - These commands are used for packet filtering.
◆ Class Map Configuration - Creates a DiffServ class map for a specified traffic type.
◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
◆ Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
◆ Multiple Spanning Tree Configuration - These commands configure settings for the selected multiple spanning tree instance.
◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces.
◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists.
◆ VLAN Configuration - Includes the command to create VLAN groups.
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.
Console#configure
Console(config)#
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 4: Configuration Command Modes
Mode                | Command                                               | Prompt                     | Page
Line                | line {console | vty}                                  | Console(config-line)       | 101
Access Control List | access-list ip standard                               | Console(config-std-acl)    | 270
                    | access-list ip extended                               | Console(config-ext-acl)    | 270
                    | access-list ipv6 standard                             |                            | 283
                    | access-list ipv6 extended                             |                            |
                    | access-list mac                                       | Console(config-mac-acl)    |
Class Map           | class-map                                             | Console(config-cmap)       | 442
Interface           | interface {ethernet port | port-channel id | vlan id} | Console(config-if)         | 294
MSTP                | spanning-tree mst-configuration                       | Console(config-mstp)       | 374
Policy Map          | policy-map                                            | Console(config-pmap)       | 445
Time Range          | time-range                                            | Console(config-time-range) | 128
VLAN                | vlan database                                         | Console(config-vlan)       | 400
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode.
Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches. You can also use the following editing keystrokes for command-line processing:
Table 5: Keystroke Commands
Keystroke                   | Function
Ctrl-A                      | Shifts cursor to start of command line.
Ctrl-B                      | Shifts cursor to the left one character.
Ctrl-C                      | Terminates the current task and displays the command prompt.
Ctrl-E                      | Shifts cursor to end of command line.
Ctrl-F                      | Shifts cursor to the right one character.
Ctrl-K                      | Deletes all characters from the cursor to the end of the line.
Ctrl-L                      | Repeats current command line on a new line.
Ctrl-N                      | Enters the next command line in the history buffer.
Ctrl-P                      | Enters the last command.
Ctrl-R                      | Repeats current command line on a new line.
Ctrl-U                      | Deletes from the cursor to the beginning of the line.
Ctrl-W                      | Deletes the last word typed.
Esc-B                       | Moves the cursor back one word.
Esc-D                       | Deletes from the cursor to the end of the word.
Esc-F                       | Moves the cursor forward one word.
Delete key or backspace key | Erases a mistake when entering a command.
Output Modifiers
Some of the show commands include options for output modifiers. For example, the “show running-config” command includes the following keyword options:
Console#show running-config ?
| Output modifiers
<cr>
The output modifiers include options which indicate a string that occurs at the beginning of a line, in lines that are to be excluded, or in lines that are to be included.
Console#show running-config | ?
begin Begin with line that matches
exclude Exclude lines that match
include Include lines that match
Note that the output modifier begin can only be used as the first modifier if more than one modifier is used in a command.
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index
Command Group                        | Description                                                                                                                                                                                                                                                                     | Page
General                              | Basic commands for entering privileged access mode, restarting the system, or quitting the CLI                                                                                                                                                                                  | 73
System Management                    | Display and setting of system information, basic modes of operation, maximum frame size, file management, console port and telnet settings, system logs, SMTP alerts, the system clock, and switch clustering                                                                   | 81
Simple Network Management Protocol   | Activates authentication failure traps; configures community access strings, and trap receivers                                                                                                                                                                                 | 137
Remote Monitoring                    | Supports statistics, history, alarm and event groups                                                                                                                                                                                                                            | 157
User Authentication                  | Configures user names and passwords, logon access using local or remote authentication, management access through the web server, Telnet server and Secure Shell; as well as port security, IEEE 802.1X port access control, and restricted access based on specified IP addresses | 165
General Security Measures            | Segregates traffic for clients attached to common data ports; and prevents unauthorized access by configuring valid static or dynamic addresses, web authentication, MAC address authentication, filtering DHCP requests and replies, and discarding invalid ARP responses       | 219
Access Control List                  | Provides filtering for IPv4 frames (based on address, protocol, TCP/UDP port number or TCP control code), IPv6 frames (based on address or DSCP traffic class), or non-IP frames (based on MAC address or Ethernet type)                                                         | 269
Interface                            | Configures the connection parameters for all Ethernet ports, aggregated links, and VLANs                                                                                                                                                                                        | 293
Link Aggregation                     | Statically groups multiple ports into a single logical trunk; configures Link Aggregation Control Protocol for port trunks                                                                                                                                                      | 313
Power over Ethernet                  | Configures power output for connected devices                                                                                                                                                                                                                                   | 325
Mirror Port                          | Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port                                                                                                                                                   | 333
Congestion Control                   | Sets the input/output rate limits, traffic storm thresholds, and thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.                                                                                      | 343
Address Table                        | Configures the address table for filtering specified addresses, displays current entries, clears the table, or sets the aging time                                                                                                                                              | 361
Spanning Tree                        | Configures Spanning Tree settings for the switch                                                                                                                                                                                                                                | 367
VLANs                                | Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling                                                                                                                 | 393
Class of Service                     | Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue, also sets priority for DSCP                                                                                                                    | 429
Quality of Service                   | Configures Differentiated Services                                                                                                                                                                                                                                              | 441
Multicast Filtering                  | Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router; also configures multicast VLAN registration                                                                                                           | 459
Link Layer Discovery Protocol        | Configures LLDP settings to enable information discovery about neighbor devices                                                                                                                                                                                                 | 493
Cisco Discovery Protocol             | Configures CDP settings to enable information discovery about neighbor devices                                                                                                                                                                                                  | 517
Domain Name Service                  | Configures DNS services.                                                                                                                                                                                                                                                        | 523
Dynamic Host Configuration Protocol  | Configures DHCP client functions                                                                                                                                                                                                                                                | 531
IP Interface                         | Configures IP address for the switch interfaces; also configures ARP parameters and static entries                                                                                                                                                                              | 537
IP Routing                           | Configures static unicast routing                                                                                                                                                                                                                                               | 573
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
GC (Global Configuration)
IC (Interface Configuration)
IPC (IGMP Profile Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
3 General Commands
The general commands are used to control the command access mode, configuration mode, and other basic functions.
Table 7: General Commands
Command | Function | Mode
prompt | Customizes the CLI prompt | GC
reload | Restarts the system at a specified time, after a specified delay, or at a periodic interval | GC
enable | Activates privileged mode | NE
quit | Exits a CLI session | NE, PE
show history | Shows the command history buffer | NE, PE
configure | Activates global configuration mode | PE
disable | Returns to normal mode from privileged mode | PE
reload | Restarts the system immediately | PE
show reload | Displays the current reload settings, and the time at which next scheduled reload will take place | PE
end | Returns to Privileged Exec mode | any config. mode
exit | Returns to the previous configuration mode, or exits the CLI | any mode
? | Shows options for command completion (context sensitive) | any mode
help | Shows how to use help | any mode
prompt
This command customizes the CLI prompt. Use the no form to restore the default prompt.
Syntax
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters)
Default Setting
Console
Chapter 3 | General Commands
Command Mode
Global Configuration
Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Syntax
reload { at hour minute [{ month day | day month } [ year ]] | in { hour hours | minute minutes | hour hours minute minutes } | regularity hour minute [ period { daily | weekly day-of-week | monthly day }] | cancel [ at | in | regularity ]}
reload at - A specified time at which to reload the switch.
  hour - The hour at which to reload. (Range: 0-23)
  minute - The minute at which to reload. (Range: 0-59)
  month - The month at which to reload. (january ... december)
  day - The day of the month at which to reload. (Range: 1-31)
  year - The year at which to reload. (Range: 1970-2037)
reload in - An interval after which to reload the switch.
  hours - The number of hours, combined with the minutes, before the switch resets. (Range: 0-576)
  minutes - The number of minutes, combined with the hours, before the switch resets. (Range: 0-59)
reload regularity - A periodic interval at which to reload the switch.
  hour - The hour at which to reload. (Range: 0-23)
  minute - The minute at which to reload. (Range: 0-59)
  day-of-week - Day of the week at which to reload. (Range: monday ... saturday)
  day - Day of the month at which to reload. (Range: 1-31)
reload cancel - Cancels the specified reload option.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (see “copy” on page 92).
Example
This example shows how to reset the switch after 30 minutes:
Console(config)#reload in minute 30
***
*** --- Rebooting at January 1 02:10:43 2007 ---
***
Are you sure to reboot the system at the specified time? <y/n>
enable
This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 66.
Syntax
enable [ level ]
level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
Default Setting
Level 15
Command Mode
Normal Exec
Command Usage
◆ “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command.)
◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (78)
enable password (166)
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
2 config
1 show history
Configuration command history:
4 interface vlan 1
3 exit
2 interface vlan 1
1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
Console#!2
Console#config
Console(config)#
configure
This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, such as Interface Configuration, Line Configuration, and VLAN Database Configuration. See “Understanding Command Modes” on page 66.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#configure
Console(config)#
Related Commands
end (79)
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 66.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
Example
Console#disable
Console>
Related Commands
enable (75)
reload (Privileged Exec)
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
This command resets the entire system.
Example
This example shows how to reset the switch:
Console#reload
System will be restarted, continue <y/n>? y
show reload
This command displays the current reload settings, and the time at which next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end
This command returns to Privileged Exec mode.
Default Setting
None
Command Mode
Global Configuration, Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
Example
This example shows how to return to the Privileged Exec mode from the Interface Configuration mode:
Console(config-if)#end
Console#
exit
This command returns to the previous configuration mode or exits the configuration program.
Default Setting
None
Command Mode
Any
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Table 8: System Management Commands
Command Group | Function
Device Designation | Configures information that uniquely identifies this switch
System Status | Displays system configuration, active managers, and version information
Frame Size | Enables support for jumbo frames
File Management | Manages code image or switch configuration files
Line | Sets communication parameters for the serial port, including baud rate and console time-out
Event Logging | Controls logging of error messages
SMTP Alerts | Configures SMTP email alerts
Time (System Clock) | Sets the system clock automatically via NTP/SNTP server or manually
Time Range | Sets a time range for use by other functions, such as Access Control Lists
Switch Clustering | Configures management of multiple devices via a single IP address
Device Designation
This section describes commands used to configure information that uniquely identifies the switch.
Table 9: Device Designation Commands
Command | Function | Mode
hostname | Specifies the host name for the switch | GC
snmp-server contact | Sets the system contact string | GC
snmp-server location | Sets the system location string | GC
Chapter 4 | System Management Commands
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
◆ This command and the prompt command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#hostname RD#1
RD#1(config)#
System Status
This section describes commands used to display system information.
Table 10: System Status Commands
Command | Function | Mode
show access-list tcam-utilization | Shows utilization parameters for TCAM | PE
show memory | Shows memory utilization parameters | NE, PE
show process cpu | Shows CPU utilization parameters | NE, PE
show running-config | Displays the configuration data currently in use | PE
show startup-config | Displays the contents of the configuration file (stored in flash memory) that is used to start up the system | PE
show system | Displays system information | NE, PE
show users | Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients | NE, PE
show version | Displays version information for the system | NE, PE
show access-list tcam-utilization
This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Command Mode
Privileged Exec
Command Usage
Policy control entries (PCEs) are used by various system functions which rely on rule-based searches, including Access Control Lists (ACLs), IP Source Guard filter rules, Quality of Service (QoS) processes, or traps.
For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
Example
Console#show access-list tcam-utilization
Total Policy Control Entries : 512
Free Policy Control Entries : 352
Entries Used by System : 160
Entries Used by User : 0
TCAM Utilization : 31.25%
Console#
show memory
This command shows memory utilization parameters.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command shows the amount of memory currently free for use, the amount of memory allocated to active processes, and the total amount of system memory.
Example
Console#show memory
Status Bytes
------ ----------
Free 50917376
Used 83300352
Total 134217728
Console#
show process cpu
This command shows the CPU utilization parameters.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show process cpu
CPU Utilization in the past 5 seconds : 3.98%
Console#
show running-config
This command displays the configuration information currently in use.
Command Mode
Privileged Exec
Command Usage
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:
  ■ MAC address for the switch
  ■ SNTP server settings
  ■ SNMP community strings
  ■ Users (names, access levels, and encrypted passwords)
  ■ VLAN database (VLAN ID, name and state)
  ■ VLAN configuration settings for each interface
  ■ Multiple spanning tree instances (name and interfaces)
  ■ IP address configured for management VLAN
  ■ Layer 4 precedence settings
  ■ Spanning tree settings
  ■ Interface settings
  ■ Any configured settings for the console port and Telnet
Example
Console#show running-config
Building startup configuration. Please wait...
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac>
!
snmp-server community public ro
snmp-server community private rw
!
snmp-server enable traps authentication
!
username motorola access-level 15
username motorola password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
!
spanning-tree mst configuration
!
interface ethernet 1/1
switchport allowed vlan add 1 untagged
switchport native vlan 1
qos map dscp-mutation 6 0 from 46
.
!
interface vlan 1
ip address 192.168.1.10 255.255.255.0
!
queue mode strict-wrr 0 0 0 1
!
line console
!
line vty
!
end
!
Console#
Related Commands
show startup-config (85)
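The following Python script is an added example (it is not from the guide or the switch firmware) that parses a saved show running-config dump of the layout shown above, splitting it at the “!” separators, and reports the settings a reviewer would check first: well-known default SNMP community strings, any read-write community, user accounts with no password line, a missing level-15 enable password, and an absent secure web server. The sample dump and its hashes are constructed, and the script assumes that an enabled secure web server shows up verbatim as the line ip http secure-server.

```python
"""Audit a saved `show running-config` dump of the EX-3524/EX-3548 CLI (added
example, not from the guide). Sample, hashes and HTTPS line are constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code detail")

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known factory defaults
PROMPT_RE = re.compile(r"^\S+#")  # CLI prompt lines such as "Console#"
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")
USER_LEVEL_RE = re.compile(r"^username (\S+) access-level (\d+)$")
USER_PW_RE = re.compile(r"^username (\S+) password (\d+) (\S+)$")
ENABLE_PW_RE = re.compile(r"^enable password level (\d+) (\d+) (\S+)$")
HTTPS_LINE = "ip http secure-server"  # assumed verbatim rendering when enabled

# Constructed sample in the layout the guide shows; hashes are placeholders.
SAMPLE_RUNNING_CONFIG = """\
Building startup configuration. Please wait...
!<stackingDB>00</stackingDB>
!<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac>
!
snmp-server community public ro
snmp-server community private rw
!
username motorola access-level 15
username motorola password 7 00000000000000000000000000000000
username guest access-level 0
username guest password 7 11111111111111111111111111111111
enable password level 15 7 22222222222222222222222222222222
!
vlan database
vlan 1 name DefaultVlan media ethernet state active
!
interface ethernet 1/1
switchport allowed vlan add 1 untagged
switchport native vlan 1
!
interface vlan 1
ip address 192.168.1.10 255.255.255.0
!
line vty
!
end
!
Console#
"""


def split_mode_groups(text):
    """Return the dump as mode groups (lists of command lines), split at "!"
    lines; the banner, "!<...>" comments, prompt lines and "end" are dropped."""
    groups, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("!<") or line.startswith("Building ")
                or line == "end" or PROMPT_RE.match(line)):
            continue
        if line == "!":
            if current:
                groups.append(current)
            current = []
        else:
            current.append(line)
    if current:
        groups.append(current)
    return groups


def audit_running_config(text):
    """Return Finding objects for the weak settings visible in the dump."""
    findings, levels, with_password, enable_levels = [], {}, set(), set()
    https_enabled = False
    for line in (ln for group in split_mode_groups(text) for ln in group):
        if m := COMMUNITY_RE.match(line):
            name, access = m.groups()
            if name in DEFAULT_COMMUNITIES:
                findings.append(Finding("SNMP_DEFAULT_COMMUNITY", f"{name} ({access})"))
            elif access == "rw":
                findings.append(Finding("SNMP_RW_COMMUNITY", name))
        elif m := USER_LEVEL_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := USER_PW_RE.match(line):
            with_password.add(m.group(1))
        elif m := ENABLE_PW_RE.match(line):
            enable_levels.add(int(m.group(1)))
        elif line == HTTPS_LINE:
            https_enabled = True
    for user, level in sorted(levels.items()):  # accounts with no password line
        if user not in with_password:
            findings.append(Finding("USER_WITHOUT_PASSWORD", f"{user} (level {level})"))
    if 15 not in enable_levels:
        findings.append(Finding("NO_ENABLE_PASSWORD", "level 15"))
    if not https_enabled:
        findings.append(Finding("HTTPS_NOT_ENABLED", f"{HTTPS_LINE} absent"))
    return findings
```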
show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.
Command Mode
Privileged Exec
Command Usage
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information:
  ■ MAC address for the switch
  ■ SNMP community strings
  ■ SNMP trap authentication
  ■ RMON alarms settings
  ■ Users (names and access levels)
  ■ VLAN database (VLAN ID, name and state)
  ■ Multiple spanning tree instances (name and interfaces)
  ■ Interface settings and VLAN configuration settings for each interface
  ■ IP address for management VLAN
  ■ Any configured settings for the console port and Telnet
Example
Refer to the example for the running configuration file.
Related Commands
show running-config (84)
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
◆ The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
◆ The number of fans provided: EX-3524 - 2, EX-3548 - 3
Example
Console#show system
System Description : EX-3524 Managed POE/POE+ Switch
System OID String : 1.3.6.1.4.1.388.19.101
System Information
System Up Time : 0 days, 5 hours, 45 minutes, and 35.48 seconds
System Name :
System Location :
System Contact :
MAC Address (Unit 1) : 70-72-CF-95-DC-46
Web Server : Enabled
Web Server Port : 80
Web Secure Server : Disabled
Web Secure Server Port : 443
Telnet Server : Enabled
Telnet Server Port : 23
Jumbo Frame : Disabled
System Fan:
Unit 1
Fan 1: OK Fan 2: OK
POST Result:
Console#
Table 11: show system – display description
Parameter | Description
System Description | Brief description of device type.
System OID String | MIB II object ID for switch’s network management subsystem.
System Up Time | Length of time the management agent has been up.
System Name | Name assigned to the switch system.
System Location | Specifies the system location.
System Contact | Administrator responsible for the system.
MAC Address | MAC address assigned to this switch.
Web Server/Port | Shows administrative status of web server and UDP port number.
Web Secure Server/Port | Shows administrative status of secure web server and UDP port number.
Telnet Server/Port | Shows administrative status of Telnet server and TCP port number.
Jumbo Frame | Shows if jumbo frames are enabled or disabled.
System Fan | Shows the status of the system fans.
POST Result | The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Example
Console#show users
User Name Accounts:
User Name Privilege Public-Key
--------- --------- ----------
motorola 15 None
guest 0 None
steve 15 RSA
Online Users:
Line Username Idle time (h:m:s) Remote IP addr.
----------- -------- ----------------- ---------------
0 console motorola 0:14:14
* 1 VTY 0 motorola 0:00:00 192.168.1.19
2 SSH 1 steve 0:00:06 192.168.1.19
Web Online Users:
Line Remote IP Addr User Name Idle time (h:m:s)
----------- --------------- --------- ------------------
1 HTTP 192.168.1.19 motorola 0:00:0
Console#
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show version
Unit 1
Serial Number : LN11130371
Hardware Version : R0B
CPLD Version : 0.00
Number of Ports : 28
Main Power Status : Up
Role : Master
Loader Version : 4.0.0.0-01R
Linux Kernel Version : 2.6.22.18
Operation Code Version : 4.0.0.0-03R
Console#
Table 12: show version – display description
Parameter | Description
Serial Number | The serial number of the switch.
Hardware Version | Hardware version of the main board.
CPLD Version | Version number of Complex Programmable Logic Device.
Number of Ports | Number of built-in ports.
Main Power Status | Displays the status of the internal power supply.
Role | Shows that this switch is operating as Master or Slave.
Loader Version | Version number of loader code.
Linux Kernel Version | Version number of Linux kernel.
Operation Code Version | Version number of runtime code.
Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
Table 13: Frame Size Commands
Command | Function | Mode
jumbo frame | Enables support for jumbo frames | GC
jumbo frame
This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
Syntax
[ no ] jumbo frame
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit Ethernet ports or trunks up to 10240 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
◆ The current setting for jumbo frames can be displayed with the show system command.
Example
Console(config)#jumbo frame
Console(config)#
File Management
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file.
Saving or Restoring Configuration Settings
Configuration settings can be uploaded and downloaded to and from an FTP/TFTP server. The configuration file can be later downloaded to restore switch settings.
The configuration file can be downloaded under a new file name and then set as the startup file, or the current startup configuration file can be specified as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the FTP/TFTP server, but cannot be used as the destination on the switch.
Table 14: Flash/File Commands
Command | Function | Mode
General Commands
boot system | Specifies the file or image used to start up the system | GC
copy | Copies a code image or a switch configuration to or from flash memory or an FTP/TFTP server | PE
delete | Deletes a file or code image | PE
dir | Displays a list of files in flash memory | PE
whichboot | Displays the files booted | PE
Automatic Code Upgrade Commands
upgrade opcode auto | Automatically upgrades the current image when a new version is detected on the indicated server | GC
upgrade opcode path | Specifies an FTP/TFTP server and directory in which the new opcode is stored | GC
show upgrade | Shows the opcode upgrade configuration settings | PE
General Commands
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system { boot-rom | config | opcode }: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ A colon (:) is required after the specified file type.
◆ If the file contains an error, it cannot be set as the default file.
Example
Console(config)#boot system config: startup
Console(config)#
Related Commands
dir (96)
whichboot (97)
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
Syntax
copy file { file | ftp | running-config | startup-config | tftp }
copy running-config { file | ftp | startup-config | tftp }
copy startup-config { file | ftp | running-config | tftp }
copy tftp { file | https-certificate | public-key | running-config | startup-config }
file - Keyword that allows you to copy to/from a file.
ftp - Keyword that allows you to copy to/from an FTP server.
https-certificate - Keyword that allows you to copy the HTTPS secure site certificate.
public-key - Keyword that allows you to copy a SSH key from a TFTP server. (See “Secure Shell” on page 190.)
running-config - Keyword that allows you to copy to/from the current running configuration.
startup-config - The configuration used for system initialization.
tftp - Keyword that allows you to copy to/from a TFTP server.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ The system prompts for data required to complete the copy command.
◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”)
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
◆ For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” in the System Reference Guide. For information on configuring the switch to use HTTPS for a secure connection, see the ip http secure-server command.
◆ When logging into an FTP server, the interface prompts for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name.
Example
The following example shows how to download new firmware from a TFTP server:
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
1. config: 2. opcode: 2
Source file name: m360.bix
Destination file name: m360.bix
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
Console#
The following example shows how to upload the configuration settings to a file on the TFTP server:
Console#copy file tftp
Choose file type:
1. config: 2. opcode: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
Console#copy tftp https-certificate
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.
Console#reload
System will be restarted, continue <y/n>? y
This example shows how to copy a public key used by SSH from a TFTP server.
Note that public key authentication via SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
1. RSA: 2. DSA: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
Console#
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: motorola
Password[]: *****
Choose file type:
1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
delete
This command deletes a file or image.
Syntax
delete filename
filename - Name of configuration file or code image.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ If the file type is used for system startup, then this file cannot be deleted.
◆ “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.cfg
Console#
Related Commands
dir (96)
delete public-key (195)
dir
This command displays a list of files in flash memory.
Syntax
dir [{ boot-rom: | config: | opcode: } [ filename ]]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
If you enter the command dir without any parameters, the system displays all files.
File information is shown below:
Table 15: File Directory Information
Column Heading | Description
File Name | The name of the file.
File Type | File types: Boot-Rom, Operation Code, and Config file.
Startup | Shows if this file is used when the system is started.
Create Time | The date and time the file was created.
Size | The length of the file in bytes.
Example
The following example shows how to display all file information:
Console#dir
File Name Type Startup Modify Time Size(bytes)
-------------------------- -------------- ------- ------------------- ---------
Unit 1:
EX3524_Op_V0.0.0.2.bix OpCode Y 2013-10-18 05:21:23 7499044
Factory_Default_Config.cfg Config N 2013-10-18 01:43:38 517
startup1.cfg Config Y 2013-10-16 10:46:12 3559
-----------------------------------------------------------------------------
Free space for compressed user config files : 573440
Used space : 32980992
Total space : 33554432
Console#
whichboot
This command displays which files were booted when the system powered up.
Syntax whichboot
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name                        Type    Startup Modify Time         Size(bytes)
-------------------------------- ------- ------- ------------------- ----------
Unit 1:
EX3524_Op_V0.0.0.2.bix           OpCode  Y       2013-10-18 05:21:23 7499044
startup1.cfg                     Config  Y       2013-10-16 10:46:12 3559
Console#
Automatic Code Upgrade Commands
upgrade opcode auto
This command automatically upgrades the current operational code when a new version is detected on the server indicated by the upgrade opcode path command.
Use the no form of this command to restore the default setting.
Syntax
[ no ] upgrade opcode auto
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ This command enables or disables automatic upgrade of the operational code. When automatic image upgrade is enabled, the switch follows these steps at boot:
1. It searches for a new version of the image at the location specified by the upgrade opcode path command. The name for the new image stored on the TFTP server must be EX3524_Op.bix. If the switch detects a code version newer than the one currently in use, it downloads the new image. If two code images are already stored in the switch, the image not set to start up the system is overwritten by the new version.
2. After the image has been downloaded, the switch sends a trap message to log whether or not the upgrade operation was successful.
3. It sets the new version as the startup image.
4. It then restarts the system to start using the new image.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.0.1.5; new version 1.1.2.0
Image upgrade in progress
The switch will restart after upgrade succeeds
Downloading new image
Flash programming started
Flash programming completed
The switch will now restart
.
.
upgrade opcode path
This command specifies a TFTP or FTP server and directory in which the new opcode is stored. Use the no form of this command to clear the current setting.
Syntax
upgrade opcode path opcode-dir-url
no upgrade opcode path
opcode-dir-url - The location of the new code.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be EX3524_Op.bix. However, note that the file name is not included in this command.
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/
◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” will be used for the connection. If the password is omitted a null string (“”) will be used for the connection.
Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://motorola:[email protected]/sm24/
Console(config)#
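Because automatic upgrade installs and boots whatever EX3524_Op.bix it finds at this path, the path deserves the same review as the image itself. As an added example, not part of this guide or the switch software, the Python below checks an opcode-dir-url against the grammar given in the Command Usage above, applies the documented anonymous and empty-password fallbacks for FTP, and lists the points a reviewer would raise: a TFTP source is unauthenticated, an FTP password lives in the configuration (and therefore in show running-config output), and the path must end in a slash rather than a file name. `audit_upgrade_config` reads the two commands as they appear in a saved configuration; the function and report names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Path grammar as documented for upgrade opcode path:
#   tftp://host[/filedir]/
#   ftp://[username[:password]@]host[/filedir]/
# The trailing slash is required; the image name EX3524_Op.bix is fixed and
# must not appear in the path.
PATH_RE = re.compile(
    r"^(?P<scheme>tftp|ftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^/@:]+)"
    r"(?P<dir>(?:/[^/]*)*)$")


@dataclass
class UpgradePath:
    scheme: str
    host: str
    directory: str
    username: Optional[str] = None   # FTP only
    password: Optional[str] = None   # FTP only
    findings: List[str] = field(default_factory=list)


def parse_upgrade_path(url: str) -> UpgradePath:
    """Validate an opcode-dir-url against the documented grammar and note the
    trust and credential-handling consequences of the chosen form."""
    m = PATH_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a valid upgrade opcode path: {url!r}")
    d = m.groupdict()
    p = UpgradePath(d["scheme"], d["host"], d["dir"])
    if p.scheme == "ftp":
        # Documented fallbacks: omitted user -> "anonymous", omitted password -> "".
        p.username = d["user"] or "anonymous"
        p.password = d["password"] if d["password"] is not None else ""
    if not p.directory.endswith("/"):
        p.findings.append("path must end with '/' and must not include the image file name")
    if p.scheme == "tftp":
        p.findings.append("TFTP source is unauthenticated: the switch will install any "
                          "EX3524_Op.bix at this location that carries a newer version")
    else:
        if d["password"]:
            p.findings.append("FTP password is stored in the configuration (visible via "
                              "show running-config) and sent in clear text by FTP")
        if p.username == "anonymous":
            p.findings.append("anonymous FTP: image source is unauthenticated")
    return p


def audit_upgrade_config(config_lines: List[str]) -> dict:
    """Audit the upgrade commands as they appear in show running-config output."""
    auto = any(l.strip() == "upgrade opcode auto" for l in config_lines)
    urls = [l.strip().split(None, 3)[3] for l in config_lines
            if l.strip().startswith("upgrade opcode path ")]
    report = {"auto_upgrade": auto, "paths": [], "findings": []}
    for url in urls:
        p = parse_upgrade_path(url)
        report["paths"].append(p)
        report["findings"].extend(p.findings)
    if auto and not urls:
        report["findings"].append("automatic upgrade enabled but no upgrade path configured")
    return report


if __name__ == "__main__":
    # Constructed configuration excerpt; the FTP password is a placeholder.
    sample = ["upgrade opcode auto",
              "upgrade opcode path ftp://motorola:s3cret@192.168.0.1/sm24/"]
    for line in audit_upgrade_config(sample)["findings"]:
        print(line)
```

The useful control here is not in the URL itself but around it: the TFTP or FTP server and the management network between it and the switch are what stand between an attacker and a silently installed image, so the findings are prompts to restrict who can write to that directory and who can reach the switch's management VLAN.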
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
Status : Disabled
Path :
File Name : EX3524_Op.bix
Console#
Line
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Table 16: Line Commands
Command                  Mode     Function
line                     GC       Identifies a specific line for configuration and starts the line configuration mode
accounting exec          LC       Applies an accounting method to local console, Telnet or SSH connections
authorization exec       LC       Applies an authorization method to local console, Telnet or SSH connections
databits *               LC       Sets the number of data bits per character that are interpreted and generated by hardware
exec-timeout             LC       Sets the interval that the command interpreter waits until user input is detected
login                    LC       Enables password checking at login
parity *                 LC       Defines the generation of a parity bit
password                 LC       Specifies a password on a line
password-thresh          LC       Sets the password intrusion threshold, which limits the number of failed logon attempts
silent-time *            LC       Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command
speed *                  LC       Sets the terminal baud rate
stopbits *               LC       Sets the number of the stop bits transmitted per byte
timeout login response   LC       Sets the interval that the system waits for a login attempt
disconnect               PE       Terminates a line connection
show line                NE, PE   Displays a terminal line's parameters
* These commands only apply to the serial port.
line
This command identifies a specific line for configuration and enters line configuration mode, in which subsequent line configuration commands are processed.
Syntax
line { console | vty }
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users . However, the serial communication parameters
(e.g., databits) do not affect Telnet connections.
Example
To enter console line mode, enter the following command:
Console(config)#line console
Console(config-line)#
Related Commands: show line (109), show users (87)
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
Syntax
databits { 7 | 8 }
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.
Default Setting
8 data bits per character
Command Mode
Line Configuration
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands: parity (104)
exec-timeout
This command sets the interval that the system waits until user input is detected.
Use the no form to restore the default.
Syntax
exec-timeout [ seconds ]
no exec-timeout
seconds - Integer that specifies the timeout interval. (Range: 0 - 65535 seconds; 0: no timeout)
Default Setting
CLI: No timeout
Telnet: 10 minutes
Command Mode
Line Configuration
Command Usage
◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#exec-timeout 120
Console(config-line)#
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [ local ]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
Default Setting
login local
Command Mode
Line Configuration
Command Usage
◆ There are three authentication modes provided by the switch itself at login:
■ login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
■ login local selects authentication via the user name and password specified by the username command (i.e., default setting). When using this method, the management interface starts in Normal Exec (NE) or Privileged
Exec (PE) mode, depending on the user’s privilege level (0 or 15 respectively).
■ no login selects no authentication. When using this method, the management interface starts in Normal Exec (NE) mode.
◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the
RADIUS or TACACS software installed on those servers.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands: username (167), password (104)
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity { none | even | odd }
no parity
none - No parity
even - Even parity
odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#
password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password { 0 | 7 } password
no password
{ 0 | 7 } - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting
No password is specified.
Command Mode
Line Configuration
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
Console(config-line)#password 0 secret
Console(config-line)#
Related Commands: login (103), password-thresh (105)
password-thresh
This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [ threshold ]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
Default Setting
The default value is three attempts.
Command Mode
Line Configuration
Command Usage
When the logon attempt threshold is reached, the system interface becomes silent for a specified amount of time before allowing the next logon attempt. (Use the silent-time command to set this interval.) When this threshold is reached for Telnet, the Telnet logon interface shuts down.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
Related Commands: silent-time (106)
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [ seconds ]
no silent-time
seconds - The number of seconds to disable console response. (Range: 0-65535; where 0 means disabled)
Default Setting
30 seconds
Command Mode
Line Configuration
Example
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
Related Commands: password-thresh (105)
speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps, or auto)
Default Setting
auto
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
Note: Auto-detection of baud rate is only performed at user login.
Note: Due to a hardware limitation, the terminal program connected to the console port must be set to 8 data bits when using auto baud rate detection.
Example
To specify 57600 bps, enter this command:
Console(config-line)#speed 57600
Console(config-line)#
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
Syntax
stopbits { 1 | 2 }
no stopbits
1 - One stop bit
2 - Two stop bits
Default Setting
1 stop bit
Command Mode
Line Configuration
Example
To specify 2 stop bits, enter this command:
Console(config-line)#stopbits 2
Console(config-line)#
timeout login response
This command sets the interval that the system waits for a user to log into the CLI.
Use the no form to restore the default setting.
Syntax
timeout login response [ seconds ]
no timeout login response
seconds - Integer that specifies the timeout interval. (Range: 0 - 300 seconds for CLI. 1 - 300 seconds for Telnet)
Default Setting
CLI: Disabled (0 seconds)
Telnet: 300 seconds
Command Mode
Line Configuration
Command Usage
◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#
disconnect
This command terminates an SSH, Telnet, or console connection.
Syntax
disconnect session-id
session-id - The session identifier for an SSH, Telnet or console connection. (Range: 0-8)
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands: show ssh (199), show users (87)
show line
This command displays the terminal line’s parameters.
Syntax
show line [ console | vty ]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
Shows all lines
Command Mode
Normal Exec, Privileged Exec
Example
To show all lines, enter this command:
Console#show line
Console Configuration:
Password Threshold : 3 times
Inactive Timeout : Disabled
Login Timeout : Disabled
Silent Time : 30 sec.
Baud Rate : 115200
Data Bits : 8
Parity : None
Stop Bits : 1
VTY Configuration:
Password Threshold : 3 times
Inactive Timeout : 600 sec.
Login Timeout : 300 sec.
Silent Time : 30 sec.
Console#
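The two blocks above are where the idle-session and failed-logon protections for management access become visible. As an added example (not from this guide or the switch software), the following Python parses `show line` output into per-line settings and compares them with a hardening baseline. The baseline constants are assumptions made for this example, not values from the guide; the sample text is the output shown above, whose console defaults (no inactive timeout, no login timeout) are exactly what the checks flag.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample: the `show line` output from the guide's example,
# reproduced as text so the checks can be run offline.
SAMPLE_SHOW_LINE = """\
Console#show line
Console Configuration:
 Password Threshold : 3 times
 Inactive Timeout   : Disabled
 Login Timeout      : Disabled
 Silent Time        : 30 sec.
 Baud Rate          : 115200
 Data Bits          : 8
 Parity             : None
 Stop Bits          : 1
VTY Configuration:
 Password Threshold : 3 times
 Inactive Timeout   : 600 sec.
 Login Timeout      : 300 sec.
 Silent Time        : 30 sec.
Console#
"""

# Baseline values assumed for this example; they are not defaults from the guide.
MAX_INACTIVE_TIMEOUT = 600     # seconds before an idle session is closed
MAX_PASSWORD_THRESHOLD = 5     # failed logons tolerated before silent time starts
MIN_SILENT_TIME = 30           # seconds the line stays silent after the threshold

SECTION_RE = re.compile(r"^(?P<line>Console|VTY) Configuration:$")
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+?)\s*$")
NUMERIC_RE = re.compile(r"^(\d+)(?:\s*(?:sec\.|times))?$")

Value = Union[int, str, None]


def _coerce(value: str) -> Value:
    """'Disabled' -> None; '600 sec.', '3 times', '115200' -> int; else raw text."""
    if value == "Disabled":
        return None
    m = NUMERIC_RE.match(value)
    return int(m.group(1)) if m else value


def parse_show_line(text: str) -> Dict[str, Dict[str, Value]]:
    """Return {'Console': {...}, 'VTY': {...}} from show line output."""
    result: Dict[str, Dict[str, Value]] = {}
    current: Optional[Dict[str, Value]] = None
    for raw in text.splitlines():
        if (m := SECTION_RE.match(raw.strip())):
            current = result.setdefault(m["line"], {})
        elif current is not None and (m := FIELD_RE.match(raw)):
            current[m["key"]] = _coerce(m["value"])
    return result


def audit_line(name: str, s: Dict[str, Value]) -> List[str]:
    """Compare one line's settings with the baseline above."""
    findings: List[str] = []
    inactive = s.get("Inactive Timeout")
    if inactive is None:
        findings.append(f"{name}: inactive timeout disabled (exec-timeout 0); idle sessions stay open")
    elif inactive > MAX_INACTIVE_TIMEOUT:
        findings.append(f"{name}: inactive timeout {inactive}s exceeds {MAX_INACTIVE_TIMEOUT}s")
    if s.get("Login Timeout") is None:
        findings.append(f"{name}: login timeout disabled; an unattended login prompt never times out")
    thresh = s.get("Password Threshold")
    if thresh is None or thresh > MAX_PASSWORD_THRESHOLD:
        findings.append(f"{name}: password threshold {thresh} tolerates too many failed logons")
    silent = s.get("Silent Time")
    if silent is None or silent < MIN_SILENT_TIME:
        findings.append(f"{name}: silent time {silent}s is below {MIN_SILENT_TIME}s")
    return findings


def audit_show_line(text: str) -> Dict[str, List[str]]:
    """Audit every line section found in the output."""
    return {name: audit_line(name, s) for name, s in parse_show_line(text).items()}


if __name__ == "__main__":
    for line_name, findings in audit_show_line(SAMPLE_SHOW_LINE).items():
        print(line_name, findings or "ok")
```

The corresponding fixes are the line configuration commands documented above: exec-timeout and timeout login response on the console line supply the two timeouts, and password-thresh and silent-time set the lockout behaviour.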
Event Logging
This section describes commands used to configure event logging on the switch.
Table 17: Event Logging Commands
Command            Mode   Function
logging facility   GC     Sets the facility type for remote logging of syslog messages
logging history    GC     Limits syslog messages saved to switch memory based on severity
logging host       GC     Adds a syslog server host IP address that will receive logging messages
logging on         GC     Controls logging of error messages
logging trap       GC     Limits syslog messages saved to a remote server based on severity
clear log          PE     Clears messages from the logging buffer
show log           PE     Displays log messages
show logging       PE     Displays the state of logging
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service. (Range: 16-23)
Default Setting
23
Command Mode
Global Configuration
Command Usage
The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
Example
Console(config)#logging facility 19
Console(config)#
logging history
This command limits syslog messages saved to switch memory based on severity.
The no form returns the logging of syslog messages to the default level.
Syntax
logging history { flash | ram } level
no logging history { flash | ram }
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Table 18: Logging Levels
Level   Severity Name   Description
7       debugging       Debugging messages
6       informational   Informational messages only
5       notifications   Normal but significant condition, such as cold start
4       warnings        Warning conditions (e.g., return false, unexpected return)
3       errors          Error conditions (e.g., invalid input, default used)
2       critical        Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1       alerts          Immediate action needed
0       emergencies     System unusable
Default Setting
Flash: errors (level 3 - 0)
RAM: debugging (level 7 - 0)
Command Mode
Global Configuration
Command Usage
The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.
Example
Console(config)#logging history ram 0
Console(config)#
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
[ no ] logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#
logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
Syntax
[ no ] logging on
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
Example
Console(config)#logging on
Console(config)#
Related Commands: logging history (111), logging trap (113), clear log (114)
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [ level level ]
no logging trap [ level ]
level - One of the syslog severity levels listed in the table on page 111. Messages sent include the selected level through level 0.
Default Setting
Disabled
Level 7
Command Mode
Global Configuration
Command Usage
◆ Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
Example
Console(config)#logging trap 4
Console(config)#
clear log
This command clears messages from the log buffer.
Syntax
clear log [ flash | ram ]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
Flash and RAM
Command Mode
Privileged Exec
Example
Console#clear log
Console#
Related Commands: show log (114)
show log
This command displays the log messages stored in local memory.
Syntax
show log { flash | ram }
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
◆ All log messages are retained in Flash and purged from RAM after a cold restart
(i.e., power is turned off and then on through the power source).
Example
The following example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
Console#
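As an added example that is not part of this guide or the switch software, the Python below parses the three-line entries printed by show log into records, applies the same "selected level down to level 0" rule that logging history, logging trap and logging sendmail level use to decide which entries are kept or forwarded, and marks entries stamped with the factory-default date (00:00:00, Jan. 1, 2001, as described in the Time section of this chapter) as having been logged before the clock was set. The sample text is the output above, in which both entries carry that date; the record and function names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Severity names from Table 18 (logging history command).
SEVERITY = {7: "debugging", 6: "informational", 5: "notifications", 4: "warnings",
            3: "errors", 2: "critical", 1: "alerts", 0: "emergencies"}

# Factory-default clock described in the Time section of this guide:
# 00:00:00, Jan. 1, 2001. Entries stamped on that date were written before
# SNTP or calendar set ran, so their time of day cannot be correlated with
# other systems.
FACTORY_DEFAULT_DATE = date(2001, 1, 1)

# Constructed sample: the `show log ram` output from the guide's example.
SAMPLE_SHOW_LOG = """\
Console#show log ram
[1] 00:01:30 2001-01-01
   "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
   "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
Console#
"""

HEADER_RE = re.compile(r"^\[(?P<idx>\d+)\]\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>\d{4}-\d{2}-\d{2})$")
MESSAGE_RE = re.compile(r'^"(?P<msg>.*)"$')
DETAIL_RE = re.compile(r"^level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),"
                       r"\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)$")


@dataclass
class LogEntry:
    index: int
    timestamp: datetime
    message: str
    level: int
    module: int
    function: int
    event: int

    @property
    def severity(self) -> str:
        return SEVERITY[self.level]

    @property
    def clock_unset(self) -> bool:
        """True when the entry was stamped with the factory-default date."""
        return self.timestamp.date() == FACTORY_DEFAULT_DATE


def parse_show_log(text: str) -> List[LogEntry]:
    """Parse the three-line entries printed by show log into records."""
    entries: List[LogEntry] = []
    pending: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            pending = {"index": int(m["idx"]),
                       "timestamp": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")}
        elif pending is not None and (m := MESSAGE_RE.match(line)):
            pending["message"] = m["msg"]
        elif pending is not None and "message" in pending and (m := DETAIL_RE.match(line)):
            entries.append(LogEntry(**pending, level=int(m["level"]), module=int(m["module"]),
                                    function=int(m["function"]), event=int(m["event"])))
            pending = None
    return entries


def select_by_level(entries: List[LogEntry], threshold: int) -> List[LogEntry]:
    """Apply the rule shared by logging history, logging trap and logging sendmail
    level: a threshold of N keeps levels N down to 0 (lower number = more severe)."""
    if not 0 <= threshold <= 7:
        raise ValueError("level must be 0-7")
    return [e for e in entries if e.level <= threshold]


if __name__ == "__main__":
    for entry in parse_show_log(SAMPLE_SHOW_LOG):
        print(entry.index, entry.timestamp, entry.severity, entry.message,
              "(clock not set)" if entry.clock_unset else "")
    print(len(select_by_level(parse_show_log(SAMPLE_SHOW_LOG), 3)), "entries at errors or worse")
```

Two things fall out of the example: with the flash default of level 3, neither of these informational entries would survive a cold restart, so anything that must be investigated later has to reach a syslog server via logging trap; and a log full of 2001-01-01 timestamps is a sign that sntp client (or calendar set) has not been configured.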
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging { flash | ram | sendmail | trap }
flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
sendmail - Displays settings for the SMTP event handler (page 120).
trap - Displays settings for the trap function.
Default Setting
None
Command Mode
Privileged Exec
Example
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is
“debugging” (i.e., default level 7 - 0).
Console#show logging flash
Syslog logging: Enabled
History logging in FLASH: level errors
Console#show logging ram
Syslog logging: Enabled
History logging in RAM: level debugging
Console#
Table 19: show logging flash/ram - display description
Field                     Description
Syslog logging            Shows if system logging has been enabled via the logging on command.
History logging in FLASH  The message level(s) reported based on the logging history command.
History logging in RAM    The message level(s) reported based on the logging history command.
The following example displays settings for the trap function.
Console#show logging trap
Remote Log Status : Enabled
Remote Log Facility Type : Local use 7
Remote Log Level Type : Debugging messages
Remote Log Server IP Address : 1.2.3.4
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Remote Log Server IP Address : 0.0.0.0
Console#
Table 20: show logging trap - display description
Field                         Description
Remote Log Status             Shows if remote logging has been enabled via the logging trap command.
Remote Log Facility Type      The facility type for remote logging of syslog messages as specified in the logging facility command.
Remote Log Level Type         The severity threshold for syslog messages sent to a remote server as specified in the logging trap command.
Remote Log Server IP Address  The address of syslog servers as specified in the logging host command.
Related Commands: show logging sendmail (120)
SMTP Alerts
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Table 21: Event Logging Commands
Command                             Mode     Function
logging sendmail                    GC       Enables SMTP event handling
logging sendmail host               GC       SMTP servers to receive alert messages
logging sendmail level              GC       Severity threshold used to trigger alert messages
logging sendmail destination-email  GC       Email recipients of alert messages
logging sendmail source-email       GC       Email address used for “From” field of alert messages
show logging sendmail               NE, PE   Displays SMTP event handler settings
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Syntax
[ no ] logging sendmail
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#logging sendmail
Console(config)#
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
Syntax
[ no ] logging sendmail host host [ username username password password auth-basic ]
host - IP address of an SMTP server that will be sent alert messages for event handling.
username - Name of SMTP server user. (Range: 1-64 characters)
password - Password of SMTP server user. (Range: 1-64 characters)
auth-basic - Indicates that Base 64 encoding is used.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
◆ To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command.
If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.)
Example
Console(config)#logging sendmail host 192.168.1.19
Console(config)#
logging sendmail level
This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
Syntax
logging sendmail level level
no logging sendmail level
level - One of the system message levels (page 111). Messages sent include the selected level down to level 0. (Range: 0-7; Default: 7)
Default Setting
Level 7
Command Mode
Global Configuration
Command Usage
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
Example
This example will send email alerts for system errors from level 3 through 0.
Console(config)#logging sendmail level 3
Console(config)#
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Syntax
[ no ] logging sendmail destination-email email-address
email-address - The email address of a recipient of alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email [email protected]
Console(config)#
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
Use the no form to restore the default value.
Syntax
logging sendmail source-email email-address
no logging sendmail source-email
email-address - The source email address used in alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Example
Console(config)#logging sendmail source-email [email protected]
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP destination email addresses
-----------------------------------------------
ted@this-company.com
SMTP Source Email Address: [email protected]
SMTP Status: Enabled
Console#
Time
The system clock can be dynamically set by polling a set of specified time servers
(NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Table 22: Time Commands
Command                    Mode     Function
SNTP Commands
sntp client                GC       Accepts time from specified time servers
sntp poll                  GC       Sets the interval at which the client polls for time
sntp server                GC       Specifies one or more time servers
show sntp                  NE, PE   Shows current SNTP configuration settings
Manual Configuration Commands
clock summer-time          GC       Configures summer time * for the switch’s internal clock
clock timezone             GC       Sets the time zone for the switch’s internal clock
clock timezone-predefined  GC       Sets the time zone for the switch’s internal clock using predefined time zone configurations
calendar set               PE       Sets the system date and time
show calendar              NE, PE   Displays the current date and time setting
* Daylight savings time.
SNTP Commands
sntp client
This command enables SNTP client requests for time synchronization from NTP or
SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
Syntax
[ no ] sntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2002
Poll Interval: 60
Current Mode: unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.80
Console#
Related Commands
sntp server (122), sntp poll (122), show sntp (123)
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests. (Range: 16-16384 seconds)
Default Setting
16 seconds
Command Mode
Global Configuration
Example
Console(config)#sntp poll 60
Console#
Related Commands
sntp client (121)
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ ip1 [ ip2 [ ip3 ]]]
no sntp server [ ip1 [ ip2 [ ip3 ]]]
ip - IP address of a time server (NTP or SNTP). (Range: 1 - 3 addresses)
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console#
Related Commands
sntp client (121), sntp poll (122), show sntp (123)
show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
Example
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#
Manual Configuration Commands
clock summer-time
This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
Syntax
clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [ offset ]
no clock summer-time
name - Name of the time zone while summer time is in effect, usually an acronym. (Range: 1-30 characters)
b-date - Day of the month when summer time will begin. (Range: 1-31)
b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-year - The year summer time will end.
e-hour - The hour summer time will end. (Range: 0-23 hours)
e-minute - The minute summer time will end. (Range: 0-59 minutes)
offset - Summer time offset from the regular time zone, in minutes. (Range: 0-99 minutes)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as
Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone.
Example
Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60
Console(config)#
Related Commands
show sntp (123)
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes { before-utc | after-utc }
name - Name of timezone, usually an acronym. (Range: 1-30 characters)
hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
before-utc - Sets the local time zone before (east) of UTC.
after-utc - Sets the local time zone after (west) of UTC.
Default Setting
None
Command Mode
Global Configuration
Command Usage
This command sets the local time zone relative to the Coordinated Universal Time
(UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Example
Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
Console(config)#
Related Commands
show sntp (123)
clock timezone-predefined
This command uses predefined time zone configurations to set the time zone for the switch’s internal clock. Use the no form to restore the default.
Syntax
clock timezone-predefined offset city
no clock timezone-predefined
offset - Select the offset from GMT. (Range: GMT-0100 - GMT-1200; GMT-Greenwich-Mean-Time; GMT+0100 - GMT+1300)
city - Select the city associated with the chosen GMT offset. After the offset has been entered, use the tab-complete function to display the available city options.
Default Setting
GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London
Command Mode
Global Configuration
Command Usage
This command sets the local time zone relative to the Coordinated Universal Time
(UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Example
Console(config)#clock timezone-predefined GMT-0930-Taiohae
Console(config)#
Related Commands
show sntp (123)
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec { day month year | month day year }
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute. (Range: 0 - 59)
sec - Second. (Range: 0 - 59)
day - Day of month. (Range: 1 - 31)
month - january | february | march | april | may | june | july | august | september | october | november | december
year - Year (4-digit). (Range: 1970-2037)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Note that when SNTP is enabled, the system clock cannot be manually configured.
Example
This example shows how to set the system clock to 15:12:34, February 1st, 2012.
Console#calendar set 15:12:34 1 February 2012
Console#
show calendar
This command displays the system clock.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show calendar
Current Time : Nov 20 13:05:50 2012
Time Zone : GMT-Greenwich-Mean-Time Dublin,Edinburgh,Lisbon,London
Summer Time : Not configured
Summer Time in Effect: No
Console#
Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Table 23: Time Range Commands
Command          Function                                                                 Mode
time-range       Specifies the name of a time range, and enters time range configuration  GC
                 mode
absolute         Sets the time range for the execution of a command                       TR
periodic         Sets the time range for the periodic execution of a command              TR
show time-range  Shows configured time ranges                                             PE
time-range
This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range.
Syntax
[ no ] time-range name
name - Name of the time range. (Range: 1-16 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ This command sets a time range for use by other functions, such as Access Control Lists.
◆ A maximum of seven rules can be configured for a time range.
Example
Console(config)#time-range r&d
Console(config-time-range)#
Related Commands
Access Control Lists (269)
absolute
This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
Syntax
absolute start hour minute day month year [ end hour minute day month year ]
absolute end hour minute day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
day - Day of month. (Range: 1-31)
month - january | february | march | april | may | june | july | august | september | october | november | december
year - Year (4-digit). (Range: 2009-2037)
Default Setting
None
Command Mode
Time Range Configuration
Command Usage
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Example
This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
Console(config-time-range)#
periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Syntax
[ no ] periodic { daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend } hour minute to { daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend | hour minute }
daily - Daily
friday - Friday
monday - Monday
saturday - Saturday
sunday - Sunday
thursday - Thursday
tuesday - Tuesday
wednesday - Wednesday
weekdays - Weekdays
weekend - Weekends
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute. (Range: 0-59)
Default Setting
None
Command Mode
Time Range Configuration
Command Usage
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Example
This example configures a time range for the periodic occurrence of an event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#
show time-range
This command shows configured time ranges.
Syntax
show time-range [ name ]
name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show time-range r&d
Time-range r&d:
absolute start 01:01 01 April 2009
periodic Daily 01:01 to Daily 02:01
periodic Daily 02:01 to Daily 03:01
Console#
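The rule that the absolute and periodic sections both state (a named entry is in effect only when the current time lies inside the absolute window and inside at least one periodic window) is easy to get wrong when an ACL that should close at night keeps matching. The Python below is an added example, not code from this guide or the switch: it parses rule lines in both the form typed in time-range configuration mode and the form printed by show time-range, enforces the seven-rule limit, and evaluates whether the entry is in effect at a given time. Two details are assumptions of this example rather than documented behaviour: the absolute rule is counted toward the seven-rule limit, and a periodic window whose end time is not after its start is taken to run past midnight.

```python
from dataclasses import dataclass, field
from datetime import datetime

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Day keywords from the periodic syntax, as sets of datetime.weekday() values.
DAY_SETS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}
MAX_RULES = 7   # guide: at most seven rules per time range


@dataclass
class Periodic:
    start_day: str
    start_min: int   # minutes after midnight
    end_day: str
    end_min: int


def _take_time(tokens, i):
    """Reads 'hour minute' (config form) or 'HH:MM' (show form) at tokens[i]."""
    if ":" in tokens[i]:
        h, m = map(int, tokens[i].split(":"))
        return h * 60 + m, i + 1
    return int(tokens[i]) * 60 + int(tokens[i + 1]), i + 2


def _take_datetime(tokens, i):
    """Reads a time followed by 'day month year' starting at tokens[i]."""
    minutes, i = _take_time(tokens, i)
    day, month, year = int(tokens[i]), MONTHS.index(tokens[i + 1]) + 1, int(tokens[i + 2])
    return datetime(year, month, day, minutes // 60, minutes % 60), i + 3


def _parse_absolute(tokens):
    start = end = None
    i = 0
    while i < len(tokens):
        key = tokens[i]
        when, i = _take_datetime(tokens, i + 1)
        if key == "start":
            start = when
        elif key == "end":
            end = when
        else:
            raise ValueError(f"unexpected token {key!r} in absolute rule")
    return start, end


def _parse_periodic(tokens):
    start_day = tokens[0]
    if start_day not in DAY_SETS:
        raise ValueError(f"unknown day keyword {start_day!r}")
    start_min, i = _take_time(tokens, 1)
    if tokens[i] != "to":
        raise ValueError("expected 'to' in periodic rule")
    i += 1
    end_day = start_day
    if tokens[i] in DAY_SETS:
        end_day, i = tokens[i], i + 1
    end_min, _ = _take_time(tokens, i)
    if end_day != start_day and (len(DAY_SETS[start_day]) != 1 or len(DAY_SETS[end_day]) != 1):
        raise ValueError("a window spanning days must name a single weekday at each end")
    return Periodic(start_day, start_min, end_day, end_min)


def _periodic_matches(rule, now):
    wd, mod = now.weekday(), now.hour * 60 + now.minute
    if rule.end_day == rule.start_day:
        days = DAY_SETS[rule.start_day]
        if rule.end_min > rule.start_min:
            return wd in days and rule.start_min <= mod < rule.end_min
        # Assumption: an end at or before the start runs past midnight.
        return (wd in days and mod >= rule.start_min) or ((wd - 1) % 7 in days and mod < rule.end_min)
    # Window from one weekday to another, measured in minutes of the week.
    s = next(iter(DAY_SETS[rule.start_day])) * 1440 + rule.start_min
    e = next(iter(DAY_SETS[rule.end_day])) * 1440 + rule.end_min
    cur = wd * 1440 + mod
    return s <= cur < e if s < e else (cur >= s or cur < e)


@dataclass
class TimeRange:
    name: str
    absolute_start: datetime = None
    absolute_end: datetime = None
    periodic: list = field(default_factory=list)

    def rule_count(self):
        # Assumption: the absolute rule counts toward the seven-rule limit.
        has_abs = self.absolute_start is not None or self.absolute_end is not None
        return len(self.periodic) + (1 if has_abs else 0)

    def add(self, line):
        """Accepts one 'absolute ...' or 'periodic ...' line in either form."""
        if self.rule_count() >= MAX_RULES:
            raise ValueError(f"time range {self.name}: limit of {MAX_RULES} rules reached")
        tokens = line.lower().split()
        if tokens[0] == "absolute":
            self.absolute_start, self.absolute_end = _parse_absolute(tokens[1:])
        elif tokens[0] == "periodic":
            self.periodic.append(_parse_periodic(tokens[1:]))
        else:
            raise ValueError(f"not a time-range rule: {line!r}")

    def try_add(self, line):
        """Like add(), but reports rejection instead of raising."""
        try:
            self.add(line)
            return True
        except ValueError:
            return False

    def in_effect(self, now):
        """True when the entry is active at 'now' (a datetime or ISO 8601 string)."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        has_abs = self.absolute_start is not None or self.absolute_end is not None
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now >= self.absolute_end:
            return False
        if not self.periodic:
            return has_abs
        return any(_periodic_matches(r, now) for r in self.periodic)
```

The three rules from the show time-range example above (absolute start 01:01 1 April 2009, two daily windows) make a range that is active at 01:30 on 1 April 2009, but not at 02:30 the same day once the absolute end has passed, even though the second periodic window still matches; that is exactly the interaction the Command Usage bullets describe.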
Switch Clustering
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
Table 24: Switch Cluster Commands
Command                  Function                                            Mode
cluster                  Configures clustering on the switch                 GC
cluster commander        Configures the switch as a cluster Commander        GC
cluster ip-pool          Sets the cluster IP address pool for Members        GC
cluster member           Sets Candidate switches as cluster members          GC
rcommand                 Provides configuration access to Member switches    PE
show cluster             Displays the switch clustering status               PE
show cluster members     Displays current cluster Members                    PE
show cluster candidates  Displays current cluster Candidates in the network  PE
Using Switch Clustering
◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster. The management station can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ The cluster VLAN 4093 is not configured by default. Before using clustering, take the following actions to set up this VLAN:
1. Create VLAN 4093 (see “Editing VLAN Groups” on page 399).
2. Add the participating ports to this VLAN (see “Configuring VLAN Interfaces” on page 401), and set them to hybrid mode, tagged members, PVID = 1, and acceptable frame type = all.
Note: Cluster Member switches can be managed either through a Telnet connection to the Commander, or through a web management connection to the Commander. When using a console connection, from the Commander CLI prompt, use the rcommand to connect to the Member switch.
cluster
This command enables clustering on the switch. Use the no form to disable clustering.
Syntax
[ no ] cluster
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
◆ Switch clusters are limited to the same Ethernet broadcast domain.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ A switch can only be a Member of one cluster.
◆ Configured switch clusters are maintained across power resets and network changes.
Example
Console(config)#cluster
Console(config)#
cluster commander
This command enables the switch as a cluster Commander. Use the no form to disable the switch as cluster Commander.
Syntax
[ no ] cluster commander
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ Cluster Member switches can be managed through a Telnet connection to the
Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch.
Example
Console(config)#cluster commander
Console(config)#
cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
Syntax
cluster ip-pool ip-address
no cluster ip-pool
ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x.
Default Setting
10.254.254.1
Command Mode
Global Configuration
Command Usage
◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster. Internal cluster IP addresses are in the form 10.x.x.member-ID. Only the base IP address of the pool needs to be set since Member IDs can only be between 1 and 36.
◆ Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander.
◆ You cannot change the cluster IP pool when the switch is currently in Commander mode. Commander mode must first be disabled.
Example
Console(config)#cluster ip-pool 10.2.3.4
Console(config)#
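The Command Usage above asks for a pool that does not collide with addresses already in use, but the switch does not check that for you. The Python below is an added example, not code from this guide or the switch: it expands a pool base into the 36 Member addresses, enforces the 10.x.x.x requirement, and reports which subnets from an inventory would overlap. The mapping it uses (Member N receives base + N) is an assumption inferred from the show cluster members example later in this section, where Member 1 holds 10.254.254.2 under the default pool 10.254.254.1; the subnet inventory is constructed for the example.

```python
import ipaddress

MAX_MEMBERS = 36                                       # guide: Member IDs are 1-36
CLUSTER_PREFIX = ipaddress.ip_network("10.0.0.0/8")    # guide: pool must start 10.x.x.x


def member_addresses(base: str) -> dict:
    """Maps each possible Member ID to the internal address it would receive.
    Assumption: Member N = base + N (matches the show cluster members example)."""
    base_ip = ipaddress.ip_address(base)
    if base_ip.version != 4 or base_ip not in CLUSTER_PREFIX:
        raise ValueError(f"{base}: cluster IP pool must be a 10.x.x.x address")
    addrs = {n: base_ip + n for n in range(1, MAX_MEMBERS + 1)}
    if addrs[MAX_MEMBERS] not in CLUSTER_PREFIX:
        raise ValueError(f"{base}: pool runs past the end of 10.0.0.0/8")
    return {n: str(a) for n, a in addrs.items()}


def is_valid_pool_base(base: str) -> bool:
    """True when the base satisfies the constraints checked in member_addresses()."""
    try:
        member_addresses(base)
        return True
    except ValueError:
        return False


def pool_conflicts(base: str, subnets) -> list:
    """Returns the inventory subnets that overlap any address the pool would
    hand out; run this before 'cluster ip-pool' so the Members' internal
    addresses never shadow hosts in the production network."""
    pool = [ipaddress.ip_address(a) for a in member_addresses(base).values()]
    hits = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=False)
        if net.version == 4 and any(a in net for a in pool):
            hits.append(s)
    return hits


# Constructed inventory of in-use subnets for this example; not from the guide.
SAMPLE_SUBNETS = ["10.2.3.0/24", "10.1.0.0/16", "192.168.1.0/24"]

if __name__ == "__main__":
    print(member_addresses("10.254.254.1")[1])            # 10.254.254.2
    print(pool_conflicts("10.2.3.4", SAMPLE_SUBNETS))      # ['10.2.3.0/24']
    print(pool_conflicts("10.254.254.1", SAMPLE_SUBNETS))  # []
```

With the constructed inventory, the pool from the example above (10.2.3.4) collides with 10.2.3.0/24, while the default 10.254.254.1 is clear; the base must be changed with Commander mode disabled, as the last Command Usage bullet notes.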
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
Syntax
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch. (Range: 1-36)
Default Setting
No Members
Command Mode
Global Configuration
Command Usage
◆ The maximum number of cluster Members is 36.
◆ The maximum number of cluster Candidates is 100.
Example
Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5
Console(config)#
rcommand
This command provides access to a cluster Member CLI for configuration.
Syntax
rcommand id member-id
member-id - The ID number of the Member switch. (Range: 1-36)
Command Mode
Privileged Exec
Command Usage
◆ This command only operates through a Telnet connection to the Commander switch. Managing cluster Members using the local console CLI on the Commander is not supported.
◆ There is no need to enter the username and password for access to the Member switch CLI.
Example
Console#rcommand id 1
CLI session with the EX-3524 is opened.
To end the CLI session, enter [Exit].
Vty-0##
show cluster
This command shows the switch clustering configuration.
Command Mode
Privileged Exec
Example
Console#show cluster
Role : commander
Interval Heartbeat : 30
Heartbeat Loss Count : 3 seconds
Number of Members : 1
Number of Candidates : 2
Console#
show cluster members
This command shows the current switch cluster members.
Command Mode
Privileged Exec
Example
Console#show cluster members
Cluster Members:
ID : 1
Role : Active member
IP Address : 10.254.254.2
MAC Address : 00-E0-0C-00-00-FE
Description : EX-3524 Managed POE/POE+ Switch
Console#
show cluster candidates
This command shows the discovered Candidate switches in the network.
Command Mode
Privileged Exec
Example
Console#show cluster candidates
Cluster Candidates:
Role MAC Address Description
--------------- ----------------- ----------------------------------------
Active member 00-E0-0C-00-00-FE EX-3524 Managed POE/POE+ Switch
CANDIDATE 00-12-CF-0B-47-A0 EX-3524 Managed POE/POE+ Switch
Console#
5 SNMP Commands
SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers.
SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree. To use SNMPv3, first set an SNMP engine ID (or accept the default), specify read and write access views for the MIB tree, configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy), and then assign SNMP users to these groups, along with their specific authentication and privacy passwords.
Table 25: SNMP Commands
Command                        Function                                                        Mode
General SNMP Commands
snmp-server                    Enables the SNMP agent                                          GC
snmp-server community          Sets up the community access string to permit access to SNMP    GC
                               commands
snmp-server contact            Sets the system contact string                                  GC
snmp-server location           Sets the system location string                                 GC
show snmp                      Displays the status of SNMP communications                      NE, PE
SNMP Target Host Commands
snmp-server enable traps       Enables the device to send SNMP traps (i.e., SNMP notifications) GC
snmp-server host               Specifies the recipient of an SNMP notification operation       GC
SNMPv3 Engine Commands
snmp-server engine-id          Sets the SNMP engine ID                                         GC
snmp-server group              Adds an SNMP group, mapping users to views                      GC
snmp-server user               Adds a user to an SNMP group                                    GC
snmp-server view               Adds an SNMP view                                               GC
show snmp engine-id            Shows the SNMP engine ID                                        PE
show snmp group                Shows the SNMP groups                                           PE
show snmp user                 Shows the SNMP users                                            PE
show snmp view                 Shows the SNMP views                                            PE
Notification Log Commands
nlm                            Enables the specified notification log                          GC
snmp-server notify-filter      Creates a notification log and specifies the target host        GC
show nlm oper-status           Shows operation status of configured notification logs          PE
show snmp notify-filter        Displays the configured notification logs                       PE
ATC Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear
                               Sends a trap when broadcast traffic falls beneath the lower     IC (Port)
                               threshold after a storm control response has been triggered
snmp-server enable port-traps atc broadcast-alarm-fire
                               Sends a trap when broadcast traffic exceeds the upper threshold IC (Port)
                               for automatic storm control
snmp-server enable port-traps atc broadcast-control-apply
                               Sends a trap when broadcast traffic exceeds the upper threshold IC (Port)
                               for automatic storm control and the apply timer expires
snmp-server enable port-traps atc broadcast-control-release
                               Sends a trap when broadcast traffic falls beneath the lower     IC (Port)
                               threshold after a storm control response has been triggered
                               and the release timer expires
snmp-server enable port-traps atc multicast-alarm-clear
                               Sends a trap when multicast traffic falls beneath the lower     IC (Port)
                               threshold after a storm control response has been triggered
snmp-server enable port-traps atc multicast-alarm-fire
                               Sends a trap when multicast traffic exceeds the upper threshold IC (Port)
                               for automatic storm control
snmp-server enable port-traps atc multicast-control-apply
                               Sends a trap when multicast traffic exceeds the upper threshold IC (Port)
                               for automatic storm control and the apply timer expires
snmp-server enable port-traps atc multicast-control-release
                               Sends a trap when multicast traffic falls beneath the lower     IC (Port)
                               threshold after a storm control response has been triggered
                               and the release timer expires
General SNMP Commands
snmp-server
This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3). Use the no form to disable the server.
Syntax
[ no ] snmp-server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#snmp-server
Console(config)#
snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
Syntax
snmp-server community string [ ro | rw ]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5)
ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Default Setting
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Command Mode
Global Configuration
Example
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server contact Paul
Console(config)#
Related Commands
snmp-server location (140)
snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (139)
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Example
Console#show snmp
SNMP Agent : Enabled
SNMP Traps :
Authentication : Enabled
Link-up-down : Enabled
SNMP Communities :
1. public, and the access level is read-only
2. private, and the access level is read/write
0 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 SNMP packets output
0 Too big errors
0 No such name errors
0 Bad values errors
0 General errors
0 Response PDUs
0 Trap PDUs
SNMP Logging: Disabled
Console#
SNMP Target Host Commands
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
Syntax
[ no ] snmp-server enable traps [ authentication | link-up-down ]
authentication - Keyword to issue authentication failure notifications.
link-up-down - Keyword to issue link-up or link-down notifications.
Default Setting
Issue authentication and link-up-down traps.
Command Mode
Global Configuration
Command Usage
◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
Example
Console(config)#snmp-server enable traps link-up-down
Console(config)#
Related Commands
snmp-server host (142)
snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [ inform [ retry retries | timeout seconds ]] community-string [ version { 1 | 2c | 3 { auth | noauth | priv } [ udp-port port ]} ]
no snmp-server host host-addr
host-addr - Internet address of the host (the targeted recipient). (Maximum host addresses: 5 trap destination IP address entries)
inform - Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used)
retries - The maximum number of times to resend an inform message if the recipient does not acknowledge receipt. (Range: 0-255; Default: 3)
seconds - The number of seconds to wait for an acknowledgment before resending an inform message. (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds)
community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the snmp-server host command. (Maximum length: 32 characters)
version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the System Reference Guide for further information about these authentication and encryption options.
port - Host UDP port to use. (Range: 1-65535; Default: 162)
Default Setting
Host Address: None
Notification Type: Traps
SNMP Version: 1
UDP Port: 162
Command Mode
Global Configuration
Command Usage
◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
◆ Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled.
◆ Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic. You should consider these effects when deciding whether to issue notifications as traps or informs.
To send an inform to an SNMPv2c host, complete these steps:
1. Enable the SNMP agent (page 138).
2. Create a view with the required notification messages (page 148).
3. Create a group that includes the required notify view (page 146).
4. Allow the switch to send SNMP traps; i.e., notifications (page 141).
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 138).
2. Create a remote SNMPv3 user to use in the message exchange process (page 147).
3. Create a view with the required notification messages (page 148).
4. Create a group that includes the required notify view (page 146).
5. Allow the switch to send SNMP traps; i.e., notifications (page 141).
6. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
◆ The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports. If the snmp-server host command does not specify the SNMP version, the default is to send SNMP version 1 notifications.
◆ If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. The user name must first be defined with the snmp-server user command. Otherwise, an SNMPv3 group will be automatically created by the snmp-server host command using the name of the specified community string, and default settings for the read, write, and notify view.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#
Related Commands
snmp-server enable traps (141)
SNMPv3 Commands
snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Syntax
snmp-server engine-id { local | remote { ip-address }} engineid-string
no snmp-server engine-id { local | remote { ip-address }}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
engineid-string - String identifying the engine ID. (Range: 9-64 hexadecimal characters)
Default Setting
A unique engine ID is automatically generated by the switch based on its MAC address.
Command Mode
Global Configuration
Command Usage
◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
◆ A remote engine ID is required when using SNMPv3 informs. (See the snmp-server host command.) The remote engine ID is used to compute the security digest for authentication and encryption of packets passed between the switch and a user on the remote host. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 147).
Example
Console(config)#snmp-server engine-id local 1234567890
Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210
Console(config)#
Related Commands
snmp-server host (142)
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname { v1 | v2c | v3 { auth | noauth | priv }} [ read readview ] [ write writeview ] [ notify notifyview ]
no snmp-server group groupname
groupname - Name of an SNMP group. (Range: 1-32 characters)
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the System Reference Guide for further information about these authentication and encryption options.
readview - Defines the view for read access. (1-32 characters)
writeview - Defines the view for write access. (1-32 characters)
notifyview - Defines the view for notifications. (1-32 characters)
Default Setting
Default groups: public [1] (read only), private [2] (read/write)
readview - Every object belonging to the Internet OID space (1).
writeview - Nothing is defined.
notifyview - Nothing is defined.
[1] No view is defined.
[2] Maps to the defaultview.
Command Mode
Global Configuration
Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.
◆ For additional information on the notification messages supported by this switch, see the table for “Supported Notification Messages” in the System Reference Guide. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
Example
Console(config)#snmp-server group r&d v3 auth write daily
Console(config)#
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname [ remote ip-address ] { v1 | v2c | v3 [ encrypted ] [ auth { md5 | sha } auth-password [ priv des56 priv-password ]] }
no snmp-server user username { v1 | v2c | v3 | remote }
username - Name of user connecting to the SNMP agent. (Range: 1-32 characters)
groupname - Name of an SNMP group to which the user is assigned. (Range: 1-32 characters)
remote - Specifies an SNMP engine on a remote device.
ip-address - The Internet address of the remote device.
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
encrypted - Accepts the password as encrypted input.
auth - Uses SNMPv3 with authentication.
md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters)
priv des56 - Uses SNMPv3 with privacy with DES56 encryption.
priv-password - Privacy password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
◆ The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
◆ Before you configure a remote user, use the snmp-server engine-id command to specify the engine ID for the remote device where the user resides. Then use the snmp-server user command to specify the user and the IP address for the remote device where the user resides. The remote agent’s SNMP engine ID is used to compute authentication/privacy digests from the user’s password. If the remote engine ID is not first configured, the snmp-server user command specifying a remote user will fail.
◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
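The localization described in the snmp-server engine-id usage notes and in the bullets above is the RFC 3414 password-to-key procedure. The following Python is an added example, not code from this guide or from the switch firmware: it derives localized keys with hashlib, using the local and remote engine IDs shown in this guide's show snmp engine-id output and the sample authentication password from the snmp-server user example, to show that one password yields a different key for each engine. That is why a remote user cannot be created before the remote engine ID is configured, and why changing the local engine ID invalidates every existing user.

```python
"""RFC 3414 password-to-key localization, as described for snmp-server engine-id
and snmp-server user: a user's authentication/privacy password is turned into a
key that is bound to one specific SNMP engine ID."""
import hashlib

# Engine IDs taken from the guide's "show snmp engine-id" output.
LOCAL_ENGINE_ID = bytes.fromhex("8000002a8000000000e8666672")
REMOTE_ENGINE_ID = bytes.fromhex("80000000030004e2b316c54321")

# RFC 3414 A.2 expands the password to 1 MiB (1048576 octets) before hashing.
_EXPANSION_LEN = 1024 * 1024


def password_to_ku(password: str, hash_name: str) -> bytes:
    """Step 1 of RFC 3414 A.2: Ku = H(password repeated to 1 MiB)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    repeats = _EXPANSION_LEN // len(pw) + 1
    expanded = (pw * repeats)[:_EXPANSION_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku).

    The result is only valid for the engine whose ID was mixed in, which is
    what the guide means by passwords being "localized" to the authoritative
    engine (the remote agent in the case of informs)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SNMP engine IDs are 5 to 32 octets")
    ku = password_to_ku(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_hex(password: str, engine_id_hex: str, hash_name: str = "md5") -> str:
    """Convenience wrapper taking the engine ID as the hex string the CLI shows."""
    return localize_key(password, bytes.fromhex(engine_id_hex), hash_name).hex()


if __name__ == "__main__":
    # Same password, two engines, two different keys: the key the switch keeps
    # for a local user is useless for authenticating to the remote inform receiver.
    pw = "greenpeace"  # sample auth password from the snmp-server user example
    print("local  md5 key:", localize_key(pw, LOCAL_ENGINE_ID).hex())
    print("remote md5 key:", localize_key(pw, REMOTE_ENGINE_ID).hex())
    print("remote sha key:", localize_key(pw, REMOTE_ENGINE_ID, "sha1").hex())
```

A practitioner checking an implementation like this would compare it against the RFC 3414 Appendix A test vectors (password "maplesyrup", 12-octet engine ID ending in 02), which is what the accompanying test does.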
Example
Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
Console(config)#
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree { included | excluded }
no snmp-server view view-name
view-name - Name of an SNMP view. (Range: 1-32 characters)
oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
included - Defines an included view.
excluded - Defines an excluded view.
Default Setting
defaultview (includes access to the entire MIB tree)
Command Mode
Global Configuration
Command Usage
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
◆ The predefined view “defaultview” includes access to the entire MIB tree.
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#
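The examples above define included subtrees and a wildcard mask. The following Python is an added example, not code from this guide or from the switch: it evaluates whether an OID is visible under a view the way these entries describe, using the guide's mib-2 and ifEntry.a views plus one constructed view (no-macs) that excludes the ifPhysAddress column, 1.3.6.1.2.1.2.2.1.6, which the guide does not contain. Where several entries match an OID, the deepest subtree wins; that precedence is taken from RFC 3415 and is an assumption about this switch, since the guide does not state a tie-breaking rule.

```python
"""Evaluating SNMP view access as snmp-server view entries describe it: each
entry is an OID subtree (with optional '*' wildcards) marked included or
excluded, and an OID is visible only if the best matching entry is included."""
from typing import List, Optional, Tuple

ViewEntry = Tuple[str, str]  # (oid-tree, "included" | "excluded")

# Views from the guide's examples, plus one constructed view ("no-macs") that is
# not part of the guide: it opens MIB-2 but hides the ifPhysAddress column.
VIEWS = {
    "mib-2": [("1.3.6.1.2.1", "included")],
    "ifEntry.a": [("1.3.6.1.2.1.2.2.1.1.*", "included")],
    "no-macs": [("1.3.6.1.2.1", "included"),
                ("1.3.6.1.2.1.2.2.1.6", "excluded")],   # constructed entry
}


def parse_oid(oid: str) -> List[str]:
    """Split a dotted OID into components, allowing '*' as a wildcard."""
    parts = oid.strip(".").split(".")
    for p in parts:
        if p != "*" and not p.isdigit():
            raise ValueError(f"bad OID component {p!r} in {oid}")
    return parts


def subtree_matches(subtree: str, oid: str) -> bool:
    """True if oid lies under subtree; a '*' in the subtree masks that position."""
    s, o = parse_oid(subtree), parse_oid(oid)
    if len(o) < len(s):
        return False
    return all(a == "*" or a == b for a, b in zip(s, o))


def view_access(entries: List[ViewEntry], oid: str) -> Optional[str]:
    """Return 'included', 'excluded', or None when no entry covers the OID
    (the agent treats an uncovered OID as not visible). When several entries
    match, the one with the most components wins; this is the RFC 3415 rule
    and is assumed to apply to this switch."""
    best = None
    for subtree, kind in entries:
        if subtree_matches(subtree, oid):
            depth = len(parse_oid(subtree))
            if best is None or depth > best[0]:
                best = (depth, kind)
    return best[1] if best else None


def is_visible(view_name: str, oid: str) -> bool:
    """True if a user bound to view_name may see the given OID instance."""
    return view_access(VIEWS[view_name], oid) == "included"


if __name__ == "__main__":
    checks = [("mib-2", "1.3.6.1.2.1.1.1.0"),         # sysDescr.0
              ("ifEntry.a", "1.3.6.1.2.1.2.2.1.1.7"),  # ifIndex.7, matched by the mask
              ("ifEntry.a", "1.3.6.1.2.1.2.2.1.2.7"),  # ifDescr.7, a different column
              ("no-macs", "1.3.6.1.2.1.2.2.1.6.7"),    # ifPhysAddress.7, excluded
              ("mib-2", "1.3.6.1.4.1")]                # enterprises, outside the view
    for view, oid in checks:
        print(f"{view:10} {oid:26} -> {is_visible(view, oid)}")
```

Note that the wildcard matches exactly one component, so the ifEntry.a mask admits every index of the ifIndex column but nothing from the neighbouring columns.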
show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP EngineID: 8000002a8000000000e8666672
Local SNMP EngineBoots: 1
Remote SNMP EngineID IP address
80000000030004e2b316c54321 192.168.1.19
Console#
Table 26: show snmp engine-id - display description
Field                   Description
----------------------- ------------------------------------------------------------------------------------
Local SNMP engineID     String identifying the engine ID.
Local SNMP engineBoots  The number of times that the engine has (re-)initialized since the snmpEngineID was last configured.
Remote SNMP engineID    String identifying an engine ID on a remote device.
IP address              IP address of the device containing the corresponding remote SNMP engine.
show snmp group
This command shows information on SNMP groups. Four default groups are provided: SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Command Mode
Privileged Exec
Example
Console#show snmp group
Group Name: r&d
Security Model: v3
Read View: defaultview
Write View: daily
Notify View: none
Storage Type: permanent
Row Status: active
Group Name: public
Security Model: v1
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 27: show snmp group - display description
Field           Description
--------------- ----------------------------------
Group Name      Name of an SNMP group.
Security Model  The SNMP version.
Read View       The associated read view.
Write View      The associated write view.
Notify View     The associated notify view.
Storage Type    The storage type for this entry.
Row Status      The row status of this entry.
show snmp user
This command shows information on SNMP users.
Command Mode
Privileged Exec
Example
Console#show snmp user
EngineId: 800000ca030030f1df9ca00000
User Name: steve
Authentication Protocol: md5
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
SNMP remote user
EngineId: 80000000030004e2b316c54321
User Name: mark
Authentication Protocol: mdt
Privacy Protocol: des56
Storage Type: nonvolatile
Row Status: active
Console#
Table 28: show snmp user - display description
Field                    Description
------------------------ ----------------------------------------------------------
EngineId                 String identifying the engine ID.
User Name                Name of user connecting to the SNMP agent.
Authentication Protocol  The authentication protocol used with SNMPv3.
Privacy Protocol         The privacy protocol used with SNMPv3.
Storage Type             The storage type for this entry.
Row Status               The row status of this entry.
SNMP remote user         A user associated with an SNMP engine on a remote device.
show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.1
View Type: included
Storage Type: permanent
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 29: show snmp view - display description
Field         Description
------------- --------------------------------------------
View Name     Name of an SNMP view.
Subtree OID   A branch in the MIB tree.
View Type     Indicates if the view is included or excluded.
Storage Type  The storage type for this entry.
Row Status    The row status of this entry.
Notification Log Commands
nlm
This command enables or disables the specified notification log.
Syntax
[ no ] nlm filter-name
filter-name - Notification log name. (Range: 1-64 characters)
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored in the notification log.
Example
This example enables the notification logs A1 and A2.
Console(config)#nlm A1
Console(config)#nlm A2
Console(config)#
snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.
Syntax
[ no ] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name. (Range: 1-32 characters)
ip-address - The Internet address of a remote device. The specified target host must already have been configured using the snmp-server host command.
Note: The notification log is stored locally. It is not sent to a remote device. This remote host parameter is only required to complete mandatory fields in the SNMP Notification MIB.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether those are Traps or Informs that exceed retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
◆ If notification logging is not configured and enabled, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged.
◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014). Notification logging is enabled by default (see the nlm command), but will not start recording information until a logging profile specified with this command is enabled with the nlm command.
◆ Based on the default settings used in RFC 3014, a notification log can contain up to 256 entries, and the entry aging time is 1440 minutes. Information recorded in a notification log, and the entry aging time can only be configured using SNMP from a network management station.
◆ When a trap host is created with the snmp-server host command, a default notify filter will be created as shown in the example under the show snmp notify-filter command.
Example
This example first creates an entry for a remote host, and then instructs the switch to record this device as the remote host for the specified notification log.
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server notify-filter A1 remote 10.1.19.23
Console(config)#
show nlm oper-status
This command shows the operational status of configured notification logs.
Command Mode
Privileged Exec
Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Filter Name: A2
Oper-Status: Operational
Console#
show snmp notify-filter
This command displays the configured notification logs.
Command Mode
Privileged Exec
Example
This example displays the configured notification logs and associated target hosts.
Note that the last entry is a default filter created when a trap host is initially created.
Console#show snmp notify-filter
Filter profile name IP address
---------------------------- ----------------
A1 10.1.19.23
A2 10.1.19.22
traphost.1.1.1.1.private 1.1.1.1
Console#
6
Remote Monitoring Commands
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance. If an event is triggered, it can automatically notify the network administrator of a failure and provide historical information about the event. If it cannot connect to the management agent, it will continue to perform any specified tasks and pass data back to the management station the next time it is contacted.
This switch supports mini-RMON, which consists of the Statistics, History, Event and Alarm groups. When RMON is enabled, the system gradually builds up information about its physical interfaces, storing this information in the relevant RMON database group. A management agent then periodically communicates with the switch using the SNMP protocol. However, if the switch encounters a critical event, it can automatically send a trap message to the management agent which can then respond to the event if so configured.
Table 30: RMON Commands
Command                  Function                                         Mode
------------------------ ------------------------------------------------ ----
rmon alarm               Sets threshold bounds for a monitored variable   GC
rmon event               Creates a response event for an alarm            GC
rmon collection history  Periodically samples statistics                  IC
rmon collection rmon1    Enables statistics collection                    IC
show rmon alarms         Shows the settings for all configured alarms     PE
show rmon events         Shows the settings for all configured events     PE
show rmon history        Shows the sampling parameters for each entry     PE
show rmon statistics     Shows the collected statistics                   PE
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax
rmon alarm index variable interval { absolute | delta } rising-threshold threshold [ event-index ] falling-threshold threshold [ event-index ] [ owner name ]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled. Note that etherStatsEntry.n uniquely defines the MIB variable, and etherStatsEntry.n.n defines the MIB variable, plus the etherStatsIndex. For example, 1.3.6.1.2.1.16.1.1.1.6.1 denotes etherStatsBroadcastPkts, plus the etherStatsIndex of 1.
interval – The polling interval. (Range: 1-31622400 seconds)
absolute – The variable is compared directly to the thresholds at the end of the sampling period.
delta – The last sample is subtracted from the current value and the difference is then compared to the thresholds.
threshold – An alarm threshold for the sampled variable. (Range: 0-2147483647)
event-index – The index of the event to use if an alarm is triggered. If there is no corresponding entry in the event control table, then no event will be generated. (Range: 0-65535)
name – Name of the person who created this entry. (Range: 1-127 characters)
Default Setting
1.3.6.1.2.1.16.1.1.1.6.1 - 1.3.6.1.2.1.16.1.1.1.6.28/52
Taking delta samples every 30 seconds,
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
Command Mode
Global Configuration
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ If the current value is greater than or equal to the rising threshold, and the last sample value was less than this threshold, then an alarm will be generated. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
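The hysteresis in the two bullets above is easy to get wrong when building detection logic around RMON alarms, so the following Python model is added here; it is not code from this guide or from the switch. It replays polled values through the rising/falling rules as stated, in both absolute and delta sampling modes. The thresholds (rising 100, falling 30, delta sampling, event index 1) are those of the rmon alarm example that follows; the counter values are constructed. Startup behaviour, with both directions armed before the first comparable value, is an assumption, since the guide only describes steady-state behaviour.

```python
"""Model of the rmon alarm rising/falling hysteresis: an alarm fires when a
sample crosses a threshold, then stays quiet in that direction until the
opposite threshold has been reached."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "delta"   # "absolute" or "delta", as in the CLI keywords
    rising_event: int = 0        # event-index invoked on a rising alarm (0 = none)
    falling_event: int = 0       # event-index invoked on a falling alarm (0 = none)
    # Internal state; startup with both directions armed is an assumption.
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled value; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # first poll only seeds the delta
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        if value >= self.rising_threshold and self._rising_armed:
            # Rising fired: disarm rising until the falling threshold is reached,
            # and (re-)arm falling.
            self._rising_armed, self._falling_armed = False, True
            return "rising"
        if value <= self.falling_threshold and self._falling_armed:
            # Falling fired: disarm falling until the rising threshold is reached.
            self._rising_armed, self._falling_armed = True, False
            return "falling"
        return None


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[str]:
    """Return the sequence of events the alarm would generate for these samples."""
    events = []
    for s in samples:
        ev = alarm.sample(s)
        if ev is not None:
            events.append(ev)
    return events


if __name__ == "__main__":
    # Thresholds from the guide's rmon alarm example: rising 100, falling 30,
    # delta sampling, event 1 for both. The etherStatsBroadcastPkts counter
    # readings below are constructed (one reading per poll).
    counters = [1000, 1200, 1230, 1240, 1250, 1400]
    print(run_alarm(RmonAlarm(100, 30, "delta", 1, 1), counters))
    # A value that drops below the rising threshold but never reaches the
    # falling threshold does not re-arm the rising alarm:
    print(run_alarm(RmonAlarm(100, 30, "absolute"), [50, 120, 80, 120]))
```

The second run is the case the bullets call out: 120, 80, 120 produces a single rising event, because 80 never reached the falling threshold of 30.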
Example
Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 15 delta rising-threshold 100 1 falling-threshold 30 1 owner mike
Console(config)#
rmon event
This command creates a response event for an alarm. Use the no form to remove an event.
Syntax
rmon event index [ log ] | [ trap community ] | [ description string ] | [ owner name ]
no rmon event index
index – Index to this entry. (Range: 1-65535)
log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see “Event Logging” on page 110).
trap – Sends a trap message to all configured trap managers (see “snmp-server host” on page 142).
community – A password-like community string sent with the trap operation to SNMP v1 and v2c hosts. Although this string can be set using the rmon event command by itself, it is recommended that the string be defined using the snmp-server community command (page 139) prior to using the rmon event command. (Range: 1-127 characters)
string – A comment that describes this event. (Range: 1-127 characters)
name – Name of the person who created this entry. (Range: 1-127 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Example
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#
rmon collection history
This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
Syntax
rmon collection history controlEntry index [ buckets number [ interval seconds ]] | [ interval seconds ] | [ owner name [ buckets number [ interval seconds ]]]
no rmon collection history controlEntry index
index – Index to this entry. (Range: 1-65535)
number – The number of buckets requested for this entry. (Range: 1-65536)
seconds – The polling interval. (Range: 1-3600 seconds)
name – Name of the person who created this entry. (Range: 1-127 characters)
Default Setting
1.3.6.1.2.1.16.1.1.1.6.1 - 1.3.6.1.2.1.16.1.1.1.6.28/52
Buckets: 8
Interval: 30 seconds for even numbered entries,
1800 seconds for odd numbered entries.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If periodic sampling is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned.
For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
Console(config)#interface ethernet 1/5
Console(config-if)#rmon collection history controlEntry 15
Console(config-if)#end
Console#show running-config
!
interface ethernet 1/5
rmon collection history controlEntry 15 buckets 50 interval 1800
...
interface ethernet 1/8
no rmon collection history controlEntry 15
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection history controlentry 21 buckets 24 interval 60 owner mike
Console(config-if)#
rmon collection rmon1
This command enables the collection of statistics on a physical interface. Use the no form to disable statistics collection.
Syntax
rmon collection rmon1 controlEntry index [ owner name ]
no rmon collection rmon1 controlEntry index
index – Index to this entry. (Range: 1-65535)
name – Name of the person who created this entry. (Range: 1-127 characters)
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
◆ The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and packets of specified lengths.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
Console(config-if)#
show rmon alarms
This command shows the settings for all configured alarms.
Command Mode
Privileged Exec
Example
Console#show rmon alarms
Alarm 1 is valid, owned by
Monitors 1.3.6.1.2.1.16.1.1.1.6.1 every 30 seconds
Taking delta samples, last value was 0
Rising threshold is 892800, assigned to event 0
Falling threshold is 446400, assigned to event 0
.
.
show rmon events
This command shows the settings for all configured events.
Command Mode
Privileged Exec
Example
Console#show rmon events
Event 2 is valid, owned by mike
Description is urgent
Event firing causes log and trap to community , last fired 00:00:00
Console#
show rmon history
This command shows the sampling parameters configured for each entry in the history group.
Command Mode
Privileged Exec
Example
Console#show rmon history
Entry 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
Requested # of time intervals, ie buckets, is 8
Granted # of time intervals, ie buckets, is 8
Sample # 1 began measuring at 00:00:01
Received 77671 octets, 1077 packets,
61 broadcast and 978 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers packets,
0 CRC alignment errors and 0 collisions.
# of dropped packet events is 0
Network utilization is estimated at 0
.
.
show rmon statistics
This command shows the information collected for all configured entries in the statistics group.
Command Mode
Privileged Exec
Example
Console#show rmon statistics
Interface 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.1 which has
Received 164289 octets, 2372 packets,
120 broadcast and 2211 multicast packets,
0 undersized and 0 oversized packets,
0 fragments and 0 jabbers,
0 CRC alignment errors and 0 collisions.
# of dropped packet events (due to lack of resources): 0
# of packets received of length (in octets):
64: 2245, 65-127: 87, 128-255: 31,
256-511: 5, 512-1023: 2, 1024-1518: 2
.
.
7
Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access[3] to the data ports.
Table 31: Authentication Commands
Command Group               Function
--------------------------- ---------------------------------------------------------------------------
User Accounts               Configures the basic user names and passwords for management access
Authentication Sequence     Defines logon authentication method and precedence
RADIUS Client               Configures settings for authentication via a RADIUS server
TACACS+ Client              Configures settings for authentication via a TACACS+ server
AAA                         Configures authentication, authorization, and accounting for network access
Web Server                  Enables management access via a web browser
Telnet Server               Enables management access via Telnet
Secure Shell                Provides secure replacement for Telnet
802.1X Port Authentication  Configures host authentication on specific ports using 802.1X
Management IP Filter        Configures IP addresses that are allowed management access
User Accounts
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 100), user authentication via a remote authentication server (page 165), and host access authentication for specific ports (page 200).
Table 32: User Access Commands
Command          Function                                                        Mode
---------------- --------------------------------------------------------------- ----
enable password  Sets a password to control access to the Privileged Exec level  GC
username         Establishes a user name-based authentication system at login    GC
[3] For other methods of controlling client access, see “General Security Measures” on page 219.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [ level level ] { 0 | 7 } password
no enable password [ level level ]
level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.)
{ 0 | 7 } - 0 means plain password, 7 means encrypted password.
password - Password for this privilege level. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
The default is level 15.
The default password is “super”.
Command Mode
Global Configuration
Command Usage
◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
Console(config)#enable password level 15 0 motorola
Console(config)#
Related Commands
enable (75)
authentication enable (168)
username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Syntax
username name { access-level level | nopassword | password { 0 | 7 } password }
no username name
name - The name of the user. (Maximum length: 8 characters, case sensitive. Maximum users: 16)
access-level level - Specifies the user level. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
nopassword - No password is required for this user to log in.
{ 0 | 7 } - 0 means plain password, 7 means encrypted password.
password password - The authentication password for the user. (Maximum length: 32 characters plain text or encrypted, case sensitive)
Default Setting
The default access level is Normal Exec.
The factory defaults for the user names and passwords are:
Table 33: Default Login Settings
username   access-level   password
guest      0              guest
motorola   15             admin
Command Mode
Global Configuration
Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server. There is no need for you to manually configure encrypted passwords.
Example
This example shows how to set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#
Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Table 34: Authentication Sequence Commands
Command                Function                                                                Mode
authentication enable  Defines the authentication method and precedence for command mode change  GC
authentication login   Defines logon authentication method and precedence                      GC
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command. Use the no form to restore the default.
Syntax
authentication enable {[ local ] [ radius ] [ tacacs ]}
no authentication enable
local - Use local password only.
radius - Use RADIUS server password only.
tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication enable radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
Example
Console(config)#authentication enable radius
Console(config)#
Related Commands
enable password - sets the password for changing command modes (166)
authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
Syntax
authentication login {[ local ] [ radius ] [ tacacs ]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “ authentication login radius tacacs local ,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
Example
Console(config)#authentication login radius
Console(config)#
Related Commands
username - for setting the local user names and passwords (167)
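As an added example (not from the guide), the following Python models the fallback semantics described above for both authentication enable and authentication login: a method is skipped only when none of its servers responds, so a rejection from a reachable RADIUS server ends the attempt without ever consulting the local database, and an operator can see how long a login waits before the local fallback applies. It assumes that retransmit is the number of attempts made to each RADIUS host and that every attempt waits the full timeout; the addresses and the bob/smith account are taken from this chapter's examples.

```python
"""Model of the 'authentication login <methods>' sequence.  Added example, not
part of the CLI guide.  Assumptions: only an unreachable server moves on to the
next method (a REJECT ends the sequence); 'retransmit' is the number of attempts
made to each RADIUS host and every attempt waits 'timeout' seconds; the single
TACACS+ host is tried once."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"


@dataclass
class Server:
    host: str
    answer: str = UNAVAILABLE   # simulated verdict for this exercise
    timeout: int = 5            # radius-server / tacacs-server timeout default
    retransmit: int = 1         # attempts per host (radius-server retransmit default is 2)


@dataclass
class Method:
    name: str                               # "radius", "tacacs" or "local"
    servers: List[Server] = field(default_factory=list)
    local_users: Dict[str, str] = field(default_factory=dict)


def query_servers(servers: List[Server]) -> Tuple[str, int]:
    """Query hosts in index order until one answers; return (verdict, seconds spent)."""
    elapsed = 0
    for s in servers:
        if s.answer == UNAVAILABLE:
            elapsed += s.timeout * s.retransmit   # every attempt at this host times out
            continue
        return s.answer, elapsed
    return UNAVAILABLE, elapsed


def authenticate(methods: List[Method], user: str, password: str) -> Tuple[str, int, str]:
    """Return (verdict, seconds before the verdict, method that decided)."""
    total = 0
    for m in methods:
        if m.name == "local":
            ok = m.local_users.get(user) == password
            return (ACCEPT if ok else REJECT), total, "local"
        verdict, secs = query_servers(m.servers)
        total += secs
        if verdict == UNAVAILABLE:
            continue                 # fall through only when no host responded
        return verdict, total, m.name   # an accept or a reject is final
    return REJECT, total, "none"     # no method could decide


def scenario(radius_answer: str) -> Tuple[str, int, str]:
    """'authentication login radius tacacs local' with two RADIUS hosts at the
    guide's defaults (timeout 5, retransmit 2), one TACACS+ host that is down,
    and the local account bob/smith from this chapter's username example."""
    radius = Method("radius", [Server("192.168.1.20", radius_answer, 5, 2),
                               Server("192.168.1.21", UNAVAILABLE, 5, 2)])
    tacacs = Method("tacacs", [Server("192.168.1.25", UNAVAILABLE, 5, 1)])
    local = Method("local", local_users={"bob": "smith"})
    return authenticate([radius, tacacs, local], "bob", "smith")


if __name__ == "__main__":
    print(scenario(UNAVAILABLE))   # ('accept', 25, 'local'): 20 s on RADIUS, 5 s on TACACS+
    print(scenario(REJECT))        # ('reject', 0, 'radius'): a rejection never falls through
```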
RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Table 35: RADIUS Client Commands
Command                   Function                                                          Mode
radius-server acct-port   Sets the RADIUS server network port for accounting messages       GC
radius-server auth-port   Sets the RADIUS server network port for authentication messages   GC
radius-server host        Specifies the RADIUS server                                       GC
radius-server key         Sets the RADIUS encryption key                                    GC
radius-server retransmit  Sets the number of retries                                        GC
radius-server timeout     Sets the interval between sending authentication requests         GC
show radius-server        Shows the current RADIUS settings                                 PE
radius-server acct-port
This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default.
Syntax
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535)
Default Setting
1813
Command Mode
Global Configuration
Example
Console(config)#radius-server acct-port 181
Console(config)#
radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
Default Setting
1812
Command Mode
Global Configuration
Example
Console(config)#radius-server auth-port 181
Console(config)#
radius-server host
This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values.
Syntax
[ no ] radius-server index host host-ip-address [ acct-port acct-port ] [ auth-port auth-port ] [ key key ] [ retransmit retransmit ] [ timeout timeout ]
index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
host-ip-address - IP address of server.
acct-port - RADIUS server UDP port used for accounting messages. (Range: 1-65535)
auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)
timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535)
Default Setting
auth-port - 1812
acct-port - 1813
timeout - 5 seconds
retransmit - 2
Command Mode
Global Configuration
Example
Console(config)#radius-server 1 host 192.168.1.20 acct-port 181 timeout 10 retransmit 5 key green
Console(config)#
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#radius-server key green
Console(config)#
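The Command Usage notes for authentication enable and authentication login say that RADIUS hides only the password in the Access-Request, and the key set with this command is the shared secret that hiding uses. The following added example (not code from the guide or the switch) implements the RFC 2865 User-Password hiding and builds a minimal Access-Request to show the User-Name travelling in the clear beside the hidden password; all values (secret, account, request authenticator) are constructed.

```python
"""RFC 2865 section 5.2 User-Password hiding and a minimal Access-Request.
Added example, not part of the CLI guide; all values below are constructed."""
import hashlib
import os
import struct
from typing import Dict, Optional

USER_NAME, USER_PASSWORD = 1, 2      # RADIUS attribute type codes
ACCESS_REQUEST = 1                   # RADIUS packet code


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_(i-1)).  16-byte blocks, NUL padded."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                 # chaining uses the previous hidden block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of the same computation; RFC padding NULs are stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One attribute: type, total length (value + 2), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator: Optional[bytes] = None) -> bytes:
    """20-byte header (code, id, length, authenticator) followed by User-Name and User-Password."""
    ra = request_authenticator or os.urandom(16)   # must be fresh and unpredictable per request
    attrs = tlv(USER_NAME, username) + tlv(USER_PASSWORD, hide_user_password(password, secret, ra))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs after the header, as a collector or monitoring probe would."""
    attrs, pos = {}, 20
    length = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def demo() -> dict:
    """Fixed request authenticator so the result is reproducible (constructed values)."""
    ra = bytes(range(16))
    pkt = build_access_request(7, b"bob", b"smith", b"green", ra)
    attrs = parse_attributes(pkt)
    return {
        "length": len(pkt),
        "username_in_clear": b"bob" in pkt,       # User-Name is never hidden
        "password_in_clear": b"smith" in pkt,     # only User-Password is
        "recovered": reveal_user_password(attrs[USER_PASSWORD], b"green", pkt[4:20]),
        "wrong_secret": reveal_user_password(attrs[USER_PASSWORD], b"Green", pkt[4:20]),
    }
```

Because the keystream is MD5(secret + previous block), the confidentiality of the password rests entirely on the shared secret and on keeping RADIUS traffic to a trusted path; the 48-character maximum this command allows should be used rather than a short word.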
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)
Default Setting
2
Command Mode
Global Configuration
Example
Console(config)#radius-server retransmit 5
Console(config)#
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535)
Default Setting
5
Command Mode
Global Configuration
Example
Console(config)#radius-server timeout 10
Console(config)#
show radius-server
This command displays the current settings for the RADIUS server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
Key :
Server 1:
Server IP Address : 192.168.1.1
Authentication Port Number : 1812
Accounting Port Number : 1813
Retransmit Times : 2
Request Timeout : 5
Key : *
Radius Server Group:
Group Name                Member Index
------------------------- ------------
radius                    1
Console#
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Table 36: TACACS+ Client Commands
Command             Function                                              Mode
tacacs-server host  Specifies the TACACS+ server and optional parameters  GC
tacacs-server key   Sets the TACACS+ encryption key                       GC
tacacs-server port  Specifies the TACACS+ server network port             GC
show tacacs-server  Shows the current TACACS+ settings                    GC
tacacs-server host
This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.
Syntax
tacacs-server index host host-ip-address [ port port-number ] [ timeout timeout ] [ key key ]
no tacacs-server index
index - The index for this server. (Range: 1)
host-ip-address - IP address of a TACACS+ server.
key - Encryption key used to authenticate logon access for the client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-540)
Default Setting
authentication port - 49
timeout - 5 seconds
Command Mode
Global Configuration
Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 key green
Console(config)#
tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Syntax
tacacs-server key key-string
no tacacs-server key
key-string - Encryption key used to authenticate logon access for the client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#tacacs-server key green
Console(config)#
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
Default Setting
49
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#
show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Key : *
Server 1:
Server IP Address : 192.168.1.25
Server Port Number : 181
Server Time Out : 4
Key : *
Console#
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Table 37: AAA Commands
Command                 Function                                                                     Mode
aaa accounting dot1x    Enables accounting of 802.1X services                                        GC
aaa accounting exec     Enables accounting of Exec services                                          GC
aaa accounting update   Enables periodic updates to be sent to the accounting server                 GC
aaa authorization exec  Enables authorization of Exec sessions                                       GC
aaa group server        Groups security servers into defined lists                                   GC
server                  Configures the IP address of a server in a group list                        SG
accounting dot1x        Applies an accounting method to an interface for 802.1X service requests     IC
accounting exec         Applies an accounting method to local console, Telnet or SSH connections     Line
authorization exec      Applies an authorization method to local console, Telnet or SSH connections  Line
show accounting         Displays all accounting information                                          PE
aaa accounting dot1x
This command enables the accounting of requested 802.1X services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting dot1x { default | method-name } start-stop group { radius | tacacs+ | server-group }
no aaa accounting dot1x { default | method-name }
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests. (Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Example
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#
aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.
Syntax
aaa accounting exec { default | method-name } start-stop group { radius | tacacs+ | server-group }
no aaa accounting exec { default | method-name }
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests. (Range: 1-255 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
Default Setting
Accounting is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ This command runs accounting for Exec service requests for the local console and Telnet connections.
◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Example
Console(config)#aaa accounting exec default start-stop group tacacs+
Console(config)#
aaa accounting update
This command enables the sending of periodic updates to the accounting server.
Use the no form to restore the default setting.
Syntax
aaa accounting update [ periodic interval ]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval. (Range: 0-2147483647 minutes; where 0 means disabled)
Default Setting
1 minute
Command Mode
Global Configuration
Command Usage
◆ When accounting updates are enabled, the switch issues periodic interim accounting records for all users on the system.
◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
Example
Console(config)#aaa accounting update periodic 30
Console(config)#
aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
Syntax
aaa authorization exec { default | method-name } group { tacacs+ | server-group }
no aaa authorization exec { default | method-name }
default - Specifies the default authorization method for Exec access.
method-name - Specifies an authorization method for Exec access. (Range: 1-255 characters)
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-255 characters)
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ This command performs authorization to determine if a user is allowed to run an Exec shell.
◆ AAA authentication must be enabled before authorization is enabled.
◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Example
Console(config)#aaa authorization exec default group tacacs+
Console(config)#
aaa group server
Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.
Syntax
[ no ] aaa group server { radius | tacacs+ } group-name
radius - Defines a RADIUS server group.
tacacs+ - Defines a TACACS+ server group.
group-name - A text string that names a security server group. (Range: 1-7 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#
server
This command adds a security server to an AAA server group. Use the no form to remove the associated server from the group.
Syntax
[ no ] server { index | ip-address }
index - Specifies the server index. (Range: RADIUS 1-5, TACACS+ 1)
ip-address - Specifies the host IP address of a server.
Default Setting
None
Command Mode
Server Group Configuration
Command Usage
◆ When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command.
◆ When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command.
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#
accounting dot1x
This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
Syntax
accounting dot1x { default | list-name }
no accounting dot1x
default - Specifies the default method list created with the aaa accounting dot1x command.
list-name - Specifies a method list created with the aaa accounting dot1x command.
Default Setting
None
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/2
Console(config-if)#accounting dot1x tps
Console(config-if)#
accounting exec
This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.
Syntax
accounting exec { default | list-name }
no accounting exec
default - Specifies the default method list created with the aaa accounting exec command.
list-name - Specifies a method list created with the aaa accounting exec command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#accounting exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#accounting exec default
Console(config-line)#
authorization exec
This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
Syntax
authorization exec { default | list-name }
no authorization exec
default - Specifies the default method list created with the aaa authorization exec command.
list-name - Specifies a method list created with the aaa authorization exec command.
Default Setting
None
Command Mode
Line Configuration
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
Syntax
show accounting [ dot1x [ statistics [ username user name | interface interface ]] | exec [ statistics ] | statistics ]
level - Displays command accounting information for a specifiable command level.
dot1x - Displays dot1x accounting information.
exec - Displays Exec accounting records.
statistics - Displays accounting records.
user name - Displays accounting records for a specifiable username.
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show accounting
Accounting Type: dot1x
Method List : default
Group List : radius
Interface : Eth 1/1
Method List : tps
Group List : radius
Interface : Eth 1/2
Accounting Type: EXEC
Method List : default
Group List : tacacs+
Interface : vty
Console#
Web Server
This section describes commands used to configure web browser management access to the switch.
Table 38: Web Server Commands
Command                Function                                                        Mode
ip http port           Specifies the port to be used by the web browser interface      GC
ip http server         Allows the switch to be monitored or configured from a browser  GC
ip http secure-port    Specifies the UDP port number for HTTPS                         GC
ip http secure-server  Enables HTTPS (HTTP/SSL) for encrypted communications           GC
Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds.
ip http port
This command specifies the TCP port number used by the web browser interface.
Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface. (Range: 1-65535)
Default Setting
80
Command Mode
Global Configuration
Example
Console(config)#ip http port 769
Console(config)#
Related Commands
ip http server (185)
show system (86)
ip http server
This command allows this device to be monitored or configured from a browser.
Use the no form to disable this function.
Syntax
[ no ] ip http server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (185)
show system (86)
ip http secure-port
This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number - The UDP port used for HTTPS. (Range: 1-65535)
Default Setting
443
Command Mode
Global Configuration
Command Usage
◆ If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number
Example
Console(config)#ip http secure-port 1000
Console(config)#
Related Commands
ip http secure-server (186)
show system (86)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
Syntax
[ no ] ip http secure-server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ HTTP and HTTPS are implemented as mutually exclusive services on the switch.
◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https :// device [: port_number ]
◆ When you start HTTPS, the connection is established in this way:
■ The client authenticates the server using the server’s digital certificate.
■ The client and server negotiate a set of security protocols to use for the connection.
■ The client and server generate session keys for encrypting and decrypting data.
■ The client and server establish a secure encrypted connection.
A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions.
The following web browsers and operating systems currently support HTTPS:
Table 39: HTTPS System Support
Web Browser                     Operating System
Internet Explorer 6.x or later  Windows 98, Windows NT (with service pack 6a), Windows 2000, XP, Vista, 7, 8
Mozilla Firefox 4 or later      Windows 2000, XP, Vista, 7, 8, Linux
Google Chrome 29 or later       Windows XP, Vista, 7, 8
◆ To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” in the System Reference Guide. Also refer to the copy tftp https-certificate command.
◆ Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
Example
Console(config)#ip http secure-server
Console(config)#
Related Commands
ip http secure-port (186)
copy tftp https-certificate (92)
show system (86)
Telnet Server
This section describes commands used to configure Telnet management access to the switch.
Table 40: Telnet Server Commands
Command                 Function                                                                                      Mode
ip telnet max-sessions  Specifies the maximum number of Telnet sessions that can simultaneously connect to this system  GC
ip telnet port          Specifies the port to be used by the Telnet interface                                         GC
ip telnet server        Allows the switch to be monitored or configured from Telnet                                   GC
show ip telnet          Displays configuration settings for the Telnet server                                         PE
Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.
ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.
Syntax
ip telnet max-sessions session-count
no ip telnet max-sessions
session-count - The maximum number of allowed Telnet sessions. (Range: 0-4)
Default Setting
4 sessions
Command Mode
Global Configuration
Command Usage
A maximum of four sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum of four sessions).
Example
Console(config)#ip telnet max-sessions 1
Console(config)#
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax
ip telnet port port-number
no ip telnet port
port-number - The TCP port number to be used by the Telnet interface. (Range: 1-65535)
Default Setting
23
Command Mode
Global Configuration
Example
Console(config)#ip telnet port 123
Console(config)#
ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
Syntax
[ no ] ip telnet server
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#ip telnet server
Console(config)#
show ip telnet
This command displays the configuration settings for the Telnet server.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#
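The following added example (not part of the guide) audits a configuration script against the defaults documented in the User Accounts, Web Server and Telnet Server sections: factory passwords left in place, type 0 (plain text) passwords, accounts created with nopassword, Telnet left enabled, HTTP without HTTPS, and short RADIUS keys. Both configuration texts are constructed and the 16-character key minimum is this example's own threshold.

```python
"""Audit a configuration script for the management-access settings in this chapter.
Added example, not part of the CLI guide; both configuration texts are constructed and
MIN_RADIUS_KEY_LEN is this example's own threshold (the guide only caps the key at 48)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Factory defaults quoted in this chapter (Table 33 and the enable password command).
DEFAULT_USERS = {"guest": ("guest", 0), "motorola": ("admin", 15)}   # name -> (password, level)
DEFAULT_ENABLE_PASSWORD = "super"
MIN_RADIUS_KEY_LEN = 16


@dataclass
class MgmtState:
    users: Dict[str, dict] = field(default_factory=lambda: {
        n: {"level": lvl, "pw_type": None, "password": pw, "nopassword": False}
        for n, (pw, lvl) in DEFAULT_USERS.items()})
    enable_pw: Tuple[str, str] = ("", DEFAULT_ENABLE_PASSWORD)   # (type 0/7, password)
    http: bool = True        # ip http server: default Enabled
    https: bool = False      # ip http secure-server: default Disabled
    telnet: bool = True      # ip telnet server: default Enabled
    radius_keys: List[str] = field(default_factory=list)


def parse_config(text: str) -> MgmtState:
    """Apply the script's lines on top of the factory defaults."""
    st = MgmtState()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        neg = line.startswith("no ")
        line = line[3:].strip() if neg else line
        tok = line.split()
        if tok[:2] == ["enable", "password"]:
            m = re.fullmatch(r"enable password(?: level \d+)? ([07]) (\S+)", line)
            st.enable_pw = (m.group(1), m.group(2)) if m and not neg else ("", DEFAULT_ENABLE_PASSWORD)
        elif tok[0] == "username" and len(tok) >= 2:
            if neg:
                st.users.pop(tok[1], None)
                continue
            u = st.users.setdefault(tok[1], {"level": 0, "pw_type": None, "password": None, "nopassword": False})
            if len(tok) >= 4 and tok[2] == "access-level":
                u["level"] = int(tok[3])
            elif len(tok) >= 3 and tok[2] == "nopassword":
                u["nopassword"], u["password"] = True, None
            elif len(tok) >= 5 and tok[2] == "password":
                u["pw_type"], u["password"], u["nopassword"] = tok[3], tok[4], False
        elif line == "ip http server":
            st.http = not neg
        elif line == "ip http secure-server":
            st.https = not neg
        elif line == "ip telnet server":
            st.telnet = not neg
        elif tok[0] == "radius-server" and not neg and "key" in tok[:-1]:
            st.radius_keys.append(tok[tok.index("key") + 1].strip('"'))
    return st


def audit(st: MgmtState) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means nothing to report."""
    f = []
    typ, pw = st.enable_pw
    if pw == DEFAULT_ENABLE_PASSWORD:
        f.append(("ENABLE-DEFAULT", "Privileged Exec password is still the factory default"))
    elif typ == "0":
        f.append(("ENABLE-PLAINTEXT", "Privileged Exec password is written as type 0 (plain text)"))
    for name, u in sorted(st.users.items()):
        if name in DEFAULT_USERS and u["password"] == DEFAULT_USERS[name][0]:
            f.append(("DEFAULT-CREDENTIAL", f"{name} (level {u['level']}) keeps its factory password"))
        if u["nopassword"]:
            f.append(("USER-NOPASSWORD", f"{name} (level {u['level']}) logs in without a password"))
        if u["pw_type"] == "0":
            f.append(("USER-PLAINTEXT", f"{name}: password written as type 0 (plain text)"))
    if st.telnet:
        f.append(("TELNET-ENABLED", "Telnet management enabled; the guide lists SSH as its secure replacement"))
    if st.http and not st.https:
        f.append(("HTTP-PLAINTEXT", "web management over plain HTTP; ip http secure-server is not enabled"))
    for k in st.radius_keys:
        if len(k) < MIN_RADIUS_KEY_LEN:
            f.append(("RADIUS-KEY-SHORT", f"RADIUS shared secret is only {len(k)} characters"))
    return f


def audit_codes(text: str) -> List[str]:
    return sorted({code for code, _ in audit(parse_config(text))})


# Constructed scripts; ENCRYPTED_PLACEHOLDER stands in for a type 7 value.
WEAK_CONFIG = """
enable password level 15 0 super
username guest password 0 guest
username bob access-level 15
username bob password 7 ENCRYPTED_PLACEHOLDER
username backup access-level 15
username backup nopassword
ip http server
ip telnet server
radius-server 1 host 192.168.1.20 key green
"""
HARDENED_CONFIG = """
enable password level 15 7 ENCRYPTED_PLACEHOLDER
no username guest
no username motorola
username bob access-level 15
username bob password 7 ENCRYPTED_PLACEHOLDER
no ip http server
ip http secure-server
no ip telnet server
radius-server 1 host 192.168.1.20 key "example-long-shared-secret-0123"
"""
```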
Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Table 41: Secure Shell Commands
Command                          Function                                                                                              Mode
ip ssh authentication-retries    Specifies the number of retries allowed by a client                                                   GC
ip ssh server                    Enables the SSH server on the switch                                                                  GC
ip ssh server-key size           Sets the SSH server key size                                                                          GC
ip ssh timeout                   Specifies the authentication timeout for the SSH server                                               GC
copy tftp public-key             Copies the user’s public key from a TFTP server to the switch                                         PE
delete public-key                Deletes the public key for the specified user                                                         PE
disconnect                       Terminates a line connection                                                                          PE
ip ssh crypto host-key generate  Generates the host key                                                                                PE
ip ssh crypto zeroize            Clears the host key from RAM                                                                          PE
ip ssh save host-key             Saves the host key from RAM to flash memory                                                           PE
show ip ssh                      Displays the status of the SSH server and the configured values for authentication timeout and retries  PE
show public-key                  Shows the public key for the specified user or for the host                                           PE
show ssh                         Displays the status of current SSH sessions                                                           PE
show users                       Shows SSH users, including privilege level and public key type                                        PE
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command. If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it. An entry for a public key in the known hosts file would appear similar to the following example:
10.1.0.54 1024 35 15684995401867669259333946775054617325313674890836547254
15020245593199868544358361651999923329781766065830956
108259132128902337654680172627257141342876294130119619556678259566410486957427
888146206519417467729848654686157177393901647793559423035774130980227370877945
4524083971752646358058176716709574804776117
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public keys for all of the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command.) The clients are subsequently authenticated using these keys. The current firmware only accepts public key files based on the standard UNIX format, as shown in the following example for an RSA key:
1024 35
134108168560989392104094492015542534763164192187295892114317388005553616163105
177594083868631109291232226828519254374603100937187721199696317813662774141689
851320491172048303392543241016379975923714490119380060902539484084827178194372
288402533115952134861022902978982721353267131629432532818915045306393916643 [email protected]
4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size.
5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
Password Authentication (for SSH v1.5 or v2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.
Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known hosts file. However, you do not need to configure the client's keys.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:
Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b. The switch compares the client's public key to those stored in memory.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e. The switch compares the checksum sent from the client against that computed for the original string it sent. If the two checksums match, this means that the client's private key corresponds to an authorized public key, and the client is authenticated.
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Note: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.
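The known hosts entry in step 2 and the key file in step 3 use the same SSH1-style "bits exponent modulus" text, while most current SSH clients produce OpenSSH "ssh-rsa AAAA..." lines instead. The following Python is an added example, not code from the guide or the switch firmware: it converts an OpenSSH RSA public key line to the accepted form, sanity-checks such a line before it is placed on the TFTP server, and builds the known hosts entry for the switch from the RSA line printed by show public-key host. The sample key, host address and comment are constructed.

```python
"""Convert OpenSSH RSA public keys to the SSH1-style 'bits exponent modulus' form
and build the matching known hosts entry. Added example; sample data is constructed."""
import base64
import struct


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (RFC 4251): length-prefixed,
    big-endian, with a leading 0x00 byte if the top bit would otherwise be set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _read_field(blob: bytes, offset: int):
    """Read one length-prefixed field from a key blob; returns (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def build_openssh_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Produce an 'ssh-rsa <base64 blob> [comment]' line; used here to build the sample."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def parse_openssh_rsa(line: str):
    """Return (bits, e, n, comment) from an OpenSSH RSA public key line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("only ssh-rsa keys can be converted to the RSA SSH1 format")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the 'ssh-rsa' prefix")
    e_bytes, off = _read_field(blob, off)
    n_bytes, off = _read_field(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the modulus")
    # signed=True so a leading 0x00 sign byte decodes to the same positive value
    e = int.from_bytes(e_bytes, "big", signed=True)
    n = int.from_bytes(n_bytes, "big", signed=True)
    if e <= 0 or n <= 0:
        raise ValueError("exponent and modulus must be positive")
    comment = parts[2].strip() if len(parts) == 3 else ""
    return n.bit_length(), e, n, comment


def to_ssh1_public_key(line: str) -> str:
    """Render the 'bits exponent modulus [comment]' line accepted by copy tftp public-key."""
    bits, e, n, comment = parse_openssh_rsa(line)
    out = f"{bits} {e} {n}"
    return f"{out} {comment}" if comment else out


def check_ssh1_public_key(line: str) -> bool:
    """Sanity-check a 'bits exponent modulus [comment]' line before uploading it:
    three numeric fields, the bit count matching the modulus, and an odd modulus."""
    fields = line.split()
    if len(fields) not in (3, 4) or not all(f.isdigit() for f in fields[:3]):
        return False
    bits, e, n = (int(f) for f in fields[:3])
    return bits == n.bit_length() and e > 1 and n % 2 == 1


def known_hosts_entry(host: str, host_key_line: str) -> str:
    """Build the 'host bits exponent modulus' known hosts line for the switch from the
    RSA line shown by 'show public-key host' (any trailing comment is dropped)."""
    if not check_ssh1_public_key(host_key_line):
        raise ValueError("host key line is not a valid 'bits exponent modulus' entry")
    return f"{host} {' '.join(host_key_line.split()[:3])}"


# Constructed sample: a 1024-bit odd number standing in for a modulus (not a real RSA key),
# with exponent 35 as in the guide's example key. The top bit is set, so the mpint
# encoding exercises the leading 0x00 byte case. The comment is a placeholder.
SAMPLE_N = (1 << 1023) | 0x2F5A9
SAMPLE_E = 35
SAMPLE_OPENSSH_LINE = build_openssh_rsa_line(SAMPLE_E, SAMPLE_N, "admin@mgmt-station")

if __name__ == "__main__":
    ssh1_line = to_ssh1_public_key(SAMPLE_OPENSSH_LINE)
    print(ssh1_line)
    print(known_hosts_entry("10.1.0.54", ssh1_line))
```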
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset. (Range: 1-5)
Default Setting
3
Command Mode
Global Configuration
Example
Console(config)#ip ssh authentication-retries 2
Console(config)#
Related Commands
show ip ssh (198)
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[ no ] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
◆ You must generate DSA and RSA host keys before enabling the SSH server.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#
Related Commands
ip ssh crypto host-key generate (196)
show ssh (199)
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of the server key. (Range: 512-1024 bits)
Default Setting
768 bits
Command Mode
Global Configuration
Command Usage
The server key is a private key that is never shared outside the switch.
The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
Console(config)#ip ssh server-key size 512
Console(config)#
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Example
Console(config)#ip ssh timeout 60
Console(config)#
Related Commands
exec-timeout (102)
show ip ssh (198)
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [ dsa | rsa ]
username – Name of an SSH user. (Range: 1-8 characters)
dsa – DSA public key type.
rsa – RSA public key type.
Default Setting
Deletes both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key motorola dsa
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [ dsa | rsa ]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
◆ The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it.
Example
Console#ip ssh crypto host-key generate dsa
Console#
Related Commands
ip ssh crypto zeroize (197)
ip ssh save host-key (197)
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [ dsa | rsa ]
dsa – DSA key type.
rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
◆ The SSH server must be disabled before you can execute this command.
Example
Console#ip ssh crypto zeroize dsa
Console#
Related Commands
ip ssh crypto host-key generate (196)
ip ssh save host-key (197)
no ip ssh server (193)
ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
ip ssh save host-key
Default Setting
Saves both the DSA and RSA key.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key dsa
Console#
Related Commands
ip ssh crypto host-key generate (196)
show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#
show public-key
This command shows the public key for the specified user or for the host.
Syntax
show public-key [ user [ username ] | host ]
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Shows all public keys.
Command Mode
Privileged Exec
Command Usage
◆ If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
◆ When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus. When a DSA key is displayed, the first field indicates that the encryption method used by SSH is based on the Digital Signature Standard (DSS), and the last string is the encoded modulus.
Example
Console#show public-key host
Host:
RSA:
1024 65537 13236940658254764031382795526536375927835525327972629521130241
071942106165575942459093923609695405036277525755625100386613098939383452310
332802149888661921595568598879891919505883940181387440468908779160305837768
185490002831341625008348718449522087429212255691665655296328163516964040831
5547660664151657116381
DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv
JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR
2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7YKBw/Kjw6Bm iFq7O+jAhf1Dg45loAc27s6TLdtny1wRq/ow2eTCD5nekAAACBAJ8rMccXTxHLFAczWS7EjOy
DbsloBfPuSAb4oAsyjKXKVYNLQkTLZfcFRu41bS2KV5LAwecsigF/+DjKGWtPNIQqabKgYCw2 o/dVzX4Gg+yqdTlYmGA7fHGm8ARGeiG4ssFKy4Z6DmYPXFum1Yg0fhLwuHpOSKdxT3kk475S7 w0W
Console#
show ssh
This command displays the current SSH server connections.
Command Mode
Privileged Exec
Example
Console#show ssh
Connection Version State Username Encryption
0 2.0 Session-Started motorola ctos aes128-cbc-hmac-md5
stoc aes128-cbc-hmac-md5
Console#
Table 42: show ssh - display description
Field        Description
Connection   The session number. (Range: 0-3)
Version      The Secure Shell version number.
State        The authentication negotiation state.
             (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username     The user name of the client.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 43: 802.1X Port Authentication Commands
Command                       Function                                                                        Mode
General Commands
dot1x default                 Resets all dot1x parameters to their default values                             GC
dot1x eapol-pass-through      Passes EAPOL frames to all ports in STP forwarding state when dot1x is          GC
                              globally disabled
dot1x system-auth-control     Enables dot1x globally on the switch                                            GC
Authenticator Commands
dot1x intrusion-action        Sets the port response to intrusion when authentication fails                   IC
dot1x max-req                 Sets the maximum number of times that the switch retransmits an EAP             IC
                              request/identity packet to the client before it times out the
                              authentication session
dot1x operation-mode          Allows single or multiple hosts on a dot1x port                                 IC
dot1x port-control            Sets dot1x mode for a port interface                                            IC
dot1x re-authentication       Enables re-authentication for all ports                                         IC
dot1x timeout re-authperiod   Sets the time period after which a connected client must be re-authenticated    IC
dot1x timeout quiet-period    Sets the time that a switch port waits after the Max Request Count has been     IC
                              exceeded before attempting to acquire a new client
dot1x timeout supp-timeout    Sets the interval for a supplicant to respond                                   IC
dot1x timeout tx-period       Sets the time period during an authentication session that the switch waits     IC
                              before re-transmitting an EAP packet
dot1x re-authenticate         Forces re-authentication on specific ports                                      PE
Supplicant Commands
dot1x identity profile        Configures dot1x supplicant user name and password                              GC
dot1x max-start               Sets the maximum number of times that a port supplicant will send an EAP        IC
                              start frame to the client
dot1x pae supplicant          Enables dot1x supplicant mode on an interface                                   IC
dot1x timeout auth-period     Sets the time that a supplicant port waits for a response from the              IC
                              authenticator
dot1x timeout held-period     Sets the time a port waits after the maximum start count has been exceeded      IC
                              before attempting to find another authenticator
dot1x timeout start-period    Sets the time that a supplicant port waits before resending an EAPOL start      IC
                              frame to the authenticator
Information Display Commands
show dot1x                    Shows all dot1x related information                                             PE
General Commands
dot1x default
This command sets all configurable dot1x authenticator global and port settings to their default values.
Command Mode
Global Configuration
Command Usage
This command resets the following commands to their default settings:
◆ dot1x system-auth-control
◆ dot1x eapol-pass-through
◆ dot1x port-control
◆ dot1x port-control multi-host max-count
◆ dot1x operation-mode
◆ dot1x max-req
◆ dot1x timeout quiet-period
◆ dot1x timeout tx-period
◆ dot1x timeout re-authperiod
◆ dot1x timeout supp-timeout
◆ dot1x re-authentication
◆ dot1x intrusion-action
Example
Console(config)#dot1x default
Console(config)#
dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Syntax
[ no ] dot1x eapol-pass-through
Default Setting
Discards all EAPOL frames when dot1x is globally disabled
Command Mode
Global Configuration
Command Usage
◆ When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, the dot1x eapol-pass-through command can be used to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
◆ When this device is functioning as an edge switch but does not require any attached clients to be authenticated, the no dot1x eapol-pass-through command can be used to discard unnecessary EAPOL traffic.
Example
This example instructs the switch to pass all EAPOL frames through to any ports in STP forwarding state.
Console(config)#dot1x eapol-pass-through
Console(config)#
dot1x system-auth-control
This command enables IEEE 802.1X port authentication globally on the switch.
Use the no form to restore the default.
Syntax
[ no ] dot1x system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dot1x system-auth-control
Console(config)#
Authenticator Commands
dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action { block-traffic | guest-vlan }
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Default
block-traffic
Command Mode
Interface Configuration
Command Usage
For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Syntax
dot1x max-req count
no dot1x max-req
count – The maximum number of requests (Range: 1-10)
Default
2
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Syntax
dot1x operation-mode { single-host | multi-host [ max-count count ] | mac-based-auth }
no dot1x operation-mode [ multi-host max-count ]
single-host – Allows only a single host to connect to this port.
multi-host – Allows multiple hosts to connect to this port.
max-count – Keyword for the maximum number of hosts.
count – The maximum number of hosts that can connect to a port. (Range: 1-1024; Default: 5)
mac-based-auth – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Default
Single-host
Command Mode
Interface Configuration
Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
◆ In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails reauthentication or sends an EAPOL logoff message.
◆ In “mac-based-auth” mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#
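To make the difference between the three operation modes concrete, the following is an added Python model (not code from the guide or the switch) of which attached hosts receive network access under each mode, following the semantics described in Command Usage above. The MAC addresses and the per-host result labels are constructed, and the model ignores timing.

```python
"""Simplified model of per-host access on a dot1x port for each operation-mode setting.
Added example; the host list and result labels are constructed."""

# Result of each host's most recent 802.1X exchange on the port:
#   "pass"   - authenticated by the RADIUS server
#   "fail"   - failed (re)authentication
#   "logoff" - sent an EAPOL-Logoff
#   "silent" - never spoke 802.1X (not dot1x-aware)
MAC_BASED_LIMIT = 1024  # secure address table size cited by the guide for mac-based-auth


def authorized_hosts(mode: str, hosts, max_count: int = 5) -> dict:
    """Return {mac: allowed} for the hosts seen on a port in the given operation mode.
    hosts is a list of (mac, result) in the order the hosts appeared on the port."""
    if mode == "single-host":
        # Only the first host on the port is considered, and only if it passed.
        if not hosts:
            return {}
        mac, result = hosts[0]
        return {mac: result == "pass"}
    if mode == "multi-host":
        # One passing host authorizes the port for everyone (up to max-count), and one
        # failed re-authentication or EAPOL-Logoff revokes access for all of them.
        port_up = any(r == "pass" for _, r in hosts) and not any(
            r in ("fail", "logoff") for _, r in hosts
        )
        return {mac: port_up and i < max_count for i, (mac, _) in enumerate(hosts)}
    if mode == "mac-based-auth":
        # Every host must pass on its own; a silent host gets nothing.
        allowed, admitted = {}, 0
        for mac, result in hosts:
            ok = result == "pass" and admitted < MAC_BASED_LIMIT
            admitted += ok
            allowed[mac] = ok
        return allowed
    raise ValueError(f"unknown operation mode: {mode}")


# Constructed sample: an authenticated workstation sharing a port with a silent device.
SAMPLE_HOSTS = [("00:11:22:33:44:01", "pass"), ("00:11:22:33:44:02", "silent")]

if __name__ == "__main__":
    for mode in ("single-host", "multi-host", "mac-based-auth"):
        print(mode, authorized_hosts(mode, SAMPLE_HOSTS))
```

In multi-host mode the silent device rides on the workstation's authentication, which is the trade-off the guide's note about one passing host granting access to all others describes; mac-based-auth admits only the host that authenticated.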
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control { auto | force-authorized | force-unauthorized }
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise.
force-unauthorized – Configures the port to deny access to all clients, either dot1x-aware or otherwise.
Default
force-authorized
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#
dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
Syntax
[ no ] dot1x re-authentication
Command Mode
Interface Configuration
Command Usage
◆ The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
Related Commands
dot1x timeout re-authperiod (206)
dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 203) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds - The number of seconds. (Range: 1-65535)
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be reauthenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds. (Range: 1-65535)
Default
3600 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Command Usage
This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information. It may also send other EAP-request frames to the client during an active connection as required for reauthentication.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout supp-timeout 300
Console(config-if)#
dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
Example
Console#dot1x re-authenticate
Console#
Supplicant Commands
dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
Syntax
dot1x identity profile { username username | password password }
no dot1x identity profile { username | password }
username - Specifies the supplicant user name. (Range: 1-8 characters)
password - Specifies the supplicant password. (Range: 1-32 characters)
Default
No user name or password
Command Mode
Global Configuration
Command Usage
The global supplicant user name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator. These parameters must be set when this switch passes client authentication requests to another authenticator on the network (see the dot1x pae supplicant command on page 210).
Example
Console(config)#dot1x identity profile username steve
Console(config)#dot1x identity profile password excess
Console(config)#
dot1x max-start
This command sets the maximum number of times that a port supplicant will send an EAP start frame to the client before assuming that the client is 802.1X unaware. Use the no form to restore the default value.
Syntax
dot1x max-start count
no dot1x max-start
count - Specifies the maximum number of EAP start frames. (Range: 1-65535)
Default
3
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#
dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
Syntax
[ no ] dot1x pae supplicant
Default
Disabled
Command Mode
Interface Configuration
Command Usage
◆ When devices attached to a port must submit requests to another authenticator on the network, configure the identity profile parameters (see the dot1x identity profile command on page 209) which identify this switch as a supplicant, and enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator using this command. In this mode the port will not respond to dot1x messages meant for an authenticator.
◆ This switch can be configured to serve as the authenticator on selected ports by setting the control mode to “auto” (see the dot1x port-control command on page 205), and as a supplicant on other ports by setting the control mode to “force-authorized” and enabling dot1x supplicant mode with this command.
◆ A port cannot be configured as a dot1x supplicant if it is a member of a trunk or LACP is enabled on the port.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#dot1x pae supplicant
Console(config-if)#
dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Command Usage
This command sets the time that the supplicant waits for a response from the authenticator for packets other than EAPOL-Start.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout auth-period 60
Console(config-if)#
dot1x timeout held-period
This command sets the time that a supplicant port waits before resending its credentials to find a new authenticator. Use the no form to reset the default.
Syntax
dot1x timeout held-period seconds
no dot1x timeout held-period
seconds - The number of seconds. (Range: 1-65535)
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout held-period 120
Console(config-if)#
dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds. (Range: 1-65535)
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout start-period 60
Console(config-if)#
Information Display Commands
show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [ statistics ] [ interface interface ]
statistics - Displays dot1x status for each port.
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Command Usage
This command displays the following information:
◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 202).
◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 202).
◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 209).
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
■ Type – Administrative state for port access control (Enabled, Authenticator, or Supplicant).
■ Operation Mode – Allows single or multiple hosts (page 204).
■ Control Mode – Dot1x port control mode (page 205).
■ Authorized – Authorization status (yes or n/a - not authorized).
◆ 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
■ Reauthentication – Periodic re-authentication (page 205).
■ Reauth Period – Time after which a connected client must be reauthenticated (page 206).
■ Quiet Period – Time a port waits after Max Request Count is exceeded before attempting to acquire a new client (page 206).
■ TX Period – Time a port waits during authentication session before retransmitting EAP packet (page 208).
■ Supplicant Timeout – Supplicant timeout.
■ Server Timeout – Server timeout. A RADIUS server must be set before the correct operational value of 10 seconds will be displayed in this field.
■ Reauth Max Retries – Maximum number of reauthentication attempts.
■ Max Request – Maximum number of times a port will retransmit an EAP request/identity packet to the client before it times out the authentication session (page 203).
■ Operation Mode – Shows if single or multiple hosts (clients) can connect to an 802.1X-authorized port.
■ Port Control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 205).
■ Intrusion Action – Shows the port response to intrusion when authentication fails (page 203).
■ Supplicant – MAC address of authorized client.
◆ Authenticator PAE State Machine
■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
■ Reauth Count – Number of times connecting state is re-entered.
■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
◆ Backend State Machine
■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
◆ Reauthentication State Machine
■ State – Current state (including initialize, reauthenticate).
Example
Console#show dot1x interface ethernet 1/1
Global 802.1X Parameters
System Auth Control : Enabled
Authenticator Parameters:
EAPOL Pass Through : Disabled
Supplicant Parameters:
Identity Profile Username : steve
802.1X Port Summary
Port Type Operation Mode Control Mode Authorized
-------- ------------- -------------- ------------------ ----------
Eth 1/ 1 Disabled Single-Host Force-Authorized Yes
Eth 1/ 2 Disabled Single-Host Force-Authorized Yes
.
.
.
Eth 1/27 Disabled Single-Host Force-Authorized Yes
Eth 1/28 Enabled Single-Host Auto Yes
.
.
.
Console#show dot1x interface ethernet 1/50
802.1X Authenticator is enabled on port 50
Reauthentication : Enabled
Reauth Period : 3600
Quiet Period : 60
TX Period : 30
Supplicant Timeout : 30
Server Timeout : 10
Reauth Max Retries : 2
Max Request : 2
Operation Mode : Multi-host
Port Control : Auto
Intrusion Action : Block traffic
Supplicant : 00-e0-29-94-34-65
Authenticator PAE State Machine
State : Authenticated
Reauth Count : 0
Current Identifier : 3
Backend State Machine
State : Idle
Request Count : 0
Identifier(Server) : 2
Reauthentication State Machine
State : Initialize
802.1X Supplicant is disabled on port 1/50
Console#
Management IP Filter
This section describes commands used to configure IP management access to the switch.
Table 44: Management IP Filter Commands
Command          Mode  Function
management       GC    Configures IP addresses that are allowed management access
show management  PE    Displays the switch to be monitored or configured from a browser
management
This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting.
Syntax
[ no ] management { all-client | http-client | snmp-client | telnet-client } start-address [ end-address ]
all-client - Adds IP address(es) to all groups.
http-client - Adds IP address(es) to the web group.
snmp-client - Adds IP address(es) to the SNMP group.
telnet-client - Adds IP address(es) to the Telnet group.
start-address - A single IP address, or the starting address of a range.
end-address - The end address of a range.
Default Setting
All addresses
Command Mode
Global Configuration
Command Usage
◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
◆ IP addresses can be configured separately for SNMP, web, and Telnet access. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
◆ You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address.
Example
This example restricts management access to the indicated addresses.
Console(config)#management all-client 192.168.1.19
Console(config)#management all-client 192.168.1.25 192.168.1.30
Console#
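The filter rules listed under Command Usage (up to five address sets per group, no overlapping ranges within a group but overlap allowed across groups, whole-range deletion only, and a default of all addresses) can be checked offline with the following Python model. This is an added example and not the switch's own code; the class ManagementIpFilter, its method names and the constructed rejection message are this example's assumptions, as is treating an all-client command atomically across the three groups.

```python
import ipaddress

# Constructed model of the switch's management IP filter (added example, not the
# switch firmware). It encodes the rules from the command usage: up to five
# address sets per group, no overlapping ranges inside one group, overlap across
# groups allowed, "all-client" adds to every group, and an empty group means
# all addresses are allowed. Class and method names are this example's own.
GROUPS = ("http-client", "snmp-client", "telnet-client")
MAX_SETS_PER_GROUP = 5


def _to_int(address):
    return int(ipaddress.IPv4Address(address))


class ManagementIpFilter:
    def __init__(self):
        # group name -> list of (start, end) ranges held as integers
        self.groups = {g: [] for g in GROUPS}

    @staticmethod
    def _targets(client):
        return GROUPS if client == "all-client" else (client,)

    def management(self, client, start_address, end_address=None):
        """Model of 'management <client> start [end]'. Returns True if accepted."""
        start = _to_int(start_address)
        end = _to_int(end_address) if end_address else start
        if end < start:
            return False
        targets = self._targets(client)
        # Validate every target group first so 'all-client' is applied atomically
        # (an assumption of this model; the guide only states the per-group rules).
        for g in targets:
            if len(self.groups[g]) >= MAX_SETS_PER_GROUP:
                return False          # group already holds five sets
            for s, e in self.groups[g]:
                if start <= e and s <= end:
                    return False      # overlapping range inside the same group
        for g in targets:
            self.groups[g].append((start, end))
        return True

    def no_management(self, client, start_address):
        """Model of 'no management <client> start'. Only whole ranges can be
        removed, so the address given must be the start of an existing range."""
        start = _to_int(start_address)
        removed = False
        for g in self._targets(client):
            kept = [r for r in self.groups[g] if r[0] != start]
            removed = removed or len(kept) != len(self.groups[g])
            self.groups[g] = kept
        return removed

    def allows(self, client, address):
        """Would a connection from 'address' to this service be accepted?"""
        ranges = self.groups[client]
        if not ranges:
            return True               # default setting: all addresses
        a = _to_int(address)
        return any(s <= a <= e for s, e in ranges)

    def check_access(self, client, address):
        """Returns (allowed, event). A rejected attempt yields the event the switch
        would log and send as a trap (the message text is constructed here)."""
        if self.allows(client, address):
            return True, None
        return False, f"management access from {address} via {client} rejected by IP filter"
```

Running the two commands from the example through the model and then probing with client addresses shows why an address inside a configured range cannot be removed on its own: no_management only matches the start of a range, so the whole range goes and must be re-entered.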
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.
Syntax
show management { all-client | http-client | snmp-client | telnet-client }
all-client - Displays IP addresses for all groups.
http-client - Displays IP addresses for the web group.
snmp-client - Displays IP addresses for the SNMP group.
telnet-client - Displays IP addresses for the Telnet group.
Command Mode
Privileged Exec
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
TELNET-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
Console#
8
General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter. These include port-based authentication, which can be configured to allow network client access by specifying a fixed set of MAC addresses. The addresses assigned to DHCP clients can also be carefully controlled with IP Source Guard and DHCP Snooping commands.
Table 45: General Security Commands
Command Group                    Function
Port Security *                  Configures secure addresses for a port
802.1X Port Authentication *     Configures host authentication on specific ports using 802.1X
Network Access *                 Configures MAC authentication and dynamic VLAN assignment
Web Authentication *             Configures Web authentication
Access Control Lists *           Provides filtering for IP frames (based on address, protocol, TCP/UDP port number or TCP control code) or non-IP frames (based on MAC address or Ethernet type)
DHCP Snooping *                  Filters untrusted DHCP messages on unsecure ports by building and maintaining a DHCP snooping binding table
IP Source Guard *                Filters IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping nor static source bindings
ARP Inspection                   Validates the MAC-to-IP address bindings in ARP packets
DoS Protection                   Protects against Denial-of-Service attacks
Port-based Traffic Segmentation  Configures traffic segmentation for different client sessions based on specified downlink and uplink ports
* The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, DHCP Snooping, and then IP Source Guard.
Port Security
These commands can be used to enable port security on a port.
When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. The port will drop any incoming frames with a source MAC address that is unknown or has been previously learned from another port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
Table 46: Management IP Filter Commands
Command                   Mode  Function
mac-address-table static  GC    Maps a static address to a port in a VLAN
port security             IC    Configures a secure port
show mac-address-table    PE    Displays entries in the bridge-forwarding database
port security
This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for a response to a security violation or for the maximum number of allowed addresses.
Syntax
port security [[ action { shutdown | trap | trap-and-shutdown }] | [ max-mac-count address-count ]]
no port security [ action | max-mac-count ]
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable port.
max-mac-count
address-count - The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled)
Default Setting
Status: Disabled
Action: None
Maximum Addresses: 0
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
◆ When port security is enabled using the port security command, or the maximum number of allowed addresses is set to a value lower than the current limit after port security has been enabled, the switch first clears all dynamically learned entries from the address table. It then starts learning new MAC addresses on the specified port, and stops learning addresses when it reaches the configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
◆ To configure the maximum number of address entries which can be learned on a port, first disable port security on a port using the no port security command, and then specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs <source MAC address, VLAN> for frames received on the port. (The specified maximum address count is effective when port security is enabled or disabled.) Note that you can manually add additional secure addresses to a port using the mac-address-table static command. When the port has reached the maximum number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
◆ If a port is disabled due to a security violation, it must be manually re-enabled using the no shutdown command.
◆ A secure port has the following restrictions:
■ Cannot be connected to a network interconnection device.
■ Cannot be a trunk port.
■ RSPAN and port security are mutually exclusive functions. If port security is enabled on a port, that port cannot be set as an RSPAN uplink port, source port, or destination port. Also, when a port is configured as an RSPAN uplink port, source port, or destination port, port security cannot be enabled on that port.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
show interfaces status (304)
shutdown (300)
mac-address-table static (362)
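The learning, limiting and violation behaviour described under Command Usage can be traced with the following Python model of a single secure port. It is an added example, not the switch's own code: the class SecurePort, its method names (one per CLI command it mirrors) and the trap message text are this example's assumptions, and only dynamically learned entries count against max-mac-count, static entries being additional as the usage text states.

```python
# Constructed model of port security on one Ethernet port (added example, not the
# switch's own code). It follows the command usage: max-mac-count 0 means
# disabled, enabling the feature clears dynamically learned entries, learning
# stops once the limit is reached, frames from unknown source addresses are
# dropped, and a violation triggers the configured action. Names are this
# example's own.
class SecurePort:
    ACTIONS = (None, "shutdown", "trap", "trap-and-shutdown")

    def __init__(self, name):
        self.name = name
        self.enabled = False
        self.action = None            # default: none
        self.max_mac_count = 0        # default 0 = port security disabled
        self.static = set()           # <MAC, VLAN> pairs added with mac-address-table static
        self.dynamic = set()          # <MAC, VLAN> pairs learned on this port
        self.is_shutdown = False
        self.traps = []               # SNMP trap messages the model would send

    def port_security(self, action=None):
        """'port security [action ...]': enables the feature and records the action."""
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if action is not None:
            self.action = action
        if not self.enabled:
            self.dynamic.clear()      # dynamically learned entries are cleared on enable
            self.enabled = True

    def port_security_max_mac_count(self, count):
        """'port security max-mac-count <count>' (0-1024, 0 disables)."""
        if not 0 <= count <= 1024:
            raise ValueError("max-mac-count must be 0-1024")
        if self.enabled and count < self.max_mac_count:
            self.dynamic.clear()      # lowering the limit clears learned entries
        self.max_mac_count = count

    def no_port_security(self):
        self.enabled = False

    def mac_address_table_static(self, mac, vlan):
        self.static.add((mac.lower(), vlan))

    def no_shutdown(self):
        """A port disabled by a violation must be re-enabled manually."""
        self.is_shutdown = False

    def _violation(self, mac, vlan):
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"port security violation on {self.name}: {mac} vlan {vlan}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.is_shutdown = True

    def receive(self, mac, vlan):
        """Returns 'forward' or 'drop' for a frame with this source <MAC, VLAN>."""
        key = (mac.lower(), vlan)
        if self.is_shutdown:
            return "drop"
        secured = self.enabled and self.max_mac_count > 0
        if not secured:
            self.dynamic.add(key)     # ordinary learning; no limit modelled here
            return "forward"
        if key in self.static or key in self.dynamic:
            return "forward"
        if len(self.dynamic) < self.max_mac_count:
            self.dynamic.add(key)     # still learning
            return "forward"
        self._violation(mac, vlan)    # unknown source after the limit is reached
        return "drop"
```

Note the difference between the two actions: with trap the port keeps forwarding traffic from already-learned addresses while reporting the intruder, whereas trap-and-shutdown disables the port for every address until an operator issues no shutdown.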
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server. While authentication for a MAC address is in progress, all traffic is blocked until authentication is completed. Once successfully authenticated, the RADIUS server may optionally assign VLAN and QoS settings for the switch port.
Table 47: Network Access Commands
Command                                     Mode  Function
network-access aging                        GC    Enables MAC address aging
network-access mac-filter                   GC    Adds a MAC address to a filter table
mac-authentication reauth-time              GC    Sets the time period after which a connected MAC address must be re-authenticated
network-access dynamic-qos                  IC    Enables the dynamic quality of service feature
network-access dynamic-vlan                 IC    Enables dynamic VLAN assignment from a RADIUS server
network-access guest-vlan                   IC    Specifies the guest VLAN
network-access link-detection               IC    Enables the link detection feature
network-access link-detection link-down     IC    Configures the link detection feature to detect and act upon link-down events
network-access link-detection link-up       IC    Configures the link detection feature to detect and act upon link-up events
network-access link-detection link-up-down  IC    Configures the link detection feature to detect and act upon both link-up and link-down events
network-access max-mac-count                IC    Sets the maximum number of MAC addresses that can be authenticated on a port via all forms of authentication
network-access mode mac-authentication      IC    Enables MAC authentication on an interface
network-access port-mac-filter              IC    Enables the specified MAC address filter
mac-authentication intrusion-action         IC    Determines the port response when a connected host fails MAC authentication
mac-authentication max-mac-count            IC    Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication
clear network-access                        PE    Clears authenticated MAC addresses from the address table
show network-access                         PE    Displays the MAC authentication settings for port interfaces
show network-access mac-address-table       PE    Displays information for entries in the secure MAC address table
show network-access mac-filter              PE    Displays information for entries in the MAC filter tables
network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
Syntax
[ no ] network-access aging
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
◆ This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 204).
◆ The maximum number of secure MAC addresses supported for the switch system is 1024.
Example
Console(config-if)#network-access aging
Console(config-if)#
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax
[ no ] network-access mac-filter filter-id mac-address mac-address [ mask mask-address ]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for a range of addresses.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Specified addresses are exempt from network access authentication.
◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.
Example
Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66
Console(config)#
mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
Syntax
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period. (Range: 120-1000000 seconds)
Default Setting
1800
Command Mode
Global Configuration
Command Usage
◆ The reauthentication time is a global setting and applies to all ports.
◆ When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server. During the reauthentication process traffic through the port remains unaffected.
Example
Console(config)#mac-authentication reauth-time 300
Console(config)#
network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port.
Use the no form to restore the default.
Syntax
[ no ] network-access dynamic-qos
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 48: Dynamic QoS Profiles
Profile     Attribute Syntax                        Example
DiffServ    service-policy-in = policy-map-name     service-policy-in=p1
Rate Limit  rate-limit-input = rate (Kbps)          rate-limit-input=100 (Kbps)
            rate-limit-output = rate (Kbps)         rate-limit-output=200 (Kbps)
802.1p      switchport-priority-default = value     switchport-priority-default=2
IP ACL      ip-access-group-in = ip-acl-name        ip-access-group-in=ipv4acl
IPv6 ACL    ipv6-access-group-in = ipv6-acl-name    ipv6-access-group-in=ipv6acl
MAC ACL     mac-access-group-in = mac-acl-name      mac-access-group-in=macAcl
◆ When the last user logs off of a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
◆ While a port has an assigned dynamic QoS profile, any manual QoS configuration changes only take effect after all users have logged off of the port.
Note: Any configuration changes for dynamic QoS are not saved to the switch configuration file.
Example
The following example enables the dynamic QoS feature on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#
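The Filter-ID syntax of Table 48 and the per-port rules under Command Usage (one dynamic profile per port, manual changes deferred while users are logged on, original QoS restored when the last user logs off) can be exercised with the following Python parser and port model. This is an added example, not the switch's own code; parse_filter_id, DynamicQosPort and their method names are this example's, the 0-7 check on switchport-priority-default is the standard 802.1p range assumed here, and rejecting a user whose Filter-ID is malformed is a modelling assumption the guide does not state.

```python
import re

# Constructed parser and port model for dynamic QoS assignment (added example, not
# the switch's own code). The attribute keys come from Table 48; the port rules
# come from the command usage. Function and class names are this example's own.
FILTER_ID_KEYS = {
    "service-policy-in": "DiffServ",
    "rate-limit-input": "Rate Limit",
    "rate-limit-output": "Rate Limit",
    "switchport-priority-default": "802.1p",
    "ip-access-group-in": "IP ACL",
    "ipv6-access-group-in": "IPv6 ACL",
    "mac-access-group-in": "MAC ACL",
}

# key = value, with the optional "(Kbps)" annotation shown in Table 48 tolerated
_FILTER_ID_RE = re.compile(r"\s*([a-z0-9-]+)\s*=\s*(.+?)\s*(?:\(Kbps\))?\s*$")


def parse_filter_id(values):
    """Parse one or more Filter-ID (attribute 11) strings such as
    "service-policy-in=p1" into {key: value}. Raises ValueError for keys not in
    Table 48 or for malformed numeric values."""
    profile = {}
    for text in values:
        m = _FILTER_ID_RE.match(text)
        if not m or m.group(1) not in FILTER_ID_KEYS:
            raise ValueError(f"unsupported Filter-ID value: {text!r}")
        key, value = m.group(1), m.group(2)
        if key.startswith("rate-limit-") and not value.isdigit():
            raise ValueError(f"{key} needs a rate in Kbps: {text!r}")
        if key == "switchport-priority-default" and not (value.isdigit() and 0 <= int(value) <= 7):
            # 802.1p priorities are 0-7 (standard range, assumed here)
            raise ValueError(f"{key} must be 0-7: {text!r}")
        profile[key] = value
    return profile


def profile_types(profile):
    """Names of the Table 48 profiles present in a parsed Filter-ID set."""
    return sorted({FILTER_ID_KEYS[k] for k in profile})


class DynamicQosPort:
    def __init__(self, manual_qos):
        self.manual_qos = dict(manual_qos)   # QoS configured by the administrator
        self.active_qos = dict(manual_qos)   # what is applied to the port right now
        self.users = {}                      # authenticated MAC -> dynamic profile

    def login(self, mac, filter_id_values):
        """Returns True if the user is admitted. Denied when its profile differs
        from the profile of users already on the port, or cannot be parsed."""
        try:
            profile = parse_filter_id(filter_id_values)
        except ValueError:
            return False
        if self.users and profile != next(iter(self.users.values())):
            return False
        self.users[mac] = profile
        if len(self.users) == 1:
            self.active_qos = {**self.manual_qos, **profile}
        return True

    def logoff(self, mac):
        self.users.pop(mac, None)
        if not self.users:
            self.active_qos = dict(self.manual_qos)   # last user off: original QoS restored

    def configure(self, key, value):
        """Manual QoS change; takes effect only once no user holds a dynamic profile."""
        self.manual_qos[key] = value
        if not self.users:
            self.active_qos[key] = value
```

Because the dynamic profile is never written to manual_qos, nothing from the RADIUS reply survives the last logoff, which matches the note that dynamic QoS changes are not saved to the switch configuration file.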
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port.
Use the no form to disable dynamic VLAN assignment.
Syntax
[ no ] network-access dynamic-vlan
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port. Other authenticated MAC addresses on the port must have same VLAN configuration, or they are treated as an authentication failure.
◆ If dynamic VLAN assignment is enabled on a port and the RADIUS server returns no VLAN configuration, the authentication is still treated as a success, and the host assigned to the default untagged VLAN.
◆ When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Syntax
network-access guest-vlan vlan-id
no network-access guest-vlan
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The VLAN to be used as the guest VLAN must be defined and set as active (See the vlan database command).
◆ When used with 802.1X authentication, the intrusion-action must be set to “guest-vlan” to be effective (see the dot1x intrusion-action command).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#
network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
Syntax
[ no ] network-access link-detection
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-down action [ shutdown | trap | trap-and-shutdown ]
no network-access link-detection
action - Response to take when a link-down event is detected.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-up action [ shutdown | trap | trap-and-shutdown ]
no network-access link-detection
action - Response to take when a link-up event is detected.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#
network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-up-down action [ shutdown | trap | trap-and-shutdown ]
no network-access link-detection
action - Response to take when a link-up or link-down event is detected.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Syntax
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed. (Range: 1-1024)
Default Setting
1024
Command Mode
Interface Configuration
Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#
network-access mode mac-authentication
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.
Syntax
[ no ] network-access mode mac-authentication
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated.
◆ On the RADIUS server, PAP user names and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
◆ MAC authentication, 802.1X, and port security cannot be configured together on the same port. Only one security mechanism can be applied.
◆ MAC authentication cannot be configured on trunk ports.
◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.”
Example
Console(config-if)#network-access mode mac-authentication
Console(config-if)#
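The exchange described under Command Usage, as an added Python example that is not the switch's own code: deriving the PAP user name and password from a client MAC in the required XX-XX-XX-XX-XX-XX upper-case form, parsing the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of the RADIUS reply, and applying the first-MAC-wins rule of the network-access dynamic-vlan command. The function and class names, the dict form used for the RADIUS reply, and the assumption that a reply with inconsistent tunnel attributes is treated as a failure are this example's own.

```python
import re

# Constructed helpers for the MAC authentication exchange (added example, not the
# switch's own code): PAP credentials derived from the client MAC, the RADIUS VLAN
# attributes, and the first-MAC-wins VLAN rule of network-access dynamic-vlan.

def pap_credentials(mac):
    """User name and password are both the MAC in XX-XX-XX-XX-XX-XX upper case."""
    if re.search(r"[^0-9A-Fa-f:.-]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    canonical = "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    return canonical, canonical


def parse_vlan_list(text):
    """Parse a Tunnel-Private-Group-ID list such as "1u,2t," ('u' untagged,
    't' tagged). Returns {"untagged": [...], "tagged": [...]}."""
    result = {"untagged": [], "tagged": []}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue                          # tolerate the trailing comma in "1u,2t,"
        m = re.fullmatch(r"(\d+)([ut])", item)
        if not m:
            raise ValueError(f"bad VLAN list item: {item!r}")
        vid = int(m.group(1))
        if not 1 <= vid <= 4093:              # VLAN ID range used by this guide
            raise ValueError(f"VLAN ID out of range: {vid}")
        result["untagged" if m.group(2) == "u" else "tagged"].append(vid)
    return result


def vlan_assignment(reply):
    """Extract the VLAN assignment from an Access-Accept given as a dict of
    attribute name -> value. Returns None when the server returned no VLANs."""
    if "Tunnel-Private-Group-ID" not in reply:
        return None
    if reply.get("Tunnel-Type") != "VLAN" or reply.get("Tunnel-Medium-Type") != "802":
        raise ValueError("Tunnel-Type must be VLAN and Tunnel-Medium-Type 802")
    return parse_vlan_list(reply["Tunnel-Private-Group-ID"])


class DynamicVlanPort:
    """VLAN settings of the first authenticated MAC apply to the port; any later
    MAC whose assignment differs is treated as an authentication failure."""

    def __init__(self, default_vlan, dynamic_vlan=True):
        self.default = {"untagged": [default_vlan], "tagged": []}
        self.dynamic_vlan = dynamic_vlan
        self.port_vlans = None                # set by the first authenticated MAC
        self.secure_macs = set()

    def authenticate(self, mac, reply):
        """reply: attributes of the Access-Accept for this MAC.
        Returns (accepted, vlans applied to the port)."""
        try:
            assigned = vlan_assignment(reply) if self.dynamic_vlan else None
        except ValueError:
            return False, None
        vlans = assigned if assigned else self.default   # no VLAN returned: default untagged VLAN
        if self.port_vlans is not None and vlans != self.port_vlans:
            return False, None
        self.port_vlans = vlans
        self.secure_macs.add(mac)
        return True, vlans

    def set_dynamic_vlan(self, enabled):
        """Changing the dynamic VLAN status clears all authenticated addresses."""
        self.dynamic_vlan = enabled
        self.secure_macs.clear()
        self.port_vlans = None
```

The PAP helper normalises colon- or dot-separated input so that the entry on the RADIUS server and the credential the switch sends agree byte for byte; a lower-case or differently delimited entry on the server would fail every authentication on the port.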
network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.
Syntax
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
None
Command Mode
Interface Configuration
Command Usage
◆ Entries in the MAC address filter table can be configured with the network-access mac-filter command.
◆ Only one filter table can be assigned to a port.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Syntax
mac-authentication intrusion-action { block-traffic | pass-traffic }
no mac-authentication intrusion-action
Default Setting
Block Traffic
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication intrusion-action block-traffic
Console(config-if)#
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed. (Range: 1-1024)
Default Setting
1024
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#
clear network-access
Use this command to clear entries from the secure MAC addresses table.
Syntax
clear network-access mac-address-table [ static | dynamic ] [ address mac-address ] [ interface interface ]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear network-access mac-address-table interface ethernet 1/1
Console#
show network-access
Use this command to display the MAC authentication settings for port interfaces.
Syntax
show network-access [ interface interface ]
interface - Specifies a port interface.
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
Displays the settings for all interfaces.
Command Mode
Privileged Exec
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC address Aging : Disabled
Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion action : Block traffic
MAC Authentication Maximum MAC Counts : 1024
Maximum MAC Counts : 2048
Dynamic VLAN Assignment : Enabled
Dynamic QoS Assignment : Disabled
MAC Filter ID : Disabled
Guest VLAN : Disabled
Link Detection : Disabled
Detection Mode : Link-down
Detection Action : Trap
Console#
show network-access mac-address-table
Use this command to display secure MAC address table entries.
Syntax
show network-access mac-address-table [ static | dynamic ] [ address mac-address [ mask ]] [ interface interface ] [ sort { address | interface }]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
mask - Specifies a MAC address bit mask for filtering displayed addresses.
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
sort - Sorts displayed entries by either MAC address or interface.
Default Setting
Displays all filters.
Command Mode
Privileged Exec
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.
Example
Console#show network-access mac-address-table
---- ----------------- --------------- --------- -------------------------
Port MAC-Address RADIUS-Server Attribute Time
---- ----------------- --------------- --------- -------------------------
1/1 00-00-01-02-03-04 172.155.120.17 Static 00d06h32m50s
1/1 00-00-01-02-03-05 172.155.120.17 Dynamic 00d06h33m20s
1/1 00-00-01-02-03-06 172.155.120.17 Static 00d06h35m10s
1/3 00-00-01-02-03-07 172.155.120.17 Dynamic 00d06h34m20s
Console#
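The mask rule from Command Usage, applied to the example output above, as an added example (not code from the guide or the switch): the sample rows are embedded as a constructed string, and the command's address/mask and interface filters are mimicked in Python, including the address range a mask selects.

```python
"""MAC address bit-mask matching for "show network-access mac-address-table".
Added example, not part of the guide: applies the care/don't-care mask rule to
the rows of the example output above (copied here as a constructed string) and
computes the address range a given address/mask pair selects.
"""

SAMPLE_OUTPUT = """\
Port MAC-Address       RADIUS-Server  Attribute Time
---- ----------------- -------------- --------- ------------
1/1  00-00-01-02-03-04 172.155.120.17 Static    00d06h32m50s
1/1  00-00-01-02-03-05 172.155.120.17 Dynamic   00d06h33m20s
1/1  00-00-01-02-03-06 172.155.120.17 Static    00d06h35m10s
1/3  00-00-01-02-03-07 172.155.120.17 Dynamic   00d06h34m20s
"""

ALL_BITS = (1 << 48) - 1


def mac_to_int(mac):
    """Parse xx-xx-xx-xx-xx-xx (either case) into a 48-bit integer."""
    parts = mac.split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address format: {mac!r}")
    return int("".join(parts), 16)


def int_to_mac(value):
    """Format a 48-bit integer in the guide's XX-XX-XX-XX-XX-XX notation."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_matches(candidate, address, mask):
    """True when candidate equals address on every bit that is 1 ("care") in mask."""
    m = mac_to_int(mask)
    return (mac_to_int(candidate) & m) == (mac_to_int(address) & m)


def mask_range(address, mask):
    """Lowest and highest address selected by address/mask."""
    a, m = mac_to_int(address), mac_to_int(mask)
    low = a & m
    return int_to_mac(low), int_to_mac(low | (~m & ALL_BITS))


def parse_table(text):
    """Rows of the show output as dicts; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0][0].isdigit():
            rows.append(dict(zip(("port", "mac", "server", "attr", "time"), fields)))
    return rows


def filter_rows(rows, address, mask="FF-FF-FF-FF-FF-FF", interface=None):
    """Mimic the [address mac-address [mask]] and [interface] filters of the command."""
    return [r for r in rows
            if mac_matches(r["mac"], address, mask)
            and (interface is None or r["port"] == interface)]


if __name__ == "__main__":
    rows = parse_table(SAMPLE_OUTPUT)
    print(mask_range("00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
    for r in filter_rows(rows, "00-00-01-02-03-04", "FF-FF-FF-00-00-00", interface="1/1"):
        print(r["port"], r["mac"], r["attr"])
```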
show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.
Syntax
show network-access mac-filter [ filter-id ]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
Displays all filters.
Command Mode
Privileged Exec
Example
Console#show network-access mac-filter
Filter ID MAC Address MAC Mask
--------- ----------------- -----------------
1 00-00-01-02-03-08 FF-FF-FF-FF-FF-FF
Console#
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked. The switch intercepts HTTP protocol traffic and redirects it to a switch-generated web page that facilitates user name and password authentication via RADIUS. Once authentication is successful, the web browser is forwarded on to the originally requested web page. Successful authentication is valid for all hosts connected to the port.
Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 168 ).
Note: Web authentication cannot be configured on trunk ports.
Table 49: Web Authentication
Command                          Mode  Function
-------------------------------  ----  --------
web-auth login-attempts          GC    Defines the limit for failed web authentication login attempts
web-auth quiet-period            GC    Defines the amount of time to wait after the limit for failed login attempts is exceeded
web-auth session-timeout         GC    Defines the amount of time a session remains valid
web-auth system-auth-control     GC    Enables web authentication globally for the switch
web-auth                         IC    Enables web authentication for an interface
web-auth re-authenticate (Port)  PE    Ends all web authentication sessions on the port and forces the users to re-authenticate
web-auth re-authenticate (IP)    PE    Ends the web authentication session associated with the designated IP address and forces the user to re-authenticate
show web-auth                    PE    Displays global web authentication parameters
show web-auth interface          PE    Displays interface-specific web authentication parameters and statistics
show web-auth summary            PE    Displays a summary of web authentication port parameters and statistics
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts. (Range: 1-3)
Default Setting
3 login attempts
Command Mode
Global Configuration
Example
Console(config)#web-auth login-attempts 2
Console(config)#
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again. (Range: 1-180 seconds)
Default Setting
60 seconds
Command Mode
Global Configuration
Example
Console(config)#web-auth quiet-period 120
Console(config)#
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Syntax
web-auth session-timeout timeout
no web-auth session-timeout
timeout - The amount of time that an authenticated session remains valid. (Range: 300-3600 seconds, or 0 for disabled)
Default Setting
3600 seconds
Command Mode
Global Configuration
Example
Console(config)#web-auth session-timeout 1800
Console(config)#
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Syntax
[ no ] web-auth system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
Example
Console(config)#web-auth system-auth-control
Console(config)#
web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[ no ] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
Example
Console(config-if)#web-auth
Console(config-if)#
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2
Console#
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
ip - IPv4 formatted IP address
Default Setting
None
Command Mode
Privileged Exec
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#
show web-auth
This command displays global web authentication parameters.
Command Mode
Privileged Exec
Example
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout : 3600
Quiet Period : 60
Max Login Attempts : 3
Console#
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status : Enabled
Host Summary
IP address Web-Auth-State Remaining-Session-Time
--------------- -------------- ----------------------
1.1.1.1 Authenticated 295
1.1.1.2 Authenticated 111
Console#
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port Status Authenticated Host Count
---- ------ ------------------------
1/ 1 Disabled 0
1/ 2 Enabled 8
1/ 3 Disabled 0
1/ 4 Disabled 0
1/ 5 Disabled 0
.
.
DHCP Snooping
DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
Table 50: DHCP Snooping Commands
Command                                Mode  Function
-------------------------------------  ----  --------
ip dhcp snooping                       GC    Enables DHCP snooping globally
ip dhcp snooping information option    GC    Enables or disables DHCP Option 82 information relay
ip dhcp snooping information policy    GC    Sets the information option policy for DHCP client packets that include Option 82 information
ip dhcp snooping verify mac-address    GC    Verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header
ip dhcp snooping vlan                  GC    Enables DHCP snooping on the specified VLAN
ip dhcp snooping trust                 IC    Configures the specified interface as trusted
clear ip dhcp snooping database flash  PE    Removes all dynamically learned snooping entries from flash memory
ip dhcp snooping database flash        PE    Writes all dynamically learned snooping entries to flash memory
show ip dhcp snooping                  PE    Shows the DHCP snooping configuration settings
show ip dhcp snooping binding          PE    Shows the DHCP snooping binding table entries
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
[ no ] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall. When DHCP snooping is enabled globally by this command, and enabled on a VLAN interface by the ip dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ip dhcp snooping trust command) from a device not listed in the DHCP snooping table will be dropped.
◆ When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IP address, lease time, VLAN identifier, and port identifier.
◆ Filtering rules are implemented as follows:
■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
  ■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
  ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
  ■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command). However, if MAC address verification is enabled, then the packet will only be forwarded if the client’s hardware address stored in the DHCP packet is the same as the source MAC address in the Ethernet header.
  ■ If the DHCP packet is not a recognizable type, it is dropped.
■ If a DHCP packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.
■ If a DHCP packet from a server is received on a trusted port, it will be forwarded to both trusted and untrusted ports in the same VLAN.
◆ If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (using the ip dhcp snooping trust command). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (246)
ip dhcp snooping trust (247)
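The filtering rules listed under Command Usage, modelled as an added Python example (not code from the switch firmware or its vendor): the packets, VLAN membership and the client-MAC-to-port lookup are constructed stand-ins, and the way client packets arriving on a trusted port are relayed is an assumption marked in the code.

```python
"""DHCP snooping forwarding rules, modelled in Python.
Added example, not code from the switch firmware or its vendor: it encodes the
decision rules listed above (global/VLAN enable, trusted ports, message type,
MAC verification, binding table) so they can be exercised on constructed packets.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}


@dataclass
class Binding:  # one row of "show ip dhcp snooping binding"
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class Snooping:
    enabled: bool = False                          # ip dhcp snooping
    vlans: set = field(default_factory=set)        # ip dhcp snooping vlan
    trusted: set = field(default_factory=set)      # ip dhcp snooping trust
    verify_mac: bool = True                        # ip dhcp snooping verify mac-address
    bindings: list = field(default_factory=list)
    mac_table: dict = field(default_factory=dict)  # constructed: client MAC -> port

    def disable_global(self):
        self.enabled = False
        self.bindings.clear()                      # all dynamic bindings are removed

    def disable_vlan(self, vlan):
        self.vlans.discard(vlan)
        self.bindings = [b for b in self.bindings if b.vlan != vlan]


@dataclass
class DhcpPacket:
    msg_type: str
    vlan: int
    in_port: str
    src_mac: str      # source address in the Ethernet header
    chaddr: str       # client hardware address in the DHCP payload
    yiaddr: str = ""  # address assigned by the server (ACK)
    lease: int = 0


def snoop(cfg, pkt, vlan_ports):
    """Return (verdict, egress_ports); vlan_ports maps VLAN id -> member ports."""
    members = vlan_ports.get(pkt.vlan, set()) - {pkt.in_port}
    trusted = members & cfg.trusted
    if not cfg.enabled or pkt.vlan not in cfg.vlans:
        return "forward", members                  # snooping inactive: plain forwarding
    if pkt.in_port in cfg.trusted:
        if pkt.msg_type == "ACK":                  # learn a dynamic binding
            cfg.bindings.append(Binding(pkt.chaddr, pkt.yiaddr, pkt.lease, pkt.vlan,
                                        cfg.mac_table.get(pkt.chaddr, "?")))
        # Server replies reach every port in the VLAN; client packets arriving on a
        # trusted port are relayed to the other trusted ports (assumption).
        return "forward", members if pkt.msg_type in SERVER_MSGS else trusted
    if pkt.msg_type in SERVER_MSGS:                # untrusted port from here on
        return "drop:server-msg-on-untrusted-port", set()
    if pkt.msg_type not in CLIENT_MSGS:
        return "drop:unrecognised-type", set()
    if cfg.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop:mac-verify", set()
    if pkt.msg_type in {"DECLINE", "RELEASE"} and not any(
            b.vlan == pkt.vlan and b.mac.lower() == pkt.chaddr.lower() for b in cfg.bindings):
        return "drop:no-binding", set()
    return "forward", trusted                      # client packets only reach trusted ports


def demo():
    """Constructed scenario: DHCP server behind trusted 1/5, clients on 1/1 and 1/2."""
    cfg = Snooping(enabled=True, vlans={1}, trusted={"1/5"}, mac_table={"11-22-33-44-55-66": "1/1"})
    ports = {1: {"1/1", "1/2", "1/3", "1/5"}}
    c = "11-22-33-44-55-66"
    r = {}
    r["rogue_offer"] = snoop(cfg, DhcpPacket("OFFER", 1, "1/2", "aa-bb-cc-00-00-01", c), ports)[0]
    r["spoofed_discover"] = snoop(cfg, DhcpPacket("DISCOVER", 1, "1/1", "aa-bb-cc-00-00-09", c), ports)[0]
    r["discover"] = snoop(cfg, DhcpPacket("DISCOVER", 1, "1/1", c, c), ports)
    r["release_before_ack"] = snoop(cfg, DhcpPacket("RELEASE", 1, "1/1", c, c), ports)[0]
    r["ack"] = snoop(cfg, DhcpPacket("ACK", 1, "1/5", "00-50-00-00-00-01", c, "192.168.0.99", 86400), ports)
    r["release_after_ack"] = snoop(cfg, DhcpPacket("RELEASE", 1, "1/1", c, c), ports)[0]
    r["bindings"] = [(b.mac, b.ip, b.vlan, b.port) for b in cfg.bindings]
    cfg.disable_global()
    r["after_disable"] = len(cfg.bindings)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```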
ip dhcp snooping information option
This command enables the DHCP Option 82 information relay for the switch. Use the no form to disable this function.
Syntax
[ no ] ip dhcp snooping information option
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When the DHCP Snooping Information Option is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server by the switch port to which they are connected rather than just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled on the switch for the DHCP Option 82 information to be inserted into packets.
◆ Use the ip dhcp snooping information policy command to specify how to handle DHCP client request packets which already contain Option 82 information.
Example
This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.
Syntax
ip dhcp snooping information policy { drop | keep | replace }
no ip dhcp snooping information policy
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
replace - Replaces the Option 82 information circuit-id and remote-id fields in the client’s request with information about the relay agent itself, inserts the relay agent’s address (when DHCP snooping is enabled), and forwards the packets to trusted ports.
Default Setting
replace
Command Mode
Global Configuration
Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Example
Console(config)#ip dhcp snooping information policy drop
Console(config)#
ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
Syntax
[ no ] ip dhcp snooping verify mac-address
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client’s hardware address in the DHCP packet, the packet is dropped.
Example
This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
Related Commands
ip dhcp snooping (242)
ip dhcp snooping vlan (246)
ip dhcp snooping trust (247)
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Syntax
[ no ] ip dhcp snooping vlan vlan-id
vlan-id - ID of a configured VLAN (Range: 1-4093)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command.
◆ When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
◆ When DHCP snooping is globally enabled, and DHCP snooping is then disabled on a specific VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.
Example
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#
Related Commands
ip dhcp snooping (242)
ip dhcp snooping trust (247)
ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Syntax
[ no ] ip dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCP servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with the ip dhcp snooping vlan command, DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
ip dhcp snooping (242)
ip dhcp snooping vlan (246)
clear ip dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.
Command Mode
Privileged Exec
Example
Console#clear ip dhcp snooping database flash
Console#
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Privileged Exec
Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
Example
Console#ip dhcp snooping database flash
Console#
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
1
Verify Source Mac-Address: enable
Interface Trusted
---------- ----------
Eth 1/1 No
Eth 1/2 No
Eth 1/3 No
Eth 1/4 No
Eth 1/5 Yes
.
.
.
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- ------
11-22-33-44-55-66 192.168.0.99 0 Dynamic-DHCPSNP 1 Eth 1/5
Console#
IP Source Guard
IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping” on page 242 ). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network. This section describes commands used to configure IP Source Guard.
Table 51: IP Source Guard Commands
Command                       Mode  Function
----------------------------  ----  --------
ip source-guard binding       GC    Adds a static address to the source-guard binding table
ip source-guard               IC    Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address
ip source-guard max-binding   IC    Sets the maximum number of entries that can be bound to an interface
show ip source-guard          PE    Shows whether source guard is enabled or disabled on each interface
show ip source-guard binding  PE    Shows the source guard binding table
ip source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.
Syntax
ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port
no ip source-guard binding mac-address vlan vlan-id
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4093)
ip-address - A valid unicast IP address, including classful types A, B or C.
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command ( page 254 ).
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ Static bindings are processed as follows:
■ If there is no entry with same VLAN ID and MAC address, a new entry is added to binding table using the type of static IP source guard binding.
■ If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
■ If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
Example
This example configures a static source-guard binding on port 5.
Console(config)#ip source-guard binding 00-ab-cd-11-22-33 vlan 1 192.168.0.99 interface ethernet 1/5
Console(config)#
Related Commands
ip source-guard (252)
ip dhcp snooping (242)
ip dhcp snooping vlan (246)
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard { sip | sip-mac }
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
◆ Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port. Use the “sip” option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the “sip-mac” option to check these same parameters, plus the source MAC address. Use the no ip source-guard command to disable this function on the selected port.
◆ When enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table.
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ Static addresses entered in the source guard binding table with the ip source-guard binding command ( page 250 ) are automatically configured with an infinite lease time. Dynamic entries learned via DHCP snooping are configured by the DHCP server itself.
◆ If the IP source guard is enabled, an inbound packet’s IP address (sip option) or both its IP address and corresponding MAC address (sip-mac option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
◆ Filtering rules are implemented as follows:
■ If DHCP snooping is disabled (see page 242 ), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, or dynamic DHCP snooping binding, the packet will be forwarded.
■ If IP source guard is enabled on an interface for which IP source bindings (dynamically learned via DHCP snooping or manually configured) are not yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
■ Only unicast addresses are accepted for static bindings.
Example
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#
Related Commands
ip source-guard binding (250)
ip dhcp snooping (242)
ip dhcp snooping vlan (246)
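The static-binding replacement rules of ip source-guard binding and the sip/sip-mac filtering rules of ip source-guard, as one added Python example (not code from the switch or its vendor): the entries, ports and the learn_dynamic helper that stands in for DHCP snooping are constructed.

```python
"""IP Source Guard binding table and filter rules, modelled in Python.
Added example, not code from the switch or its vendor: it implements the
static-binding replacement rules of "ip source-guard binding" and the
sip / sip-mac checks of "ip source-guard" on constructed entries.
"""
from dataclasses import dataclass

STATIC = "Static-IP-SG-Binding"
DYNAMIC = "Dynamic-DHCP-Binding"


@dataclass
class Entry:  # one row of "show ip source-guard binding"
    mac: str
    ip: str
    lease: int   # 0 means an infinite (static) lease
    kind: str    # STATIC or DYNAMIC
    vlan: int
    port: str


class SourceGuard:
    def __init__(self):
        self.entries = []
        self.mode = {}               # port -> "sip" | "sip-mac"; absent means disabled
        self.dhcp_snooping = False   # ip dhcp snooping

    def add_static(self, mac, vlan, ip, port):
        """ip source-guard binding: an entry with the same VLAN and MAC is replaced."""
        mac = mac.lower()
        new = Entry(mac, ip, 0, STATIC, vlan, port)
        for i, e in enumerate(self.entries):
            if e.vlan == vlan and e.mac == mac:
                self.entries[i] = new   # old static or dynamic entry: type becomes static
                return new
        self.entries.append(new)
        return new

    def learn_dynamic(self, mac, vlan, ip, port, lease):
        """Constructed helper standing in for an entry learned by DHCP snooping."""
        self.entries.append(Entry(mac.lower(), ip, lease, DYNAMIC, vlan, port))

    def check(self, port, vlan, src_ip, src_mac, is_dhcp=False):
        """Verdict for one inbound IP packet: 'forward' or 'drop:<reason>'."""
        mode = self.mode.get(port)
        if mode is None or is_dhcp:
            return "forward"             # guard disabled on the port, or DHCP (always allowed)
        bound = [e for e in self.entries if e.port == port]
        if not bound:
            return "drop:no-bindings-on-port"   # nothing bound yet: all IP traffic dropped
        # Dynamic DHCP snooping entries only count while DHCP snooping is enabled.
        allowed = {STATIC, DYNAMIC} if self.dhcp_snooping else {STATIC}
        for e in bound:
            if e.vlan != vlan or e.ip != src_ip or e.kind not in allowed:
                continue
            if mode == "sip-mac" and e.mac != src_mac.lower():
                continue
            return "forward"
        return "drop:no-matching-binding"


def demo():
    """Constructed scenario on port 1/5 (guarded) and 1/6 (unguarded)."""
    g = SourceGuard()
    g.mode["1/5"] = "sip"                # ip source-guard sip on ethernet 1/5
    mac, ip = "00-ab-cd-11-22-33", "192.168.0.99"
    r = {}
    r["empty_port"] = g.check("1/5", 1, ip, mac)
    r["dhcp_on_empty_port"] = g.check("1/5", 1, "0.0.0.0", mac, is_dhcp=True)
    g.learn_dynamic(mac, 1, ip, "1/5", 86400)
    r["dynamic_snooping_off"] = g.check("1/5", 1, ip, mac)
    g.dhcp_snooping = True
    r["dynamic_snooping_on"] = g.check("1/5", 1, ip, mac)
    e = g.add_static(mac.upper(), 1, ip, "1/5")   # replaces the dynamic entry
    r["after_static"] = (len(g.entries), e.kind, e.lease)
    r["neighbour_ip"] = g.check("1/5", 1, "192.168.0.50", mac)
    g.mode["1/5"] = "sip-mac"
    r["wrong_mac_sip_mac"] = g.check("1/5", 1, ip, "00-00-00-00-00-01")
    r["valid_sip_mac"] = g.check("1/5", 1, ip, mac)
    r["unguarded_port"] = g.check("1/6", 1, "10.0.0.1", "00-00-00-00-00-02")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```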
ip source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
Syntax
ip source-guard max-binding number
no ip source-guard max-binding
number - The maximum number of IP addresses that can be mapped to an interface in the binding table. (Range: 1-5)
Default Setting
5
Command Mode
Interface Configuration (Ethernet)
Command Usage
This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard binding command.
Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard max-binding 1
Console(config-if)#
show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.
Command Mode
Privileged Exec
Example
Console#show ip source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1 DISABLED 5
Eth 1/2 DISABLED 5
Eth 1/3 DISABLED 5
Eth 1/4 DISABLED 5
Eth 1/5 SIP 1
Eth 1/6 DISABLED 5
.
.
show ip source-guard binding
This command shows the source guard binding table.
Syntax
show ip source-guard binding [ dhcp-snooping | static ]
dhcp-snooping - Shows dynamic entries configured with DHCP Snooping commands (see page 242 ).
static - Shows static entries configured with the ip source-guard binding command (see page 250 ).
Command Mode
Privileged Exec
Example
Console#show ip source-guard binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- --------------- ---------- -------------------- ---- --------
11-22-33-44-55-66 192.168.0.99 0 Static 1 Eth 1/5
Console#
ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database – the DHCP snooping binding database. ARP Inspection can also validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.
This section describes commands used to configure ARP Inspection.
Table 52: ARP Inspection Commands
Command                               Mode  Function
------------------------------------  ----  --------
ip arp inspection                     GC    Enables ARP Inspection globally on the switch
ip arp inspection filter              GC    Specifies an ARP ACL to apply to one or more VLANs
ip arp inspection log-buffer logs     GC    Sets the maximum number of entries saved in a log message, and the rate at which these messages are sent
ip arp inspection validate            GC    Specifies additional validation of address components in an ARP packet
ip arp inspection vlan                GC    Enables ARP Inspection for a specified VLAN or range of VLANs
ip arp inspection limit               IC    Sets a rate limit for the ARP packets received on a port
ip arp inspection trust               IC    Sets a port as trusted, and thus exempted from ARP Inspection
show ip arp inspection configuration  PE    Displays the global configuration settings for ARP Inspection
show ip arp inspection interface      PE    Shows the trust status and inspection rate limit for ports
show ip arp inspection log            PE    Shows information about entries stored in the log, including the associated VLAN, port, and address components
show ip arp inspection statistics     PE    Shows statistics about the number of ARP packets processed, or dropped for various reasons
show ip arp inspection vlan           PE    Shows configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed
ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to disable this function.
Syntax
[ no ] ip arp inspection
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the
ARP Inspection engine and their manner of switching matches that of all other packets.
◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection
Console(config)#
ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan { vlan-id | vlan-range } [ static ]
no ip arp inspection filter arp-acl-name vlan { vlan-id | vlan-range }
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
static - ARP packets are only validated against the specified ACL; address bindings in the DHCP snooping database are not checked.
Default Setting
ARP ACLs are not bound to any VLAN
Static mode is not enabled
Command Mode
Global Configuration
Command Usage
◆ ARP ACL configuration commands are described under “ARP ACLs” on page 288 .
◆ If static mode is enabled, the switch compares ARP packets to the specified ARP
ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
◆ If static mode is not enabled, packets are first validated against the specified
ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database.
Example
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#
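The static and non-static decision paths described under Command Usage, modelled as an added example (this is not the switch's own code). The ARP ACL rule shape (permit or deny on one IP-to-MAC pair), first-match rule order, the binding table as a set of IP/MAC pairs, and the reading that in non-static mode every packet not denied by the ACL is then checked against the DHCP snooping bindings are assumptions made for illustration:

```python
"""Added example: models the 'ip arp inspection filter' decision with and
without the static keyword. Not the switch's own code; rule shape, first-match
order and the binding-table format are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpAclRule:
    action: str  # "permit" or "deny"
    ip: str
    mac: str


def _norm_mac(mac: str) -> str:
    """Normalise 'AA:BB:..' / 'aa-bb-..' to one lower-case, dash-separated form."""
    return mac.lower().replace(":", "-")


def _acl_action(rules: Iterable[ArpAclRule], ip: str, mac: str) -> Optional[str]:
    """Action of the first rule whose IP-to-MAC binding matches, or None."""
    for rule in rules:
        if rule.ip == ip and _norm_mac(rule.mac) == _norm_mac(mac):
            return rule.action
    return None


def inspect_arp(ip: str, mac: str, acl: Iterable[ArpAclRule],
                dhcp_bindings: Set[Tuple[str, str]], static: bool = False) -> str:
    """Return 'forward' or 'drop' for an ARP packet carrying sender binding (ip, mac).

    static=True : the ACL is the only authority. permit -> forward; deny or no
                  matching rule -> drop. The DHCP snooping table is not consulted.
    static=False: a matching deny rule drops the packet; everything else is then
                  checked against the DHCP snooping bindings (assumption: a
                  binding present in the table forwards, anything else drops).
    """
    action = _acl_action(acl, ip, mac)
    if static:
        return "forward" if action == "permit" else "drop"
    if action == "deny":
        return "drop"
    known = {(b_ip, _norm_mac(b_mac)) for b_ip, b_mac in dhcp_bindings}
    return "forward" if (ip, _norm_mac(mac)) in known else "drop"


# Constructed sample data (not from a real network).
SALES_ACL = [
    ArpAclRule("permit", "192.168.0.10", "00-11-22-33-44-55"),  # statically addressed server
    ArpAclRule("deny", "192.168.0.20", "00-11-22-33-44-66"),    # pairing the operator rejects
]
DHCP_BINDINGS = {
    ("192.168.0.10", "00-11-22-33-44-55"),
    ("192.168.0.30", "00-11-22-33-44-77"),  # DHCP-learned client
}

if __name__ == "__main__":
    for static in (True, False):
        for ip, mac in [("192.168.0.10", "00-11-22-33-44-55"),
                        ("192.168.0.30", "00-11-22-33-44-77"),
                        ("192.168.0.30", "00-11-22-33-44-99")]:  # MAC claiming another host's IP
            verdict = inspect_arp(ip, mac, SALES_ACL, DHCP_BINDINGS, static)
            print(f"static={static!s:5} {ip:13} {mac} -> {verdict}")
```

The third sample pair is the case ARP Inspection exists for: a MAC answering for an IP that the DHCP snooping table has bound to a different MAC is dropped in non-static mode, and in static mode it is dropped simply because no ACL rule permits it.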
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message. (Range: 0-256, where 0 means no events are saved and no messages sent)
seconds - The interval at which log messages are sent. (Range: 0-86400)
Default Setting
Message Number: 5
Interval: 1 second
Command Mode
Global Configuration
Command Usage
◆ ARP Inspection must be enabled with the ip arp inspection command before this command will be accepted by the switch.
◆ By default, logging is active for ARP Inspection, and cannot be disabled.
◆ When the switch drops a packet, it places an entry in the log buffer. Each entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message.
◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
◆ The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer.
Example
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate { dst-mac [ ip ] [ src-mac ] | ip [ src-mac ] | src-mac }
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ip - Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
src-mac - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
Default Setting
No additional validation is performed
Command Mode
Global Configuration
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.
Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#
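The three additional validations, applied to raw Ethernet/ARP frames, as an added example that is not the switch's own code. The frame builder, the parser and the sample frames are constructed for this example; the checks themselves follow the dst-mac, ip and src-mac descriptions above, including the detail that target addresses are only examined in ARP responses:

```python
"""Added example: applies the 'ip arp inspection validate' checks (src-mac,
dst-mac, ip) to an Ethernet/ARP frame. Not the switch's own code; the frame
builder and the sample frames below are constructed for this example."""
import ipaddress
import struct
from typing import Dict, List

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp_frame(eth_src: str, eth_dst: str, op: int,
                    sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet II frame carrying an IPv4-over-Ethernet ARP body (42 bytes)."""
    eth_hdr = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    body = (_mac(sha) + ipaddress.IPv4Address(spa).packed
            + _mac(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth_hdr + arp_hdr + body


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into the Ethernet header fields and the ARP body fields."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
        "sha": frame[22:28], "spa": ipaddress.IPv4Address(frame[28:32]),
        "tha": frame[32:38], "tpa": ipaddress.IPv4Address(frame[38:42]),
    }


def _invalid_ip(addr: ipaddress.IPv4Address) -> bool:
    """Addresses the 'ip' option rejects: 0.0.0.0, 255.255.255.255 and multicast."""
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)


def validate_arp(frame: bytes, src_mac: bool = False, dst_mac: bool = False,
                 ip: bool = False) -> List[str]:
    """Return the names of the enabled checks the frame fails ([] = frame passes)."""
    p = parse_arp_frame(frame)
    failed = []
    # src-mac: Ethernet source must equal the ARP sender MAC, requests and replies alike
    if src_mac and p["eth_src"] != p["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination must equal the ARP target MAC, replies only
    if dst_mac and p["op"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        failed.append("dst-mac")
    # ip: sender IP checked in every packet, target IP only in replies
    if ip and (_invalid_ip(p["spa"]) or (p["op"] == ARP_REPLY and _invalid_ip(p["tpa"]))):
        failed.append("ip")
    return failed


# Constructed sample frames (not captured traffic).
GOOD_REPLY = build_arp_frame("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", ARP_REPLY,
                             "00-11-22-33-44-55", "192.168.1.10",
                             "00-aa-bb-cc-dd-ee", "192.168.1.1")
# Ethernet source and ARP sender MAC disagree, which is what src-mac detects
SRC_MISMATCH = build_arp_frame("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", ARP_REPLY,
                               "00-de-ad-be-ef-01", "192.168.1.10",
                               "00-aa-bb-cc-dd-ee", "192.168.1.1")
# Reply addressed to broadcast while the ARP body names a unicast target
DST_MISMATCH = build_arp_frame("00-11-22-33-44-55", "ff-ff-ff-ff-ff-ff", ARP_REPLY,
                               "00-11-22-33-44-55", "192.168.1.10",
                               "00-aa-bb-cc-dd-ee", "192.168.1.1")
# Request with sender IP 0.0.0.0 fails 'ip'; a request whose target is multicast does not
ZERO_SENDER = build_arp_frame("00-11-22-33-44-55", "ff-ff-ff-ff-ff-ff", ARP_REQUEST,
                              "00-11-22-33-44-55", "0.0.0.0",
                              "00-00-00-00-00-00", "192.168.1.1")
MCAST_TARGET_REQ = build_arp_frame("00-11-22-33-44-55", "ff-ff-ff-ff-ff-ff", ARP_REQUEST,
                                   "00-11-22-33-44-55", "192.168.1.10",
                                   "00-00-00-00-00-00", "224.0.0.1")

if __name__ == "__main__":
    for name, frame in [("good reply", GOOD_REPLY), ("src mismatch", SRC_MISMATCH),
                        ("dst mismatch", DST_MISMATCH), ("zero sender", ZERO_SENDER),
                        ("multicast target request", MCAST_TARGET_REQ)]:
        print(f"{name:25s} -> {validate_arp(frame, src_mac=True, dst_mac=True, ip=True)}")
```

Note that with no option enabled `validate_arp` reports nothing, which mirrors the default setting: the binding check against the ARP ACL or DHCP snooping database is separate from these header-consistency checks.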
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
Syntax
[ no ] ip arp inspection vlan { vlan-id | vlan-range }
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all
ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the
ARP Inspection engine and their manner of switching matches that of all other packets.
◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP
Inspection configuration for any VLANs.
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP
Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
Syntax
ip arp inspection limit { rate pps | none }
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports. (Range: 0-2048, where 0 means that no ARP packets can be forwarded)
none - There is no limit on the number of ARP packets that can be processed by the CPU.
Default Setting
15
Command Mode
Interface Configuration (Port)
Command Usage
◆ This command only applies to trusted or untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection limit rate 150
Console(config-if)#
ip arp inspection trust
This command sets a port as trusted, and thus exempted from ARP Inspection. Use the no form to restore the default setting.
Syntax
[ no ] ip arp inspection trust
Default Setting
Untrusted
Command Mode
Interface Configuration (Port)
Command Usage
Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#
show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status : disabled
Log Message Interval : 10 s
Log Message Number : 1
Need Additional Validation(s) : Yes
Additional Validation Type : Destination MAC address
Console#
show ip arp inspection interface
This command shows the trust status and ARP Inspection rate limit for ports.
Syntax
show ip arp inspection interface [ interface ]
interface ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show ip arp inspection interface ethernet 1/1
Port Number Trust Status Limit Rate (pps)
------------- -------------------- ------------------------------
Eth 1/1 trusted 150
Console#
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address Src MAC Address Dst MAC Address
--- ---- ---- -------------- -------------- --------------- --------------
1 1 11 192.168.2.2 192.168.2.1 00-04-E2-A0-E2-7C FF-FF-FF-FF-FF-FF
Console#
show ip arp inspection statistics
This command shows statistics about the number of ARP packets processed, or dropped for various reasons.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection statistics
ARP packets received before rate limit : 150
ARP packets dropped due to rate limt : 5
Total ARP packets processed by ARP Inspection : 150
ARP packets dropped by additional validation (source MAC address) : 0
ARP packets dropped by additional validation (destination MAC address): 0
ARP packets dropped by additional validation (IP address) : 0
ARP packets dropped by ARP ACLs : 0
ARP packets dropped by DHCP snooping : 0
Console#
show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP
Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed.
Syntax
show ip arp inspection vlan [ vlan-id | vlan-range ]
vlan-id - VLAN ID. (Range: 1-4093)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection vlan 1
VLAN ID DAI Status ACL Name ACL Status
-------- --------------- -------------------- --------------------
1 disabled sales static
Console#
Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all. In general, DoS attacks are implemented either by forcing the target to reset, by consuming most of its resources so that it can no longer provide its intended service, or by obstructing the communication media between the intended users and the target so that they can no longer communicate adequately.
This section describes commands used to protect against DoS attacks.
Table 53: DoS Protection Commands
Command                 Mode  Function
----------------------  ----  --------------------------------------------------------------
flow tcp-udp-port-zero  GC    Protects against attacks which set the Layer 4 source or destination port to zero
show flow               PE    Shows the action taken against attacks which set the Layer 4 source or destination port to zero
flow tcp-udp-port-zero
This command protects against DoS attacks in which the UDP or TCP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device. Use the no form to restore the default setting.
Syntax
flow tcp-udp-port-zero { drop | forward }
no flow tcp-udp-port-zero
drop – Drops all packets with the Layer 4 source port or destination port set to zero.
forward – Forwards all packets with the Layer 4 source port or destination port set to zero.
Default Setting
Drop
Command Mode
Global Configuration
Note: This switch cannot trap packets where both the source port and destination port are set to zero.
Example
Console(config)#flow tcp-udp-port-zero forward
Console(config)#
show flow
This command shows the action taken against attacks which set the Layer 4 source or destination port to zero.
Command Mode
Privileged Exec
Example
Console#show flow
TCP/UDP port-zero action : drop
Console#
Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
Table 54: Commands for Configuring Traffic Segmentation
Command                    Mode  Function
-------------------------  ----  ------------------------------------------
traffic-segmentation       GC    Enables and configures traffic segmentation
show traffic-segmentation  PE    Displays the configured traffic segments
traffic-segmentation
This command enables traffic segmentation globally, or configures the uplink and down-link ports for a segmented group of ports. Use the no form to disable traffic segmentation globally.
Syntax
[ no ] traffic-segmentation [ uplink interface-list downlink interface-list ]
uplink – Specifies an uplink interface.
downlink – Specifies a downlink interface.
interface-list – One or more ports. Use a hyphen to indicate a consecutive list of ports or a comma between non-consecutive ports.
Default Setting
Disabled globally
No segmented port groups are defined.
Command Mode
Global Configuration
Command Usage
◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group.
◆ Any port can be defined as an uplink port or downlink port, but cannot be configured to serve both roles.
◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ Enter the traffic-segmentation command without any parameters to enable traffic segmentation. Then set the interface members for segmented groups.
◆ Enter no traffic-segmentation to disable traffic segmentation and clear the configuration settings for segmented groups.
Example
This example enables traffic segmentation, and then sets port 12 as the uplink and ports 5-8 as downlinks.
Console(config)#traffic-segmentation
Console(config)#traffic-segmentation uplink ethernet 1/12 downlink ethernet 1/5-8
Console(config)#
show traffic-segmentation
This command displays the configured traffic segments.
Command Mode
Privileged Exec
Example
Console#show traffic-segmentation
Private VLAN status: Disabled
Up-link Port:
Ethernet 1/12
Down-link Port:
Ethernet 1/5
Ethernet 1/6
Ethernet 1/7
Ethernet 1/8
Console#
9
Access Control Lists
IPv4 ACLs
Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Table 55: Access Control List Commands
Command Group    Function
---------------  --------------------------------------------------------------------------------------
IPv4 ACLs        Configures ACLs based on IPv4 addresses, TCP/UDP port number, protocol type, and TCP control code
IPv6 ACLs        Configures ACLs based on IPv6 addresses, DSCP traffic class, or next header type
MAC ACLs         Configures ACLs based on hardware addresses, packet format, and Ethernet type
ARP ACLs         Configures ACLs based on ARP message addresses
ACL Information  Displays ACLs and associated rules; shows ACLs assigned to each port
The commands in this section configure ACLs based on IPv4 addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IPv4 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Table 56: IPv4 ACL Commands
Command                    Mode          Function
-------------------------  ------------  --------------------------------------------------------------
access-list ip             GC            Creates an IP ACL and enters configuration mode for standard or extended IPv4 ACLs
permit, deny, redirect-to  IPv4-STD-ACL  Filters packets matching a specified source IPv4 address
permit, deny, redirect-to  IPv4-EXT-ACL  Filters packets meeting the specified criteria, including source and destination IPv4 address, TCP/UDP port number, protocol type, and TCP control code
ip access-group            IC            Binds an IPv4 ACL to a port
show ip access-group       PE            Shows port assignments for IPv4 ACLs
show ip access-list        PE            Displays the rules for configured IPv4 ACLs
– 269 –
Chapter 9 | Access Control Lists
IPv4 ACLs
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[ no ] access-list ip { standard | extended } acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
Example
Console(config)#access-list ip standard david
Console(config-std-acl)#
Related Commands
permit, deny, redirect-to (271)
ip access-group (274)
show ip access-list (275)
permit, deny, redirect-to
(Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
{ permit | deny | redirect-to interface }
{ any | source bitmask | host source }
[ time-range time-range-name ]
no { permit | deny | redirect-to interface }
{ any | source bitmask | host source }
interface ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
any – Any source IP address.
source – Source IP address.
bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
Example
This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#
Related Commands access-list ip (270)
Time Range (128)
permit, deny, redirect-to
(Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Syntax
{ permit | deny | redirect-to interface } [ protocol-number | udp ]
{ any | source address-bitmask | host source }
{ any | destination address-bitmask | host destination }
[ precedence precedence ] [ tos tos ] [ dscp dscp ]
[ source-port sport [ port-bitmask ]]
[ destination-port dport [ port-bitmask ]]
[ time-range time-range-name ]
no { permit | deny | redirect-to interface } [ protocol-number | udp ]
{ any | source address-bitmask | host source }
{ any | destination address-bitmask | host destination }
[ precedence precedence ] [ tos tos ] [ dscp dscp ]
[ source-port sport [ port-bitmask ]]
[ destination-port dport [ port-bitmask ]]
{ permit | deny | redirect-to interface } tcp
{ any | source address-bitmask | host source }
{ any | destination address-bitmask | host destination }
[ precedence precedence ] [ tos tos ] [ dscp dscp ]
[ source-port sport [ port-bitmask ]]
[ destination-port dport [ port-bitmask ]]
[ control-flag control-flags flag-bitmask ]
[ time-range time-range-name ]
no { permit | deny | redirect-to interface } tcp
{ any | source address-bitmask | host source }
{ any | destination address-bitmask | host destination }
[ precedence precedence ] [ tos tos ] [ dscp dscp ]
[ source-port sport [ port-bitmask ]]
[ destination-port dport [ port-bitmask ]]
[ control-flag control-flags flag-bitmask ]
interface ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
protocol-number – A specific protocol number. (Range: 0-255)
source – Source IP address.
destination – Destination IP address.
address-bitmask – Decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
precedence – IP precedence level. (Range: 0-7)
tos – Type of Service level. (Range: 0-15)
dscp – DSCP priority level. (Range: 0-63)
sport – Protocol source port number (see note 4 below). (Range: 0-65535)
dport – Protocol destination port number (see note 4 below). (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Extended IPv4 ACL
Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
“match” and 0 bits to indicate “ignore.” The bit mask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
◆ You can specify both Precedence and ToS in the same rule. However, if DSCP is used, then neither Precedence nor ToS can be specified.
◆ The control-code bitmask is a decimal number (representing an equivalent bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit “1” means to match a bit and “0” means to ignore a bit. The following bits may be specified:
■ 1 (fin) – Finish
■ 2 (syn) – Synchronize
■ 4 (rst) – Reset
■ 8 (psh) – Push
■ 16 (ack) – Acknowledgement
■ 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
■ SYN flag valid, use “control-code 2 2”
■ Both SYN and ACK valid, use “control-code 18 18”
■ SYN valid and ACK invalid, use “control-code 2 18”
4. Includes TCP, UDP or other protocol types.
Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. That is, the rule matches when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (for example, 10.7.1.2 & 255.255.255.0), and a matching packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#
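How the address bitmask from Command Usage and the control-code/mask pairs combine into a rule match, shown as an added example rather than the switch's own code. The three rules above are rebuilt as objects and evaluated against constructed packets; the Rule layout, first-match evaluation, the implicit deny for a packet matching no rule, and the treatment of a port given without a bitmask as a full 16-bit match are assumptions:

```python
"""Added example: evaluates Extended IPv4 ACL rules with the bitmask semantics
the text describes (1 bits compared, 0 bits ignored) for addresses, ports and
TCP control flags. Not the switch's own code; Rule layout, first-match order
and the implicit deny are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "0.0.0.0")            # all-zero bitmask: every address matches
TCP_FLAG_BITS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}


def host(addr: str) -> Tuple[str, str]:
    """'host X' is X with a full 32-bit bitmask."""
    return (addr, "255.255.255.255")


def flags(*names: str) -> int:
    """Decimal control-code value for a set of TCP flag names, e.g. flags('syn', 'ack') -> 18."""
    return sum(TCP_FLAG_BITS[n] for n in names)


def mask_match(value: int, rule_value: int, bitmask: int) -> bool:
    """The comparison behind every bitmask on the page: only the 1 bits are compared."""
    return (value & bitmask) == (rule_value & bitmask)


def ip_match(addr: str, rule_addr: str, bitmask: str) -> bool:
    as_int = lambda a: int(ipaddress.IPv4Address(a))
    return mask_match(as_int(addr), as_int(rule_addr), as_int(bitmask))


@dataclass
class Rule:
    action: str                                     # "permit" or "deny"
    src: Tuple[str, str] = ANY                      # (address, address-bitmask)
    dst: Tuple[str, str] = ANY
    protocol: Optional[str] = None                  # "tcp", "udp" or None for any protocol
    sport: Optional[Tuple[int, int]] = None         # (port, port-bitmask)
    dport: Optional[Tuple[int, int]] = None
    control_flag: Optional[Tuple[int, int]] = None  # (control-flags, flag-bitmask), tcp only


def rule_matches(rule: Rule, pkt: Dict[str, Any]) -> bool:
    if rule.protocol is not None and pkt.get("protocol") != rule.protocol:
        return False
    if not ip_match(pkt["src"], *rule.src) or not ip_match(pkt["dst"], *rule.dst):
        return False
    if rule.sport and not mask_match(pkt.get("sport", 0), *rule.sport):
        return False
    if rule.dport and not mask_match(pkt.get("dport", 0), *rule.dport):
        return False
    if rule.control_flag and not mask_match(pkt.get("flags", 0), *rule.control_flag):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Dict[str, Any]) -> str:
    """First matching rule decides; a packet matching no rule is denied (assumption)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# The three rules from the examples above, as Rule objects.
EXT_ACL = [
    Rule("permit", src=("10.7.1.1", "255.255.255.0")),                       # any 10.7.1.x source
    Rule("permit", src=("192.168.1.0", "255.255.255.0"), dport=(80, 65535)),  # to port 80
    Rule("permit", src=("192.168.1.0", "255.255.255.0"), protocol="tcp",
         control_flag=(flags("syn"), flags("syn"))),                          # "control-flag 2 2"
]

if __name__ == "__main__":
    print(evaluate(EXT_ACL, {"src": "10.7.1.2", "dst": "203.0.113.9", "protocol": "udp"}))
    print(evaluate(EXT_ACL, {"src": "192.168.1.5", "dst": "203.0.113.9", "protocol": "tcp",
                             "dport": 443, "flags": flags("syn", "ack")}))
    # the three code/mask pairs from the text, applied to a SYN+ACK segment (flags == 18)
    for code, mask in ((2, 2), (18, 18), (2, 18)):
        print(f"control-flag {code} {mask} on SYN+ACK -> {mask_match(18, code, mask)}")
```

The last loop shows why "2 18" is the pair for "SYN valid and ACK invalid": the mask 18 makes both the SYN and ACK bits significant, and the code 2 requires SYN set and ACK clear, so a SYN+ACK segment (18) does not match it while a bare SYN (2) does.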
Related Commands access-list ip (270)
Time Range (128)
ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
Syntax
ip access-group acl-name in [ time-range time-range-name ]
no ip access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands show ip access-list (275)
Time Range (128)
show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
IP access-list david in
Console#
Related Commands ip access-group (274)
show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list { standard | extended } [ acl-name ]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
Console#
Related Commands
permit, deny, redirect-to (271)
ip access-group (274)
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Table 57: IPv6 ACL Commands
Command                    Mode          Function
-------------------------  ------------  --------------------------------------------------------------
access-list ipv6           GC            Creates an IPv6 ACL and enters configuration mode for standard or extended IPv6 ACLs
permit, deny, redirect-to  IPv6-STD-ACL  Filters packets matching a specified source IPv6 address
permit, deny, redirect-to  IPv6-EXT-ACL  Filters packets meeting the specified criteria, including destination IPv6 address, DSCP traffic class, or next header type
show ipv6 access-list      PE            Displays the rules for configured IPv6 ACLs
ipv6 access-group          IC            Adds a port to an IPv6 ACL
show ipv6 access-group     PE            Shows port assignments for IPv6 ACLs
access-list ipv6
This command adds an IP access list and enters configuration mode for standard or extended IPv6 ACLs. Use the no form to remove the specified ACL.
Syntax
[ no ] access-list ipv6 { standard | extended } acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the destination IP address, and other more specific criteria.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny, redirect-to (Standard IPv6 ACL) (278)
permit, deny, redirect-to (Extended IPv6 ACL) (279)
ipv6 access-group (282)
show ipv6 access-list (281)
permit, deny, redirect-to
(Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
{ permit | deny | redirect-to interface }
{ any | host source-ipv6-address | source-ipv6-address/prefix-length }
[ time-range time-range-name ]
no { permit | deny } { any | host source-ipv6-address | source-ipv6-address/prefix-length }
interface ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
any – Any source IP address.
host – Keyword followed by a specific IP address.
source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128)
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Standard IPv6 ACL
Command Usage
New rules are appended to the end of the list.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands access-list ipv6 (277)
Time Range (128)
permit, deny, redirect-to
(Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, or next header type.
Use the no form to remove a rule.
Syntax
{ permit | deny | redirect-to interface }
{ any | host source-ipv6-address | source-ipv6-address [ /prefix-length ]}
{ any | destination-ipv6-address/prefix-length }
[ dscp dscp ] [ next-header next-header ]
[ time-range time-range-name ]
no { permit | deny } { any | host source-ipv6-address | source-ipv6-address [ /prefix-length ]}
{ any | destination-ipv6-address/prefix-length }
[ dscp dscp ] [ next-header next-header ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
any – Any IP address (an abbreviation for the IPv6 prefix ::/0).
host – Keyword followed by a specific source IP address.
source-ipv6-address - An IPv6 source address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (The switch only checks the first 64 bits of the destination address.)
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128 for source prefix, 0-8 for destination prefix)
dscp – DSCP traffic class. (Range: 0-63)
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Extended IPv6 ACL
Command Usage
◆ All new rules are appended to the end of the list.
◆ Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value. IPv6 supports the values defined for the IPv4 Protocol field in RFC 1700, including these commonly used headers:
0 : Hop-by-Hop Options (RFC 2460)
6 : TCP Upper-layer Header (RFC 1700)
17 : UDP Upper-layer Header (RFC 1700)
43 : Routing (RFC 2460)
44 : Fragment (RFC 2460)
51 : Authentication (RFC 2402)
50 : Encapsulating Security Payload (RFC 2406)
60 : Destination Options (RFC 2460)
Example
This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43
Console(config-ext-ipv6-acl)#
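The following Python model shows how rules written in the syntax of the two commands above are evaluated against a packet: rules are kept in the order they were entered, the first match decides, and the destination of an extended rule is compared on its first 64 bits only, as the parameter description states. This is an added example, not code from the vendor or from this guide. It assumes that a bare source address is treated as a host entry, that a packet matching no rule is denied (usual ACL behaviour, not stated in this section), and it does not model redirect-to or time-range.

```python
"""Model of the switch's IPv6 ACL matching (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY6 = ipaddress.IPv6Network("::/0")     # what the keyword "any" stands for


@dataclass
class Ipv6Rule:
    action: str                           # "permit" or "deny"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network = ANY6     # standard ACLs carry no destination
    dscp: Optional[int] = None            # extended ACL only, 0-63
    next_header: Optional[int] = None     # extended ACL only, 0-255


def _addr(tokens: List[str]) -> ipaddress.IPv6Network:
    """Consume 'any', 'host X' or 'X/len' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY6
    if t == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    if "/" not in t:
        t += "/128"                       # assumption: bare address == host
    return ipaddress.IPv6Network(t, strict=False)


def parse_ipv6_rule(text: str, extended: bool = False) -> Ipv6Rule:
    """Parse one permit/deny rule as typed in (config-std/ext-ipv6-acl) mode."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("only permit/deny rules are modelled: " + text)
    src = _addr(tokens)
    dst, dscp, nh = ANY6, None, None
    if extended:
        dst = _addr(tokens)
        while tokens:
            key, val = tokens.pop(0), tokens.pop(0)
            if key == "dscp":
                dscp = int(val)
            elif key == "next-header":
                nh = int(val)
            else:
                raise ValueError("unsupported option: " + key)
    if tokens:
        raise ValueError("trailing tokens in rule: " + text)
    return Ipv6Rule(action, src, dst, dscp, nh)


def rule_matches(rule: Ipv6Rule, src: str, dst: str,
                 dscp: int = 0, next_header: int = 6) -> bool:
    """True when the packet fields satisfy every condition of the rule."""
    if ipaddress.IPv6Address(src) not in rule.src:
        return False
    # Documented caveat: the switch compares only the first 64 bits of the
    # destination, so a longer destination prefix is truncated to /64.
    dst_net = rule.dst
    if dst_net.prefixlen > 64:
        dst_net = ipaddress.IPv6Network((dst_net.network_address, 64), strict=False)
    if ipaddress.IPv6Address(dst) not in dst_net:
        return False
    if rule.dscp is not None and rule.dscp != dscp:
        return False
    if rule.next_header is not None and rule.next_header != next_header:
        return False
    return True


def evaluate(acl: List[Ipv6Rule], src: str, dst: str,
             dscp: int = 0, next_header: int = 6) -> str:
    """Rules are appended in the order entered; the first match decides.
    No match -> 'deny' (assumed implicit deny, not stated in this section)."""
    for rule in acl:
        if rule_matches(rule, src, dst, dscp, next_header):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Same two rules as the standard ACL example in this section.
    std = [parse_ipv6_rule("permit host 2009:DB9:2229::79"),
           parse_ipv6_rule("permit 2009:DB9:2229:5::/64")]
    print(evaluate(std, "2009:db9:2229:5::1234", "::1"))   # permit
    print(evaluate(std, "2009:db9:2229:6::1", "::1"))      # deny
```

Because the destination is compared on 64 bits, an extended rule written with a /128 destination still matches every address in that /64; the model reproduces this so that the effect of the caveat can be checked before a rule is relied on.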
Related Commands access-list ipv6 (277)
Time Range (128)
show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ipv6 access-list { standard | extended } [ acl-name ]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name – Name of the ACL. (Maximum length: 16 characters)
Command Mode
Privileged Exec
Example
Console#show ipv6 access-list standard
IPv6 standard access-list david:
permit host 2009:DB9:2229::79
permit 2009:DB9:2229:5::/64
Console#
Related Commands
permit, deny, redirect-to (Standard IPv6 ACL) (278)
permit, deny, redirect-to (Extended IPv6 ACL) (279)
ipv6 access-group (282)
ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Syntax
ipv6 access-group acl-name in [ time-range time-range-name ]
no ipv6 access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 16 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range.
(Range: 1-30 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ A port can only be bound to one ACL.
◆ If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.
◆ IPv6 ACLs can only be applied to ingress packets.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#ipv6 access-group standard david in
Console(config-if)#
Related Commands show ipv6 access-list (281)
Time Range (128)
show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Command Mode
Privileged Exec
Example
Console#show ipv6 access-group
Interface ethernet 1/2
IPv6 standard access-list david in
Console#
Related Commands ipv6 access-group (282)
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Table 58: MAC ACL Commands
Command                     Function                                                               Mode
access-list mac             Creates a MAC ACL and enters configuration mode                        GC
permit, deny, redirect-to   Filters packets matching a specified source and destination address,   MAC-ACL
                            packet format, and Ethernet type
mac access-group            Binds a MAC ACL to a port                                              IC
show mac access-group       Shows port assignments for MAC ACLs                                    PE
show mac access-list        Displays the rules for configured MAC ACLs                             PE
access-list mac
This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[ no ] access-list mac acl-name
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
Example
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands permit, deny, redirect-to (284) mac access-group (286) show mac access-list (287)
permit, deny, redirect-to
(MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or
Ethernet protocol type. Use the no form to remove a rule.
Syntax
{ permit | deny | redirect-to interface }
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ vid vid vid-bitmask ] [ ethertype protocol [ protocol bitmask ]]
[ time-range time-range-name ]
no { permit | deny | redirect-to interface }
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ vid vid vid-bitmask ] [ ethertype protocol [ protocol bitmask ]]
Note: The default is for Ethernet II packets.
{ permit | deny | redirect-to interface } tagged-eth2
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ vid vid vid-bitmask ] [ ethertype protocol [ protocol bitmask ]]
[ time-range time-range-name ]
no { permit | deny | redirect-to interface } tagged-eth2
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ vid vid vid-bitmask ] [ ethertype protocol [ protocol bitmask ]]
{ permit | deny | redirect-to interface } untagged-eth2
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ ethertype protocol [ protocol bitmask ]]
[ time-range time-range-name ]
no { permit | deny | redirect-to interface } untagged-eth2
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ ethertype protocol [ protocol bitmask ]]
{ permit | deny | redirect-to interface } tagged-802.3
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ vid vid vid-bitmask ] [ time-range time-range-name ]
no { permit | deny | redirect-to interface } tagged-802.3
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ vid vid vid-bitmask ]
{ permit | deny | redirect-to interface } untagged-802.3
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
[ time-range time-range-name ]
no { permit | deny | redirect-to interface } untagged-802.3
{ any | host source | source address-bitmask }
{ any | host destination | destination address-bitmask }
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
tagged-eth2 – Tagged Ethernet II packets.
untagged-eth2 – Untagged Ethernet II packets.
tagged-802.3 – Tagged Ethernet 802.3 packets.
untagged-802.3 – Untagged Ethernet 802.3 packets.
any – Any MAC source or destination address.
host – A specific MAC address.
source – Source MAC address.
destination – Destination MAC address range with bitmask.
address-bitmask⁵ – Bitmask for MAC address (in hexadecimal format).
vid – VLAN ID. (Range: 1-4095)
vid-bitmask⁵ – VLAN bitmask. (Range: 1-4095)
protocol – A specific Ethernet protocol number. (Range: 600-ffff hex.)
protocol bitmask⁵ – Protocol bitmask. (Range: 600-ffff hex.)
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
MAC ACL
5. For all bitmasks, “1” means care and “0” means ignore.
Command Usage
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
■ 0800 - IP
■ 0806 - ARP
■ 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#
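The bitmask convention from note 5 (a “1” bit is compared, a “0” bit is ignored) is what makes a MAC ACL able to match a whole OUI, a range of VLAN IDs or a family of Ethertypes with one rule. The following Python model parses rules in the syntax of this command and matches a frame against them; it is an added example, not code from the vendor or this guide. It assumes that an omitted ethertype bitmask means all 16 bits are compared, and it does not model the packet-format keywords, redirect-to or time-range.

```python
"""Model of MAC ACL matching with care/ignore bitmasks (added example, not vendor code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MaskedValue = Tuple[int, int]            # (value, care-mask)
ANY: MaskedValue = (0, 0)                # a mask of 0 ignores every bit
MAC_ALL = 0xFFFFFFFFFFFF                 # "host": compare all 48 bits


def mac_to_int(mac: str) -> int:
    """'00-e0-29-94-34-de' (or colon-separated) -> 48-bit integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class MacRule:
    action: str                          # "permit" or "deny"
    src: MaskedValue
    dst: MaskedValue
    vid: Optional[MaskedValue] = None    # absent for untagged-frame rules
    ethertype: Optional[MaskedValue] = None


def _mac_spec(tokens: List[str]) -> MaskedValue:
    """Consume 'any' | 'host X' | 'X bitmask' (bitmask written like a MAC)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (mac_to_int(tokens.pop(0)), MAC_ALL)
    return (mac_to_int(t), mac_to_int(tokens.pop(0)))


def parse_mac_rule(text: str) -> MacRule:
    """Parse one permit/deny rule as typed in (config-mac-acl) mode."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("only permit/deny rules are modelled: " + text)
    src, dst = _mac_spec(tokens), _mac_spec(tokens)
    vid = ethertype = None
    while tokens:
        key = tokens.pop(0)
        if key == "vid":                 # vid and vid-bitmask are decimal
            vid = (int(tokens.pop(0)), int(tokens.pop(0)))
        elif key == "ethertype":         # protocol [bitmask], both hex
            proto = int(tokens.pop(0), 16)
            mask = 0xFFFF                # assumption: no bitmask == exact match
            if tokens and tokens[0] != "vid":
                mask = int(tokens.pop(0), 16)
            ethertype = (proto, mask)
        else:
            raise ValueError("unsupported option: " + key)
    return MacRule(action, src, dst, vid, ethertype)


def _masked_eq(spec: MaskedValue, value: int) -> bool:
    """Compare only the bits the care-mask marks with 1."""
    want, care = spec
    return (value & care) == (want & care)


def mac_rule_matches(rule: MacRule, src: str, dst: str,
                     vid: Optional[int] = None,
                     ethertype: Optional[int] = None) -> bool:
    """Match one frame; vid is None for an untagged frame."""
    if not _masked_eq(rule.src, mac_to_int(src)):
        return False
    if not _masked_eq(rule.dst, mac_to_int(dst)):
        return False
    if rule.vid is not None and (vid is None or not _masked_eq(rule.vid, vid)):
        return False
    if rule.ethertype is not None and (
            ethertype is None or not _masked_eq(rule.ethertype, ethertype)):
        return False
    return True


if __name__ == "__main__":
    # The rule from the example above, and an OUI-wide rule for VLAN 10.
    r = parse_mac_rule("permit any host 00-e0-29-94-34-de ethertype 0800")
    print(mac_rule_matches(r, "00-11-22-33-44-55", "00-e0-29-94-34-de", ethertype=0x0800))
    oui = parse_mac_rule("deny 00-e0-29-00-00-00 ff-ff-ff-00-00-00 any vid 10 4095")
    print(mac_rule_matches(oui, "00-e0-29-aa-bb-cc", "ff-ff-ff-ff-ff-ff", vid=10))
```

The bitmask ff-ff-ff-00-00-00 in the second rule compares only the first three octets, so any source address from that OUI matches; a vid-bitmask of 4095 compares all twelve VID bits, so only VLAN 10 matches.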
Related Commands access-list mac (283)
Time Range (128)
mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
Syntax
mac access-group acl-name in [ time-range time-range-name ]
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
Related Commands show mac access-list (287)
Time Range (128)
show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
MAC access-list M5 in
Console#
Related Commands mac access-group (286)
show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [ acl-name ]
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show mac access-list
MAC access-list jerry:
permit any 00-e0-29-94-34-de ethertype 0800
Console#
Related Commands permit, deny, redirect-to (284) mac access-group (286)
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command (page 259).
Table 59: ARP ACL Commands
Command                Function                                                               Mode
access-list arp        Creates an ARP ACL and enters configuration mode                       GC
permit, deny           Filters packets matching a specified source or destination address     ARP-ACL
                       in ARP messages
show arp access-list   Displays the rules for configured ARP ACLs                             PE
access-list arp
This command adds an ARP access list and enters ARP ACL configuration mode. Use the no form to remove the specified ACL.
Syntax
[ no ] access-list arp acl-name
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
Example
Console(config)#access-list arp factory
Console(config-arp-acl)#
Related Commands permit, deny (289) show arp access-list (290)
permit, deny
(ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Syntax
[ no ] { permit | deny } ip { any | host source-ip | source-ip ip-address-bitmask }
mac { any | host source-mac | source-mac mac-address-bitmask }
This form indicates either request or response packets.
[ no ] { permit | deny } request ip { any | host source-ip | source-ip ip-address-bitmask }
mac { any | host source-mac | source-mac mac-address-bitmask }
[ no ] { permit | deny } response ip { any | host source-ip | source-ip ip-address-bitmask }
{ any | host destination-ip | destination-ip ip-address-bitmask }
mac { any | host source-mac | source-mac mac-address-bitmask }
[ any | host destination-mac | destination-mac mac-address-bitmask ]
source-ip – Source IP address.
destination-ip – Destination IP address with bitmask.
ip-address-bitmask⁶ – IPv4 number representing the address bits to match.
source-mac – Source MAC address.
destination-mac – Destination MAC address range with bitmask.
mac-address-bitmask⁶ – Bitmask for MAC address (in hexadecimal format).
Default Setting
None
Command Mode
ARP ACL
Command Usage
New rules are added to the end of the list.
Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
6. For all bitmasks, binary “1” means care and “0” means ignore.
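The following Python model shows how the three rule forms above are applied to an ARP message once the ACL is bound by ip arp inspection vlan: a rule without request or response applies to both, a response rule can also constrain the target addresses, and IP and MAC bitmasks follow note 6 (binary “1” means compare). It is an added example, not code from the vendor or this guide, and it assumes that the “source” fields are compared with the ARP sender addresses and the “destination” fields with the ARP target addresses.

```python
"""Model of ARP ACL matching for ARP inspection (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MaskedValue = Tuple[int, int]        # (value, care-mask)
ANY: MaskedValue = (0, 0)            # a mask of 0 ignores every bit
IP_ALL = 0xFFFFFFFF
MAC_ALL = 0xFFFFFFFFFFFF


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 address or bitmask -> 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def mac_to_int(mac: str) -> int:
    """'00-e0-29-94-34-de' (or colon-separated) -> 48-bit integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass
class ArpRule:
    action: str                      # "permit" or "deny"
    op: Optional[str]                # "request", "response" or None for both
    sender_ip: MaskedValue
    sender_mac: MaskedValue
    target_ip: MaskedValue = ANY     # response form only
    target_mac: MaskedValue = ANY    # response form only, optional


def _spec(tokens: List[str], conv: Callable[[str], int], full: int) -> MaskedValue:
    """Consume 'any' | 'host X' | 'X bitmask', converting X with conv()."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (conv(tokens.pop(0)), full)
    return (conv(t), conv(tokens.pop(0)))


def parse_arp_rule(text: str) -> ArpRule:
    """Parse one permit/deny rule as typed in (config-arp-acl) mode."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError("only permit/deny rules are modelled: " + text)
    op = tokens.pop(0) if tokens[0] in ("request", "response") else None
    if tokens.pop(0) != "ip":
        raise ValueError("expected 'ip' keyword: " + text)
    sender_ip = _spec(tokens, ip_to_int, IP_ALL)
    target_ip = _spec(tokens, ip_to_int, IP_ALL) if op == "response" else ANY
    if tokens.pop(0) != "mac":
        raise ValueError("expected 'mac' keyword: " + text)
    sender_mac = _spec(tokens, mac_to_int, MAC_ALL)
    target_mac = ANY
    if op == "response" and tokens:   # destination-mac is optional
        target_mac = _spec(tokens, mac_to_int, MAC_ALL)
    return ArpRule(action, op, sender_ip, sender_mac, target_ip, target_mac)


def _masked_eq(spec: MaskedValue, value: int) -> bool:
    want, care = spec
    return (value & care) == (want & care)


def arp_rule_matches(rule: ArpRule, op: str, sender_ip: str, sender_mac: str,
                     target_ip: str = "0.0.0.0",
                     target_mac: str = "00-00-00-00-00-00") -> bool:
    """Match one ARP message (op is 'request' or 'response')."""
    if rule.op is not None and rule.op != op:
        return False
    return (_masked_eq(rule.sender_ip, ip_to_int(sender_ip))
            and _masked_eq(rule.sender_mac, mac_to_int(sender_mac))
            and _masked_eq(rule.target_ip, ip_to_int(target_ip))
            and _masked_eq(rule.target_mac, mac_to_int(target_mac)))


if __name__ == "__main__":
    # The rule from the example above: replies addressed into 192.168.0.0/16.
    r = parse_arp_rule("permit response ip any 192.168.0.0 255.255.0.0 mac any any")
    print(arp_rule_matches(r, "response", "10.1.1.1", "00-11-22-33-44-55",
                           "192.168.5.9", "00-e0-29-94-34-de"))
    # Pin a gateway address to one MAC (constructed values): a reply that
    # claims 192.168.1.1 from any other MAC does not match this permit.
    gw = parse_arp_rule("permit ip host 192.168.1.1 mac host 00-e0-29-94-34-de")
    print(arp_rule_matches(gw, "response", "192.168.1.1", "00-11-22-33-44-55"))
```

The second rule is the common use of an ARP ACL under inspection: binding a fixed IP address to the MAC address that legitimately owns it, so that a reply asserting that address from another station fails to match the permit entry.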
Related Commands access-list arp (288)
show arp access-list
This command displays the rules for configured ARP ACLs.
Syntax
show arp access-list [ acl-name ]
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show arp access-list
ARP access-list factory:
permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#
Related Commands permit, deny (289)
ACL Information
This section describes commands used to display ACL information.
Table 60: ACL Information Commands
Command             Function                                  Mode
show access-group   Shows the ACLs assigned to each port      PE
show access-list    Shows all ACLs and associated rules       PE
show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/2
IP access-list david
MAC access-list jerry
Console#
show access-list
This command shows all ACLs and associated rules.
Syntax
show access-list
[[ arp [ acl-name ]] |
[ ip [ extended [ acl-name ] | standard [ acl-name ]] |
[ ipv6 [ extended [ acl-name ] | standard [ acl-name ]] |
[ mac [ acl-name ]] | [ tcam-utilization ]]
arp – Shows ingress or egress rules for ARP ACLs.
ip extended – Shows ingress rules for Extended IPv4 ACLs.
ip standard – Shows ingress rules for Standard IPv4 ACLs.
ipv6 extended – Shows ingress rules for Extended IPv6 ACLs.
ipv6 standard – Shows ingress rules for Standard IPv6 ACLs.
mac – Shows ingress rules for MAC ACLs.
tcam-utilization – Shows user-configured ACL rules as a percentage of the total ACL rules supported.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode
Privileged Exec
Example
Console#show access-list
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
IP extended access-list bob:
permit 10.7.1.1 255.255.255.0 any
permit 192.168.1.0 255.255.255.0 any destination-port 80 80
permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
MAC access-list jerry:
permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:
deny tcp any any control-flag 2 2
permit any any
Console#
10 Interface Commands
These commands are used to display or set communication parameters for an
Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Table 61: Interface Commands
Command                      Function                                                                Mode
Interface Configuration
interface                    Configures an interface type and enters interface configuration mode    GC
alias                        Configures an alias name for the interface                              IC
capabilities                 Advertises the capabilities of a given interface for use in             IC
                             autonegotiation
description                  Adds a description to an interface configuration                        IC
flowcontrol                  Enables flow control on a given interface                               IC
giga-phy-mode                Forces two connected ports into a master/slave configuration to         IC
                             enable 1000BASE-T full duplex
negotiation                  Enables autonegotiation of a given interface                            IC
shutdown                     Disables an interface                                                   IC
speed-duplex                 Configures the speed and duplex operation of a given interface when     IC
                             autonegotiation is disabled
clear counters               Clears statistics on an interface                                       PE
show interfaces brief        Displays a summary of key information, including operational status,    PE
                             native VLAN ID, default priority, speed/duplex mode, and port type
show interfaces counters     Displays statistics for the specified interfaces                        NE, PE
show interfaces status       Displays status for the specified interface                             NE, PE
show interfaces switchport   Displays the administrative and operational status of an interface      NE, PE
show interfaces transceiver  Displays the temperature, voltage, bias current, transmit power, and    PE
                             receive power
Cable Diagnostics
test cable-diagnostics       Performs cable diagnostics on the specified port                        PE
show cable-diagnostics       Shows the results of a cable diagnostics test                           PE
Power Savings
power-save                   Enables power savings mode on the specified port                        IC
show power-save              Shows the configuration settings for power savings                      PE
Interface Configuration
interface
This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface.
Syntax
[ no ] interface interface-list
interface-list – One or more ports. Use a hyphen to indicate a consecutive list of ports or a comma between non-consecutive ports.
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
vlan vlan-id (Range: 1-4093)
Default Setting
None
Command Mode
Global Configuration
Example
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#shutdown
alias
This command configures an alias name for the interface. Use the no form to remove the alias name.
Syntax
alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The alias is displayed in the running-configuration file. An example of the value which a network manager might store in this object for a WAN interface is the (Telco's) circuit number/identifier of the interface.
Example
The following example adds an alias to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#alias finance
Console(config-if)#
capabilities
This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Syntax
[ no ] capabilities { 1000full | 100full | 100half | 10full | 10half | flowcontrol | symmetric }
1000full - Supports 1 Gbps full-duplex operation
100full - Supports 100 Mbps full-duplex operation
100half - Supports 100 Mbps half-duplex operation
10full - Supports 10 Mbps full-duplex operation
10half - Supports 10 Mbps half-duplex operation
flowcontrol - Supports flow control
symmetric - When specified, the port transmits and receives symmetric pause frames.
Default Setting
100BASE-FX: 100full (SFP)
1000BASE-T: 10half, 10full, 100half, 100full, 1000full
1000BASE-SX/LX/LH (SFP): 1000full
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command.
When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
Example
The following example configures Ethernet port 5 capabilities to include 100half and 100full.
Console(config)#interface ethernet 1/5
Console(config-if)#capabilities 100half
Console(config-if)#capabilities 100full
Console(config-if)#capabilities flowcontrol
Console(config-if)#
Related Commands negotiation (299) speed-duplex (300) flowcontrol (297)
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
Example
The following example adds a description to port 4.
Console(config)#interface ethernet 1/4
Console(config-if)#description RD-SW#3
Console(config-if)#
flowcontrol
This command enables flow control. Use the no form to disable flow control.
Syntax
[ no ] flowcontrol
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation.
◆ To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface.
◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, “flowcontrol” must be included in the capabilities list for any port.
Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands negotiation (299) capabilities (flowcontrol, symmetric) (295)
giga-phy-mode
This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports. Use the no form to restore the default mode.
Syntax
giga-phy-mode mode
no giga-phy-mode
mode
master - Sets the selected port as master.
slave - Sets the selected port as slave.
Default Setting
master
Command Mode
Interface Configuration (Ethernet: Ports 1-24)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of forcing a link to operate at 1000 Mbps, full-duplex using the giga-phy-mode command.
◆ Forcing 1000full operation requires the ports at both ends of a link to establish their roles in the connection process as master or slave. Before using this feature, auto-negotiation must first be disabled, and the Speed/Duplex attribute set to 1000full. Then select compatible Giga PHY modes at both ends of the link.
◆ If auto-negotiation is enabled at the far end of a link, and disabled on the local end, a link should eventually be established regardless of the selected giga-phy mode.
Example
This forces the switch port to master mode on port 24.
Console(config)#interface ethernet 1/50
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 1000full
Console(config-if)#giga-phy-mode master
Console(config-if)#
negotiation
This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.
Syntax
[ no ] negotiation
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
◆ If auto-negotiation is disabled, auto-MDI/MDI-X pin signal configuration will also be disabled for the RJ-45 ports.
Example
The following example configures port 11 to use auto-negotiation.
Console(config)#interface ethernet 1/11
Console(config-if)#negotiation
Console(config-if)#
Related Commands capabilities (295) speed-duplex (300)
shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[ no ] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.
Example
The following example disables port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#
speed-duplex
This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
Syntax
speed-duplex { 1000full | 100full | 100half | 10full | 10half }
no speed-duplex
1000full - Forces 1000 Mbps full-duplex operation
100full - Forces 100 Mbps full-duplex operation
100half - Forces 100 Mbps half-duplex operation
10full - Forces 10 Mbps full-duplex operation
10half - Forces 10 Mbps half-duplex operation
Default Setting
◆ Auto-negotiation is enabled by default.
◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. However, this switch does provide a means of safely forcing a link to operate at 1000 Mbps, full-duplex using the giga-phy-mode command.
◆ To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/ duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface.
Example
The following example configures port 5 to 100 Mbps, half-duplex operation.
Console(config)#interface ethernet 1/5
Console(config-if)#speed-duplex 100half
Console(config-if)#no negotiation
Console(config-if)#
Related Commands negotiation (299) capabilities (295)
clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Example
The following example clears statistics on port 5.
Console#clear counters ethernet 1/5
Console#
show interfaces brief
This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
Command Mode
Privileged Exec
Example
Console#show interfaces brief
Interface Name Status PVID Pri Speed/Duplex Type Trunk
--------- ------------------ ------- ---- --- ------------- ----------- -----
Eth 1/ 1 Up 1 0 Auto-100full 1000T None
Eth 1/ 2 Down 1 0 Auto 1000T None
Eth 1/ 3 Down 1 0 Auto 1000T None
Eth 1/ 4 Down 1 0 Auto 1000T None
Eth 1/ 5 Down 1 0 Auto 1000T None
Eth 1/ 6 Down 1 0 Auto 1000T None
.
show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics” in the System Reference Guide.
Example
Console#show interfaces counters ethernet 1/17
Ethernet 1/ 17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
19806 Unicast Output
0 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Receive Errors
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octets input per second
0 Packets input per second
0.00 % Input utilization
0 Octets output per second
0 Packets output per second
0.00 % Output utilization
Console#
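The counters output above is plain text, so a monitoring script has to parse it before it can alert on error counters. The following Python script is an added example, not part of this guide or of the switch firmware; it parses a constructed sample in the same layout and reports the error-related counters that are not zero.

```python
import re
from typing import Dict

# Counters that stay at zero on a healthy link; any of them climbing is worth an alert
ERROR_COUNTERS = (
    "Discard Input", "Discard Output", "Error Input", "Error Output",
    "Alignment Errors", "FCS Errors", "Late Collisions", "Excessive Collisions",
    "Frames Too Long", "Symbol Errors", "Drop Events", "Undersize PKTS",
    "Oversize PKTS", "Fragments", "Jabbers", "CRC Align Errors",
)

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                 # ===== IF table Stats =====
COUNTER_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(%?)\s*(.+?)$")  # value [%] counter name


def parse_counters(text: str) -> Dict[str, Dict[str, float]]:
    """Turn 'show interfaces counters' output into {section: {counter name: value}}."""
    stats: Dict[str, Dict[str, float]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # skip blank lines, the interface banner and the prompt after the output
        if not line or line.startswith(("Ethernet", "Console")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            number, percent, name = m.groups()
            value = float(number) if "." in number else int(number)
            if percent:
                name = "% " + name   # keep utilization rows distinct from byte/packet rows
            stats[section][name] = value
    return stats


def nonzero_error_counters(stats: Dict[str, Dict[str, float]]) -> Dict[str, int]:
    """Return every error-related counter whose value is not zero."""
    found: Dict[str, int] = {}
    for counters in stats.values():
        for name, value in counters.items():
            if name in ERROR_COUNTERS and value:
                found[name] = value
    return found


# Constructed sample in the layout of the guide's example, with a few
# deliberately non-zero error counters so the report has something to show.
SAMPLE = """\
Ethernet 1/ 17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
3 Discard Input
0 Discard Output
0 Error Input
===== Ether-like Stats =====
0 Alignment Errors
17 FCS Errors
0 Late Collisions
0 Frames Too Long
===== RMON Stats =====
0 Drop Events
16900558 Octets
0 Fragments
2 Jabbers
0 CRC Align Errors
21065 Packet Size <= 64 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octets input per second
0.12 % Input utilization
0 Octets output per second
0.00 % Output utilization
Console#
"""

if __name__ == "__main__":
    for name, value in nonzero_error_counters(parse_counters(SAMPLE)).items():
        print(f"{name}: {value}")
```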
show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
vlan vlan-id (Range: 1-4093)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
Console#show interfaces status ethernet 1/21
Information of Eth 1/21
Port Type : 1000T
MAC Address : B4-0E-DC-34-E6-3D
Configuration:
Name :
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Flow Control : Disabled
VLAN Trunking : Disabled
LACP : Disabled
Port Security : Disabled
Max MAC Count : 0
Port Security Action : None
Media Type (Combo Forced Mode) : None
Giga PHY Mode : Master
Current Status:
Link Status : Up
Port Operational Status : Up
Operational Speed-Duplex : 100full
Flow Control Type : None
Console#
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
Syntax
show interfaces switchport [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
This example shows the configuration setting for port 21.
Console#show interfaces switchport ethernet 1/21
Information of Eth 1/21
Broadcast Threshold : Enabled, 500 packets/second
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
LACP Status : Disabled
Ingress Rate Limit : Disabled, 1000M bits per second
Egress Rate Limit : Disabled, 1000M bits per second
VLAN Membership Mode : Hybrid
Ingress Rule : Disabled
Acceptable Frame Type : All frames
Native VLAN : 1
Priority for Untagged Traffic : 0
GVRP Status : Disabled
Allowed VLAN : 1(u)
Forbidden VLAN :
802.1Q-tunnel Status : Disable
802.1Q-tunnel Mode : NORMAL
802.1Q-tunnel TPID : 8100(Hex)
Console#
Table 62: show interfaces switchport - display description
Field - Description
Broadcast Threshold - Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 345).
Multicast Threshold - Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 345).
Unknown Unicast Threshold - Shows if unknown unicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 345).
LACP Status - Shows if Link Aggregation Control Protocol has been enabled or disabled (page 315).
Ingress/Egress Rate Limit - Shows if rate limiting is enabled, and the current rate limit (page 765).
VLAN Membership Mode - Indicates membership mode as Trunk or Hybrid (page 405).
Ingress Rule - Shows if ingress filtering is enabled or disabled (page 404).
Acceptable Frame Type - Shows if acceptable VLAN frames include all types or tagged frames only (page 403).
Native VLAN - Indicates the default Port VLAN ID (page 406).
Priority for Untagged Traffic - Indicates the default priority for untagged frames (page 432).
GVRP Status - Shows if GARP VLAN Registration Protocol is enabled or disabled (page 397).
Allowed VLAN - Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 403).
Forbidden VLAN - Shows the VLANs this interface can not dynamically join via GVRP (page 396).
802.1Q-tunnel Status - Shows if 802.1Q tunnel is enabled on this interface (page 410).
802.1Q-tunnel Mode - Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 412).
802.1Q-tunnel TPID - Shows the Tag Protocol Identifier used for learning and switching packets (page 411).
show interfaces transceiver
This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the temperature, voltage, bias current, transmit power, and receive power.
Syntax
show interfaces transceiver [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 25-28/49-52)
Default Setting
Shows all SFP interfaces.
Command Mode
Privileged Exec
Command Usage
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers.
This information allows administrators to remotely diagnose problems with optical devices.
Example
Console#show interfaces transceiver ethernet 1/25
SFP Information of Ethernet 1/25
Identifier : Unknown or unspecified
Connector : LC
Transceiver:
Gigabit Ethernet Compliance Codes:
1000BASE-SX
Fibre Channel link length:
intermediate distance(I)
Fibre Channel transmitter technology:
Shortwave laser w/o OFC(SN)
Fibre Channel transmission media:
Multimode, 50um(M5, M5E)
Multimode, 62.5um(M6)
Fibre Channel Speed:
100 MBytes/sec
Encoding : 8B/10B
BR.Norminal: 13MBits/sec
BR.MAX : 0
BR.MIN : 0
Length :
Link length supported for OM2 fiber, 550m
Link length supported for OM1 fiber, 280m
Vendor Name: SMC Networks
Vendor OUI : 0
Vendor PN : SMC1GSFP-SX
Vendor Rev : V1.1
Vendor SN : V1.1
Date code : 2009.5.19
Options :
Console#
Cable Diagnostics
test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.
Syntax
test cable-diagnostics interface interface
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Command Usage
◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods. DSP analyses the cable by sending a pulsed signal into the cable, and then examining the reflection of that pulse.
◆ This cable test is only accurate for Gigabit Ethernet cables 0 - 250 meters long.
◆ The test takes approximately 5 seconds. The switch displays the results of the test immediately upon completion, including common cable failures, as well as the status and approximate length of each cable pair.
◆ Potential conditions which may be listed by the diagnostics include:
■ OK: Correctly terminated pair
■ Open: Open pair, no link partner
■ Short: Shorted pair
■ Not Supported: This message is displayed for Gigabit Ethernet ports linked up at a speed lower than 1000 Mbps.
■ Impedance mismatch: Terminating impedance is not in the reference range.
◆ Ports are linked down while running cable diagnostics.
◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode (using the no power-save command) on the link partner before running cable diagnostics.
Example
Console#test cable-diagnostics interface ethernet 1/23
Console#show cable-diagnostics interface ethernet 1/23
Port Type Link Status Pair A (meters) Pair B (meters) Last Update
-------- ---- ----------- ---------------- ---------------- -----------------
Eth 1/23 GE Up OK (21) OK (21) 2009-11-13 09:44:19
Console#
show cable-diagnostics
This command shows the results of a cable diagnostics test.
Syntax
show cable-diagnostics interface [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Command Usage
◆ The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
◆ To ensure more accurate measurement of the length to a fault, first disable power-saving mode on the link partner before running cable diagnostics.
◆ For link-down ports, the reported distance to a fault is accurate to within +/- 2 meters. For link-up ports, the accuracy is +/- 10 meters.
Example
Console#show cable-diagnostics interface ethernet 1/23
Port Type Link Status Pair A (meters) Pair B (meters) Last Update
-------- ---- ----------- ---------------- ---------------- -----------------
Eth 1/23 GE Up OK (21) OK (21) 2009-11-13 09:44:19
Console#
Power Savings
power-save
This command enables power savings mode on the specified port.
Syntax
[ no ] power-save
Command Mode
Interface Configuration (Ethernet, Ports 1-24)
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
◆ Power saving mode only applies to the Gigabit Ethernet ports using copper media.
◆ Power savings can be enabled on Gigabit Ethernet RJ-45 ports.
◆ The power-saving methods provided by this switch include:
■ Power saving when there is no link partner:
Under normal operation, the switch continuously auto-negotiates to find a link partner, keeping the MAC interface powered up even if no link connection exists. When using power-savings mode, the switch checks for energy on the circuit to determine if there is a link partner. If none is detected, the switch automatically turns off the transmitter, and most of the receive circuitry (entering Sleep Mode). In this mode, the low-power energy-detection circuit continuously checks for energy on the cable. If none is detected, the MAC interface is also powered down to save additional energy. If energy is detected, the switch immediately turns on both the transmitter and receiver functions, and powers up the MAC interface.
■ Power saving when there is a link partner:
Traditional Ethernet connections typically operate with enough power to support at least 100 meters of cable even though average network cable length is shorter. When cable length is shorter, power consumption can be reduced since signal attenuation is proportional to cable length. When power-savings mode is enabled, the switch analyzes cable length to determine whether or not it can reduce the signal amplitude used on a particular link.
Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power-save
Console(config-if)#
show power-save
This command shows the configuration settings for power savings.
Syntax
show power-save [ interface interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example
Console#show power-save interface ethernet 1/4
Power Saving Status:
Ethernet 1/1 : Enabled
Console#
11 Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex.
Table 63: Link Aggregation Commands
Command - Function; Mode
Manual Configuration Commands
interface port-channel - Configures a trunk and enters interface configuration mode for the trunk; Mode: GC
channel-group - Adds a port to a trunk; Mode: IC (Ethernet)
Dynamic Configuration Commands
lacp - Configures LACP for the current interface; Mode: IC (Ethernet)
lacp admin-key - Configures a port's administration key; Mode: IC (Ethernet)
lacp port-priority - Configures a port's LACP port priority; Mode: IC (Ethernet)
lacp system-priority - Configures a port's LACP system priority; Mode: IC (Ethernet)
lacp admin-key - Configures a port channel’s administration key; Mode: IC (Port Channel)
Trunk Status Display Commands
show interfaces status port-channel - Shows trunk information; Mode: NE, PE
show lacp - Shows LACP information; Mode: PE
Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
◆ STP, VLAN, and IGMP settings can only be made for the entire trunk via the specified port-channel.
Dynamically Creating a Port Channel –
Ports assigned to a common port channel must meet the following criteria:
◆ Ports must have the same LACP system priority.
◆ Ports must have the same port admin key (Ethernet Interface).
◆ If the port channel admin key ( lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key ( lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
◆ However, if the port channel admin key is set, then the port admin key must be set to the same value for a port to be allowed to join a channel group.
◆ If a link goes down, LACP port priority is used to select the backup link.
Manual Configuration Commands
channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Syntax
channel-group channel-id
no channel-group
channel-id - Trunk index (Range: 1-12)
Default Setting
The current port will be added to this trunk.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
◆ Use no channel-group to remove a port group from a trunk.
◆ Use no interface port-channel to remove a trunk from the switch.
Example
The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#
Dynamic Configuration Commands
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Syntax
[ no ] lacp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
◆ If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
Example
The following shows LACP enabled on ports 10-12. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk 1 has been established.
Console(config)#interface ethernet 1/10
Console(config-if)#lacp
Console(config-if)#interface ethernet 1/11
Console(config-if)#lacp
Console(config-if)#interface ethernet 1/12
Console(config-if)#lacp
Console(config-if)#end
Console#show interfaces status port-channel 1
Information of Trunk 1
Port Type : 1000T
MAC Address : B4-0E-DC-39-F4-4D
Configuration:
Name :
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Flow Control : Disabled
VLAN Trunking : Disabled
Port Security : Disabled
Max MAC Count : 0
Port Security Action : None
Media Type (Combo Forced Mode) : None
Giga PHY Mode : Master
Current Status:
Created By : LACP
Link Status : Up
Port Operational Status : Up
Operational Speed-Duplex : 1000full
Flow Control Type : None
Member Ports : Eth1/10, Eth1/11, Eth1/12,
Console#
lacp admin-key
(Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp { actor | partner } admin-key key
no lacp { actor | partner } admin-key
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG). (Range: 0-65535)
Default Setting
Actor: 1, Partner: 0
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key ( lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key ( lacp admin key - Ethernet Interface) used by the interfaces that joined the group.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state.
◆ By default, the actor’s operational key is determined by the port's link speed (1000f - 4, 100f - 3, 10f - 2), and copied to the admin key.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor admin-key 120
Console(config-if)#
lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp { actor | partner } port-priority priority
no lacp { actor | partner } port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link. (Range: 0-65535)
Default Setting
32768
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Setting a lower value indicates a higher effective priority.
◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
◆ If an LAG already exists with the maximum number of allowed port members, and LACP is subsequently enabled on another port using a higher priority than an existing member, the newly configured port will replace an existing port member that has a lower priority.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor port-priority 128
lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp { actor | partner } system-priority priority
no lacp { actor | partner } system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations. (Range: 0-65535)
Default Setting
32768
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Port must be configured with the same system priority to join the same LAG.
◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor system-priority 3
Console(config-if)#
lacp admin-key
(Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535)
Default Setting
0
Command Mode
Interface Configuration (Port Channel)
Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key ( lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key ( lacp admin key - Ethernet Interface) used by the interfaces that joined the group. Note that when the LAG is no longer used, the port channel admin key is reset to 0.
◆ If the port channel admin key is set to a non-default value, the operational key is based upon LACP PDUs received from the partner, and the channel admin key is reset to the default value. The trunk identifier will also be changed by this process.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp admin-key 3
Console(config-if)#
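The LAG membership rules spread across the trunk guidelines and the lacp admin-key, lacp port-priority and port-channel admin-key sections (matching system priority, matching port admin key, a port channel key that must match when set and is inherited when null, at most eight active ports, and backup selection by lowest priority value then lowest port number) can be checked against a small model. The following Python is an added example, not the switch's own code; the Port and PortChannel classes and the form_channel and fail_link functions are assumptions that mirror the defaults and rules stated in this chapter.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ACTIVE_PORTS = 8   # a trunk can have up to 8 ports; extra LACP ports go to standby


@dataclass
class Port:
    number: int                   # physical port number, e.g. 10 for Eth 1/10
    system_priority: int = 32768  # lacp actor system-priority default
    admin_key: int = 1            # lacp actor admin-key default
    port_priority: int = 32768    # lacp actor port-priority default


@dataclass
class PortChannel:
    channel_id: int
    admin_key: int = 0            # port channel admin key; 0 is the null default
    active: List[Port] = field(default_factory=list)
    standby: List[Port] = field(default_factory=list)
    rejected: List[Port] = field(default_factory=list)


def may_join(channel: PortChannel, port: Port, members: List[Port]) -> bool:
    """Apply the three membership rules from the lacp admin-key usage notes."""
    if members:
        ref = members[0]
        if port.system_priority != ref.system_priority:   # (1) system priority matches
            return False
        if port.admin_key != ref.admin_key:               # (2) port admin key matches
            return False
    if channel.admin_key != 0 and port.admin_key != channel.admin_key:
        return False                                      # (3) channel key matches if set
    return True


def form_channel(channel_id: int, ports: List[Port],
                 channel_admin_key: int = 0) -> PortChannel:
    """Form a channel group: admit eligible ports, rank them, split active/standby."""
    channel = PortChannel(channel_id, channel_admin_key)
    members: List[Port] = []
    for port in sorted(ports, key=lambda p: p.number):
        if may_join(channel, port, members):
            members.append(port)
        else:
            channel.rejected.append(port)
    if members and channel.admin_key == 0:
        channel.admin_key = members[0].admin_key   # null key inherits the port admin key
    # a lower port-priority value is a higher priority; ties go to the lowest port number
    ranked = sorted(members, key=lambda p: (p.port_priority, p.number))
    channel.active = ranked[:MAX_ACTIVE_PORTS]
    channel.standby = ranked[MAX_ACTIVE_PORTS:]
    return channel


def fail_link(channel: PortChannel, port_number: int) -> Optional[Port]:
    """Take an active link down and promote the highest-priority standby port."""
    downed = next((p for p in channel.active if p.number == port_number), None)
    if downed is None:
        return None
    channel.active.remove(downed)
    if not channel.standby:
        return None
    backup = channel.standby.pop(0)   # standby list is already ranked
    channel.active.append(backup)
    return backup


if __name__ == "__main__":
    # port 12 carries a different admin key, so it cannot join with ports 10 and 11
    trunk = form_channel(1, [Port(10), Port(11), Port(12, admin_key=5)])
    print("active:", [p.number for p in trunk.active],
          "rejected:", [p.number for p in trunk.rejected],
          "channel key:", trunk.admin_key)
```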
Trunk Status Display Commands
show lacp
This command displays LACP information.
Syntax
show lacp [ port-channel ] { counters | internal | neighbors | sys-id }
port-channel - Local identifier for a link aggregation group. (Range: 1-12)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.
sys-id - Summary of system priority and MAC address for all channel groups.
Default Setting
Port Channel: all
Command Mode
Privileged Exec
Example
Console#show lacp 1 counters
Port Channel: 1
-------------------------------------------------------------------------
Eth 1/ 2
-------------------------------------------------------------------------
LACPDUs Sent : 12
LACPDUs Received : 6
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
.
Table 64: show lacp counters - display description
Field - Description
LACPDUs Sent - Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received - Number of valid LACPDUs received on this channel group.
Marker Sent - Number of valid Marker PDUs transmitted from this channel group.
Marker Received - Number of valid Marker PDUs received by this channel group.
LACPDUs Unknown Pkts - Number of frames received that either (1) carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
LACPDUs Illegal Pkts - Number of frames that carry the Slow Protocols Ethernet Type value, but contain a badly formed PDU or an illegal value of Protocol Subtype.
Console#show lacp 1 internal
Port Channel : 1
-------------------------------------------------------------------------
Oper Key : 3
Admin Key : 0
Eth 1/ 1
-------------------------------------------------------------------------
LACPDUs Internal : 30 seconds
LACP System Priority : 32768
LACP Port Priority : 32768
Admin Key : 3
Oper Key : 3
Admin State : defaulted, aggregation, long timeout, LACP-activity
Oper State : distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
Table 65: show lacp internal - display description
Field - Description
Oper Key - Current operational value of the key for the aggregation port.
Admin Key - Current administrative value of the key for the aggregation port.
LACPDUs Internal - Number of seconds before invalidating received LACPDU information.
LACP System Priority - LACP system priority assigned to this port channel.
LACP Port Priority - LACP port priority assigned to this interface within the channel group.
Admin State, Oper State - Administrative or operational values of the actor’s state parameters:
◆ Expired – The actor’s receive machine is in the expired state;
◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
◆ Distributing – If false, distribution of outgoing frames on this link is disabled; i.e., distribution is currently disabled and is not expected to be enabled in the absence of administrative changes or changes in received protocol information.
◆ Collecting – Collection of incoming frames on this link is enabled; i.e., collection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information.
◆ Synchronization – The System considers this link to be IN_SYNC; i.e., it has been allocated to the correct Link Aggregation Group, the group has been associated with a compatible Aggregator, and the identity of the Link Aggregation Group is consistent with the System ID and operational Key information transmitted.
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link. (0: Passive; 1: Active)
Console#show lacp 1 neighbors
Port Channel 1 neighbors
-------------------------------------------------------------------------
Eth 1/ 1
-------------------------------------------------------------------------
Partner Admin System ID : 32768, 00-00-00-00-00-00
Partner Oper System ID : 32768, 00-12-CF-61-24-2F
Partner Admin Port Number : 1
Partner Oper Port Number : 1
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key : 0
Oper Key : 3
Admin State: defaulted, distributing, collecting,
synchronization, long timeout,
Oper State: distributing, collecting, synchronization,
aggregation, long timeout, LACP-activity
.
Table 66: show lacp neighbors - display description
Field - Description
Partner Admin System ID - LAG partner’s system ID assigned by the user.
Partner Oper System ID - LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number - Current administrative value of the port number for the protocol Partner.
Partner Oper Port Number - Operational port number assigned to this aggregation port by the port’s protocol partner.
Port Admin Priority - Current administrative value of the port priority for the protocol partner.
Port Oper Priority - Priority value assigned to this aggregation port by the partner.
Admin Key - Current administrative value of the Key for the protocol partner.
Oper Key - Current operational value of the Key for the protocol partner.
Admin State - Administrative values of the partner’s state parameters. (See preceding table.)
Oper State - Operational values of the partner’s state parameters. (See preceding table.)
Console#show lacp sysid
Port Channel System Priority System MAC Address
-------------------------------------------------------------------------
1 32768 00-30-F1-8F-2C-A7
2 32768 00-30-F1-8F-2C-A7
3 32768 00-30-F1-8F-2C-A7
4 32768 00-30-F1-8F-2C-A7
5 32768 00-30-F1-8F-2C-A7
6 32768 00-30-F1-8F-2C-A7
7 32768 00-30-F1-D4-73-A0
8 32768 00-30-F1-D4-73-A0
9 32768 00-30-F1-D4-73-A0
10 32768 00-30-F1-D4-73-A0
11 32768 00-30-F1-D4-73-A0
12 32768 00-30-F1-D4-73-A0
.
Table 67: show lacp sysid - display description
Field - Description
Channel group - A link aggregation group configured on this switch.
System Priority * - LACP system priority for this channel group.
System MAC Address * - System MAC address.
* The LACP system priority and system MAC address are concatenated to form the LAG system ID.
Chapter 12 | Power over Ethernet Commands
The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24.
The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
When a device is connected to a switch port, its power requirements are detected by the switch before power is supplied. If the power required by a device exceeds the power budget of the port or the whole switch, power is not supplied.
Table 68: PoE Commands
Command | Function | Mode
power inline compatible | Provides power to pre-standard PoE devices | GC
power inline | Turns power on and off for specific ports | IC
power inline maximum allocation | Sets the maximum power available to specific switch ports | IC
power inline priority | Sets the priority for power supplied to specific ports | IC
power inline time-range | Binds a time-range to a port during which PoE is supplied | IC
show power inline status | Displays the current status of power management on specific ports or all ports | PE
show power inline time-range | Shows the time-range and current status for specific ports or for all ports | PE
show power poe | Displays the current status of power management for switch | PE
power inline compatible
This command allows the switch to detect and provide power to powered devices that were designed prior to the IEEE 802.3af PoE standard. Use the no form to disable this feature.
Syntax
[ no ] power inline compatible
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
◆ The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the switch, which may then turn on the power to this device. When the power inline compatible command is used, this switch can detect IEEE 802.3af or 802.3at compliant devices and the more recent 802.3af non-compliant devices that also reflect the test voltages back to the switch. It cannot detect other legacy devices that do not reflect back the test voltages.
◆ For legacy devices to be supported by this switch, they must be able to accept power over the data pairs connected to the 1000BASE-T ports.
Example
Console(config)#power inline compatible
Console(config)#end
Console#show power inline status
Unit: 1
Compatible mode : Enabled
Time Max Used
Interface Admin Range Oper Power Power Priority
--------- -------- -------- ---- -------- -------- --------
Eth 1/ 1 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 2 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 3 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 4 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 5 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 6 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 7 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 8 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 9 Enabled -- Off 34200 mW 0 mW Low
Eth 1/10 Enabled -- Off 34200 mW 0 mW Low
Eth 1/11 Enabled -- Off 34200 mW 0 mW Low
Eth 1/12 Enabled -- Off 34200 mW 0 mW Low
.
.
power inline
This command instructs the switch to automatically detect if a PoE-compliant device is connected to the specified port, and turn power on or off accordingly. Use the no form to turn off power for a port, or the no form with the time-range keyword to remove the time range settings.
Syntax
power inline [ time-range time-range-name ]
no power inline [ time-range ]
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
Detection is enabled for PoE-compliant devices.
Command Mode
Interface Configuration (Ethernet ports 1-24/48)
Command Usage
◆ The switch only provides power to the Fast Ethernet or Gigabit Ethernet copper-media ports.
◆ When detection is enabled for PoE-compliant devices, power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the port’s power budget or the switch’s power budget.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline
Console(config-if)#exit
Console(config)#interface ethernet 1/2
Console(config-if)#no power inline
Console(config-if)#
Related Commands
time-range (128)
power inline maximum allocation
This command limits the power allocated to specific ports. Use the no form to restore the default setting.
Syntax
power inline maximum allocation milliwatts
no power inline maximum allocation
milliwatts - The maximum power budget for the port. (Range: 3000 - 34200 milliwatts)
Default Setting
34200 milliwatts
Command Mode
Interface Configuration (Ethernet ports 1-24/48)
Command Usage
◆ All the RJ-45 ports support the IEEE 802.3at-2009 PoE standard. The total PoE power delivered by all ports cannot exceed the 390/779 Watts* power budget. This means that up to 11/22* ports can supply a maximum 34.2W of power simultaneously to connected devices (802.3at), or up to 24/48* ports can supply up to 15.4W (802.3af).
* Values for the EX-3524 and EX-3548 respectively.
◆ If a device is connected to a switch port and the switch detects that it requires more than the maximum power allocated to the port or to the overall switch, no power is supplied to the device (i.e., port power remains off ).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000
Console(config-if)#
power inline priority
This command sets the power priority for specific ports. Use the no form to restore the default setting.
Syntax
power inline priority priority
no power inline priority
priority - The power priority for the port. Options: 1 (critical), 2 (high), or 3 (low)
Default Setting
3 (low)
Command Mode
Interface Configuration
Command Usage
◆ If the power demand from devices connected to the switch exceeds the power budget setting as determined during bootup, the switch uses port power priority settings to control the supplied power. For example:
■ A device connected to a low-priority port that causes the switch to exceed its budget is not supplied power.
■ If a device is connected to a critical or high-priority port and causes the switch to exceed its budget, port power is still turned on if the switch can drop power to one or more lower-priority ports and keep within its budget. Power will be dropped from low-priority ports in sequence starting from port number 1.
■ If sufficient power cannot be freed up for a critical or high-priority port by turning off power to lower-priority ports, power will not be supplied to the newly connected device.
◆ If a device is connected to a port after the switch has finished booting up and would cause the switch to exceed its budget, power will not be provided to that port regardless of its priority setting.
Note (EX-3524): If power priority is not set for any ports, and there is not sufficient power to supply all of the ports during bootup, available power is provided to the ports based on the PSE chips in the following order:
PSE#1: 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1
PSE#2: 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13
Note (EX-3548): If priority is not set for any ports, and there is not sufficient power to supply all of the ports, power is denied sequentially to PSE chip sets 1-4:
PSE#1 | PSE#2
1,0,3,2,5,4,7,6,9,8,11,10 | 13,12,15,14,17,16,19,18,21,20,23,22,25
PSE#3 | PSE#4
24,27,26,29,28,31,30,33,32,35,34,37 | 36,39,38,41,40,43,42,45,44,47,46
Note: For more information on using the PoE provided by this switch refer to the Installation Guide.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline priority 2
Console(config-if)#
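The budget and priority rules above are easiest to verify by stepping through them in code. The following Python model is an added example and is not part of this guide or the switch firmware: the boot-time detection order (ascending port number), the deliberately small 100 W budget and the device loads are constructed assumptions, and the real boot order follows the PSE chips as listed in the note above.

```python
"""Model of the PoE power-budget and port-priority rules described above.
Constructed example for illustration; it is not the switch firmware, and the
boot-time detection order (ascending port number) is an assumption, since the
real order follows the PSE chips as listed in the note."""
from dataclasses import dataclass, field

CRITICAL, HIGH, LOW = 1, 2, 3          # values of "power inline priority"
PORT_MAX_DEFAULT_MW = 34200            # default "power inline maximum allocation"


@dataclass
class Port:
    number: int
    demand_mw: int = 0                 # power the attached device asks for (0 = no device)
    max_alloc_mw: int = PORT_MAX_DEFAULT_MW
    priority: int = LOW
    powered: bool = False


@dataclass
class PoeSwitch:
    budget_mw: int                     # whole-switch PoE budget (390 W on the EX-3524)
    ports: dict = field(default_factory=dict)
    booted: bool = False

    def used_mw(self):
        return sum(p.demand_mw for p in self.ports.values() if p.powered)

    def powered_ports(self):
        return sorted(p.number for p in self.ports.values() if p.powered)

    def _try_power(self, port):
        """Apply the documented rules to one port; True if it ends up powered."""
        if port.demand_mw == 0:
            return False
        # A device needing more than the port's or the switch's budget gets nothing.
        if port.demand_mw > port.max_alloc_mw or port.demand_mw > self.budget_mw:
            return False
        shortfall = self.used_mw() + port.demand_mw - self.budget_mw
        if shortfall <= 0:
            port.powered = True
            return True
        # Over budget. After boot no port is pre-empted, whatever the priority;
        # a low-priority port is never allowed to push the switch over budget.
        if self.booted or port.priority == LOW:
            return False
        # During boot a critical/high port may drop lower-priority ports, taken in
        # sequence starting from port number 1, until the shortfall is covered.
        freed, victims = 0, []
        for cand in sorted(self.ports.values(), key=lambda p: p.number):
            if freed >= shortfall:
                break
            if cand.powered and cand.priority > port.priority:
                freed += cand.demand_mw
                victims.append(cand)
        if freed < shortfall:
            return False                # cannot free enough: new device stays unpowered
        for v in victims:
            v.powered = False
        port.powered = True
        return True

    def boot(self):
        """Boot-time allocation over all ports with attached devices (assumed order)."""
        for p in sorted(self.ports.values(), key=lambda p: p.number):
            self._try_power(p)
        self.booted = True
        return self.powered_ports()

    def connect(self, number, demand_mw):
        """A device is plugged in after boot and asks for demand_mw."""
        p = self.ports[number]
        p.demand_mw = demand_mw
        return self._try_power(p)


def demo():
    """Constructed scenario with a 100 W budget so that pre-emption is visible."""
    sw = PoeSwitch(budget_mw=100_000)
    for n in range(1, 8):
        sw.ports[n] = Port(n)
    for n in (1, 2, 3, 4):
        sw.ports[n].demand_mw = 30_000     # four 30 W devices present at boot
    sw.ports[4].priority = CRITICAL         # port 4 is critical, the rest default to low
    at_boot = sw.boot()                     # port 1 is dropped so that port 4 can be powered
    sw.ports[5].priority = CRITICAL
    late_critical = sw.connect(5, 20_000)   # after boot: denied even though critical
    fits = sw.connect(6, 10_000)            # fits in the remaining 10 W
    sw.ports[7].max_alloc_mw = 8_000
    over_port_max = sw.connect(7, 9_000)    # exceeds the port's own allocation
    return at_boot, late_critical, fits, over_port_max, sw.powered_ports()


if __name__ == "__main__":
    print(demo())
```

Running the scenario shows the three behaviours the bullets describe: the critical port pre-empts the lowest-numbered low-priority port at boot, a critical device plugged in after boot is still refused once the budget is full, and a device asking for more than the port's own maximum allocation never gets power.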
power inline time-range
This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding.
Syntax
power inline time-range time-range-name
no power inline time-range
time-range-name - Name of the time range. (Range: 1-30 characters)
Default Setting
None
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline time-range rd
Console(config-if)#
Related Commands
time-range (128)
show power inline status
This command displays the current power status for all ports or for specific ports.
Syntax
show power inline status [ interface ]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example
Console#show power inline status
Unit: 1
Compatible mode : Enabled
Time Max Used
Interface Admin Range Oper Power Power Priority
--------- -------- -------- ---- -------- -------- --------
Eth 1/ 1 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 2 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 3 Enabled -- Off 34200 mW 7505 mW Low
Eth 1/ 4 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 5 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 6 Enabled -- Off 34200 mW 0 mW Low
Eth 1/ 7 Enabled -- Off 15400 mW 8597 mW Low
Eth 1/ 8 Enabled -- Off 15400 mW 0 mW Low
Eth 1/ 9 Enabled -- Off 15400 mW 0 mW Low
Eth 1/10 Enabled -- Off 15400 mW 0 mW Low
Eth 1/11 Enabled -- Off 15400 mW 0 mW Low
Eth 1/12 Enabled -- Off 15400 mW 0 mW Low
.
.
Table 69: show power inline status - display description
Field | Description
Admin | The power mode set on the port (see power inline)
Oper | The current operating power status (displays on or off)
Power (mWatt) | The maximum power allocated to this port (see power inline maximum allocation)
Power (used) | The current power consumption on the port in milliwatts
Priority | The port’s power priority setting (see power inline priority)
show power inline time-range
This command displays the time-range and current status for specific ports or for all ports.
Syntax
show power inline time-range time-range-name [ interface ]
time-range-name - Name of the time range. (Range: 1-30 characters)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example
Console#show power inline time-range ethernet 1/5
Interface Time Range Name Status
--------- ---------------- --------
Eth 1/ 5 r&d Inactive
Console#
Related Commands
power inline (326)
show power poe
Use this command to display the current power status for the switch.
Command Mode
Privileged Exec
Example
Console#show power poe
Unit 1 PoE Status
PoE Maximum Available Power : 390 Watts
System Operation Status : On
PoE Power Consumption : 0 Watts
Software Version : Microsemi SDK V1.0.4
Console#
Table 70: show power mainpower - display description
Field | Description
PoE Maximum Available Power | The available power budget for the switch
System Operation Status | The current operating power status (displays on or off)
PoE Power Consumption | The current power consumption on the switch in watts
Software Version | The version of software running on the PoE controller subsystem in the switch.
Chapter 13 | Port Mirroring Commands
Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Table 71: Port Mirroring Commands
Command | Function
Local Port Mirroring | Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port
RSPAN Mirroring | Mirrors data from remote switches over a dedicated VLAN
Local Port Mirroring Commands
This section describes how to mirror traffic from a source port to a target port.
Table 72: Mirror Port Commands
Command | Function | Mode
port monitor | Configures a mirror session | IC
show port monitor | Shows the configuration for a mirror port | PE
port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
Syntax
port monitor [ interface [ rx | tx | both ] | vlan vlan-id | mac-address mac-address ]
no port monitor { interface | vlan vlan-id | mac-address mac-address }
interface
ethernet unit/port (source port)
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
rx - Mirror received packets.
tx - Mirror transmitted packets.
both - Mirror both received and transmitted packets.
vlan-id - VLAN ID (Range: 1-4093)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
Command Mode
Interface Configuration (Ethernet, destination port)
Command Usage
◆ You can mirror traffic from any source port or trunk to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port or trunk in a completely unobtrusive manner.
◆ Set the destination port by specifying an Ethernet interface with the interface configuration command, and then use the port monitor command to specify the source of the traffic to mirror. Note that the destination port cannot be a trunk or trunk member port.
◆ When mirroring traffic from a port or trunk, the mirror port/trunk and monitor port speeds should match, otherwise traffic may be dropped from the monitor port. When mirroring traffic from a VLAN, traffic may also be dropped under heavy loads.
◆ When VLAN mirroring and port or trunk mirroring are both enabled, the target port can receive a mirrored packet twice; once from the source mirror port or trunk and again from the source mirror VLAN.
◆ When mirroring traffic from a MAC address, ingress traffic with the specified source address entering any port in the switch, other than the target port, will be mirrored to the destination port.
◆ When traffic matches the rules for both port mirroring, and for mirroring of VLAN traffic or packets based on a MAC address, the matching packets will not be sent to the target port specified for port mirroring.
◆ Spanning Tree BPDU packets are not mirrored to the target port.
◆ You can create multiple mirror sessions, but all sessions must share the same destination port.
◆ The destination port cannot be a trunk or trunk member port.
◆ RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source ports and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. Also, RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it.
Example
The following example configures the switch to mirror all packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 both
Console(config-if)#
show port monitor
This command displays mirror information.
Syntax
show port monitor [ interface | vlan vlan-id | mac-address mac-address ]
interface - ethernet unit/port (source port)
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
vlan-id - VLAN ID (Range: 1-4093)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Default Setting
Shows all sessions.
Command Mode
Privileged Exec
Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Example
The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination Port (listen port): Eth1/11
Source Port (monitored port) : Eth1/ 6
Mode :RX/TX
Console#
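A mirror session copies every frame crossing the source port to the listen port, so during a configuration review the show port monitor output deserves a mechanical check rather than a glance. The following Python parser and audit check is an added example, not part of this guide or the switch software; the sample output is constructed from the format shown above (two sessions sharing the destination port, as the command usage allows), and the approved-destination and expected-source sets are assumptions.

```python
"""Parser and audit check for 'show port monitor' output. Constructed example,
not part of the switch software; the sample output is built from the format
shown on this page, and the approved/expected port sets are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: two sessions sharing the destination port, as the page allows.
SAMPLE_OUTPUT = """\
Port Mirroring
-------------------------------------
Destination Port (listen port): Eth1/11
Source Port (monitored port) : Eth1/ 6
Mode :RX/TX
Destination Port (listen port): Eth1/11
Source Port (monitored port) : Eth1/ 2
Mode :RX
"""

_KV = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


@dataclass(frozen=True)
class MirrorSession:
    destination: str
    source: str
    mode: str


def _norm_port(text):
    """'Eth1/ 6' -> 'Eth1/6': the CLI pads the port number, so strip all blanks."""
    return re.sub(r"\s+", "", text)


def parse_port_monitor(output):
    """Return one MirrorSession per 'Destination Port' block in the output."""
    sessions, cur = [], {}

    def flush():
        if cur:
            sessions.append(MirrorSession(cur.get("destination", ""),
                                          cur.get("source", ""),
                                          cur.get("mode", "")))
            cur.clear()

    for line in output.splitlines():
        m = _KV.match(line)
        if not m:
            continue                     # title and separator lines carry no colon
        key, val = m.group("key").lower(), m.group("val")
        if key.startswith("destination port"):
            flush()                      # a new session block starts here
            cur["destination"] = _norm_port(val)
        elif key.startswith("source port"):
            cur["source"] = _norm_port(val)
        elif key == "mode":
            cur["mode"] = val.upper()
    flush()
    return sessions


def audit(sessions, approved_destinations, expected_sources):
    """Flag mirror sessions that do not match the documented monitoring design:
    an unexpected listen port or an unexpected monitored port is worth an alert."""
    findings = []
    for s in sessions:
        if s.destination not in approved_destinations:
            findings.append(f"{s.source} -> {s.destination}: destination is not an approved analyzer port")
        elif s.source not in expected_sources:
            findings.append(f"{s.source} -> {s.destination}: monitored source not in the expected set")
    return findings


if __name__ == "__main__":
    found = parse_port_monitor(SAMPLE_OUTPUT)
    for line in audit(found, approved_destinations={"Eth1/11"}, expected_sources={"Eth1/6"}):
        print(line)
```

The parser keys on the "Destination Port" line to split sessions because, per the command usage above, several sessions may exist but all share one destination, so that line is the only reliable block delimiter. Feed it the captured output of show port monitor from each switch and compare the result against the mirror sessions your monitoring design actually calls for.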
RSPAN Mirroring Commands
Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
Table 73: RSPAN Commands
Command | Function | Mode
vlan rspan | Creates a VLAN dedicated to carrying RSPAN traffic | VC
rspan source | Specifies the source port and traffic type to be mirrored | GC
rspan destination | Specifies the destination port to monitor the mirrored traffic | GC
rspan remote vlan | Specifies the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports | GC
no rspan session | Deletes a configured RSPAN session | GC
show rspan | Displays the configuration settings for an RSPAN session | PE
Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.)
2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch’s role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
RSPAN Limitations
The following limitations apply to the use of RSPAN on this switch:
◆ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface – source, destination, or uplink. Also, note that the source port and destination port cannot be configured on the same switch. Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink or destination port – access ports are not allowed (see switchport mode).
◆ Local/Remote Mirror – The destination of a local mirror session (created with the port monitor command) cannot be used as the destination for RSPAN traffic. Only two mirror sessions are allowed. Both sessions can be allocated to remote mirroring, unless local mirroring is enabled (which is limited to a single session).
◆ Spanning Tree – If the spanning tree is disabled, BPDUs will not be flooded onto the RSPAN VLAN. MAC address learning is not supported on RSPAN uplink ports when RSPAN is enabled on the switch. Therefore, even if spanning tree is enabled after RSPAN has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
◆ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally. RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it.
◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, source port, or destination port. Also, when a port is configured as an RSPAN uplink port, source port, or destination port, port security cannot be enabled on that port.
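The four configuration steps and the limitations above can be encoded as a plan check that runs before any command is typed, which catches the common mistakes (source and destination on one switch, an access port as uplink, a port-security port reused for RSPAN) without a maintenance window. The following Python helper is an added example, not part of this guide or the switch software; the plan dictionary layout, the function names, the two-switch plan and the idea of repeating the rspan remote vlan uplink command once per uplink port on an intermediate or destination switch are assumptions. Step 1 (vlan rspan) is entered in VLAN database mode and its syntax is not on this page, so the helper does not emit it.

```python
"""RSPAN planning helper: checks a per-switch plan against the limitations and
configuration steps listed above, then emits the CLI lines from this page for that
switch. Constructed example, not the switch's own software. The plan dictionary
layout, the function names, and repeating 'rspan ... remote vlan ... uplink' once
per uplink port on intermediate/destination switches are assumptions."""


def check_switch(sw):
    """Return the list of documented RSPAN rules that this switch's plan violates."""
    errs, name = [], sw["name"]
    vlan, sid = sw["rspan_vlan"], sw["session"]
    sources, uplinks = sw.get("sources", []), sw.get("uplinks", [])
    dest = [sw["destination"]] if sw.get("destination") else []
    if not 2 <= vlan <= 4092:
        errs.append(f"{name}: RSPAN VLAN {vlan} outside 2-4092 (VLAN 1 and 4093 are prohibited)")
    if sid not in (1, 2):
        errs.append(f"{name}: session-id {sid} outside 1-2")
    if sw.get("local_mirror") and sid == 2:
        errs.append(f"{name}: local mirroring is enabled, so only one RSPAN session is available")
    if sw["role"] == "source" and len(uplinks) != 1:
        errs.append(f"{name}: a source switch takes exactly one uplink port")
    if sources and dest:
        errs.append(f"{name}: source and destination ports cannot be on the same switch")
    if uplinks and sw.get("dot1x_global"):
        errs.append(f"{name}: 802.1X is enabled globally, so RSPAN uplink ports cannot be configured")
    used = {}
    for kind, ports in (("source", sources), ("destination", dest), ("uplink", uplinks)):
        for p in ports:
            info = sw["ports"].get(p, {})
            if info.get("trunk_member"):
                errs.append(f"{name}: port {p} is a trunk member; only plain ports can be RSPAN ports")
            if p in used:
                errs.append(f"{name}: port {p} is already the RSPAN {used[p]} port")
            used[p] = kind
            if info.get("port_security"):
                errs.append(f"{name}: port security is enabled on port {p}")
            if kind != "source" and info.get("mode", "access") == "access":
                errs.append(f"{name}: {kind} port {p} must be an 802.1Q trunk or hybrid port")
    return errs


def rspan_commands(sw):
    """Global-configuration lines for steps 2-4 (step 1, vlan rspan, is not emitted)."""
    sid, vlan, lines = sw["session"], sw["rspan_vlan"], []
    for p in sw.get("sources", []):
        lines.append(f"rspan session {sid} source interface ethernet 1/{p} {sw.get('traffic', 'both')}")
    if sw.get("destination"):
        tag = "tagged" if sw.get("tagged") else "untagged"
        lines.append(f"rspan session {sid} destination interface ethernet 1/{sw['destination']} {tag}")
    for p in sw.get("uplinks", []):
        lines.append(f"rspan session {sid} remote vlan {vlan} {sw['role']} uplink ethernet 1/{p}")
    return lines


# Constructed two-switch plan: SW-A mirrors received traffic on ports 2 and 3
# over RSPAN VLAN 2 towards port 2 of SW-B.
PLAN = [
    {"name": "SW-A", "role": "source", "session": 1, "rspan_vlan": 2,
     "sources": [2, 3], "traffic": "rx", "uplinks": [5],
     "ports": {2: {"mode": "access"}, 3: {"mode": "access"}, 5: {"mode": "trunk"}}},
    {"name": "SW-B", "role": "destination", "session": 1, "rspan_vlan": 2,
     "destination": 2, "uplinks": [3],
     "ports": {2: {"mode": "hybrid"}, 3: {"mode": "trunk"}}},
]

# Constructed plan that breaks several of the listed rules at once.
BAD_SWITCH = {"name": "SW-C", "role": "source", "session": 1, "rspan_vlan": 1,
              "sources": [4], "destination": 4, "uplinks": [7], "dot1x_global": True,
              "ports": {4: {"mode": "access", "port_security": True}, 7: {"mode": "access"}}}


if __name__ == "__main__":
    for sw in PLAN + [BAD_SWITCH]:
        problems = check_switch(sw)
        print(sw["name"], "->", problems or rspan_commands(sw))
```

For SW-B the helper reproduces the two commands shown in the rspan destination and rspan remote vlan examples further down; for SW-C it lists eight violations, which is the point: every rule in the limitations list maps to one explicit check, so an operator sees all of them before touching the switch.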
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
Syntax
[ no ] rspan session session-id source interface interface-list [ rx | tx | both ]
session-id – A number identifying this RSPAN session. (Range: 1-2)
Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then there is only one session available for RSPAN.
interface-list – One or more source ports. Use a hyphen to indicate a consecutive list of ports or a comma between non-consecutive ports.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
rx - Mirror received packets.
tx - Mirror transmitted packets.
both - Mirror both received and transmitted packets.
Default Setting
Both TX and RX traffic is mirrored
Command Mode
Global Configuration
Command Usage
◆ One or more source ports can be assigned to the same RSPAN session, either on the same switch or on different switches.
◆ Only ports can be configured as an RSPAN source – static and dynamic trunks are not allowed.
◆ The source port and destination port cannot be configured on the same switch.
Example
The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Syntax
rspan session session-id destination interface interface [ tagged | untagged ]
no rspan session session-id destination interface interface
session-id – A number identifying this RSPAN session. (Range: 1-2)
Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then there is only one session available for RSPAN.
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
tagged - Traffic exiting the destination port carries the RSPAN VLAN tag.
untagged - Traffic exiting the destination port is untagged.
Default Setting
Traffic exiting the destination port is untagged.
Command Mode
Global Configuration
Command Usage
◆ Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN destination port – access ports are not allowed (see switchport mode).
◆ Only ports can be configured as an RSPAN destination – static and dynamic trunks are not allowed.
◆ The source port and destination port cannot be configured on the same switch.
◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Example
The following example configures port 4 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/2
Console(config)#
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.
Syntax
[ no ] rspan session session-id remote vlan vlan-id { source | intermediate | destination } uplink interface
session-id – A number identifying this RSPAN session. (Range: 1-2)
Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then there is only one session available for RSPAN.
vlan-id - ID of configured RSPAN VLAN. (Range: 2-4092)
Use the vlan rspan command to reserve a VLAN for RSPAN mirroring before enabling RSPAN with this command.
source - Specifies this device as the source of remotely mirrored traffic.
intermediate - Specifies this device as an intermediate switch, transparently passing mirrored traffic from one or more sources to one or more destinations.
destination - Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session.
uplink - A port configured to receive or transmit remotely mirrored traffic.
interface - ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode).
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN. Ports cannot be manually assigned to an RSPAN VLAN with the switchport allowed vlan command. Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#
no rspan session
Use this command to delete a configured RSPAN session.
Syntax
no rspan session session-id
session-id – A number identifying this RSPAN session. (Range: 1-2)
Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then there is only one session available for RSPAN.
Command Mode
Global Configuration
Command Usage
The no rspan session command must be used to disable an RSPAN VLAN before it can be deleted from the VLAN database (see the vlan command).
Example
Console(config)#no rspan session 1
Console(config)#
show rspan
Use this command to display the configuration settings for an RSPAN session.
Syntax
show rspan session [ session-id ]
session-id – A number identifying this RSPAN session. (Range: 1-2)
Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then there is only one session available for RSPAN.
Command Mode
Privileged Exec
Example
Console#show rspan session
RSPAN Session ID : 1
Source Ports (mirrored ports) : None
RX Only : None
TX Only : None
BOTH : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode : Untagged
Switch Role : Destination
RSPAN VLAN : 2
RSPAN Uplink Ports : Eth 1/3
Operation Status : Up
Console#
Chapter 14 | Congestion Control Commands
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Table 74: Congestion Control Commands
Command Group | Function
Rate Limiting | Sets the input and output rate limits for a port.
Storm Control | Sets the traffic storm threshold for each port.
Automatic Traffic Control | Sets thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Rate Limit Commands
Rate limit commands allow the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network.
Packets that exceed the acceptable amount of traffic are dropped.
Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped.
Table 75: Rate Limit Commands
Command | Function | Mode
rate-limit | Configures the maximum input or output rate for an interface | IC
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.
Syntax
rate-limit { input | output } [ rate ]
no rate-limit { input | output }
input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in Kbps. (Range: 64-1000000 Kbps)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Note: Due to a chip limitation, the switch supports only one limit for both ingress rate limiting and storm control (including unknown unicast, multicast, and broadcast storms).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#rate-limit input 64
Console(config-if)#
Related Command
show interfaces switchport (305)
Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
You can protect your network from traffic storms by setting a threshold for broadcast, multicast or unknown unicast traffic. Any packets exceeding the specified threshold will then be dropped.
Table 76: Rate Limit Commands
Command | Function | Mode
switchport packet-rate * | Configures broadcast, multicast, and unknown unicast storm control thresholds | IC
show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE
* Enabling hardware-level storm control with this command on a port will disable software-level automatic storm control on the same port if configured by the auto-traffic-control command.
switchport packet-rate
This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting.
Syntax
switchport { broadcast | multicast | unknown-unicast } packet-rate rate
no switchport { broadcast | multicast | unknown-unicast }
broadcast - Specifies storm control for broadcast traffic.
multicast - Specifies storm control for multicast traffic.
unknown-unicast - Specifies storm control for unknown unicast traffic.
rate - Threshold level as a rate; i.e., kilobits per second. (Range: 64-1000000 kbps)
Default Setting
Broadcast Storm Control: Enabled, 64 kbps
Multicast Storm Control: Disabled
Unknown Unicast Storm Control: Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
◆ The rate limits set by this command are also used by automatic storm control when the control response is set to rate limiting by the auto-traffic-control action command.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Example
The following shows how to configure broadcast storm control at 600 kbits per second:
Console(config)#interface ethernet 1/5
Console(config-if)#switchport broadcast packet-rate 600
Console(config-if)#
Automatic Traffic Control Commands
Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Table 77: ATC Commands
Command | Function | Mode
Threshold Commands
auto-traffic-control apply-timer | Sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold | GC
auto-traffic-control release-timer | Sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold | GC
auto-traffic-control * | Enables automatic traffic control for broadcast or multicast storms | IC (Port)
auto-traffic-control action | Sets the control action to limit ingress traffic or shut down the offending port | IC (Port)
auto-traffic-control alarm-clear-threshold | Sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent | IC (Port)
auto-traffic-control alarm-fire-threshold | Sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires | IC (Port)
auto-traffic-control auto-control-release | Automatically releases a control response | IC (Port)
auto-traffic-control control-release | Manually releases a control response | IC (Port)
SNMP Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire | Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control | IC (Port)
snmp-server enable port-traps atc broadcast-control-apply | Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires | IC (Port)
snmp-server enable port-traps atc broadcast-control-release | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires | IC (Port)
snmp-server enable port-traps atc multicast-alarm-clear | Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered | IC (Port)
snmp-server enable port-traps atc multicast-alarm-fire | Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control | IC (Port)
snmp-server enable port-traps atc multicast-control-apply | Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires | IC (Port)
snmp-server enable port-traps atc multicast-control-release | Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires | IC (Port)
ATC Display Commands
show auto-traffic-control | Shows global configuration settings for automatic storm control | PE
show auto-traffic-control interface | Shows interface configuration settings and storm control status for the specified port | PE
* Enabling automatic storm control on a port will disable hardware-level storm control on the same port if configured by the switchport packet-rate command.
– 347 –
Chapter 14 | Congestion Control Commands
Automatic Traffic Control Commands
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 1: Storm Control by Limiting the Traffic Rate
The key elements of this diagram are described below:
◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds this threshold, ATC sends a Storm Alarm Fire Trap and logs it.
◆ When traffic exceeds the alarm fire threshold and the apply timer expires, the configured control response is applied, and a Traffic Control Apply Trap is sent and logged.
◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold and the release timer expires, a rate-limiting control response is stopped and a Traffic Control Release Trap is sent and logged. If the control action has shut down the port, the port can only be re-enabled manually with the auto-traffic-control control-release command.
◆ A rate-limiting control response can be released automatically or manually. A port-shutdown control response can only be released manually.
Figure 2: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described for the preceding diagram, except that automatic release of the control response is not provided. Once the control response has been applied, you must manually re-enable the port.
Functional Limitations
Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command.
However, only one of these control types can be applied to a port. Enabling automatic storm control on a port will disable hardware-level storm control on that port.
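The fire/apply/clear/release sequence described above, modelled in Python as an added illustration; this is editor-written example code, not switch firmware or anything supplied by the vendor. Trap names, thresholds (Kpps), timers and the rate-control versus shutdown behaviour follow the command descriptions in this section. Two things the page leaves open are modelling assumptions here: traffic is fed as one rate sample per second, and the apply and release timers count only while traffic stays beyond the respective threshold. The demo_* functions and their short timers are constructed for readability.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AtcConfig:
    """Settings from the commands in this section; defaults are the documented ones."""
    action: str = "rate-control"        # auto-traffic-control ... action {rate-control|shutdown}
    auto_control_release: bool = False  # auto-traffic-control ... auto-control-release
    alarm_fire_threshold: int = 128     # Kpps, auto-traffic-control ... alarm-fire-threshold
    alarm_clear_threshold: int = 128    # Kpps, auto-traffic-control ... alarm-clear-threshold
    apply_timer: int = 300              # seconds, global apply-timer
    release_timer: int = 900            # seconds, global release-timer


@dataclass
class AtcPort:
    cfg: AtcConfig
    alarm: bool = False                 # fire trap sent, clear trap not yet sent
    control_applied: bool = False
    port_shutdown: bool = False
    above_since: Optional[int] = None   # when traffic last rose above the fire threshold
    below_since: Optional[int] = None   # when traffic last fell below the clear threshold
    traps: List[str] = field(default_factory=list)

    def _trap(self, t: int, name: str) -> None:
        self.traps.append(f"t={t} {name}")

    def observe(self, t: int, kpps: int) -> None:
        """Feed one ingress rate sample (kilo-packets per second) taken at second t."""
        cfg = self.cfg
        if self.port_shutdown:
            return  # assumption: a disabled port delivers no samples, so nothing clears
        if kpps > cfg.alarm_fire_threshold:
            self.below_since = None
            if not self.alarm:
                self.alarm, self.above_since = True, t
                self._trap(t, "Storm Alarm Fire")
            # assumption: the apply timer counts only while traffic stays above the threshold
            if not self.control_applied and t - self.above_since >= cfg.apply_timer:
                self.control_applied = True
                self._trap(t, "Traffic Control Apply")
                if cfg.action == "shutdown":
                    self.port_shutdown = True
        elif kpps < cfg.alarm_clear_threshold:
            self.above_since = None
            if self.alarm:
                self.alarm, self.below_since = False, t
                self._trap(t, "Storm Alarm Clear")
            # only rate limiting is ever released automatically, and only if configured
            if (self.control_applied and cfg.action == "rate-control"
                    and cfg.auto_control_release and self.below_since is not None
                    and t - self.below_since >= cfg.release_timer):
                self.control_applied = False
                self._trap(t, "Traffic Control Release")
        # a sample between the two thresholds changes nothing (hysteresis band)

    def control_release(self, t: int) -> None:
        """Operator action: auto-traffic-control {broadcast|multicast} control-release."""
        if self.control_applied:
            self.control_applied = self.port_shutdown = False
            self._trap(t, "Traffic Control Release (manual)")


def run(cfg: AtcConfig, samples: List[int]) -> AtcPort:
    """Drive one port through a constructed per-second series of ingress rates."""
    port = AtcPort(cfg)
    for t, kpps in enumerate(samples):
        port.observe(t, kpps)
    return port


def demo_rate_control() -> List[str]:
    """Constructed storm: 12 s at 250 Kpps, then quiet; short timers keep the trace readable."""
    cfg = AtcConfig(action="rate-control", auto_control_release=True,
                    alarm_fire_threshold=200, alarm_clear_threshold=100,
                    apply_timer=5, release_timer=10)
    return run(cfg, [250] * 12 + [20] * 15).traps


def demo_shutdown() -> List[str]:
    """Same storm with the shutdown action: the port stays down until control-release."""
    cfg = AtcConfig(action="shutdown", auto_control_release=True,
                    alarm_fire_threshold=200, alarm_clear_threshold=100,
                    apply_timer=5, release_timer=10)
    samples = [250] * 12 + [20] * 30
    port = run(cfg, samples)
    port.control_release(len(samples))   # operator steps in after the storm has ended
    return port.traps


if __name__ == "__main__":
    print("\n".join(demo_rate_control()))
    print("\n".join(demo_shutdown()))
```

The second demo is the point to notice operationally: with the shutdown action the clear threshold, release timer and auto-control-release play no part, so the port stays disabled until someone runs control-release, and the only notification along the way is the control-apply trap if it has been enabled.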
Threshold Commands
auto-traffic-control apply-timer
This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting.
Syntax
auto-traffic-control { broadcast | multicast } apply-timer seconds
no auto-traffic-control { broadcast | multicast } apply-timer
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
seconds - The interval after the upper threshold has been exceeded at which to apply the control response. (Range: 1-300 seconds)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command, and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or the snmp-server enable port-traps atc multicast-control-apply command.
Example
This example sets the apply timer to 200 seconds for all ports.
Console(config)#auto-traffic-control broadcast apply-timer 200
Console(config)#
auto-traffic-control release-timer
This command sets the time at which to release the control response after ingress traffic has fallen beneath the lower threshold. Use the no form to restore the default setting.
Syntax
auto-traffic-control { broadcast | multicast } release-timer seconds
no auto-traffic-control { broadcast | multicast } release-timer
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds)
Default Setting
900 seconds
Command Mode
Global Configuration
Command Usage
This command sets the delay after which the control response can be terminated.
The auto-traffic-control auto-control-release command must be used to enable or disable the automatic release of a rate-limiting control response. To re-enable a port which has been shut down by automatic traffic control, you must manually re-enable the port using the auto-traffic-control control-release command.
Example
This example sets the release timer to 800 seconds for all ports.
Console(config)#auto-traffic-control broadcast release-timer 800
Console(config)#
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms.
Use the no form to disable this feature.
Syntax
[ no ] auto-traffic-control { broadcast | multicast }
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Automatic storm control can be enabled for either broadcast or multicast traffic. It cannot be enabled for both of these traffic types at the same time.
◆ Automatic storm control is a software level control function. Traffic storms can also be controlled at the hardware level using the switchport packet-rate command. However, only one of these control types can be applied to a port.
Enabling automatic storm control on a port will disable hardware-level storm control on that port.
Example
This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control action
This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
Syntax
auto-traffic-control { broadcast | multicast } action { rate-control | shutdown }
no auto-traffic-control { broadcast | multicast } action
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
rate-control - If a control response is triggered, the rate of ingress traffic is limited based on the threshold configured by the auto-traffic-control alarm-clear-threshold command.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.
Default Setting
rate-control
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
◆ When the control response is set to rate limiting by this command, the rate limits are determined by the auto-traffic-control alarm-clear-threshold command.
◆ If the control response is to limit the rate of ingress traffic, it can be automatically terminated once the traffic rate has fallen beneath the lower threshold and the release timer has expired.
◆ If a port has been shut down by a control response, it will not be re-enabled by automatic traffic control. It can only be manually re-enabled using the auto-traffic-control control-release command. Because the port stays down until an operator intervenes, the shutdown action turns any sustained broadcast or multicast source on that port, whether a faulty device or a deliberate flood, into an outage for every host behind it; enable the control-apply trap so the event is seen, and reserve shutdown for ports where that trade-off is acceptable.
Example
This example sets the control response for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast action shutdown
Console(config-if)#
auto-traffic-control alarm-clear-threshold
This command sets the lower threshold for ingress traffic beneath which a control response for rate limiting will be released after the Release Timer expires, if so configured by the auto-traffic-control auto-control-release command. Use the no form to restore the default setting.
Syntax
auto-traffic-control { broadcast | multicast } alarm-clear-threshold threshold
no auto-traffic-control { broadcast | multicast } alarm-clear-threshold
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
threshold - The lower threshold for ingress traffic beneath which a cleared storm control trap is sent. (Range: 1-255 kilo-packets per second)
Default Setting
128 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or the snmp-server enable port-traps atc multicast-alarm-clear command.
◆ If rate limiting has been configured as a control response, it will be discontinued after the traffic rate has fallen beneath the lower threshold, and the release timer has expired. Note that if a port has been shut down by a control response, it will not be re-enabled by automatic traffic control. It can only be manually re-enabled using the auto-traffic-control control-release command.
Example
This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#
auto-traffic-control alarm-fire-threshold
This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. Use the no form to restore the default setting.
Syntax
auto-traffic-control { broadcast | multicast } alarm-fire-threshold threshold
no auto-traffic-control { broadcast | multicast } alarm-fire-threshold
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
threshold - The upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires. (Range: 1-255 kilo-packets per second)
Default Setting
128 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
◆ After the upper threshold is exceeded, the control timer must first expire as configured by the auto-traffic-control apply-timer command before a control response is triggered if configured by the auto-traffic-control action command.
Example
This example sets the trigger threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-fire-threshold 255
Console(config-if)#
auto-traffic-control auto-control-release
This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.
Syntax
auto-traffic-control { broadcast | multicast } auto-control-release
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command can be used to automatically stop a rate-limiting control response after the specified action has been triggered and the release timer has expired.
◆ To release a control response which has shut down a port, use the auto-traffic-control control-release command; a shut-down port is never released automatically, regardless of the release timer.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast auto-control-release
Console(config-if)#
auto-traffic-control control-release
This command manually releases a control response.
Syntax
auto-traffic-control { broadcast | multicast } control-release
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
Command Mode
Interface Configuration (Ethernet)
Command Usage
This command can be used to manually stop a control response of rate-limiting or port shutdown any time after the specified action has been triggered.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast control-release
Console(config-if)#
SNMP Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc broadcast-alarm-clear
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#
Related Commands: auto-traffic-control action (351), auto-traffic-control alarm-clear-threshold (352)
snmp-server enable port-traps atc broadcast-alarm-fire
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc broadcast-alarm-fire
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire
Console(config-if)#
Related Commands: auto-traffic-control alarm-fire-threshold (353)
snmp-server enable port-traps atc broadcast-control-apply
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc broadcast-control-apply
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#
Related Commands: auto-traffic-control alarm-fire-threshold (353), auto-traffic-control apply-timer (349)
snmp-server enable port-traps atc broadcast-control-release
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc broadcast-control-release
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
Console(config-if)#
Related Commands: auto-traffic-control alarm-clear-threshold (352), auto-traffic-control action (351), auto-traffic-control release-timer (350)
snmp-server enable port-traps atc multicast-alarm-clear
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc multicast-alarm-clear
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#
Related Commands: auto-traffic-control action (351), auto-traffic-control alarm-clear-threshold (352)
snmp-server enable port-traps atc multicast-alarm-fire
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc multicast-alarm-fire
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
Console(config-if)#
Related Commands: auto-traffic-control alarm-fire-threshold (353)
snmp-server enable port-traps atc multicast-control-apply
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc multicast-control-apply
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#
Related Commands: auto-traffic-control alarm-fire-threshold (353), auto-traffic-control apply-timer (349)
snmp-server enable port-traps atc multicast-control-release
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires.
Use the no form to disable this trap.
Syntax
[ no ] snmp-server enable port-traps atc multicast-control-release
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-release
Console(config-if)#
Related Commands: auto-traffic-control alarm-clear-threshold (352), auto-traffic-control action (351), auto-traffic-control release-timer (350)
ATC Display Commands
show auto-traffic-control
This command shows global configuration settings for automatic storm control.
Command Mode
Privileged Exec
Example
Console#show auto-traffic-control
Storm-control: Broadcast
Apply-timer (sec) : 300
release-timer (sec) : 900
Storm-control: Multicast
Apply-timer(sec) : 300
release-timer(sec) : 900
Console#
show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
Syntax
show auto-traffic-control interface [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
------------------------------------------------------------------------
Storm Control: Broadcast Multicast
State: Disabled Disabled
Action: rate-control rate-control
Auto Release Control: Disabled Disabled
Alarm Fire Threshold(Kpps): 128 128
Alarm Clear Threshold(Kpps):128 128
Trap Storm Fire: Disabled Disabled
Trap Storm Clear: Disabled Disabled
Trap Traffic Apply: Disabled Disabled
Trap Traffic Release: Disabled Disabled
Console#
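An added example, not part of the original guide, that parses the show auto-traffic-control interface output above and applies the checks a reviewer would make against the behaviour described in this section: a clear threshold that is not below the fire threshold (the documented defaults are both 128 Kpps, so there is no hysteresis band unless one of them is changed), auto-control-release configured alongside the shutdown action (which is never released automatically), and ATC enabled while its fire and apply traps are off. The sample text is constructed in the layout of the output above with values altered to trigger every check; it is not a capture from a real switch. Column and row labels are taken from the documented output, the wording of the findings is the editor's.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the show output above; the values were
# altered by the editor to exercise the audit and are not from a real switch.
SAMPLE_OUTPUT = """\
Eth 1/1 Information
------------------------------------------------------------------------
Storm Control:               Broadcast   Multicast
State:                       Enabled     Disabled
Action:                      shutdown    rate-control
Auto Release Control:        Enabled     Disabled
Alarm Fire Threshold(Kpps):  128         128
Alarm Clear Threshold(Kpps): 128         128
Trap Storm Fire:             Disabled    Disabled
Trap Storm Clear:            Disabled    Disabled
Trap Traffic Apply:          Disabled    Disabled
Trap Traffic Release:        Disabled    Disabled
"""

# "<label>: <broadcast value> <multicast value>"; tolerates the missing space
# after the colon seen on the Alarm Clear Threshold line of the documented output
ROW = re.compile(r"^([A-Za-z][^:]*):\s*(\S+)\s+(\S+)\s*$")


def parse_atc_interface(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the two-column output into {'Broadcast': {...}, 'Multicast': {...}}."""
    table: Dict[str, Dict[str, str]] = {"Broadcast": {}, "Multicast": {}}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title line and rule line carry no settings
        key, bcast, mcast = m.group(1).strip(), m.group(2), m.group(3)
        if key == "Storm Control":
            continue  # column header row
        table["Broadcast"][key] = bcast
        table["Multicast"][key] = mcast
    return table


def audit_atc(table: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings a reviewer would raise, per traffic type, for enabled ATC only."""
    findings: List[str] = []
    for kind, s in table.items():
        if s.get("State") != "Enabled":
            continue  # ATC is off for this traffic type; its settings are dormant
        fire = int(s["Alarm Fire Threshold(Kpps)"])
        clear = int(s["Alarm Clear Threshold(Kpps)"])
        if clear >= fire:
            findings.append(
                f"{kind}: clear threshold {clear} Kpps is not below fire threshold "
                f"{fire} Kpps, so there is no hysteresis band between alarm and clear")
        if s.get("Action") == "shutdown" and s.get("Auto Release Control") == "Enabled":
            findings.append(
                f"{kind}: action is shutdown, which is never released automatically; "
                "auto-control-release has no effect and an operator must run control-release")
        silent = [k for k in ("Trap Storm Fire", "Trap Traffic Apply")
                  if s.get(k) != "Enabled"]
        if silent:
            findings.append(
                f"{kind}: {', '.join(silent)} disabled, so a storm response would "
                "not be reported to the SNMP manager")
    return findings


if __name__ == "__main__":
    for finding in audit_atc(parse_atc_interface(SAMPLE_OUTPUT)):
        print(finding)
```

Run against real output, the parser is the part worth keeping: once the settings are a dictionary, the same three checks can be applied across every port of a fleet, and the trap check in particular catches the common case where ATC was enabled for containment but nobody wired up the notifications that tell the operator a port has been silenced.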
15
Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Table 78: Address Table Commands
Command | Function | Mode
mac-address-table aging-time | Sets the aging time of the address table | GC
mac-address-table static | Maps a static address to a port in a VLAN | GC
clear mac-address-table dynamic | Removes any learned entries from the forwarding database | PE
show mac-address-table | Displays entries in the bridge-forwarding database | PE
show mac-address-table aging-time | Shows the aging time for the address table | PE
show mac-address-table count | Shows the number of MAC addresses used and the number of available MAC addresses | PE
mac-address-table aging-time
This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
Syntax
mac-address-table aging-time seconds
no mac-address-table aging-time
seconds - Aging time. (Range: 10-844/672 seconds for the EX-3524 and EX-3548 respectively; 0 to disable aging)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The aging time is used to age out dynamically learned forwarding information.
Chapter 15 | Address Table Commands
Example
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [ action ]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
vlan-id - VLAN ID (Range: 1-4093)
action
delete-on-reset - Assignment lasts until the switch is reset.
permanent - Assignment is permanent.
Default Setting
No static addresses are defined. The default mode is permanent .
Command Mode
Global Configuration
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
Static addresses have the following characteristics:
◆ Static addresses will not be removed from the address table when a given interface link is down.
◆ Static addresses are bound to the assigned interface and will not be moved.
When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
◆ A static address cannot be learned on another port until the address is removed with the no form of this command.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear mac-address-table dynamic
Console#
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [ address mac-address [ bit-mask ]] [ interface interface ] [ vlan vlan-id ] [ sort { address | vlan | interface }]
mac-address - MAC address.
bit-mask - Bits to match in the address.
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
vlan-id - VLAN ID (Range: 1-4093)
sort - Sort by address, vlan or interface.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address. Enter hexadecimal numbers, where an equivalent binary bit “0” means to match a bit and “1” means to ignore a bit. For example, a mask of 00-00-00-00-00-00 means an exact match, and a mask of FF-FF-FF-FF-FF-FF means “any.”
◆ The maximum number of address entries is 8K.
Example
Console#show mac-address-table
Interface MAC Address VLAN Type Life Time
--------- ----------------- ---- -------- -----------------
Eth 1/ 1 00-E0-29-94-34-DE 1 Config Delete on Reset
Eth 1/21 00-01-EC-F8-D8-D9 1 Learn Delete on Timeout
Console#
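The mask convention above (a 0 bit must match, a 1 bit is ignored, the inverse of the usual netmask sense) worked through in Python as an added example that is not part of the guide. It parses a constructed table in the layout of the show output above, implements the address/bit-mask filter, the interface and vlan filters and the sort keyword, and counts Learn entries per interface, which is a quick way to spot an access port presenting far more addresses than the hosts behind it should. The sample rows are made up; the row pattern assumes the "Eth unit/port" interface layout shown in the example and would need extending for port-channel entries.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class MacEntry(NamedTuple):
    interface: str
    mac: str
    vlan: int
    type: str        # "Learn" (dynamic) or "Config" (static)
    life_time: str


# Constructed rows in the layout of the show output above (example data only).
SAMPLE_TABLE = """\
Interface MAC Address       VLAN Type     Life Time
--------- ----------------- ---- -------- -----------------
Eth 1/ 1  00-E0-29-94-34-DE    1 Config   Delete on Reset
Eth 1/21  00-01-EC-F8-D8-D9    1 Learn    Delete on Timeout
Eth 1/22  00-E0-29-10-20-30   10 Learn    Delete on Timeout
Eth 1/ 5  00-E0-29-AA-BB-CC    1 Learn    Delete on Timeout
Eth 1/ 5  00-E0-29-AA-BB-CD    1 Learn    Delete on Timeout
"""

# interface, MAC, VLAN, Type, Life Time; assumes the "Eth unit/port" layout shown above
ROW = re.compile(
    r"^(Eth\s+\d+/\s*\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+"
    r"(\d+)\s+(Learn|Config)\s+(.+?)\s*$")

ANY_MASK = 0xFFFFFFFFFFFF   # 48 address bits


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", ""), 16)


def parse_mac_table(text: str) -> List[MacEntry]:
    entries: List[MacEntry] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:   # header and rule lines do not match the row pattern
            iface, mac, vlan, typ, life = m.groups()
            entries.append(MacEntry(iface.replace("/ ", "/"), mac.upper(), int(vlan), typ, life))
    return entries


def mac_matches(mac: str, address: str, bit_mask: str = "00-00-00-00-00-00") -> bool:
    """Switch convention: a 0 bit in the mask must match, a 1 bit is ignored.
    The default mask is therefore an exact match and FF-FF-FF-FF-FF-FF matches anything."""
    ignore = mac_to_int(bit_mask)
    diff = mac_to_int(mac) ^ mac_to_int(address)
    return (diff & ~ignore & ANY_MASK) == 0


def query(entries: List[MacEntry], address: Optional[str] = None,
          bit_mask: str = "00-00-00-00-00-00", interface: Optional[str] = None,
          vlan: Optional[int] = None, sort: str = "address") -> List[MacEntry]:
    """Filter and order entries the way the show command's keywords do."""
    rows = [e for e in entries
            if (address is None or mac_matches(e.mac, address, bit_mask))
            and (interface is None or e.interface == interface)
            and (vlan is None or e.vlan == vlan)]
    keys = {"address": lambda e: mac_to_int(e.mac),
            "vlan": lambda e: e.vlan,
            "interface": lambda e: e.interface}
    return sorted(rows, key=keys[sort])


def dynamic_counts(entries: List[MacEntry]) -> Dict[str, int]:
    """Learned (dynamic) entries per interface; compare against the expected host count."""
    return dict(Counter(e.interface for e in entries if e.type == "Learn"))


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_TABLE)
    # every address from one vendor OUI: match the first three octets, ignore the rest
    for e in query(table, address="00-E0-29-00-00-00", bit_mask="00-00-00-FF-FF-FF"):
        print(e.interface, e.mac, e.vlan, e.type)
    print(dynamic_counts(table))
```

The OUI query is the pattern to remember: to match a prefix you leave the prefix octets of the mask at 00 and set the trailing octets to FF, which is the opposite of what a netmask habit suggests and an easy way to get an empty result from the real command.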
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging Status : Enabled
Aging Time: 300 sec.
Console#
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
Syntax
show mac-address-table count [ interface interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table count interface ethernet 1/1
MAC Entries for Port ID : 1
Dynamic Address Count : 2
Total MAC Addresses : 2
Total MAC Address Space Available : 8192
Console#
16
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 79: Spanning Tree Commands
Command | Function | Mode
spanning-tree | Enables the spanning tree protocol | GC
spanning-tree cisco-prestandard | Configures spanning tree operation to be compatible with Cisco prestandard versions | GC
spanning-tree forward-time | Configures the spanning tree bridge forward time | GC
spanning-tree hello-time | Configures the spanning tree bridge hello time | GC
spanning-tree max-age | Configures the spanning tree bridge maximum age | GC
spanning-tree mode | Configures STP, RSTP or MSTP mode | GC
spanning-tree pathcost method | Configures the path cost method for RSTP/MSTP | GC
spanning-tree priority | Configures the spanning tree bridge priority | GC
spanning-tree mst configuration | Changes to MSTP configuration mode | GC
spanning-tree transmission-limit | Configures the transmission limit for RSTP/MSTP | GC
max-hops | Configures the maximum number of hops allowed in the region before a BPDU is discarded | MST
mst priority | Configures the priority of a spanning tree instance | MST
mst vlan | Adds VLANs to a spanning tree instance | MST
name | Configures the name for the multiple spanning tree | MST
revision | Configures the revision number for the multiple spanning tree | MST
spanning-tree bpdu-filter | Filters BPDUs for edge ports | IC
spanning-tree bpdu-guard | Shuts down an edge port if it receives a BPDU | IC
spanning-tree cost | Configures the spanning tree path cost of an interface | IC
spanning-tree edge-port | Enables fast forwarding for edge ports | IC
spanning-tree link-type | Configures the link type for RSTP/MSTP | IC
spanning-tree loopback-detection | Enables BPDU loopback detection for a port | IC
spanning-tree loopback-detection action | Configures the response for loopback detection to block user traffic or shut down the interface | IC
spanning-tree loopback-detection release-mode | Configures loopback release mode for a port | IC
spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for a port | IC
spanning-tree mst cost | Configures the path cost of an interface in the MST instance | IC
spanning-tree mst port-priority | Configures the priority of an interface in the MST instance | IC
spanning-tree port-priority | Configures the spanning tree priority of an interface | IC
spanning-tree root-guard | Prevents a designated port from passing superior BPDUs | IC
spanning-tree spanning-disabled | Disables spanning tree for an interface | IC
spanning-tree loopback-detection release | Manually releases a port placed in discarding state by loopback-detection | PE
spanning-tree protocol-migration | Re-checks the appropriate BPDU format | PE
show spanning-tree | Shows spanning tree configuration for the common spanning tree (i.e., overall bridge), a selected interface, or an instance within the multiple spanning tree | PE
show spanning-tree mst configuration | Shows the multiple spanning tree configuration | PE
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Syntax
[ no ] spanning-tree
Default Setting
Spanning tree is enabled.
Command Mode
Global Configuration
Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
Syntax
[ no ] spanning-tree cisco-prestandard
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Cisco prestandard versions prior to Cisco IOS Release 12.2(25)SEC do not fully follow the IEEE standard, causing some state machine procedures to function incorrectly. The command forces the spanning tree protocol to function in a manner compatible with Cisco prestandard versions.
Example
Console(config)#spanning-tree cisco-prestandard
Console(config)#
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4-30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
Default Setting
15 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
Example
Console(config)#spanning-tree forward-time 20
Console(config)#
spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree hello-time time
no spanning-tree hello-time
time - Time in seconds. (Range: 1-10 seconds)
The maximum value is the lower of 10 or [(max-age / 2) - 1].
Default Setting
2 seconds
Command Mode
Global Configuration
Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.
Example
Console(config)#spanning-tree hello-time 5
Console(config)#
Related Commands spanning-tree forward-time (369) spanning-tree max-age (371)
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
20 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
Example
Console(config)#spanning-tree max-age 40
Console(config)#
Related Commands spanning-tree forward-time (369) spanning-tree hello-time (370)
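The three timer commands above constrain each other, and the switch checks each command against the values already in effect, so the order in which they are entered matters (for example, max-age 40 is rejected while forward-time is still 15, because 40 exceeds 2 x (15 - 1) = 28). The following Python script is an added example and is not part of this guide or of the switch software; it encodes the bounds stated above (which collapse to the single relationship 2 x (hello-time + 1) <= max-age <= 2 x (forward-time - 1)) and emits the Global Configuration commands in an order that is accepted at every step. The timer triples used in the main block are constructed for the example.

```python
# Added example (not from the guide): validates the STA timer relationships
# stated in the forward-time / hello-time / max-age sections and orders the
# CLI commands so that each one is accepted against the values in effect.

HELLO_RANGE = (1, 10)
MAX_AGE_RANGE = (6, 40)
FORWARD_RANGE = (4, 30)


def check_timers(hello, max_age, forward):
    """Return a list of violations (empty when the triple is valid).

    The bounds in the guide reduce to one pair of inequalities:
        2 * (hello + 1) <= max_age <= 2 * (forward - 1)
    plus the per-timer ranges.
    """
    problems = []
    for name, value, (lo, hi) in (("hello-time", hello, HELLO_RANGE),
                                  ("max-age", max_age, MAX_AGE_RANGE),
                                  ("forward-time", forward, FORWARD_RANGE)):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} outside {lo}-{hi}")
    if max_age < 2 * (hello + 1):
        problems.append(f"max-age {max_age} < 2 x (hello-time + 1) = {2 * (hello + 1)}")
    if max_age > 2 * (forward - 1):
        problems.append(f"max-age {max_age} > 2 x (forward-time - 1) = {2 * (forward - 1)}")
    return problems


def timer_commands(current, target):
    """Global Configuration commands that move the bridge timers from
    `current` (hello, max_age, forward) to `target` with no rejected step.

    Widen the window first (raise forward-time, lower hello-time), then set
    max-age, then apply whichever of hello-time / forward-time is still
    pending.  Every intermediate triple stays inside the inequality because
    both end points satisfy it.
    """
    if check_timers(*current) or check_timers(*target):
        raise ValueError("both timer sets must be valid")
    h0, m0, f0 = current
    h, m, f = target
    cmds = []
    if f > f0:
        cmds.append(f"spanning-tree forward-time {f}")
    if h < h0:
        cmds.append(f"spanning-tree hello-time {h}")
    if m != m0:
        cmds.append(f"spanning-tree max-age {m}")
    if h > h0:
        cmds.append(f"spanning-tree hello-time {h}")
    if f < f0:
        cmds.append(f"spanning-tree forward-time {f}")
    return cmds


if __name__ == "__main__":
    # Constructed inputs: the factory defaults and two target timer sets.
    print(check_timers(2, 20, 15))
    print(check_timers(2, 40, 15))
    for line in timer_commands((2, 20, 15), (2, 40, 30)):
        print(line)
    for line in timer_commands((2, 20, 15), (1, 6, 4)):
        print(line)
```

Run it with no arguments to see the ordered command lists; feed the output to the console one line at a time in Global Configuration mode.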
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
Syntax
spanning-tree mode { stp | rstp | mstp }
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.1s)
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members. When operating multiple VLANs, we recommend selecting the MSTP option.
◆ Rapid Spanning Tree Protocol
RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
■ STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
■ RSTP Mode – If RSTP is using 802.1D BPDUs on a port and receives an RSTP BPDU after the migration delay expires, RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port.
◆ Multiple Spanning Tree Protocol
■ To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
■ A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
Example
The following example configures the switch to use Rapid Spanning Tree:
Console(config)#spanning-tree mode rstp
Console(config)#
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method { long | short }
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
short - Specifies 16-bit based values that range from 1-65535. This method is based on the IEEE 802.1D Spanning Tree Protocol.
Default Setting
Long method
Command Mode
Global Configuration
Command Usage
◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost ( page 380 ) takes precedence over port priority ( page 387 ).
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
Example
Console(config)#spanning-tree pathcost method long
Console(config)#
spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge. (Range: 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)
Default Setting
32768
Command Mode
Global Configuration
Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., the lowest numeric value) becomes the STA root device. If all devices have the same priority, the device with the lowest MAC address becomes the root device. Because any bridge that advertises a lower priority can take over as root, set the intended root and backup root to explicit low values (e.g., 4096 and 8192) rather than leaving every bridge at the default.
Example
Console(config)#spanning-tree priority 40960
Console(config)#
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Syntax
spanning-tree mst configuration
Default Setting
No VLANs are mapped to any MST instance.
The region name is set to the switch's MAC address.
Command Mode
Global Configuration
Example
Console(config)#spanning-tree mst configuration
Console(config-mstp)#
Related Commands mst vlan (376) mst priority (376) name (377) revision (378) max-hops (375)
spanning-tree transmission-limit
This command configures the maximum number of RSTP/MSTP BPDUs that the switch will transmit on a port in any one second (the transmit hold count). Use the no form to restore the default.
Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - Maximum number of BPDUs transmitted per second. (Range: 1-10)
Default Setting
3
Command Mode
Global Configuration
Command Usage
This command limits the maximum transmission rate for BPDUs.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
Syntax
max-hops hop-number
no max-hops
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MST region is treated as a single node by the STP and RSTP bridges outside it, so the message age of BPDUs is not incremented as they pass through the region. Instead, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances, use a hop count to bound the number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU. When the hop count reaches zero, the message is dropped.
Example
Console(config-mstp)#max-hops 30
Console(config-mstp)#
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance-id priority priority
no mst instance-id priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of the spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)
Default Setting
32768
Command Mode
MST Configuration
Command Usage
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
◆ You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.
Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[ no ] mst instance-id vlan vlan-range
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
vlan-range - Range of VLANs. (Range: 1-4093)
Default Setting
none
Command Mode
MST Configuration
Command Usage
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
◆ By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 32 instances. You should try to group VLANs which cover the same general area of your network. However, remember that you must configure all bridges within the same MST Region ( page 377 ) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MST region as a single node, connecting all regions to the Common Spanning Tree.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
no name
name - Name of the MST region. (Maximum length: 32 characters)
Default Setting
Switch’s MAC address
Command Mode
MST Configuration
Command Usage
The MST region name and revision number ( page 378 ) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Example
Console(config-mstp)#name R&D
Console(config-mstp)#
Related Commands revision (378)
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
Syntax
revision number
no revision
number - Revision number of the spanning tree configuration. (Range: 0-65535)
Default Setting
0
Command Mode
MST Configuration
Command Usage
The MST region name ( page 377 ) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Example
Console(config-mstp)#revision 1
Console(config-mstp)#
Related Commands name (377)
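The name, revision and VLAN-to-instance map are not compared field by field by neighbouring bridges; MSTP carries them in every BPDU as an MST Configuration Identifier, in which the VLAN map is reduced to a 16-byte HMAC-MD5 digest. Two bridges are in the same region only when the name, revision and digest all match, which is why a single VLAN mapped to a different instance on one bridge silently splits the region. The Python below is an added example and is not part of this guide or of the switch software; it computes the identifier with the algorithm and key defined in IEEE 802.1Q, and the region names, revisions and VLAN maps in the test are constructed (the "R&D" name and the "mst 1 vlan 2-5" mapping are those used in the examples above).

```python
import hashlib
import hmac

# Added example (not from the guide): derives the 51-octet MST Configuration
# Identifier that MSTP bridges compare to decide whether they share a region.
# Digest algorithm and key are those of IEEE 802.1Q (HMAC-MD5 over the
# 4096-entry VID-to-MSTID table).

MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_table(vlan_to_instance):
    """8192-byte configuration table: element k is the MSTID of VID k as a
    big-endian 16-bit value.  Unlisted VIDs belong to the IST (instance 0);
    elements 0 and 4095 are always zero."""
    table = bytearray(4096 * 2)
    for vid, mstid in vlan_to_instance.items():
        if not 1 <= vid <= 4094 or not 0 <= mstid <= 4094:
            raise ValueError(f"bad mapping {vid} -> {mstid}")
        table[2 * vid:2 * vid + 2] = mstid.to_bytes(2, "big")
    return bytes(table)


def mst_config_digest(vlan_to_instance):
    return hmac.new(MST_DIGEST_KEY, mst_table(vlan_to_instance), hashlib.md5).digest()


def mst_config_id(name, revision, vlan_to_instance):
    """Format Selector (0) + 32-byte name + 16-bit revision + 16-byte digest."""
    encoded = name.encode("ascii")
    if len(encoded) > 32 or not 0 <= revision <= 65535:
        raise ValueError("name must be <= 32 ASCII bytes, revision 0-65535")
    return (bytes([0]) + encoded.ljust(32, b"\0")
            + revision.to_bytes(2, "big") + mst_config_digest(vlan_to_instance))


def same_region(a, b):
    """Bridges a and b (name, revision, vlan_map) share a region only if all
    51 octets of the identifier are identical."""
    return hmac.compare_digest(mst_config_id(*a), mst_config_id(*b))


def expand(vlan_ranges, instance):
    """Turn CLI-style '2-5,10' into {vid: instance}, as 'mst 1 vlan 2-5' does."""
    out = {}
    for part in vlan_ranges.split(","):
        lo, _, hi = part.partition("-")
        for vid in range(int(lo), int(hi or lo) + 1):
            out[vid] = instance
    return out


if __name__ == "__main__":
    # Constructed inputs: the region from the examples above, and a peer that
    # differs only in the revision number.
    region = ("R&D", 1, expand("2-5", 1))
    peer = ("R&D", 2, expand("2-5", 1))
    print("digest:", mst_config_digest(region[2]).hex())
    print("same region:", same_region(region, peer))
```

The digest of the default configuration (every VLAN in instance 0) is 0xAC36177F50283CD4B83821D8AB26DE62; it is the value shown by many vendors' "show ... mst configuration digest" commands and is a quick way to confirm that a bridge has not yet been assigned any instances.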
spanning-tree bpdu-filter
This command filters all BPDUs received on an edge port. Use the no form to disable this feature.
Syntax
[ no ] spanning-tree bpdu-filter
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs. However, note that if a trunking port connected to another switch or bridging device is mistakenly configured as an edge port, and BPDU filtering is enabled on this port, this might cause a loop in the spanning tree.
◆ Before enabling BPDU Filter, the interface must first be configured as an edge port with the spanning-tree edge-port command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
Related Commands spanning-tree edge-port (381)
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form to disable this feature.
Syntax
[ no ] spanning-tree bpdu-guard
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that a device on that port is injecting BPDUs in an attempt to influence the spanning tree topology (for example, to become the root bridge and draw traffic through itself). If an interface is shut down by BPDU Guard, it must be manually re-enabled using the no spanning-tree spanning-disabled command.
◆ Before enabling BPDU Guard, the interface must be configured as an edge port with the spanning-tree edge-port command. Also note that if the edge port attribute is disabled on an interface, BPDU Guard will also be disabled on that interface.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#
Related Commands spanning-tree edge-port (381) spanning-tree spanning-disabled (389)
spanning-tree cost
This command configures the spanning tree path cost for the specified interface.
Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method; see note 9)
Table 80: Recommended STA Path Cost Range
Port Type | Short Path Cost (IEEE 802.1D-1998) | Long Path Cost (802.1D-2004)
Ethernet | 50-600 | 200,000-20,000,000
Fast Ethernet | 10-60 | 20,000-2,000,000
Gigabit Ethernet | 3-10 | 2,000-200,000
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
Table 81: Default STA Path Costs
Port Type | Short Path Cost (IEEE 802.1D-1998) | Long Path Cost (802.1D-2004)
Ethernet | 65,535 | 1,000,000
Fast Ethernet | 65,535 | 100,000
Gigabit Ethernet | 10,000 | 10,000
9. Use the spanning-tree pathcost method command on page 373 to set the path cost method. The range displayed in the CLI prompt message shows the maximum value for path cost. However, note that the switch still enforces the rules for path cost based on the specified path cost method (long or short).
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
◆ Path cost takes precedence over port priority.
◆ When the path cost method ( page 373 ) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#
spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
Syntax
spanning-tree edge-port [ auto ]
no spanning-tree edge-port
auto - Automatically determines if an interface is an edge port.
Default Setting
Auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
Specifying Edge Ports provides quicker convergence for devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related time out problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple
Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type { auto | point-to-point | shared }
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
Default Setting
auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Specify a point-to-point link if the interface can only be connected to exactly one other bridge, or a shared link if it can be connected to two or more bridges.
◆ When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree link-type point-to-point
spanning-tree loopback-detection
This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
Syntax
[ no ] spanning-tree loopback-detection
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1w-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection
spanning-tree loopback-detection action
This command configures the response for loopback detection to block user traffic or shut down the interface. Use the no form to restore the default.
Syntax
spanning-tree loopback-detection action { block | shutdown duration }
no spanning-tree loopback-detection action
block - Blocks user traffic by placing the interface in the discarding state.
shutdown - Shuts down the interface.
duration - The time in seconds for which the interface is shut down. (Range: 30-86400 seconds)
Default Setting
block
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If an interface is shut down by this command, and the release mode is set to "auto" with the spanning-tree loopback-detection release-mode command, the selected interface will be automatically enabled when the shutdown interval has expired.
◆ If an interface is shut down by this command, and the release mode is set to "manual," the interface can be re-enabled using the spanning-tree loopback-detection release command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection action shutdown 600
Console(config-if)#
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
Syntax
spanning-tree loopback-detection release-mode { auto | manual }
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
manual - The port can only be released from the discarding state manually.
Default Setting
auto
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied:
■ The port receives any other BPDU except for its own, or;
■ The port's link status changes to link down and then link up again, or;
■ The port ceases to receive its own BPDUs in a forward delay interval.
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1w-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
◆ When configured for manual release mode, then a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
Syntax
[ no ] spanning-tree loopback-detection trap
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection trap
spanning-tree mst cost
This command configures the path cost of an interface in the Multiple Spanning Tree instance. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface. (Range: 0 for auto-configuration, 1-65535 for short path cost method (see note 10), 1-200,000,000 for long path cost method)
The recommended path cost range is listed in Table 80 on page 380 .
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost "0" is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535. The default path costs are listed in Table 81 on page 380 .
10. Use the spanning-tree pathcost method command to set the path cost method.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Each spanning-tree instance is associated with a unique set of VLAN IDs.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
Example
Console(config)#interface Ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#
Related Commands spanning-tree mst port-priority (386)
spanning-tree mst port-priority
This command configures the priority of an interface in the Multiple Spanning Tree instance. Use the no form to restore the default.
Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface. (Range: 0-240 in steps of 16)
Default Setting
128
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch are the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one interface is assigned the highest priority, the interface with lowest numeric identifier will be enabled.
Example
Console(config)#interface Ethernet 1/5
Console(config-if)#spanning-tree mst 1 port-priority 0
Console(config-if)#
Related Commands spanning-tree mst cost (385)
spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)
Default Setting
128
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-priority 0
Related Commands spanning-tree cost (380)
spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account, so that a bridge behind this port cannot become the new root bridge and cannot cause a new root port to be elected on this switch. Use the no form to disable this feature.
Syntax
[ no ] spanning-tree root-guard
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A bridge with a lower bridge priority (or the same priority and a lower MAC address) can take over as the root bridge at any time, simply by advertising its bridge identifier in a BPDU.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.
◆ Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location. Root Guard should be enabled on any designated port connected to low-speed bridges which could potentially overload a slower link by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed.
◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree root-guard
Console(config-if)#
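BPDU Guard (above) and Root Guard both exist because the root election takes a single frame at its word: any device that can send a Configuration BPDU with a lower bridge identifier than the current root, or an equal identifier and a lower path cost, wins. The Python below is an added example and is not part of this guide or of the switch software; it builds and decodes an IEEE 802.1D Configuration BPDU (LLC header plus the 35-byte BPDU body, timers in 1/256 s units) and applies the comparison a bridge makes when it receives one. The legitimate root identifier is the one shown in the show spanning-tree output later in this chapter; the sender and attacker MAC addresses are constructed for the example.

```python
import struct

# Added example (not from the guide): IEEE 802.1D Configuration BPDU
# encode/decode plus the root-selection comparison, showing what BPDU Guard
# on edge ports and Root Guard on designated ports are protecting against.

LLC_STP = b"\x42\x42\x03"              # DSAP/SSAP 0x42, UI control field
BPDU_FMT = "!HBBB8sI8sHHHHH"           # 35-byte Configuration BPDU body


def bridge_id(priority, mac):
    """8-octet bridge identifier: 16-bit priority (step 4096) + 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0-61440 in steps of 4096")
    return priority.to_bytes(2, "big") + bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_config_bpdu(root, root_cost, sender, port_id=0x8001,
                      msg_age=0, max_age=20, hello=2, fwd=15, flags=0):
    """Protocol ID 0, version 0, type 0x00 (Configuration); timers in seconds."""
    return LLC_STP + struct.pack(BPDU_FMT, 0x0000, 0, 0x00, flags, root, root_cost,
                                 sender, port_id, msg_age * 256, max_age * 256,
                                 hello * 256, fwd * 256)


def parse_config_bpdu(frame):
    """Decode a Configuration BPDU; reject anything that is not one."""
    if not frame.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    body = frame[len(LLC_STP):]
    if len(body) < struct.calcsize(BPDU_FMT):
        raise ValueError("truncated BPDU")
    (proto, ver, btype, flags, root, cost, sender,
     port_id, age, max_age, hello, fwd) = struct.unpack(BPDU_FMT, body[:35])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a Configuration BPDU")
    return {
        "version": ver, "flags": flags,
        "root_priority": int.from_bytes(root[:2], "big"),
        "root_mac": root[2:].hex().upper(),
        "root_cost": cost,
        "sender_priority": int.from_bytes(sender[:2], "big"),
        "sender_mac": sender[2:].hex().upper(),
        "port_id": port_id,
        "message_age": age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd / 256,
    }


def is_superior(received, current):
    """Root-choice part of the 802.1D priority vector: lower root bridge ID
    wins, then lower root path cost, then lower sending bridge ID.  Uppercase
    hex strings of equal length compare in the same order as the integers."""
    def key(b):
        return (b["root_priority"], b["root_mac"], b["root_cost"],
                b["sender_priority"], b["sender_mac"])
    return key(received) < key(current)


if __name__ == "__main__":
    # Legitimate root from the show spanning-tree output in this chapter;
    # sender and attacker addresses are constructed.
    legit_root = bridge_id(32768, "00:01:EC:F8:D8:C6")
    current = parse_config_bpdu(build_config_bpdu(
        legit_root, 100000, bridge_id(32768, "00:01:EC:AA:BB:CC")))
    attacker = bridge_id(0, "00:11:22:33:44:55")
    rogue = parse_config_bpdu(build_config_bpdu(attacker, 0, attacker))
    print("rogue BPDU claims root", rogue["root_priority"], rogue["root_mac"])
    print("would replace current root:", is_superior(rogue, current))
```

With BPDU Guard on the access port the rogue frame shuts the port down before the comparison is ever made; with Root Guard on a designated port the frame is seen but the port is held in the discarding state instead of accepting the new root, which is the behaviour described under spanning-tree root-guard above.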
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Syntax
[ no ] spanning-tree spanning-disabled
Default Setting
Spanning tree is enabled on the interface (spanning-disabled is not set).
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#
spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback-detection.
Syntax
spanning-tree loopback-detection release interface
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Command Usage
Use this command to release an interface from discarding state if loopback detection release mode is set to “manual” by the spanning-tree loopback-detection release-mode command and BPDU loopback occurs.
Example
Console#spanning-tree loopback-detection release ethernet 1/1
Console#
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. The interface does not return to RSTP/MSTP on its own when the 802.1D neighbour is removed; use the spanning-tree protocol-migration command to manually re-check the appropriate BPDU format to send on the selected interface (i.e., RSTP or STP-compatible).
Example
Console#spanning-tree protocol-migration eth 1/5
Console#
show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
Syntax
show spanning-tree [ interface | mst [ instance-id ]]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
instance-id - Instance identifier of the multiple spanning tree. (Range: 0-4094, no leading zeroes)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
◆ Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
Example
Console#show spanning-tree
Spanning Tree Information
---------------------------------------------------------------
Spanning Tree Mode : MSTP
Spanning Tree Enabled/Disabled : Enabled
Instance : 0
VLANs Configured : 1-4093
Priority : 32768
Bridge Hello Time (sec.) : 2
Bridge Max. Age (sec.) : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.) : 2
Root Max. Age (sec.) : 20
Root Forward Delay (sec.) : 15
Max. Hops : 20
Remaining Hops : 20
Designated Root : 32768.0.0001ECF8D8C6
Current Root Port : 21
Current Root Cost : 100000
Number of Topology Changes : 5
Last Topology Change Time (sec.): 11409
Transmission Limit : 3
Path Cost Method : Long
Cisco Prestandard : Disabled
---------------------------------------------------------------
Eth 1/ 1 information
---------------------------------------------------------------
Admin Status : Enabled
Role : Disabled
State : Discarding
External Admin Path Cost : 0
Internal Admin Path Cost : 0
External Oper Path Cost : 100000
Internal Oper Path Cost : 100000
Priority : 128
Designated Cost : 100000
Designated Port : 128.1
Designated Root : 32768.0.0001ECF8D8C6
.
.
.
Designated Bridge : 32768.0.123412341234
Fast Forwarding : Disabled
Forward Transitions : 4
Admin Edge Port : Disabled
Oper Edge Port : Disabled
Admin Link Type : Auto
Oper Link Type : Point-to-point
Spanning-Tree Status : Enabled
Loopback Detection Status : Enabled
Loopback Detection Release Mode : Auto
Loopback Detection Trap : Disabled
Loopback Detection Action : Shutdown, 300 seconds
Root Guard Status : Disabled
BPDU Guard Status : Disabled
BPDU Filter Status : Disabled
Tx BPDUs : 11320
Rx BPDUs : 0
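The per-interface block above lists the protection features that matter on an access port (edge status, BPDU guard, BPDU filter, root guard, loopback detection). An administrator auditing many ports will want to parse this output rather than read it. The following Python script is an added example, not part of this guide or the switch software: it splits the show spanning-tree output into a global section and one section per interface and flags ports whose settings a reviewer would question. The sample output is constructed, modelled on the example above with a second interface added; the flagging rules are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the show spanning-tree output reproduced in this
# chapter: the global block followed by two interface blocks (field list trimmed).
SAMPLE_OUTPUT = """\
Spanning Tree Information
---------------------------------------------------------------
Spanning Tree Mode : MSTP
Spanning Tree Enabled/Disabled : Enabled
Instance : 0
Priority : 32768
Last Topology Change Time (sec.): 11409
Designated Root : 32768.0.0001ECF8D8C6
---------------------------------------------------------------
Eth 1/ 1 information
---------------------------------------------------------------
Admin Status : Enabled
Role : Disabled
State : Discarding
Admin Edge Port : Disabled
Loopback Detection Status : Enabled
Root Guard Status : Disabled
BPDU Guard Status : Disabled
BPDU Filter Status : Disabled
---------------------------------------------------------------
Eth 1/ 2 information
---------------------------------------------------------------
Admin Status : Enabled
Role : Designated
State : Forwarding
Admin Edge Port : Enabled
Loopback Detection Status : Disabled
Root Guard Status : Disabled
BPDU Guard Status : Disabled
BPDU Filter Status : Enabled
"""

INTERFACE_RE = re.compile(r"^(Eth \d+/\s*\d+|Trunk \d+) information$")


def parse_show_spanning_tree(text: str) -> Dict[str, Dict[str, str]]:
    """Split the command output into a "global" section plus one section per
    interface, each a mapping of field name to value. Separator lines and the
    title line carry no colon and are skipped."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = sections["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = INTERFACE_RE.match(line)
        if m:
            name = m.group(1).replace("/ ", "/")   # "Eth 1/ 1" -> "Eth 1/1"
            current = sections.setdefault(name, {})
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def audit_port_protection(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per questionable per-port setting (rules are this example's)."""
    findings: List[str] = []
    for name, f in sections.items():
        if name == "global" or f.get("Admin Status") != "Enabled":
            continue
        # an edge port faces end stations, so a BPDU arriving there is unexpected
        if f.get("Admin Edge Port") == "Enabled" and f.get("BPDU Guard Status") != "Enabled":
            findings.append(f"{name}: admin edge port without BPDU guard")
        # filtering BPDUs on a port that is part of the tree hides topology changes
        if f.get("BPDU Filter Status") == "Enabled" and f.get("Admin Edge Port") != "Enabled":
            findings.append(f"{name}: BPDU filter on a non-edge port")
        if f.get("Loopback Detection Status") != "Enabled":
            findings.append(f"{name}: loopback detection disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_port_protection(parse_show_spanning_tree(SAMPLE_OUTPUT)):
        print(finding)
```

Feed it the captured output of show spanning-tree (with no parameters) and it reports per port; the global fields stay available under the "global" key for checks such as the bridge priority or the designated root.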
show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
Command Mode
Privileged Exec
Example
Console#show spanning-tree mst configuration
Mstp Configuration Information
--------------------------------------------------------------
Configuration Name : R&D
Revision Level :0
Instance VLANs
--------------------------------------------------------------
0 1-4093
Console#
17 VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Table 82: VLAN Commands
Command Group                         Function
GVRP and Bridge Extension Commands    Configures GVRP settings that permit automatic VLAN learning; shows the configuration for bridge extension MIB
Editing VLAN Groups                   Sets up VLAN groups, including name, VID and state
Configuring VLAN Interfaces           Configures VLAN interface parameters, including ingress and egress tagging mode, ingress filtering, PVID, and GVRP
Displaying VLAN Information           Displays VLAN groups, status, port members, and MAC addresses
Configuring IEEE 802.1Q Tunneling     Configures 802.1Q Tunneling (QinQ Tunneling)
Configuring Protocol-based VLANs *    Configures protocol-based VLANs based on frame type and protocol
Configuring IP Subnet VLANs *         Configures IP Subnet-based VLANs
Configuring MAC Based VLANs *         Configures MAC-based VLANs
Configuring Voice VLANs               Configures VoIP traffic detection and enables a Voice VLAN
* If a packet matches the rules defined by more than one of these functions, only one of them is applied, with the precedence being MAC-based, IP subnet-based, protocol-based, and then native port-based (see the switchport priority default command).
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Table 83: GVRP and Bridge Extension Commands
Command                   Function                                                  Mode
bridge-ext gvrp           Enables GVRP globally for the switch                      GC
garp timer                Sets the GARP timer for the selected function             IC
switchport forbidden vlan Configures forbidden VLANs for an interface               IC
switchport gvrp           Enables GVRP for an interface                             IC
show bridge-ext           Shows the global bridge extension configuration           PE
show garp timer           Shows the GARP timer for the selected function            NE, PE
show gvrp configuration   Displays GVRP configuration for the selected interface    NE, PE
bridge-ext gvrp
This command enables GVRP globally for the switch. Use the no form to disable it.
Syntax
[ no ] bridge-ext gvrp
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.
Example
Console(config)#bridge-ext gvrp
Console(config)#
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer { join | leave | leaveall } timer-value
no garp timer { join | leave | leaveall }
{ join | leave | leaveall } - Timer to set.
timer-value - Value of timer.
Ranges:
join: 20-1000 centiseconds
leave: 60-3000 centiseconds
leaveall: 500-18000 centiseconds
Default Setting
join: 20 centiseconds
leave: 60 centiseconds
leaveall: 1000 centiseconds
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN. The default values for the GARP timers are independent of the media access method or data rate. These values should not be changed unless you are experiencing difficulties with GMRP or GVRP registration/deregistration.
◆ Timer values are applied to GVRP for all the ports on all VLANs.
◆ Timer values must meet the following restrictions:
■ leave > (2 x join)
■ leaveall > leave
Note: Set GVRP timers on all Layer 2 devices connected in the same network to the same values. Otherwise, GVRP may not operate successfully.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#garp timer join 100
Console(config-if)#
Related Commands
show garp timer (398)
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan { add vlan-list | remove vlan-list }
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4093)
Default Setting
No VLANs are included in the forbidden list.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command prevents a VLAN from being automatically added to the specified interface via GVRP.
◆ If a VLAN has been added to the set of allowed VLANs for an interface, then you cannot add it to the set of forbidden VLANs for that same interface.
◆ GVRP cannot be enabled for ports set to Access mode (see the switchport mode command).
Example
The following example shows how to prevent port 1 from being added to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport forbidden vlan add 3
Console(config-if)#
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[ no ] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#
show bridge-ext
This command shows the configuration for bridge extension commands.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show bridge-ext
Maximum Supported VLAN Numbers : 256
Maximum Supported VLAN ID : 4093
Extended Multicast Filtering Services : No
Static Entry Individual Port : Yes
VLAN Version Number : 2
VLAN Learning : IVL
Configurable PVID Tagging : Yes
Local VLAN Capable : No
Traffic Classes : Enabled
Global GVRP Status : Disabled
GMRP : Disabled
Console#
Table 84: show bridge-ext - display description
Field                                 Description
Maximum Supported VLAN Numbers        The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID             The maximum configurable VLAN identifier supported on this switch.
Extended Multicast Filtering Services This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Static Entry Individual Port          This switch allows static filtering for unicast and multicast addresses. (Refer to the mac-address-table static command.)
VLAN Learning                         This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.
Configurable PVID Tagging             This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to the switchport allowed vlan command.)
Local VLAN Capable                    This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
Traffic Classes                       This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service Commands” on page 429.)
Global GVRP Status                    GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This field shows if GVRP is globally enabled or disabled. (Refer to the bridge-ext gvrp command.)
show garp timer
This command shows the GARP timers for the selected interface.
Syntax
show garp timer [ interface ]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Default Setting
Shows all GARP timers.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP timer status:
Join Timer: 20 centiseconds
Leave Timer: 60 centiseconds
Leaveall Timer: 1000 centiseconds
Console#
Related Commands
garp timer (395)
show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [ interface ]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Default Setting
Shows both global and interface-specific configuration.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show gvrp configuration ethernet 1/7
Eth 1/ 7:
GVRP Configuration : Disabled
Console#
Editing VLAN Groups
Table 85: Commands for Editing VLAN Groups
Command        Function                                                    Mode
vlan database  Enters VLAN database mode to add, change, and delete VLANs  GC
vlan           Configures a VLAN, including VID, name and state            VC
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
◆ Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN. The results of these commands are written to the running-configuration file, and you can display this file by entering the show running-config command.
Example
Console(config)#vlan database
Console(config-vlan)#
Related Commands
show vlan (408)
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
Syntax
vlan vlan-id [ name vlan-name ] media ethernet [ state { active | suspend }] [ rspan ]
no vlan vlan-id [ name | state ]
vlan-id - VLAN ID. (Range: 1-4093)
name - Keyword to be followed by the VLAN name.
vlan-name - ASCII string from 1 to 32 characters.
media ethernet - Ethernet media type.
state - Keyword to be followed by the VLAN state.
active - VLAN is operational.
suspend - VLAN is suspended. Suspended VLANs do not pass packets.
rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands” on page 336.
Default Setting
By default only VLAN 1 exists and is active.
Command Mode
VLAN Database Configuration
Command Usage
◆ no vlan vlan-id deletes the VLAN.
◆ no vlan vlan-id name removes the VLAN name.
◆ no vlan vlan-id state returns the VLAN to the default state (i.e., active).
◆ You can configure up to 256 VLANs on the switch.
Note: The switch allows 256 user-manageable VLANs.
Example
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
Console(config)#vlan database
Console(config-vlan)#vlan 105 name RD5 media ethernet
Console(config-vlan)#
Related Commands
show vlan (408)
Configuring VLAN Interfaces
Table 86: Commands for Configuring VLAN Interfaces
Command                           Function                                                  Mode
interface vlan                    Enters interface configuration mode for a specified VLAN  IC
switchport acceptable-frame-types Configures frame types to be accepted by an interface     IC
switchport allowed vlan           Configures the VLANs associated with an interface         IC
switchport forbidden vlan         Configures forbidden VLANs for an interface               IC
switchport gvrp                   Enables GVRP for an interface                             IC
switchport ingress-filtering      Enables ingress filtering on an interface                 IC
switchport mode                   Configures VLAN membership mode for an interface          IC
switchport native vlan            Configures the PVID (native VLAN) of an interface         IC
switchport priority default       Sets a port priority for incoming untagged frames         IC
vlan-trunking                     Allows unknown VLANs to cross the switch                  IC
interface vlan
This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Use the no form to change a Layer 3 normal VLAN back to a Layer 2 interface.
Syntax
[ no ] interface vlan vlan-id
vlan-id - ID of the configured VLAN. (Range: 1-4093)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Creating a “normal” VLAN with the vlan command initializes it as a Layer 2 interface. To change it to a Layer 3 interface, use the interface command to enter interface configuration for the desired VLAN, enter any Layer 3 configuration commands, and save the configuration settings.
◆ To change a Layer 3 normal VLAN back to a Layer 2 VLAN, use the no interface command.
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (300)
interface (294)
vlan (400)
switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types { all | tagged }
no switchport acceptable-frame-types
all - The port accepts all frames, tagged or untagged.
tagged - The port only receives tagged frames.
Default Setting
All frame types
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When set to receive all frame types, any received frames that are untagged are assigned to the default VLAN.
Example
The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#
Related Commands
switchport mode (405)
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan { add vlan-list [ tagged | untagged ] | remove vlan-list }
no switchport allowed vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4093)
Default Setting
All ports are assigned to VLAN 1 by default.
The default frame type is untagged.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If a port or trunk has switchport mode set to access , then only one VLAN can be added with this command. If a VLAN list is specified, only the last VLAN in the list will be added to the interface.
◆ A port, or a trunk with switchport mode set to hybrid , must be assigned to at least one VLAN as untagged.
◆ If a trunk has switchport mode set to trunk (i.e., 1Q Trunk), then you can only assign an interface to VLAN groups as a tagged member.
◆ Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
◆ If none of the intermediate network devices nor the host at the other end of the connection supports VLANs, the interface should be added to these VLANs as an untagged member. Otherwise, it is only necessary to add at most one VLAN as untagged, and this should correspond to the native VLAN for the interface.
◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#
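The vlan-list format (comma-separated IDs with no spaces, hyphen for a range, 1-4093) and the interaction rules between the allowed and forbidden lists are spread over the switchport forbidden vlan and switchport allowed vlan descriptions. The following Python module is an added example, not part of this guide or the switch software: it parses a vlan-list and models one interface's allowed and forbidden sets under the rules both commands state (a VLAN already allowed cannot be forbidden, a manual add removes the VLAN from the forbidden list, an access port keeps only the last VLAN of a list, a 1Q trunk joins VLANs only as a tagged member). Class and method names are this example's own; that an access port's new VLAN replaces its previous one is an assumption the guide does not state.

```python
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 4093   # vlan-list range given in this chapter


def parse_vlan_list(text: str) -> List[int]:
    """Parse a vlan-list as the guide defines it: IDs separated by commas with no
    spaces, a hyphen for a range, every ID within 1-4093. Order is preserved
    because an access port keeps only the last entry of a list."""
    if not text or " " in text:
        raise ValueError("vlan-list must be non-empty and contain no spaces")
    ids: List[int] = []
    for item in text.split(","):
        if "-" in item:
            lo, hi = (int(part) for part in item.split("-", 1))
        else:
            lo = hi = int(item)
        if lo > hi:
            raise ValueError(f"descending range {item!r}")
        for vid in range(lo, hi + 1):
            if not VLAN_MIN <= vid <= VLAN_MAX:
                raise ValueError(f"VLAN {vid} outside {VLAN_MIN}-{VLAN_MAX}")
            ids.append(vid)
    return ids


class SwitchportVlans:
    """Allowed/forbidden VLAN state of one interface, applying the usage rules of
    switchport allowed vlan and switchport forbidden vlan. Defaults follow the
    guide: hybrid mode, member of VLAN 1 untagged, empty forbidden list."""

    def __init__(self, mode: str = "hybrid") -> None:
        if mode not in ("access", "hybrid", "trunk"):
            raise ValueError(f"unknown switchport mode {mode!r}")
        self.mode = mode
        self.allowed: Dict[int, str] = {1: "untagged"}   # vid -> "tagged" | "untagged"
        self.forbidden: Set[int] = set()

    def allowed_add(self, vlan_list: str, tagging: str = "untagged") -> List[int]:
        """switchport allowed vlan add vlan-list [tagged|untagged]; returns the VIDs applied."""
        if tagging not in ("tagged", "untagged"):
            raise ValueError("tagging must be 'tagged' or 'untagged'")
        ids = parse_vlan_list(vlan_list)
        if self.mode == "trunk" and tagging == "untagged":
            # a 1Q trunk joins VLAN groups only as a tagged member
            raise ValueError("trunk mode: VLANs can only be added as tagged")
        if self.mode == "access":
            # only one VLAN on an access port: a list collapses to its last entry,
            # and (this example's assumption) it replaces the previous access VLAN
            ids = ids[-1:]
            self.allowed.clear()
        for vid in ids:
            self.allowed[vid] = tagging
            self.forbidden.discard(vid)   # a manual add clears the VLAN from the forbidden list
        return ids

    def allowed_remove(self, vlan_list: str) -> None:
        """switchport allowed vlan remove vlan-list"""
        for vid in parse_vlan_list(vlan_list):
            self.allowed.pop(vid, None)

    def forbidden_add(self, vlan_list: str) -> None:
        """switchport forbidden vlan add vlan-list: refused for VLANs already allowed here."""
        ids = parse_vlan_list(vlan_list)
        clash = sorted(vid for vid in ids if vid in self.allowed)
        if clash:
            raise ValueError(f"already in the allowed set on this interface: {clash}")
        self.forbidden.update(ids)

    def forbidden_remove(self, vlan_list: str) -> None:
        """switchport forbidden vlan remove vlan-list"""
        self.forbidden.difference_update(parse_vlan_list(vlan_list))
```

Replaying a planned configuration through this model before typing it in shows which lines the switch would reject (a forbidden entry for an allowed VLAN) and which silently change state (an add that drops a VLAN off the forbidden list), which is the kind of drift a GVRP-exposed port should be checked for.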
switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
Syntax
[ no ] switchport ingress-filtering
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Ingress filtering only affects tagged frames.
◆ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
◆ If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
◆ Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STA. However, they do affect VLAN dependent BPDU frames, such as GMRP.
Example
The following example shows how to set the interface to port 1 and then enable ingress filtering:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport ingress-filtering
Console(config-if)#
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode { access | hybrid | trunk }
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
Default Setting
Hybrid mode, with the PVID set to VLAN 1.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Access mode is mutually exclusive with VLAN trunking (see the vlan-trunking command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
Example
The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport mode hybrid
Console(config-if)#
Related Commands
switchport acceptable-frame-types (403)
switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port. (Range: 1-4093)
Default Setting
VLAN 1
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN. When using Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.
◆ If acceptable frame types is set to all or switchport mode is set to hybrid, the PVID will be inserted into all untagged frames entering the ingress port.
Example
The following example shows how to set the PVID for port 1 to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#
vlan-trunking
This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature.
Syntax
[ no ] vlan-trunking
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Use this command to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong.
The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
Figure 3: Configuring VLAN Trunking
Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see the switchport mode command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
◆ If both VLAN trunking and ingress filtering are disabled on an interface, packets with unknown VLAN tags will still be allowed to enter this interface and will be flooded to all other ports where VLAN trunking is enabled. (In other words, VLAN trunking will still be effectively enabled for the unknown VLAN).
Example
The following example enables VLAN trunking on ports 27 and 28 to establish a path across the switch for unknown VLAN groups:
Console(config)#interface ethernet 1/27
Console(config-if)#vlan-trunking
Console(config-if)#interface ethernet 1/28
Console(config-if)#vlan-trunking
Console(config-if)#
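Four of the commands above (switchport acceptable-frame-types, switchport native vlan, switchport ingress-filtering and vlan-trunking) together decide what happens to a frame at ingress, and the outcome for an unknown or non-member VLAN depends on the combination. The following Python module is an added example, not part of this guide or the switch software: it models one port's ingress settings with the guide's defaults and classifies an arriving frame by the rules in the Command Usage sections above. Class and function names are this example's own. The guide does not spell out the case of VLAN trunking and ingress filtering both enabled for an unknown VLAN; this example lets trunking pass the frame, which is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class PortVlanPolicy:
    """Ingress-side VLAN settings of one port, named after the commands in this
    chapter. Defaults are the guide's: hybrid port, all frame types accepted,
    PVID 1, ingress filtering off, VLAN trunking off, member of VLAN 1 only."""
    acceptable_frame_types: str = "all"   # switchport acceptable-frame-types {all|tagged}
    pvid: int = 1                         # switchport native vlan
    ingress_filtering: bool = False       # switchport ingress-filtering
    vlan_trunking: bool = False           # vlan-trunking
    members: Set[int] = field(default_factory=lambda: {1})  # switchport allowed vlan
    forbidden: Set[int] = field(default_factory=set)        # switchport forbidden vlan


def classify_ingress(port: PortVlanPolicy, tag_vid: Optional[int],
                     known_vlans: Set[int]) -> Tuple[str, Optional[int]]:
    """Decide the fate of one frame arriving on `port`.

    tag_vid is None for an untagged frame, otherwise the VID from its 802.1Q tag;
    known_vlans is the set of VLANs created in vlan database mode on this switch.
    Returns (action, vlan) with action one of:
      "forward"      - member VLAN (or the PVID assigned to an untagged frame)
      "flood"        - non-member but known VLAN, let in because filtering is off
      "pass-unknown" - VLAN unknown to this switch, carried on towards trunking ports
      "discard"      - dropped at ingress
    """
    if tag_vid is None:
        if port.acceptable_frame_types == "tagged":
            return ("discard", None)            # port accepts tagged frames only
        return ("forward", port.pvid)           # untagged frames receive the PVID
    if tag_vid in port.members:
        return ("forward", tag_vid)
    if tag_vid in port.forbidden:
        return ("discard", tag_vid)             # explicitly forbidden on this port
    if tag_vid not in known_vlans:
        # Unknown VLAN: trunking passes it on; with trunking off the guide still
        # lets it in and floods it to trunking ports unless ingress filtering drops
        # it. Trunking winning over ingress filtering is this example's assumption.
        if port.vlan_trunking or not port.ingress_filtering:
            return ("pass-unknown", tag_vid)
        return ("discard", tag_vid)
    if port.ingress_filtering:
        return ("discard", tag_vid)             # known VLAN, not a member, filtering on
    return ("flood", tag_vid)                   # known VLAN, not a member, filtering off


def ingress_review(port: PortVlanPolicy) -> List[str]:
    """Settings a reviewer would note on a port that is not meant to carry transit VLANs."""
    notes: List[str] = []
    if not port.ingress_filtering:
        notes.append("ingress filtering off: tagged frames for non-member VLANs are flooded")
    if port.vlan_trunking:
        notes.append("vlan-trunking on: frames for VLANs unknown to this switch pass through")
    if port.acceptable_frame_types == "all" and port.pvid == 1:
        notes.append("untagged frames land in VLAN 1 (default PVID)")
    return notes
```

Running ingress_review over the ports of a switch is a quick way to find end-station ports that still have the factory defaults, where a tagged frame for a VLAN the port is not a member of is flooded rather than dropped.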
Displaying VLAN Information
This section describes commands used to display VLAN information.
Table 87: Commands for Displaying VLAN Information
Command                     Function                                                       Mode
show interfaces status vlan Displays status for the specified VLAN interface               NE, PE
show interfaces switchport  Displays the administrative and operational status of an interface  NE, PE
show vlan                   Shows VLAN information                                         NE, PE
show vlan
This command shows VLAN information.
Syntax
show vlan [ id vlan-id | name vlan-name ]
id - Keyword to be followed by the VLAN ID.
vlan-id - ID of the configured VLAN. (Range: 1-4093)
name - Keyword to be followed by the VLAN name.
vlan-name - ASCII string from 1 to 32 characters.
Default Setting
Shows all VLANs.
Command Mode
Normal Exec, Privileged Exec
Example
The following example shows how to display information for VLAN 1:
Console#show vlan id 1
VLAN ID: 1
Type: Static
Name: DefaultVlan
Status: Active
Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
Eth1/21(S) Eth1/22(S) Eth1/23(S) Eth1/24(S) Eth1/25(S)
Eth1/26(S) Eth1/27(S) Eth1/28(S)
Console#
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs. QinQ tunneling expands VLAN space by using a VLAN-in-VLAN hierarchy, preserving the customer’s original tagged packets, and adding SPVLAN tags to each frame (also called double tagging).
This section describes commands used to configure QinQ tunneling.
Table 88: 802.1Q Tunneling Commands
Command                            Function                                                        Mode
dot1q-tunnel system-tunnel-control Configures the switch to operate in normal mode or QinQ mode    GC
dot1q-tunnel tpid                  Sets the Tag Protocol Identifier (TPID) value of a tunnel port  GC
switchport dot1q-tunnel mode       Configures an interface as a QinQ tunnel port                   IC
show dot1q-tunnel                  Displays the configuration of QinQ tunnel ports                 PE
show interfaces switchport         Displays port QinQ operational status                           PE
General Configuration Guidelines for QinQ
1. Configure the switch to QinQ mode (dot1q-tunnel system-tunnel-control).
2. Create a SPVLAN (vlan).
3. Configure the QinQ tunnel access port to dot1Q-tunnel access mode (switchport dot1q-tunnel mode).
4. Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See dot1q-tunnel tpid.)
5. Configure the QinQ tunnel access port to join the SPVLAN as an untagged member (switchport allowed vlan).
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
◆ IGMP Snooping should not be enabled on a tunnel access port.
◆ If the spanning tree protocol is enabled, be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree. It is therefore advisable to disable spanning tree on these ports.
dot1q-tunnel system-tunnel-control
This command sets the switch to operate in QinQ mode. Use the no form to disable QinQ operating mode.
Syntax
[ no ] dot1q-tunnel system-tunnel-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#
Related Commands
show dot1q-tunnel (413)
show interfaces switchport (305)
dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value for all ports. Use the no form to restore the default setting.
Syntax
dot1q-tunnel tpid tpid
no dot1q-tunnel tpid
tpid - Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (Range: 0800-FFFF hexadecimal)
Default Setting
0x8100
Command Mode
Global Configuration
Command Usage
◆ Use the dot1q-tunnel tpid command to set a custom 802.1Q ethertype value on all ports. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, if 0x1234 is set as the custom 802.1Q ethertype on a trunk port, incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port.
◆ The specified ethertype is set for all ports, including Uplink and Access tunnel ports (using the switchport dot1q-tunnel mode command), as well as normal ports that are not participating in any tunnel. However, the specified ethertype is only processed for ports configured in Uplink mode. If the port is in Access tunnel mode, received packets are processed as untagged packets.
◆ Avoid using well-known ethertypes for the TPID unless you can eliminate all side effects. For example, setting the TPID to 0800 hexadecimal (which is used for IPv4) will interfere with management access through the web interface.
Example
Console(config)#dot1q-tunnel tpid 9100
Console(config)#
Related Commands
show interfaces switchport (305)
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode { access | uplink }
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ QinQ tunneling must be enabled on the switch using the dot1q-tunnel system-tunnel-control command before the switchport dot1q-tunnel mode interface command can take effect.
◆ When a tunnel uplink port receives a packet from a customer, the customer tag (regardless of whether there are one or more tag layers) is retained as the inner tag, and the service provider’s tag is added as the outer tag.
◆ When a tunnel uplink port receives a packet from the service provider, the outer service provider’s tag is stripped off, and the packet is passed on to the VLAN indicated by the inner tag. If no inner tag is found, the packet is passed on to the native VLAN defined for the uplink port.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#
Related Commands
show dot1q-tunnel (413)
show interfaces switchport (305)
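The tag handling described for the dot1q-tunnel tpid and switchport dot1q-tunnel mode commands can be checked against raw frames. The following is an added example, not code from this guide or from the switch vendor: a small Python model of the behaviour the two commands describe. The frames, MAC addresses and VLAN IDs are constructed, and the model assumes that the customer's inner tag uses the standard 0x8100 ethertype.

```python
"""Added example (not the switch's own code): a model of the 802.1Q / QinQ tag
handling this guide describes for dot1q-tunnel tpid and switchport
dot1q-tunnel mode. All frames, addresses and VLAN IDs are constructed."""
import struct

STD_TPID = 0x8100     # the standard 802.1Q ethertype, the switch's default TPID
CUSTOM_TPID = 0x9100  # the custom TPID from the guide's "dot1q-tunnel tpid 9100" example


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build a raw Ethernet frame. `tags` lists (tpid, vid) pairs, outermost
    first; PCP/DEI bits are left at zero. Constructed helper for the example."""
    hdr = dst + src
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ingress_vid(frame, tpid, native_vid):
    """Classify a received frame as the guide describes for a port whose TPID is
    `tpid`: if the first ethertype equals the TPID the frame is tagged and the
    VID in that tag is used; any other ethertype is treated as untagged and the
    frame goes to the port's native VLAN. Returns (vid, tagged)."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == tpid:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, True
    return native_vid, False


def uplink_push(frame, tpid, sp_vid):
    """Customer-to-provider direction at a tunnel uplink port: whatever tags the
    customer frame carries stay in place as inner tags, and the service
    provider tag is inserted as the outer tag right after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", tpid, sp_vid & 0x0FFF) + frame[12:]


def uplink_pop(frame, tpid, native_vid, inner_tpid=STD_TPID):
    """Provider-to-customer direction: strip the outer provider tag and return
    (inner_frame, vid), where vid comes from the inner tag, or is the uplink
    port's native VLAN when there is no inner tag. The inner tag is assumed to
    use the standard 0x8100 ethertype (an assumption of this model)."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != tpid:
        raise ValueError("frame from the provider side has no outer tag")
    inner = frame[:12] + frame[16:]
    vid, _ = ingress_vid(inner, inner_tpid, native_vid)
    return inner, vid


# Constructed sample frames: a customer frame tagged with VLAN 100 and an untagged one.
DST = bytes.fromhex("0011223344aa")
SRC = bytes.fromhex("0011223344bb")
IPV4_STUB = b"\x45" + b"\x00" * 19
CUSTOMER_TAGGED = build_frame(DST, SRC, 0x0800, IPV4_STUB, tags=[(STD_TPID, 100)])
CUSTOMER_UNTAGGED = build_frame(DST, SRC, 0x0800, IPV4_STUB)

if __name__ == "__main__":
    # With the custom TPID in force, a standard 0x8100 tag is not recognised: native VLAN.
    print(ingress_vid(CUSTOMER_TAGGED, CUSTOM_TPID, native_vid=1))   # (1, False)
    # The uplink pushes provider VLAN 50 as the outer tag, keeping the customer's tag inside.
    double = uplink_push(CUSTOMER_TAGGED, CUSTOM_TPID, 50)
    print(ingress_vid(double, CUSTOM_TPID, native_vid=1))            # (50, True)
    # Coming back from the provider, the outer tag is removed and VLAN 100 is restored.
    print(uplink_pop(double, CUSTOM_TPID, native_vid=1)[1])          # 100
```

The first print illustrates the side effect the tpid section warns about: once a non-standard TPID is configured, ordinary 0x8100-tagged frames are no longer seen as tagged and land in the native VLAN.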
show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Command Mode
Privileged Exec
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
Current double-tagged status of the system is Enabled
The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
The dot1q-tunnel mode of the set interface 1/2 is Uplink mode, TPID is 0x8100.
The dot1q-tunnel mode of the set interface 1/3 is Normal mode, TPID is 0x8100.
Related Commands
switchport dot1q-tunnel mode (412)
Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
To avoid these problems, you can configure this switch with protocol-based VLANs that divide the physical network into logical VLAN groups for each required protocol. When a frame is received at a port, its VLAN membership can then be determined based on the protocol type in use by the inbound packets.
Table 89: Protocol-based VLAN Commands
Command                                        Function                                                                     Mode
protocol-vlan protocol-group                   Create a protocol group, specifying the supported protocols                  GC
protocol-vlan protocol-group                   Maps a protocol group to a VLAN                                              IC
show protocol-vlan protocol-group              Shows the configuration of protocol groups                                   PE
show interfaces protocol-vlan protocol-group   Shows the interfaces mapped to a protocol group and the corresponding VLAN   PE
To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 400). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
2. Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol-vlan protocol-group command (Global Configuration mode).
3. Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode).
protocol-vlan protocol-group
(Configuring Groups)
This command creates a protocol group, or adds specific protocols to an existing group. Use the no form to remove a protocol group.
Syntax
protocol-vlan protocol-group group-id [{ add | remove } frame-type frame protocol-type protocol ]
no protocol-vlan protocol-group group-id
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
frame (see note 11) - Frame type used by this protocol. (Options: ethernet, rfc_1042, llc_other)
protocol - Protocol type. The only option for the llc_other frame type is ipx_raw. The options for all other frame types include: arp, ip, ipv6, rarp.
Default Setting
No protocol groups are configured.
Command Mode
Global Configuration
Example
The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types:
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#
11. SNAP frame types are not supported by this switch due to hardware limitations.
protocol-vlan protocol-group
(Configuring Interfaces)
This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface.
Syntax
protocol-vlan protocol-group group-id vlan vlan-id
no protocol-vlan protocol-group group-id vlan
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
vlan-id - VLAN to which matching protocol traffic is forwarded. (Range: 1-4093)
Default Setting
No protocol groups are mapped for any interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner:
■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
Example
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#
show protocol-vlan protocol-group
This command shows the frame and protocol type associated with protocol groups.
Syntax
show protocol-vlan protocol-group [ group-id ]
group-id - Group identifier for a protocol group. (Range: 1-2147483647)
Default Setting
All protocol groups are displayed.
Command Mode
Privileged Exec
Example
This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
Protocol Group ID Frame Type Protocol Type
------------------ ------------- ---------------
1 ethernet 08 00
Console#
show interfaces protocol-vlan protocol-group
This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Syntax
show interfaces protocol-vlan protocol-group [ interface ]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-12)
Default Setting
The mapping for all interfaces is displayed.
Command Mode
Privileged Exec
Example
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
Port ProtocolGroup ID VLAN ID
---------- ------------------ -----------
Eth 1/1 1 vlan2
Console#
Configuring IP Subnet VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table. If an entry is found for that subnet, the frame is assigned to the VLAN indicated in the entry. If no IP subnet is matched, the untagged frame is classified as belonging to the receiving port’s VLAN ID (PVID).
Table 90: IP Subnet VLAN Commands
Command            Function                        Mode
subnet-vlan        Defines the IP Subnet VLANs     GC
show subnet-vlan   Displays IP Subnet VLAN settings   PE
subnet-vlan
This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.
Syntax
subnet-vlan subnet ip-address mask vlan vlan-id [ priority priority ]
no subnet-vlan subnet { ip-address mask | all }
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
vlan-id – VLAN to which matching IP subnet traffic is forwarded. (Range: 1-4093)
priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority)
Default Setting
Priority: 0
Command Mode
Global Configuration
Command Usage
◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a subnet mask. The specified VLAN need not be an existing VLAN.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
◆ The IP subnet cannot be a broadcast or multicast IP address.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
Example
The following example assigns traffic for the subnet 192.168.12.192, mask 255.255.255.224, to VLAN 4.
Console(config)#subnet-vlan subnet 192.168.12.192 255.255.255.224 vlan 4
Console(config)#
show subnet-vlan
This command displays IP Subnet VLAN assignments.
Command Mode
Privileged Exec
Command Usage
◆ Use this command to display subnet-to-VLAN mappings.
◆ The last matched entry is used if more than one entry can be matched.
Example
The following example displays all configured IP subnet-based VLANs.
Console#show subnet-vlan
IP Address Mask VLAN ID Priority
--------------- --------------- ------- --------
192.168.12.0 255.255.255.128 1 0
192.168.12.128 255.255.255.192 3 0
192.168.12.192 255.255.255.224 4 0
192.168.12.224 255.255.255.240 5 0
192.168.12.240 255.255.255.248 6 0
192.168.12.248 255.255.255.252 7 0
192.168.12.252 255.255.255.254 8 0
192.168.12.254 255.255.255.255 9 0
192.168.12.255 255.255.255.255 10 0
Console#
Configuring MAC Based VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table. If an entry is found for that address, the frame is assigned to the VLAN indicated in the entry. If no MAC address is matched, the untagged frame is classified as belonging to the receiving port’s VLAN ID (PVID).
Table 91: MAC Based VLAN Commands
Command         Function                                   Mode
mac-vlan        Defines the MAC address-to-VLAN mappings   GC
show mac-vlan   Displays MAC address-to-VLAN settings      PE
mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
Syntax
mac-vlan mac-address mac-address vlan vlan-id [ priority priority ]
no mac-vlan mac-address { mac-address | all }
mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
vlan-id – VLAN to which the matching source MAC address traffic is forwarded. (Range: 1-4093)
priority – The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The MAC-to-VLAN mapping applies to all ports on the switch.
◆ Source MAC addresses can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, or protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
Example
The following example assigns traffic from source MAC address 00-00-00-11-22-33 to VLAN 10.
Console(config)#mac-vlan mac-address 00-00-00-11-22-33 vlan 10
Console(config)#
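The protocol-based, IP subnet-based and MAC-based VLAN sections each state the same precedence rule for untagged frames: MAC-based first, then IP subnet-based, then protocol-based, with the port's PVID last, and the subnet section adds that the last matching subnet entry wins. The following is an added example, not code from this guide or from the switch vendor: a Python model of that classification order, configured with the guide's own command examples plus one constructed overlapping subnet entry. The ARP, RARP and IPv6 ethertype values are the standard IEEE-assigned ones; the port names and sample frames are constructed.

```python
"""Added example (not the switch's own code): a model of the untagged-frame
VLAN classification order this guide states for MAC-based, IP subnet-based
and protocol-based VLANs, with port-based (PVID) classification last."""
import ipaddress

# Ethertypes for the protocol names accepted by protocol-vlan protocol-group.
# 0x0800 (ip) matches the "08 00" shown by show protocol-vlan protocol-group;
# the other three are the standard IEEE-assigned values.
ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035, "ipv6": 0x86DD}


class VlanClassifier:
    def __init__(self, pvid_by_port):
        self.pvid = dict(pvid_by_port)   # port -> PVID (port-based fallback)
        self.mac_vlan = {}               # mac-vlan: source MAC -> (vid, priority), all ports
        self.subnet_vlan = []            # subnet-vlan: [(network, vid, priority)] in config order
        self.protocol_groups = {}        # group-id -> {(frame_type, protocol)}
        self.port_protocol_map = {}      # (port, group-id) -> vid (interface-mode command)

    def add_mac_vlan(self, mac, vid, priority=0):
        """mac-vlan mac-address ... vlan ...: only unicast sources are allowed."""
        octets = bytes.fromhex(mac.replace("-", ""))
        if octets[0] & 0x01:
            raise ValueError("MAC-based VLAN source must be a unicast address")
        self.mac_vlan[octets] = (vid, priority)

    def add_subnet_vlan(self, ip, mask, vid, priority=0):
        """subnet-vlan subnet ip mask vlan ...: broadcast/multicast subnets are rejected."""
        addr = ipaddress.IPv4Address(ip)
        if addr.is_multicast or ip == "255.255.255.255":
            raise ValueError("subnet cannot be a broadcast or multicast address")
        self.subnet_vlan.append((ipaddress.IPv4Network((ip, mask), strict=False), vid, priority))

    def add_protocol_group(self, group_id, frame_type, protocol):
        """protocol-vlan protocol-group <id> add frame-type ... protocol-type ... (global mode)."""
        self.protocol_groups.setdefault(group_id, set()).add((frame_type, protocol))

    def map_protocol_group(self, port, group_id, vid):
        """protocol-vlan protocol-group <id> vlan <vid> (interface mode)."""
        self.port_protocol_map[(port, group_id)] = vid

    def classify(self, port, frame):
        """frame: dict with 'src_mac' (bytes), 'ethertype', optional 'src_ip', and an
        optional 'vid' when the frame arrived tagged. Returns (vid, priority, reason)."""
        if frame.get("vid") is not None:          # tagged frames follow the normal tag rules
            return frame["vid"], frame.get("pcp", 0), "802.1Q tag"
        hit = self.mac_vlan.get(frame["src_mac"])  # 1. MAC-based VLAN
        if hit:
            return hit[0], hit[1], "mac-vlan"
        src_ip = frame.get("src_ip")               # 2. IP subnet-based VLAN, last match wins
        if src_ip is not None:
            addr = ipaddress.IPv4Address(src_ip)
            for net, vid, prio in reversed(self.subnet_vlan):
                if addr in net:
                    return vid, prio, "subnet-vlan"
        for (p, gid), vid in self.port_protocol_map.items():   # 3. protocol-based VLAN
            if p != port:
                continue
            for frame_type, proto in self.protocol_groups.get(gid, ()):
                if frame_type == "ethernet" and ETHERTYPES.get(proto) == frame["ethertype"]:
                    return vid, 0, "protocol-vlan group %d" % gid
        return self.pvid[port], 0, "pvid"          # 4. port-based VLAN


def build_sample_classifier():
    """Constructed configuration that mirrors the guide's command examples."""
    c = VlanClassifier({"eth1/1": 1, "eth1/2": 1})
    c.add_mac_vlan("00-00-00-11-22-33", 10)                    # mac-vlan example
    c.add_subnet_vlan("192.168.12.0", "255.255.255.0", 20)      # constructed: the whole /24
    c.add_subnet_vlan("192.168.12.192", "255.255.255.224", 4)   # subnet-vlan example, configured later
    c.add_protocol_group(1, "ethernet", "ip")                  # protocol-group example
    c.add_protocol_group(1, "ethernet", "arp")
    c.map_protocol_group("eth1/1", 1, 2)                       # protocol-vlan ... vlan 2 example
    return c


if __name__ == "__main__":
    c = build_sample_classifier()
    print(c.classify("eth1/1", {"src_mac": bytes.fromhex("000000112233"), "ethertype": 0x0800,
                                "src_ip": "192.168.12.200"}))   # (10, 0, 'mac-vlan')
    print(c.classify("eth1/1", {"src_mac": bytes.fromhex("00aabb000001"), "ethertype": 0x0800,
                                "src_ip": "192.168.12.200"}))   # (4, 0, 'subnet-vlan')
```

The second print shows why overlapping subnet entries deserve care: both the /24 and the /27 match 192.168.12.200, and the entry configured last decides the VLAN.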
show mac-vlan
This command displays MAC address-to-VLAN assignments.
Command Mode
Privileged Exec
Command Usage
Use this command to display MAC address-to-VLAN mappings.
Example
The following example displays all configured MAC address-based VLANs.
Console#show mac-vlan
MAC Address VLAN ID Priority
----------------- -------- --------
00-00-00-11-22-33 10 0
Console#
Configuring Voice VLANs
The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
Table 92: Voice VLAN Commands
Command                          Function                                                      Mode
voice vlan                       Defines the Voice VLAN ID                                     GC
voice vlan aging                 Configures the aging time for Voice VLAN ports                GC
voice vlan mac-address           Configures VoIP device MAC addresses                          GC
switchport voice vlan            Sets the Voice VLAN port mode                                 IC
switchport voice vlan priority   Sets the VoIP traffic priority for ports                      IC
switchport voice vlan rule       Sets the automatic VoIP traffic detection method for ports    IC
switchport voice vlan security   Enables Voice VLAN security on ports                          IC
show voice vlan                  Displays Voice VLAN settings                                  PE
voice vlan
This command enables VoIP traffic detection and defines the Voice VLAN ID. Use the no form to disable the Voice VLAN.
Syntax
voice vlan voice-vlan-id
no voice vlan
voice-vlan-id - Specifies the voice VLAN ID. (Range: 1-4093)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single VLAN.
◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
◆ The Voice VLAN ID cannot be modified when the global auto-detection status is enabled (see the switchport voice vlan command).
Example
The following example enables VoIP traffic detection and specifies the Voice VLAN ID as 1234.
Console(config)#voice vlan 1234
Console(config)#
voice vlan aging
This command sets the Voice VLAN ID time out. Use the no form to restore the default.
Syntax
voice vlan aging minutes
no voice vlan
minutes - Specifies the port Voice VLAN membership time out. (Range: 5-43200 minutes)
Default Setting
1440 minutes
Command Mode
Global Configuration
Command Usage
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port.
The VoIP aging time starts to count down when the OUI’s MAC address expires from the MAC address table. Therefore, the MAC address aging time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from the voice VLAN when VoIP traffic is no longer received on the port. Alternatively, if you clear the MAC address table manually, then the switch will also start counting down the voice VLAN aging time.
Example
The following example configures the Voice VLAN aging time as 3000 minutes.
Console(config)#voice vlan aging 3000
Console(config)#
voice vlan mac-address
This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
Syntax
voice vlan mac-address mac-address mask mask-address [ description description ]
no voice vlan mac-address mac-address mask mask-address
mac-address - Defines a MAC address OUI that identifies VoIP devices in the network. (For example, 01-23-45-00-00-00)
mask-address - Identifies a range of MAC addresses. (Range: 80-00-00-00-00-00 to FF-FF-FF-FF-FF-FF)
description - User-defined text that identifies the VoIP devices. (Range: 1-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ VoIP devices attached to the switch can be identified by the manufacturer’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to manufacturers and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
◆ Selecting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range. Selecting FF-FF-FF-FF-FF-FF specifies a single MAC address.
Example
The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone
Console(config)#
switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
Syntax
switchport voice vlan { manual | auto }
no switchport voice vlan
manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
auto - The port will be added as a tagged member to the Voice VLAN when VoIP traffic is detected on the port.
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ When auto is selected, you must select the method to use for detecting VoIP traffic, either OUI or 802.1ab (LLDP) using the switchport voice vlan rule command. When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac-address command.
◆ All ports are set to VLAN hybrid mode by default. Prior to enabling VoIP for a port (by setting the VoIP mode to Auto or Manual as described below), ensure that VLAN membership is not set to access mode using the switchport mode command.
Example
The following example sets port 1 to Voice VLAN auto mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan auto
Console(config-if)#
switchport voice vlan priority
This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
Syntax
switchport voice vlan priority priority-value
no switchport voice vlan priority
priority-value - The CoS priority value. (Range: 0-6)
Default Setting
6
Command Mode
Interface Configuration
Command Usage
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
Example
The following example sets the CoS priority to 5 on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan priority 5
Console(config-if)#
switchport voice vlan rule
This command selects a method for detecting VoIP traffic on a port. Use the no form to disable the detection method on the port.
Syntax
[ no ] switchport voice vlan rule { oui | lldp }
oui - Traffic from VoIP devices is detected by the Organizationally Unique Identifier (OUI) of the source MAC address.
lldp - Uses LLDP to discover VoIP devices attached to the port.
Default Setting
OUI: Enabled
LLDP: Disabled
Command Mode
Interface Configuration
Command Usage
◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on.
See “LLDP Commands” on page 493 for more information on LLDP.
Example
The following example enables the OUI method on port 1 for detecting VoIP traffic.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan rule oui
Console(config-if)#
switchport voice vlan security
This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
Syntax
[ no ] switchport voice vlan security
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ Security filtering discards any non-VoIP packets received on the port that are tagged with the voice VLAN ID. VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list, or through LLDP that discovers VoIP devices attached to the switch. Packets received from non-VoIP sources are dropped.
◆ When enabled, be sure the MAC address ranges for VoIP devices are configured in the Telephony OUI list ( voice vlan mac-address ).
Example
The following example enables security filtering on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan security
Console(config-if)#
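The voice vlan mac-address, switchport voice vlan rule and switchport voice vlan security sections together define how a VoIP source is recognised and what the security filter does with everything else. The following is an added example, not code from this guide or from the switch vendor: a Python model of the OUI mask matching, of the LLDP telephone-bit check on the System Capabilities TLV, and of the security filter's accept/drop decision. The OUI list, the LLDPDU fragments and the packets are constructed; the TLV layout and the telephone capability bit (0x0020) are taken from IEEE 802.1AB, and the model checks that bit in both the supported and the enabled capability fields, which is an assumption about what "turned on" means.

```python
"""Added example (not the switch's own code): a model of Voice VLAN device
recognition (OUI mask matching and the LLDP telephone bit) and of the
switchport voice vlan security filter this guide describes."""
import struct

LLDP_TLV_SYSTEM_CAPABILITIES = 7   # TLV type from IEEE 802.1AB
LLDP_CAP_TELEPHONE = 0x0020        # telephone bit in the IEEE 802.1AB capabilities bitmap


def parse_mac(text):
    """Accept the xx-xx-xx-xx-xx-xx form used by the guide's commands."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def oui_match(src_mac, oui_list):
    """voice vlan mac-address semantics: an entry matches when the source MAC
    equals the entry's address on every bit set in its mask, so
    FF-FF-FF-00-00-00 matches a whole OUI and FF-FF-FF-FF-FF-FF one address.
    Returns the entry's description, or None."""
    for address, mask, description in oui_list:
        if all((s & m) == (a & m) for s, a, m in zip(src_mac, address, mask)):
            return description
    return None


def lldp_is_telephone(tlvs):
    """Walk an LLDPDU's TLVs (2-byte header: 7-bit type, 9-bit length) and report
    whether the System Capabilities TLV has the telephone bit both supported and
    enabled (this model's reading of the guide's "telephone bit is turned on")."""
    pos = 0
    while pos + 2 <= len(tlvs):
        hdr = struct.unpack("!H", tlvs[pos:pos + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        if tlv_type == 0:                       # End of LLDPDU
            break
        value = tlvs[pos + 2:pos + 2 + length]
        if tlv_type == LLDP_TLV_SYSTEM_CAPABILITIES and length == 4:
            capabilities, enabled = struct.unpack("!HH", value)
            return bool(capabilities & enabled & LLDP_CAP_TELEPHONE)
        pos += 2 + length
    return False


def voice_vlan_security(packet, voice_vid, oui_list, lldp_phones, rule_oui=True, rule_lldp=False):
    """switchport voice vlan security: a packet tagged with the Voice VLAN ID is
    forwarded only if its source is a recognised VoIP device under the enabled
    detection rule(s); any other packet tagged with that VID is dropped.
    Packets in other VLANs are not affected by the filter."""
    if packet["vid"] != voice_vid:
        return "forward"
    src = packet["src_mac"]
    if rule_oui and oui_match(src, oui_list) is not None:
        return "forward"
    if rule_lldp and src in lldp_phones:        # lldp_phones: MACs seen with the telephone bit
        return "forward"
    return "drop"


def make_tlv(tlv_type, value):
    """Constructed helper: encode one TLV with the 802.1AB 7-bit type / 9-bit length header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed OUI Telephony list, in the shape of the guide's "show voice vlan oui" output.
OUI_LIST = [
    (parse_mac("00-12-34-56-78-9A"), parse_mac("FF-FF-FF-00-00-00"), "old phones"),
    (parse_mac("00-98-76-54-32-10"), parse_mac("FF-FF-FF-FF-FF-FF"), "Chris' phone"),
]
# Constructed LLDPDU fragments: a phone advertising and enabling the telephone capability,
# and a PC advertising only the station-only capability (0x0080).
PHONE_LLDPDU = make_tlv(LLDP_TLV_SYSTEM_CAPABILITIES, struct.pack("!HH", 0x0020, 0x0020)) + make_tlv(0, b"")
PC_LLDPDU = make_tlv(LLDP_TLV_SYSTEM_CAPABILITIES, struct.pack("!HH", 0x0080, 0x0080)) + make_tlv(0, b"")

if __name__ == "__main__":
    print(oui_match(parse_mac("00-12-34-AA-BB-CC"), OUI_LIST))   # old phones
    print(lldp_is_telephone(PHONE_LLDPDU), lldp_is_telephone(PC_LLDPDU))   # True False
    pc = {"vid": 1234, "src_mac": parse_mac("00-AA-BB-00-00-01")}
    print(voice_vlan_security(pc, 1234, OUI_LIST, set()))          # drop
```

With the OUI rule alone, a host that simply tags its own frames with the Voice VLAN ID is dropped unless its OUI is on the list; the drop decision is the observable effect the security command adds, and the OUI list is what makes it meaningful.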
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Syntax
show voice vlan { oui | status }
oui - Displays the OUI Telephony list.
status - Displays the global and port Voice VLAN settings.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show voice vlan status
Global Voice VLAN Status
Voice VLAN Status : Enabled
Voice VLAN ID : 1234
Voice VLAN aging time : 1440 minutes
Voice VLAN Port Summary
Port Mode Security Rule Priority Remaining Age
(minutes)
-------- -------- -------- --------- -------- -------------
Eth 1/ 1 Auto Enabled OUI 6 100
Eth 1/ 2 Disabled Disabled OUI 6 NA
Eth 1/ 3 Manual Enabled OUI 5 100
Eth 1/ 4 Auto Enabled OUI 6 100
Eth 1/ 5 Disabled Disabled OUI 6 NA
Eth 1/ 6 Disabled Disabled OUI 6 NA
Eth 1/ 7 Disabled Disabled OUI 6 NA
Eth 1/ 8 Disabled Disabled OUI 6 NA
Eth 1/ 9 Disabled Disabled OUI 6 NA
Eth 1/10 Disabled Disabled OUI 6 NA
Console#show voice vlan oui
OUI Address Mask Description
----------------- ----------------- ------------------------------
00-12-34-56-78-9A FF-FF-FF-00-00-00 old phones
00-11-22-33-44-55 FF-FF-FF-00-00-00 new phones
00-98-76-54-32-10 FF-FF-FF-FF-FF-FF Chris' phone
Console#
18
Class of Service Commands
The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion.
This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. The default priority can be set for each interface; the queue service mode and the mapping of frame priority tags to the switch's priority queues can also be configured.
Table 93: Priority Commands
Command Group                       Function
Priority Commands (Layer 2)         Configures the queue mode, queue weights, and default priority for untagged frames
Priority Commands (Layer 3 and 4)   Sets the default priority processing method (CoS or DSCP), maps priority tags for internal processing, maps values from internal priority table to CoS values used in tagged egress packets for Layer 2 interfaces, maps internal per hop behavior to hardware queues
Priority Commands (Layer 2)
This section describes commands used to configure Layer 2 traffic priority on the switch.
Table 94: Priority Commands (Layer 2)
Command                       Function                                                                                                              Mode
queue mode                    Sets the queue mode to Weighted Round-Robin (WRR), strict priority, or a combination of strict and weighted queuing   GC
queue weight                  Assigns round-robin weights to the priority queues                                                                    GC
switchport priority default   Sets a port priority for incoming untagged frames                                                                     IC
show interfaces switchport    Displays the administrative and operational status of an interface                                                    PE
show queue mode               Shows the current queue mode                                                                                          PE
show queue weight             Shows weights assigned to the weighted queues                                                                         PE
queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Syntax
queue mode { strict | wrr | strict-wrr [ queue-type-list ]}
no queue mode
strict - Services the egress queues in sequential order, transmitting all traffic in the higher priority queues before servicing lower priority queues. This ensures that the highest priority packets are always serviced first, ahead of all other traffic.
wrr - Weighted Round-Robin shares bandwidth at the egress ports by using scheduling weights (based on the queue weight command), and servicing each queue in a round-robin fashion.
strict-wrr - Strict priority is used for the high-priority queues and WRR for the rest of the queues.
queue-type-list - Indicates if the queue is a normal or strict type. (Options: 0 indicates a normal queue, 1 indicates a strict queue)
Default Setting
Strict and WRR, with Queue 3 using strict mode
Command Mode
Global Configuration
Command Usage
◆ The switch can be set to service the port queues based on strict priority, WRR, or a combination of strict and weighted queueing.
◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
◆ Weighted Round Robin (WRR) uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing. Use the queue weight command to assign weights for WRR queuing to the eight priority queues.
◆ If Strict and WRR mode is selected, a combination of strict service is used for the high priority queues and weighted service for the remaining queues. The queues assigned to use strict priority should be specified using the queue-type-list parameter.
◆ A weight can be assigned to each of the weighted queues (and thereby to the corresponding traffic priorities). This weight sets the frequency at which each queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example
The following example sets the queue mode to strict priority service mode:
Console(config)#queue mode strict
Console(config)#
Related Commands
queue weight (431)
show queue mode (433)
queue weight
This command assigns weights to the four class of service (CoS) priority queues when using weighted queuing, or one of the queuing modes that use a combination of strict and weighted queuing. Use the no form to restore the default weights.
Syntax
queue weight weight0...weight3
no queue weight
weight0...weight3 - The ratio of weights for queues 0 - 3 determines the weights used by the WRR scheduler. (Range: 1-15)
Default Setting
Weights 1, 2, 4, 6 are assigned to queues 0 - 3 respectively.
Command Mode
Global Configuration
Command Usage
◆ This command shares bandwidth at the egress port by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing ( page 430 ).
◆ Bandwidth is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
Example
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3.
Console(config)#queue weight 1 2 3 4
Console(config)#
Related Commands
queue mode (430)
show queue weight (433)
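The queue mode and queue weight sections describe three scheduling behaviours: strict priority (higher queues always drained first), WRR (each queue polled in proportion to its weight) and strict-wrr (the queues flagged in the queue-type-list served strictly, the rest by WRR). The following is an added example, not code from this guide or from the switch vendor: a Python simulation of those three modes over constructed queue contents, using the guide's default weights 1, 2, 4, 6 and its default of queue 3 as the strict queue. The simulation models a WRR round as "up to weight packets per queue" and reports the resulting byte share; how the hardware actually sizes a round is not stated beyond the bytes-per-round remark, so that is an assumption of the model.

```python
"""Added example (not the switch's own code): a simulation of the egress
scheduling modes this guide describes for queue mode and queue weight."""

DEFAULT_WEIGHTS = (1, 2, 4, 6)      # the guide's default weights for queues 0-3
DEFAULT_STRICT_TYPES = (0, 0, 0, 1)  # the guide's default: queue 3 strict, others WRR


def schedule(queues, mode, weights=DEFAULT_WEIGHTS, strict_types=None, budget=None):
    """Serve `queues` (a list of lists of packet sizes in bytes; index = queue
    number, highest index = highest priority) and return the transmission
    order as (queue, size) pairs.

    strict:     highest non-empty queue first, each emptied before the next.
    wrr:        each round, queue i may send up to weights[i] packets.
    strict-wrr: queues flagged 1 in strict_types are drained first, the rest
                share the remaining service time by WRR.
    `budget` caps the number of packets sent so that saturated queues can be
    sampled instead of drained (model assumption: one packet per poll)."""
    queues = [list(q) for q in queues]
    order = []
    if mode == "strict":
        strict_set = set(range(len(queues)))
    elif mode == "wrr":
        strict_set = set()
    elif mode == "strict-wrr":
        if strict_types is None:
            raise ValueError("strict-wrr needs a queue-type-list")
        strict_set = {i for i, t in enumerate(strict_types) if t == 1}
    else:
        raise ValueError("unknown queue mode %r" % mode)

    def budget_left():
        return budget is None or len(order) < budget

    # Strict queues: always the highest non-empty strict queue first.
    for q in sorted(strict_set, reverse=True):
        while queues[q] and budget_left():
            order.append((q, queues[q].pop(0)))
    # Weighted queues: round-robin, weights[q] packets per round, higher queue polled first.
    weighted = [q for q in range(len(queues)) if q not in strict_set]
    while budget_left() and any(queues[q] for q in weighted):
        for q in reversed(weighted):
            for _ in range(weights[q]):
                if not queues[q] or not budget_left():
                    break
                order.append((q, queues[q].pop(0)))
    return order


def bandwidth_share(order):
    """Fraction of transmitted bytes per queue: the share the WRR weights set."""
    totals = {}
    for q, size in order:
        totals[q] = totals.get(q, 0) + size
    all_bytes = sum(totals.values())
    return {q: b / all_bytes for q, b in sorted(totals.items())}


def saturated(packets_per_queue=100, size=1000, n_queues=4):
    """Constructed input: every queue permanently backlogged with equal-size packets."""
    return [[size] * packets_per_queue for _ in range(n_queues)]


if __name__ == "__main__":
    # Two full WRR rounds (1+2+4+6 = 13 packets per round) give shares of 1/13 ... 6/13.
    print(bandwidth_share(schedule(saturated(), "wrr", budget=26)))
    # In strict-wrr with the default list, the backlogged strict queue 3 takes the whole budget,
    # which is the head-of-line blocking the guide attributes to strict service.
    print(bandwidth_share(schedule(saturated(), "strict-wrr", strict_types=DEFAULT_STRICT_TYPES, budget=26)))
```

The second print is the practical caveat behind strict-wrr: a queue marked strict is never rate-limited by the weights, so a flood of traffic classified into it starves the weighted queues entirely.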
switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Syntax
switchport priority default default-priority-id
no switchport priority default
default-priority-id - The priority number for untagged ingress traffic. The priority is a number from 0 to 7. Seven is the highest priority.
Default Setting
The priority is not set, and the default value for untagged frames received on the interface is zero.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The precedence for priority mapping is IP DSCP, and then default switchport priority.
◆ The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
◆ The switch provides four priority queues for each port. It can be configured to use strict priority queuing, Weighted Round Robin (WRR), or a combination of strict and weighted queuing using the queue mode command. Inbound frames that do not have VLAN tags are tagged with the input port's default ingress user priority, and then placed in the appropriate priority queue at the output port. The default priority for all ingress ports is zero. Therefore, any inbound frames that do not have priority tags will be placed in queue 1 of the output port. (Note that if the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.)
Example
The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
Related Commands
show interfaces switchport (305)
show queue mode
This command shows the current queue mode.
Command Mode
Privileged Exec
Example
Console#show queue mode
Queue Mode : Weighted Round Robin Mode
Console#
show queue weight
This command displays the weights used for the weighted queues.
Command Mode
Privileged Exec
Example
Console#show queue weight
Queue ID Weight
-------- ------
0 1
1 2
2 4
3 6
Console#
Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Table 95: Priority Commands (Layer 3 and 4)
Command                     Function                                                                                                        Mode
qos map cos-dscp            Maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for internal priority processing   GC
qos map dscp-mutation       Maps DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing      GC
qos map phb-queue           Maps internal per-hop behavior values to hardware queues                                                        GC
qos map trust-mode          Sets QoS mapping to DSCP or CoS                                                                                 IC
show qos map cos-dscp       Shows ingress CoS to internal DSCP map                                                                          PE
show qos map dscp-mutation  Shows ingress DSCP to internal DSCP map                                                                         PE
show qos map phb-queue      Shows internal per-hop behavior to hardware queue map                                                           PE
show qos map trust-mode     Shows the QoS mapping mode                                                                                      PE
* The default settings used for mapping priority values to internal DSCP values and back to the hardware queues are designed to optimize priority services for the majority of network applications. It should not be necessary to modify any of the default settings unless a queuing problem occurs with a particular application.
qos map cos-dscp
This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax
qos map cos-dscp phb drop-precedence from cos0 cfi0 ... cos7 cfi7
no qos map cos-dscp cos0 cfi0 ... cos7 cfi7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
drop-precedence - Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)
cos - CoS value in ingress packets. (Range: 0-7)
cfi - Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1)
Default Setting
Table 96: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS   CFI 0   CFI 1
0     (0,0)   (0,0)
1     (1,0)   (1,0)
2     (2,0)   (2,0)
3     (3,0)   (3,0)
4     (4,0)   (4,0)
5     (5,0)   (5,0)
6     (6,0)   (6,0)
7     (7,0)   (7,0)
Command Mode
Global Configuration
Command Usage
◆ The default mapping of CoS to PHB values shown in Table 96 is based on the recommended settings in IEEE 802.1p for mapping CoS values to output queues.
◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight CoS/CFI paired values separated by spaces.
◆ If a packet arrives with a 802.1Q header but it is not an IP packet, then the CoS/CFI-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
◆ The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent; and two bits for drop precedence (namely color) which is used by Random Early Detection (RED) to control traffic congestion.
Example
Console(config)#qos map cos-dscp 0 0 from 0 1
Console(config)#
qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ... dscp7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
drop-precedence - Drop precedence used for Random Early Detection in controlling traffic congestion. (Range: 0 - Green, 3 - Yellow, 1 - Red)
dscp - DSCP value in ingress packets. (Range: 0-63)
Default Setting
Table 97: Default Mapping of DSCP Values to Internal PHB/Drop Values
ingress-dscp10 \ ingress-dscp1
        0      1      2      3      4      5      6      7      8      9
0    (0,0)  (0,1)  (0,0)  (0,3)  (0,0)  (0,1)  (0,0)  (0,3)  (1,0)  (1,1)
1    (1,0)  (1,3)  (1,0)  (1,1)  (1,0)  (1,3)  (2,0)  (2,1)  (2,0)  (2,3)
2    (2,0)  (2,1)  (2,0)  (2,3)  (3,0)  (3,1)  (3,0)  (3,3)  (3,0)  (3,1)
3    (3,0)  (3,3)  (4,0)  (4,1)  (4,0)  (4,3)  (4,0)  (4,1)  (4,0)  (4,3)
4    (5,0)  (5,1)  (5,0)  (5,3)  (5,0)  (5,1)  (6,0)  (5,3)  (6,0)  (6,1)
5    (6,0)  (6,3)  (6,0)  (6,1)  (6,0)  (6,3)  (7,0)  (7,1)  (7,0)  (7,3)
6    (7,0)  (7,1)  (7,0)  (7,3)
The ingress DSCP is composed of ingress-dscp10 (the most significant digit, in the left column) and ingress-dscp1 (the least significant digit, in the top row); in other words, ingress-dscp = ingress-dscp10 * 10 + ingress-dscp1. The corresponding internal DSCP, written as (phb, drop precedence), is shown in the intersecting cell of the table.
The drop precedence is derived by bitwise ANDing the ingress DSCP with the binary value 11. If the resulting value is binary 10, the drop precedence is set to 0.
Command Mode
Global Configuration
Command Usage
◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
◆ This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
◆ Random Early Detection starts dropping yellow and red packets when the buffer fills up to 0x60 packets, and then starts dropping any packets regardless of color when the buffer fills up to 0x80 packets.
Example
This example changes the priority for all packets entering port 1 which contain a DSCP value of 1 to a per-hop behavior of 3 and a drop precedence of 1. Referring to Table 97, note that the internal DSCP value for these packets is now 25 (3 x 2^3 + 1) and is passed on to the egress interface.
Console(config)#qos map dscp-mutation 3 1 from 1
Console(config)#
qos map phb-queue
This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings.
Syntax
qos map phb-queue queue-id from phb0 ... phb7
no qos map phb-queue phb0 ... phb7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue. (Range: 0-7, where 7 is the highest priority queue)
Default Setting
Table 98: Mapping Internal Per-hop Behavior to Hardware Queues
Per-hop Behavior   Hardware Queue
0                  1
1                  0
2                  0
3                  1
4                  2
5                  2
6                  3
7                  3
Command Mode
Global Configuration
Command Usage
◆ Enter a queue identifier, followed by the keyword “from” and then up to eight internal per-hop behavior values separated by spaces.
◆ Egress packets are placed into the hardware queues according to the mapping defined by this command.
Example
Console(config)#qos map phb-queue 0 from 1 2 3
Console(config)#
qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Syntax
qos map trust-mode { dscp | cos }
no qos map trust-mode
dscp - Sets the QoS mapping mode to DSCP.
cos - Sets the QoS mapping mode to CoS.
Default Setting
DSCP
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ If the QoS mapping mode is set to DSCP with this command, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
◆ If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet's CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged. For an untagged packet, the default port priority (see page 432) is used for priority processing.
◆ If the QoS mapping mode is set to CoS with this command, and the ingress packet type is IPv4, then priority processing will be based on the CoS and CFI values in the ingress packet. For an untagged packet, the default port priority (see page 432) is used for priority processing.
Example
This example sets the QoS priority mapping mode on the interface to CoS, so that priority processing follows the conditions described in the Command Usage section.
Console(config)#interface ge1/1
Console(config-if)#qos map trust-mode cos
Console(config-if)#
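The decision logic in the Command Usage notes above, together with the default maps from Tables 96, 97 and 98, as an added Python model (example code written for this guide, not Edge-Core/Motorola code): it classifies a frame into a per-hop behavior, drop precedence and hardware queue, and applies the qos map dscp-mutation and qos map phb-queue changes from this chapter's examples. The names Port, Frame and classify are assumptions, as is feeding the port default priority through the cos-dscp map with CFI 0 (with the default table this leaves it unchanged).

```python
"""Model of the ingress priority mapping described in this chapter (qos map
trust-mode, the cos-dscp, dscp-mutation and phb-queue maps, and the port
default priority).  Added example, not Edge-Core/Motorola code; the tables are
the defaults from Tables 96, 97 and 98."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (per-hop behavior 0-7, drop precedence: 0 green, 1 red, 3 yellow)
PhbDp = Tuple[int, int]


def default_cos_dscp() -> Dict[Tuple[int, int], PhbDp]:
    """Table 96: every CoS/CFI pair maps to (CoS, 0)."""
    return {(cos, cfi): (cos, 0) for cos in range(8) for cfi in (0, 1)}


def default_dscp_mutation() -> Dict[int, PhbDp]:
    """Table 97.  Reading the table: the PHB is the top three bits of the
    ingress DSCP, and the drop precedence is (DSCP AND 0b11) with 0b10 mapped
    to 0, as the page states.  The one entry that rule does not give is
    DSCP 46, which Table 97 lists as (6,0); it is copied from the table."""
    m = {}
    for d in range(64):
        dp = d & 0b11
        m[d] = (d >> 3, 0 if dp == 0b10 else dp)
    m[46] = (6, 0)
    return m


# Table 98: internal per-hop behavior -> hardware queue
DEFAULT_PHB_QUEUE: Dict[int, int] = {0: 1, 1: 0, 2: 0, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def internal_dscp(phb: int, dp: int) -> int:
    """Internal DSCP: three PHB bits followed by two drop-precedence bits,
    so (3,1) becomes 3*2^3 + 1 = 25 as in the dscp-mutation example."""
    return (phb << 3) | dp


@dataclass
class Port:
    trust_mode: str = "dscp"            # qos map trust-mode default setting
    default_priority: int = 0           # switchport priority default
    cos_dscp: Dict[Tuple[int, int], PhbDp] = field(default_factory=default_cos_dscp)
    dscp_mutation: Dict[int, PhbDp] = field(default_factory=default_dscp_mutation)
    phb_queue: Dict[int, int] = field(default_factory=lambda: dict(DEFAULT_PHB_QUEUE))

    def map_dscp_mutation(self, phb: int, dp: int, *dscps: int) -> None:
        """qos map dscp-mutation <phb> <drop-precedence> from <dscp> ..."""
        for d in dscps:
            self.dscp_mutation[d] = (phb, dp)

    def map_phb_queue(self, queue: int, *phbs: int) -> None:
        """qos map phb-queue <queue-id> from <phb> ..."""
        for p in phbs:
            self.phb_queue[p] = queue


@dataclass
class Frame:
    ipv4: bool
    dscp: int = 0
    tagged: bool = False   # carries an IEEE 802.1Q tag
    cos: int = 0
    cfi: int = 0


def classify(port: Port, f: Frame) -> Tuple[int, int, int]:
    """Return (phb, drop precedence, hardware queue) following the qos map
    trust-mode usage notes: DSCP is trusted only for IPv4 frames in DSCP mode;
    otherwise the 802.1p CoS/CFI of a tagged frame is used, and an untagged
    frame gets the port default priority (assumption: treated as CoS with CFI 0)."""
    if port.trust_mode == "dscp" and f.ipv4:
        phb, dp = port.dscp_mutation[f.dscp]
    elif f.tagged:
        phb, dp = port.cos_dscp[(f.cos, f.cfi)]
    else:
        phb, dp = port.cos_dscp[(port.default_priority, 0)]
    return phb, dp, port.phb_queue[phb]


if __name__ == "__main__":
    port = Port()
    port.map_dscp_mutation(3, 1, 1)          # the dscp-mutation example
    phb, dp, queue = classify(port, Frame(ipv4=True, dscp=1))
    print(f"phb={phb} dp={dp} internal_dscp={internal_dscp(phb, dp)} queue={queue}")
```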
show qos map cos-dscp
This command shows ingress CoS/CFI to internal DSCP map.
Syntax show qos map cos-dscp
Command Mode
Privileged Exec
Example
Console#show qos map cos-dscp
CoS-DSCP Map. (x,y),x: phb,y: drop precedence:
CoS : CFI 0 1
---------------------------------
0 (0,0) (0,0)
1 (1,0) (1,0)
2 (2,0) (2,0)
3 (3,0) (3,0)
4 (4,0) (4,0)
5 (5,0) (5,0)
6 (6,0) (6,0)
7 (7,0) (7,0)
Console#
show qos map dscp-mutation
This command shows the ingress DSCP to internal DSCP map.
Syntax show qos map dscp-mutation
Command Mode
Privileged Exec
Command Usage
This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Example
The ingress DSCP is composed of “d1” (the most significant digit, in the left column) and “d2” (the least significant digit, in the top row); in other words, ingress DSCP = d1 * 10 + d2. The corresponding internal DSCP and drop precedence is shown at the intersecting cell in the table.
Console#show qos map dscp-mutation
dscp mutation map.(x,y),x: phb,y: drop precedence:
d1: d2 0 1 2 3 4 5 6 7 8 9
-----------------------------------------------------------------
0 : (0,0) (0,1) (0,0) (0,3) (0,0) (0,1) (0,0) (0,3) (1,0) (1,1)
1 : (1,0) (1,3) (1,0) (1,1) (1,0) (1,3) (2,0) (2,1) (2,0) (2,3)
2 : (2,0) (2,1) (2,0) (2,3) (3,0) (3,1) (3,0) (3,3) (3,0) (3,1)
3 : (3,0) (3,3) (4,0) (4,1) (4,0) (4,3) (4,0) (4,1) (4,0) (4,3)
4 : (5,0) (5,1) (5,0) (5,3) (5,0) (5,1) (6,0) (5,3) (6,0) (6,1)
5 : (6,0) (6,3) (6,0) (6,1) (6,0) (6,3) (7,0) (7,1) (7,0) (7,3)
6 : (7,0) (7,1) (7,0) (7,3)
Console#
show qos map phb-queue
This command shows internal per-hop behavior to hardware queue map.
Syntax show qos map phb-queue
Command Mode
Privileged Exec
Example
Console#show qos map phb-queue
phb-queue map:
phb: 0 1 2 3 4 5 6 7
-------------------------------------------------------
Queue: 1 0 0 1 2 2 3 3
Console#
show qos map trust-mode
This command shows the QoS mapping mode.
Syntax
show qos map trust-mode interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Example
The following shows that the trust mode is set to CoS:
Console#show qos map trust-mode interface ethernet 1/5
Information of Eth 1/5
COS map mode: cos mode
Console#
Chapter 19 | Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Table 99: Quality of Service Commands
Command                     Function                                                                                                    Mode
class-map                   Creates a class map for a type of traffic                                                                   GC
description                 Specifies the description of a class map                                                                    CM
match                       Defines the criteria used to classify traffic                                                               CM
rename                      Redefines the name of a class map                                                                           CM
policy-map                  Creates a policy map for multiple interfaces                                                                GC
description                 Specifies the description of a policy map                                                                   PM
class                       Defines a traffic classification for the policy to act on                                                   PM
rename                      Redefines the name of a policy map                                                                          PM
police flow                 Defines an enforcer for classified traffic based on a metered flow rate                                     PM-C
police srtcm-color          Defines an enforcer for classified traffic based on a single rate three color meter                         PM-C
police trtcm-color          Defines an enforcer for classified traffic based on a two rate three color meter                            PM-C
set cos                     Services IP traffic by setting a class of service value for matching packets for internal processing        PM-C
set ip dscp                 Services IP traffic by setting an IP DSCP value for matching packets for internal processing                PM-C
set phb                     Services IP traffic by setting a per-hop behavior value for matching packets for internal processing        PM-C
service-policy              Applies a policy map defined by the policy-map command to the input of a particular interface               IC
show class-map              Displays the QoS class maps which define matching criteria used for classifying traffic                     PE
show policy-map             Displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations   PE
show policy-map interface   Displays the configuration of all classes configured for all service policies on the specified interface    PE
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, a DSCP or IP Precedence value, or a VLAN.
3. Use the policy-map command to designate a policy name for a specific manner in which ingress traffic will be handled, and enter the Policy Map configuration mode.
4. Use the class command to identify the class map, and enter Policy Map Class configuration mode. A policy map can contain up to 16 class maps.
5. Use the set phb, set cos or set ip dscp command to modify the per-hop behavior, the class of service value in the VLAN tag, or the priority bits in the IP header (IP DSCP value) for the matching traffic class, and use one of the police commands to monitor parameters such as the average flow and burst rate, and drop any traffic that exceeds the specified rate, or just reduce the DSCP service level for traffic exceeding the specified rate.
6. Use the service-policy command to assign a policy map to a specific interface.
Note: Create a Class Map before creating a Policy Map.
class-map
This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode. Use the no form to delete a class map.
Syntax
[ no ] class-map class-map-name [ match-any ]
class-map-name - Name of the class map. (Range: 1-32 characters)
match-any - Match any condition within a class map.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 445). The policy map is then bound by a service policy to an interface (page 456). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the match or set commands.
Example
This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3:
Console(config)#class-map rd-class match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
Related Commands
show class-map (457)
description
This command specifies the description of a class map or policy map.
Syntax
description string
string - Description of the class map or policy map. (Range: 1-64 characters)
Command Mode
Class Map Configuration
Policy Map Configuration
Example
Console(config)#class-map rd-class#1
Console(config-cmap)#description “matches packets marked for DSCP service value 3”
Console(config-cmap)#
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[ no ] match { access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan-id }
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
dscp - A Differentiated Service Code Point value. (Range: 0-63)
ip-precedence - An IP Precedence value. (Range: 0-7)
vlan-id - A VLAN. (Range: 1-4093)
Default Setting
None
Command Mode
Class Map Configuration
Command Usage
◆ First enter the class-map command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the fields within ingress packets that must match to qualify for this class map.
◆ If an ingress packet matches an ACL specified by this command, any deny rules included in the ACL will be ignored.
◆ If match criteria includes an IP ACL or IP priority rule, then a VLAN rule cannot be included in the same class map.
◆ If match criteria includes a MAC ACL or VLAN rule, then neither an IP ACL nor IP priority rule can be included in the same class map.
◆ Up to 16 match entries can be included in a class map.
Example
This example creates a class map called “rd-class#1,” and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd-class#1 match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Console(config)#class-map rd-class#3 match-any
Console(config-cmap)#match vlan 1
Console(config-cmap)#
rename
This command redefines the name of a class map or policy map.
Syntax
rename map-name
map-name - Name of the class map or policy map. (Range: 1-32 characters)
Command Mode
Class Map Configuration
Policy Map Configuration
Example
Console(config)#class-map rd-class#1
Console(config-cmap)#rename rd-class#9
Console(config-cmap)#
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.
Syntax
[ no ] policy-map policy-map-name
policy-map-name - Name of the policy map. (Range: 1-32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 445) before assigning it to a Policy Map.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set ip dscp 3
Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop
Console(config-pmap-c)#
class
This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map.
Syntax
[ no ] class class-map-name
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
None
Command Mode
Policy Map Configuration
Command Usage
◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
■ set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.)
■ set cos command sets the class of service value in matching packets. (This modifies packet priority in the VLAN tag.)
■ set ip dscp command sets the IP DSCP value in matching packets. (This modifies packet priority in the IP header.)
■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
◆ Up to 16 classes can be included in a policy map.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and configure the response to drop any violating packets.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop
Console(config-pmap-c)#
police flow
This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer.
Syntax
[ no ] police flow committed-rate committed-burst conform-action transmit violate-action { drop | new-dscp }
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 64-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes. (Range: 4000-16000000 at a granularity of 4k bytes)
conform-action - Action to take when packet is within the CIR and BC. (There are enough tokens to service the packet, the packet is set green.)
violate-action - Action to take when packet exceeds the CIR or BC. (There are not enough tokens to service the packet, the packet is set red.)
transmit - Transmits without taking any action.
drop - Drops packet as required by violate-action.
new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
◆ Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698.
◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR – Committed Information Rate), and the maximum size of the token bucket (BC – Committed Burst Size).
■ The token bucket C is initially full, that is, the token count Tc(0) = BC. Thereafter, the token count Tc is updated CIR times per second as follows: If Tc is less than BC, Tc is incremented by one, else Tc is not incremented.
■ When a packet of size B bytes arrives at time t, the following happens: If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else the packet is red and Tc is not decremented.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop
Console(config-pmap-c)#
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
Syntax
[ no ] police { srtcm-color-blind | srtcm-color-aware } committed-rate committed-burst excess-burst conform-action transmit exceed-action { drop | new-dscp } violate-action { drop | new-dscp }
srtcm-color-blind - Single rate three color meter in color-blind mode.
srtcm-color-aware - Single rate three color meter in color-aware mode.
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 64-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes. (Range: 4000-16000000 at a granularity of 4k bytes)
excess-burst - Excess burst size (BE) in bytes. (Range: 4000-1600000 at a granularity of 4k bytes)
conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, the packet is set green.)
exceed-action - Action to take when rate exceeds the CIR or BC but is within the BE. (There are enough tokens in bucket BE to service the packet, the packet is set yellow.)
violate-action - Action to take when rate exceeds the BE. (There are not enough tokens in bucket BE to service the packet, the packet is set red.)
transmit - Transmits without taking any action.
drop - Drops packet as required by exceed-action or violate-action.
new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst and excess-burst cannot exceed 16 Mbytes.
◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green if it doesn't exceed the CIR and BC, yellow if it does exceed the CIR and BC, but not the BE, and red otherwise.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
◆ The behavior of the meter is specified in terms of its mode and two token buckets, C and E, which both share the common rate CIR. The maximum size of the token bucket C is BC and the maximum size of the token bucket E is BE.
■ The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows: If Tc is less than BC, Tc is incremented by one, else if Te is less than BE, Te is incremented by one, else neither Tc nor Te is incremented.
■ When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode: If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else if Te(t) - B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented.
■ When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-aware mode: If the packet has been precolored as green and Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else if the packet has been precolored as yellow or green and Te(t) - B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented.
The metering policy guarantees a deterministic behavior where the volume of green packets is never smaller than what has been determined by the CIR and BC, that is, tokens of a given color are always spent on packets of that color.
Refer to RFC 2697 for more information on other aspects of srTCM.
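The srTCM rules just described, and the single-bucket police flow meter described under the police flow command, as an added Python simulation (example code written for this guide, not Edge-Core/Motorola code). It follows the page's example policer, police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop, on a constructed packet burst; the class and function names are assumptions, and the per-tick refill on the page is computed from elapsed time instead, which is equivalent on average.

```python
"""Simulation of the srTCM and police flow token-bucket meters described in
this chapter.  Added example, not Edge-Core/Motorola code."""
from typing import List, Sequence, Tuple, Union

# "transmit", "drop" or ("remark", new_dscp): the configured policer actions
Action = Union[str, Tuple[str, int]]


class SrTCM:
    """Single rate three color meter (RFC 2697) as described under police
    srtcm-color.  Buckets C (depth BC) and E (depth BE) share one rate, CIR.
    The page refills one token at a time, CIR times per second; here the same
    refill is computed from the time elapsed since the previous packet
    (assumption: equivalent on average).  A police flow policer is the special
    case BE = 0: there is no E bucket, so anything that does not fit bucket C
    is red."""

    def __init__(self, cir_kbps: int, bc: int, be: int = 0, color_aware: bool = False):
        self.cir = cir_kbps * 1000 / 8          # CIR is in kbit/s; tokens are bytes
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)  # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0                          # time of the previous refill

    def _refill(self, now: float) -> None:
        tokens = max(0.0, now - self.last) * self.cir
        self.last = now
        # Tokens fill C first; only once C is full do they spill into E.
        to_c = min(tokens, self.bc - self.tc)
        self.tc += to_c
        self.te = min(float(self.be), self.te + tokens - to_c)

    def meter(self, size: int, now: float, precolor: str = "green") -> str:
        """Color a packet of `size` bytes arriving at `now` seconds."""
        self._refill(now)
        # Color-blind: any packet may use either bucket.  Color-aware: a packet
        # can only keep the color it arrived with or be downgraded.
        may_be_green = (not self.color_aware) or precolor == "green"
        may_be_yellow = (not self.color_aware) or precolor in ("green", "yellow")
        if may_be_green and self.tc - size >= 0:
            self.tc -= size
            return "green"
        if may_be_yellow and self.te - size >= 0:
            self.te -= size
            return "yellow"
        return "red"        # neither bucket is charged


def policer_action(color: str, exceed: Action, violate: Action) -> Action:
    """Map the meter color to the conform/exceed/violate action; conform-action
    is always transmit on this switch."""
    return {"green": "transmit", "yellow": exceed, "red": violate}[color]


def run_policer(meter: SrTCM, packets: Sequence[tuple],
                exceed: Action, violate: Action) -> List[Action]:
    """packets: (size_bytes, arrival_time_s) or (size, time, precolor)."""
    out: List[Action] = []
    for pkt in packets:
        size, now = pkt[0], pkt[1]
        precolor = pkt[2] if len(pkt) > 2 else "green"
        out.append(policer_action(meter.meter(size, now), exceed, violate))
    return out


def example_burst() -> List[Action]:
    """The page's policer: police srtcm-color-blind 100000 4000 6000
    conform-action transmit exceed-action 0 violate-action drop."""
    meter = SrTCM(cir_kbps=100000, bc=4000, be=6000)
    # Constructed input: seven 1500-byte packets arriving at once (BC holds
    # two, BE holds four more, the seventh is red), then one more a second
    # later, by which time both buckets have refilled.
    burst = [(1500, 0.0)] * 7 + [(1500, 1.0)]
    return run_policer(meter, burst, exceed=("remark", 0), violate="drop")


if __name__ == "__main__":
    for i, act in enumerate(example_burst()):
        print(i, act)
```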
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the excess burst size.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop
Console(config-pmap-c)#
police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Syntax
[ no ] police { trtcm-color-blind | trtcm-color-aware } committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action { drop | new-dscp } violate-action { drop | new-dscp }
trtcm-color-blind - Two rate three color meter in color-blind mode.
trtcm-color-aware - Two rate three color meter in color-aware mode.
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 64-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes. (Range: 4000-16000000 at a granularity of 4k bytes)
peak-rate - Peak information rate (PIR) in kilobits per second. (Range: 64-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
peak-burst - Peak burst size (BP) in bytes. (Range: 4000-16000000 at a granularity of 4k bytes)
conform-action - Action to take when rate is within the CIR and BP. (Packet size does not exceed BP and there are enough tokens in bucket BC to service the packet, the packet is set green.)
exceed-action - Action to take when rate exceeds the CIR but is within the PIR. (Packet size exceeds BC but there are enough tokens in bucket BP to service the packet, the packet is set yellow.)
violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.)
drop - Drops packet as required by exceed-action or violate-action.
transmit - Transmits without taking any action.
new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes.
◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates, Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes, Committed Burst Size (BC) and Peak Burst Size (BP).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR.
The trTCM is useful for ingress policing of a service, where a peak rate needs to be enforced separately from a committed rate.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
◆ The behavior of the meter is specified in terms of its mode and two token buckets, P and C, which are based on the rates PIR and CIR, respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC.
◆ The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC. Thereafter, the token count Tp is incremented by one PIR times per second up to BP, and the token count Tc is incremented by one CIR times per second up to BC.
◆ When a packet of size B bytes arrives at time t, the following happens if the trTCM is configured to operate in color-blind mode:
■ If Tp(t) - B < 0, the packet is red.
■ Otherwise, if Tc(t) - B < 0, the packet is yellow and Tp is decremented by B.
■ Otherwise, the packet is green and both Tp and Tc are decremented by B.
◆ When a packet of size B bytes arrives at time t, the following happens if the trTCM is configured to operate in color-aware mode:
■ If the packet has been precolored as red, or if Tp(t) - B < 0, the packet is red.
■ Otherwise, if the packet has been precolored as yellow, or if Tc(t) - B < 0, the packet is yellow and Tp is decremented by B.
■ Otherwise, the packet is green and both Tp and Tc are decremented by B.
◆ The trTCM can be used to mark an IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
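The following Python class is an added illustration of the meter described above; it is example code written for this page, not part of the guide or of the switch software. It implements the color-blind and color-aware trTCM of RFC 2698 with the units this command uses (rates in kbit/s, bursts in bytes, time in seconds). The Color enum, the TrTCM class and the demo() function are this example's own names; only the documented parameter ranges are checked, and the 64 kbps and 4 kbyte granularity the switch applies when the command is entered is not modelled.

```python
# Added example (not from the CLI Reference Guide): a two rate three color
# meter (trTCM, RFC 2698) in the color-blind and color-aware modes described
# for the police trtcm-color command. Rates are in kbit/s and bursts in bytes,
# matching the command's parameters; packet timestamps are in seconds.
from enum import Enum
from typing import List


class Color(Enum):
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"


def validate_trtcm_params(cir_kbps: int, bc_bytes: int, pir_kbps: int, bp_bytes: int) -> None:
    """Range checks taken from the command's documented parameter ranges.

    The "or maximum port speed" clause and the 64 kbps / 4 kbyte granularity
    are enforced by the switch when the command is entered and are not modelled here.
    """
    for rate in (cir_kbps, pir_kbps):
        if not 64 <= rate <= 1_000_000:
            raise ValueError(f"rate {rate} kbps outside 64-1000000")
    for burst in (bc_bytes, bp_bytes):
        if not 4000 <= burst <= 16_000_000:
            raise ValueError(f"burst {burst} bytes outside 4000-16000000")
    if pir_kbps < cir_kbps:
        # RFC 2698 requires PIR >= CIR; with a lower PIR no packet could ever be green.
        raise ValueError("PIR must not be lower than CIR")


class TrTCM:
    """Two token buckets: C (rate CIR, depth BC) and P (rate PIR, depth BP)."""

    def __init__(self, cir_kbps: int, bc_bytes: int, pir_kbps: int, bp_bytes: int,
                 color_aware: bool = False) -> None:
        validate_trtcm_params(cir_kbps, bc_bytes, pir_kbps, bp_bytes)
        # kbit/s -> bytes/s: multiply by 1000 and divide by 8.
        self.cir_bytes_per_s = cir_kbps * 125
        self.pir_bytes_per_s = pir_kbps * 125
        self.bc = bc_bytes
        self.bp = bp_bytes
        self.color_aware = color_aware
        # Both buckets are full at time 0: Tc(0) = BC, Tp(0) = BP.
        self.tc = float(bc_bytes)
        self.tp = float(bp_bytes)
        self.last_t = 0.0

    def _refill(self, t: float) -> None:
        elapsed = t - self.last_t
        if elapsed < 0:
            raise ValueError("packets must be metered in arrival order")
        # Tc grows at CIR up to BC, Tp grows at PIR up to BP.
        self.tc = min(float(self.bc), self.tc + elapsed * self.cir_bytes_per_s)
        self.tp = min(float(self.bp), self.tp + elapsed * self.pir_bytes_per_s)
        self.last_t = t

    def meter(self, size_bytes: int, t: float, precolor: Color = Color.GREEN) -> Color:
        """Color a packet of B bytes arriving at time t and debit the buckets as RFC 2698 specifies."""
        self._refill(t)
        b = size_bytes
        aware = self.color_aware
        # Red: precolored red (color-aware mode only) or not enough tokens in bucket P.
        if (aware and precolor is Color.RED) or self.tp - b < 0:
            return Color.RED
        # Yellow: precolored yellow (color-aware only) or not enough tokens in bucket C; only P is debited.
        if (aware and precolor is Color.YELLOW) or self.tc - b < 0:
            self.tp -= b
            return Color.YELLOW
        # Green: both buckets are debited.
        self.tc -= b
        self.tp -= b
        return Color.GREEN


def meter_burst(meter: TrTCM, sizes: List[int], t: float) -> List[str]:
    """Meter back-to-back packets that all arrive at time t; return their colors as strings."""
    return [meter.meter(size, t).value for size in sizes]


def demo() -> List[str]:
    # The page's own example parameters: CIR 100000 kbps, BC 4000 bytes, PIR 1000000 kbps, BP 6000 bytes.
    m = TrTCM(100_000, 4000, 1_000_000, 6000)
    colors = meter_burst(m, [1500] * 5, 0.0)
    # One millisecond later both buckets have refilled completely (12.5 kB and 125 kB of credit accrued).
    colors.append(m.meter(1500, 0.001).value)
    return colors


if __name__ == "__main__":
    print(demo())
```

With the page's parameters, five back-to-back 1500-byte packets come out green, green, yellow, yellow, red: bucket C (4000 bytes) runs dry after two packets, bucket P (6000 bytes) after four. In color-aware mode a packet that arrives precolored yellow stays yellow even when both buckets are full, and only bucket P is debited, which is why an upstream marker can never be "promoted" by this switch.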
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the committed information rate to 100,000 kbps, the committed burst size to 4000 bytes, the peak information rate to 1,000,000 kbps, and the peak burst size to 6000 bytes, to remark any packets exceeding the committed rate, and to drop any packets exceeding the peak information rate.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police trtcm-color-blind 100000 4000 1000000 6000 conform-action transmit exceed-action 0 violate-action drop
Console(config-pmap-c)#
set cos
This command modifies the class of service (CoS) value for a matching packet (as specified by the match command) in the packet’s VLAN tag. Use the no form to remove this setting.
Syntax
[ no ] set cos cos-value
cos-value - Class of Service value. (Range: 0-7)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
◆ The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 kbps and the burst size to 4000 bytes, and to drop any violating packets.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set cos 3
Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop
Console(config-pmap-c)#
set ip dscp
This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification.
Syntax
[ no ] set ip dscp new-dscp
new-dscp - New Differentiated Service Code Point (DSCP) value. (Range: 0-63)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
The set ip dscp command is used to set the DSCP value in the DS field (formerly the ToS field) of the IP header of matching packets.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 kbps and the burst size to 4000 bytes, and to drop any violating packets.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set ip dscp 3
Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop
Console(config-pmap-c)#
set phb
This command sets a per-hop behavior value for a matching packet (as specified by the match command), which the switch uses for internal processing of the packet. Use the no form to remove this setting.
Syntax
[ no ] set phb phb-value
phb-value - Per-hop behavior value. (Range: 0-7)
Default Setting
None
Command Mode
Policy Map Class Configuration
Command Usage
◆ The set phb command is used to set an internal QoS value in hardware for matching packets (see Table 97, "Default Mapping of DSCP Values to Internal PHB/Drop Values"). The QoS label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion by the police srtcm-color command and police trtcm-color command.
◆ The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 kbps and the burst size to 4000 bytes, and to drop any violating packets.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop
Console(config-pmap-c)#
service-policy
This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping.
Syntax
[ no ] service-policy input policy-map-name
input - Apply to the input traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)
Default Setting
No policy map is attached to an interface.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Only one policy map can be assigned to an interface.
◆ First define a class map, then define a policy map, and finally use the service-policy command to bind the policy map to the required interface.
◆ The switch does not allow a policy map to be bound to an interface for egress traffic.
Example
This example applies a service policy to an ingress interface.
Console(config)#interface ethernet 1/1
Console(config-if)#service-policy input rd-policy
Console(config-if)#
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
Syntax
show class-map [ class-map-name ]
class-map-name - Name of the class map. (Range: 1-32 characters)
Default Setting
Displays all class maps.
Command Mode
Privileged Exec
Example
Console#show class-map
Class Map match-any rd-class#1
Description:
Match ip dscp 10
Match access-list rd-access
Match ip dscp 0
Class Map match-any rd-class#2
Match ip precedence 5
Class Map match-any rd-class#3
Match vlan 1
Console#
show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
Syntax
show policy-map [ policy-map-name [ class class-map-name ] ]
policy-map-name - Name of the policy map. (Range: 1-16 characters)
class-map-name - Name of the class map. (Range: 1-16 characters)
Default Setting
Displays all policy maps and all classes.
Command Mode
Privileged Exec
Example
Console#show policy-map
Policy Map rd-policy
Description:
class rd-class
set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
class rd-class
set phb 3
Console#
show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show policy-map interface 1/5 input
Service-policy rd-policy
Console#
20
Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only.
It then propagates the service request up to any neighboring multicast switch/ router to ensure that it will continue to receive the multicast service.
Table 100: Multicast Filtering Commands
Command Group | Function
IGMP Snooping | Configures multicast groups via IGMP snooping or static assignment, sets the IGMP version, enables proxy reporting, displays current snooping settings, and displays the multicast service and group members
Static Multicast Routing | Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs
IGMP Filtering and Throttling | Configures IGMP filtering and throttling
Multicast VLAN Registration | Configures a single network-wide multicast VLAN shared by hosts residing in other standard or private VLAN groups, preserving security and data isolation for normal traffic
IGMP Snooping
This section describes commands used to configure IGMP snooping on the switch.
Table 101: IGMP Snooping Commands
Command | Function | Mode
ip igmp snooping | Enables IGMP snooping on the switch or a selected VLAN interface | GC
ip igmp snooping proxy-reporting | Enables IGMP Snooping with Proxy Reporting | GC
ip igmp snooping querier | Allows this device to act as the querier for IGMP snooping | GC
ip igmp snooping router-alert-option-check | Discards any IGMPv2/v3 packets that do not include the Router Alert option | GC
ip igmp snooping router-port-expire-time | Configures the querier timeout | GC
ip igmp snooping tcn-flood | Floods multicast traffic when a Spanning Tree topology change occurs | GC
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs | GC
ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into the attached VLAN | GC
ip igmp snooping unsolicited-report-interval | Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled) | GC
ip igmp snooping version | Configures the IGMP version for snooping | GC
ip igmp snooping version-exclusive | Discards received IGMP messages which use a version different to that currently configured | GC
ip igmp snooping vlan general-query-suppression | Suppresses general queries except for ports attached to downstream multicast hosts | GC
ip igmp snooping vlan immediate-leave | Immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN | GC
ip igmp snooping vlan last-memb-query-count | Configures the number of IGMP proxy query messages that are sent out before the system assumes there are no local members | GC
ip igmp snooping vlan last-memb-query-intvl | Configures the last-member-query interval | GC
ip igmp snooping vlan mrd | Sends multicast router solicitation messages | GC
ip igmp snooping vlan proxy-address | Configures a static address for proxy IGMP query and reporting | GC
ip igmp snooping vlan proxy-reporting | Enables IGMP Snooping with Proxy Reporting | GC
ip igmp snooping vlan query-interval | Configures the interval between sending IGMP proxy general queries | GC
ip igmp snooping vlan query-resp-intvl | Configures the maximum time the system waits for a response to proxy general queries | GC
ip igmp snooping vlan static | Adds an interface as a member of a multicast group | GC
ip igmp snooping vlan version | Configures the IGMP version for snooping | GC
ip igmp snooping vlan version-exclusive | Discards received IGMP messages which use a version different to that currently configured | GC
show ip igmp snooping | Shows the IGMP snooping, proxy, and query configuration | PE
show ip igmp snooping group | Shows known multicast group, source, and host port mapping | PE
show ip igmp snooping mrouter | Shows multicast router ports | PE
– 460 –
Chapter 20 | Multicast Filtering Commands
IGMP Snooping
ip igmp snooping
This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it.
Syntax
[ no ] ip igmp snooping [ vlan vlan-id ]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When IGMP snooping is enabled globally, the per VLAN interface settings for IGMP snooping take precedence.
◆ When IGMP snooping is disabled globally, snooping can still be configured per VLAN interface, but the interface settings will not take effect until snooping is re-enabled globally.
Example
The following example enables IGMP snooping globally.
Console(config)#ip igmp snooping
Console(config)#
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting { enable | disable }
no ip igmp snooping [ vlan vlan-id ] proxy-reporting
vlan-id - VLAN ID (Range: 1-4093)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Default Setting
Global: Disabled
VLAN: Based on global setting
Command Mode
Global Configuration
Command Usage
◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
◆ If the IGMP proxy reporting is configured on a VLAN, this setting takes precedence over the global configuration.
Example
Console(config)#ip igmp snooping proxy-reporting
Console(config)#
ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it.
Syntax
[ no ] ip igmp snooping querier
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#
ip igmp snooping router-alert-option-check
This command discards any IGMPv2/v3 packets that do not include the Router Alert option. Use the no form to ignore the Router Alert option when receiving IGMP messages.
Syntax
[ no ] ip igmp snooping router-alert-option-check
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
As described in Section 9.1 of RFC 3376 (IGMP Version 3), the Router Alert option can be used to protect against DoS attacks. One common method of attack is launched by an intruder who takes over the role of querier and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with the Maximum Response Time set to a large value.
To protect against this kind of attack, (1) routers should not forward queries; this is easier to accomplish if the query carries the Router Alert option. (2) Also, when the switch is acting in the role of a multicast host (such as when proxy reporting is enabled), it should ignore version 2 or 3 queries that do not contain the Router Alert option.
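The check this command performs can be expressed over raw IPv4 frames, and the Python below does so as an added example written for this page; it is not the switch's code and not from the guide. It parses the IPv4 header, walks the option list for the Router Alert option (type 148, length 4, value 0, as specified in RFC 2113), classifies the IGMP message version using the rules in section 7.1 of RFC 3376, and discards IGMPv2 and IGMPv3 messages that lack the option while leaving IGMPv1 alone, since IGMPv1 predates the option. The packet builders and the frames returned by sample_packets() are constructed for the example; treating malformed or unknown IGMP messages as "discard" is this example's own choice, not something the guide states.

```python
# Added example (not from the CLI Reference Guide): the decision made by
# ip igmp snooping router-alert-option-check, over raw IPv4 frames.
# IGMPv2/v3 messages without the Router Alert option (RFC 2113) are discarded;
# IGMPv1 is exempt. sample_packets() builds constructed test frames.
import ipaddress
import struct
from typing import Dict, Optional, Tuple

IPPROTO_IGMP = 2
IPPROTO_UDP = 17
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])  # type 148, length 4, value 0 (RFC 2113)


def internet_checksum(data: bytes) -> int:
    """One's-complement checksum used by both the IPv4 header and IGMP messages (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, max_resp: int, group: str, extra: bytes = b"") -> bytes:
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed) + extra
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def build_ipv4(payload: bytes, src: str, dst: str, proto: int, options: bytes = b"") -> bytes:
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 1, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Tuple[int, bytes, bytes]:
    """Return (protocol, options, payload) after validating length, version, IHL and checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if internet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return pkt[9], pkt[20:ihl], pkt[ihl:]


def has_router_alert(options: bytes) -> bool:
    """Walk the option list; a truncated or malformed list counts as 'no Router Alert'."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            return False
        if kind == 1:          # No Operation (padding)
            i += 1
            continue
        if i + 1 >= len(options):
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False
        if kind == 0x94 and length == 4 and options[i + 2:i + 4] == b"\x00\x00":
            return True
        i += length
    return False


def igmp_version(igmp: bytes) -> Optional[int]:
    """Classify an IGMP message per RFC 3376 section 7.1; None for unknown or truncated messages."""
    if len(igmp) < 8:
        return None
    if igmp[0] == 0x11:                  # Membership Query
        if len(igmp) >= 12:
            return 3                     # v3 queries carry QRV/QQIC/source list
        return 1 if igmp[1] == 0 else 2  # v1 queries have Max Resp Code 0
    return {0x12: 1, 0x16: 2, 0x17: 2, 0x22: 3}.get(igmp[0])


def router_alert_check(pkt: bytes) -> str:
    """'accept', 'discard' or 'not-igmp', applying the command's rule to v2/v3 messages."""
    proto, options, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IGMP:
        return "not-igmp"
    version = igmp_version(payload)
    if version is None:
        return "discard"  # example's choice: unknown or truncated IGMP is not processed
    if version == 1:
        return "accept"
    return "accept" if has_router_alert(options) else "discard"


def sample_packets() -> Dict[str, bytes]:
    """Constructed sample frames (not captured traffic) covering each branch of the check."""
    v3_query = build_igmp(0x11, 100, "0.0.0.0", b"\x02\x7d\x00\x00")  # S=0, QRV=2, QQIC=125, 0 sources
    return {
        "v3_query_ra": build_ipv4(v3_query, "10.0.0.1", "224.0.0.1", IPPROTO_IGMP, ROUTER_ALERT),
        "v2_query_no_ra": build_ipv4(build_igmp(0x11, 100, "0.0.0.0"), "10.0.0.1", "224.0.0.1", IPPROTO_IGMP),
        "v1_query_no_ra": build_ipv4(build_igmp(0x11, 0, "0.0.0.0"), "10.0.0.1", "224.0.0.1", IPPROTO_IGMP),
        "v3_report_no_ra": build_ipv4(build_igmp(0x22, 0, "0.0.0.0"), "10.0.0.7", "224.0.0.22", IPPROTO_IGMP),
        "v2_leave_nop_ra": build_ipv4(build_igmp(0x17, 0, "239.1.1.1"), "10.0.0.7", "224.0.0.2",
                                      IPPROTO_IGMP, b"\x01" + ROUTER_ALERT + b"\x00\x00\x00"),
        "udp": build_ipv4(b"\x00\x35\x00\x35\x00\x08\x00\x00", "10.0.0.7", "10.0.0.1", IPPROTO_UDP),
    }
```

The option walker deliberately tolerates NOP padding before the Router Alert option and refuses truncated option lists, since an attacker who can forge queries can also forge oddly padded headers; the header checksum check in parse_ipv4 drops frames that would not have survived a real forwarding path anyway.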
Example
Console(config)#ip igmp snooping router-alert-option-check
Console(config)#
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired. (Range: 1-65535; Recommended Range: 300-500)
Default Setting
300 seconds
Command Mode
Global Configuration
Example
The following shows how to configure the time out to 400 seconds:
Console(config)#ip igmp snooping router-port-expire-time 400
Console(config)#
ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
Syntax
[ no ] ip igmp snooping tcn-flood
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date. For example, a host linked to one port before the topology change (TC) may be moved to another port after the change. To ensure that multicast data is delivered to all receivers, by default, a switch in a VLAN (with IGMP snooping enabled) that receives a Bridge Protocol Data Unit (BPDU) with the TC bit set (by the root bridge) will enter into “multicast flooding mode” for a period of time until the topology has stabilized and the new locations of all multicast receivers are learned.
◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a time out mechanism is used to delete all of the currently learned multicast channels.
◆ When a new uplink port starts up, the switch sends unsolicited reports for all current learned channels out through the new uplink port.
◆ By default, the switch immediately enters into “multicast flooding mode” when a spanning tree topology change occurs. In this mode, multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive loading on the link between the switch and the end host. Flooding may be disabled to avoid this, causing multicast traffic to be delivered only to those ports on which multicast group members have been learned.
◆ When the spanning tree topology changes, the root bridge sends a proxy query to quickly re-learn the host membership/port relations for multicast channels. The root bridge also sends an unsolicited Multicast Router Discovery (MRD) request to quickly locate the multicast routers in this VLAN. The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets.
Example
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#
ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
Syntax
[ no ] ip igmp snooping tcn-query-solicit
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ When the root bridge in a spanning tree receives a topology change notification for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it also immediately issues an IGMP general query.
◆ The ip igmp snooping tcn-query-solicit command can be used to send a query solicitation whenever the switch notices a topology change, even if it is not the root bridge in the spanning tree.
Example
The following example instructs the switch to issue an IGMP query solicitation whenever it receives a spanning tree topology change notification.
Console(config)#ip igmp snooping tcn-query-solicit
Console(config)#
ip igmp snooping unregistered-data-flood
This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic.
Syntax
[ no ] ip igmp snooping unregistered-data-flood
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped; otherwise it is flooded throughout the VLAN.
Example
Console(config)#ip igmp snooping unregistered-data-flood
Console(config)#
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports. (Range: 1-65535 seconds)
Default Setting
400 seconds
Command Mode
Global Configuration
Command Usage
◆ When a new upstream interface (that is, uplink port) starts up, the switch sends unsolicited reports for all currently learned multicast channels out through the new upstream interface.
◆ This command only applies when proxy reporting is enabled (see page 461 ).
Example
Console(config)#ip igmp snooping unsolicited-report-interval 5
Console(config)#
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
Syntax
ip igmp snooping [ vlan vlan-id ] version { 1 | 2 | 3 }
no ip igmp snooping version
vlan-id - VLAN ID (Range: 1-4093)
1 - IGMP Version 1
2 - IGMP Version 2
3 - IGMP Version 3
Default Setting
Global: IGMP Version 2
VLAN: Not configured, based on global setting
Command Mode
Global Configuration
Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
Example
The following configures the global setting for IGMP snooping to version 1.
Console(config)#ip igmp snooping version 1
Console(config)#
ip igmp snooping version-exclusive
This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp snooping version command. Use the no form to disable this feature.
Syntax
ip igmp snooping [ vlan vlan-id ] version-exclusive
no ip igmp snooping version-exclusive
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Global: Disabled
VLAN: Disabled
Command Mode
Global Configuration
Command Usage
◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
◆ When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).
Example
Console(config)#ip igmp snooping version-exclusive
Console(config)#
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
Syntax
[ no ] ip igmp snooping vlan vlan-id general-query-suppression
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received.
◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
Example
Console(config)#ip igmp snooping vlan 1 general-query-suppression
Console(config)#
ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
Syntax
[ no ] ip igmp snooping vlan vlan-id immediate-leave
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period. (The timeout for this release is currently defined by Last Member Query Interval (fixed at one second) * Robustness Variable (fixed at 2), as defined in RFC 2236.)
◆ If immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate-leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
◆ This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used.
Example
The following shows how to enable immediate leave.
Console(config)#ip igmp snooping vlan 1 immediate-leave
Console(config)#
ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id last-memb-query-count count
no ip igmp snooping vlan vlan-id last-memb-query-count
vlan-id - VLAN ID (Range: 1-4093)
count - The number of proxy group-specific or group-and-source-specific query messages to issue before assuming that there are no more group members. (Range: 1-255)
Default Setting
2
Command Mode
Global Configuration
Command Usage
This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled ( page 461 ).
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#
ip igmp snooping vlan last-memb-query-intvl
This command configures the last-member-query interval. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id last-memb-query-intvl interval
no ip igmp snooping vlan vlan-id last-memb-query-intvl
vlan-id - VLAN ID (Range: 1-4093)
interval - The interval to wait for a response to a group-specific or group-and-source-specific query message. (Range: 1-31744 tenths of a second)
Default Setting
10 (1 second)
Command Mode
Global Configuration
Command Usage
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific query message, and starts a timer. If no reports are received before the timer expires, the group record is deleted, and a report is sent to the upstream multicast router.
◆ A reduced value will result in reduced time to detect the loss of the last member of a group or source, but may generate more bursty traffic.
◆ This command will take effect only if IGMP snooping proxy reporting is enabled (page 461).
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-intvl 700
Console(config)#
ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.
Syntax
[ no ] ip igmp snooping vlan vlan-id mrd
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers. These messages are used to discover multicast routers on a directly attached link. Solicitation messages are also sent whenever a multicast forwarding interface is initialized or reinitialized. Upon receiving a solicitation on an interface with IP multicast forwarding and MRD enabled, a router will respond with an advertisement.
◆ Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the expiration of a periodic timer, as a part of a router's start up procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message. When the multicast services provided to a VLAN is relatively stable, the use of solicitation messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
Example
This example disables sending of multicast router solicitation messages on VLAN 1.
Console(config)#no ip igmp snooping vlan 1 mrd
Console(config)#
ip igmp snooping vlan proxy-address
This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address.
Syntax
[ no ] ip igmp snooping vlan vlan-id proxy-address source-address
vlan-id - VLAN ID (Range: 1-4093)
source-address - The source address used for proxied IGMP query, report, and leave messages. (Any valid IP unicast address)
Default Setting
0.0.0.0
Command Mode
Global Configuration
Command Usage
IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541. The switch also uses a null address in IGMP reports sent to upstream ports.
Many hosts do not implement RFC 4541, and therefore do not understand query messages with the source address of 0.0.0.0. These hosts will therefore not reply to the queries, causing the multicast router to stop sending traffic to them.
To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command.
Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
When IGMP Proxy Reporting is enabled, the source address is based on the following criteria:
◆ If a proxy query address is configured, the switch will use that address as the source IP address in general and group-specific query messages sent to downstream hosts, and in report and leave messages sent upstream from the multicast router port.
◆ If a proxy query address is not configured, the switch will use the VLAN’s IP address as the IP source address in general and group-specific query messages sent downstream, and use the source address of the last IGMP message received from a downstream host in report and leave messages sent upstream from the multicast router port.
Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#
ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-interval interval
no ip igmp snooping vlan vlan-id query-interval
vlan-id - VLAN ID (Range: 1-4093)
interval - The interval between sending IGMP general queries. (Range: 2-31744 seconds)
Default Setting
125 seconds
Command Mode
Global Configuration
Command Usage
◆ An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
◆ This command applies when the switch is serving as the querier ( page 462 ), or as a proxy host when IGMP snooping proxy reporting is enabled ( page 461 ).
Example
Console(config)#ip igmp snooping vlan 1 query-interval 150
Console(config)#
ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4093)
interval - The maximum time the system waits for a response to general queries. (Range: 10-31740 tenths of a second)
Default Setting
10 (1 second)
Command Mode
Global Configuration
Command Usage
◆ This command applies when the switch is serving as the querier ( page 462 ), or as a proxy host when IGMP snooping proxy reporting is enabled ( page 461 ).
Example
Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20
Console(config)#
ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
Syntax
[ no ] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4093)
ip-address - IP address for multicast group
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Static multicast entries are never aged out.
◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
Example
The following shows how to statically configure a multicast group on a port.
Console(config)#ip igmp snooping vlan 1 static 224.0.0.12 ethernet 1/5
Console(config)#
show ip igmp snooping
This command shows the IGMP snooping, proxy, and query configuration settings.
Command Mode
Privileged Exec
Command Usage
This command displays global and VLAN-specific IGMP configuration settings.
Example
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
IGMP snooping : Disabled
Router port expire time : 300 s
Router alert check : Disabled
Tcn flood : Disabled
Tcn query solicit : Disabled
Unregistered data flood : Disabled
Unsolicited report interval : 400 s
Version exclusive : Disabled
Version : 2
Proxy reporting : Disabled
Querier : Disabled
Vlan 1:
--------
IGMP snooping : Enabled
IGMP snooping running status : Inactive
Version : 2
Version exclusive : Using global status (Disabled)
Immediate leave : Disabled
Last member query interval : 10 (unit: 1/10 s)
Last member query count : 2
General query suppression : Disabled
Query interval : 125
Query response interval : 100 (unit: 1/10 s)
Proxy query address : 0.0.0.0
Proxy reporting : Using global status (Disabled)
Multicast Router Discovery : Enabled
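As an added illustration, not part of this guide and not switch software, the following Python parses the show ip igmp snooping output above into a global section and a per-VLAN section, resolves "Using global status (...)" values to the global setting, and flags two conditions this chapter describes: IGMP snooping enabled on a VLAN while it is disabled globally (the running status stays Inactive), and a proxy query address still at the null value 0.0.0.0, which hosts that do not implement RFC 4541 will not answer. The sample text is the output shown above, embedded as a constructed string; the "key : value" line layout and the "Vlan <id>:" section header are assumptions taken from that sample.

```python
import re

# Constructed sample: the "show ip igmp snooping" output from the guide,
# embedded so the parser runs offline.
SAMPLE_OUTPUT = """\
Console#show ip igmp snooping
IGMP snooping : Disabled
Router port expire time : 300 s
Router alert check : Disabled
Tcn flood : Disabled
Tcn query solicit : Disabled
Unregistered data flood : Disabled
Unsolicited report interval : 400 s
Version exclusive : Disabled
Version : 2
Proxy reporting : Disabled
Querier : Disabled
Vlan 1:
--------
IGMP snooping : Enabled
IGMP snooping running status : Inactive
Version : 2
Version exclusive : Using global status (Disabled)
Immediate leave : Disabled
Last member query interval : 10 (unit: 1/10 s)
Last member query count : 2
General query suppression : Disabled
Query interval : 125
Query response interval : 100 (unit: 1/10 s)
Proxy query address : 0.0.0.0
Proxy reporting : Using global status (Disabled)
Multicast Router Discovery : Enabled
"""

# Assumed section header format, as seen in the sample ("Vlan 1:").
VLAN_HEADER = re.compile(r"^Vlan\s+(\d+):$")


def parse_igmp_snooping(text):
    """Split the output into a global dict and one dict per VLAN id."""
    result = {"global": {}, "vlans": {}}
    current = result["global"]
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the echoed prompt, blank lines and the "--------" rule.
        if not line or line.startswith("Console") or set(line) == {"-"}:
            continue
        m = VLAN_HEADER.match(line)
        if m:
            current = result["vlans"].setdefault(int(m.group(1)), {})
            continue
        if ":" not in line:
            continue
        # Split on the first colon only: values such as "(unit: 1/10 s)" contain one.
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    return result


def effective(vlan_cfg, global_cfg, key):
    """Resolve a per-VLAN 'Using global status (...)' entry to the global value."""
    value = vlan_cfg.get(key, "")
    if value.startswith("Using global status"):
        return global_cfg.get(key, value)
    return value


def audit(parsed):
    """Return a list of findings per VLAN, each grounded in the guide's own notes."""
    findings = {}
    g = parsed["global"]
    for vid, cfg in parsed["vlans"].items():
        notes = []
        if cfg.get("IGMP snooping") == "Enabled" and g.get("IGMP snooping") != "Enabled":
            notes.append("IGMP snooping is enabled on this VLAN but not globally; "
                         "running status stays Inactive until 'ip igmp snooping' is set")
        if cfg.get("Proxy query address") == "0.0.0.0":
            notes.append("locally generated queries and reports carry the null source "
                         "0.0.0.0 (RFC 4541); hosts that ignore it will not reply, so "
                         "consider 'ip igmp snooping vlan %d proxy-address'" % vid)
        findings[vid] = notes
    return findings


if __name__ == "__main__":
    parsed = parse_igmp_snooping(SAMPLE_OUTPUT)
    for vid, notes in audit(parsed).items():
        for note in notes:
            print("VLAN %d: %s" % (vid, note))
```

The same parser works for the output of several VLAN sections, since each "Vlan N:" header simply starts a new dict; only the two checks are specific to this chapter.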
show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
Syntax
show ip igmp snooping group [ vlan vlan-id [ user | igmpsnp ]]
[ user | igmpsnp ]
vlan-id - VLAN ID (1-4093)
user - Display only the user-configured multicast entries.
igmpsnp - Display only entries learned through IGMP snooping.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Bridge Multicast Forwarding Entry Count:0
VLAN Group Source Port List
-------- ---------------- ---------------- ---------------------------------
1 224.1.1.12 * Eth 1/12(S)
1 224.1.1.12 * Eth 1/23(D)
Console#
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [ vlan vlan-id ]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Displays multicast router ports for all configured VLANs.
Command Mode
Privileged Exec
Command Usage
Multicast router port types displayed include Static or Dynamic.
Example
The following shows the ports in VLAN 1 which are attached to multicast routers.
Console#show ip igmp snooping mrouter vlan 1
VLAN M'cast Router Ports Type
---- ------------------- -------
1 Eth 1/11 Static
Console#
Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.
Table 102: Static Multicast Interface Commands
Command                        Function                        Mode
ip igmp snooping vlan mrouter  Adds a multicast router port    GC
show ip igmp snooping mrouter  Shows multicast router ports    PE
ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN. Use the no form to remove the configuration.
Syntax
[ no ] ip igmp snooping vlan vlan-id mrouter interface
vlan-id - VLAN ID (Range: 1-4093)
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-12)
Default Setting
No static multicast router ports are configured.
Command Mode
Global Configuration
Command Usage
◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
◆ IGMP Snooping must be enabled globally on the switch (using the ip igmp snooping command) before a multicast router port can take effect.
Example
The following shows how to configure port 11 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
Console(config)#
IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example to offer an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
Table 103: IGMP Filtering and Throttling Commands
Command                          Function                                                                  Mode
ip igmp filter                   Enables IGMP filtering and throttling on the switch                       GC
ip igmp profile                  Sets a profile number and enters IGMP filter profile configuration mode   GC
permit, deny                     Sets a profile access mode to permit or deny                              IPC
range                            Specifies one or a range of multicast addresses for a profile             IPC
ip igmp filter                   Assigns an IGMP filter profile to an interface                            IC
ip igmp max-groups               Specifies an IGMP throttling number for an interface                      IC
ip igmp max-groups action        Sets the IGMP throttling action for an interface                          IC
show ip igmp filter              Displays the IGMP filtering status                                        PE
show ip igmp profile             Displays IGMP profiles and settings                                       PE
show ip igmp throttle interface  Displays the IGMP throttling setting for interfaces                       PE
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[ no ] ip igmp filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, IGMP join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the IGMP join report is forwarded as normal. If a requested multicast group is denied, the IGMP join report is dropped.
◆ IGMP filtering and throttling only apply to dynamically learned multicast groups; they do not apply to statically configured groups.
◆ The IGMP filtering feature operates in the same manner when MVR is used to forward multicast traffic.
Example
Console(config)#ip igmp filter
Console(config)#
ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
Syntax
[ no ] ip igmp profile profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#
permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.
Syntax
{ permit | deny }
Default Setting
Deny
Command Mode
IGMP Profile Configuration
Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#
range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
Syntax
[ no ] range low-ip-address [ high-ip-address ]
low-ip-address - A valid IP address of a multicast group or start of a group range.
high-ip-address - A valid IP address for the end of a multicast group range.
Default Setting
None
Command Mode
IGMP Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
[ no ] ip igmp filter profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)
Default Setting
None
Command Mode
Interface Configuration
Command Usage
◆ The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface.
◆ Only one profile can be assigned to an interface.
◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp filter 19
Console(config-if)#
ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.
Syntax
ip igmp max-groups number
no ip igmp max-groups
number - The maximum number of multicast groups an interface can join at the same time. (Range: 1-255)
Default Setting
255
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: deny or replace. If the action is set to deny, any new IGMP join reports are dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
◆ IGMP throttling can also be set on a trunk interface. When ports are configured as trunk members, the trunk uses the throttling settings of the first port member in the trunk.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups 10
Console(config-if)#
ip igmp max-groups action
This command sets the IGMP throttling action for an interface on the switch.
Syntax
ip igmp max-groups action { deny | replace }
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.
Default Setting
Deny
Command Mode
Interface Configuration (Ethernet)
Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions: deny or replace. If the action is set to deny, any new IGMP join reports are dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups action replace
Console(config-if)#
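The following is an added Python model, not code from this guide or from the switch firmware, of how the filtering and throttling commands above combine on one port: a profile's permit/deny access mode and its range entries decide whether a join report is forwarded, and the max-groups limit with its deny/replace action decides what happens once the port is full. It replays profile 19 as the show ip igmp filter output later in this chapter displays it (deny mode, ranges 239.1.1.1 and 239.2.3.1 to 239.2.3.100) on a port throttled to two groups. The class and function names, and the injectable victim chooser that stands in for the switch's random choice so the run is repeatable, are the example's own assumptions; trunk behaviour (first member's settings apply) is not modelled.

```python
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class IgmpProfile:
    """Mirrors 'ip igmp profile N' with its 'permit'/'deny' mode and 'range' lines."""
    number: int
    mode: str = "deny"                     # the guide's default access mode
    ranges: list = field(default_factory=list)   # list of (low, high) as ints

    def add_range(self, low, high=None):
        """'range low [high]': a single address when high is omitted."""
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high)) if high else lo
        if hi < lo:
            raise ValueError("range high must not be below low")
        self.ranges.append((lo, hi))

    def covers(self, group):
        g = int(ipaddress.IPv4Address(group))
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def permits(self, group):
        """permit: joins inside the ranges are processed; deny: only joins outside them."""
        inside = self.covers(group)
        return inside if self.mode == "permit" else not inside


class PortIgmpState:
    """Per-port filter plus throttle state (a constructed model, not switch code)."""

    def __init__(self, profile=None, max_groups=255, action="deny",
                 pick_victim=random.choice):
        self.profile = profile          # at most one profile per interface
        self.max_groups = max_groups    # 'ip igmp max-groups', default 255
        self.action = action            # 'ip igmp max-groups action', default deny
        self.pick_victim = pick_victim  # replace: the switch picks randomly
        self.groups = []                # dynamically learned groups, in join order

    def join(self, group):
        """Process one IGMP join report and report what the switch did with it."""
        # Filtering runs first: a denied group never counts against the throttle.
        if self.profile is not None and not self.profile.permits(group):
            return "dropped: filtered by profile %d" % self.profile.number
        if group in self.groups:
            return "already joined"
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped: throttled (%d groups)" % self.max_groups
            victim = self.pick_victim(self.groups)
            self.groups.remove(victim)
            self.groups.append(group)
            return "replaced %s" % victim
        self.groups.append(group)
        return "joined"


def demo():
    """Profile 19 in deny mode on a port limited to two groups with action replace."""
    profile = IgmpProfile(19)                       # mode defaults to deny
    profile.add_range("239.1.1.1")
    profile.add_range("239.2.3.1", "239.2.3.100")
    # Deterministic victim (oldest group) so the run is repeatable.
    port = PortIgmpState(profile, max_groups=2, action="replace",
                         pick_victim=lambda groups: groups[0])
    joins = ("239.2.3.50", "239.9.9.1", "239.9.9.2", "239.9.9.3")
    return [port.join(g) for g in joins], list(port.groups)


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Note the ordering in join(): the profile check comes before the group count, which matches the guide's statement that filtering and throttling apply only to dynamically learned groups and that a denied join report is simply dropped.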
show ip igmp filter
This command displays the global and interface settings for IGMP filtering.
Syntax
show ip igmp filter [ interface interface ]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip igmp filter
IGMP filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
---------------------------------
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#
show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
Syntax
show ip igmp profile [ profile-number ]
profile-number - An existing IGMP filter profile number. (Range: 1-4294967295)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.
Syntax
show ip igmp throttle interface [ interface ]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays information for all interfaces.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
Status : TRUE
Action : Deny
Max Multicast Groups : 32
Current Multicast Groups : 0
Console#
Multicast VLAN Registration
This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers. This can significantly reduce the processing overhead required to dynamically monitor and establish the distribution tree for a normal multicast VLAN. Also note that MVR maintains the user isolation and data security provided by VLAN segregation by passing only multicast traffic into other VLANs to which the subscribers belong.
Table 104: Multicast VLAN Registration Commands
Command              Function                                                                                                                           Mode
mvr                  Globally enables MVR, statically configures MVR group address(es), or specifies the MVR VLAN identifier                            GC
mvr immediate-leave  Enables immediate leave capability                                                                                                 IC
mvr type             Configures an interface as an MVR receiver or source port                                                                          IC
mvr vlan group       Statically binds a multicast group to a port                                                                                       IC
show mvr             Shows information about the global MVR configuration settings, interfaces attached to the MVR VLAN, or the multicast groups assigned to the MVR VLAN   PE
mvr
This command enables Multicast VLAN Registration (MVR) globally on the switch, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR, the no form with the group keyword to remove a specific address or range of addresses, or the no form with the vlan keyword to restore the default MVR VLAN.
Syntax
[ no ] mvr [ group ip-address [ count ] | vlan vlan-id ]
group - Defines a multicast service sent to all attached subscribers.
ip-address - IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
count - The number of contiguous MVR group addresses. (Range: 1-1024)
vlan - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
vlan-id - MVR VLAN ID (Range: 1-4093)
Default Setting
MVR is disabled.
No MVR group address is defined.
MVR VLAN ID is 1.
Command Mode
Global Configuration
Command Usage
◆ Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, to all receiver ports that have registered to receive data from that multicast group.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
◆ IGMP snooping and MVR share a maximum number of 255 groups. Any multicast streams received in excess of this limitation will be flooded to all ports in the associated VLAN.
◆ MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command, but MVR receiver ports should not be configured as members of this VLAN.
Example
The following example enables MVR globally, and configures a range of MVR group addresses:
Console(config)#mvr
Console(config)#mvr group 228.1.23.1 10
Console(config)#
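As an added example, not taken from the guide or the switch software, the Python below expands an "mvr group ip-address count" entry into the contiguous group addresses it covers, enforcing the 224.0.1.0 to 239.255.255.255 range and the 1-1024 count from the syntax and the reserved 224.0.0.x exclusion from the usage notes, and then checks a planned set of entries against the 255-group limit that IGMP snooping and MVR share, since streams beyond that limit are flooded to every port in the VLAN. The function names and the second sample entry (one that crosses an octet boundary) are the example's own constructions; the first entry is the guide's "mvr group 228.1.23.1 10".

```python
import ipaddress

# Limits stated in the command syntax and usage notes above.
MVR_GROUP_LOW = ipaddress.IPv4Address("224.0.1.0")
MVR_GROUP_HIGH = ipaddress.IPv4Address("239.255.255.255")
RESERVED = ipaddress.IPv4Network("224.0.0.0/24")   # 224.0.0.x may not be used
MAX_COUNT = 1024                                   # 'count' range 1-1024
SHARED_GROUP_LIMIT = 255                           # IGMP snooping and MVR together


def mvr_group_addresses(start, count=1):
    """Expand 'mvr group <start> [count]' into the contiguous addresses it covers,
    raising ValueError for anything the guide says is not allowed."""
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count must be 1-%d, got %d" % (MAX_COUNT, count))
    first = ipaddress.IPv4Address(start)
    if first in RESERVED:
        raise ValueError("%s falls in the reserved 224.0.0.x range" % first)
    # Compute the last address as an int so a large count cannot overflow IPv4.
    last_int = int(first) + count - 1
    if first < MVR_GROUP_LOW or last_int > int(MVR_GROUP_HIGH):
        raise ValueError("MVR groups must lie within %s - %s"
                         % (MVR_GROUP_LOW, MVR_GROUP_HIGH))
    return [str(first + i) for i in range(count)]


def plan_mvr_groups(learned_igmp_groups, entries):
    """Apply several (start, count) entries and report whether they, plus the
    groups IGMP snooping has already learned, stay within the shared limit."""
    groups = set()
    for start, count in entries:
        groups.update(mvr_group_addresses(start, count))
    total = len(groups) + learned_igmp_groups
    return {
        "mvr_groups": sorted(groups, key=ipaddress.IPv4Address),
        "total_groups": total,
        "within_limit": total <= SHARED_GROUP_LIMIT,
    }


if __name__ == "__main__":
    # Constructed sample: the guide's entry plus one crossing an octet boundary,
    # with 240 groups assumed already learned through IGMP snooping.
    plan = plan_mvr_groups(240, [("228.1.23.1", 10), ("225.0.0.250", 10)])
    print(plan["total_groups"], "groups, within limit:", plan["within_limit"])
```

The octet-boundary case matters because "contiguous" is defined on the 32-bit address, so 225.0.0.250 with a count of 10 ends at 225.0.1.3, not at 225.0.0.259.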
mvr immediate-leave
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.
Syntax
[ no ] mvr immediate
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
◆ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to only one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
◆ Immediate leave does not apply to multicast groups which have been statically assigned to a port with the mvr vlan group command.
Example
The following enables immediate leave on a receiver port.
Console(config)#interface ethernet 1/5
Console(config-if)#mvr immediate
Console(config-if)#
mvr type
This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings.
Syntax
[ no ] mvr type { receiver | source }
receiver - Configures the interface as a subscriber port that can receive multicast data.
source - Configures the interface as an uplink port that can send and receive multicast data for the configured multicast groups.
Default Setting
The port type is not defined.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ A port which is not configured as an MVR receiver or source port can use IGMP snooping to join or leave multicast groups using the standard rules for multicast filtering.
◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see the switchport mode command).
◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through the MVR protocol or which have been assigned through the mvr vlan group command.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Example
The following configures one source port and several receiver ports on the switch.
Console(config)#interface ethernet 1/5
Console(config-if)#mvr type source
Console(config-if)#exit
Console(config)#interface ethernet 1/6
Console(config-if)#mvr type receiver
Console(config-if)#exit
Console(config)#interface ethernet 1/7
Console(config-if)#mvr type receiver
Console(config-if)#
mvr vlan group
This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
Syntax
[ no ] mvr vlan vlan-id group ip-address
vlan-id - Receiver VLAN to which the specified multicast traffic is flooded. (Range: 1-4093)
group - Defines a multicast service sent to the selected port.
ip-address - Statically configures an interface to receive multicast traffic from the IP address specified for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Default Setting
No receiver port is a member of any configured multicast group.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Multicast groups can be statically assigned to a receiver port using this command.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Example
The following statically assigns a multicast group to a receiver port:
Console(config)#interface ethernet 1/7
Console(config-if)#mvr type receiver
Console(config-if)#mvr vlan 3 group 225.0.0.5
Console(config-if)#
show mvr
This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
Syntax
show mvr [ interface [ interface ] | members [ ip-address ]]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-12)
ip-address - IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Default Setting
Displays global configuration settings for MVR when no keywords are used.
Command Mode
Privileged Exec
Command Usage
Enter this command without any keywords to display the global settings for MVR.
Use the interface keyword to display information about interfaces attached to the MVR VLAN, or the members keyword to display information about multicast groups assigned to the MVR VLAN.
Example
The following shows the global MVR settings:
Console#show mvr
MVR Config Status : Enabled
MVR Running Status : Active
MVR Multicast VLAN : 1
MVR Group Address : 225.0.0.5
MVR Group Count : 10
Console#
Table 105: show mvr - display description
Field               Description
MVR Config Status   Shows if MVR is globally enabled on the switch.
MVR Running Status  Indicates whether or not all necessary conditions in the MVR environment are satisfied. (Running status is true as long as MVR Status is enabled, and the specified MVR VLAN exists.)
MVR Multicast VLAN  Shows the VLAN used to transport all MVR multicast traffic.
MVR Group Address   A multicast service sent to all attached subscribers
MVR Group Count     The number of contiguous MVR group addresses.
The following displays information about the interfaces attached to the MVR VLAN:
Console#show mvr interface
Port Type Status Immediate Static Group Address
-------- -------- ------------- --------- --------------------
Eth1/ 2 Source Active/Up
Eth1/ 3 Source Inactive/Down
Eth1/ 1 Receiver Active/Up Disabled 225.0.0.1(VLAN1)
225.0.0.9(VLAN3)
Eth1/ 4 Receiver Active/Down Disabled
Console#
Table 106: show mvr interface - display description
Field                 Description
Port                  Shows interfaces attached to the MVR.
Type                  Shows the MVR port type.
Status                Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
Immediate Leave       Shows if immediate leave is enabled or disabled.
Static Group Address  Shows any static MVR group assigned to an interface, and the receiver VLAN.
The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
Console#show mvr members
MVR Forwarding Entry Count:1
Group Address Source Address VLAN Forwarding Port
------------- -------------- ---- --------------
225.0.0.9 * 2 Eth1/ 1(VLAN3) Eth1/ 2(VLAN2)
Console#
Table 107: show mvr members - display description
Field                       Description
MVR Forwarding Entry Count  The number of multicast services currently being forwarded from the MVR VLAN.
Group Address               Multicast groups assigned to the MVR VLAN.
Source Address              Indicates the source address of the multicast service, or displays an asterisk if the group address has been statically assigned.
VLAN                        Indicates the MVR VLAN receiving the multicast service.
Forwarding Port             Shows the interfaces with subscribers for multicast services provided through the MVR VLAN. Also shows the VLAN through which the service is received. Note that this may be different from the MVR VLAN if the group address has been statically assigned.
21 LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device.
Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. LLDP also defines how to store and maintain information gathered about the neighboring network nodes it discovers.
Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details. LLDP and LLDP-MED information can be used by SNMP applications to simplify troubleshooting, enhance network management, and maintain an accurate network topology.
Table 108: LLDP Commands
Command | Function | Mode
lldp | Enables LLDP globally on the switch | GC
lldp holdtime-multiplier | Configures the time-to-live (TTL) value sent in LLDP advertisements | GC
lldp med-fast-start-count | Configures how many medFastStart packets are transmitted | GC
lldp notification-interval | Configures the allowed interval for sending SNMP notifications about LLDP changes | GC
lldp refresh-interval | Configures the periodic transmit interval for LLDP advertisements | GC
lldp reinit-delay | Configures the delay before attempting to reinitialize after LLDP ports are disabled or the link goes down | GC
lldp tx-delay | Configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables | GC
lldp admin-status | Enables LLDP transmit, receive, or transmit and receive mode on the specified port | IC
lldp basic-tlv management-ip-address | Configures an LLDP-enabled port to advertise the management address for this device | IC
lldp basic-tlv port-description | Configures an LLDP-enabled port to advertise its port description | IC
lldp basic-tlv system-capabilities | Configures an LLDP-enabled port to advertise its system capabilities | IC
lldp basic-tlv system-description | Configures an LLDP-enabled port to advertise the system description | IC
lldp basic-tlv system-name | Configures an LLDP-enabled port to advertise its system name | IC
lldp dot1-tlv proto-ident * | Configures an LLDP-enabled port to advertise the supported protocols | IC
lldp dot1-tlv proto-vid * | Configures an LLDP-enabled port to advertise port related VLAN information | IC
lldp dot1-tlv pvid * | Configures an LLDP-enabled port to advertise its default VLAN ID | IC
lldp dot1-tlv vlan-name * | Configures an LLDP-enabled port to advertise its VLAN name | IC
lldp dot3-tlv link-agg | Configures an LLDP-enabled port to advertise its link aggregation capabilities | IC
lldp dot3-tlv max-frame | Configures an LLDP-enabled port to advertise its maximum frame size | IC
lldp dot3-tlv poe | Configures an LLDP-enabled port to advertise its Power-over-Ethernet capabilities | IC
lldp med-location civic-addr | Configures an LLDP-MED-enabled port to advertise its location identification details | IC
lldp med-notification | Enables the transmission of SNMP trap notifications about LLDP-MED changes | IC
lldp med-tlv ext-poe | Configures an LLDP-MED-enabled port to advertise its extended Power over Ethernet configuration and usage information | IC
lldp med-tlv inventory | Configures an LLDP-MED-enabled port to advertise its inventory identification details | IC
lldp med-tlv location | Configures an LLDP-MED-enabled port to advertise its location identification details | IC
lldp med-tlv med-cap | Configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities | IC
lldp med-tlv network-policy | Configures an LLDP-MED-enabled port to advertise its network policy configuration | IC
lldp notification | Enables the transmission of SNMP trap notifications about LLDP changes | IC
show lldp config | Shows LLDP configuration settings for all ports | PE
show lldp info local-device | Shows LLDP global and interface-specific configuration settings for this device | PE
show lldp info remote-device | Shows LLDP global and interface-specific configuration settings for remote devices | PE
show lldp info statistics | Shows statistical counters for all LLDP-enabled interfaces | PE
* Vendor-specific options may or may not be advertised by neighboring devices.
lldp
This command enables LLDP globally on the switch. Use the no form to disable
LLDP.
Syntax
[ no ] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#
lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements.
Use the no form to restore the default setting.
Syntax
lldp holdtime-multiplier value
no lldp holdtime-multiplier
value - Holdtime multiplier used to calculate the TTL in seconds: TTL = minimum of (Transmission Interval * Holdtime Multiplier) and 65536. (Range: 2 - 10)
Default Setting
Holdtime multiplier: 4
TTL: 4*30 = 120 seconds
Command Mode
Global Configuration
Command Usage
The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Syntax
lldp med-fast-start-count packets
no lldp med-fast-start-count
packets - Number of packets. (Range: 1-10 packets; Default: 4 packets)
Default Setting
4 packets
Command Mode
Global Configuration
Command Usage
This parameter is part of the timer which ensures that the LLDP-MED Fast Start mechanism is active for the port. LLDP-MED Fast Start is critical to the timely startup of LLDP, and therefore integral to the rapid availability of Emergency Call Service.
Example
Console(config)#lldp med-fast-start-count 6
Console(config)#
lldp notification-interval
This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes. Use the no form to restore the default setting.
Syntax
lldp notification-interval seconds
no lldp notification-interval
seconds - Specifies the periodic interval at which SNMP notifications are sent. (Range: 5 - 3600 seconds)
Default Setting
5 seconds
Command Mode
Global Configuration
Command Usage
◆ This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#lldp notification-interval 30
Console(config)#
lldp refresh-interval
This command configures the periodic transmit interval for LLDP advertisements.
Use the no form to restore the default setting.
Syntax
lldp refresh-interval seconds
no lldp refresh-interval
seconds - Specifies the periodic interval at which LLDP advertisements are sent. (Range: 5 - 32768 seconds)
Default Setting
30 seconds
Command Mode
Global Configuration
Example
Console(config)#lldp refresh-interval 60
Console(config)#
lldp reinit-delay
This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.
Syntax
lldp reinit-delay seconds
no lldp reinit-delay
seconds - Specifies the delay before attempting to re-initialize LLDP. (Range: 1 - 10 seconds)
Default Setting
2 seconds
Command Mode
Global Configuration
Command Usage
When LLDP is re-initialized on a port, all information in the remote system's LLDP MIB associated with this port is deleted.
Example
Console(config)#lldp reinit-delay 10
Console(config)#
lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
Syntax
lldp tx-delay seconds
no lldp tx-delay
seconds - Specifies the transmit delay. (Range: 1 - 8192 seconds)
Default Setting
2 seconds
Command Mode
Global Configuration
Command Usage
◆ The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
◆ This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
Example
Console(config)#lldp tx-delay 10
Console(config)#
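The timer rules stated in this chapter (TTL = refresh-interval * holdtime-multiplier capped at 65536, and 4 * tx-delay ≤ refresh-interval) as a pre-change check, added here as an example rather than code from the switch vendor. It validates a proposed set of global timers against the documented ranges, computes the TTL that neighbors will use to age this switch out, and renders the global-configuration lines for non-default values; tx-delay 10 against the default refresh-interval of 30 is one of the combinations it rejects.

```python
# Added example (not vendor code): checks a set of global LLDP timers against
# the ranges and rules given in this chapter and computes the advertised TTL.

# Documented (min, max, default) for each global LLDP timer.
TIMERS = {
    "holdtime_multiplier":   (2, 10, 4),
    "refresh_interval":      (5, 32768, 30),
    "tx_delay":              (1, 8192, 2),
    "reinit_delay":          (1, 10, 2),
    "notification_interval": (5, 3600, 5),
    "med_fast_start_count":  (1, 10, 4),
}
TTL_CAP = 65536  # cap stated under lldp holdtime-multiplier

# Setting name -> global-configuration command that sets it.
CLI_KEYWORD = {
    "holdtime_multiplier": "lldp holdtime-multiplier",
    "refresh_interval": "lldp refresh-interval",
    "tx_delay": "lldp tx-delay",
    "reinit_delay": "lldp reinit-delay",
    "notification_interval": "lldp notification-interval",
    "med_fast_start_count": "lldp med-fast-start-count",
}


def lldp_ttl(refresh_interval, holdtime_multiplier):
    """TTL in seconds = min(refresh-interval * holdtime-multiplier, 65536)."""
    return min(refresh_interval * holdtime_multiplier, TTL_CAP)


def validate_lldp_timers(**overrides):
    """Apply overrides to the defaults; return the effective settings, the TTL
    neighbors will use to age this switch out, and any rule violations."""
    unknown = set(overrides) - set(TIMERS)
    if unknown:
        raise ValueError(f"unknown LLDP timer(s): {sorted(unknown)}")
    cfg = {name: overrides.get(name, default)
           for name, (_, _, default) in TIMERS.items()}
    problems = []
    for name, (lo, hi, _) in TIMERS.items():
        if not lo <= cfg[name] <= hi:
            problems.append(f"{name}={cfg[name]} is outside the range {lo}-{hi}")
    # Rule from the lldp tx-delay command: (4 * tx-delay) <= refresh-interval.
    if 4 * cfg["tx_delay"] > cfg["refresh_interval"]:
        problems.append(f"4 * tx_delay ({4 * cfg['tx_delay']}) exceeds "
                        f"refresh_interval ({cfg['refresh_interval']})")
    return {"settings": cfg,
            "ttl": lldp_ttl(cfg["refresh_interval"], cfg["holdtime_multiplier"]),
            "problems": problems}


def render_cli(settings):
    """Global-configuration lines for every timer that differs from its default."""
    return [f"{CLI_KEYWORD[name]} {settings[name]}"
            for name, (_, _, default) in TIMERS.items()
            if settings[name] != default]
```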
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status { rx-only | tx-only | tx-rx }
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
Default Setting
tx-rx
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp admin-status rx-only
Console(config-if)#
lldp basic-tlv management-ip-address
This command configures an LLDP-enabled port to advertise the management address for this device. Use the no form to disable this feature.
Syntax
[ no ] lldp basic-tlv management-ip-address
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
◆ The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address.
The interface number and OID are included to assist SNMP applications to perform network discovery by indicating enterprise specific or other starting points for the search, such as the Interface or Entity MIB.
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv management-ip-address
Console(config-if)#
lldp basic-tlv port-description
This command configures an LLDP-enabled port to advertise its port description.
Use the no form to disable this feature.
Syntax
[ no ] lldp basic-tlv port-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port description is taken from the ifDescr object in RFC 2863, which includes information about the manufacturer, the product name, and the version of the interface hardware/software.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv port-description
Console(config-if)#
lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
Syntax
[ no ] lldp basic-tlv system-capabilities
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-capabilities
Console(config-if)#
lldp basic-tlv system-description
This command configures an LLDP-enabled port to advertise the system description. Use the no form to disable this feature.
Syntax
[ no ] lldp basic-tlv system-description
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system description is taken from the sysDescr object in RFC 3418, which includes the full name and version identification of the system's hardware type, software operating system, and networking software.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-description
Console(config-if)#
lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
Syntax
[ no ] lldp basic-tlv system-name
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#
lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
Syntax
[ no ] lldp dot1-tlv proto-ident
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the protocols that are accessible through this interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-ident
Console(config-if)#
lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.
Syntax
[ no ] lldp dot1-tlv proto-vid
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the port-based protocol VLANs configured on this interface
(see “Configuring Protocol-based VLANs” on page 413 ).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-vid
Console(config-if)#
lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID.
Use the no form to disable this feature.
Syntax
[ no ] lldp dot1-tlv pvid
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The port’s default VLAN identifier (PVID) indicates the VLAN with which untagged or priority-tagged frames are associated (see the switchport native vlan command).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv pvid
Console(config-if)#
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
Syntax
[ no ] lldp dot1-tlv vlan-name
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 403 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 415 .
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv vlan-name
Console(config-if)#
lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Syntax
[ no ] lldp dot3-tlv link-agg
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises link aggregation capabilities, aggregation status of the link, and the 802.3 aggregated port identifier if this interface is currently a link aggregation member.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv link-agg
Console(config-if)#
lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Syntax
[ no ] lldp dot3-tlv max-frame
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Refer to “Frame Size” on page 89 for information on configuring the maximum frame size for this switch.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv max-frame
Console(config-if)#
lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
Syntax
[ no ] lldp dot3-tlv poe
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot3-tlv poe
Console(config-if)#
lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
Syntax
lldp med-location civic-addr [[ country country-code ] | [ what device-type ] | [ ca-type ca-value ]]
no lldp med-location civic-addr [[ country ] | [ what ] | [ ca-type ]]
country-code – The two-letter ISO 3166 country code in capital ASCII letters. (Example: DK, DE or US)
device-type – The type of device to which the location applies.
0 – Location of DHCP server.
1 – Location of network element closest to client.
2 – Location of client.
ca-type – A one-octet descriptor of the data civic address value. (Range: 0-255)
ca-value – Description of a location. (Range: 1-32 characters)
Default Setting
Not advertised
No description
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Use this command without any keywords to advertise location identification details.
◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776. The following table describes some of the CA type numbers and provides examples.
Table 109: LLDP MED Location CA Types
CA Type | Description | CA Value Example
1 | National subdivisions (state, canton, province) | California
2 | County, parish | Orange
3 | City, township | Irvine
4 | City division, borough, city district | West Irvine
5 | Neighborhood, block | Riverside
6 | Group of streets below the neighborhood level | Exchange
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
◆ For the location options defined for device-type , normally option 2 is used to specify the location of the client device. In situations where the client device location is not known, 0 and 1 can be used, providing the client device is physically close to the DHCP server or network element.
Example
The following example enables advertising location identification details.
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-location civic-addr
Console(config-if)#lldp med-location civic-addr 1 California
Console(config-if)#lldp med-location civic-addr 2 Orange
Console(config-if)#lldp med-location civic-addr 3 Irvine
Console(config-if)#lldp med-location civic-addr 4 West Irvine
Console(config-if)#lldp med-location civic-addr 6 Exchange
Console(config-if)#lldp med-location civic-addr 18 Avenue
Console(config-if)#lldp med-location civic-addr 19 320
Console(config-if)#lldp med-location civic-addr 27 5
Console(config-if)#lldp med-location civic-addr 28 509B
Console(config-if)#lldp med-location civic-addr country US
Console(config-if)#lldp med-location civic-addr what 2
Console(config-if)#
lldp med-notification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
Syntax
[ no ] lldp med-notification
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-notification
Console(config-if)#
lldp med-tlv ext-poe
This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature.
Syntax
[ no ] lldp med-tlv ext-poe
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Note that this device does not support PoE capabilities.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp med-tlv ext-poe
Console(config-if)#
lldp med-tlv inventory
This command configures an LLDP-MED-enabled port to advertise its inventory identification details. Use the no form to disable this feature.
Syntax
[ no ] lldp med-tlv inventory
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises device details useful for inventory management, such as manufacturer, model, software version and other pertinent information.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp med-tlv inventory
Console(config-if)#
lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax
[ no ] lldp med-tlv location
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv location
Console(config-if)#
lldp med-tlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Syntax
[ no ] lldp med-tlv med-cap
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises LLDP-MED TLV capabilities, allowing Media Endpoint and Connectivity Devices to efficiently discover which LLDP-MED related TLVs are supported on the switch.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv med-cap
Console(config-if)#
lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
Syntax
[ no ] lldp med-tlv network-policy
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv network-policy
Console(config-if)#
lldp notification
This command enables the transmission of SNMP trap notifications about LLDP changes. Use the no form to disable LLDP notifications.
Syntax
[ no ] lldp notification
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp notification
Console(config-if)#
show lldp config
This command shows LLDP configuration settings for all ports.
Syntax
show lldp config [ detail interface ]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Example
The following example shows all basic LLDP parameters are enabled on Port 1.
Console#show lldp config
LLDP Global Configuration
LLDP Enabled : Yes
LLDP Transmit Interval : 30 sec.
LLDP Hold Time Multiplier : 4
LLDP Delay Interval : 2 sec.
LLDP Re-initialization Delay : 2 sec.
LLDP Notification Interval : 5 sec.
LLDP MED Fast Start Count : 4
LLDP Port Configuration
Port Admin Status Notification Enabled
-------- ------------ --------------------
Eth 1/1 Tx-Rx True
Eth 1/2 Tx-Rx True
Eth 1/3 Tx-Rx True
Eth 1/4 Tx-Rx True
Eth 1/5 Tx-Rx True
.
.
.
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
Port : Eth 1/1
Admin Status : Tx-Rx
Notification Enabled : True
Basic TLVs Advertised:
port-description
system-name
system-description
system-capabilities
management-ip-address
802.1 specific TLVs Advertised:
*port-vid
*vlan-name
*proto-vlan
*proto-ident
802.3 specific TLVs Advertised:
*poe
*link-agg
*max-frame
MED Configuration:
MED Notification Status : Enabled
MED Enabled TLVs Advertised:
*med-cap
*network-policy
*location
*ext-poe
*inventory
MED Location Identification:
Location Data Format : Civic Address LCI
Civic Address Status : Enabled
Country Name : US
What : 2
CA-Type : 1
CA-Value : Alabama
CA-Type : 2
CA-Value : Tuscaloosa
Console#
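An added example, not the vendor's code, that parses "show lldp config detail" output such as the listing above and reports user-facing ports that transmit LLDP while still advertising the management address or system description, together with the interface-mode no-form commands from this chapter that turn those TLVs off. Which ports count as user-facing is an assumption supplied by the caller; the sample output for Eth 1/2 and Eth 1/3 is constructed.

```python
import re

# Added example (not the vendor's code). Constructed sample modelled on the
# 'show lldp config detail' output in this chapter: Eth 1/1 mirrors the page's
# port 1; Eth 1/2 and Eth 1/3 are made up for the rx-only and clean cases.
SAMPLE_DETAIL = """\
LLDP Port Configuration Detail
Port : Eth 1/1
Admin Status : Tx-Rx
Notification Enabled : True
Basic TLVs Advertised:
port-description
system-name
system-description
system-capabilities
management-ip-address
802.3 specific TLVs Advertised:
*poe
*link-agg
*max-frame
MED Configuration:
MED Notification Status : Enabled
MED Enabled TLVs Advertised:
*med-cap
*network-policy
LLDP Port Configuration Detail
Port : Eth 1/2
Admin Status : Rx-Only
Notification Enabled : False
Basic TLVs Advertised:
system-description
management-ip-address
LLDP Port Configuration Detail
Port : Eth 1/3
Admin Status : Tx-Rx
Notification Enabled : True
Basic TLVs Advertised:
port-description
system-name
"""

# Output section header -> CLI keyword group (lldp basic-tlv, dot1-tlv, ...).
SECTIONS = {
    "Basic TLVs Advertised": "basic-tlv",
    "802.1 specific TLVs Advertised": "dot1-tlv",
    "802.3 specific TLVs Advertised": "dot3-tlv",
    "MED Enabled TLVs Advertised": "med-tlv",
}
SECTION_RE = re.compile(r"^(.*TLVs Advertised):$")

# Basic TLVs that tell any listener how to reach the switch and what it runs
# (sysDescr carries the hardware type and software versions).
SENSITIVE_BASIC_TLVS = {"management-ip-address", "system-description"}


def parse_lldp_config_detail(text):
    """Parse concatenated 'LLDP Port Configuration Detail' blocks into
    {port: {"admin_status": str, "tlvs": {cli_group: set_of_tlv_names}}}."""
    ports, port, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " in line:                      # "Key : Value" line ends any TLV list
            section = None
            key, _, value = (s.strip() for s in line.partition(" : "))
            if key == "Port":
                port = ports.setdefault(value, {"admin_status": None, "tlvs": {}})
            elif key == "Admin Status" and port is not None:
                port["admin_status"] = value.lower()
            continue                           # other fields are not needed here
        m = SECTION_RE.match(line)
        if m and port is not None:             # header that opens a TLV name list
            section = SECTIONS.get(m.group(1), m.group(1))
            port["tlvs"][section] = set()
        elif not line or line.endswith(":") or line.startswith("LLDP Port"):
            section = None                     # blank line or other header closes it
        elif section is not None:
            port["tlvs"][section].add(line.lstrip("*"))  # '*' marker not interpreted
    return ports


def audit_lldp_exposure(ports, user_facing):
    """For each user-facing port that transmits LLDP and advertises a sensitive
    basic TLV, return the port, the TLVs and the CLI lines that turn them off."""
    findings = []
    for name in sorted(user_facing):
        info = ports.get(name)
        if info is None or info["admin_status"] == "rx-only":
            continue                           # not in the output, or never transmits
        exposed = sorted(SENSITIVE_BASIC_TLVS & info["tlvs"].get("basic-tlv", set()))
        if exposed:
            # 'Eth 1/1' -> 'interface ethernet 1/1', then one no-form per TLV
            fix = [f"interface {name.replace('Eth ', 'ethernet ')}"]
            fix += [f"no lldp basic-tlv {tlv}" for tlv in exposed]
            findings.append({"port": name, "tlvs": exposed, "fix": fix})
    return findings
```

Ports left in the default tx-rx mode that need no remediation keep LLDP-MED working for phones; only the two basic TLVs named in SENSITIVE_BASIC_TLVS are turned off.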
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Syntax
show lldp info local-device [ detail interface ]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Example
Console#show lldp info local-device
LLDP Local System Information
Chassis Type : MAC Address
Chassis ID : 00-01-02-03-04-05
System Name :
System Description : EX-3524 Managed POE/POE+ Switch
System Capabilities Support : Bridge
System Capabilities Enabled : Bridge
Management Address : 192.168.0.101 (IPv4)
LLDP Port Information
Port PortID Type PortID Port Description
-------- ---------------- ----------------- --------------------------------
Eth 1/1 MAC Address 00-1A-7E-AC-2B-13 Ethernet Port on unit 1, port 1
Eth 1/2 MAC Address 00-1A-7E-AC-2B-14 Ethernet Port on unit 1, port 2
Eth 1/3 MAC Address 00-1A-7E-AC-2B-15 Ethernet Port on unit 1, port 3
Eth 1/4 MAC Address 00-1A-7E-AC-2B-16 Ethernet Port on unit 1, port 4
.
.
.
Console#show lldp info local-device detail ethernet 1/1
LLDP Port Information Detail
Port : Eth 1/1
Port Type : MAC Address
Port ID : 00-1A-7E-AC-2B-13
Port Description : Ethernet Port on unit 1, port 1
MED Capability : LLDP-MED Capabilities
Network Policy
Location Identification
Extended Power via MDI - PSE
Extended Power via MDI - PD
Inventory
Console#
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Syntax
show lldp info remote-device [ detail interface ]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Example
Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
Console#show lldp info remote-device
LLDP Remote Devices Information
Interface Chassis ID Port ID System Name
--------- ----------------- ----------------- ---------------------
Eth 1/1 00-1A-7E-AC-2B-12 00-1A-7E-AC-2B-13
Console#show lldp info remote-device detail ethernet 1/1
LLDP Remote Devices Information Details
---------------------------------------------------------------
Local Port Name : Eth 1/1
Chassis Type : MAC Address
Chassis ID : 70-72-CF-95-DC-46
Port ID Type : MAC Address
Port ID : 70-72-CF-95-DC-48
System Name :
System Description : EX-3524 Managed POE/POE+ Switch
Port Description : Ethernet Port on unit 1, port 2
System Capabilities Supported : Bridge
System Capabilities Enabled : Bridge
Remote Management Address:
192.168.0.2 (IPv4)
Remote Port VID : 1
Remote Port Protocol VLAN:
VLAN 2 : supported, enabled
Remote VLAN Name :
VLAN-1 : DefaultVlan
VLAN 2 : RARP vlan
Remote Protocol Identity (Hex) :
88-CC
Remote Power via MDI:
Remote power class : PSE
Remote power MDI supported : Yes
Remote power MDI enabled : Yes
Remote power pair controllable : No
Remote power pairs : Spare
Remote power classification : Class 1
Remote Link Aggregation:
Remote link aggregation capable : Yes
Remote link aggregation enable : No
Remote link aggregation port ID : 0
Remote Max Frame Size : 1518
Console#
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [ detail interface ]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec
Example
switch#show lldp info statistics
LLDP Device Statistics
Neighbor Entries List Last Updated : 2450279 seconds
New Neighbor Entries Count : 1
Neighbor Entries Deleted Count : 0
Neighbor Entries Dropped Count : 0
Neighbor Entries Ageout Count : 0
Port NumFramesRecvd NumFramesSent NumFramesDiscarded
-------- -------------- ------------- ------------------
Eth 1/1 0 870 0
Eth 1/2 866 867 0
Eth 1/3 867 868 0
Eth 1/4 0 869 0
Eth 1/5 849 862 0
.
switch#show lldp info statistics detail ethernet 1/1
LLDP Port Statistics Detail
PortName : Eth 1/1
Frames Discarded : 0
Frames Invalid : 0
Frames Received : 12
Frames Sent : 13
TLVs Unrecognized : 0
TLVs Discarded : 0
Neighbor Ageouts : 0
switch#
22
CDP Commands
Cisco Discovery Protocol (CDP) is a proprietary protocol that discovers information about neighboring devices by passing messages across the Data Link Layer. It is used to share information about nearby network equipment. Participating devices send CDP announcements from each connected network interface to the multicast address 01-00-0C-CC-CC-CC. These packets may be received by any networking devices that support CDP. By default, CDP announcements are sent every 60 seconds. Each device that supports CDP stores the information received from other devices in a table that can be viewed using the show cdp neighbors command. This information is refreshed each time an announcement is received, and the holdtime for that entry is reinitialized.
The information contained in CDP announcements may include the CDP version, host name, IP address and port identifier from which the announcement was sent, device type, and other device specific information.
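As an added illustration, not code from this guide, the following Python model shows how the neighbor table described above behaves: each announcement refreshes the entry's hold timer, a neighbor that stops announcing is aged out once its advertised hold time runs out, and a link going down clears the peers learned on that port. The neighbor values are constructed from the show cdp neighbors example later in this chapter.

```python
# Added example, not code from this guide: a model of the CDP neighbor table
# described above. A received announcement stores or refreshes an entry and
# restarts its hold timer; an entry whose hold time elapses is discarded.
from __future__ import annotations
from dataclasses import dataclass

CDP_MULTICAST_ADDRESS = "01-00-0C-CC-CC-CC"  # destination MAC of CDP announcements
DEFAULT_TRANSMIT_INTERVAL = 60               # seconds, switch default
DEFAULT_HOLD_TIME = 180                      # seconds, switch default


@dataclass
class CdpNeighbor:
    interface: str    # local port the announcement arrived on
    version: int
    device_id: str
    hold_time: int    # seconds, as advertised by the neighbor
    capability: str
    platform: str
    port_id: str
    last_seen: float  # time the latest announcement arrived (seconds)

    def remain_time(self, now: float) -> int:
        """Seconds left before this entry is discarded (clamped at 0)."""
        return max(0, int(self.hold_time - (now - self.last_seen)))


class CdpNeighborTable:
    """Neighbor cache keyed by (local interface, device ID)."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], CdpNeighbor] = {}

    def receive(self, now: float, interface: str, version: int, device_id: str,
                hold_time: int, capability: str, platform: str, port_id: str) -> None:
        """Store a new neighbor or refresh an existing one; the hold timer restarts
        on every announcement, so a neighbor that keeps announcing never ages out."""
        self._entries[(interface, device_id)] = CdpNeighbor(
            interface, version, device_id, hold_time, capability, platform, port_id, now)

    def age_out(self, now: float) -> list[str]:
        """Discard entries whose hold time has elapsed; return their device IDs."""
        expired = [key for key, n in self._entries.items() if n.remain_time(now) == 0]
        for key in expired:
            del self._entries[key]
        return [device_id for _, device_id in expired]

    def link_down(self, interface: str) -> None:
        """A port losing link also clears the peer information learned on it."""
        for key in [k for k in self._entries if k[0] == interface]:
            del self._entries[key]

    def neighbors(self, now: float) -> list[dict]:
        """Rows in the shape of 'show cdp neighbors', sorted by local interface."""
        rows = []
        for n in sorted(self._entries.values(), key=lambda n: n.interface):
            rows.append({"interface": n.interface, "version": n.version,
                         "device_id": n.device_id, "hold_time": n.hold_time,
                         "remain_time": n.remain_time(now), "capability": n.capability,
                         "platform": n.platform, "port_id": n.port_id})
        return rows


def demo() -> tuple[list[dict], list[str]]:
    """Constructed scenario using the two neighbors from the show cdp neighbors output."""
    table = CdpNeighborTable()
    table.receive(0, "Eth 1/1", 2, "lab-7206", 160, "R", "7206VXR", "FastEthernet1/0/1")
    table.receive(0, "Eth 1/2", 1, "lab-as530", 150, "T", "AS5300", "FastEthernet1/0/15")
    # lab-7206 keeps announcing every transmit interval; lab-as530 goes silent.
    for now in (DEFAULT_TRANSMIT_INTERVAL, 2 * DEFAULT_TRANSMIT_INTERVAL):
        table.receive(now, "Eth 1/1", 2, "lab-7206", 160, "R", "7206VXR", "FastEthernet1/0/1")
    rows = table.neighbors(now=120)     # lab-7206: 160 s remaining, lab-as530: 30 s
    dropped = table.age_out(now=151)    # lab-as530's 150 s hold time has run out
    return rows, dropped


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```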
Table 110: CDP Commands
Command                 Function                                                                      Mode
cdp                     Enables CDP globally on the switch                                            GC
cdp hold-time           Specifies the amount of time the receiving device should hold a CDP packet    GC
                        sent from this switch
cdp transmit-interval   Specifies the periodic transmission interval for CDP advertisements           GC
cdp version             Specifies the CDP version to use for transmitting advertisements              GC
cdp                     Enables CDP on the selected interface                                         IC
clear cdp table         Clears the CDP neighbor table                                                 PE
show cdp                Shows global CDP configuration settings                                       PE
show cdp interface      Shows whether or not CDP is enabled on an interface                           PE
show cdp neighbors      Shows information about neighbors obtained by monitoring CDP advertisements   PE
cdp
(Global Configuration)
This command enables CDP globally on the switch. Use the no form to disable CDP.
Syntax
[ no ] cdp
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#cdp
Console(config)#
cdp hold-time
This command specifies the amount of time the receiving device should hold a CDP packet sent from this switch. Use the no form to restore the default setting.
Syntax
cdp hold-time seconds
no cdp hold-time
seconds - The hold time sent in CDP update packets. (Range: 10-255 seconds)
Default Setting
180 seconds
Command Mode
Global Configuration
Example
Console(config)#cdp hold-time 100
Console(config)#
cdp transmit-interval
This command specifies the periodic transmission interval for CDP advertisements.
Use the no form to restore the default setting.
Syntax
cdp transmit-interval seconds
no cdp transmit-interval
seconds - The interval at which the switch sends CDP updates. (Range: 5-254 seconds)
Default Setting
60 seconds
Command Mode
Global Configuration
Example
Console(config)#cdp transmit-interval 120
Console(config)#
cdp version
This command specifies the CDP version to use for transmitting advertisements.
Use the no form to restore the default setting.
Syntax
cdp version { 1 | 2 }
no cdp version
1 - CDP version 1.
2 - CDP version 2.
Default Setting
Version 2
Command Mode
Global Configuration
Example
Console(config)#cdp version 1
Console(config)#
cdp
(Interface Configuration)
This command enables CDP on the selected interface. Use the no form to disable
CDP on the selected interface.
Syntax
[ no ] cdp
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#cdp
Console(config-if)#
clear cdp table
This command clears the CDP neighbor table.
Command Mode
Privileged Exec
Command Usage
When a port link goes down, CDP will also clear the peer information for this port.
Example
Console#clear cdp table
Console#
show cdp
This command shows the global CDP configuration settings.
Command Mode
Privileged Exec
Example
Console#show cdp
CDP Global Configuration
Status : Disabled
Transmit Interval : 60 seconds
Hold Time : 180 seconds
Version : 2
Console#
show cdp interface
This command shows whether or not CDP is enabled on an interface.
Syntax
show cdp interface [ interface ]
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show cdp interface
Interface Status
--------- --------
Eth 1/ 1 Disabled
Eth 1/ 2 Disabled
Eth 1/ 3 Disabled
.
show cdp neighbors
This command shows information about neighbors obtained by monitoring CDP advertisements.
Syntax
show cdp neighbors [ detail | interface [ detail ] ]
detail - Shows detailed information about CDP neighbors.
interface
ethernet unit / port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Interface Version Device ID Hold Remain Capability Platform Port ID
Time Time
(sec) (sec)
--------- ------- --------- ----- ------ ---------- -------- ------------------
Eth 1/1 2 lab-7206 160 40 R 7206VXR FastEthernet1/0/1
Eth 1/2 1 lab-as530 150 112 T AS5300 FastEthernet1/0/15
Console#
Table 111: show cdp neighbors - display description
Field              Description
Capability Codes   The capabilities that define the primary function(s) of the system.
Interface          The local port to which a remote CDP-capable device is attached.
Version            The software version running on the neighbor.
Device ID          The name of the neighbor device, its MAC address or the serial number.
Hold Time          The amount of time to hold CDP messages as advertised in CDP updates received from the neighbor.
Remain Time        The amount of time this switch will continue to hold a CDP advertisement before discarding it.
Capability         The device type of the neighbor.
Platform           The product number of the device.
Port ID            The interface type and port number of the neighbor.
This example shows detailed information about CDP neighbors.
Console#show cdp neighbors detail
Interface : Eth 1/1
Version : 2
Device ID : lab-7206
IP Address : 172.19.169.183
Platform : 7206VXR
Capabilities : Router
Port ID : Fas 0/0/0
SW Version : Version 12.1(2)
Hold Time : 160 seconds
Remain Time : 40 seconds
.
23
Domain Name Service Commands
These commands are used to configure Domain Name System (DNS) services.
Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Table 112: DNS Commands
Command            Function                                                                  Mode
ip domain-list     Defines a list of default domain names for incomplete host names          GC
ip domain-lookup   Enables DNS-based host name-to-address translation                        GC
ip domain-name     Defines a default domain name for incomplete host names                   GC
ip host            Creates a static IPv4 host name-to-address mapping                        GC
ip name-server     Specifies the address of one or more name servers to use for host         GC
                   name-to-address translation
ipv6 host          Creates a static IPv6 host name-to-address mapping                        GC
clear dns cache    Clears all entries from the DNS cache                                     PE
clear host         Deletes entries from the host name-to-address table                       PE
show dns           Displays the configuration for DNS services                               PE
show dns cache     Displays entries in the DNS cache                                         PE
show hosts         Displays the static host name-to-address mapping table                    PE
ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[ no ] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Domain names are added to the end of the list one at a time.
◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
◆ If there is no domain list, the domain name specified with the ip domain-name command is used. If there is a domain list, the default domain name is not used.
Example
This example adds two domain names to the current list and then displays the list.
Console(config)#ip domain-list sample.com.jp
Console(config)#ip domain-list sample.com.uk
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS Disabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
Console#
Related Commands ip domain-name (525)
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[ no ] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ At least one name server must be specified before DNS can be enabled.
◆ If all name servers are deleted, DNS will automatically be disabled.
Example
This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS Enabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#
Related Commands ip domain-name (525) ip name-server (526)
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters)
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS Disabled
Default Domain Name:
sample.com
Domain Name List:
Name Server List:
Console#
Related Commands ip domain-list (523) ip name-server (526) ip domain-lookup (524)
ip host
This command creates a static entry in the DNS table that maps a host name to an
IPv4 address. Use the no form to remove an entry.
Syntax
[ no ] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.
Default Setting
No static entries
Command Mode
Global Configuration
Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.
Example
This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts
No. Flag Type IP Address TTL Domain
---- ---- ------- -------------------- ----- ------------------------------
0 2 Address 192.168.1.55 rd5
Console#
ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
Syntax
[ no ] ip name-server server-address1 [ server-address2 … server-address6 ]
server-address1 - IPv4 or IPv6 address of domain-name server.
server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.
Default Setting
None
Command Mode
Global Configuration
Command Usage
The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.
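The following Python model is an added example, not code from this guide, covering both the host name completion described under ip domain-list (domain list applied in entry order, default domain only when the list is empty, dotted names used as given) and the name-server ordering described here. The name servers are constructed in-memory stand-ins so the example runs offline; how a server's silence is treated (skipped, while a negative answer ends the search for that candidate) is an assumption of the model.

```python
# Added example, not code from this guide: a model of the switch's DNS service
# combining ip domain-list / ip domain-name completion of incomplete host names
# with ip name-server sequencing. Servers are constructed stand-ins.
from __future__ import annotations
from dataclasses import dataclass, field


class NameServer:
    """Constructed stand-in for a DNS server holding a few static records."""

    def __init__(self, address: str, records: dict[str, str], reachable: bool = True) -> None:
        self.address = address
        self.records = {name.lower(): ip for name, ip in records.items()}
        self.reachable = reachable

    def query(self, fqdn: str) -> tuple[str, str | None]:
        """("timeout", None) when the server does not respond, ("nxdomain", None)
        when it answers that the name does not exist, or ("ok", address)."""
        if not self.reachable:
            return "timeout", None
        address = self.records.get(fqdn.lower())
        return ("ok", address) if address else ("nxdomain", None)


@dataclass
class DnsConfig:
    domain_lookup: bool = False                                      # ip domain-lookup
    domain_name: str | None = None                                   # ip domain-name
    domain_list: list[str] = field(default_factory=list)             # ip domain-list, in entry order
    name_servers: list[NameServer] = field(default_factory=list)     # ip name-server, in order

    def ip_domain_list(self, name: str) -> None:
        """Domain names are appended to the end of the list one at a time."""
        if name not in self.domain_list:
            self.domain_list.append(name)

    def ip_domain_lookup(self) -> bool:
        """DNS can only be enabled once at least one name server is configured."""
        self.domain_lookup = bool(self.name_servers)
        return self.domain_lookup

    def no_ip_name_server(self, address: str) -> None:
        """Removing the last name server disables DNS automatically."""
        self.name_servers = [s for s in self.name_servers if s.address != address]
        if not self.name_servers:
            self.domain_lookup = False


def candidates(cfg: DnsConfig, host: str) -> list[str]:
    """Fully qualified names to try, in order. A dotted name is used as given;
    otherwise every domain-list entry is appended, and the default domain name
    is used only when the list is empty."""
    if "." in host:
        return [host]
    if cfg.domain_list:
        return [f"{host}.{domain}" for domain in cfg.domain_list]
    if cfg.domain_name:
        return [f"{host}.{cfg.domain_name}"]
    return [host]


def resolve(cfg: DnsConfig, host: str) -> tuple[str, str] | None:
    """Return (fqdn, address) for the first candidate a server answers positively.
    For each candidate the servers are queried in configured order until one
    responds: a server that times out is skipped (assumption), a negative answer
    ends the search for that candidate and the next suffix is tried."""
    if not cfg.domain_lookup:
        return None
    for fqdn in candidates(cfg, host):
        for server in cfg.name_servers:
            status, address = server.query(fqdn)
            if status == "ok":
                return fqdn, address
            if status == "nxdomain":
                break
    return None


def demo() -> DnsConfig:
    """Configuration mirroring the show dns output in this chapter. The first
    server is constructed as unreachable, so the suffix that wins for "rd5"
    depends on which server answers, not only on list order."""
    cfg = DnsConfig(domain_name="sample.com")
    cfg.ip_domain_list("sample.com.jp")
    cfg.ip_domain_list("sample.com.uk")
    cfg.name_servers = [
        NameServer("192.168.1.55", {"rd5.sample.com.jp": "192.168.1.60"}, reachable=False),
        NameServer("10.1.0.55", {"rd5.sample.com.uk": "10.1.0.60",
                                 "www.sample.com": "10.1.0.80"}),
    ]
    cfg.ip_domain_lookup()
    return cfg


if __name__ == "__main__":
    print(resolve(demo(), "rd5"))
```

Because every listed suffix is tried for a short name, the domain list should contain only domains under the administrator's control.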
Example
This example adds two domain-name servers to the list and then displays the list.
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#end
Console#show dns
Domain Lookup Status:
DNS disabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#
Related Commands ip domain-name (525) ip domain-lookup (524)
ipv6 host
This command creates a static entry in the DNS table that maps a host name to an
IPv6 address. Use the no form to remove an entry.
Syntax
[ no ] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-100 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Default Setting
No static entries
Command Mode
Global Configuration
Example
This example maps an IPv6 address to a host name.
Console(config)#ipv6 host rd6 2001:0db8:1::12
Console(config)#end
Console#show hosts
No. Flag Type IP Address TTL Domain
---- ---- ------- -------------------- ----- -------------------------------
0 2 Address 192.168.1.55 rd5
1 2 Address 2001:DB8:1::12 rd6
Console#
clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#clear dns cache
Console#show dns cache
No. Flag Type IP Address TTL Domain
------- ------- ------- --------------- ------- --------
Console#
clear host
This command deletes dynamic entries from the DNS table.
Syntax
clear host { name | * }
name - Name of the host. (Range: 1-100 characters)
* - Removes all entries.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.
Example
This example clears all dynamic entries from the DNS table.
Console#clear host *
Console#
show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
DNS enabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#
show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
No. Flag Type IP Address TTL Domain
------- ------- ------- --------------- ------- --------
3 4 Host 209.131.36.158 115 www-real.wa1.b.yahoo.com
4 4 CNAME POINTER TO:3 115 www.yahoo.com
5 4 CNAME POINTER TO:3 115 www.wa1.b.yahoo.com
Console#
Table 113: show dns cache - display description
Field        Description
No.          The entry number for each resource record.
Flag         The flag is always “4” indicating a cache entry and therefore unreliable.
Type         This field includes “Host” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
IP Address   The IP address associated with this record.
TTL          The time to live reported by the name server.
Domain       The host name associated with this record.
show hosts
This command displays the static host name-to-address mapping table.
Command Mode
Privileged Exec
Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
No. Flag Type IP Address TTL Domain
---- ---- ------- -------------------- ----- -------------------------------
0 2 Address 192.168.1.55 rd5
1 2 Address 2001:DB8:1::12 rd6
3 4 Address 209.131.36.158 65 www-real.wa1.b.yahoo.com
4 4 CNAME POINTER TO:3 65 www.yahoo.com
5 4 CNAME POINTER TO:3 65 www.wa1.b.yahoo.com
Console#
Table 114: show hosts - display description
Field        Description
No.          The entry number for each resource record.
Flag         The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
Type         This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
IP Address   The IP address associated with this record.
TTL          The time to live reported by the name server. This field is always blank for static entries.
Domain       The domain name associated with this record.
24
DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol
(DHCP) client functions.
Table 115: DHCP Commands
Command Group   Function
DHCP Client     Allows interfaces to dynamically acquire IP address information
DHCP Client
Use the commands in this section to allow the switch’s VLAN interfaces to dynamically acquire IP address information.
Table 116: DHCP Client Commands
Command                              Function                                                        Mode
DHCP for IPv4
ip dhcp client class-id              Specifies the DHCP client identifier for an interface           IC
ip dhcp restart client               Submits a BOOTP or DHCP client request                          PE
show ip dhcp client-identifier *     Shows the DHCP client identifier for all interfaces             PE
DHCP for IPv6
ipv6 dhcp client rapid-commit vlan   Specifies the Rapid Commit option for DHCPv6 message exchange   GC
ipv6 dhcp restart client vlan        Submits a DHCPv6 client request                                 PE
show ipv6 dhcp duid                  Shows the DHCP Unique Identifier for this switch                PE
show ipv6 dhcp vlan                  Shows DHCPv6 information for specified interface                PE
* This command is only supported by the EX-3548.
DHCP for IPv4
ip dhcp client class-id
This command specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove the class identifier from the DHCP packet.
Syntax
ip dhcp client class-id [ text text | hex hex ]
no ip dhcp client class-id
text - A text string. (Range: 1-32 characters)
hex - A hexadecimal value. (Range: 1-64 characters)
Default Setting
Class identifier option enabled, with the name Motorola Solutions Inc.
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Use this command without a keyword to restore the default setting.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.
◆ The server should reply with Option 66 attributes, including the TFTP server name and boot file name.
Example
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572
Console(config-if)#
Related Commands ip dhcp restart client (532)
ip dhcp restart client
This command submits a BOOTP or DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client’s last address if available.
◆ If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain.
Example
In the following example, the device is reassigned the same address.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#exit
Console#ip dhcp restart client
Console#show ip interface
Vlan 1 is Administrative Up - Link Up
Address is 12-34-12-34-12-34
Index: 1001, MTU: 1500, Bandwidth: 1g
Address Mode is DHCP
IP Address: 192.168.0.9 Mask: 255.255.255.0
Proxy ARP is disabled
Console#
Related Commands ip address (538)
show ip dhcp client-identifier
This command shows the DHCP client identifier for all interfaces.
Command Mode
Privileged Exec
Command Usage
This command is only supported for the EX-3548.
Example
Console#show ip dhcp client-identifier
Interface mode client-identifier
--------- ---- -----------------
VLAN1 TEXT TPS
VLAN2 TEXT bill
VLAN3 TEXT steve
ES-3052G#
DHCP for IPv6
ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[ no ] ipv6 dhcp client rapid-commit vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4093; Maximum command length: 300 characters)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ DHCPv6 clients can obtain configuration parameters from a server through a normal four-message exchange (solicit, advertise, request, reply), or through a rapid two-message exchange (solicit, reply). The rapid-commit option must be enabled on both client and server for the two-message exchange to be used.
◆ This command allows the two-message exchange method to be used for prefix delegation. When enabled, DHCPv6 client requests submitted from the specified interface will include the rapid commit option in all solicit messages.
Example
Console(config)#ipv6 dhcp client rapid-commit vlan 2
Console(config)#
ipv6 dhcp restart client vlan
This command submits a DHCPv6 client request.
Syntax
ipv6 dhcp restart client vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4093; Maximum command length: 300 characters)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration. If the router advertisements have the “other stateful configuration” flag set, the switch may also attempt to acquire other non-address configuration information (such as a default gateway or DNS server) when DHCPv6 is restarted.
Prior to submitting a client request to a DHCPv6 server, the switch should be configured with a link-local address using the ipv6 address autoconfig command. The state of the Managed Address Configuration flag (M flag) and Other Stateful Configuration flag (O flag) received in Router Advertisement messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below.
■ Both M and O flags are set to 1:
DHCPv6 is used for both address and other configuration settings.
This combination is known as DHCPv6 stateful, in which a DHCPv6 server assigns stateful addresses to IPv6 hosts.
■ The M flag is set to 0, and the O flag is set to 1:
DHCPv6 is used only for other configuration settings.
Neighboring routers are configured to advertise non-link-local address prefixes from which IPv6 hosts derive stateless addresses.
This combination is known as DHCPv6 stateless, in which a DHCPv6 server does not assign stateful addresses to IPv6 hosts, but does assign stateless configuration settings.
◆ DHCPv6 clients build a list of servers by sending a solicit message and collecting advertised message replies. These servers are then ranked based on their advertised preference value. If the client needs to acquire prefixes from servers, only servers that have advertised prefixes are considered.
◆ If the rapid commit option has been enabled on the switch using the ipv6 dhcp client rapid-commit vlan command, and on the DHCPv6 server, message exchange can be reduced from the normal four step process to a two-step exchange of only solicit and reply messages.
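As an added example, not code from this guide, the Python below decodes the M and O flags from an ICMPv6 Router Advertisement header and derives what the client should acquire from DHCPv6 per the combinations described above, which message exchange is used when rapid commit is enabled, and how advertising servers are ranked. The RA bytes and advertise replies are constructed inline, and the handling of M=1 with O=0 (not covered by the text) follows RFC 4861 as an assumption.

```python
# Added example, not code from this guide: RA flag decoding and the resulting
# DHCPv6 client behaviour (mode, message exchange, server selection).
from __future__ import annotations
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FLAG_MANAGED = 0x80    # M flag: addresses are available via DHCPv6
RA_FLAG_OTHER = 0x40      # O flag: other configuration is available via DHCPv6


def parse_ra_flags(packet: bytes) -> tuple[bool, bool]:
    """Return (M, O) from an RA header laid out per RFC 4861: type, code, checksum,
    cur hop limit, flags, router lifetime, reachable time, retrans timer."""
    if len(packet) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _checksum, _hop_limit, flags = struct.unpack("!BBHBB", packet[:6])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return bool(flags & RA_FLAG_MANAGED), bool(flags & RA_FLAG_OTHER)


def dhcpv6_client_mode(m_flag: bool, o_flag: bool) -> str:
    """M=1,O=1: addresses and other settings via DHCPv6 (stateful).
    M=0,O=1: other settings only, addresses from router prefixes (stateless).
    Neither: DHCPv6 is not used. M=1,O=0 is treated as stateful (RFC 4861 assumption)."""
    if m_flag:
        return "stateful"
    if o_flag:
        return "stateless"
    return "none"


def dhcpv6_exchange(client_rapid_commit: bool, server_rapid_commit: bool) -> list[str]:
    """The two-message exchange is only used when both sides enable rapid commit."""
    if client_rapid_commit and server_rapid_commit:
        return ["solicit", "reply"]
    return ["solicit", "advertise", "request", "reply"]


def choose_server(advertisements: list[dict], need_prefix: bool) -> dict | None:
    """Rank the servers collected from advertise messages by preference value;
    when prefixes are needed, only servers that advertised prefixes are considered."""
    eligible = [a for a in advertisements if not need_prefix or a.get("prefixes")]
    return max(eligible, key=lambda a: a["preference"], default=None)


# Constructed RA headers: checksum left at zero (not validated here), hop limit 64,
# router lifetime 1800 s, reachable time and retrans timer 0.
STATEFUL_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, RA_FLAG_MANAGED | RA_FLAG_OTHER, 1800, 0, 0)
STATELESS_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, RA_FLAG_OTHER, 1800, 0, 0)
SLAAC_ONLY_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)

# Constructed advertise replies from two servers (DUID values are placeholders).
ADVERTISEMENTS = [
    {"duid": "DUID-PLACEHOLDER-1", "preference": 10, "prefixes": ["2001:db8:1::/64"]},
    {"duid": "DUID-PLACEHOLDER-2", "preference": 200, "prefixes": []},
]


def plan(ra: bytes, client_rapid_commit: bool, server_rapid_commit: bool,
         need_prefix: bool) -> dict:
    """What a client restarted with 'ipv6 dhcp restart client vlan' would do."""
    mode = dhcpv6_client_mode(*parse_ra_flags(ra))
    if mode == "none":
        return {"mode": mode, "exchange": [], "server": None}
    return {"mode": mode,
            "exchange": dhcpv6_exchange(client_rapid_commit, server_rapid_commit),
            "server": choose_server(ADVERTISEMENTS, need_prefix)}


if __name__ == "__main__":
    print(plan(STATEFUL_RA, True, True, need_prefix=True))
```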
Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#
Related Commands ipv6 address (550)
show ipv6 dhcp duid
This command shows the DHCP Unique Identifier for this switch.
Command Mode
Privileged Exec
Command Usage
◆ DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options. Static or dynamic address prefixes may be assigned by a DHCPv6 server based on the client’s DUID.
◆ To display the DUID assigned to this device, first enter the ipv6 address autoconfig command.
Example
Console#show ipv6 dhcp duid
DHCPv6 Unique Identifier (DUID): 0001-0001-4A8158B4-00E00C0000FD
Console#
show ipv6 dhcp vlan
This command shows DHCPv6 information for the specified interface(s).
Syntax
show ipv6 dhcp vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4093; Maximum command length: 300 characters)
Command Mode
Privileged Exec
Example
Console#show ipv6 dhcp vlan 1
VLAN 1 is in DHCP client mode, Rapid-Commit
List of known servers:
Server address : FE80::250:FCFF:FEF9:A494
DUID : 0001-0001-48CFB0D5-F48F2A006801
Server address : FE80::250:FCFF:FEF9:A405
DUID : 0001-0001-38CF5AB0-F48F2A003917
Console#
25
IP Interface Commands
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
An IPv4 address for this switch is obtained via DHCP by default for VLAN 1. You may also need to establish an IPv4 or IPv6 default gateway between this device and management stations that exist on another network segment.
Table 117: IP Interface Commands
Command Group    Function
IPv4 Interface   Configures an IPv4 address for the switch
IPv6 Interface   Configures an IPv6 address for the switch
IPv4 Interface
There are no IP addresses assigned to this switch by default. You must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets. You may also need to establish a default gateway between this device and management stations or other devices that exist on another network segment.
This section includes commands for configuring IP interfaces, the Address
Resolution Protocol (ARP) and Proxy ARP.
Table 118: IPv4 Interface Commands
Command Group              Function
Basic IPv4 Configuration   Configures the IP address for interfaces and the gateway router
ARP Configuration          Configures static, dynamic and proxy ARP service
Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Table 119: Basic IP Configuration Commands
Command              Function                                                                Mode
ip address           Sets the IP address for the current interface                           IC
ip default-gateway   Defines the default gateway through which this router can reach other   GC
                     subnetworks
show ip interface    Displays the IP settings for this device                                PE
show ip route        Displays specified entries in the routing table                         PE
show ip traffic      Displays statistics for IP, ICMP, UDP, TCP and ARP protocols            PE
traceroute           Shows the route packets take to the specified host                      PE
ping                 Sends ICMP echo request packets to another node on the network          NE, PE
ip address
This command sets the IPv4 address for the currently selected VLAN interface. Use the no form to remove an IP address.
Syntax
ip address { ip-address netmask [ default-gateway ] | bootp | dhcp } [ secondary ]
no ip address ip-address netmask
ip-address - IP address
netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
default-gateway - The default gateway. (Refer to the ip default-gateway command which provides the same function.)
bootp - Obtains IP address from BOOTP.
dhcp - Obtains IP address from DHCP.
secondary - Specifies a secondary IP address.
Default Setting
DHCP
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ If this router is directly connected to end node devices (or connected to end nodes via shared media) that will be assigned to a specific subnet, then you must create a router interface for each VLAN that will support routing. The router interface consists of an IP address and subnet mask. This interface address defines both the network number to which the router interface is attached and the router’s host number on that network. In other words, a router interface address defines the network and subnetwork numbers of the segment that is connected to that interface, and allows you to send IP packets to or from the router.
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets. A specific IP address can be manually configured, or the router can be directed to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format is not accepted by the configuration program.
◆ An interface can have only one primary IP address, but can have many secondary IP addresses. In other words, secondary addresses need to be specified if more than one IP subnet can be accessed through this interface.
Note that a secondary address cannot be configured prior to setting the primary IP address, and the primary address cannot be removed if a secondary address is still present. Also, if any router/switch in a network segment uses a secondary address, all other routers/switches in that segment must also use a secondary address from the same network or subnet address space.
◆ If bootp or dhcp options are selected, the system will immediately start broadcasting service requests for all VLANs configured to obtain address assignments through BOOTP or DHCP. IP is enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast periodically by the router in an effort to learn its IP address. (BOOTP and DHCP values can include the IP address, default gateway, and subnet mask). If the DHCP/BOOTP server is slow to respond, you may need to use the ip dhcp restart client command to re-start broadcasting service requests, or reboot the router.
Note: Each VLAN group can be assigned its own IP interface address. You can manage the router via any of these IP addresses.
Example
In the following example, the device is assigned an address in VLAN 1.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#
Related Commands ip dhcp restart client (532) ip default-gateway (540) ipv6 address (550)
ip default-gateway
This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No default gateway is established.
Command Mode
Global Configuration
Command Usage
◆ The default gateway can also be defined using the following Global configuration command: ip route 0.0.0.0 0.0.0.0 gateway-address.
◆ Static routes can also be defined using the ip route command to ensure that traffic to the designated address or subnet passes through a preferred gateway.
◆ A default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the router.
◆ A gateway must be defined if the management station is located in a different IP segment.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address for a default gateway, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.254
Console(config)#
Related Commands ip address (538) ip route (574) ipv6 default-gateway (549)
show ip interface
This command displays the settings of an IPv4 interface.
Command Mode
Privileged Exec
Example
Console#show ip interface
Vlan 1 is Administrative Up - Link Up
Address is 00-E0-0C-00-00-FD
Index: 1001, MTU: 1500, Bandwidth: 1g
Address Mode is DHCP
IP Address: 192.168.0.3 Mask: 255.255.255.0
Proxy ARP is disabled
Console#
Related Commands ip address (538) show ipv6 interface (558)
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
Command Mode
Privileged Exec
Example
Console#show ip traffic
IP Statistics:
IP received
7845 total received
header errors
unknown protocols
address errors
discards
7845 delivers
reassembly request datagrams
reassembly succeeded
reassembly failed
IP sent
forwards datagrams
9903 requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMP Statistics:
ICMP received
input
errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
ICMP sent
output
errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
UDP Statistics:
input
no port errors
other errors
output
TCP Statistics:
7841 input
input errors
9897 output
Console#
traceroute
This command shows the route packets take to the specified destination.
Syntax
traceroute host
host - IP address or alias of the host.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The traceroute command first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message. Not all devices respond correctly to probes by returning an “ICMP port unreachable” message. If the timer goes off before a response is returned, the trace function prints a series of asterisks and the “Request Timed Out” message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device.
◆ If the target device does not respond or other errors are detected, the switch will indicate this by one of the following messages:
■ * - No Response
■ H - Host Unreachable
■ N - Network Unreachable
■ P - Protocol Unreachable
■ O - Other
Example
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.1, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1 20 ms <10 ms <10 ms 192.168.0.1
Trace completed.
Console#
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet. (Range: 32-512)
The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Default Setting
count: 5
size: 32 bytes
Command Mode
Normal Exec, Privileged Exec
Command Usage
◆ Use the ping command to see if another site on the network can be reached.
◆ The following are some results of the ping command:
■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
■ Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.
■ Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
■ Network or host unreachable - The gateway found no corresponding entry in the route table.
◆ When pinging a host name, be sure the DNS server has been defined (see page 526 ) and host name-to-address translation enabled (see page 524 ). If necessary, local devices can also be specified in the DNS static host table (see page 526 ).
Example
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 0 ms
Ping statistics for 10.1.0.9:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
Minimum = 0 ms, Maximum = 10 ms, Average = 8 ms
Console#
Related Commands interface (294)
ARP Configuration
This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
Table 120: Address Resolution Protocol Commands
Command          Function                                         Mode
arp              Adds a static entry in the ARP cache             GC
ip proxy-arp     Enables proxy ARP service                        IC
clear arp-cache  Deletes all dynamic entries from the ARP cache   PE
show arp         Displays entries in the ARP cache                NE, PE
arp
This command adds a static entry in the Address Resolution Protocol (ARP) cache.
Use the no form to remove an entry from the cache.
Syntax
arp ip-address hardware-address
no arp ip-address
ip-address - IP address to map to a specified hardware address.
hardware-address - Hardware address to map to a specified IP address. (The format for this address is xx-xx-xx-xx-xx-xx.)
Default Setting
No default entries
Command Mode
Global Configuration
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 32.
◆ You may need to enter a static entry in the cache if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
◆ Static entries will not be aged out nor deleted when power is reset. A static entry can only be removed through the configuration interface.
Example
Console(config)#arp 10.1.0.19 01-02-03-04-05-06
Console(config)#
Related Commands clear arp-cache (547) show arp (547)
ip proxy-arp
This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP.
Syntax
[ no ] ip proxy-arp
Default Setting
Disabled
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Proxy ARP allows a non-routing device to determine the MAC address of a host on another subnet or network.
◆ End stations that require Proxy ARP must view the entire network as a single network. These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices.
◆ Extensive use of Proxy ARP can degrade router performance because it may lead to increased ARP traffic and increased search time for larger ARP address tables.
Example
Console(config)#interface vlan 3
Console(config-if)#ip proxy-arp
Console(config-if)#
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Are you sure to continue this operation (y/n)?y
Console#
show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays information about the ARP cache. The first line shows the cache timeout. It also shows each cache entry, including the IP address, MAC address, type (static, dynamic, other), and VLAN interface. Note that entry type “other” indicates local addresses for this router.
Example
This example displays all entries in the ARP cache.
Console#show arp
ARP Cache Timeout: 1200 (seconds)
IP Address MAC Address Type Interface
--------------- ----------------- --------- -----------
10.1.0.0 FF-FF-FF-FF-FF-FF other VLAN1
10.1.0.254 00-00-AB-CD-00-00 other VLAN1
10.1.0.255 FF-FF-FF-FF-FF-FF other VLAN1
145.30.20.23 09-50-40-30-20-10 dynamic VLAN3
Total entry : 5
Console#
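Because dynamic ARP entries are learned from unauthenticated replies, operators often compare successive show arp captures to spot an IP whose MAC has changed. The following is an added Python example (not code from the guide or the switch); the two snapshots are constructed, the first modelled on the output above and the second on a later capture in which 145.30.20.23 answers from a different MAC and a static entry for 10.1.0.19 has been added.

```python
import re
from typing import Dict, Tuple

Entry = Tuple[str, str, str]   # (MAC address, type, interface)

# One data row of 'show arp': IP, MAC in xx-xx-xx-xx-xx-xx form, type, VLAN.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+"
    r"(static|dynamic|other)\s+(\S+)\s*$"
)

# Constructed snapshot, modelled on the guide's sample output.
SNAPSHOT_1 = """\
ARP Cache Timeout: 1200 (seconds)
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
10.1.0.255      FF-FF-FF-FF-FF-FF other     VLAN1
145.30.20.23    09-50-40-30-20-10 dynamic   VLAN3
Total entry : 4
"""

# Constructed later snapshot: one MAC changed, one static entry added.
SNAPSHOT_2 = """\
ARP Cache Timeout: 1200 (seconds)
IP Address      MAC Address       Type      Interface
--------------- ----------------- --------- -----------
10.1.0.0        FF-FF-FF-FF-FF-FF other     VLAN1
10.1.0.19       01-02-03-04-05-06 static    VLAN1
10.1.0.254      00-00-AB-CD-00-00 other     VLAN1
10.1.0.255      FF-FF-FF-FF-FF-FF other     VLAN1
145.30.20.23    09-50-40-30-20-99 dynamic   VLAN3
Total entry : 5
"""


def parse_show_arp(text: str) -> Dict[str, Entry]:
    """Map IP -> (MAC, type, interface). The timeout line, column headers,
    separator and 'Total entry' trailer do not match ROW and are skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, typ, iface = m.groups()
            entries[ip] = (mac.upper(), typ, iface)
    return entries


def diff_arp(before: Dict[str, Entry], after: Dict[str, Entry]):
    """Return (changed, added, removed). 'changed' maps an IP to
    (old MAC, new MAC); a moved MAC on a dynamic entry for a gateway or
    server address is the first thing to verify against the port's
    learned MAC table, and 'other' entries (the switch's own addresses)
    should never move at all."""
    changed = {ip: (before[ip][0], after[ip][0])
               for ip in before.keys() & after.keys()
               if before[ip][0] != after[ip][0]}
    added = {ip: after[ip] for ip in after.keys() - before.keys()}
    removed = {ip: before[ip] for ip in before.keys() - after.keys()}
    return changed, added, removed


if __name__ == "__main__":
    changed, added, removed = diff_arp(parse_show_arp(SNAPSHOT_1),
                                       parse_show_arp(SNAPSHOT_2))
    for ip, (old, new) in changed.items():
        print(f"MAC changed for {ip}: {old} -> {new}")
    for ip, entry in added.items():
        print(f"new entry {ip}: {entry}")
    for ip, entry in removed.items():
        print(f"entry gone {ip}: {entry}")
```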
IPv6 Interface
This switch supports the following IPv6 interface commands.
Table 121: IPv6 Configuration Commands
Command                    Function                                                                                                   Mode
Interface Address Configuration and Utilities
ipv6 default-gateway       Sets an IPv6 default gateway for traffic with no known next hop                                            GC
ipv6 address               Configures an IPv6 global unicast address, and enables IPv6 on an interface                                IC
ipv6 address autoconfig    Enables automatic configuration of IPv6 global unicast addresses on an interface and enables IPv6 on the interface   IC
ipv6 address eui-64        Configures an IPv6 global unicast address for an interface using an EUI-64 interface ID in the low order 64 bits, and enables IPv6 on the interface   IC
ipv6 address link-local    Configures an IPv6 link-local address for an interface and enables IPv6 on the interface                   IC
ipv6 enable                Enables IPv6 on an interface that has not been configured with an explicit IPv6 address                    IC
ipv6 mtu                   Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface                 IC
show ipv6 default-gateway  Displays the current IPv6 default gateway                                                                  NE, PE
show ipv6 interface        Displays the usability and configured settings for IPv6 interfaces                                         NE, PE
show ipv6 mtu              Displays maximum transmission unit (MTU) information for IPv6 interfaces                                   NE, PE
show ipv6 traffic          Displays statistics about IPv6 traffic                                                                     NE, PE
clear ipv6 traffic         Resets IPv6 traffic counters                                                                               PE
ping6                      Sends IPv6 ICMP echo request packets to another node on the network                                        PE
Neighbor Discovery
ipv6 nd dad attempts       Configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection   IC
ipv6 nd ns-interval        Configures the interval between IPv6 neighbor solicitation retransmissions on an interface                 IC
ipv6 nd reachable-time     Configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred   IC
clear ipv6 neighbors       Deletes all dynamic entries in the IPv6 neighbor discovery cache                                           PE
show ipv6 neighbors        Displays information in the IPv6 neighbor discovery cache                                                  PE
Interface Address Configuration and Utilities
ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway.
Syntax
ipv6 default-gateway ipv6-address
no ipv6 default-gateway
ipv6-address - The IPv6 address of the default next hop router to use for destinations with no known next hop.
Default Setting
No default gateway is defined
Command Mode
Global Configuration
Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
◆ An IPv6 default gateway must be defined if the destination has been assigned an IPv6 address and is located in a different IP segment.
◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
Example
The following example defines a default gateway for this device:
Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780
Console(config)#
Related Commands show ipv6 default-gateway (557) ip default-gateway (540)
ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Syntax
[no] ipv6 address ipv6-address[/prefix-length]
ipv6-address - A full IPv6 address including the network prefix and host address bits.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Default Setting
No IPv6 addresses are defined
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ To connect to a larger network with multiple subnets, you must configure a global unicast address. This address can be manually configured with this command, or it can be automatically configured using the ipv6 address autoconfig command.
◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.)
◆ If a duplicate address is detected, a warning message is sent to the console.
Example
This example specifies a full IPv6 address and prefix length.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::72/96
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-Local Address:
FE80::B60E:DCFF:FE34:E63C/64
Global Unicast Address(es):
2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96
Joined Group Address(es):
FF02::1:FF00:72
FF02::1:FF34:E63C
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Related Commands ipv6 address eui-64 (552) ipv6 address autoconfig (551) show ipv6 interface (558) ip address (538)
ipv6 address autoconfig
This command enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages; the host portion is based on the modified EUI-64 form of the interface identifier (i.e., the switch’s MAC address). Use the no form to remove the address generated by this command.
Syntax
[ no ] ipv6 address autoconfig
Default Setting
No IPv6 addresses are defined
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ If a link-local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link-local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.)
◆ If a duplicate address is detected, a warning message is sent to the console.
◆ When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration. If the router advertisements have the “other stateful configuration” flag set, the switch may also attempt to acquire other non-address configuration information (such as a default gateway) from a DHCPv6 server when DHCPv6 is restarted.
Example
This example assigns a dynamic global unicast address to the switch.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address autoconfig
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is stale, AUTOCONFIG is enabled
Link-Local Address:
FE80::2E0:CFF:FE00:FD/64
Global Unicast Address(es):
2002:1000:AA22:BB66::1000/64, subnet is 2002:1000:AA22:BB66::/64[AUTOCONFIG]
valid lifetime -1 preferred lifetime -1
Joined Group Address(es):
FF02::1:FF00:1000
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
Console#
Related Commands ipv6 address (550) show ipv6 interface (558)
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Syntax
ipv6 address ipv6-prefix/prefix-length eui-64
no ipv6 address [ipv6-prefix/prefix-length eui-64]
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Default Setting
No IPv6 addresses are defined
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ If a link-local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link-local address for this interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.)
◆ Note that the value specified in the ipv6-prefix may include some of the high-order host bits if the specified prefix length is less than 64 bits. If the specified prefix length exceeds 64 bits, then the network portion of the address will take precedence over the interface identifier.
◆ If a duplicate address is detected, a warning message is sent to the console.
◆ IPv6 addresses are 16 bytes long, of which the bottom 8 bytes typically form a unique host identifier based on the device’s MAC address. The EUI-64 specification is designed for devices that use an extended 8-byte MAC address. For devices that still use a 6-byte MAC address (also known as EUI-48 format), it must be converted into EUI-64 format by inverting the universal/local bit in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address.
◆ For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
◆ This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
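The EUI-64 conversion and address assembly described above, as an added Python example (not code from the guide or from the switch firmware). It follows the guide's stated rules, including the precedence of a prefix longer than /64 over the interface identifier; the MAC B4-0E-DC-34-E6-3C is an assumption inferred from the sample output's FE80::B60E:DCFF:FE34:E63C, and the inverse function shows that such addresses disclose the device's MAC to anyone who sees them in logs or on the wire.

```python
import ipaddress

LOW64 = (1 << 64) - 1
HIGH64 = ((1 << 128) - 1) ^ LOW64


def parse_mac(mac: str) -> bytes:
    """Accept the switch's xx-xx-xx-xx-xx-xx form or colon notation."""
    octets = bytes(int(p, 16) for p in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("expected a 6-byte EUI-48 address")
    return octets


def fmt_mac(octets: bytes) -> str:
    return "-".join(f"{b:02X}" for b in octets)


def mac_to_modified_eui64(mac: str) -> bytes:
    """EUI-48 -> modified EUI-64 interface identifier: invert the
    universal/local bit (bit 1 of the first octet) and insert FF-FE
    between the OUI and the device-specific half of the MAC."""
    o = parse_mac(mac)
    return bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Address that 'ipv6 address <prefix>/<len> eui-64' assigns, per the
    guide's rules: the high 64 bits come from the prefix as typed (so a
    prefix shorter than /64 may carry some high-order host bits), the low
    64 bits from the interface identifier, except that a prefix longer
    than /64 takes precedence over the identifier bits it covers."""
    iface = ipaddress.IPv6Interface(prefix)
    keep = int(iface.network.netmask) | HIGH64   # bits taken from the prefix
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    addr = (int(iface.ip) & keep) | (iid & ~keep)
    return ipaddress.IPv6Interface(
        f"{ipaddress.IPv6Address(addr)}/{iface.network.prefixlen}")


def link_local_address(mac: str) -> ipaddress.IPv6Interface:
    """The FE80::/64 address the switch generates when IPv6 is enabled
    on a VLAN without an explicit link-local address."""
    return eui64_address("FE80::/64", mac)


def mac_from_eui64(addr: str):
    """Inverse mapping: the EUI-48 MAC embedded in an EUI-64 derived
    address, or None when the FF-FE marker is absent (manually chosen or
    privacy interface identifiers). Useful for tying an IPv6 address seen
    in a log back to the MAC a switch port has learned."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return fmt_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


if __name__ == "__main__":
    # Inputs taken from the guide's worked description and sample outputs.
    print(fmt_mac(mac_to_modified_eui64("28-9F-18-1C-82-35")))
    print(eui64_address("2001:0DB8:0:1::/64", "B4-0E-DC-34-E6-3C"))
    print(link_local_address("00-E0-0C-00-00-FD"))
    print(mac_from_eui64("FE80::B60E:DCFF:FE34:E63C"))
```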
Example
This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:0DB8:0:1::/64 eui-64
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is stale, AUTOCONFIG is disabled
Link-Local Address:
FE80::B60E:DCFF:FE34:E63C/64
Global Unicast Address(es):
2001:DB8::1:B60E:DCFF:FE34:E63C/64, subnet is 2001:DB8:0:1::/64[EUI]
2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96
Joined Group Address(es):
FF02::1:FF00:72
FF02::1:FF34:E63C
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Related Commands ipv6 address autoconfig (551) show ipv6 interface (558)
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Syntax
ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]
ipv6-address - The IPv6 address assigned to the interface.
Default Setting
No IPv6 addresses are defined
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ The specified address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. The address prefix must be in the range of FE80~FEBF.
◆ The address specified with this command replaces a link-local address that was automatically generated for the interface.
◆ You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
◆ If a duplicate address is detected, a warning message is sent to the console.
Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1.
Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::269:3EF9:FE19:6779 link-local
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address:
FE80::269:3EF9:FE19:6779/64
Global unicast address(es):
2001:DB8::1:2E0:CFF:FE00:FD/64, subnet is 2001:DB8::1:0:0:0:0/64[EUI]
2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96[EUI]
Joined group address(es):
FF02::1:FF19:6779
FF02::1:FF00:72
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Related Commands ipv6 enable (555) show ipv6 interface (558)
ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address. Use the no form to disable IPv6 on an interface that has not been configured with an explicit IPv6 address.
Syntax
[ no ] ipv6 enable
Default Setting
IPv6 is disabled
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ This command enables IPv6 on the current VLAN interface and automatically generates a link-local unicast address. The address prefix uses FE80, and the host portion of the address is generated by converting the switch’s MAC address to modified EUI-64 format (see page 552 ). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console.
◆ The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.
Example
In this example, IPv6 is enabled on VLAN 1, and the link-local address FE80::2E0:CFF:FE00:FD/64 is automatically generated by the switch.
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address:
FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
FF02::1:FF00:72
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Related Commands ipv6 address link-local (554) show ipv6 interface (558)
ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.
Syntax
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size. (Range: 1280-65535 bytes)
Default Setting
1500 bytes
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ The maximum value set by this command cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
◆ All devices on the same physical medium must use the same MTU in order to operate correctly.
◆ IPv6 must be enabled on an interface before the MTU can be set.
Example
The following example sets the MTU for VLAN 1 to 1280 bytes:
Console(config)#interface vlan 1
Console(config-if)#ipv6 mtu 1280
Console(config-if)#
Related Commands show ipv6 mtu (559) jumbo frame (89)
show ipv6 default-gateway
This command displays the current IPv6 default gateway.
Command Mode
Normal Exec, Privileged Exec
Example
The following shows the default gateway configured for this device:
Console#show ipv6 default-gateway
IPv6 default gateway 2001:DB8:2222:7272::254
Console#
show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.
Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4093)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface. The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
prefix-length - A decimal value indicating how many of the contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Command Mode
Normal Exec, Privileged Exec
Example
This example displays all the IPv6 addresses configured for the switch.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
FF02::1:FF00:72
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND reachable time is 30000 milliseconds
Console#
Table 122: show ipv6 interface - display description
Field   Description
VLAN    A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
IPv6    IPv6 is marked “enable” if the switch can send and receive IP traffic on this interface, “disable” if the switch cannot send and receive IP traffic on this interface, or “stalled” if a duplicate link-local address is detected on the interface.
Table 122: show ipv6 interface - display description (Continued)
Field                        Description
Link-local address           Shows the link-local address assigned to this interface
Global unicast address(es)   Shows the global unicast address(es) assigned to this interface
Joined group address(es)     In addition to the unicast addresses assigned to an interface, a host is also required to listen to all-nodes multicast addresses FF01::1 (interface-local scope) and FF02::1 (link-local scope).
                             FF01::1/16 is the transient interface-local multicast address for all attached IPv6 nodes, and FF02::1/16 is the link-local multicast address for all attached IPv6 nodes. The interface-local multicast address is only used for loopback transmission of multicast traffic. Link-local multicast addresses cover the same types as used by link-local unicast addresses, including all nodes (FF02::1), all routers (FF02::2), and solicited nodes (FF02::1:FFXX:XXXX) as described below.
                             A node is also required to compute and join the associated solicited-node multicast addresses for every unicast and anycast address it is assigned. IPv6 addresses that differ only in the high-order bits, e.g. due to multiple high-order prefixes associated with different aggregations, will map to the same solicited-node address, thereby reducing the number of multicast addresses a node must join. In this example, FF02::1:FF90:0/104 is the solicited-node multicast address which is formed by taking the low-order 24 bits of the address and appending those bits to the prefix.
ND DAD                       Indicates whether (neighbor discovery) duplicate address detection is enabled.
number of DAD attempts       The number of consecutive neighbor solicitation messages sent on the interface during duplicate address detection.
ND retransmit interval       The interval between IPv6 neighbor solicitation retransmissions sent on an interface during duplicate address detection.
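The solicited-node rule in the table above can be checked against the command's own output: every unicast address listed should have its FF02::1:FFXX:XXXX group under “Joined group address(es)”, plus FF02::1, otherwise neighbor solicitation (and so DAD and address resolution) for that address cannot work on the VLAN. The following is an added Python example (not code from the guide); the sample output is constructed from the show ipv6 interface listing shown earlier in this chapter, and the heading matching is an assumption based on those listings.

```python
import ipaddress
from typing import Dict, List, Set

ALL_NODES = ipaddress.IPv6Address("FF02::1")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("FF02::1:FF00:0"))

# Constructed sample, taken from the guide's 'ipv6 address link-local' output.
SAMPLE_OUTPUT = """\
VLAN 1 is up
IPv6 is enabled
Link-local address:
  FE80::269:3EF9:FE19:6779/64
Global unicast address(es):
  2001:DB8::1:2E0:CFF:FE00:FD/64, subnet is 2001:DB8::1:0:0:0:0/64[EUI]
  2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96[EUI]
Joined group address(es):
  FF02::1:FF19:6779
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
"""


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low-order 24 bits of the
    unicast (or anycast) address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def parse_show_ipv6_interface(text: str) -> Dict[str, List[str]]:
    """Collect the addresses listed under the link-local, global unicast
    and joined group headings (matched case-insensitively, since the
    guide's outputs use both capitalisations). Lines that do not parse as
    an address (lifetimes, MTU, ND settings) are skipped."""
    sections: Dict[str, List[str]] = {"link_local": [], "global": [], "joined": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("link-local address"):
            current = "link_local"
        elif low.startswith("global unicast address"):
            current = "global"
        elif low.startswith("joined group address"):
            current = "joined"
        elif current is not None and line:
            # drop "/64", ", subnet is ..." and any "%zone" suffix
            candidate = line.split(",")[0].split("/")[0].split("%")[0]
            try:
                sections[current].append(str(ipaddress.IPv6Address(candidate)))
            except ValueError:
                pass
    return sections


def expected_groups(sections: Dict[str, List[str]]) -> Set[ipaddress.IPv6Address]:
    groups = {ALL_NODES}
    for addr in sections["link_local"] + sections["global"]:
        groups.add(solicited_node(addr))
    return groups


def missing_groups(text: str) -> Set[str]:
    """Groups the interface must join but does not list in its output."""
    sections = parse_show_ipv6_interface(text)
    joined = {ipaddress.IPv6Address(a) for a in sections["joined"]}
    return {str(g) for g in expected_groups(sections) - joined}


if __name__ == "__main__":
    print("missing groups:", missing_groups(SAMPLE_OUTPUT) or "none")
```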
This example displays a brief summary of IPv6 addresses configured on the switch.
Console#show ipv6 interface brief
Interface VLAN IPv6 IPv6 Address
--------------- ---------- ---------- ------------------------------------
VLAN 1 Up Up 2001:DB8:2222:7273::72/96
VLAN 1 Up Up FE80::2E0:CFF:FE00:FD%1/64
Console#
Related Commands show ip interface (541)
show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
Command Mode
Normal Exec, Privileged Exec
Example
The following example shows the MTU cache for this device:
Console#show ipv6 mtu
MTU Since Destination Address
1400 00:04:21 5000:1::3
1280 00:04:50 FE80::203:A0FF:FED6:141D
Console#
Table 123: show ipv6 mtu - display description *
Field - Description
MTU - Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path.
Since - Time since an ICMP packet-too-big message was received from this destination.
Destination Address - Address which sent an ICMP packet-too-big message.
* No information is displayed if an IPv6 address has not been assigned to the switch.
show ipv6 traffic
This command displays statistics about IPv6 traffic passing through this switch.
Command Mode
Normal Exec, Privileged Exec
Example
The following example shows statistics for all IPv6 unicast and multicast traffic, as well as ICMP, UDP and TCP statistics:
Console#show ipv6 traffic
IPv6 Statistics:
IPv6 received
0 total received
0 header errors
0 too big errors
0 no routes
0 address errors
0 unknown protocols
0 truncated packets
0 discards
0 delivers
0 reassembly request datagrams
0 reassembled succeeded
0 reassembled failed
IPv6 sent
0 forwarded datagrams
22 requests
0 discards
0 no routes
0 generated fragments
0 fragment succeeded
0 fragment failed
ICMPv6 Statistics:
ICMPv6 received
0 input
0 errors
0 destination unreachable messages
0 packet too big messages
0 time exceeded messages
0 parameter problem message
0 echo request messages
0 echo reply messages
0 redirect messages
0 group membership query messages
0 group membership response messages
0 group membership reduction messages
0 router solicit messages
0 router advertisement messages
0 neighbor solicit messages
0 neighbor advertisement messages
0 redirect messages
ICMPv6 sent
22 output
0 destination unreachable messages
0 packet too big messages
0 time exceeded messages
0 parameter problem message
0 echo request messages
0 echo reply messages
6 router solicit messages
10 neighbor solicit messages
0 neighbor advertisement messages
0 redirect messages
0 group membership response messages
0 group membership reduction messages
UDP Statistics:
0 input
0 no port errors
0 other errors
0 output
Console#
Table 124: show ipv6 traffic - display description
Field - Description
IPv6 Statistics
IPv6 received
total received - The total number of input datagrams received by the interface, including those received in error.
header errors - The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
too big errors - The number of input datagrams that could not be forwarded because their size exceeded the link MTU of the outgoing interface.
no routes - The number of input datagrams discarded because no route could be found to transmit them to their destination.
address errors - The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., ::0) and unsupported addresses (e.g., addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.
unknown protocols - The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol. This counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.
truncated packets - The number of input datagrams discarded because the datagram frame didn't carry enough data.
discards - The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.
delivers - The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.
reassembly request datagrams - The number of IPv6 fragments received which needed to be reassembled at this interface. Note that this counter is incremented at the interface to which these fragments were addressed, which might not necessarily be the input interface for some of the fragments.
reassembly succeeded - The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the fragments.
reassembly failed - The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received. This counter is incremented at the interface to which these fragments were addressed, which might not necessarily be the input interface for some of the fragments.
IPv6 sent
forwarded datagrams - The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful. Note that for a successfully forwarded datagram the counter of the outgoing interface is incremented.
requests - The total number of IPv6 datagrams which local IPv6 user-protocols (including ICMP) supplied to IPv6 in requests for transmission. Note that this counter does not include any datagrams counted in ipv6IfStatsOutForwDatagrams.
discards - The number of output IPv6 datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (e.g., for lack of buffer space). Note that this counter would include datagrams counted in ipv6IfStatsOutForwDatagrams if any such packets met this (discretionary) discard criterion.
no routes - The number of input datagrams discarded because no route could be found to transmit them to their destination.
generated fragments - The number of output datagram fragments that have been generated as a result of fragmentation at this output interface.
fragment succeeded - The number of IPv6 datagrams that have been successfully fragmented at this output interface.
fragment failed - The number of IPv6 datagrams that have been discarded because they needed to be fragmented at this output interface but could not be.
ICMPv6 Statistics
ICMPv6 received
input - The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed, which may not necessarily be the input interface for the messages.
errors - The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).
destination unreachable messages - The number of ICMP Destination Unreachable messages received by the interface.
packet too big messages - The number of ICMP Packet Too Big messages received by the interface.
time exceeded messages - The number of ICMP Time Exceeded messages received by the interface.
parameter problem message - The number of ICMP Parameter Problem messages received by the interface.
echo request messages - The number of ICMP Echo (request) messages received by the interface.
echo reply messages - The number of ICMP Echo Reply messages received by the interface.
redirect messages - The number of Redirect messages received by the interface.
group membership query messages - The number of ICMPv6 Group Membership Query messages received by the interface.
group membership response messages - The number of ICMPv6 Group Membership Response messages received by the interface.
group membership reduction messages - The number of ICMPv6 Group Membership Reduction messages received by the interface.
router solicit messages - The number of ICMP Router Solicit messages received by the interface.
router advertisement messages - The number of ICMP Router Advertisement messages received by the interface.
neighbor solicit messages - The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages - The number of ICMP Neighbor Advertisement messages received by the interface.
redirect messages - The number of Redirect messages received by the interface.
ICMPv6 sent
output - The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
destination unreachable messages - The number of ICMP Destination Unreachable messages sent by the interface.
packet too big messages - The number of ICMP Packet Too Big messages sent by the interface.
time exceeded messages - The number of ICMP Time Exceeded messages sent by the interface.
parameter problem message - The number of ICMP Parameter Problem messages sent by the interface.
echo request messages - The number of ICMP Echo (request) messages sent by the interface.
echo reply messages - The number of ICMP Echo Reply messages sent by the interface.
router solicit messages - The number of ICMP Router Solicitation messages sent by the interface.
neighbor advertisement messages - The number of ICMP Router Advertisement messages sent by the interface.
redirect messages - The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.
group membership response messages - The number of ICMPv6 Group Membership Response messages sent.
group membership reduction messages - The number of ICMPv6 Group Membership Reduction messages sent.
UDP Statistics
input - The total number of UDP datagrams delivered to UDP users.
no port errors - The total number of received UDP datagrams for which there was no application at the destination port.
other errors - The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output - The total number of UDP datagrams sent from this entity.
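The counters above are only useful for troubleshooting or detection when they are compared over time. The following added Python example (not part of this guide or the switch software) parses the show ipv6 traffic listing into a nested dictionary, computes the increase between two snapshots taken some interval apart (or since clear ipv6 traffic), and reports the counters an operator would normally want alerted on: received router advertisements and redirects on a segment where the switch should not be seeing them, and header or address errors. The two snapshots are constructed from the example output above, trimmed to the sections the checks use; the parser accepts the full listing.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the example output above, reduced to the lines used here.
SAMPLE_BEFORE = """\
IPv6 Statistics:
IPv6 received
0 total received
0 header errors
0 address errors
0 discards
IPv6 sent
0 forwarded datagrams
22 requests
ICMPv6 Statistics:
ICMPv6 received
0 input
0 errors
0 router advertisement messages
0 redirect messages
0 neighbor solicit messages
0 redirect messages
ICMPv6 sent
22 output
6 router solicit messages
10 neighbor solicit messages
UDP Statistics:
0 input
0 no port errors
0 output
"""

# Constructed second snapshot: 12 router advertisements and 3 redirects have arrived.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("0 total received", "40 total received") \
    .replace("22 requests", "25 requests").replace("0 input\n0 errors", "15 input\n0 errors") \
    .replace("0 router advertisement messages", "12 router advertisement messages") \
    .replace("0 neighbor solicit messages\n0 redirect messages",
             "0 neighbor solicit messages\n3 redirect messages") \
    .replace("22 output", "25 output").replace("10 neighbor solicit", "13 neighbor solicit")

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
Stats = Dict[str, Dict[str, int]]


def parse_ipv6_traffic(text: str) -> Stats:
    """{section: {counter name: value}} from the CLI listing.

    A line without a leading number opens a section ("IPv6 received",
    "ICMPv6 sent", "UDP Statistics"); a trailing colon is dropped. When a
    name repeats inside one section (the switch prints "redirect messages"
    twice under ICMPv6 received) the values are summed."""
    stats: Stats = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Console"):
            continue
        m = COUNTER_RE.match(line)
        if m is None:
            section = line.rstrip(":")
            stats.setdefault(section, {})
            continue
        if section is None:
            continue
        value, name = int(m.group(1)), m.group(2)
        stats[section][name] = stats[section].get(name, 0) + value
    return stats


def counter_deltas(before: Stats, after: Stats) -> Dict[Tuple[str, str], int]:
    """Increase of every counter between two snapshots (unchanged ones omitted)."""
    deltas = {}
    for section, counters in after.items():
        for name, value in counters.items():
            change = value - before.get(section, {}).get(name, 0)
            if change:
                deltas[(section, name)] = change
    return deltas


# Counters worth an alert on a switch that does not expect them from its segment.
WATCH = {
    ("ICMPv6 received", "router advertisement messages"),
    ("ICMPv6 received", "redirect messages"),
    ("IPv6 received", "header errors"),
    ("IPv6 received", "address errors"),
}


def flag_watched(deltas, watch=WATCH):
    """Sorted list of (counter, increase) for watched counters that moved."""
    return sorted((k, v) for k, v in deltas.items() if k in watch)


if __name__ == "__main__":
    d = counter_deltas(parse_ipv6_traffic(SAMPLE_BEFORE), parse_ipv6_traffic(SAMPLE_AFTER))
    for (section, name), inc in flag_watched(d):
        print(f"ALERT {section}: {name} +{inc}")
```

In practice the two snapshots come from two runs of show ipv6 traffic captured over the management session; the parser ignores the Console# prompt lines so the raw capture can be fed in directly.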
clear ipv6 traffic
This command resets IPv6 traffic counters.
Command Mode
Privileged Exec
Command Usage
This command resets all of the counters displayed by the show ipv6 traffic command.
Example
Console#clear ipv6 traffic
Console#
ping6
This command sends (IPv6) ICMP echo request packets to another node on the network.
Syntax
ping6 { ipv6-address | host-name } [ count count ] [ size size ]
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
host-name - A host name string which can be resolved into an IPv6 address through a domain name server.
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet. (Range: 48-18024 bytes)
The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Default Setting
count: 5
size: 100 bytes
Command Mode
Privileged Exec
Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
◆ When pinging a host name, be sure the DNS server has been enabled (see page 524). If necessary, local devices can also be specified in the DNS static host table (see page 526).
◆ When using ping6 with a host name, the router first attempts to resolve the alias into an IPv6 address before trying to resolve it into an IPv4 address.
Example
Console#ping6 FE80::2E0:CFF:FE00:FC%1/64
Type ESC to abort.
PING to FE80::2E0:CFF:FE00:FC%1/64, by 5 32-byte payload ICMP packets, timeout is 3 seconds
response time: 20 ms [FE80::2E0:CFF:FE00:FC] seq_no: 1
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 2
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 3
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5
Ping statistics for FE80::2E0:CFF:FE00:FC%1/64:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms
Console#
Neighbor Discovery
ipv6 hop-limit
This command configures the maximum number of hops used in router advertisements that are originated by this router. Use the no form to restore the default setting.
Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
hops - The maximum number of hops in router advertisements and all IPv6 packets. (Range: 1-255)
Default Setting
1
Command Mode
Interface Configuration (VLAN)
Example
The following sets the hop limit for router advertisements to 64:
Console(config)#interface vlan 1
Console(config-if)#ipv6 hop-limit 64
Console(config-if)#
ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.
Syntax
ipv6 nd dad attempts count
no ipv6 nd dad attempts
count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface. (Range: 0-600)
Default Setting
3
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Configuring a value of 0 disables duplicate address detection.
◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
◆ Duplicate address detection is stopped on any interface that has been suspended (see the vlan command). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state. Duplicate address detection is automatically restarted when the interface is administratively re-activated.
◆ An interface that is re-activated restarts duplicate address detection for all unicast IPv6 addresses on the interface. While duplicate address detection is performed on the interface’s link-local address, the other IPv6 addresses remain in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
◆ If a duplicate address is detected, it is set to “duplicate” state, and a warning message is sent to the console. If a duplicate link-local address is detected, IPv6 processes are disabled on the interface. If a duplicate global unicast address is detected, it is not used. All configuration commands associated with a duplicate address remain configured while the address is in “duplicate” state.
◆ If the link-local address for an interface is changed, duplicate address detection is performed on the new link-local address, but not for any of the IPv6 global unicast addresses already associated with the interface.
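The sequence laid out in these usage notes, modelled as an added Python example (this is illustrative code, not part of this guide or the switch firmware): the link-local address is probed first while the other addresses stay tentative, a duplicate link-local address disables IPv6 on the interface, a duplicate global address is marked duplicate and not used, a suspended interface leaves every address pending, and 0 attempts disables detection. The model also returns how many neighbor solicitations were sent and how long the addresses stayed under detection, which is attempts multiplied by the ND retransmit interval per round. The set of addresses "already in use" stands in for the neighbors that would answer the solicitations; that set and all names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DadResult:
    states: Dict[str, str]   # address -> pending | tentative | preferred | duplicate
    ipv6_enabled: bool       # False once the link-local address proves to be a duplicate
    solicitations_sent: int  # neighbor solicitations the interface transmitted
    duration_ms: int         # time the addresses spent under detection


def run_dad(link_local: str, global_addrs: List[str], attempts: int,
            ns_interval_ms: int, addresses_in_use: Set[str],
            interface_suspended: bool = False) -> DadResult:
    """Model of the DAD procedure: 'attempts' is ipv6 nd dad attempts,
    'ns_interval_ms' is the ND retransmit interval (ipv6 nd ns-interval).
    'addresses_in_use' (constructed) represents neighbors that would reply
    to a solicitation for a tentative address."""
    in_use = {ipaddress.IPv6Address(a) for a in addresses_in_use}
    states = {a: "tentative" for a in [link_local, *global_addrs]}
    if interface_suspended:          # suspended interface: everything pending
        return DadResult({a: "pending" for a in states}, True, 0, 0)
    if attempts == 0:                # a value of 0 disables detection
        return DadResult({a: "preferred" for a in states}, True, 0, 0)

    sent = 0
    rounds = 0

    def probe(addr: str) -> bool:
        """Send 'attempts' solicitations; True when nobody claims the address."""
        nonlocal sent
        sent += attempts
        return ipaddress.IPv6Address(addr) not in in_use

    rounds += 1                      # round 1: link-local address only
    if not probe(link_local):
        states[link_local] = "duplicate"
        # IPv6 processing is disabled; the other addresses never leave tentative.
        return DadResult(states, False, sent, rounds * attempts * ns_interval_ms)
    states[link_local] = "preferred"

    if global_addrs:                 # round 2: the remaining addresses
        rounds += 1
        for g in global_addrs:
            states[g] = "preferred" if probe(g) else "duplicate"
    return DadResult(states, True, sent, rounds * attempts * ns_interval_ms)


if __name__ == "__main__":
    # Addresses and settings from the example that follows this section:
    # 5 attempts at the default 1000 ms interval, nothing conflicting.
    r = run_dad("FE80::200:E8FF:FE90:0", ["2009:DB9:2229::79"], 5, 1000, set())
    print(r.states, "IPv6 enabled:", r.ipv6_enabled,
          "solicitations:", r.solicitations_sent, "ms:", r.duration_ms)
```

With the five attempts configured in the example below, the switch keeps the addresses TENTATIVE (and reports IPv6 as stalled) for several seconds; raising attempts or the retransmit interval lengthens that window proportionally.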
Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is stalled.
Link-local address:
FE80::200:E8FF:FE90:0/64 [TENTATIVE]
Global unicast address(es):
2009:DB9:2229::79, subnet is 2009:DB9:2229:0::/64 [TENTATIVE]
Joined group address(es):
FF01::1/16
FF02::1/16
FF02::1:FF00:79/104
FF02::1:FF90:0/104
MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 5.
ND retransmit interval is 1000 milliseconds
Console#
Related Commands ipv6 nd ns-interval (568) show ipv6 neighbors (570)
ipv6 nd ns-interval
This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.
Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval
milliseconds - The interval between transmitting IPv6 neighbor solicitation messages. (Range: 1000-3600000)
Default Setting
1000 milliseconds is used for neighbor discovery operations
0 milliseconds is advertised in router advertisements
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself.
◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.
◆ Setting the neighbor solicitation interval to 0 means that the configured time is unspecified by this router.
Example
The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ns-interval 30000
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
FE80::200:E8FF:FE90:0/64
Global unicast address(es):
2009:DB9:2229::79, subnet is 2009:DB9:2229:0::/64
Joined group address(es):
FF01::1/16
FF02::1/16
FF02::1:FF00:79/104
FF02::1:FF90:0/104
MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 5.
ND retransmit interval is 30000 milliseconds
ND router advertisements are sent every 30 seconds
Console#
Related Commands show running-config (84)
ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred.
Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time
milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability. (Range: 1000-3600000)
Default Setting
30000 milliseconds is used for neighbor discovery operations
0 milliseconds is advertised in router advertisements
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ The time limit configured by this parameter allows the router to detect unavailable neighbors. During the neighbor discovery process, an IPv6 node will multicast neighbor solicitation messages to search for neighbor nodes. For a neighbor node to be considered reachable, it must respond to the soliciting node with a neighbor advertisement message to become a confirmed neighbor, after which the reachable timer will be considered in effect for subsequent unicast IPv6 layer communications.
◆ This time limit is included in all router advertisements sent out through an interface, ensuring that nodes on the same link use the same time value.
◆ Setting the time limit to 0 means that the configured time is unspecified by this router.
Example
The following sets the reachable time for a remote node to 1000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd reachable-time 1000
Console(config-if)#
clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
Command Mode
Privileged Exec
Example
The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
Syntax
show ipv6 neighbors [ vlan vlan-id | ipv6-address ]
vlan-id - VLAN ID (Range: 1-4093)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Default Setting
All IPv6 neighbor discovery cache entries are displayed.
Command Mode
Privileged Exec
Example
The following shows all known IPv6 neighbors for this switch:
Console#show ipv6 neighbors
IPv6 Address Age Link-layer Addr State VLAN
======================================= ========== ================= ===== ====
2001:DB8:2222:7272::73 17 b4-0e-dc-34-96-08 REACH 1
FE80::B60E:DCFF:FE34:9608 7 b4-0e-dc-34-96-08 REACH 1
Console#
Table 125: show ipv6 neighbors - display description
Field - Description
IPv6 Address - IPv6 address of neighbor.
Age - The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.”
Link-layer Addr - Physical layer MAC address.
State - The following states are used for dynamic entries:
INCMP (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
REACH (Reachable) - Positive confirmation was received within the last ReachableTime interval that the forward path to the neighbor was functioning. While in REACH state, the device takes no special action when sending packets.
STALE - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. While in STALE state, the device takes no action until a packet is sent.
DELAY - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. A packet was sent within the last DELAY_FIRST_PROBE_TIME interval. If no reachability confirmation is received within this interval after entering the DELAY state, the switch will send a neighbor solicitation message and change the state to PROBE.
PROBE - A reachability confirmation is actively sought by resending neighbor solicitation messages every RetransTimer interval until confirmation of reachability is received.
UNKNO - Unknown state.
The following states are used for static entries:
INCMP (Incomplete) - The interface for this entry is down.
REACH (Reachable) - The interface for this entry is up. Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache.
VLAN - VLAN interface from which the address was reached.
Related Commands show mac-address-table (363)
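The dynamic-entry states in Table 125 form the neighbor unreachability detection state machine of RFC 4861. The following added Python example (not part of this guide or the switch software) walks one cache entry through INCMP, REACH, STALE, DELAY and PROBE using the ReachableTime and RetransTimer defaults from the ipv6 nd reachable-time and ipv6 nd ns-interval commands above, and removes the entry when the probes go unanswered. The DELAY_FIRST_PROBE_TIME (5 seconds) and MAX_UNICAST_SOLICIT (3) constants are RFC 4861 values that the guide does not state; the class and method names, and the timestamps used in the walk-through, are the example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

DELAY_FIRST_PROBE_TIME_MS = 5000   # RFC 4861 protocol constant (not stated on this page)
MAX_UNICAST_SOLICIT = 3            # RFC 4861 protocol constant (not stated on this page)


@dataclass
class NeighborEntry:
    """One dynamic entry of the IPv6 neighbor cache; times are milliseconds."""
    ipv6: str
    reachable_time_ms: int = 30000   # ipv6 nd reachable-time default
    retrans_timer_ms: int = 1000     # ipv6 nd ns-interval default
    state: str = "INCMP"
    lladdr: Optional[str] = None
    last_confirmed: int = 0          # when reachability was last confirmed
    timer_start: int = 0             # start of the running DELAY or PROBE timer
    probes_sent: int = 0
    log: List[str] = field(default_factory=list)

    def start_resolution(self, now: int) -> str:
        """Multicast NS to the solicited-node group; entry waits in INCMP."""
        self.state, self.timer_start, self.probes_sent = "INCMP", now, 1
        self.log.append(f"{now}: NS -> solicited-node multicast (INCMP)")
        return self.state

    def confirm(self, now: int, lladdr: Optional[str] = None) -> str:
        """Solicited NA (or upper-layer confirmation) received: back to REACH."""
        if lladdr:
            self.lladdr = lladdr
        self.state, self.last_confirmed, self.probes_sent = "REACH", now, 0
        self.log.append(f"{now}: reachability confirmed (REACH)")
        return self.state

    def send_packet(self, now: int) -> str:
        """A packet is about to be sent to the neighbor: STALE becomes DELAY."""
        self.tick(now)
        if self.state == "STALE":
            self.state, self.timer_start = "DELAY", now
            self.log.append(f"{now}: packet sent while STALE -> DELAY")
        return self.state

    def tick(self, now: int) -> str:
        """Advance the timers to 'now' and return the resulting state."""
        if self.state == "REACH" and now - self.last_confirmed > self.reachable_time_ms:
            self.state = "STALE"
            self.log.append(f"{now}: ReachableTime elapsed -> STALE")
        if self.state == "DELAY" and now - self.timer_start >= DELAY_FIRST_PROBE_TIME_MS:
            self.timer_start += DELAY_FIRST_PROBE_TIME_MS
            self.state, self.probes_sent = "PROBE", 1
            self.log.append(f"{self.timer_start}: no confirmation in DELAY -> PROBE, unicast NS #1")
        while self.state == "PROBE" and now - self.timer_start >= self.retrans_timer_ms:
            if self.probes_sent >= MAX_UNICAST_SOLICIT:
                self.state = "DELETED"
                self.log.append(f"{now}: {MAX_UNICAST_SOLICIT} probes unanswered -> entry deleted")
                break
            self.timer_start += self.retrans_timer_ms
            self.probes_sent += 1
            self.log.append(f"{self.timer_start}: unicast NS #{self.probes_sent} (PROBE)")
        return self.state


if __name__ == "__main__":
    # Walk-through with the neighbor from the show ipv6 neighbors example above.
    e = NeighborEntry("2001:DB8:2222:7272::73")
    e.start_resolution(0)
    e.confirm(20, "b4-0e-dc-34-96-08")
    for t in (30021, 31000, 36000, 37000, 39000):
        e.send_packet(t) if t == 31000 else e.tick(t)
    print("\n".join(e.log), "\nfinal state:", e.state)
```

The walk-through shows why a long ipv6 nd ns-interval matters: the interval sets both the spacing of the unicast probes and how long a dead neighbor lingers in PROBE before its entry is removed.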
26 IP Routing Commands
After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
However, to forward traffic to devices on other subnetworks, either configure fixed paths with static routing commands, or enable a dynamic routing protocol that exchanges information with other routers on the network to automatically determine the best path to any subnetwork.
This section includes commands for both static and dynamic routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Table 203: IP Routing Commands
Command Group - Function
Global Routing Configuration - Configures global parameters for static and dynamic routing, displays the routing table and statistics for protocols used to exchange routing information
Global Routing Configuration
Table 204: Global Routing Configuration Commands
Command - Function - Mode
ip route - Configures static routes - GC
show ip route - Displays specified entries in the routing table - PE
show ip route database - Displays static or dynamically learned entries in the routing table - PE
show ip route summary - Displays summary information for the routing table - PE
– 573 –
Chapter 26 | IP Routing Commands
Global Routing Configuration
IPv4 Commands
ip route
This command configures static routes. Use the no form to remove static routes.
Syntax
ip route destination-ip netmask next-hop [ distance ]
no ip route { destination-ip netmask next-hop | * }
destination-ip - IP address of the destination network, subnetwork, or host.
netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
next-hop - IP address of the next hop router used for this route.
distance - An administrative distance indicating that this route can be overridden by other routing information. (Range: 1-255, Default: 1)
* - Removes all static routing table entries.
Default Setting
No static routes are configured.
Command Mode
Global Configuration
Command Usage
◆ Up to 24 static routes can be configured.
◆ If an administrative distance is defined for a static route, and the same destination can be reached through a dynamic route at a lower administrative distance, then the dynamic route will be used.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
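The route selection rules in these usage notes, as an added Python example (this is illustrative code, not the switch's routing implementation): a small routing table that accepts ip route and no ip route in the syntax above, enforces the distance range and the 24-route limit, and on lookup prefers the lowest administrative distance and, on a tie, the route stored first. Longest-prefix matching is applied before the distance comparison; that is the standard IP forwarding rule rather than something this page states. The dynamic routes, their distances and all class and function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

STATIC_DISTANCE_DEFAULT = 1
MAX_STATIC_ROUTES = 24            # limit stated for this switch


@dataclass
class Route:
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    distance: int                 # administrative distance
    source: str                   # "static" or the name of the dynamic protocol
    order: int                    # position in which the route was stored


class RoutingTable:
    def __init__(self):
        self.routes: List[Route] = []

    def add(self, network: str, next_hop: str, distance: int, source: str) -> Route:
        """Store a route; 'network' accepts both prefix-length and netmask notation."""
        net = ipaddress.IPv4Network(network, strict=False)
        route = Route(net, ipaddress.IPv4Address(next_hop), distance, source, len(self.routes))
        self.routes.append(route)
        return route

    def ip_route(self, destination_ip: str, netmask: str, next_hop: str,
                 distance: int = STATIC_DISTANCE_DEFAULT) -> Route:
        """ip route destination-ip netmask next-hop [distance]"""
        if not 1 <= distance <= 255:
            raise ValueError("distance must be in the range 1-255")
        if sum(r.source == "static" for r in self.routes) >= MAX_STATIC_ROUTES:
            raise ValueError(f"at most {MAX_STATIC_ROUTES} static routes can be configured")
        return self.add(f"{destination_ip}/{netmask}", next_hop, distance, "static")

    def no_ip_route(self, destination_ip: Optional[str] = None,
                    netmask: Optional[str] = None, next_hop: Optional[str] = None) -> None:
        """no ip route {destination-ip netmask next-hop | *}; no arguments means '*'."""
        if destination_ip is None:
            self.routes = [r for r in self.routes if r.source != "static"]
            return
        net = ipaddress.IPv4Network(f"{destination_ip}/{netmask}", strict=False)
        nh = ipaddress.IPv4Address(next_hop)
        self.routes = [r for r in self.routes
                       if not (r.source == "static" and r.network == net and r.next_hop == nh)]

    def lookup(self, destination: str) -> Optional[Route]:
        """Route used for a destination host, or None when no route covers it."""
        dst = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if dst in r.network]
        if not candidates:
            return None
        # Longest prefix first; then the lowest administrative distance;
        # if that still ties, the route stored first wins.
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance, r.order))


if __name__ == "__main__":
    rt = RoutingTable()
    rt.ip_route("10.2.0.0", "255.255.0.0", "192.168.1.254", 200)   # static, overridable
    rt.add("10.2.0.0/16", "192.168.1.253", 110, "ospf")             # constructed dynamic route
    chosen = rt.lookup("10.2.9.9")
    print(f"10.2.9.9 via {chosen.next_hop} ({chosen.source}, distance {chosen.distance})")
```

Running the script shows the dynamic route winning because the static route was given a distance of 200; with the default distance of 1 the static route would be chosen instead.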
Example
This example forwards all