How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
How to Use This Guide Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Logging Onto the Command Line Interface Setting Passwords Remote Connections Configuring the Switch for Remote Management Setting an IP Address Enabling SNMP Management Access Managing System Files...
Contents Configuring NTP Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
Contents 4 System Management Commands Device Designation hostname System Status show access-list tcam-utilization show memory show process cpu show running-config show startup-config show system show users show version Frame Size jumbo frame File Management General Commands boot system copy delete whichboot Automatic Code Upgrade Commands upgrade opcode auto...
Contents stopbits timeout login response disconnect show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands...
Contents periodic show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 5 SNMP Commands General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host SNMPv3 Commands...
Contents show snmp notify-filter 6 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 7 Authentication Commands User Accounts enable password username Authentication Sequence authentication enable authentication login RADIUS Client...
Contents aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting Web Server ip http port ip http server ip http secure-port ip http secure-server Telnet Server ip telnet max-sessions ip telnet port ip telnet server show ip telnet Secure Shell ip ssh authentication-retries...
Contents IP Source Guard ip source-guard binding ip source-guard ip source-guard max-binding show ip source-guard show ip source-guard binding ARP Inspection ip arp inspection ip arp inspection filter ip arp inspection log-buffer logs ip arp inspection validate ip arp inspection vlan ip arp inspection limit ip arp inspection trust show ip arp inspection configuration...
Contents IPv6 ACLs access-list ipv6 permit, deny, redirect-to (Standard IPv6 ACL) permit, deny, redirect-to (Extended IPv6 ACL) show ipv6 access-list ipv6 access-group show ipv6 access-group MAC ACLs access-list mac permit, deny, redirect-to (MAC ACL) mac access-group show mac access-group show mac access-list ARP ACLs access-list arp permit, deny (ARP ACL)
Contents show interfaces counters show interfaces status show interfaces switchport show interfaces transceiver Cable Diagnostics test cable-diagnostics show cable-diagnostics Power Savings power-save show power-save 11 Link Aggregation Commands Manual Configuration Commands channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel)
Contents show port monitor RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 14 Congestion Control Commands Rate Limit Commands rate-limit Storm Control Commands switchport packet-rate Automatic Traffic Control Commands Threshold Commands auto-traffic-control apply-timer auto-traffic-control release-timer auto-traffic-control auto-traffic-control action...
Contents spanning-tree port-priority spanning-tree root-guard spanning-tree spanning-disabled spanning-tree loopback-detection release spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration 17 VLAN Commands GVRP and Bridge Extension Commands bridge-ext gvrp garp timer switchport forbidden vlan switchport gvrp show bridge-ext show garp timer show gvrp configuration Editing VLAN Groups vlan database...
Contents Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group Configuring IP Subnet VLANs subnet-vlan show subnet-vlan Configuring MAC Based VLANs mac-vlan show mac-vlan Configuring Voice VLANs voice vlan voice vlan aging voice vlan mac-address switchport voice vlan switchport voice vlan priority...
Contents show qos map phb-queue show qos map trust-mode 19 Quality of Service Commands class-map description match rename policy-map class police flow police srtcm-color police trtcm-color set cos set ip dscp set phb service-policy show class-map show policy-map show policy-map interface 20 Multicast Filtering Commands IGMP Snooping ip igmp snooping...
Contents ip igmp snooping vlan last-memb-query-count ip igmp snooping vlan last-memb-query-intvl ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static show ip igmp snooping show ip igmp snooping group show ip igmp snooping mrouter Static Multicast Routing...
Contents clear cdp table show cdp show cdp interface show cdp neighbors 23 Domain Name Service Commands ip domain-list ip domain-lookup ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache show hosts 24 DHCP Commands DHCP Client DHCP for IPv4...
Contents show ip traffic traceroute ping ARP Configuration ip proxy-arp clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address autoconfig ipv6 address eui-64 ipv6 address link-local ipv6 enable ipv6 mtu show ipv6 default-gateway show ipv6 interface show ipv6 mtu show ipv6 traffic...
The GNU General Public License GNU Lesser General Public License, version 3.0 The BSD License Open Source Software Used ISC License C Customer Support Motorola Solutions Enterprise Mobility Support Center Customer Support Web Site Manuals Glossary Index of CLI Commands Index...
Figures Figure 1: Storm Control by Limiting the Traffic Rate Figure 2: Storm Control by Shutting Down a Port Figure 3: Configuring VLAN Trunking...
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP. This section includes these chapters: ◆ "Initial Switch Configuration" on page 35...
Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Passwords can consist of up to 32 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows: Open the console interface with the default user name “motorola” and password “admin” to access the Privileged Exec level. Then, from global configuration mode, set a new password for the administrator account (the “0” keyword indicates that the password that follows is entered in plain text):
Console(config)#username motorola password 0 [password] Console(config)#
The switch also ships with a default “guest” account whose password is “guest” (see Chapter 2). Change that password in the same way, because both factory credentials are published in this manual and will be tried by anyone who finds the switch on the network.
* This manual covers both the EX-3524 and EX-3548 Gigabit Ethernet PoE/PoE+ switches. Other than the difference in the number of ports, there are no other significant differences. Therefore nearly all of the screen display examples are based on the EX-3524.
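The following Python script is an added example and is not part of this manual or the switch software. It generates passwords that satisfy the switch's rule of up to 32 alphanumeric, case-sensitive characters, rejects the factory credentials quoted in this manual (motorola/admin and guest/guest, assumed here to be the complete set of default accounts), and builds the corresponding username commands. The 16-character minimum is a local policy choice, not a switch limit.

```python
# Added example (not from the EX-3524 manual): generate and check passwords
# for the "username <name> password 0 <password>" command. The switch
# accepts up to 32 alphanumeric, case-sensitive characters.
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
MAX_LENGTH = 32

# Factory credentials quoted in this manual. Assumed here to be the
# complete set of default accounts.
DEFAULT_CREDENTIALS = {"motorola": "admin", "guest": "guest"}


def generate_switch_password(length: int = MAX_LENGTH) -> str:
    """Return a random password that the switch will accept."""
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH}")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def password_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random alphanumeric password of this length."""
    return length * math.log2(len(ALPHANUMERIC))


def check_credential(username: str, password: str, min_length: int = 16) -> list:
    """Return the policy problems found (an empty list means acceptable).

    min_length is a local policy choice, not a switch limit.
    """
    problems = []
    if DEFAULT_CREDENTIALS.get(username) == password:
        problems.append("factory default password still in use")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters; the switch rejects it")
    if not (password.isascii() and password.isalnum()):
        problems.append("contains characters outside A-Z, a-z and 0-9")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() == username.lower():
        problems.append("equal to the user name")
    return problems


def username_commands(credentials: dict) -> list:
    """Build the Global Configuration commands that set the given passwords,
    refusing any credential that fails check_credential()."""
    commands = []
    for user, password in credentials.items():
        problems = check_credential(user, password)
        if problems:
            raise ValueError(f"{user}: " + "; ".join(problems))
        commands.append(f"username {user} password 0 {password}")
    return commands


if __name__ == "__main__":
    new = {user: generate_switch_password() for user in DEFAULT_CREDENTIALS}
    print(f"{password_entropy_bits(MAX_LENGTH):.0f} bits of entropy per password")
    for command in username_commands(new):
        print(command)
```

Because the character set excludes punctuation, length is the only lever for strength: a full 32-character random password gives about 190 bits, which is more than enough, while an 8-character one gives under 48. Paste the generated commands over the console session rather than over Telnet, which carries them in clear text.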
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Configuring the Switch for Remote Management Setting an IP Address You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways: ◆...
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway”...
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Joined Group Address(es): FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console# Address for Multi-segment Network —...
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Link-Local Address: FE80::260:3EFF:FE11:6700/64 Global Unicast Address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined Group Address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console#show ipv6 default-gateway...
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>. Then save your configuration changes by typing “copy running-config startup-config”.
Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages.
“mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.) To remove an existing string, simply type “no snmp-server community string”, where “string” is the community access string to remove. Press <Enter>. Console(config)#snmp-server community motorola rw Console(config)#snmp-server community private Console(config)# Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. SNMPv1 and v2c community strings cross the network in clear text and are the only credential those versions check, so a read/write string gives full configuration access to anyone who can sniff or guess it; prefer SNMPv3 with authentication and privacy for management access.
Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Trap Receivers You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command. From the Privileged Exec level global configuration mode prompt, type: “snmp-server host host-address community-string [version {1 | 2c | 3 {auth | noauth | priv}}]”...
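The script below is an added example, not part of this manual, covering both the community-string note above and the trap receiver settings. It parses the snmp-server lines of a saved running-config (a constructed sample is embedded), flags factory community strings and read/write strings, flags trap receivers that still send a community string over SNMPv1/v2c, and emits the "no snmp-server community" commands to remove the defaults. The factory strings "public" and "private" are an assumption; confirm them with "show snmp" on your own switch. A host line without a version keyword is reported with the switch default assumed to be version 1.

```python
# Added example (not from the manual): audit the SNMP lines of a running
# configuration for community strings and trap receivers that leave
# SNMPv1/v2c management open. Community strings are the only credential
# those versions check and they cross the network in clear text.
import re

# Assumed factory community strings; confirm with "show snmp" on your switch.
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?$")
HOST_RE = re.compile(
    r"^snmp-server host (\S+) (\S+)(?: version (1|2c|3)(?: (auth|noauth|priv))?)?"
)

# Constructed sample, not captured from a real switch.
SAMPLE_RUNNING_CONFIG = """\
!
snmp-server community public
snmp-server community private rw
snmp-server community k7Qm2vXp9Lr4 ro
snmp-server host 192.168.1.50 public version 2c
snmp-server host 192.168.1.51 nmsuser version 3 priv
!
"""


def parse_snmp_config(config_text: str):
    """Return ({community: mode}, [trap receivers]) from running-config text."""
    communities = {}
    hosts = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities[m.group(1)] = m.group(2) or "ro"  # default mode is read only
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append({
                "address": m.group(1),
                "name": m.group(2),       # community (v1/v2c) or user name (v3)
                "version": m.group(3),    # None when the switch default applies
                "security": m.group(4),   # only meaningful for version 3
            })
    return communities, hosts


def audit_snmp(communities: dict, hosts: list) -> list:
    """Return a list of human-readable findings."""
    findings = []
    for name, mode in communities.items():
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"community '{name}' is a factory default ({mode})")
        if mode == "rw":
            findings.append(f"community '{name}' grants read/write access over SNMPv1/v2c")
    for h in hosts:
        if h["version"] == "3":
            if h["security"] != "priv":
                findings.append(f"trap receiver {h['address']} uses SNMPv3 without privacy")
        else:
            version = h["version"] or "1 (assumed switch default)"
            findings.append(
                f"trap receiver {h['address']} sends community '{h['name']}' "
                f"in clear text (SNMPv{version})"
            )
    return findings


def remediation_commands(communities: dict) -> list:
    """Global Configuration commands that remove the factory community strings."""
    return [f"no snmp-server community {name}"
            for name in communities if name in DEFAULT_COMMUNITIES]


if __name__ == "__main__":
    comms, trap_hosts = parse_snmp_config(SAMPLE_RUNNING_CONFIG)
    for finding in audit_snmp(comms, trap_hosts):
        print("FINDING:", finding)
    for command in remediation_commands(comms):
        print("FIX:", command)
```

Run it against the output of "show running-config" copied from the console. Removing a default string that a trap receiver still references also silences that receiver, so re-create the receiver with "snmp-server host ... version 3 priv" and an SNMPv3 user before deleting the string.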
Chapter 1 | Initial Switch Configuration Managing System Files Managing System Files The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
Upgrading the Operation Code: The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy running-config startup-config”...
Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings Downloading Operation Code: Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
(“”) will be used for the connection. This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://motorola:billy@192.168.0.1/sm24/ Console(config)# Note that FTP sends the user name and password in clear text, and a password embedded in the path is part of the configuration and appears wherever the path is displayed, so use a dedicated account on the file server that has read-only access to the firmware directory rather than an administrator's credentials.
Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings Set the switch to automatically reboot and load the new code after the opcode upgrade is completed. Console(config)#upgrade opcode reload Console(config)# Set the switch to automatically upgrade the current operational code when a new version is detected on the server.
Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.
Chapter 1 | Initial Switch Configuration Configuring Automatic Installation of Operation Code and Configuration Settings To successfully transmit a bootup configuration file to the switch the DHCP daemon (using a Linux based system for this example) must be configured with the following information: ◆...
Chapter 1 | Initial Switch Configuration Setting the System Clock To set the time shift for summer time, enter a command similar to the following. Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 Console(config)# To display the clock configuration settings, enter the following command. Console#show calendar Current Time : Apr...
Chapter 1 | Initial Switch Configuration Setting the System Clock Console(config)#ntp server 192.168.3.21 Console(config)#ntp server 192.168.5.23 key 19 Console(config)#exit Console#show ntp Current Time : Apr 29 13:57:32 2011 Polling : 1024 seconds Current Mode : unicast NTP Status : Enabled NTP Authenticate Status : Enabled Last Update NTP Server...
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ “General Commands” on page 73 ◆ “System Management Commands” on page 81 ◆...
Section II | Command Line Interface ◆ “Quality of Service Commands” on page 441 ◆ “Multicast Filtering Commands” on page 459 ◆ “LLDP Commands” on page 493 ◆ “CDP Commands” on page 517 ◆ “Domain Name Service Commands” on page 523 ◆...
To access the switch through the console port, perform these steps: At the console prompt, enter the user name and password. (The default user names are “motorola” and “guest” with corresponding passwords of “admin” and “guest”.) When the administrator user name and password is entered, the CLI displays the “Console#”...
When finished, exit the session with the “quit” or “exit” command. After entering the Telnet command, the login screen displays: Username: motorola Password: CLI session with the EX-3524 is opened. To end the CLI session, enter [Exit]. Vty-0# Telnet carries the login credentials and the entire session in clear text; the switch also supports SSH (see “Secure Shell” in the Authentication Commands chapter), which should be used instead on any network you do not fully trust.
To enter commands that require parameters, enter the required parameters after the command keyword. For example, to set a password for the administrator, enter: Console(config)#username motorola password 0 smith Minimum Abbreviation: The CLI will accept a minimum number of characters that uniquely identify a command.
Chapter 2 | Using the Command Line Interface Entering Commands Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Chapter 2 | Using the Command Line Interface Entering Commands running-config Information on the running configuration snmp Simple Network Management Protocol configuration and statistics sntp Simple Network Time Protocol configuration spanning-tree Spanning-tree configuration ssh Secure shell server connections startup-config Startup system configuration subnet-vlan IP subnet-based VLAN information system...
You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name “motorola” and password “admin”. The system will now display the “Console#” command prompt. You can...
“super. ” To enter Privileged Exec mode, enter the following user names and passwords: Username: motorola Password: [admin login password] CLI session with the EX-3524 is opened. To end the CLI session, enter [Exit]. Console# Username: guest Password: [guest login password] CLI session with the EX-3524 is opened.
Chapter 2 | Using the Command Line Interface Entering Commands ◆ Policy Map Configuration - Creates a DiffServ policy map for multiple interfaces. ◆ Time Range - Sets a time range for use by other functions, such as Access Control Lists. ◆...
Chapter 2 | Using the Command Line Interface Entering Commands Command Line Processing: Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?”...
Chapter 2 | Using the Command Line Interface CLI Command Groups Note that the output modifier begin can only be used as the first modifier if more than one modifier is used in a command. CLI Command Groups The system commands can be broken down into the functional groups shown below Table 6: Command Group Index Command Group...
Chapter 2 | Using the Command Line Interface CLI Command Groups (Continued) Table 6: Command Group Index Command Group Description Page VLANs Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling Class of Service Sets port priority for untagged frames, selects strict priority or weighted round robin, relative weight for each priority queue,...
General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 7: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...
Chapter 3 | General Commands Command Mode Global Configuration Command Usage This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Chapter 3 | General Commands Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten. ◆...
Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (78) enable password (166) quit This command exits the configuration program.
Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console#...
Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.
Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001.
Chapter 3 | General Commands Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username:
System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 8: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch System Status Displays system configuration, active managers, and version information...
Chapter 4 | System Management Commands System Status hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
Chapter 4 | System Management Commands System Status Table 10: System Status Commands (Continued) Command Function Mode show users Shows all active console and Telnet sessions, including user NE, PE name, idle time, and IP address of Telnet clients show version Displays version information for the system NE, PE show access-list...
Chapter 4 | System Management Commands System Status Console# show process cpu This command shows the CPU utilization parameters. Command Mode Normal Exec, Privileged Exec Example Console#show process cpu CPU Utilization in the past 5 seconds : 3.98% Console# show running-config This command displays the configuration information currently in use.
The POST results should all display “PASS”. If any POST test indicates “FAIL”, contact your distributor for assistance. ◆ The number of fans provided: EX-3524 - 2, EX-3548 - 3 Example Console#show system System Description : EX-3524 Managed POE/POE+ Switch System OID String : 1.3.6.1.4.1.388.19.101...
Web Online Users: Line Remote IP Addr User Name Idle time (h:m:s) ----------- --------------- --------- ------------------ HTTP 192.168.1.19 motorola 0:00:0 Console# show version This command displays hardware and software version information for the system. Command Mode Normal Exec, Privileged Exec...
Chapter 4 | System Management Commands Frame Size Frame Size This section describes commands used to configure the Ethernet frame size on the switch. Table 13: Frame Size Commands Command Function Mode jumbo frame Enables support for jumbo frames jumbo frame This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports.
Chapter 4 | System Management Commands File Management File Management Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation.
Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.
Chapter 4 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
◆ To replace the startup configuration, you must use startup-config as the destination. ◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
Chapter 4 | System Management Commands File Management The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01...
This example shows how to copy a file from an FTP server into the switch’s flash memory (the first keyword after copy is the source, the second the destination). Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: motorola Password[]: ***** Choose file type: 1. config: 2. opcode: 2 Source file name: BLANC.BIX Destination file name: BLANC.BIX...
dir This command displays a list of files in flash memory. Syntax dir {boot-rom: | config: | opcode:} [filename] boot-rom - Boot ROM (or diagnostic) image file. config - Switch configuration file. opcode - Run-time operation code image file. filename - Name of configuration file or code image.
Chapter 4 | System Management Commands File Management whichboot This command displays which files were booted when the system powered up. Syntax whichboot Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Chapter 4 | System Management Commands File Management version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://motorola:billy@192.168.0.1/sm24/ Console(config)# show upgrade This command shows the opcode upgrade configuration settings.
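The following Python script is an added example and not part of this manual. It covers the two "upgrade opcode path" examples above (and the identical ones in Chapter 1): it parses the URL the way the switch would have to, reports the user name and password that would be sent, warns about what each scheme exposes, and produces a redacted form of the URL that is safe to put in a ticket or change record. The anonymous/empty-password fallback for an FTP URL with no credentials is taken from the manual's truncated sentence in Chapter 1 and is an assumption here.

```python
# Added example (not from the manual): inspect the URL given to
# "upgrade opcode path" and report the credentials the switch would send.
from urllib.parse import unquote, urlsplit

SUPPORTED_SCHEMES = {"tftp", "ftp"}


def inspect_upgrade_path(url: str) -> dict:
    """Parse a tftp:// or ftp:// upgrade path and list its security caveats."""
    parts = urlsplit(url)
    if parts.scheme not in SUPPORTED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; expected tftp or ftp")
    if not parts.hostname:
        raise ValueError("no file server host in URL")
    result = {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "directory": parts.path or "/",
        "username": unquote(parts.username) if parts.username is not None else None,
        "password": unquote(parts.password) if parts.password is not None else None,
        "warnings": [],
    }
    if parts.scheme == "tftp":
        if result["username"] is not None:
            result["warnings"].append("TFTP has no login; the user name and password are ignored")
        result["warnings"].append("TFTP authenticates nothing: verify the image before booting it")
    else:
        if result["username"] is None:
            # Assumption (manual's sentence is truncated): anonymous login, empty password.
            result["username"], result["password"] = "anonymous", ""
            result["warnings"].append("no credentials in URL; anonymous FTP login will be attempted")
        else:
            result["warnings"].append("FTP sends the user name and password in clear text")
            result["warnings"].append("the password is part of the configured path and is shown with it")
    return result


def redact_upgrade_path(url: str) -> str:
    """Return the URL with any embedded password replaced, safe to log or display."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    netloc = f"{parts.username}:***@{netloc}"
    return parts._replace(netloc=netloc).geturl()


if __name__ == "__main__":
    for candidate in ("tftp://192.168.0.1/sm24/", "ftp://motorola:billy@192.168.0.1/sm24/"):
        info = inspect_upgrade_path(candidate)
        print(redact_upgrade_path(candidate), "->", info["username"], info["warnings"])
```

Neither scheme protects the image in transit, so the file server must sit on a management network the switch reaches only over trusted links, and the account named in an FTP path should have read-only access to the firmware directory and nothing else.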
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 16: Line Commands Command Function...
Chapter 4 | System Management Commands Line line This command selects a specific line for configuration; subsequent line configuration commands apply to that line. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
Chapter 4 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity...
Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the...
Chapter 4 | System Management Commands Line Example To set the password threshold to five attempts, enter this command: Console(config-line)#password-thresh 5 Console(config-line)# Related Commands silent-time (106) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
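The Python model below is an added example, not switch code, showing how password-thresh and silent-time interact on one line. The default values (threshold 3, silent time 30 seconds) are the ones displayed by the "show line" output later in this section; the exact point at which the real switch resets its failure counter is not stated in the manual and is an assumption here (the counter restarts once the silent period ends). An injectable clock lets the silent period be exercised without waiting, and a second function shows why the silent time, not the threshold alone, is what slows an online guessing attack.

```python
# Added example (not from the manual): a model of how password-thresh and
# silent-time interact on one line. Reset behaviour after the silent period
# is an assumption, not taken from the manual.
import hmac
import math
import time


class LineLoginGuard:
    """Tracks failed logins on one line and enforces the silent period."""

    def __init__(self, password, threshold=3, silent_time=30, clock=time.monotonic):
        self._password = password.encode()
        self.threshold = threshold        # password-thresh
        self.silent_time = silent_time    # silent-time, in seconds
        self._clock = clock               # injectable for testing
        self._failures = 0
        self._silent_until = None

    def attempt(self, password):
        """Return 'ok', 'rejected', 'locked' (threshold just reached) or 'silent'."""
        now = self._clock()
        if self._silent_until is not None:
            if now < self._silent_until:
                return "silent"  # the line ignores the attempt, correct or not
            self._silent_until = None  # silent period over, counter starts fresh
            self._failures = 0
        if hmac.compare_digest(password.encode(), self._password):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= self.threshold:
            self._failures = 0
            self._silent_until = now + self.silent_time
            return "locked"
        return "rejected"


def guessing_time_seconds(guesses, threshold=3, silent_time=30):
    """Lower bound on the time an online attacker needs for this many guesses,
    counting only the forced silent periods (typing time ignored)."""
    if guesses <= 0:
        return 0
    return (math.ceil(guesses / threshold) - 1) * silent_time


if __name__ == "__main__":
    guard = LineLoginGuard("Xk3pQ9vLm2Rt8Wz4")
    print([guard.attempt(p) for p in ("a", "b", "c", "Xk3pQ9vLm2Rt8Wz4")])
    print(guessing_time_seconds(1000), "seconds to try 1000 passwords")
```

With the threshold at 3 and silent time at 30 seconds, a thousand guesses cost an attacker about 2.8 hours of waiting; with silent time at 0 the threshold only ends sessions, and a scripted client reconnects at once. Apply the settings to both the console and vty lines, since the limits are configured per line.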
Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
Chapter 4 | System Management Commands Line Default Setting 1 stop bit Command Mode Line Configuration Example To specify 2 stop bits, enter this command: Console(config-line)#stopbits 2 Console(config-line)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Line disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0”...
Chapter 4 | System Management Commands Event Logging Baud Rate : 115200 Data Bits Parity : None Stop Bits VTY Configuration: Password Threshold : 3 times Inactive Timeout : 600 sec. Login Timeout : 300 sec. Silent Time : 30 sec. Console# Event Logging This section describes commands used to configure event logging on the switch.
Chapter 4 | System Management Commands Event Logging Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
Chapter 4 | System Management Commands Event Logging Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages.
Chapter 4 | System Management Commands Event Logging Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
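The facility tag and the severity levels described above are what a syslog collector decodes from the PRI field at the start of each message. The following is an added example (not code from the switch manual or its vendor) of that decoding and of the "numerically lower means higher priority" filtering rule used by logging history and logging trap; the three switch messages it parses are constructed for the example.

```python
"""RFC 3164 PRI decoding and switch-style severity filtering.

Added example, not part of the switch manual: this is what a collector does
with the facility tag set by 'logging facility' and the severity filtered by
'logging history' / 'logging trap'. The sample messages are constructed.
"""
import re
from typing import Optional

# RFC 3164 section 4.1.1 facility codes (local0-local7 are 16-23).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity 0 is the highest priority, 7 the lowest.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(message: str) -> Optional[dict]:
    """Split '<PRI>rest' into facility, severity and text; PRI = facility*8 + severity.

    Returns None for lines without a valid PRI: a collector should keep such
    lines but flag them rather than guess a severity.
    """
    m = _PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        return None
    facility, severity = pri >> 3, pri & 7
    return {
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "reserved"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "text": m.group(2),
    }


def passes_level(severity: int, configured_level: int) -> bool:
    """The switch rule: report messages at the configured level or more urgent,
    which means a severity number less than or equal to the level."""
    return severity <= configured_level


def filter_messages(messages, level: int) -> list:
    """Return the decoded messages that would be stored or sent at 'level'."""
    kept = []
    for msg in messages:
        decoded = decode_pri(msg)
        if decoded is not None and passes_level(decoded["severity"], level):
            kept.append(decoded)
    return kept


# Constructed sample, facility local7 (23): PRI 190 = info, 187 = err, 185 = alert.
SAMPLE = [
    "<190>Jan  1 00:00:01 switch Unit 1, Port 1 link-up",
    "<187>Jan  1 00:00:02 switch Login failed from 192.168.1.50 via Telnet",
    "<185>Jan  1 00:00:03 switch Temperature exceeds threshold",
    "Jan  1 00:00:04 switch line without a PRI field",
]

if __name__ == "__main__":
    for level in (3, 7):  # 3 = errors and worse, 7 = everything
        names = [d["severity_name"] for d in filter_messages(SAMPLE, level)]
        print(f"level {level}: {names}")
```

Run it to see that level 3 keeps only the failed-login and temperature messages, which is the same selection the switch makes when logging trap 3 is configured; the line without a PRI field is rejected rather than silently given a default severity.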
Chapter 4 | System Management Commands Event Logging clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Chapter 4 | System Management Commands SMTP Alerts
Table 19: show logging flash/ram - display description
Field: Description
Syslog logging: Shows if system logging has been enabled via the logging on command.
History logging in FLASH: The message level(s) reported based on the logging history command.
Command Mode Global Configuration Command Usage ◆ You can specify up to three SMTP servers for event handling; however, you must enter a separate command to specify each server. ◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Chapter 4 | System Management Commands Time Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec...
Table 22: Time Commands (Continued)
Command: Function: Mode
Manual Configuration Commands
clock summer-time: Configures summer time for the switch's internal clock
clock timezone: Sets the time zone for the switch's internal clock
clock timezone-predefined: Sets the time zone for the switch's internal clock using predefined time zone configurations
calendar set: ...
Chapter 4 | System Management Commands Time Current Server: 137.92.140.80 Console# Related Commands sntp server (122) sntp poll (122) show sntp (123) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll...
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received.
Chapter 4 | System Management Commands Time Manual Configuration Commands clock summer-time This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
Chapter 4 | System Management Commands Time time is in effect, you must indicate the number of minutes your summer-time zone deviates from your regular time zone. Example Console(config)#clock summer-time DEST date april 1 2007 23 23 april 23 2007 23 23 60 Console(config)# Related Commands...
clock timezone-predefined This command uses predefined time zone configurations to set the time zone for the switch's internal clock. Use the no form to restore the default. Syntax clock timezone-predefined offset-city no clock timezone-predefined offset - Select the offset from GMT.
Chapter 4 | System Management Commands Time month - january | february | march | april | may | june | july | august | september | october | november | december year - Year (4-digit). (Range: 1970-2037) Default Setting None Command Mode Privileged Exec...
Chapter 4 | System Management Commands Time Range
Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Table 23: Time Range Commands
Command: Function: Mode
time-range: Specifies the name of a time range, and enters time range configuration mode
absolute...
absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minute day month year] absolute end hour minute day month year no absolute hour - Hour in 24-hour format.
Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend | hour minute}...
Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range. (Range: 1-30 characters) Default Setting None Command Mode Privileged Exec Example Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic...
Chapter 4 | System Management Commands Switch Clustering Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
Chapter 4 | System Management Commands Switch Clustering ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes.
Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
◆ There is no need to enter the username and password for access to the Member switch CLI. Because rcommand opens a Member's CLI without further authentication, anyone with Privileged Exec access on the Commander effectively has CLI access to every Member; protect the Commander's management access accordingly. Example Console#rcommand id 1 CLI session with the EX-3524 is opened. To end the CLI session, enter [Exit]. Vty-0##
Console#show cluster members Cluster Members: Role : Active member IP Address : 10.254.254.2 MAC Address : 00-E0-0C-00-00-FE Description : EX-3524 Managed POE/POE+ Switch Console# show cluster This command shows the discovered Candidate switches in the network. candidates Command Mode Privileged Exec...
SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server Console(config)# snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. Note that with SNMP v1 and v2c the community string is the only access control and is carried in clear text in every request; where the management station supports it, prefer SNMPv3 (below), which adds authentication and encryption. Syntax snmp-server community string [ro | rw] no snmp-server community string
Chapter 5 | SNMP Commands General SNMP Commands Default Setting None Command Mode Global Configuration Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (140) snmp-server location This command sets the system location string. Use the no form to remove the location string.
Chapter 5 | SNMP Commands SNMP Target Host Commands Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command. Example Console#show snmp SNMP Agent : Enabled...
Chapter 5 | SNMP Commands SNMP Target Host Commands Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
Chapter 5 | SNMP Commands SNMP Target Host Commands community-string - Password-like community string sent with the notification operation to SNMP V1 and V2c hosts. Although you can set this string using the snmp-server host command by itself, we recommend defining it with the snmp-server community command prior to using the...
Chapter 5 | SNMP Commands SNMP Target Host Commands To send an inform to a SNMPv2c host, complete these steps: Enable the SNMP agent (page 138). Create a view with the required notification messages (page 148). Create a group that includes the required notify view (page 146).
Chapter 5 | SNMP Commands SNMPv3 Commands SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default. Syntax snmp-server engine-id {local | remote {ip-address}} engineid-string no snmp-server engine-id {local | remote {ip-address}} local - Specifies the SNMP engine on this switch.
Example Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engine-id remote 9876543210 192.168.1.19 Console(config)# Related Commands snmp-server host (142) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}}...
Chapter 5 | SNMP Commands SNMPv3 Commands ◆ For additional information on the notification messages supported by this switch, see the table for “Supported Notification Messages” in the System Reference Guide. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with snmp-server enable traps command.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. ◆...
Chapter 5 | SNMP Commands SNMPv3 Commands excluded - Defines an excluded view. Default Setting defaultview (includes access to the entire MIB tree) Command Mode Global Configuration Command Usage ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
80000000030004e2b316c54321 192.168.1.19
Console#
Table 26: show snmp engine-id - display description
Field: Description
Local SNMP engineID: String identifying the engine ID.
Local SNMP engineBoots: The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 27: show snmp group - display description
Field: Description
Group Name: Name of an SNMP group.
Security Model: The SNMP version.
Table 28: show snmp user - display description (Continued)
Field: Description
Authentication Protocol: The authentication protocol used with SNMPv3.
Privacy Protocol: The privacy protocol used with SNMPv3.
Storage Type: The storage type for this entry.
Row Status: The row status of this entry.
Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether those are Traps or Informs that exceed retransmission limits.
Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
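The rising/falling rules above are a hysteresis scheme: once a rising event fires, the variable has to drop to the falling threshold before another rising event is possible, which keeps a value hovering around one threshold from generating a flood of events. The following is an added example (not code from the switch manual or its vendor) that models that behaviour for both absolute and delta sampling, so a threshold pair can be checked against expected readings before an rmon alarm is committed; the utilisation and error-counter series are constructed.

```python
"""RMON alarm evaluation with rising/falling hysteresis (RFC 2819 alarmTable).

Added example, not part of the switch manual: models what 'rmon alarm' does
with absolute or delta sampling, so you can check a threshold pair against
expected traffic before committing it. Sample values are constructed.
"""
from typing import List, Optional


class RmonAlarm:
    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 startup: str = "rising-or-falling"):
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last_raw: Optional[int] = None     # previous counter value (delta mode)
        self.last_value: Optional[int] = None   # previous sampled value
        # Hysteresis: after a rising event no further rising event is generated
        # until a falling event has occurred, and vice versa.
        self.rising_armed = True
        self.falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed one raw reading; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:           # need two readings for a delta
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        first = self.last_value is None
        # A threshold is "crossed" only when the previous sample was on the
        # other side of it (or on the first sample, if the startup type allows).
        crossed_up = (first and self.startup in ("rising", "rising-or-falling")) \
            or (not first and self.last_value < self.rising)
        crossed_down = (first and self.startup in ("falling", "rising-or-falling")) \
            or (not first and self.last_value > self.falling)

        event = None
        if value >= self.rising and crossed_up and self.rising_armed:
            event = "rising"
            self.rising_armed, self.falling_armed = False, True
        elif value <= self.falling and crossed_down and self.falling_armed:
            event = "falling"
            self.falling_armed, self.rising_armed = False, True

        self.last_value = value
        return event


def run_alarm(samples: List[int], **kwargs) -> List[Optional[str]]:
    """Evaluate a whole series and return the event (or None) per sample."""
    alarm = RmonAlarm(**kwargs)
    return [alarm.sample(s) for s in samples]


# Constructed series: utilisation percentages for absolute mode, and a
# monotonically increasing error counter for delta mode.
UTIL = [50, 85, 90, 70, 15, 85]
ERR_COUNTER = [100, 150, 260, 270]

if __name__ == "__main__":
    print(run_alarm(UTIL, rising=80, falling=20))
    print(run_alarm(ERR_COUNTER, rising=100, falling=20, sample_type="delta"))
```

In the utilisation series the sample of 90 that follows 85 produces nothing even though it is above the rising threshold, and a later 85 only fires again because the value first reached the falling threshold; in delta mode the first reading produces no sample at all, because a delta needs two counter values.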
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running- config...
Chapter 6 | Remote Monitoring Commands ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command. ◆ The information collected for each entry includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and packets of specified lengths Example...
Chapter 6 | Remote Monitoring Commands Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01 Received 77671 octets, 1077 packets, 61 broadcast and 978 multicast packets,...
Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
(i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config)#enable password level 15 0 motorola Console(config)# Related Commands enable (75) authentication enable (168) –...
Table 33: Default Login Settings username access-level password guest guest motorola admin Command Mode Global Configuration Command Usage The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server. Because these default credentials are published in this guide, change both the guest and admin passwords before the switch is reachable from the network.
Chapter 7 | Authentication Commands Authentication Sequence Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 34: Authentication Sequence Commands Command Function...
Chapter 7 | Authentication Commands Authentication Sequence is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked. Example Console(config)#authentication enable radius Console(config)# Related Commands enable password - sets the password for changing command modes (166) authentication login This command defines the login authentication method and precedence.
Chapter 7 | Authentication Commands RADIUS Client Example Console(config)#authentication login radius Console(config)# Related Commands username - for setting the local user names and passwords (167) RADIUS Client Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS- aware devices on the network.
Chapter 7 | Authentication Commands RADIUS Client Example Console(config)#radius-server acct-port 181 Console(config)# radius-server This command sets the RADIUS server network port. Use the no form to restore the auth-port default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812...
Chapter 7 | Authentication Commands RADIUS Client retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting auth-port - 1812 acct-port - 1813...
Chapter 7 | Authentication Commands RADIUS Client radius-server This command sets the number of retries. Use the no form to restore the default. retransmit Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Chapter 7 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times...
Chapter 7 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [port port-number] [timeout timeout] [key key] no tacacs-server index index - The index for this server.
Chapter 7 | Authentication Commands TACACS+ Client Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
Chapter 7 | Authentication Commands Server Port Number : 181 Server Time Out : 4 Console# The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 37: AAA Commands Command Function...
group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
Chapter 7 | Authentication Commands Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Chapter 7 | Authentication Commands Example Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.
Chapter 7 | Authentication Commands aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
Chapter 7 | Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the...
Chapter 7 | Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec...
Chapter 7 | Authentication Commands Web Server exec - Displays Exec accounting records. statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) Default Setting None Command Mode...
Chapter 7 | Authentication Commands Web Server Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 600 seconds. ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Related Commands ip http port (185) show system (86) ip http secure-port This command specifies the TCP port number used for HTTPS connections to the switch's web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port
Chapter 7 | Authentication Commands Web Server Command Usage ◆ HTTP and HTTPS are implemented as mutually exclusive services on the switch. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆...
Chapter 7 | Authentication Commands Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch. Table 40: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...
ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no ip telnet port port-number - The TCP port number to be used by the Telnet interface. (Range: 1-65535) Default Setting Command Mode...
Chapter 7 | Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# Secure Shell...
Table 41: Secure Shell Commands (Continued)
Command: Function: Mode
show ssh: Displays the status of current SSH sessions
show users: Shows SSH users, including privilege level and public key type
Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
Chapter 7 | Authentication Commands Secure Shell Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch.
Chapter 7 | Authentication Commands Secure Shell When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
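Before a client public key is copied to the switch (the "copy client key" step in the guidelines above), it is worth checking what is actually in the key line and recording its fingerprint, since the switch's public key check described here accepts whatever key was loaded. The following is an added example (not code from the switch manual or its vendor) that parses the OpenSSH public key line format (the RFC 4251 length-prefixed fields inside the base64 blob), computes the SHA256 fingerprint in the form OpenSSH prints, and applies a simple acceptance policy. The three key lines are constructed and are not usable key material; the acceptance thresholds are assumptions, not switch settings.

```python
"""Parsing an OpenSSH public key line and computing its fingerprint.

Added example, not part of the switch manual: before copying a client's public
key to the switch, parse the key line, reject key types or sizes you do not
want, and record the SHA256 fingerprint so you can confirm what the switch
shows. Keys below are constructed (not real key material).
"""
import base64
import hashlib
import struct


def _read_string(buf: bytes, off: int):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack("!I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated string in key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line: str) -> dict:
    """Return type, size in bits, SHA256 fingerprint and comment of one key line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError("type prefix does not match blob")
    fields = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    if keytype == "ssh-rsa" and len(fields) == 2:        # mpint e, mpint n
        bits = int.from_bytes(fields[1], "big").bit_length()
    elif keytype == "ssh-ed25519" and len(fields) == 1:  # 32-byte public key
        bits = len(fields[0]) * 8
    else:
        raise ValueError(f"unsupported or malformed key type {keytype}")
    fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"type": keytype, "bits": bits, "fingerprint": "SHA256:" + fp, "comment": comment}


def acceptable(info: dict, min_rsa_bits: int = 2048) -> bool:
    """Assumed policy: ed25519 always, RSA only at or above min_rsa_bits."""
    if info["type"] == "ssh-ed25519":
        return True
    return info["type"] == "ssh-rsa" and info["bits"] >= min_rsa_bits


def make_pubkey_line(keytype: str, fields, comment: str = "") -> str:
    """Build a key line from raw fields (used here only to construct samples)."""
    blob = b"".join(struct.pack("!I", len(f)) + f
                    for f in [keytype.encode(), *fields])
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".strip()


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian, with a leading zero if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


# Constructed sample keys; the values are not usable key material.
ED25519_LINE = make_pubkey_line("ssh-ed25519", [bytes(range(32))], "admin@mgmt")
RSA1024_LINE = make_pubkey_line("ssh-rsa", [_mpint(65537), _mpint((1 << 1023) | 1)], "legacy")
RSA2048_LINE = make_pubkey_line("ssh-rsa", [_mpint(65537), _mpint((1 << 2047) | 1)], "ok")

if __name__ == "__main__":
    for line in (ED25519_LINE, RSA1024_LINE, RSA2048_LINE):
        info = parse_pubkey_line(line)
        print(info["type"], info["bits"], info["fingerprint"],
              "accept" if acceptable(info) else "reject")
```

The parser refuses a line whose text prefix disagrees with the type inside the blob, which is a cheap way to catch a hand-edited key file; the fingerprint it prints is what to compare against the switch's show users output after the key has been loaded.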
Command Mode Global Configuration Command Usage ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The switch's DSA or RSA host key identifies the switch to the client when the client first establishes a connection (the host key is not itself the key-exchange mechanism, which SSH negotiates separately); the switch then negotiates a data-encryption cipher with the client. This guide lists DES (56-bit) and 3DES (168-bit), while the show ssh output later in this section shows aes128-cbc in use, so confirm the negotiated cipher with show ssh on your firmware. Single DES is not considered secure; if the switch offers it, disable it on the client side.
Chapter 7 | Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 10 seconds...
Chapter 7 | Authentication Commands Secure Shell Related Commands ip ssh crypto host-key generate (196) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds;...
show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example
Console#show ssh
Connection Version State Username Encryption Session-Started
 motorola ctos aes128-cbc-hmac-md5
 stoc aes128-cbc-hmac-md5
Console#
Note that this example session negotiated HMAC-MD5 for integrity and a CBC-mode cipher; where the client permits, prefer an HMAC-SHA2 MAC, and restrict the algorithms the client offers rather than relying on the switch's defaults.
Table 42: show ssh - display description
Field: Description
Connection: The session number. (Range: 0-3)
Version: The Secure Shell version number.
Chapter 7 | Authentication Commands 802.1X Port Authentication 802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Chapter 7 | Authentication Commands 802.1X Port Authentication Table 43: 802.1X Port Authentication Commands (Continued) Command Function Mode dot1x timeout start-period Sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator Information Display Commands show dot1x Shows all dot1x related information General Commands...
dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default. Syntax [no] dot1x eapol-pass-through Default Setting Discards all EAPOL frames when dot1x is globally disabled Command Mode...
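EAPOL frames are the only traffic an unauthorized 802.1X port passes, and with eapol-pass-through they are forwarded across the switch when dot1x is off, so it helps to know exactly what they contain. The following is an added example (not code from the switch manual or its vendor) that builds and decodes EAPOL frames and the EAP packets inside them, including the EAP-Response/Identity in which the supplicant's user name is sent in clear text; the supplicant MAC address and identity are constructed.

```python
"""Decoding EAPOL (IEEE 802.1X) frames and the EAP packets inside them.

Added example, not part of the switch manual: useful when checking what
'dot1x eapol-pass-through' lets through, or when a capture taken on an
authenticator port has to be interpreted. The frames are constructed here.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group address

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_eap(code: int, ident: int, eap_type: int = None, data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_eapol(src: bytes, packet_type: int, body: bytes = b"",
                dst: bytes = PAE_GROUP_ADDR, version: int = 2) -> bytes:
    """Ethernet header + EAPOL header: Version(1) Type(1) Length(2) Body."""
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + \
        struct.pack("!BBH", version, packet_type, len(body)) + body


def parse_eapol(frame: bytes) -> dict:
    """Decode one Ethernet frame; raise ValueError if it is not EAPOL."""
    if len(frame) < 18:
        raise ValueError("frame too short for EAPOL")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL (ethertype 0x{ethertype:04x})")
    version, ptype, plen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + plen]
    if len(body) < plen:
        raise ValueError("EAPOL body truncated")
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0 and len(body) >= 4:
        code, ident, elen = struct.unpack("!BBH", body[:4])
        eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
        if code in (1, 2) and elen >= 5 and len(body) >= 5:
            etype = body[4]
            eap["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
            if etype == 1 and code == 2:
                # EAP-Response/Identity carries the user name in clear text:
                # anyone who can see the frame can read who is authenticating.
                eap["identity"] = body[5:elen].decode("utf-8", errors="replace")
        info["eap"] = eap
    return info


# Constructed frames: a supplicant starting, and its identity response.
SUPPLICANT_MAC = bytes.fromhex("001122334455")
START_FRAME = build_eapol(SUPPLICANT_MAC, 1)
IDENTITY_FRAME = build_eapol(SUPPLICANT_MAC, 0, build_eap(2, 1, 1, b"alice"))

if __name__ == "__main__":
    print(parse_eapol(START_FRAME))
    print(parse_eapol(IDENTITY_FRAME))
```

Because the identity is readable by anyone on the segment, EAP methods that tunnel the real credentials (PEAP, EAP-TTLS, EAP-TLS) are normally paired with an anonymous outer identity; a capture showing real user names in the outer EAP-Response/Identity is worth flagging.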
Chapter 7 | Authentication Commands 802.1X Port Authentication Authenticator Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-req 2 Console(config-if)# dot1x operation-mode This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Chapter 7 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x operation-mode multi-host max-count 10 Console(config-if)# dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto –...
Chapter 7 | Authentication Commands 802.1X Port Authentication connected the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked. ◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command.
Default 3600 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet.
dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period
Chapter 7 | Authentication Commands 802.1X Port Authentication Supplicant Commands dot1x identity profile This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings. Syntax dot1x identity profile {username username | password password} no dot1x identity profile {username | password} username - Specifies the supplicant user name.
Chapter 7 | Authentication Commands 802.1X Port Authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-start 10 Console(config-if)# dot1x pae supplicant This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port. Syntax [no] dot1x pae supplicant Default...
dot1x timeout auth-period This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting. Syntax dot1x timeout auth-period seconds no dot1x timeout auth-period seconds - The number of seconds.
Chapter 7 | Authentication Commands 802.1X Port Authentication dot1x timeout This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default start-period setting. Syntax dot1x timeout start-period seconds no dot1x timeout start-period seconds - The number of seconds.
Page 213
Chapter 7 | Authentication Commands 802.1X Port Authentication ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 202). ◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 209).
Page 214
Chapter 7 | Authentication Commands 802.1X Port Authentication ◆ Backend State Machine State – Current state (including request, response, success, fail, timeout, ■ idle, initialize). Request Count– Number of EAP Request packets sent to the Supplicant ■ without receiving a response. Identifier (Server)–...
Chapter 7 | Authentication Commands Management IP Filter
Backend State Machine
State : Idle
Request Count
Identifier(Server)
Reauthentication State Machine
State : Initialize
802.1X Supplicant is disabled on port 1/50
Console#
Management IP Filter: This section describes commands used to configure IP management access to the switch.
Command Usage
◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
◆...
2. 192.168.1.25 192.168.1.30
SNMP-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
TELNET-Client:
Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19 192.168.1.19
2. 192.168.1.25 192.168.1.30
Console#
General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes.
Chapter 8 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Command Mode: Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Chapter 8 | General Security Measures Network Access (MAC Address Authentication)
Example: The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands: show interfaces status (304), shutdown (300)
Table 47: Network Access Commands (Continued) (columns: Command, Function, Mode)
mac-authentication intrusion-action – Determines the port response when a connected host fails MAC authentication.
mac-authentication max-mac-count – Sets the maximum number of MAC addresses that can be authenticated on a port via MAC authentication
clear network-access...
network-access mac-filter: Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax: [no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table.
Command Mode: Global Configuration
Command Usage
◆ The reauthentication time is a global setting and applies to all ports.
◆ When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server.
◆ When the last user logs off of a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
◆ When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table.
Example: The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#...
network-access link-detection: Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
Syntax: [no] network-access link-detection
Default Setting: Disabled
Command Mode: Interface Configuration...
network-access link-detection link-up: Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#
network-access max-mac-count: Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Command Usage
◆ When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated.
◆...
Command Mode: Interface Configuration
Command Usage
◆ Entries in the MAC address filter table can be configured with the network-access mac-filter command.
◆ Only one filter table can be assigned to a port.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1...
Default Setting: Displays the settings for all interfaces.
Command Mode: Privileged Exec
Example:
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC address Aging : Disabled
Port : 1/1
MAC Authentication...
Command Mode: Privileged Exec
Command Usage: When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed.
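The bit-mask semantics above, as an added Python example (not code from this guide or the switch): it computes the range a MAC/mask pair selects and applies the same per-bit "care / don't care" test to a constructed address table. parse_mac, mac_matches, mac_range and filter_addresses are hypothetical helper names.

```python
# Added example, not code from the guide or the switch: models the "1 = care,
# 0 = don't care" MAC mask used to filter displayed addresses, and derives the
# range of addresses a MAC/mask pair selects.
from typing import Iterable, List, Tuple

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space


def parse_mac(text: str) -> int:
    """Parse 00-00-01-02-03-04 (or colon-separated) into a 48-bit integer."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"expected six octets in {text!r}")
    value = 0
    for part in parts:
        octet = int(part, 16)
        if not 0 <= octet <= 0xFF:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def format_mac(value: int) -> str:
    """Render a 48-bit integer in the guide's XX-XX-XX-XX-XX-XX form."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_matches(candidate: str, mac: str, mask: str) -> bool:
    """True when every 'care' bit (1 in the mask) of candidate equals that bit of mac."""
    care = parse_mac(mask)
    return (parse_mac(candidate) & care) == (parse_mac(mac) & care)


def mac_range(mac: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest address selected by the pair.

    For a contiguous prefix mask such as FF-FF-FF-00-00-00 this is exactly the
    displayed range; for a mask with holes the selected addresses are not
    contiguous, so treat the bounds only as bounds and rely on mac_matches.
    """
    care = parse_mac(mask)
    base = parse_mac(mac) & care
    dont_care = ~care & MAC_BITS
    return format_mac(base), format_mac(base | dont_care)


def filter_addresses(table: Iterable[str], mac: str, mask: str) -> List[str]:
    """Apply the display filter to a list of learned addresses."""
    return [entry for entry in table if mac_matches(entry, mac, mask)]


# Constructed sample table (not real switch output).
SAMPLE_TABLE = [
    "00-00-01-02-03-04",
    "00-00-01-FF-FF-FF",
    "00-00-02-00-00-00",
    "00-00-01-00-00-00",
]

if __name__ == "__main__":
    low, high = mac_range("00-00-01-02-03-04", "FF-FF-FF-00-00-00")
    print(f"range {low} to {high}")
    print(filter_addresses(SAMPLE_TABLE, "00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
```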
Chapter 8 | General Security Measures Web Authentication
Web Authentication: Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries.
web-auth login-attempts: This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax: web-auth login-attempts count
no web-auth login-attempts...
web-auth session-timeout: This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
web-auth: This command enables web authentication for an interface. Use the no form to restore the default.
Syntax: [no] web-auth
Default Setting: Disabled
Command Mode: Interface Configuration
Command Usage: Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
web-auth re-authenticate (IP): This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax: web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
show web-auth interface: This command displays interface-specific web authentication parameters and statistics.
Syntax: show web-auth interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number. (Range: 1-28/52)
Command Mode: Privileged Exec
Example...
Chapter 8 | General Security Measures DHCP Snooping DHCP Snooping DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
an untrusted interface (as specified by the no ip dhcp snooping trust command) from a device not listed in the DHCP snooping table will be dropped.
◆ When enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (using the ip dhcp snooping trust command).
◆ Use the ip dhcp snooping information option command to specify how to handle DHCP client request packets which already contain Option 82 information.
Example: This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#
ip dhcp snooping...
ip dhcp snooping verify mac-address: This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
will be performed on any untrusted ports within the VLAN as specified by the dhcp snooping trust command.
◆ When DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
show ip dhcp snooping: This command shows the DHCP snooping configuration settings.
Command Mode: Privileged Exec
Example:
Console#show ip dhcp snooping
Global DHCP Snooping status: disable
DHCP Snooping Information Option Status: disable
DHCP Snooping Information Policy: replace
DHCP Snooping is configured on the following VLANs:
Verify Source Mac-Address: enable...
Chapter 8 | General Security Measures IP Source Guard IP Source Guard IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping”...
Command Usage
◆ Table entries include a MAC address, IP address, lease time, entry type (Static-IP-SG-Binding, Dynamic-DHCP-Binding), VLAN identifier, and port identifier.
◆ All static entries are configured with an infinite lease time, which is indicated with a value of zero by the show ip source-guard command...
ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax: ip source-guard {sip | sip-mac}
no ip source-guard...
sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
If DHCP snooping is enabled, IP source guard will check the VLAN ID, ■...
Command Usage: This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
Chapter 8 | General Security Measures ARP Inspection
Table 52: ARP Inspection Commands (Continued) (columns: Command, Function, Mode)
show ip arp inspection statistics – Shows statistics about the number of ARP packets processed, or dropped for various reasons
show ip arp inspection vlan – Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is...
Example:
Console(config)#ip arp inspection
Console(config)#
ip arp inspection filter: This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
Syntax: ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
arp-acl-name - Name of an ARP ACL.
ip arp inspection log-buffer logs: This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
ip arp inspection validate: This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax: ip arp inspection validate {dst-mac [ip] [src-mac] | ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header...
Default Setting: Disabled on all VLANs
Command Mode: Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
Default Setting:
Command Mode: Interface Configuration (Port)
Command Usage
◆ This command only applies to trusted or untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
show ip arp inspection configuration: This command displays the global configuration settings for ARP Inspection.
Command Mode: Privileged Exec
Example:
Console#show ip arp inspection configuration
ARP inspection global information:
Global IP ARP Inspection status : disabled
Log Message Interval : 10 s
Log Message Number...
show ip arp inspection log: This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode: Privileged Exec
Example:
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address...
Chapter 8 | General Security Measures Denial of Service Protection
Example:
Console#show ip arp inspection vlan 1
VLAN ID DAI Status ACL Name ACL Status
-------- --------------- -------------------- --------------------
disabled sales static
Console#
Denial of Service Protection: A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
Chapter 8 | General Security Measures Port-based Traffic Segmentation
Command Mode: Global Configuration
Note: This switch cannot trap packets where both the source port and destination port are set to zero.
Example:
Console(config)#flow tcp-udp-port-zero forward
Console(config)#
show flow: This command shows the action taken against attacks which set the Layer 4 source or destination port to zero.
traffic-segmentation: This command enables traffic segmentation globally, or configures the uplink and down-link ports for a segmented group of ports. Use the no form to disable traffic segmentation globally.
Syntax: [no] traffic-segmentation [uplink interface-list downlink interface-list]
uplink –...
Access Control Lists: Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type).
Chapter 9 | Access Control Lists IPv4 ACLs
access-list ip: This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax: [no] access-list ip {standard | extended} acl-name
standard –...
permit, deny, redirect-to (Standard IP ACL): This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax...
Related Commands: access-list ip (270), Time Range (128)
permit, deny, redirect-to: This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes.
destination – Destination IP address.
address-bitmask – Decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
precedence – IP precedence level. (Range: 0-7)
tos – Type of Service level. (Range: 0-15)
dscp –...
■ 32 (urg) – Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
■ SYN flag valid, use “control-code 2 2”
■ Both SYN and ACK valid, use “control-code 18 18”
■...
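The control-code value/mask test above, as an added Python example (not the switch's code): it encodes the flag bits the guide's list uses and applies the mask test under which “2 2” matches any segment with SYN set while “18 18” needs both SYN and ACK; it goes one step past the guide by also using the mask to require a bit to be clear. Rule, first_match and the first-match evaluation order are hypothetical.

```python
# Added example, not code from the guide or the switch: applies the Extended
# IPv4 ACL "control-code value mask" test to TCP flag words. Bit values are the
# standard TCP flag bits (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32), which is
# the numbering the guide's list ends with ("32 (urg)").
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP_FLAG_BITS: Dict[str, int] = {
    "fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32,
}
CODE_MAX = 63  # the six flag bits a rule can test


def flags_to_code(*names: str) -> int:
    """Combine flag names into the 6-bit control code carried by a segment."""
    code = 0
    for name in names:
        code |= TCP_FLAG_BITS[name.lower()]  # KeyError on an unknown flag name
    return code


def control_code_matches(packet_code: int, value: int, mask: int) -> bool:
    """The rule matches when every bit set in mask has the same state in the
    packet as in value; bits clear in mask are "don't care"."""
    for n in (packet_code, value, mask):
        if not 0 <= n <= CODE_MAX:
            raise ValueError(f"control code field out of range: {n}")
    return (packet_code & mask) == (value & mask)


@dataclass(frozen=True)
class Rule:
    """One ACL rule reduced to its action and control-code test (hypothetical)."""
    action: str  # "permit" or "deny"
    value: int
    mask: int


def first_match(rules: List[Rule], packet_code: int) -> Optional[Rule]:
    """Assumed first-match semantics: rules are tried in list order and the
    first matching rule decides; None means no rule matched."""
    for rule in rules:
        if control_code_matches(packet_code, rule.value, rule.mask):
            return rule
    return None


# Constructed rule list: accept replies that already carry SYN+ACK ("18 18"),
# and drop bare connection attempts, i.e. SYN set with ACK clear ("2 18").
SAMPLE_RULES = [Rule("permit", 18, 18), Rule("deny", 2, 18)]

if __name__ == "__main__":
    for flags in (("syn",), ("syn", "ack"), ("ack",)):
        hit = first_match(SAMPLE_RULES, flags_to_code(*flags))
        print(flags, hit.action if hit else "no rule matched")
```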
Default Setting: None
Command Mode: Interface Configuration (Ethernet)
Command Usage
◆ Only one ACL can be bound to a port.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Command Mode: Privileged Exec
Example:
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
Console#
Related Commands: permit, deny, redirect-to (271), ip access-group (274)
Chapter 9 | Access Control Lists IPv6 ACLs IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 64 rules.
Example:
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands: permit, deny, redirect-to (Standard IPv6 ACL) (278), permit, deny, redirect-to (Extended IPv6 ACL) (279), ipv6 access-group (282), show ipv6 access-list (281)
permit, deny, redirect-to (Standard IPv6 ACL): This command adds a rule to a Standard IPv6 ACL.
Command Usage: New rules are appended to the end of the list.
Example: This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#...
Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (The switch only checks the first 64 bits of the destination address.)
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix;...
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43
Console(config-ext-ipv6-acl)#
Related Commands...
ipv6 access-group: This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Syntax: ipv6 access-group acl-name in [time-range time-range-name]
no ipv6 access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 16 characters)
in –...
Chapter 9 | Access Control Lists MAC ACLs Related Commands ipv6 access-group (282) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Example:
Console(config)#access-list mac jerry
Console(config-mac-acl)#
Related Commands: permit, deny, redirect-to (284), mac access-group (286), show mac access-list (287)
permit, deny, redirect-to: This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
Command Usage
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
■ 0800 - IP
■...
Example:
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#
Related Commands: show mac access-list (287), Time Range (128)
show mac access-group: This command shows the ports assigned to MAC ACLs.
Command Mode: Privileged Exec
Example:
Console#show mac access-group...
Chapter 9 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command...
permit, deny (ARP ACL): This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Chapter 9 | Access Control Lists ACL Information
Related Commands: access-list arp (288)
show arp access-list: This command displays the rules for configured ARP ACLs.
Syntax: show arp access-list [acl-name]
acl-name – Name of the ACL. (Maximum length: 32 characters)
Command Mode: Privileged Exec
Example...
show access-list: This command shows all ACLs and associated rules.
Syntax: show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization]]
arp –...
Interface Commands: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Table 61: Interface Commands (columns: Command, Function, Mode)
Interface Configuration
interface – Configures an interface type and enters interface configuration mode
alias – Configures an alias name for the interface...
Chapter 10 | Interface Commands Interface Configuration
Table 61: Interface Commands (Continued) (columns: Command, Function, Mode)
Power Savings
power-save – Enables power savings mode on the specified port
show power-save – Shows the configuration settings for power savings
Interface Configuration
interface: This command configures an interface type and enters interface configuration mode.
alias: This command configures an alias name for the interface. Use the no form to remove the alias name.
Syntax: alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface.
Default Setting:
100BASE-FX: 100full (SFP)
1000BASE-T: 10half, 10full, 100half, 100full, 1000full
1000BASE-SX/LX/LH (SFP): 1000full
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
Example: The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#
Related Commands: negotiation (299), capabilities (flowcontrol, symmetric) (295)
giga-phy-mode: This command forces two connected ports into a master/slave configuration to enable 1000BASE-T full duplex for Gigabit ports.
◆ If auto-negotiation is enabled at the far end of a link, and disabled on the local end, a link should eventually be established regardless of the selected giga-phy mode.
Example: This forces the switch port to master mode on port 24.
Console(config)#interface ethernet 1/50
Console(config-if)#no negotiation
Console(config-if)#speed-duplex 1000full...
Related Commands: capabilities (295), speed-duplex (300)
shutdown: This command disables an interface. To restart a disabled interface, use the no form.
Syntax: [no] shutdown
Default Setting: All interfaces are enabled.
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been...
◆ When auto-negotiation is disabled, the default speed-duplex setting is 100full for 1000BASE-T ports.
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Default Setting: None
Command Mode: Privileged Exec
Command Usage: Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.
Page 303
Chapter 10 | Interface Commands Interface Configuration port-channel channel-id (Range: 1-12) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port or Trunk Statistics”...
Chapter 10 | Interface Commands Interface Configuration Media Type (Combo Forced Mode) : None Giga PHY Mode : Master Current Status: Link Status : Up Port Operational Status : Up Operational Speed-Duplex : 100full Flow Control Type : None Console# show interfaces This command displays the administrative and operational status of the specified switchport...
Chapter 10 | Interface Commands Interface Configuration 802.1Q-tunnel TPID : 8100(Hex) Console# Table 62: show interfaces switchport - display description Field Description Broadcast Shows if broadcast storm suppression is enabled or disabled; if enabled it also Threshold shows the threshold level (page 345).
Chapter 10 | Interface Commands Interface Configuration show interfaces This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the transceiver temperature, voltage, bias current, transmit power, and receive power. Syntax show interfaces transceiver [interface] interface ethernet unit/port unit - Unit identifier.
Chapter 10 | Interface Commands Cable Diagnostics Options Console# Cable Diagnostics test cable-diagnostics This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length. Syntax test cable-diagnostics interface interface interface ethernet unit/port unit - Unit identifier.
Chapter 10 | Interface Commands Cable Diagnostics Example Console#test cable-diagnostics interface ethernet 1/23 Console#show cable-diagnostics interface ethernet 1/23 Port Type Link Status Pair A (meters) Pair B (meters) Last Update -------- ---- ----------- ---------------- ---------------- ----------------- Eth 1/23 OK (21) OK (21) 2009-11-13 09:44:19 Console#...
Power Savings
power-save
This command enables power savings mode on the specified port.
Syntax
[no] power-save
Command Mode
Interface Configuration (Ethernet, Ports 1-24)
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power-save...
Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Chapter 11 | Link Aggregation Commands
Manual Configuration Commands
◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
◆ All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN via the specified port-channel.
Example
The following example creates trunk 1 and then adds port 11:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/11
Console(config-if)#channel-group 1
Console(config-if)#

Dynamic Configuration Commands
lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.
Console#show interfaces status port-channel 1
Information of Trunk 1
Port Type : 1000T
MAC Address : B4-0E-DC-39-F4-4D
Configuration:
Name
Port Admin : Up
Speed-Duplex : Auto
Capabilities : 10half, 10full, 100half, 100full, 1000full
Flow Control : Disabled
VLAN Trunking...
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state.
◆...
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor port-priority 128

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key string. Use the no form to restore the default setting.
Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.

Trunk Status Display Commands
show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}
port-channel - Local identifier for a link aggregation group. (Range: 1-12)
counters - Statistics for LACP protocol messages.
Partner Oper System ID : 32768, 00-12-CF-61-24-2F
Partner Admin Port Number : 1
Partner Oper Port Number
Port Admin Priority : 32768
Port Oper Priority : 32768
Admin Key
Oper Key
Admin State : defaulted, distributing, collecting, synchronization, long timeout,...
Table 67: show lacp sysid - display description
Field - Description
Channel Group - A link aggregation group configured on this switch.
System Priority - LACP system priority for this channel group.
System MAC - System MAC address.
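Added example, not part of the manual: the 802.3ad selection rule behind the lacp admin-key, system-priority and port-priority commands, in Python. group_links puts ports on the same aggregator only when actor system ID, actor key, partner system ID and partner key all match; controlling_system shows why changing lacp actor port-priority has no effect unless this switch holds the lower system ID; select_active picks the distributing links when the aggregator is capped. The LOCAL/PEER system IDs and the PORTS neighbor table are constructed, and using the local port number as tiebreaker on both sides is a simplification.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SystemId:
    """LACP system ID as printed by `show lacp sysid`: system priority plus system MAC."""
    priority: int        # 0-65535; lower is better
    mac: str             # "00-12-CF-61-24-2F"

    def sort_key(self) -> Tuple[int, int]:
        return (self.priority, int(self.mac.replace("-", "").replace(":", ""), 16))


@dataclass
class LacpPort:
    name: str                        # "1/5"
    actor_key: int                   # operational key (admin-key of the port channel)
    actor_port_priority: int         # `lacp actor port-priority`
    partner_sys: Optional[SystemId]  # None while the port is "defaulted" (no LACPDUs seen)
    partner_key: Optional[int] = None
    partner_port_priority: Optional[int] = None

    @property
    def number(self) -> int:         # numeric port, used as the tiebreaker
        return int(self.name.split("/")[-1])


def group_links(local: SystemId, ports: List[LacpPort]) -> Dict[object, List[LacpPort]]:
    """802.3ad selection rule: links share one aggregator only when actor system ID,
    actor key, partner system ID and partner key all match. A defaulted port
    (no partner information) stays individual."""
    groups: Dict[object, List[LacpPort]] = defaultdict(list)
    for p in ports:
        if p.partner_sys is None or p.partner_key is None:
            groups[("individual", p.name)].append(p)
            continue
        lag_id = (local.sort_key(), p.actor_key, p.partner_sys.sort_key(), p.partner_key)
        groups[lag_id].append(p)
    return dict(groups)


def controlling_system(local: SystemId, partner: SystemId) -> str:
    """The system with the lower system ID decides which links go active, so only
    that side's port priorities matter; `lacp actor port-priority` on the other
    side changes nothing."""
    return "local" if local.sort_key() <= partner.sort_key() else "partner"


def select_active(local: SystemId, links: List[LacpPort], max_active: int) -> List[str]:
    """Links that would be distributing when the aggregator is limited to
    max_active members: lowest port priority first, then lowest port number.
    Simplification: the local port number is the tiebreaker on both sides."""
    if not links:
        return []
    partner = links[0].partner_sys
    if partner is None:
        return [links[0].name]
    if controlling_system(local, partner) == "local":
        def key(p: LacpPort):
            return (p.actor_port_priority, p.number)
    else:
        def key(p: LacpPort):
            prio = 65535 if p.partner_port_priority is None else p.partner_port_priority
            return (prio, p.number)
    return [p.name for p in sorted(links, key=key)[:max_active]]


# Constructed neighbor table, shaped after `show lacp neighbors` (not real data).
LOCAL = SystemId(32768, "B4-0E-DC-39-F4-4D")
PEER = SystemId(32768, "00-12-CF-61-24-2F")
PORTS = [
    LacpPort("1/5", actor_key=1, actor_port_priority=128, partner_sys=PEER,
             partner_key=10, partner_port_priority=32768),
    LacpPort("1/6", actor_key=1, actor_port_priority=32768, partner_sys=PEER,
             partner_key=10, partner_port_priority=100),
    LacpPort("1/7", actor_key=2, actor_port_priority=32768, partner_sys=PEER,
             partner_key=10, partner_port_priority=32768),
    LacpPort("1/8", actor_key=1, actor_port_priority=32768, partner_sys=None),
]

if __name__ == "__main__":
    for lag_id, members in group_links(LOCAL, PORTS).items():
        print(lag_id, [m.name for m in members])
    print("controls selection:", controlling_system(LOCAL, PEER))
```

In the constructed table the peer has the lower MAC with equal priority, so the peer's port priorities decide and the local port-priority 128 on 1/5 is ignored; lowering the local system priority flips that.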
Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
Chapter 12 | Power over Ethernet Commands
Command Usage
◆ The switch automatically detects attached PoE devices by periodically transmitting test voltages over the Gigabit Ethernet copper-media ports. When an IEEE 802.3af or 802.3at compatible device is plugged into one of these ports, the powered device reflects the test voltage back to the swit
ch, which may then turn on the power to this device.
Watts power budget. This means that up to 11/22 ports can supply a maximum of 34.2W of power simultaneously to connected devices (802.3at), or up to 24/48 ports can supply up to 15.4W (802.3af). Values are for the EX-3524 and EX-3548 respectively.
◆ If a device is connected to a switch port and the switch detects that it requires more than the maximum power allocated to the port or to the overall switch, no power is supplied to the device (i.e., port power remains off).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#power inline maximum allocation 8000...
Note (EX-3524): If power priority is not set for any ports, and there is not sufficient power to supply all of the ports during bootup, available power is provided to the ports based on the PSE chips in the following order:...

show power inline status
This command displays the current power status for all ports or for specific ports.
Syntax
show power inline status [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-24/48)
Command Mode
Privileged Exec
Example...

show power inline time-range
This command displays the time-range and current status for specific ports or for all ports.
Syntax
show power inline time-range time-range-name [interface]
time-range-name - Name of the time range. (Range: 1-30 characters)
interface
ethernet...
Table 70: show power mainpower - display description
Field - Description
PoE Maximum Available Power - The available power budget for the switch.
System Operation Status - The current operating power status (displays on or off).
PoE Power - The current power consumption on the switch in watts...
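Added example (not the switch's firmware logic): a priority-ordered PoE allocator in Python that applies the two rules stated above, a per-port ceiling (15.4 W for 802.3af, 34.2 W for 802.3at, further capped by power inline maximum allocation) and the switch-wide budget. ASSUMED_BUDGET_MW, the PoePort fields and the "lower number = served first" priority encoding are assumptions made for the example; read the real budget from show power mainpower.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-port ceilings the manual quotes for this switch, in milliwatts.
MAX_MW_8023AF = 15_400
MAX_MW_8023AT = 34_200
# Assumed switch-wide budget for this example only; take the real figure from
# `show power mainpower` (PoE Maximum Available Power).
ASSUMED_BUDGET_MW = 380_000


@dataclass
class PoePort:
    number: int
    priority: int                 # assumed encoding: lower number = served first
    max_allocation_mw: int        # `power inline maximum allocation` on the port
    detected: Optional[str]       # "802.3af", "802.3at", or None when no PD answers
    requested_mw: int = 0         # what the PD asks for after classification


def port_ceiling(p: PoePort) -> int:
    standard_max = MAX_MW_8023AT if p.detected == "802.3at" else MAX_MW_8023AF
    return min(standard_max, p.max_allocation_mw)


def allocate(ports: List[PoePort], budget_mw: int = ASSUMED_BUDGET_MW) -> Dict[int, Tuple[str, int]]:
    """Serve ports in priority order (then port number). Returns {port: (state, granted_mw)}
    where state is "on", "off-no-pd", "off-over-port-max" or "off-over-budget"."""
    result: Dict[int, Tuple[str, int]] = {}
    remaining = budget_mw
    for p in sorted(ports, key=lambda x: (x.priority, x.number)):
        if p.detected is None:
            result[p.number] = ("off-no-pd", 0)
        elif p.requested_mw > port_ceiling(p):
            result[p.number] = ("off-over-port-max", 0)    # never powered, whatever the budget
        elif p.requested_mw > remaining:
            result[p.number] = ("off-over-budget", 0)      # lower priority loses out
        else:
            remaining -= p.requested_mw
            result[p.number] = ("on", p.requested_mw)
    return result


def powered(alloc: Dict[int, Tuple[str, int]]) -> List[int]:
    return sorted(n for n, (state, _) in alloc.items() if state == "on")


def total_granted(alloc: Dict[int, Tuple[str, int]]) -> int:
    return sum(mw for _, mw in alloc.values())


if __name__ == "__main__":
    # Twelve 802.3at devices all asking for the full 34.2 W: the twelfth stays off.
    aps = [PoePort(n, 1, MAX_MW_8023AT, "802.3at", MAX_MW_8023AT) for n in range(1, 13)]
    alloc = allocate(aps)
    print(powered(alloc), total_granted(alloc), alloc[12])
```

The interesting case for an operator is the mixed one in the test: a high-priority device on a high-numbered port is served before the low-numbered ports, which is what lets a camera or access point at the far end of the switch survive when the budget runs out.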
Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 71: Port Mirroring Commands Command Function...
Chapter 13 | Port Mirroring Commands
Local Port Mirroring Commands
both - Mirror both received and transmitted packets.
vlan-id - VLAN ID (Range: 1-4093)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Default Setting
◆ No mirror session is defined.
◆...
◆ The destination port cannot be a trunk or trunk member port.
◆ RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source ports and destination ports can still be configured.
Console#show port monitor
Port Mirroring
-------------------------------------
Destination Port (listen port) : Eth1/11
Source Port (monitored port)   : Eth1/ 6
Mode                           : RX/TX
Console#

RSPAN Mirroring Commands
Remote Switched Port Analyzer (RSPAN) allows you to mirror traffic from remote switches for analysis on a local destination port.
RSPAN Limitations
The following limitations apply to the use of RSPAN on this switch:
◆ RSPAN Ports – Only ports can be configured as an RSPAN source, destination, or uplink; static and dynamic trunks are not allowed. A port can only be configured as one type of RSPAN interface –...

rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Syntax
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id –...

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN.
display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#
no rspan session...
Example
Console#show rspan session
RSPAN Session ID
Source Ports (mirrored ports) : None
RX Only : None
TX Only : None
BOTH : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode : Untagged
Switch Role...
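Added example, not from the manual: a Python validator that checks a planned RSPAN session against the limitations listed above (no trunks or trunk members, one RSPAN role per port, no uplink ports while 802.1X is enabled globally) and against the reserved VLANs noted in the VLAN chapter (1, the default VLAN, and 4093, the clustering VLAN). Running it before pushing a mirror session for an IDS tap avoids the silent partial configurations these rules produce. The SwitchState and RspanSession records and the STATE scenario are constructed; the role-to-port requirements (source ports on a source switch, a destination port on a destination switch, uplinks on every role) follow the rspan remote vlan description.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SwitchState:
    trunk_members: Set[str] = field(default_factory=set)       # ports in a static or LACP trunk
    dot1x_global: bool = False                                  # 802.1X enabled globally
    rspan_roles: Dict[str, str] = field(default_factory=dict)   # port -> RSPAN role already in use
    reserved_vlans: Set[int] = field(default_factory=lambda: {1, 4093})  # default VLAN, clustering VLAN


@dataclass
class RspanSession:
    session_id: int
    remote_vlan: int
    role: str                    # "source", "intermediate" or "destination"
    source_ports: List[str] = field(default_factory=list)
    destination_port: str = ""
    uplink_ports: List[str] = field(default_factory=list)


def validate_rspan(s: RspanSession, st: SwitchState) -> List[str]:
    """Return the reasons the switch would refuse (or silently misbehave on) this session."""
    errors: List[str] = []
    if s.remote_vlan in st.reserved_vlans:
        errors.append(f"VLAN {s.remote_vlan} is reserved (default VLAN or clustering VLAN)")
    if s.role not in ("source", "intermediate", "destination"):
        errors.append(f"unknown switch role {s.role!r}")
    if s.role == "source" and not s.source_ports:
        errors.append("source switch needs at least one rspan source port")
    if s.role == "destination" and not s.destination_port:
        errors.append("destination switch needs an rspan destination port")
    if not s.uplink_ports:
        errors.append("every RSPAN role needs at least one uplink port")

    # Which role(s) this session wants on each port.
    roles: Dict[str, Set[str]] = {}
    for p in s.source_ports:
        roles.setdefault(p, set()).add("source")
    if s.destination_port:
        roles.setdefault(s.destination_port, set()).add("destination")
    for p in s.uplink_ports:
        roles.setdefault(p, set()).add("uplink")

    for port, wanted in sorted(roles.items()):
        if port.startswith("port-channel") or port in st.trunk_members:
            errors.append(f"{port}: trunks and trunk members cannot be RSPAN interfaces")
        existing = {st.rspan_roles[port]} if port in st.rspan_roles else set()
        combined = wanted | existing
        if len(combined) > 1:
            errors.append(f"{port}: a port can hold only one RSPAN role, got {sorted(combined)}")
    if st.dot1x_global and s.uplink_ports:
        errors.append("802.1X is enabled globally: RSPAN uplink ports cannot be configured")
    return errors


# Constructed scenario (not from a real switch): port 1/3 is in a trunk,
# port 1/2 is already the destination of an earlier session.
STATE = SwitchState(trunk_members={"1/3"}, dot1x_global=False,
                    rspan_roles={"1/2": "destination"})

if __name__ == "__main__":
    planned = RspanSession(1, 1, "destination", destination_port="1/3", uplink_ports=["1/2"])
    for problem in validate_rspan(planned, STATE):
        print("refuse:", problem)
```

The 802.1X check is the one most often missed: enabling port authentication later on a switch that already carries an RSPAN uplink is the same conflict from the other direction, so the validator is worth re-running on the existing sessions before turning 802.1X on.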
Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Chapter 14 | Congestion Control Commands
Rate Limit Commands
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.
Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}...

Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
Command Usage
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆...
Automatic Traffic Control Commands
Table 77: ATC Commands (Continued)
Command - Function - Mode
auto-traffic-control alarm-fire-threshold - Sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires - IC (Port)
auto-traffic-control auto-... - Automatically releases a control response - IC (Port)
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 1: Storm Control by Limiting the Traffic Rate
Figure 2: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply...

auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.
Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.
Default Setting
rate-control
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆...
Default Setting
128 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or...
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.

snmp-server enable port-traps atc broadcast-alarm-fire
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc broadcast-alarm-fire
Default Setting
Disabled...

snmp-server enable port-traps atc broadcast-control-release
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.
Syntax...

snmp-server enable port-traps atc multicast-alarm-fire
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Syntax
[no] snmp-server enable port-traps atc multicast-alarm-fire
Default Setting
Disabled...

snmp-server enable port-traps atc multicast-control-release
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release timer expires. Use the no form to disable this trap.

show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
Syntax
show auto-traffic-control interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
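Added example (not the switch's implementation): a Python state machine that reproduces the ATC sequence described above and in the two figures. It emits the alarm-fire trap when the rate crosses the upper threshold, control-apply after the apply timer, alarm-clear when the rate drops beneath the lower threshold, and then either control-release after the release timer (rate-control with automatic release), a held limit, or a shut-down port that only an operator can bring back. Feeding it per-second counters from a monitoring system is a cheap way to confirm which traps a given storm profile will raise before tuning thresholds on production ports. The numeric defaults in AtcConfig other than the 128 kpps clear threshold, and the rate samples, are assumed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AtcConfig:
    traffic: str = "broadcast"      # "broadcast" or "multicast"; selects the trap names
    fire_kpps: int = 128            # alarm-fire-threshold (assumed value)
    clear_kpps: int = 128           # alarm-clear-threshold (manual default 128 kpps)
    apply_timer_s: int = 5          # apply timer (assumed value)
    release_timer_s: int = 30       # release timer (assumed value)
    action: str = "rate-control"    # auto-traffic-control action: rate-control | shutdown
    auto_release: bool = True       # automatic release configured


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"           # normal | alarm | controlled | releasing | held | shutdown
    timer: int = 0
    traps: List[str] = field(default_factory=list)

    def _trap(self, suffix: str) -> None:
        self.traps.append(f"{self.cfg.traffic}-{suffix}")

    def tick(self, kpps: int) -> str:
        """Advance one second with the observed ingress rate; returns the new state."""
        c = self.cfg
        if self.state == "normal":
            if kpps > c.fire_kpps:
                self.state, self.timer = "alarm", c.apply_timer_s
                self._trap("alarm-fire")
        elif self.state == "alarm":
            if kpps < c.clear_kpps:
                self.state = "normal"               # storm ended before the apply timer ran out
                self._trap("alarm-clear")
            else:
                self.timer -= 1
                if self.timer <= 0:
                    self._trap("control-apply")
                    self.state = "shutdown" if c.action == "shutdown" else "controlled"
        elif self.state == "controlled":
            if kpps < c.clear_kpps:
                self._trap("alarm-clear")
                if c.auto_release:
                    self.state, self.timer = "releasing", c.release_timer_s
                else:
                    self.state = "held"             # limit stays until released by hand
        elif self.state == "releasing":
            if kpps > c.fire_kpps:
                self.state = "controlled"           # storm is back; keep the limit on
            else:
                self.timer -= 1
                if self.timer <= 0:
                    self._trap("control-release")
                    self.state = "normal"
        # "held" and "shutdown" only leave through release_manually()
        return self.state

    def release_manually(self) -> None:
        """Operator clears the control response (or re-enables a shut-down port)."""
        self.state, self.timer = "normal", 0


def run(cfg: AtcConfig, samples: List[int]) -> Tuple[List[str], List[str]]:
    """Feed per-second rate samples through one port; returns (states, traps)."""
    port = AtcPort(cfg)
    states = [port.tick(s) for s in samples]
    return states, port.traps


# Constructed rate samples in kpps (not measured traffic).
STORM_THEN_QUIET = [50, 200, 200, 200, 50, 50, 50]

if __name__ == "__main__":
    print(run(AtcConfig(apply_timer_s=2, release_timer_s=2), STORM_THEN_QUIET))
    print(run(AtcConfig(action="shutdown", apply_timer_s=2), STORM_THEN_QUIET))
```

The shutdown action is the safer response on access ports, because a port that stays down until someone looks at it is also a port a storm-generating host cannot keep re-triggering; rate-control with automatic release suits uplinks where an outage costs more than the storm.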
- Aging time. (Range: 10-844/672 seconds, values for the EX-3524 and EX-3548 respectively; 0 to disable aging)
Default Setting
300 seconds
Command Mode
Global Configuration
Command Usage
The aging time is used to age out dynamically learned forwarding information.
Chapter 15 | Address Table Commands
Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear mac-address-table dynamic
Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Config - Static entry
■...

show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
Syntax
show mac-address-table count interface interface
interface
ethernet unit/port
unit - Unit identifier.
Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 79: Spanning Tree Commands
Command - Function - Mode
spanning-tree - Enables the spanning tree protocol
spanning-tree cisco-prestandard - Configures spanning tree operation to be compatible with...
Chapter 16 | Spanning Tree Commands
Table 79: Spanning Tree Commands (Continued)
Command - Function - Mode
spanning-tree loopback-detection release-mode - Configures loopback release mode for a port
spanning-tree loopback-detection trap - Enables BPDU loopback SNMP trap notification for a port
spanning-tree mst cost - Configures the path cost of an interface in the MST instance - IC
spanning-tree mst port-priority - Configures the priority of an interface in the MST instance...
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#

spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
Syntax
[no] spanning-tree cisco-prestandard
Default Setting
Disabled...
Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
◆ Spanning Tree Protocol: This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network.

spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000.
Command Mode
Global Configuration
Command Usage
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., the lowest numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
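Added example, not from the manual, covering the max-age constraint in the spanning-tree max-age command and the root election rule just described. validate_timers applies the 802.1D relationship 2*(forward-delay-1) >= max-age >= 2*(hello+1) (the max-age range 6-40 is the manual's; hello 1-10 and forward-delay 4-30 are assumed), validate_bridge_priority applies the 802.1t step of 4096, and rogue_root_candidates lists the bridges that would out-rank the intended root, which is exactly the set of devices root-guard and bpdu-guard on edge ports exist to keep out. The BRIDGES inventory is constructed.

```python
from typing import List, Tuple


def min_max_age(hello: int) -> int:
    """Smallest max-age this switch accepts: the higher of 6 and 2*(hello-time+1)."""
    return max(6, 2 * (hello + 1))


def validate_timers(hello: int, max_age: int, forward_delay: int) -> List[str]:
    """802.1D timer relationship: 2*(forward-delay-1) >= max-age >= 2*(hello+1).
    The max-age range 6-40 is from the manual; hello 1-10 and forward-delay 4-30
    are the usual 802.1D ranges and are assumed here."""
    errors = []
    if not 1 <= hello <= 10:
        errors.append("hello-time outside 1-10")
    if not 4 <= forward_delay <= 30:
        errors.append("forward-time outside 4-30")
    if not 6 <= max_age <= 40:
        errors.append("max-age outside 6-40")
    if max_age < min_max_age(hello):
        errors.append(f"max-age must be at least {min_max_age(hello)} for hello-time {hello}")
    if max_age > 2 * (forward_delay - 1):
        errors.append(f"max-age {max_age} exceeds 2*(forward-time-1) = {2 * (forward_delay - 1)}")
    return errors


def validate_bridge_priority(priority: int) -> List[str]:
    """802.1t bridge priority: 0-61440 in steps of 4096 (the low 12 bits carry the instance ID)."""
    errors = []
    if not 0 <= priority <= 61440:
        errors.append("priority outside 0-61440")
    if priority % 4096:
        errors.append("priority must be a multiple of 4096")
    return errors


Bridge = Tuple[str, int, str]   # (name, priority, MAC)


def bridge_id_key(priority: int, mac: str) -> Tuple[int, int]:
    return (priority, int(mac.replace("-", "").replace(":", "").replace(".", ""), 16))


def elect_root(bridges: List[Bridge]) -> str:
    """Lowest numeric priority wins; ties fall through to the lowest MAC address."""
    return min(bridges, key=lambda b: bridge_id_key(b[1], b[2]))[0]


def rogue_root_candidates(bridges: List[Bridge], intended_root: str) -> List[str]:
    """Bridges whose bridge ID beats the intended root. Any of these plugged into a
    port without root-guard (or bpdu-guard on an edge port) takes over the topology
    and with it the path every VLAN's traffic follows."""
    root_key = next(bridge_id_key(p, m) for n, p, m in bridges if n == intended_root)
    return [n for n, p, m in bridges if bridge_id_key(p, m) < root_key]


# Constructed bridge list (not real inventory).
BRIDGES: List[Bridge] = [
    ("core1", 4096, "00-11-22-33-44-55"),
    ("core2", 4096, "00-11-22-33-44-56"),
    ("access1", 32768, "00-aa-bb-cc-dd-01"),
    ("rogue", 0, "aa-bb-cc-dd-ee-ff"),
]

if __name__ == "__main__":
    print(validate_timers(hello=2, max_age=20, forward_delay=15))
    print(elect_root(BRIDGES), rogue_root_candidates(BRIDGES, "core1"))
```

Setting the intended root to priority 0 removes the "rogue" entry from the candidate list in this model, but a device with priority 0 and a lower MAC still wins the tie, which is why the guard commands on the access ports matter more than the priority value.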
Command Mode
Global Configuration
Command Usage
This command limits the maximum transmission rate for BPDUs.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded.
mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance-id priority priority
no mst instance-id priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of the spanning tree instance.
Command Mode
MST Configuration
Command Usage
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Related Commands
revision (378)

revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
Syntax
revision number
number - Revision number of the spanning tree. (Range: 0-65535)
Default Setting
Command Mode
MST Configuration...
conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs. However, note that if a trunking port connected to another switch or bridging device is mistakenly configured as an edge port, and BPDU filtering is enabled on this port, this might cause a loop in the spanning tree.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-guard
Console(config-if)#
Related Commands
spanning-tree edge-port (381)
spanning-tree spanning-disabled (389)

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost...
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE 802.1w-2001 clause 9.3.4 (Note 1).
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection action shutdown 600
Console(config-if)#

spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#

spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
Syntax
[no] spanning-tree loopback-detection trap
Default Setting
Disabled
Command Mode...
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Each spanning-tree instance is associated with a unique set of VLAN IDs.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices.
◆ Where more than one interface is assigned the highest priority, the interface with the lowest numeric identifier will be enabled.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree mst 1 port-priority 0
Console(config-if)#
Related Commands
spanning-tree mst cost (385)

spanning-tree port-priority
This command configures the priority for the specified interface.

spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
Syntax
[no] spanning-tree root-guard
Default Setting
Disabled
Command Mode...

spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Syntax
[no] spanning-tree spanning-disabled
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example...

spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-12)
Command Mode
Privileged Exec...
Command Mode
Privileged Exec
Command Usage
◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree.
◆...
Designated Bridge : 32768.0.123412341234
Fast Forwarding : Disabled
Forward Transitions
Admin Edge Port : Disabled
Oper Edge Port : Disabled
Admin Link Type : Auto
Oper Link Type : Point-to-point
Spanning-Tree Status : Enabled
Loopback Detection Status : Enabled
Loopback Detection Release Mode : Auto...
VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 17 | VLAN Commands
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
Related Commands
show garp timer (398)

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.

switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
GVRP cannot be enabled for ports set to Access mode using the switchport mode...
Table 84: show bridge-ext - display description
Field - Description
Maximum Supported VLAN Numbers - The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID - The maximum configurable VLAN identifier supported on this switch.
Extended Multicast... - This switch does not support the filtering of individual multicast addresses...

Editing VLAN Groups
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan...
switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands”...
Table 86: Commands for Configuring VLAN Interfaces (Continued)
Command - Function - Mode
switchport ingress-filtering - Enables ingress filtering on an interface
switchport mode - Configures VLAN membership mode for an interface
switchport native vlan - Configures the PVID (native VLAN) of an interface
switchport priority default - Sets a port priority for incoming untagged frames
vlan-trunking...

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
all - The port accepts all frames, tagged or untagged.
tagged - The port only receives tagged frames.
Default Setting
All ports are assigned to VLAN 1 by default. The default frame type is untagged.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ If a port or trunk has switchport mode set to access, then only one VLAN can be added with this command.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Ingress filtering only affects tagged frames.
◆ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
Command Usage
Access mode is mutually exclusive with VLAN trunking (see the vlan-trunking command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
Example
The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:...

vlan-trunking
This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature.
Syntax
[no] vlan-trunking
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆...
Chapter 17 | VLAN Commands Displaying VLAN Information flooded to all other ports where VLAN trunking is enabled. (In other words, VLAN trunking will still be effectively enabled for the unknown VLAN). Example The following example enables VLAN trunking on ports 27 and 28 to establish a path across the switch for unknown VLAN groups: Console(config)#interface ethernet 1/27 Console(config-if)#vlan-trunking...
Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Example The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN ID: 1 Type: Static Name: DefaultVlan Status: Active Ports/Port Channels : Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S) Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S) Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S) Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S) Eth1/20(S)
Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See dot1q-tunnel tpid.) Configure the QinQ tunnel access port to join the SPVLAN as an untagged...
Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)# Related Commands show dot1q-tunnel (413) show interfaces switchport (305) dot1q-tunnel tpid This command sets the Tag Protocol Identifier (TPID) value for all ports. Use the no form to restore the default setting. Syntax dot1q-tunnel tpid tpid no dot1q-tunnel tpid...
Chapter 17 | VLAN Commands Configuring IEEE 802.1Q Tunneling Example Console(config)#dot1q-tunnel tpid 9100 Console(config)# Related Commands show interfaces switchport (305) switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode...
Chapter 17 | VLAN Commands Configuring Protocol-based VLANs show dot1q-tunnel This command displays information about QinQ tunnel ports. Command Mode Privileged Exec Example Console(config)#dot1q-tunnel system-tunnel-control Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel mode access Console(config-if)#interface ethernet 1/2 Console(config-if)#switchport dot1q-tunnel mode uplink Console(config-if)#end Console#show dot1q-tunnel Current double-tagged status of the system is Enabled The dot1q-tunnel mode of the set interface 1/1 is Access mode, TPID is 0x8100.
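The following is an added example, not code from the switch manual or its vendor. It models in Python the frame handling the two preceding sections describe: how an access port classifies untagged and tagged frames under `switchport acceptable-frame-types` and `switchport ingress-filtering`, and how a QinQ tunnel access port pushes an outer SPVLAN tag with the TPID set by `dot1q-tunnel tpid`. The `Port` dataclass and its attribute names are this example's own; the frames are constructed byte strings, not captures.

```python
import struct
from dataclasses import dataclass, field

TPID_STD = 0x8100  # standard 802.1Q tag ethertype; the manual's default TPID


@dataclass
class Port:
    """Per-port settings modelled on the manual's switchport commands.
    Attribute names are this example's own, not the switch's CLI."""
    pvid: int = 1                               # switchport native vlan
    member_vlans: set = field(default_factory=lambda: {1})
    acceptable_frame_types: str = "all"         # "all" or "tagged"
    ingress_filtering: bool = False             # manual default: disabled
    tpid: int = TPID_STD                        # dot1q-tunnel tpid


def parse_tag(frame: bytes, tpid: int = TPID_STD):
    """Return (vid, pcp, inner_ethertype) when the frame carries a tag with
    the given TPID directly after the MAC addresses, otherwise None."""
    if len(frame) < 18:
        return None
    ethertype, tci, inner = struct.unpack("!HHH", frame[12:18])
    if ethertype != tpid:
        return None
    return tci & 0x0FFF, tci >> 13, inner


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_STD) -> bytes:
    """Insert a 4-byte VLAN tag after the destination and source MACs."""
    if not 0 < vid < 4095:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def ingress(port: Port, frame: bytes):
    """Classify a frame arriving on `port`.
    Returns (vid, action) with action 'forward', 'flood' or 'drop'."""
    tag = parse_tag(frame, port.tpid)
    if tag is None:                             # untagged, or a foreign TPID
        if port.acceptable_frame_types == "tagged":
            return None, "drop"
        return port.pvid, "forward"             # classified by the PVID
    vid = tag[0]
    if vid in port.member_vlans:
        return vid, "forward"
    if port.ingress_filtering:
        return vid, "drop"
    # Manual: with ingress filtering disabled, frames tagged for a VLAN the
    # port is not a member of are flooded to the other ports. This is what
    # lets a host inject traffic into VLANs it was never assigned to.
    return vid, "flood"


def qinq_access_ingress(frame: bytes, spvlan: int, tpid: int) -> bytes:
    """Tunnel access port: push the service-provider tag (SPVLAN) using the
    provider TPID, leaving any customer tag intact as the inner tag."""
    return push_tag(frame, spvlan, tpid=tpid)


def qinq_access_egress(frame: bytes, tpid: int) -> bytes:
    """Towards the customer: strip the outer tag if it carries our TPID."""
    return pop_tag(frame) if parse_tag(frame, tpid) is not None else frame


def build_frame(vid=None, payload: bytes = b"\x45" + b"\x00" * 45) -> bytes:
    """Constructed sample frame: dst MAC, src MAC, IPv4 ethertype, payload."""
    f = bytes.fromhex("010203040506" "0a0b0c0d0e0f" "0800") + payload
    return f if vid is None else push_tag(f, vid)
```

Two behaviours are worth noting when you run it. A port with `ingress_filtering=False` returns `"flood"` for a tag the port is not a member of, which is the VLAN-injection case the `switchport ingress-filtering` usage text warns about. And a port whose TPID has been set to 0x9100 treats a 0x8100-tagged frame as untagged, which is why the QinQ section says the TPID must match what the attached client actually sends.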
Chapter 17 | VLAN Commands Configuring Protocol-based VLANs To configure protocol-based VLANs, follow these steps: First configure VLAN groups for the protocols you want to use (page 400). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time.
Chapter 17 | VLAN Commands Configuring Protocol-based VLANs protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan group-id - Group identifier of this protocol group.
Chapter 17 | VLAN Commands Configuring Protocol-based VLANs show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups. Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group. (Range: 1-2147483647) Default Setting All protocol groups are displayed.
Chapter 17 | VLAN Commands Configuring IP Subnet VLANs Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port ProtocolGroup ID VLAN ID ---------- ------------------ ----------- Eth 1/1 vlan2...
Chapter 17 | VLAN Commands Configuring IP Subnet VLANs Default Setting Priority: 0 Command Mode Global Configuration Command Usage ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a subnet mask. The specified VLAN need not be an existing VLAN.
Chapter 17 | VLAN Commands Configuring MAC Based VLANs 192.168.12.224 255.255.255.240 192.168.12.240 255.255.255.248 192.168.12.248 255.255.255.252 192.168.12.252 255.255.255.254 192.168.12.254 255.255.255.255 192.168.12.255 255.255.255.255 Console# Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
Chapter 17 | VLAN Commands Configuring MAC Based VLANs Command Mode Global Configuration Command Usage ◆ The MAC-to-VLAN mapping applies to all ports on the switch. ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆...
Chapter 17 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
Chapter 17 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
Chapter 17 | VLAN Commands Configuring Voice VLANs Example The following example configures the Voice VLAN aging time as 3000 minutes. Console(config)#voice vlan aging 3000 Console(config)# voice vlan mac-address This command specifies MAC address ranges to add to the OUI Telephony list. Use the no form to remove an entry from the list.
Chapter 17 | VLAN Commands Configuring Voice VLANs switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port. Syntax switchport voice vlan {manual | auto} no switchport voice vlan manual - The Voice VLAN feature is enabled on the port, but the port must be manually added to the Voice VLAN.
Chapter 17 | VLAN Commands Configuring Voice VLANs Default Setting Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN. The priority of any received VoIP packet is overwritten with the new priority when the Voice VLAN feature is active for the port.
Chapter 17 | VLAN Commands Configuring Voice VLANs Example The following example enables the OUI method on port 1 for detecting VoIP traffic. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan rule oui Console(config-if)# switchport voice vlan This command enables security filtering for VoIP traffic on a port. Use the no form to disable filtering on a port.
Chapter 17 | VLAN Commands Configuring Voice VLANs Default Setting None Command Mode Privileged Exec Example Console#show voice vlan status Global Voice VLAN Status Voice VLAN Status : Enabled Voice VLAN ID : 1234 Voice VLAN aging time : 1440 minutes Voice VLAN Port Summary Port Mode...
Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 18 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round- Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Chapter 18 | Class of Service Commands Priority Commands (Layer 2) queue is polled for service, and subsequently affects the response time for software applications assigned a specific priority value. ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing.
Chapter 18 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 3. Console(config)#queue weight 1 2 3 4 Console(config)# Related Commands queue mode (430) show queue weight (433)
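As an added example (not code from the manual or the switch vendor), the following Python models the three egress scheduling modes the `queue mode` command selects for the eight CoS queues: strict priority, weighted round-robin with the weights from `queue weight`, and the combination in which the top queues are served strictly and the rest share the remainder by WRR. The queue backlogs are constructed; the mode strings and the `strict_queues` parameter are this example's own naming.

```python
from collections import deque


def schedule(mode, backlogs, weights=None, strict_queues=0):
    """Drain eight CoS queues and return the transmit order.

    backlogs: dict queue_number -> list of packet ids (queue 7 is highest).
    weights:  per-queue WRR weights, index = queue number (default all 1).
    strict_queues (mode "strict-wrr" only): how many of the top queues are
    served strictly before the WRR set gets a turn."""
    q = {i: deque(backlogs.get(i, [])) for i in range(8)}
    weights = weights or [1] * 8
    order = []

    def strict_pick(queues):
        for i in sorted(queues, reverse=True):   # highest queue first
            if q[i]:
                return q[i].popleft()
        return None

    if mode == "strict":
        while (p := strict_pick(range(8))) is not None:
            order.append(p)
        return order

    if mode == "wrr":
        strict_set, wrr_set = [], list(range(8))
    elif mode == "strict-wrr":
        strict_set = list(range(8 - strict_queues, 8))
        wrr_set = list(range(8 - strict_queues))
    else:
        raise ValueError("unknown queue mode %r" % mode)

    while any(q[i] for i in range(8)):
        # Strict queues are always drained first. With enough high-priority
        # traffic they starve the WRR set, which is the manual's reason for
        # offering the combined mode instead of strict for everything.
        if (p := strict_pick(strict_set)) is not None:
            order.append(p)
            continue
        # One WRR round: each queue sends up to `weight` packets, high to low.
        for i in sorted(wrr_set, reverse=True):
            for _ in range(weights[i]):
                if q[i]:
                    order.append(q[i].popleft())
    return order


def sample_backlog():
    """Constructed backlog on queues 0-3 to exercise the manual's weights 1-4."""
    return {0: ["a1", "a2"], 1: ["b1", "b2", "b3"],
            2: ["c1", "c2", "c3", "c4"], 3: ["d1", "d2", "d3", "d4", "d5"]}
```

Running `schedule("wrr", sample_backlog(), [1, 2, 3, 4, 1, 1, 1, 1])` shows the weights from the manual's example acting per round (queue 3 sends four packets before queue 0 sends one), while `schedule("strict", ...)` on the same backlog never serves queue 0 until queues 1 to 3 are empty.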
Chapter 18 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (305) show queue mode This command shows the current queue mode.
Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 95: Priority Commands (Layer 3 and 4) Command Function Mode...
Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map dscp-mutation This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) ◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/ Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) Example Console(config)#qos map phb-queue 0 from 1 2 3 Console(config)# qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Chapter 18 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map cos-dscp This command shows the ingress CoS/CFI to internal DSCP map. Syntax show qos map cos-dscp Command Mode Privileged Exec Example Console#show qos map cos-dscp CoS-DSCP Map.
Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 19 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an access...
Chapter 19 | Quality of Service Commands ◆ One or more class maps can be assigned to a policy map (page 445). The policy map is then bound by a service policy to an interface (page 456). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the...
Chapter 19 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | ip dscp dscp | ip precedence ip-precedence | vlan vlan-id} acl-name - Name of the access control list.
Chapter 19 | Quality of Service Commands This example creates a class map call “rd-class#2, ” and sets it to match packets marked for IP Precedence service value 5. Console(config)#class-map rd-class#2 match-any Console(config-cmap)#match ip precedence 5 Console(config-cmap)# This example creates a class map call “rd-class#3, ” and sets it to match packets marked for VLAN 1.
Chapter 19 | Quality of Service Commands Command Usage ◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map. ◆...
Chapter 19 | Quality of Service Commands set cos command sets the class of service value in matching packets. ■ (This modifies packet priority in the VLAN tag.) set ip dscp command sets the IP DSCP value in matching packets. ■...
Chapter 19 | Quality of Service Commands Default Setting None Command Mode Policy Map Class Configuration Command Usage ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
Chapter 19 | Quality of Service Commands police srtcm-color This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. Syntax [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action transmit exceed-action {drop | new-dscp}...
Chapter 19 | Quality of Service Commands ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green if it doesn't exceed the CIR and BC, yellow if it does exceed the CIR and BC, but not the BE, and red otherwise.
Chapter 19 | Quality of Service Commands command to limit the average bandwidth to 100,000 Kbps, the committed burst size to 4000 bytes, the excess burst size to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the excess burst size.
Chapter 19 | Quality of Service Commands new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63) Default Setting None Command Mode Policy Map Class Configuration Command Usage ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆...
Chapter 19 | Quality of Service Commands When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode: If the packet has been precolored as red or if Tp(t)-B < 0, the packet is red, ■...
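The following added example (not code from the manual or the switch vendor) implements the two meters behind the `police srtcm-color-*` command described earlier and the trTCM colour-aware rules quoted just above: the single rate three colour marker of RFC 2697 and the two rate three colour marker of RFC 2698. It serves both passages. Rates are in bytes per second and bucket sizes in bytes; time is passed in explicitly so the result is deterministic rather than wall-clock dependent. The packet sizes used at the bottom are constructed, and the conversion of the manual's 100,000 Kbps to 12,500,000 bytes/s assumes Kbps means 1000 bits per second.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTCM:
    """RFC 2697 single rate three colour marker.
    Bucket C (size CBS) and bucket E (size EBS) are both filled at CIR;
    tokens go to C first and overflow into E. Both start full."""

    def __init__(self, cir_bps, cbs, ebs, color_aware=False, now=0.0):
        self.cir, self.cbs, self.ebs = cir_bps, cbs, ebs
        self.color_aware = color_aware
        self.tc, self.te = cbs, ebs
        self.last = now

    def _refill(self, now):
        self.tc += (now - self.last) * self.cir
        self.last = now
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + (self.tc - self.cbs))
            self.tc = self.cbs

    def mark(self, size, now, precolor=GREEN):
        self._refill(now)
        # colour-blind: ignore precolour; colour-aware: never promote a packet
        if (not self.color_aware or precolor == GREEN) and self.tc >= size:
            self.tc -= size
            return GREEN
        if (not self.color_aware or precolor != RED) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


class TrTCM:
    """RFC 2698 two rate three colour marker.
    Bucket P (size PBS) fills at PIR, bucket C (size CBS) at CIR."""

    def __init__(self, cir_bps, cbs, pir_bps, pbs, color_aware=False, now=0.0):
        self.cir, self.cbs, self.pir, self.pbs = cir_bps, cbs, pir_bps, pbs
        self.color_aware = color_aware
        self.tc, self.tp = cbs, pbs
        self.last = now

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)

    def mark(self, size, now, precolor=GREEN):
        self._refill(now)
        # manual's rule: red if precoloured red or Tp(t) - B < 0
        if (self.color_aware and precolor == RED) or self.tp < size:
            return RED
        # yellow if precoloured yellow or Tc(t) - B < 0; only P is charged
        if (self.color_aware and precolor == YELLOW) or self.tc < size:
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def run_burst(meter, sizes, now=0.0, precolor=GREEN):
    """Offer a list of packet sizes at one instant; return their colours."""
    return [meter.mark(s, now, precolor) for s in sizes]


def manual_example_srtcm():
    """The manual's figures: CIR 100,000 Kbps, BC 4000 bytes, BE 6000 bytes,
    offered a constructed burst of seven 1500-byte packets at t = 0."""
    return run_burst(SrTCM(12_500_000, 4000, 6000), [1500] * 7)
```

With the manual's numbers the first two 1500-byte packets fit in the committed bucket and are green, the next four draw down the excess bucket and are yellow (remarked with the exceed-action DSCP), and the seventh is red (dropped by the violate action). One millisecond later the buckets have refilled and the next packet is green again, which is what "burst" means here: the bucket sizes cap how much can pass at once, the CIR governs the long-run average.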
Chapter 19 | Quality of Service Commands ◆ The set cos and set phb command function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command. Example This example creates a policy called “rd-policy, ” uses the class command to specify the previously defined “rd-class, ”...
Chapter 19 | Quality of Service Commands Example This example creates a policy called “rd-policy, ” uses the class command to specify the previously defined “rd-class, ” uses the set ip dscp command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and...
Chapter 19 | Quality of Service Commands Example This example creates a policy called “rd-policy, ” uses the class command to specify the previously defined “rd-class, ” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure...
Chapter 19 | Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all class maps.
Chapter 19 | Quality of Service Commands Example Console#show policy-map Policy Map rd-policy Description: class rd-class set phb 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 Console# show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface input...
Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/ router to ensure that it will continue to receive the multicast service.
Chapter 20 | Multicast Filtering Commands IGMP Snooping Table 101: IGMP Snooping Commands (Continued) Command Function Mode ip igmp snooping Floods unregistered multicast traffic into the attached unregistered-data-flood VLAN ip igmp snooping Specifies how often the upstream interface should unsolicited-report-interval transmit unsolicited IGMP reports (when proxy reporting is enabled) ip igmp snooping version...
Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping This command enables IGMP snooping globally on the switch or on a selected VLAN interface. Use the no form to disable it. Syntax [no] ip igmp snooping [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4093) Default Setting Disabled...
Chapter 20 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
Chapter 20 | Multicast Filtering Commands IGMP Snooping Default Setting Disabled Command Mode Global Configuration Command Usage As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert option can be used to protect against DoS attacks. One common method of attack is launched by an intruder who takes over the role of querier, and starts overloading multicast hosts by sending a large number of group-and-source-specific queries, each with the Maximum Response Time set to a large value.
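As an added example (not the switch's own code, and the command name itself is not visible in this excerpt; the show output later in the chapter calls the setting "Router alert check"), the following Python performs the check the usage text describes: an IGMP message is only acted on if its IPv4 header carries the Router Alert option (RFC 2113, type 0x94, length 4, value 0), as RFC 3376 section 9.1 recommends. It also validates the IPv4 header checksum and refuses malformed option lengths, since a snooping switch parses these headers from untrusted hosts. The two packets at the bottom are constructed for the example, not captured.

```python
import struct

IPPROTO_IGMP = 2
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])   # RFC 2113: type, length, value


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum used by both the IPv4 header and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, options=b"") -> bytes:
    """Build an IPv4 packet; options are padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 1, proto, 0, src, dst) + options
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def has_router_alert(packet: bytes) -> bool:
    """Walk the IPv4 options field looking for a well-formed Router Alert."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts):
            return False                   # option header runs off the end
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False                   # bogus length: do not trust header
        if kind == 0x94 and length == 4 and opts[i + 2:i + 4] == b"\x00\x00":
            return True
        i += length
    return False


def accept_igmp(packet: bytes, router_alert_check: bool) -> bool:
    """Should snooping process this packet as IGMP?"""
    if len(packet) < 20 or packet[9] != IPPROTO_IGMP:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False
    if ones_complement_checksum(packet[:ihl]) != 0:
        return False                       # corrupted or forged header
    return (not router_alert_check) or has_router_alert(packet)


# Constructed IGMPv2 general query: type 0x11, max response 10 s, group 0.0.0.0
_igmp = bytes([0x11, 0x64, 0, 0, 0, 0, 0, 0])
IGMP_QUERY = _igmp[:2] + struct.pack("!H", ones_complement_checksum(_igmp)) + _igmp[4:]
SRC, DST = bytes([192, 168, 1, 1]), bytes([224, 0, 0, 1])
QUERY_WITH_RA = build_ipv4(SRC, DST, IPPROTO_IGMP, IGMP_QUERY, ROUTER_ALERT)
QUERY_NO_RA = build_ipv4(SRC, DST, IPPROTO_IGMP, IGMP_QUERY)
```

With the check enabled, `QUERY_NO_RA` is ignored even though it is otherwise a valid query; a rogue querier that does not bother with the option (many simple injection tools do not) therefore has no effect on the snooping tables. Legitimate IGMP stacks set the option, so enabling the check is normally free.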
Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping tcn-flood This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding. Syntax [no] ip igmp snooping tcn-flood Default Setting Disabled Command Mode...
Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following example enables TCN flooding. Console(config)#ip igmp snooping tcn-flood Console(config)# ip igmp snooping tcn-query-solicit This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping unregistered-data-flood This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration
Chapter 20 | Multicast Filtering Commands IGMP Snooping Example Console(config)#ip igmp snooping unsolicited-report-interval 5 Console(config)# ip igmp snooping version This command configures the IGMP snooping version. Use the no form to restore the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4093) 1 - IGMP Version 1...
Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping version-exclusive This command discards any received IGMP messages (except for multicast protocol packets) which use a version different from that currently configured by the ip igmp snooping version command. Use the no form to disable this feature. Syntax ip igmp snooping [vlan vlan-id] version-exclusive no ip igmp snooping version-exclusive...
Chapter 20 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following shows how to enable immediate leave. Console(config)#ip igmp snooping vlan 1 immediate-leave Console(config)# ip igmp snooping vlan last-memb-query- This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members.
Chapter 20 | Multicast Filtering Commands IGMP Snooping Default Setting 10 (1 second) Command Mode Global Configuration Command Usage ◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific query message, and starts a timer.
Chapter 20 | Multicast Filtering Commands IGMP Snooping ◆ Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the expiration of a periodic timer, as a part of a router's start up procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message.
Chapter 20 | Multicast Filtering Commands IGMP Snooping To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command. Rules Used for Proxy Reporting When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
Chapter 20 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined. ◆...
Chapter 20 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface vlan-id - VLAN ID (Range: 1-4093) ip-address - IP address for multicast group interface...
Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping IGMP snooping : Disabled Router port expire time : 300 s Router alert check : Disabled Tcn flood : Disabled Tcn query solicit : Disabled Unregistered data flood...
Chapter 20 | Multicast Filtering Commands IGMP Snooping Example The following shows the multicast entries learned through IGMP snooping for VLAN 1. Console#show ip igmp snooping group vlan 1 Bridge Multicast Forwarding Entry Count:0 VLAN Group Source Port List -------- ---------------- ---------------- --------------------------------- 224.1.1.12 Eth 1/12(S) 224.1.1.12...
Chapter 20 | Multicast Filtering Commands Static Multicast Routing Static Multicast Routing This section describes commands used to configure static multicast routing on the switch. Table 102: Static Multicast Interface Commands Command Function Mode ip igmp snooping vlan Adds a multicast router port mrouter show ip igmp snooping Shows multicast router ports...
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Example The following shows how to configure port 11 as a multicast router port within VLAN 1: Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 Console(config)# IGMP Filtering and Throttling In certain switch applications, the administrator may want to control the multicast services that are available to end users.
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage ◆ IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses;...
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling permit, deny This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number. Syntax {permit | deny} Default Setting Deny Command Mode IGMP Profile Configuration Command Usage ◆...
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#range 239.1.1.1 Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100 Console(config-igmp-profile)# ip igmp filter This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. (Interface Configuration) Syntax [no] ip igmp filter profile-number...
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Default Setting Command Mode Interface Configuration (Ethernet) Command Usage ◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions;...
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ip igmp max-groups action replace Console(config-if)# show ip igmp filter This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port unit - Unit identifier.
Chapter 20 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Privileged Exec Example Console#show ip igmp profile IGMP Profile 19 IGMP Profile 50 Console#show ip igmp profile 19 IGMP Profile 19 Deny Range 239.1.1.1 239.1.1.1 Range 239.2.3.1 239.2.3.100 Console# show ip igmp throttle This command displays the interface settings for IGMP throttling.
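The following added example (not the switch's own code) models how the IGMP filtering and throttling commands of this section combine when a port receives a sequence of IGMP joins: a profile created with `ip igmp profile`, `permit`/`deny` and `range`, bound to a port with `ip igmp filter`, and a group limit with `ip igmp max-groups` and `ip igmp max-groups action {deny | replace}`. It reproduces the manual's profile 19 as its sample data. The manual does not say which existing membership is replaced when the action is `replace`; this example evicts the oldest join, which is an assumption. The group addresses and join sequence are constructed.

```python
import ipaddress
from collections import OrderedDict


class IgmpProfile:
    """Mirrors `ip igmp profile N` with `permit`/`deny` and `range` entries."""

    def __init__(self, number: int, mode: str = "deny"):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def range(self, start: str, end: str = None):
        """Add a single address (end omitted) or an inclusive range."""
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end or start))
        if not (224 <= lo >> 24 <= 239) or not (224 <= hi >> 24 <= 239) or hi < lo:
            raise ValueError("range must be valid multicast addresses, low first")
        self.ranges.append((lo, hi))

    def allows(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        listed = any(lo <= g <= hi for lo, hi in self.ranges)
        # permit: only listed groups pass; deny: listed groups are blocked
        return listed if self.mode == "permit" else not listed


class IgmpPort:
    """`ip igmp filter`, `ip igmp max-groups N` and `ip igmp max-groups action`."""

    def __init__(self, profile: IgmpProfile = None, max_groups: int = None,
                 action: str = "deny"):
        if action not in ("deny", "replace"):
            raise ValueError("action must be deny or replace")
        self.profile, self.max_groups, self.action = profile, max_groups, action
        self.groups = OrderedDict()          # insertion order = join order

    def join(self, group: str) -> str:
        """Process an IGMP join; return what the port did with it."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                # profile check comes first
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"
            # replace: assumption for this example, evict the oldest group
            evicted, _ = self.groups.popitem(last=False)
            self.groups[group] = True
            return "replaced " + evicted
        self.groups[group] = True
        return "joined"

    def leave(self, group: str) -> bool:
        return self.groups.pop(group, None) is not None


def manual_profile_19() -> IgmpProfile:
    """The manual's example: profile 19, deny, 239.1.1.1 and 239.2.3.1-100."""
    p = IgmpProfile(19, "deny")
    p.range("239.1.1.1")
    p.range("239.2.3.1", "239.2.3.100")
    return p
```

Note the order of checks: the profile is consulted before the throttle, so a denied group never consumes one of the port's `max-groups` slots, and a `replace` action cannot be used by a subscriber to push a denied group onto the port.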
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Multicast VLAN Registration This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Default Setting MVR is disabled. No MVR group address is defined. MVR VLAN ID is 1. Command Mode Global Configuration Command Usage ◆ Use the mvr group command to statically configure all multicast group addresses that will join the MVR VLAN.
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration ◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN.
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Command Usage ◆ Multicast groups can be statically assigned to a receiver port using this command. ◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration MVR VLAN. Or use the members keyword to display information about multicast groups assigned to the MVR VLAN. Example The following shows the global MVR settings: Console#show mvr MVR Config Status : Enabled MVR Running Status : Active...
Chapter 20 | Multicast Filtering Commands Multicast VLAN Registration Table 106: show mvr interface - display description (Continued) Field Description Immediate Leave Shows if immediate leave is enabled or disabled. Static Group Address Shows any static MVR group assigned to an interface, and the receiver VLAN.
LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
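As an added example (not code from the manual or the switch vendor), the following Python encodes and decodes the TLV structure of an LLDPDU as laid out in IEEE 802.1AB: a 7-bit type and 9-bit length header, the mandatory Chassis ID, Port ID and TTL TLVs in that order, optional TLVs such as System Name, an organizationally specific TLV (type 127) carrying the 802.1 Port VLAN ID that the `lldp dot1-tlv pvid` command advertises, and the End of LLDPDU TLV. The TTL helper multiplies the holdtime multiplier by the transmit interval and caps at 65535 as 802.1AB specifies; the default values 4 and 30 seconds used in the sample are the 802.1AB defaults and are an assumption for this product. The LLDPDU is constructed, not captured.

```python
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYS_NAME, TLV_SYS_DESC, TLV_SYS_CAP = 4, 5, 6, 7
TLV_ORG_SPECIFIC = 127
OUI_IEEE_8021 = bytes.fromhex("0080c2")          # 802.1 organizationally specific TLVs


def lldp_ttl(holdtime_multiplier: int, tx_interval: int) -> int:
    """TTL carried in the TTL TLV: multiplier x interval, capped at 16 bits."""
    return min(65535, holdtime_multiplier * tx_interval)


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type is 7 bits and length is 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu: bytes):
    """Return a list of (type, value) tuples up to the End of LLDPDU TLV.
    A truncated TLV raises so a malformed neighbour advertisement is
    rejected outright instead of being partially trusted."""
    tlvs, i = [], 0
    while i + 2 <= len(pdu):
        hdr = struct.unpack("!H", pdu[i:i + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        if i + 2 + length > len(pdu):
            raise ValueError("truncated TLV at offset %d" % i)
        value = pdu[i + 2:i + 2 + length]
        i += 2 + length
        if tlv_type == TLV_END:
            return tlvs
        tlvs.append((tlv_type, value))
    raise ValueError("missing End of LLDPDU TLV")


def decode_neighbor(pdu: bytes) -> dict:
    """Extract the mandatory TLVs (validating their order) and a few
    optional ones into a dict suitable for a neighbour table entry."""
    tlvs = parse_lldpdu(pdu)
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first")
    if len(tlvs[0][1]) < 2 or len(tlvs[1][1]) < 2 or len(tlvs[2][1]) < 2:
        raise ValueError("mandatory TLV too short")
    info = {
        "chassis_id_subtype": tlvs[0][1][0], "chassis_id": tlvs[0][1][1:],
        "port_id_subtype": tlvs[1][1][0], "port_id": tlvs[1][1][1:],
        "ttl": struct.unpack("!H", tlvs[2][1][:2])[0],
    }
    for t, v in tlvs[3:]:
        if t == TLV_SYS_NAME:
            info["system_name"] = v.decode("utf-8", "replace")
        elif t == TLV_SYS_DESC:
            info["system_description"] = v.decode("utf-8", "replace")
        elif t == TLV_ORG_SPECIFIC and len(v) >= 4:
            # (OUI, subtype, payload); 00-80-C2 subtype 1 is Port VLAN ID
            info.setdefault("org_specific", []).append((v[:3].hex(), v[3], v[4:]))
    return info


def build_sample_pdu(holdtime_multiplier: int = 4, tx_interval: int = 30) -> bytes:
    """Constructed LLDPDU: MAC-address chassis ID (subtype 4), interface-name
    port ID (subtype 5), TTL, system name, PVID 1, end marker."""
    return b"".join([
        encode_tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("001122334455")),
        encode_tlv(TLV_PORT_ID, b"\x05" + b"Eth1/1"),
        encode_tlv(TLV_TTL, struct.pack("!H", lldp_ttl(holdtime_multiplier, tx_interval))),
        encode_tlv(TLV_SYS_NAME, b"Console"),
        encode_tlv(TLV_ORG_SPECIFIC, OUI_IEEE_8021 + b"\x01" + struct.pack("!H", 1)),
        encode_tlv(TLV_END, b""),
    ])
```

`decode_neighbor(build_sample_pdu())` yields a TTL of 120 seconds; a neighbour whose TTL expires without a refresh is aged out of the remote table, which is why the multiplier is normally set above 1. The parser's strictness (ordered mandatory TLVs, hard failure on truncation) matters because LLDP is unauthenticated and received from whatever is plugged into the port.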
Chapter 21 | LLDP Commands Table 108: LLDP Commands (Continued) Command Function Mode lldp basic-tlv Configures an LLDP-enabled port to advertise the system-description system description lldp basic-tlv Configures an LLDP-enabled port to advertise its system-name system name Configures an LLDP-enabled port to advertise the lldp dot1-tlv proto-ident supported protocols Configures an LLDP-enabled port to advertise port...
Chapter 21 | LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
Chapter 21 | LLDP Commands lldp med-fast-start-count This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count packets - Number of packets.
Chapter 21 | LLDP Commands ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables.
lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs.
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-capabilities...
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
Command Usage This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 413). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-vid Console(config-if)# lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 403 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 415. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv vlan-name Console(config-if)# lldp dot3-tlv link-agg...
Command Usage Refer to “Frame Size” on page 89 for information on configuring the maximum frame size for this switch. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities.
lldp med-location civic-addr This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. Syntax lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code –...
Table 109: LLDP MED Location CA Types (Continued)
Group of streets below the neighborhood level - CA value example: Exchange
Street suffix or type - CA value example: Avenue
House number
House number suffix
Landmark or vanity address - CA value example: Tech Center
Unit (apartment, suite) - CA value example: Apt 519...
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp med-tlv ext-poe Console(config-if)# lldp med-tlv inventory This command configures an LLDP-MED-enabled port to advertise its inventory identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv inventory Default Setting Enabled Command Mode...
Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv location Console(config-if)# lldp med-tlv med-cap This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature. Syntax [no] lldp med-tlv med-cap Default Setting Enabled Command Mode...
Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv network-policy Console(config-if)# lldp notification This command enables the transmission of SNMP trap notifications about LLDP changes. Use the no form to disable LLDP notifications. Syntax [no] lldp notification Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel)
LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name System Description : EX-3524 Managed POE/POE+ Switch System Capabilities Support : Bridge System Capabilities Enabled : Bridge Management Address : 192.168.0.101 (IPv4)...
LLDP Port Information Port PortID Type PortID Port Description -------- ---------------- ----------------- -------------------------------- Eth 1/1 MAC Address 00-1A-7E-AC-2B-13 Ethernet Port on unit 1, port 1 Eth 1/2 MAC Address 00-1A-7E-AC-2B-14 Ethernet Port on unit 1, port 2 Eth 1/3 MAC Address 00-1A-7E-AC-2B-15 Ethernet Port on unit 1, port 3...
Port ID Type : MAC Address Port ID : 70-72-CF-95-DC-48 System Name System Description : EX-3524 Managed POE/POE+ Switch Port Description : Ethernet Port on unit 1, port 2 System Capabilities Supported : Bridge System Capabilities Enabled : Bridge Remote Management Address: 192.168.0.2 (IPv4)
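The TLV encoding introduced at the start of this chapter, and the local and remote device fields that show lldp info prints above, as an added worked example that is not part of this manual or the switch firmware. The Python below builds a constructed LLDPDU carrying the same kinds of fields (chassis ID, port ID, TTL, port and system description, system name, capabilities, management address) and decodes it again. The MAC addresses, the system name core-sw-1 and the ifIndex 1001 are made up for the example. The parser stops at the End-of-LLDPDU TLV and rejects any TLV whose declared length runs past the frame, which is the check a receiver on an untrusted link needs before acting on a neighbor's advertisement. Running it also makes concrete what anyone on the broadcast domain learns from these frames: device model, software description and management IP address.

```python
"""Build and parse an LLDPDU (IEEE 802.1AB TLV stream).

Added example: not part of this manual or the switch firmware. The frame
contents are constructed to resemble the `show lldp info` output above.
"""
import ipaddress
import struct

# TLV type codes from IEEE 802.1AB-2009, clause 8.
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 4, 5, 6
TLV_SYSTEM_CAP, TLV_MGMT_ADDR = 7, 8

# System capability bits; chassis ID subtype 4 and port ID subtype 3 mean "MAC address".
CAP_BITS = {0: "other", 1: "repeater", 2: "bridge", 3: "wlan-ap",
            4: "router", 5: "telephone", 6: "docsis", 7: "station"}
MAC_SUBTYPE = {TLV_CHASSIS_ID: 4, TLV_PORT_ID: 3}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_sample_lldpdu():
    """Constructed LLDPDU; the MACs, name and address are made up for the example."""
    chassis_mac = bytes.fromhex("000102030405")
    port_mac = bytes.fromhex("001a7eac2b13")
    mgmt_ip = ipaddress.IPv4Address("192.168.0.101").packed
    # Management address TLV: address string length (subtype + address), subtype 1 = IPv4,
    # the address, interface numbering subtype 2 = ifIndex, the ifIndex, OID length 0.
    mgmt = b"\x05\x01" + mgmt_ip + b"\x02" + struct.pack("!I", 1001) + b"\x00"
    return b"".join([
        tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac),
        tlv(TLV_PORT_ID, b"\x03" + port_mac),
        tlv(TLV_TTL, struct.pack("!H", 120)),  # tx interval 30 s * holdtime-multiplier 4
        tlv(TLV_PORT_DESC, b"Ethernet Port on unit 1, port 1"),
        tlv(TLV_SYSTEM_NAME, b"core-sw-1"),
        tlv(TLV_SYSTEM_DESC, b"EX-3524 Managed POE/POE+ Switch"),
        tlv(TLV_SYSTEM_CAP, struct.pack("!HH", 0x0014, 0x0004)),  # supported bridge+router, enabled bridge
        tlv(TLV_MGMT_ADDR, mgmt),
        tlv(TLV_END, b""),
    ])


def _caps(bits):
    return [name for bit, name in CAP_BITS.items() if bits >> bit & 1]


def parse_lldpdu(data):
    """Decode the TLV chain into a dict. Stops at End-of-LLDPDU and raises on a TLV
    whose declared length runs past the frame, instead of reading out of bounds."""
    out, offset = {}, 0
    while offset + 2 <= len(data):
        header, = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"TLV type {tlv_type}: length {length} overruns the PDU")
        value = data[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            break
        if tlv_type in MAC_SUBTYPE and len(value) >= 2:
            key = "chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"
            subtype, body = value[0], value[1:]
            out[key] = body.hex("-") if subtype == MAC_SUBTYPE[tlv_type] else body.decode("ascii", "replace")
        elif tlv_type == TLV_TTL and len(value) == 2:
            out["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in (TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC):
            key = {TLV_PORT_DESC: "port_description", TLV_SYSTEM_NAME: "system_name",
                   TLV_SYSTEM_DESC: "system_description"}[tlv_type]
            out[key] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYSTEM_CAP and len(value) == 4:
            supported, enabled = struct.unpack("!HH", value)
            out["capabilities_supported"] = _caps(supported)
            out["capabilities_enabled"] = _caps(enabled)
        elif tlv_type == TLV_MGMT_ADDR and len(value) >= 2:
            addr_len, subtype = value[0], value[1]
            addr = value[2:1 + addr_len]
            if subtype == 1 and len(addr) == 4:
                out["management_address"] = str(ipaddress.IPv4Address(addr))
            elif subtype == 2 and len(addr) == 16:
                out["management_address"] = str(ipaddress.IPv6Address(addr))
        # Organizationally specific (type 127) and unrecognized TLVs are skipped, as 802.1AB requires.
    return out


def is_well_formed(data):
    """True when every TLV fits inside the frame."""
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for field, val in parse_lldpdu(build_sample_lldpdu()).items():
        print(f"{field:24} {val}")
```

Everything the parser prints is available to any station on the same link, which is the reason to review lldp admin-status on ports facing untrusted devices (rx-only keeps the switch's own inventory off the wire while still learning about the neighbor) and to keep the management address in a VLAN that edge ports cannot reach.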
show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. Syntax show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CDP Commands Cisco Discovery Protocol (CDP) is a proprietary protocol that discovers information about neighboring devices by passing messages across the Data Link Layer. It is used to share information about nearby network equipment. Participating devices send CDP announcements from each connected network interface to the multicast address 01-00-0C-CC-CC-CC.
Chapter 22 | CDP Commands cdp (Global Configuration) This command enables CDP globally on the switch. Use the no form to disable CDP. Syntax [no] cdp Default Setting Disabled Command Mode Global Configuration Example Console(config)#cdp Console(config)# cdp hold-time This command specifies the amount of time the receiving device should hold a CDP packet sent from this switch.
cdp transmit-interval This command specifies the periodic transmission interval for CDP advertisements. Use the no form to restore the default setting. Syntax cdp transmit-interval seconds no cdp transmit-interval seconds - The interval at which the switch sends CDP updates. (Range: 5-254 seconds) Default Setting 60 seconds...
cdp (Interface Configuration) This command enables CDP on the selected interface. Use the no form to disable CDP on the selected interface. Syntax [no] cdp Default Setting Disabled Command Mode Interface Configuration Example Console(config)#interface ethernet 1/1 Console(config-if)#cdp Console(config-if)# clear cdp table...
show cdp interface This command shows whether or not CDP is enabled on an interface. Syntax show cdp interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example...
Example Console#show cdp neighbors Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater Interface Version Device ID Hold Time Remain Time Capability Platform Port ID...
Domain Name Service Commands These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain-name-to-IP-address mapping table, default domain names can be configured, or one or more name servers can be specified for domain name to address translation.
Chapter 23 | Domain Name Service Commands Command Mode Global Configuration Command Usage ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS Enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands...
Related Commands ip domain-list (523) ip name-server (526) ip domain-lookup (524) ip host This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry. Syntax [no] ip host name address name - Name of an IPv4 host.
Default Setting None Command Mode Global Configuration Command Usage The listed name servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response. Example This example adds two domain-name servers to the list and then displays the list.
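The lookup order described under ip domain-list and ip name-server above, as an added example in Python that is not the switch's own code: a static ip host entry answers first; otherwise the bare name, and then the name with each domain-list entry appended in order, is sent to the name servers in their configured sequence until one answers. The name-server contents are a constructed in-memory table so the example runs offline; the addresses and domain list mirror the show dns output in this chapter, with the default domain placed first in the list. Treating a name that ends in a dot as absolute, and trying the bare name before any suffix, are assumptions of the example rather than statements from this manual. The returned attempt list shows how many queries, and to which servers, a single unresolvable name generates.

```python
"""DNS client lookup order of this chapter: static `ip host` entries, then the
`ip domain-list` suffixes, queried against the `ip name-server` list in order.

Added example; not the switch's code. Name-server answers come from a
constructed in-memory table so the example runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class DnsClientConfig:
    lookup_enabled: bool = True                          # ip domain-lookup
    domain_list: list = field(default_factory=list)      # ip domain-list, in the order added
    name_servers: list = field(default_factory=list)     # ip name-server, in query order
    static_hosts: dict = field(default_factory=dict)     # ip host name address


# Constructed zone data: server address -> {fully qualified name: IPv4}. A name
# missing from a server's table is treated like no response from that server.
FAKE_SERVERS = {
    "192.168.1.55": {"www.sample.com.": "203.0.113.10",
                     "ntp.sample.com.jp.": "203.0.113.20"},
    "10.1.0.55": {"www.sample.com.": "203.0.113.10",
                  "intranet.sample.com.uk.": "198.51.100.5"},
}


def query(server, fqdn):
    """Stand-in for a real UDP/53 query; returns the address or None."""
    return FAKE_SERVERS.get(server, {}).get(fqdn)


def candidate_names(name, domain_list):
    """Names to try, in order. A trailing dot marks an absolute name (assumption of this
    example); otherwise the bare name comes first, then each suffix from the list."""
    if name.endswith("."):
        return [name]
    return [name + "."] + [f"{name}.{d.strip('.')}." for d in domain_list]


def resolve(name, cfg):
    """Return (address, source, attempts). source is 'static', the answering server,
    or None. attempts lists every (server, fqdn) query that was sent, which is what
    an external name server sees of the switch's internal naming."""
    attempts = []
    if name in cfg.static_hosts:
        return cfg.static_hosts[name], "static", attempts
    if not cfg.lookup_enabled:
        return None, None, attempts
    for fqdn in candidate_names(name, cfg.domain_list):
        for server in cfg.name_servers:
            attempts.append((server, fqdn))
            answer = query(server, fqdn)
            if answer is not None:
                return answer, server, attempts
    return None, None, attempts


def sample_config():
    """Mirrors the `show dns` output in this chapter, plus one static host."""
    return DnsClientConfig(
        domain_list=["sample.com", "sample.com.jp", "sample.com.uk"],
        name_servers=["192.168.1.55", "10.1.0.55"],
        static_hosts={"rd5": "192.168.1.55"},
    )


if __name__ == "__main__":
    cfg = sample_config()
    for host in ("rd5", "www", "intranet", "tfpt-server"):
        addr, src, tried = resolve(host, cfg)
        print(f"{host:12} -> {addr} via {src}; {len(tried)} queries sent")
```

With three suffixes and two servers, a mistyped short name such as tfpt-server produces eight queries, each carrying one of the internal domain names, before it fails. That is worth keeping in mind when the name-server list includes a server outside the organization, and it is a reason to prefer ip host entries or fully qualified names for hosts referenced in management commands such as copy and logging host.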
Command Mode Global Configuration Example This example maps an IPv6 address to a host name. Console(config)#ipv6 host rd6 2001:0db8:1::12 Console(config)#end Console#show hosts Flag Type IP Address Domain ---- ---- ------- -------------------- ----- ------------------------------- 2 Address 192.168.1.55 2 Address 2001:DB8:1::12 Console#...
Example This example clears all dynamic entries from the DNS table. Console(config)#clear host * Console(config)# show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name:...
Table 113: show dns cache - display description (Continued)
IP Address - The IP address associated with this record.
The time to live reported by the name server.
Domain - The host name associated with this record.
show hosts This command displays the static host name-to-address mapping table.
DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions. Table 115: DHCP Commands Command Group Function DHCP Client Allows interfaces to dynamically acquire IP address information DHCP Client Use the commands in this section to allow the switch’s VLAN interfaces to dynamically acquire IP address information.
- A text string. (Range: 1-32 characters) hex - A hexadecimal value. (Range: 1-64 characters) Default Setting Class identifier option enabled, with the name Motorola Solutions Inc. Command Mode Interface Configuration (VLAN) Command Usage ◆...
Chapter 24 | DHCP Commands DHCP for IPv4 Command Mode Privileged Exec Command Usage ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
DHCP for IPv6 ipv6 dhcp client rapid-commit vlan This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Command Mode Privileged Exec Command Usage ◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
Related Commands ipv6 address (550) show ipv6 dhcp duid This command shows the DHCP Unique Identifier for this switch. Command Mode Privileged Exec Command Usage ◆ DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.
IP Interface Commands An IP Version 4 or Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
Chapter 25 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch. Table 119: Basic IP Configuration Commands Command Function Mode ip address Sets the IP address for the current interface ip default-gateway Defines the default gateway through which this router can reach other subnetworks...
attached and the router’s host number on that network. In other words, a router interface address defines the network and subnetwork numbers of the segment that is connected to that interface, and allows you to send IP packets to or from the router.
Related Commands ip dhcp restart client (532) ip default-gateway (540) ipv6 address (550) ip default-gateway This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway...
Related Commands ip address (538) ip route (574) ipv6 default-gateway (549) show ip interface This command displays the settings of an IPv4 interface. Command Mode Privileged Exec Example Console#show ip interface Vlan 1 is Administrative Up - Link Up Address is 00-E0-0C-00-00-FD Index: 1001, MTU: 1500, Bandwidth: 1g Address Mode is DHCP...
◆ A trace terminates when the destination responds, when the probe timeout is exceeded, or when the maximum number of hops (the largest TTL value) is reached. ◆ The traceroute command first sends probe datagrams with the TTL value set at one.
Default Setting count: 5 size: 32 bytes Command Mode Normal Exec, Privileged Exec Command Usage ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: Normal response - The normal response occurs in one to ten seconds, ■...
ARP Configuration This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch. Table 120: Address Resolution Protocol Commands
arp - Adds a static entry in the ARP cache
ip proxy-arp - Enables proxy ARP service
clear arp-cache...
Example Console(config)#arp 10.1.0.19 01-02-03-04-05-06 Console(config)# Related Commands clear arp-cache (547) show arp (547) ip proxy-arp This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP. Syntax [no] ip proxy-arp Default Setting Disabled...
clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache.
IPv6 Interface This switch supports the following IPv6 interface commands. Table 121: IPv6 Configuration Commands
Interface Address Configuration and Utilities
ipv6 default-gateway - Sets an IPv6 default gateway for traffic with no known next hop
ipv6 address - Configures an IPv6 global unicast address, and enables IPv6 on an interface...
Interface Address Configuration and Utilities ipv6 default-gateway This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway. Syntax ipv6 default-gateway ipv6-address no ipv6 default-gateway...
ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Global Unicast Address(es): 2001:DB8:2222:7272::72/96, subnet is 2001:DB8:2222:7272::/96 Joined Group Address(es): FF02::1:FF00:72 FF02::1:FF34:E63C FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console# Related Commands...
Example This example assigns a dynamic global unicast address to the switch. Console(config)#interface vlan 1 Console(config-if)#ipv6 address autoconfig Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is stale, AUTOCONFIG is enabled Link-Local Address: FE80::2E0:CFF:FE00:FD/64 Global Unicast Address(es):...
Command Usage ◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Joined Group Address(es): FF02::1:FF00:72 FF02::1:FF34:E63C FF02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3 ND retransmit interval is 1000 milliseconds ND reachable time is 30000 milliseconds Console# Related Commands ipv6 address autoconfig (551)
Example This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269. Console(config)#interface vlan 1 Console(config-if)#ipv6 address FE80::269:3EF9:FE19:6779 link-local Console(config-if)#end...
◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console. ◆ The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.
Command Usage ◆ The maximum value set by this command cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes. ◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
show ipv6 interface This command displays the usability and configured settings for IPv6 interfaces. Syntax show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]] brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
Table 122: show ipv6 interface - display description (Continued)
Link-local address - Shows the link-local address assigned to this interface
Global unicast address(es) - Shows the global unicast address(es) assigned to this interface
Joined group - In addition to the unicast addresses assigned to an interface, a host is also...
Example The following example shows the MTU cache for this device: Console#show ipv6 mtu Since Destination Address 1400 00:04:21 5000:1::3 1280 00:04:50 FE80::203:A0FF:FED6:141D Console# Table 123: show ipv6 mtu - display description Field Description Adjusted MTU contained in the ICMP packet-too-big message returned from this...
ICMPv6 Statistics: ICMPv6 received 0 input 0 errors 0 destination unreachable messages 0 packet too big messages 0 time exceeded messages 0 parameter problem message 0 echo request messages 0 echo reply messages 0 redirect messages 0 group membership query messages 0 group membership response messages...
Table 124: show ipv6 traffic - display description (Continued) Field Description address errors The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity.
Table 124: show ipv6 traffic - display description (Continued) Field Description generated fragments The number of output datagram fragments that have been generated as a result of fragmentation at this output interface. fragment succeeded The number of IPv6 datagrams that have been successfully fragmented at this output interface.
Table 124: show ipv6 traffic - display description (Continued)
destination unreachable messages - The number of ICMP Destination Unreachable messages sent by the interface.
packet too big messages - The number of ICMP Packet Too Big messages sent by the interface.
time exceeded messages - The number of ICMP Time Exceeded messages sent by the interface.
ping6 This command sends (IPv6) ICMP echo request packets to another node on the network. Syntax ping6 {ipv6-address | host-name} [count count] [size size] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,”...
Default Setting Command Mode Interface Configuration (VLAN) Command Usage ◆ Configuring a value of 0 disables duplicate address detection. ◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface. ◆...
FF02::1:FF00:79/104 FF02::1:FF90:0/104 MTU is 1500 bytes. ND DAD is enabled, number of DAD attempts: 5. ND retransmit interval is 1000 milliseconds Console# Related Commands ipv6 nd ns-interval (568) show ipv6 neighbors (570) ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface.
IPv6 is enabled. Link-local address: FE80::200:E8FF:FE90:0/64 Global unicast address(es): 2009:DB9:2229::79, subnet is 2009:DB9:2229:0::/64 Joined group address(es): FF01::1/16 FF02::1/16 FF02::1:FF00:79/104 FF02::1:FF90:0/104 MTU is 1500 bytes. ND DAD is enabled, number of DAD attempts: 5. ND retransmit interval is 30000 milliseconds ND router advertisements are sent every 30 seconds Console#...
Example The following sets the reachable time for a remote node to 1000 milliseconds: Console(config)#interface vlan 1 Console(config-if)#ipv6 nd reachable-time 1000 Console(config-if)# clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example...
Table 125: show ipv6 neighbors - display description
IPv6 Address - IPv6 address of neighbor
The time since the address was verified as reachable (in seconds). A static entry is indicated by the value “Permanent.”
Link-layer Addr - Physical layer MAC address.
IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks. However, to forward traffic to devices on other subnetworks, either configure fixed paths with static routing commands, or enable a dynamic routing protocol that exchanges information with other routers on the network to automatically...
Chapter 26 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip –...
show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database –...
show ip route database This command displays entries in the Routing Information Base (RIB). Command Mode Privileged Exec Command Usage The RIB contains all available routes learned through dynamic routing protocols, directly attached networks, and any additionally configured routes such as static routes.
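The relationship between the RIB that show ip route database lists and the FIB that show ip route lists, together with the distance argument of ip route, as an added Python example that is not the switch's code: every configured or connected route enters the RIB; the FIB keeps, for each prefix, the candidate with the lowest distance; a forwarding lookup takes the longest FIB prefix that contains the destination. The distance values (0 for a connected route, 1 as the default for a static route), the first-installed-wins tie rule and the addresses in the sample table are assumptions of the example, not statements from this manual.

```python
"""RIB vs FIB route selection for the `ip route` / `show ip route` commands.

Added example; not the switch's code. Connected routes get distance 0 and static
routes default to 1 (assumptions from common practice, not stated by this manual).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str      # "directly connected" for connected routes
    source: str        # "C" connected, "S" static
    distance: int


class RoutingTable:
    def __init__(self):
        self.rib = []  # every candidate route, as `show ip route database` would list

    def add_connected(self, prefix):
        """Route created when an IP address is configured on an interface."""
        self.rib.append(Route(ipaddress.ip_network(prefix), "directly connected", "C", 0))

    def add_static(self, dest, mask, next_hop, distance=1):
        """ip route destination-ip netmask next-hop [distance]"""
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        self.rib.append(Route(net, next_hop, "S", distance))

    def remove_static(self, dest, mask, next_hop):
        """no ip route destination-ip netmask next-hop"""
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        self.rib = [r for r in self.rib
                    if not (r.source == "S" and r.prefix == net and r.next_hop == next_hop)]

    def fib(self):
        """Routes actually used for forwarding, as `show ip route` shows: one per prefix,
        lowest distance winning (first installed wins a tie), sorted longest prefix first."""
        best = {}
        for r in self.rib:
            cur = best.get(r.prefix)
            if cur is None or r.distance < cur.distance:
                best[r.prefix] = r
        return sorted(best.values(), key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, dest_ip):
        """Longest-prefix match over the FIB; None means no route (the packet is dropped)."""
        ip = ipaddress.ip_address(dest_ip)
        for r in self.fib():
            if ip in r.prefix:
                return r
        return None


def sample_table():
    """Constructed table: connected VLAN 1 subnet, a default route, a primary and a
    backup (higher distance) static route for 10.1.0.0/16, and a more specific /24."""
    rt = RoutingTable()
    rt.add_connected("192.168.1.0/24")
    rt.add_static("0.0.0.0", "0.0.0.0", "192.168.1.254")
    rt.add_static("10.1.0.0", "255.255.0.0", "192.168.1.1")
    rt.add_static("10.1.0.0", "255.255.0.0", "192.168.1.2", distance=5)
    rt.add_static("10.1.7.0", "255.255.255.0", "192.168.1.3")
    return rt


if __name__ == "__main__":
    rt = sample_table()
    print(f"RIB has {len(rt.rib)} routes, FIB has {len(rt.fib())}")
    for dest in ("10.1.7.9", "10.1.8.9", "8.8.8.8", "192.168.1.20"):
        r = rt.lookup(dest)
        print(f"{dest:14} -> {r.prefix} via {r.next_hop} [{r.source}/{r.distance}]")
```

The point for configuration review is that the two views differ: the backup route to 192.168.1.2 is present in the RIB but absent from the FIB until the primary is removed, and a more specific static prefix overrides a broader one regardless of distance. When verifying that management or syslog traffic leaves through the intended next hop, check show ip route for what is actually in effect and show ip route database for what will take over if that route disappears.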
Section I Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 579 ◆ “License Information” on page 581 ◆ “Customer Support” on page 593
Troubleshooting Problems Accessing the Management Interface Table 205: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software.
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch.
◆...
Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
GNU Lesser General Public License, version 3.0 Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library"...
Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Open Source Software Used Motorola's Support Central Web site, located at http://supportcentral.motorolasolutions.com/ provides information and online assistance including developer tools, software downloads, product manuals, support contact information and online repair requests.
ISC License WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. SNMP License (netsnmp5.1) Various copyrights apply to this package, listed in various separate parts below.
---- Part 3: Cambridge Broadband Ltd. copyright notice (BSD) ----- Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and...
---- Part 5: Sparta, Inc copyright notice (BSD) ----- Copyright (c) 2003-2009, Sparta, Inc All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
---- Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD) ----- Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003 oss@fabasoft.com Author: Bernhard Penz Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and...
---- Part 9: ScienceLogic, LLC copyright notice (BSD) ----- Copyright (c) 2009, ScienceLogic, LLC All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
◆ Software type and version number

Motorola Solutions responds to calls by e-mail, telephone or fax within the time limits set forth in support agreements. If you purchased your product from a Motorola Solutions business partner, contact that business partner for support.
Glossary

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.

DiffServ
Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.

GMRP
Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.

GVRP
GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.

IGMP
Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the "querier" and assumes responsibility for keeping track of group membership.

MD5
Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32 bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.

Port Authentication
See IEEE 802.1X.

Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.

SNTP
SNTP allows a device to set its internal clock based on periodic Simple Network Time Protocol updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.

SSH
Secure Shell is a secure replacement for remote access functions, including Telnet.

XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Index of CLI Commands

aaa accounting dot1x
aaa accounting exec
aaa accounting update
aaa authorization exec
aaa group server
absolute
access-list arp
access-list ip
...
clear ipv6 neighbors
clear ipv6 traffic
clear log
clear mac-address-table dynamic
clear network-access
clock summer-time
clock timezone
clock timezone-predefined
cluster
cluster commander
...
enable password
exec-timeout
exit
flow tcp-udp-port-zero
flowcontrol
...
ip igmp snooping router-port-expire-time
ip igmp snooping tcn-flood
ip igmp snooping tcn-query-solicit
ip igmp snooping unregistered-data-flood
ip igmp snooping unsolicited-report-interval
ip igmp snooping version
ip igmp snooping version-exclusive
ip igmp snooping vlan general-query-suppression
ip igmp snooping vlan immediate-leave
...
lacp port-priority
lacp system-priority
line
lldp
lldp admin-status
lldp basic-tlv management-ip-address
lldp basic-tlv port-description
lldp basic-tlv system-capabilities
lldp basic-tlv system-description
lldp basic-tlv system-name
lldp dot1-tlv proto-ident
...
mvr type
mvr vlan group
name
negotiation
network-access aging
network-access dynamic-qos
network-access dynamic-vlan
network-access guest-vlan
...
qos map dscp-mutation
qos map phb-queue
qos map trust-mode
queue mode
queue weight
quit
...
show flow
show garp timer
show gvrp configuration
show history
show hosts
show interfaces brief
show interfaces counters
show interfaces protocol-vlan protocol-group
show interfaces status
show interfaces switchport
...
show mac-vlan
show management
show memory
show mvr
show network-access
show network-access mac-address-table
show network-access mac-filter
show nlm oper-status
...
snmp-server community
snmp-server contact
snmp-server enable port-traps atc broadcast-alarm-clear
snmp-server enable port-traps atc broadcast-alarm-fire
snmp-server enable port-traps atc broadcast-control-apply
...