Introduction This document describes command-line interface (CLI) commands you use to view and configure the CN1610 software. You can access the CLI by using a direct connection to the serial port or by using Telnet or SSH over a remote network connection.
About This Document Provide a complete device management portfolio to the network administrator. Scope FASTPATH software encompasses both hardware and software support. The software is partitioned to run in the following processors: This code runs the networking device management portfolio and controls the overall networking device hardware.
“Common Parameter Values” on page 10 “Slot/Port Naming Convention” on page 12 “Using the no Form of a Command” on page 14 “CN1610 Software Modules” on page 15 “Command Modes” on page 16 “Command Completion and Abbreviation” on page 22 “CLI Error...
[gateway] is an optional parameter, so you are not required to enter a value in place of the parameter. The NetApp CN1610 Network Switch CLI Command Reference lists each command by the command name and provides a brief description of the command. Each command reference also contains the following information: Format shows the command keywords and the required and optional parameters.
Command Conventions The parameters for a command might include mandatory values, optional values, or keyword choices. Parameters are order-dependent. The following Parameter Conventions table describes the conventions this document uses to distinguish between value types:
Symbol | Example | Description
[] square brackets | [value] | Indicates an optional parameter.
Common Parameter Values Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (““) are not valid user-defined strings.
Parameter | Description
Character strings | Use double quotation marks to identify character strings, for example, “System Name with Spaces”. An empty string (“”) is not valid.
Slot/Port Naming Convention FASTPATH software references physical entities such as cards and ports by using a slot/port naming convention. The FASTPATH software also uses this convention to identify certain logical entities, such as Port-Channel interfaces. The slot number has two uses. In the case of physical ports, it identifies the card containing the ports.
Port Type Description CPU ports CPU ports are handled by the driver as one or more physical entities located on physical slots. Note In the CLI, loopback and tunnel interfaces do not use the slot/port format. To specify a loopback interface, use the loopback ID. To specify a tunnel interface, use the tunnel ID.
Using the no Form of a Command The no keyword is a specific form of an existing command and does not represent a new or distinct command. Almost every configuration command has a no form. In general, use the no form to reverse the action of a command or reset a value back to the default.
CN1610 Software Modules The CN1610 software consists of flexible modules that can be applied in various combinations to develop advanced Layer 2/3/4+ products. The commands and command modes available on your switch depend on the installed modules. Additionally, for some...
Command Modes The CLI groups commands into modes according to the command function. Each of the command modes supports specific CN1610 software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
Command Mode Prompt Mode Description Interface Config Manages the operation (CN1610) (Interface slot/port)# of an interface and provides access to the router interface (CN1610) (Interface configuration Loopback id)# commands. Use this mode to set up (CN1610) (Interface a physical port for a...
Command Mode | Prompt | Mode Description
Line Telnet | (CN1610) (config-telnet)# | Contains commands to configure Telnet login/enable authentication.
AAA IAS User Config | (CN1610) (Config-IAS-User)# | Allows password configuration for a user in the IAS database.
Mail Server Config Allows configuration of...
Command Mode | Prompt | Mode Description
TACACS Config | (CN1610) (Tacacs)# | Contains commands to configure properties for the TACACS servers.
DHCPv6 Pool Config | (CN1610) (Config dhcp6-pool)# | Contains the DHCPv6 server IPv6 address pool configuration commands.
ARP Access-List | (CN1610) (Config-... | Contains commands to
Command Mode Prompt Mode Description Interface Config From the Global Config To exit to the Global mode, enter: Config mode, enter . To return to the exit slot/port or interface Privileged EXEC interface loopback id mode, enter Ctrl-Z. interface tunnel id interface slot/port(startrange)- slot/port(endrange)
Command Mode Prompt Mode Description Class-Map From the Global Config To exit to the Global Config mode, enter Config mode, enter , and specify the . To return to the class-map exit optional keyword Privileged EXEC ipv4 specify the Layer 3 protocol mode, enter Ctrl-Z for this class.
Command Completion and Abbreviation Command completion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. Once you have entered enough letters, press the SPACEBAR or TAB key to complete the word. Command abbreviation allows you to execute a command when you have entered enough letters to uniquely identify the command.
CLI Error Messages If you enter a command and the system is unable to execute it, an error message appears. The following table describes the most common CLI error messages: Message Text Description % Invalid input detected at '^' marker. Indicates that you entered an incorrect or unavailable command.
CLI Line-Editing Conventions The following CLI editing conventions table describes the key combinations you can use to edit commands or increase the speed of command entry. You can access this list from the CLI by entering help from the User or Privileged EXEC modes.
Key Sequence Description List available commands, keywords, or parameters. Chapter 2: Using the Command-Line Interface...
Select DHCP, BootP, or None as the network config protocol. If the help output shows a parameter in angle brackets, you must replace the parameter with a value:
(CN1610)#network parms ?
<ipaddr> Enter the IP address.
If there are no additional command keywords or parameters, or if additional parameters are optional, the following message appears in the output:
<cr>...
You can also enter a question mark (?) after typing one or more characters of a word to list the available commands or parameters that begin with the letters, as shown in the following example:
(CN1610) #show m?
mac-addr-table mac-address-table...
Accessing the CLI You can access the CLI by using a direct console connection or by using a Telnet or SSH connection from a remote management host. For the initial connection, you must use a direct connection to the console port. You cannot access the system remotely until the system has an IP address, subnet mask, and default gateway.
Management Commands About this chapter This chapter describes the management commands available with the CN1610 CLI. Topics in this chapter This chapter includes the following sections: “Access Commands” on page 30 “Configuration Scripting Commands” on page 32 “Console Port Access Commands”...
Access Commands Introduction Use the commands in this section to close remote connections or to view information about connections to the system. disconnect This command closes HTTP, HTTPS, Telnet, or SSH sessions. Use all to close all active sessions, or use to specify the session ID to close.
This command displays the complete user names of the users currently logged in to the switch.
Format show loginsession long
Mode Privileged EXEC
Example: The following shows an example of the command:
(CN1610) #show loginsession long
User Name
------------
admin
test1111test1111test1111test1111test1111test1111test1111test1111
Configuration Scripting Commands Introduction Configuration scripting allows you to generate text-formatted script files representing the current configuration of a system. You can upload these configuration script files to a PC or UNIX system and edit them. Then, you can download the edited files to the system and apply the new configuration. You can apply configuration scripts to one or more switches with no or minor modifications.
Note To specify a blank password for a user in the configuration script, you must specify it as a space within quotes. For example, to change the password for user jane from a blank password to hello, the script entry is as follows: users passwd jane "...
Output | Description
Size | The size of the script, in bytes.
Example: The following shows sample output from this command:
(CN1610) #script list
Configuration Script Name   Size(Bytes)
--------------------------- ------------
runconfig-17Jan.scr         2586
1 configuration script(s) found.
2045 Kbytes free.
script show This command displays the contents of a script file, which is called a...
Mode Global Config Parameter Description Console terminal line. console Virtual terminal for remote console access (Telnet). telnet Virtual terminal for secured remote console access (SSH). Example: The following example shows a CLI display: (CN1610)(config)#line telnet (CN1610)(config-telnet)# Chapter 3: Management Commands...
serial baudrate This command specifies the communication rate of the terminal interface. The supported rates are 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200.
Default 9600
Format serial baudrate {1200 | 2400 | 4800 | 9600 | 19200 | 38400 | 57600 | 115200}
Mode Line Config
no serial baudrate...
Parity Type | The Parity Type used on the Serial Port. The Parity Type is always None.
Example: The following shows sample output from this command:
(CN1610) >show serial
Serial Port Login Timeout (minutes).... 5
Baud Rate (bps)........ 9600
Character Size (bits)......8
Flow Control........
Management Security Commands Introduction This section describes commands you use to generate keys and certificates, which you can do in addition to loading them as before. crypto key generate This command generates a DSA key pair for SSH. The new key files will overwrite any existing generated or downloaded DSA key files.
Network Interface Commands Introduction This section describes the commands you use to configure a logical interface for management access. To configure the management VLAN, see “network mgmt_vlan” on page 427. enable (Privileged EXEC access) This command gives you access to the Privileged EXEC mode. From the Privileged EXEC mode, you can configure the network interface.
network parms This command sets the IP address, subnet mask, and gateway of the device. The IP address and the gateway must be on the same subnet. You can specify the none option to clear the IPv4 address and mask and the default gateway (that is, to reset each of these values to 0.0.0.0).
network mac-type This command specifies whether the switch uses the burned-in MAC address or the locally-administered MAC address.
Default burnedin
Format network mac-type {local | burnedin}
Mode Privileged EXEC
no network mac-type This command resets the value of MAC address to its default.
Format no network mac-type...
Format show network Mode Privileged EXEC User EXEC Output Description The network interface status; it is always considered Interface Status to be The IP address of the interface. The factory default IP Address value is 0.0.0.0. The IP subnet mask for this interface. The factory Subnet Mask default value is 0.0.0.0.
Output | Description
Locally Administered MAC Address | If desired, a locally administered MAC address can be configured for in-band connectivity. To take effect, MAC Address Type must be set to Locally Administered. Enter the address as twelve hexadecimal digits (6 bytes) with a colon between each byte.
Example: The following shows example CLI display output for the network port:
(CN1610) #show network
Interface Status....... Always Up
IP Address........10.250.3.1
Subnet Mask........255.255.255.0
Default Gateway........ 10.250.3.3
IPv6 Administrative Mode....... Enabled
IPv6 Prefix is ........ fe80::210:18ff:fe82:64c/64
IPv6 Prefix is ........ 2003::1/128
IPv6 Default Router is ......
Pre-login Banner, System Prompt, and Host Name Commands Introduction This section describes the commands you use to configure the pre-login banner and the system prompt. The pre-login banner is the text that displays before you login at the User: prompt copy (pre-login This command includes the option to upload or download the CLI Banner to or banner)
hostname This command sets the system hostname. It also changes the prompt. The length may be up to 64 alphanumeric, case-sensitive characters.
Format hostname hostname
Mode Privileged EXEC
RADIUS Commands Introduction This section describes the commands you use to configure the switch to use a Remote Authentication Dial-In User Service (RADIUS) server on your network for authentication and accounting. authorization network radius This command enables the switch so it can accept VLAN assignment by the RADIUS server.
NAS-IP-Address attribute in RADIUS requests.
Format no radius server attribute 4 [ipaddr]
Mode Global Config
Example: The following shows an example of the command:
(CN1610)(Config) #radius server attribute 4 192.168.37.60
(CN1610)(Config) #radius server attribute 4
radius server host This command configures the IP address or DNS name to use for communicating with the RADIUS server of a selected server type. While configuring the IP address or DNS name for the authenticating or accounting servers, you can also configure the port number and server name.
Global Config
Example: The following shows an example of the command:
(CN1610)(Config) #radius server host acct 192.168.37.60
(CN1610)(Config) #radius server host acct 192.168.37.60 port 1813
(CN1610)(Config) #radius server host auth 192.168.37.60 name Network1_RS port 1813
(CN1610)(Config) #radius server host acct 192.168.37.60 name Network2_RS
(CN1610)(Config) #no radius server host acct 192.168.37.60...
Text-based configuration supports the RADIUS server’s secrets in encrypted and nonencrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the show running config command’s display, these secret keys are displayed in encrypted format.
no radius server msgauth The no version of this command disables the message authenticator attribute to be used for the specified RADIUS Authenticating server.
Format no radius server msgauth ipaddr|dnsname
Mode Global Config
radius server primary This command specifies a configured server that should be the primary server in the group of servers that have the same server name.
Mode Global Config
Parameter | Description
retries | The maximum number of transmission attempts in the range of 1 to 15.
no radius server retransmit The no version of this command sets the value of this global parameter to the default value.
Format no radius server retransmit
Mode Global Config
radius server...
Mode Global Config show radius This command displays the values configured for the global parameters of the RADIUS client. Format show radius Mode Privileged EXEC Output Description The number of RADIUS Authentication servers that Number of Configured have been configured. Authentication Servers The number of RADIUS Accounting servers that...
NAS-IP-Address attribute of RADIUS requests. Example: The following shows example CLI display output for the command: (CN1610) #show radius Number of Configured Authentication Servers..32 Number of Configured Accounting Servers..... 32 Number of Named Authentication Server Groups..15 Number of Named Accounting Server Groups....
RADIUS Attribute 4 Value | A global parameter that specifies the IP address to be used in the NAS-IP-Address attribute of RADIUS requests.
Example: The following shows example CLI display output for the command:
(CN1610)#show radius servers
Current Host Address Server Name Port Type
------- ---------------- ---------------------- ----- ----------
192.168.37.200...
Network2_RADIUS_Server Primary 192.168.37.202 Network3_RADIUS_Server Secondary 192.168.37.203 Network4_RADIUS_Server Primary (CN1610)#show radius servers name Default_RADIUS_Server Server Name......Default_RADIUS_Server Host Address......192.168.37.58 Secret Configured...... No Message Authenticator ....Enable Number of Retransmits....4 Time Duration......10 RADIUS Accounting Mode....Disable RADIUS Attribute 4 Mode....Enable RADIUS Attribute 4 Value ....
(CN1610)#show radius accounting name Host Address Server Name Port Secret Configured -------------- ---------------------- ----- ----------- 192.168.37.200 Network1_RADIUS_Server 1813 192.168.37.201 Network2_RADIUS_Server 1813 192.168.37.202 Network3_RADIUS_Server 1813 192.168.37.203 Network4_RADIUS_Server 1813 (CN1610)#show radius accounting name Default_RADIUS_Server Server Name......Default_RADIUS_Server Host Address......192.168.37.200 RADIUS Commands...
RADIUS Accounting Mode....Disable Port ........1813 Secret Configured ..... Yes show radius This command displays a summary of statistics for the configured RADIUS accounting accounting servers. statistics Format show radius accounting statistics {ipaddr|dnsname | name servername} Mode Privileged EXEC Output Description The IP address of the server.
Packets Dropped server on the accounting port and dropped for some other reason. Example: The following shows example CLI display output for the command: (CN1610)#show radius accounting statistics 192.168.37.200 RADIUS Accounting Server Name....Default_RADIUS_Server Host Address........192.168.37.200 Round Trip Time....... 0.00 Requests........
Output Description The number of RADIUS Access-Accept packets, Access Accepts including both valid and invalid packets, that were received from this server. The number of RADIUS Access-Reject packets, Access Rejects including both valid and invalid packets, that were received from this server. The number of RADIUS Access-Challenge packets, Access Challenges including both valid and invalid packets, that were...
Malformed Access Responses....0 Bad Authenticators......0 Pending Requests......0 Timeouts........0 Unknown Types......... 0 Packets Dropped....... 0 (CN1610)#show radius statistics name Default_RADIUS_Server RADIUS Server Name......Default_RADIUS_Server Server Host Address......192.168.37.200 Access Requests....... 0.00 Access Retransmissions......0 Access Accepts........ 0 Access Rejects........
Secure Shell Commands Introduction This section describes the commands you use to configure Secure Shell (SSH) access to the switch. Use SSH to access the switch from a remote management host. Note The system allows a maximum of five SSH sessions. ip ssh This command enables SSH access to the system.
Mode Privileged EXEC
no ip ssh server enable This command disables the IP secure shell server.
Format no ip ssh server enable
Mode Privileged EXEC
sshcon maxsessions This command specifies the maximum number of SSH connection sessions that can be established. A value of 0 indicates that no SSH connection can be established.
no sshcon timeout This command sets the SSH connection session timeout value, in minutes, to the default. Changing the timeout value for active sessions does not become effective until the session is reaccessed. Also, any keystroke activates the new timeout duration. Format no sshcon timeout Mode...
SNMP Commands Introduction This section describes the commands you use to configure Simple Network Management Protocol (SNMP) on the switch. You can configure the switch to act as an SNMP agent so that it can communicate with SNMP managers on your network.
no snmp-server community This command removes this community name from the table. The name is the community name to be deleted.
Format no snmp-server community name
Mode Global Config
snmp-server community ipaddr This command sets a client IP address for an SNMP community. The address is the associated community SNMP packet sending address.
Format snmp-server community ipmask ipmask name
Mode Global Config
no snmp-server community ipmask This command sets a client IP mask for an SNMP community to 0.0.0.0. The name is the applicable community name. The community name may be up to 16 alphanumeric characters.
snmp-server community ro This command restricts access to switch information. The access mode is read-only (also called public).
Format snmp-server community ro name
Mode Global Config
snmp-server community rw This command restricts access to switch information. The access mode is read/write (also called private).
Format snmp-server enable traps
Mode Global Config
no snmp-server enable traps This command disables the Authentication Flag.
Format no snmp-server enable traps
Mode Global Config
snmp-server enable traps linkmode This command enables Link Up/Down traps for the entire switch. When enabled, link traps are sent only if the Link Trap flag setting associated with the port is enabled.
no snmp-server enable traps multiusers This command disables Multiple User traps.
Format no snmp-server enable traps multiusers
Mode Global Config
snmp-server enable traps stpmode This command enables the sending of new root traps and topology change notification traps.
Default enabled
Format snmp-server enable traps stpmode
Mode...
[snmpversion snmpversion] Mode Global Config Example: The following shows an example of the CLI command: (CN1610) # snmptrap mytrap ip6addr 3099::2 no snmptrap This command deletes trap receivers for a community. Format no snmptrap name {ipaddr | ip6addr} {ipaddr | ip6addr |...
snmptrap ipaddr This command assigns an IP address to a specified community name. The maximum length of name is 16 case-sensitive alphanumeric characters.
Note IP addresses in the SNMP trap receiver table must be unique. If you make multiple entries using the same IP address, the first entry is retained and processed.
no snmp trap link-status This command disables link status traps by interface.
Note This command is valid only when the Link Up/Down Flag is enabled.
Format no snmp trap link-status
Mode Interface Config
snmp trap link-status all This command enables link status traps for all interfaces.
Note This command is valid only when the Link Up/Down Flag is enabled.
Format show snmpcommunity
Mode Privileged EXEC
Output | Description
SNMP Community Name | The community string to which this entry grants access. A valid entry is a case-sensitive alphanumeric string of up to 16 characters. Each row of this table must contain a unique community name.
Example: The following shows sample output from this command:
(CN1610) #show snmpcommunity
SNMP Community Name Client IP Address Client IP Mask Access Mode Status
------------------- ----------------- ----------------- ----------- -------
public 0.0.0.0 0.0.0.0 Read Only Enable
private 0.0.0.0 0.0.0.0 Read/Write Enable
netapp 0.0.0.0...
show trapflags This command displays trap conditions. The command’s display shows all the enabled OSPFv2 and OSPFv3 trapflags. Configure which traps the switch should generate by enabling or disabling the trap condition. If a trap condition is enabled and the condition is detected, the SNMP agent on the switch sends the trap to all enabled trap receivers.
. Indicates whether PIM traps are Disable sent.
Example: The following shows an example of this command:
(CN1610) #show trapflags
Authentication Flag......Enable
Link Up/Down Flag......Enable
Multiple Users Flag......Enable
Spanning Tree Flag......Enable
ACL Traps........Disable...
TACACS+ Commands Introduction TACACS+ provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network.
Text-based configuration supports TACACS server’s secrets in encrypted and nonencrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the “show running-config”...
Use this command in TACACS Configuration mode to specify the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the key used on the TACACS+ daemon. The key-string parameter specifies the key name. For an empty string use “ ”. The range is 0 to 128 characters.
timeout Use this command in TACACS Configuration mode to specify the timeout value, in seconds. If no timeout value is specified, the global value is used. The timeout parameter has a range of 1 to 30 and is the timeout value in seconds. Format timeout timeout Mode...
Telnet Commands Introduction This section describes the commands you use to configure and view Telnet settings. You can use Telnet to manage the device from a remote management host. ip telnet server enable This command enables Telnet connections to the system and enables the Telnet Server Admin Mode.
Mode Privileged EXEC User EXEC
transport input telnet This command regulates new Telnet sessions. If enabled, new Telnet sessions can be established until there are no more sessions available. An established session remains active until the session is ended or an abnormal network error ends the session.
Format no transport output telnet Mode Line Config session-limit This command specifies the maximum number of simultaneous outbound Telnet sessions. A value of 0 indicates that no outbound Telnet session can be established. Default Format session-limit 0-5 Mode Line Config no session-limit This command sets the maximum number of simultaneous outbound Telnet sessions to the default value.
telnetcon maxsessions This command specifies the maximum number of Telnet connection sessions that can be established. A value of 0 indicates that no Telnet connection can be established. The range is 0 to 5.
Default
Format telnetcon maxsessions 0-5
Mode Privileged EXEC
no telnetcon This command sets the maximum number of Telnet connection sessions that can...
show telnet This command displays the current outbound Telnet settings. In other words, these settings apply to Telnet connections initiated from the switch to a remote system.
Format show telnet
Mode Privileged EXEC User EXEC
Output | Description
Outbound Telnet Login Timeout | The number of minutes an outbound Telnet session is allowed to remain inactive before being logged...
Output | Description
Allow New Telnet Sessions | New Telnet sessions will not be allowed when this field is set to no. The factory default value is yes.
User Account Commands Introduction This section describes the commands you use to add, manage, and delete system users. FASTPATH software has two default users: admin and guest. The admin user can view and configure system settings, and the guest user can view settings. Note You cannot delete the admin user.
tacacs. Uses the list of all TACACS+ servers for authentication.
Example: The following shows an example of the command:
(CN1610)(config)# aaa authentication login default radius local enable none
no aaa authentication login This command returns to the default...
aaa authentication enable This command sets authentication for accessing higher privilege levels. The default enable list is enableList. It is used by console, Telnet, and SSH and only contains the method none. The default and optional list names created with the aaa authentication enable command are used with the command.
tacacs. Uses the list of all TACACS+ servers for authentication.
Example: The following example sets authentication when accessing higher privilege levels:
(CN1610)(config)# aaa authentication enable default enable
no aaa authentication enable This command returns to the default configuration.
Format...
Example: The following example specifies the default authentication method when accessing a higher privilege level console:
(CN1610)(config)# line console
(CN1610)(config-line)# enable authentication default
no enable authentication This command returns to the default specified by the enable authentication command.
Example: The following example configures user with password xxxyyymmmm and user level 15: (CN1610)(config)# username bob password xxxyyymmmm level 15 Example: The following example configures user with password test and assigns a user level of 1 (read-only). The password strength testPassword will not be validated.
username name nopassword This command removes an existing user’s password (NULL password).
Format username name nopassword [level level]
Mode Global Config
Parameter | Description
name | The name of the user. The range is 1 to 32 characters in length.
level | The user level. Level 0 can be assigned by a level 15 user to another user to suspend that user’s access.
no username snmpv3 accessmode This command sets the SNMPv3 access privileges for the specified user as readwrite for the admin user and readonly for all other users. The username value is the user name for which the specified access mode will apply.
Format no username snmpv3 accessmode username
Mode...
username snmpv3 This command specifies the encryption protocol used for the specified user. The encryption valid encryption protocols are none If you select , you can specify the required key on the command line. The encryption key must be 8 to 64 characters long. If you select the protocol but do not provide a key, the user is prompted for the key.
show users This command displays the configured user names and their settings. The show users command displays truncated user names. Use the show users long command to display the complete usernames. The show users command is only available for users with Read/Write privileges. The SNMPv3 fields will only be displayed if SNMP is available on the system.
This command displays the complete usernames of the configured users on the switch.
Format show users long
Mode Privileged EXEC
Example: The following shows an example of this command:
(CN1610)#show users long
User Name
------------
admin
guest
test1111test1111test1111test1111
show users...
Password Strength field is displayed only if the Password Strength feature is enabled. Example: The following example displays information about the local user database: (CN1610)#show users accounts UserName Privilege Password Password Lockout Aging Expiry date ------------------- --------- -------- ------------ -------...
Page 106
show users login-history
This command displays information about the login history of users.
Format show users login-history [long]
Mode Privileged EXEC
Output Description
Username: Name of the user. The name is 1 to 20 characters in length.
Example: The following example shows user login history output:
Login Time Username Protocol...
Page 107
Example: The following example specifies the default authentication method for a console:
(CN1610)(config)# line console
(CN1610)(config-line)# login authentication default
no login authentication
This command returns to the default specified by the login authentication command.
Format no login authentication
Mode Line Configuration
password (Line This command specifies a password on a line.
Page 108
Mode User EXEC
Example: The following example shows the prompt sequence for executing the password command:
(CN1610)>password
Enter old password: ********
Enter new password: ********
Confirm new password: ********
enable password
This command prompts you to change the Privileged EXEC password. Passwords are a maximum of 64 alphanumeric characters.
Page 109
Parameter Description
encrypted: Encrypted password entered or copied from another switch configuration.
passwords min-length
This command enforces a minimum password length for local users. The value also applies to the enable password. The valid range is 8 to 64 characters.
Default
Format passwords min-length 8–64...
Page 110
passwords aging This command implements aging on passwords for local users. When a user’s password expires, the user will be prompted to change it before logging in again. The valid range is 1 to 365 days. The default is 0, or no aging. Default Format passwords aging 1–365...
Page 111
passwords strength-check
This command enables the password strength feature. It is used to verify the strength of a password during configuration.
Default disable
Format passwords strength-check
Mode Global Config
no passwords strength-check
This command resets password strength checking to the default value.
Format no passwords strength-check...
Page 112
passwords strength minimum lowercase-letters
This command enforces a minimum number of lowercase letters that a password should contain. The valid range is 0 to 16. The default is 2; 0 means that there is no restriction on that set of characters.
Default
Format passwords strength minimum lowercase-letters 0-16...
Page 113
passwords strength minimum special-characters
This command enforces a minimum number of special characters that a password should contain. The valid range is 0 to 16. The default is 2; 0 means that there is no restriction on that set of characters.
Default
Format passwords strength minimum special-characters 0-16...
Page 114
passwords strength minimum repeated-characters
This command enforces a minimum number of repeated characters that a password should contain. An example of repeated characters is aaaa. The valid range is 0 to 16. If a password has a repetition of characters more than the configured limit, it fails to configure.
Page 115
passwords strength exclude-keyword
This command excludes the specified keyword while configuring the password. The password does not accept the keyword in any form (in between the string, case-insensitive and reverse) as a substring. The user can configure up to a maximum of three keywords.
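The strength rules described above can be modelled offline to pre-check candidate passwords before they are pushed to a switch. The following is an added example, not NetApp or FASTPATH code: `PasswordPolicy`, `check_password` and `longest_run` are hypothetical names, the special-character set (ASCII punctuation) and the "0 means no restriction" behaviour for repeated characters are assumptions, and the switch itself remains the authority on what it accepts.

```python
import string
from dataclasses import dataclass

# Assumption: "special characters" means ASCII punctuation; the page does not list the set.
SPECIAL = set(string.punctuation)
MAX_PASSWORD_LEN = 64  # the page states passwords are a maximum of 64 characters


@dataclass(frozen=True)
class PasswordPolicy:
    """Offline model of the 'passwords ...' settings described on this page."""
    min_length: int = 8            # passwords min-length, valid range 8 to 64
    min_lowercase: int = 2         # page default is 2; 0 disables the check
    min_special: int = 2           # page default is 2; 0 disables the check
    max_repeated: int = 0          # assumed: 0 means no restriction (default not shown on page)
    exclude_keywords: tuple = ()   # at most three keywords

    def __post_init__(self):
        if not 8 <= self.min_length <= 64:
            raise ValueError("min_length must be 8 to 64")
        for name in ("min_lowercase", "min_special", "max_repeated"):
            if not 0 <= getattr(self, name) <= 16:
                raise ValueError(f"{name} must be 0 to 16")
        if len(self.exclude_keywords) > 3:
            raise ValueError("at most three exclude keywords can be configured")


def longest_run(password):
    """Length of the longest run of one repeated character, e.g. 4 for 'aaaa'."""
    best = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password, policy):
    """Return the list of rules the password violates (empty list means it passes)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append("min-length")
    if len(password) > MAX_PASSWORD_LEN:
        failures.append("max-length")
    if sum(ch in string.ascii_lowercase for ch in password) < policy.min_lowercase:
        failures.append("lowercase-letters")
    if sum(ch in SPECIAL for ch in password) < policy.min_special:
        failures.append("special-characters")
    if policy.max_repeated and longest_run(password) > policy.max_repeated:
        failures.append("repeated-characters")
    lowered = password.lower()
    for keyword in policy.exclude_keywords:
        k = keyword.lower()
        # Rejected as a substring in any position, in any case, forwards or reversed.
        if k in lowered or k[::-1] in lowered:
            failures.append("exclude-keyword")
            break
    return failures


if __name__ == "__main__":
    policy = PasswordPolicy(max_repeated=3, exclude_keywords=("netapp",))
    # Constructed sample passwords, for illustration only.
    for candidate in ("xxppaten#!9", "aaaa#!bcdefg", "Sw1tch#Core!x", "Ab1#"):
        print(candidate, check_password(candidate, policy) or "ok")
```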
Page 116
Output Description
Lockout Attempts: Number of failed password login attempts before lockout.
Minimum Password Uppercase Letters: Minimum number of uppercase characters required when configuring passwords.
Minimum Password Lowercase Letters: Minimum number of lowercase characters required when configuring passwords.
Minimum Password Numeric Characters: Minimum number of numeric characters required when configuring passwords.
Page 117
Output Description
Password Strength Check: Shows whether password strength checking is enabled.
Last Password Set Result: Shows whether the attempt to set a password was successful. If the attempt failed, the reason for the failure is included.
memory free low- This command configures the CPU Free Memory monitoring threshold.
Page 118
no aaa ias-user username
This command removes the specified user from the internal user database.
Format no aaa ias-user username user
Mode Global Config
password (AAA IAS User Configuration)
This command specifies a password for a user in the IAS database.
Format password password [encrypted]
Mode...
Page 119
show aaa ias-users This command displays configured IAS users and their attributes. Passwords configured are not shown in the command output. show Format show aaa ias-users Mode Privileged EXEC Chapter 3: Management Commands...
Utility Commands About this chapter This chapter describes the utility commands available in the CN1610 command line interface (CLI). Topics in this This chapter includes the following sections: chapter “AutoInstall Commands” on page 118 “Cable Test Command” on page 122 “DNS Client...
AutoInstall Commands Introduction The AutoInstall feature enables the automatic update of the image and configuration of the switch. This feature enables touchless or low-touch provisioning to simplify switch configuration and imaging. AutoInstall includes the following support: Downloading an image from a TFTP server using DHCP option 125. The image update can result in a downgrade or upgrade of the firmware on the switch.
Page 123
Default stopped Format boot autoinstall {start | stop} Mode Privileged EXEC boot host This command sets the number of attempts to download a configuration file from retrycount the TFTP server. The valid range is 1 to 3 attempts. The default is 3. Default Format boot host retrycount 1-3...
Page 124
command. If memory copy system:running-config nvram:startup-config the switch reboots and the downloaded configuration has not been saved, the AutoInstall process begins, if the feature is enabled. The default value is disabled Default disabled Format boot host autosave Mode Privileged EXEC no boot host This command automatically disables saving the downloaded configuration on autosave...
This command displays the current status of the AutoInstall process.
Format show autoinstall
Mode Privileged EXEC
Example: The following example shows CLI display output for the command:
(CN1610)#show autoinstall
AutoInstall Mode....... Stopped
AutoInstall Persistent Mode....Disabled
AutoSave Mode........Disabled
AutoReboot Mode........ Enabled
AutoInstall Retry Count......3...
The cable test feature enables you to determine the cable connection status on a selected port. Note The cable test feature is supported only for copper cable. It is not supported for optical fiber cable and NetApp twinax cables. cablestatus This command returns the status of the specified port. Note The shipped configuration and supported molex cables are not supported by this command.
Page 127
Output Description If this feature is supported by the PHY for the Cable Length current link speed, the cable length is displayed as a range between the shortest estimated length and the longest estimated length. Note that if the link is down and a cable is attached to a 10/100 Ethernet adapter, then the cable status may display as Open or Short because some Ethernet adapters leave unused...
DNS Client Commands Introduction These commands are used in the Domain Name System (DNS), an Internet directory service. DNS is how domain names are translated into IP addresses. When enabled, the DNS client provides a hostname lookup service to other components of FASTPATH.
Page 129
Example: The CLI command ip domain name yahoo.com will configure yahoo.com as a default domain name. For an unqualified hostname xxx, a DNS query is made to find the IP address corresponding to xxx.yahoo.com.
no ip domain name
This command removes the default domain name configured using the ip domain name command.
Page 130
no ip name server This command removes a name server. Format no ip name server address1 address2 Mode Global Config ip host This command defines static host name-to-address mapping in the host cache. The parameter is the host name and is the IP address of the host.
Page 131
no ipv6 host This command removes the static host name-to-ipv6 address mapping in the host cache. Format no ipv6 host name Mode Global Config ip domain retry This command specifies the number of times to retry sending Domain Name System (DNS) queries. The parameter indicates the number of times to number retry sending a DNS query to the DNS server.
Page 132
Mode Global Config clear host This command deletes entries from the host name-to-address cache. This command clears the entries from the DNS cache maintained by the software. This command clears both IPv4 and IPv6 entries. Format clear host {name | all} Mode Privileged EXEC Parameter...
Page 133
Retry timeout period: Amount of time to wait for a response to a DNS query.
Name servers: Configured name servers.
Example: The following shows example CLI display output for the command:
(CN1610)> show hosts
Host name......Device
Default domain....gm.com
Default domain list....yahoo.com, Stanford.edu, rediff.com
Domain Name lookup....Enabled
Number of retries....
Dual Image Commands Introduction FASTPATH software supports a dual image feature that allows the switch to have two software images in the permanent storage. You can specify which image is the active image to be loaded in subsequent reboots. This feature allows reduced downtime when you upgrade or downgrade the software.
Page 135
Format filedescr {active | backup} text-description Mode Privileged EXEC update bootcode This command updates the bootcode (boot loader) on the switch. The bootcode is read from the active image for subsequent reboots. Format update bootcode Mode Privileged EXEC Chapter 4: Utility Commands...
Email Alerting and Mail Server Commands Introduction Email Alerting is an extension of the logging system. The logging system allows you to configure a set of destinations for log messages. The feature includes email configuration, through which the log messages are sent to a configured SMTP server such that an administrator may receive the log in an email account of the administrator’s choice.
Page 137
This command configures the email address of the sender (the switch). No dashes or dots can be included in the hostname in the e-mail addresses.
Default switch@NetApp.com
Format logging email from-addr from-email-addr
Page 138
Mode Global Config no logging email This command removes the configured email source address. from-addr Format no logging email from-addr from-email-addr Mode Global Config logging email This command configures the subject line of the email for the specified type. message-type subject Default For urgent messages:...
Page 139
no logging email This command resets the non-urgent log time to the default value. logtime Format no logging email logtime Mode Global Config logging traps This command sets the severity at which SNMP traps are logged and sent in an email.
Page 140
Output Description
Email Alert Logging: The administrative status of the feature: enabled or disabled.
Email Alert From Address: The email address of the sender (the switch).
Email Alert Urgent Severity Level: The lowest severity level that is considered urgent. Messages of this type are sent immediately.
The lowest severity level that is considered non- Email Alert Non Urgent Severity...
Page 141
Output Description
Email Alert Operation Status: The operational status of the email alerting feature.
No of Email Failures: The number of email messages that have attempted to be sent but were unsuccessful.
No of Email Sent: The number of email messages that were sent from the switch since the counter was cleared.
Page 142
security
This command sets the email alerting security protocol by enabling the switch to use TLS authentication with the SMTP server. If TLS mode is enabled on the switch but the SMTP server does not support TLS mode, no email is sent to the SMTP server.
Page 143
show mail-server This command displays information about the email alert configuration. config Format show mail-server {ip-address | hostname | all} config Mode Privileged EXEC Output Description The number of SMTP servers configured on the No. of mail servers configured switch. The IPv4/IPv6 address or DNS host name of the Email Alert Mail Server Address...
IP Address Conflict Commands Introduction The commands in this section help troubleshoot IP address conflicts. ip address-conflict- This command triggers the switch to run active address conflict detection by detect run sending gratuitous ARP packets for IPv4 addresses on the switch. Format ip address-conflict-detect run Mode...
Logging Commands
Introduction
This section describes the commands you use to configure system logging, and to view logs and the logging settings.
logging buffered
This command enables logging to an in-memory log that keeps up to 128 logs.
Default disabled; critical when enabled
Format...
Page 146
logging cli-command
This command enables the CLI command logging feature, which enables the FASTPATH software to log all CLI commands entered on the system.
Default enabled
Format logging cli-command
Mode Global Config
no logging cli-command
This command disables the CLI command logging feature.
Format no logging cli-command...
Page 147
either an integer from 0 to 7 or symbolically through one of the following keywords: emergency (0), alert (1), critical (2), error (3), warning (4), notice (5), info (6), or debug (7).
Default port: 514, severitylevel: critical (2)
Format logging host {ipaddr|hostname} addresstype [port][severitylevel]
Mode...
Page 148
Format no logging port Mode Global Config logging syslog This command enables syslog logging. The portid parameter is an integer with a range of 1 to 65535. Default disabled Format logging syslog [port portid] Mode Global Config no logging syslog This command disables syslog logging.
Page 149
Output Description
Console Logging Severity Filter: The minimum severity to log to the console log. Messages with an equal or lower numerical severity are logged.
Buffered Logging: Shows whether buffered logging is enabled.
Syslog Logging: Shows whether syslog logging is enabled.
Number of messages received by the log process.
Page 150
Format show logging hosts
Mode Privileged EXEC
Output Description
Host Index: (Used for deleting hosts.)
IP Address / Hostname: IP address or hostname of the logging host.
Severity Level: The minimum severity to log to the specified address. The possible values are emergency (0) alert (1) critical (2)
Serviceability Packet Tracing Commands Introduction These commands improve the capability of diagnosing conditions affecting FASTPATH. Attention The output of commands can be long and may adversely affect system debug performance. debug clear This command disables all previously enabled “debug” traces. Default disabled Format...
Page 152
debug dhcp packet This command displays “debug” information about DHCPv4 client activities and traces DHCPv4 packets to and from the local DHCPv4 client. Default disabled Format debug dhcp packet [transmit | receive] Mode Privileged EXEC no debug dhcp This command disables the display of “debug” trace output for DHCPv4 client packet activity.
Page 153
Mode Privileged EXEC no debug This command disables tracing of IGMP Snooping packets. igmpsnooping packet Format no debug igmpsnooping packet Mode Privileged EXEC debug This command enables tracing of IGMP Snooping packets transmitted by the igmpsnooping switch. Snooping should be enabled on the device and the interface in order to packet transmit monitor packets for a particular interface.
Page 154
Output Description The destination multicast IP address in the packet. Dest_IP The type of IGMP packet. can be one of the Type Type following: Membership Query – IGMP Membership Query V1_Membership_Report – IGMP Version 1 Membership Report V2_Membership_Report – IGMP Version 2 Membership Report V3_Membership_Report –...
Page 155
Src_IP: 11.1.1.1 Dest_IP: 225.0.0.5 Type: Membership_Query Group: 225.0.0.5 The following parameters are displayed in the trace message: Output Description A packet received by the device. The interface that the packet went out on. The Intf format used is slot/port (internal interface number). The unit is always shown as 1 for interfaces on a nonstacking device.
Page 156
debug ping packet This command enables tracing of ICMP echo requests and responses. The command traces pings on the network port/ serviceport for switching packages. For routing packages, pings are traced on the routing ports as well. Default disabled Format debug ping packet Mode Privileged EXEC...
Page 157
Mode Privileged EXEC debug sflow packet This command enables sFlow debug packet trace. Default disabled Format debug sflow packet Mode Privileged EXEC no debug sflow This command disables sFlow debug packet trace. packet Format no debug sflow packet Mode Privileged EXEC debug spanning- This command enables tracing of spanning tree BPDUs received and transmitted tree bpdu...
Page 158
Default disabled
Format debug spanning-tree bpdu receive
Mode Privileged EXEC
A sample output of the trace message is shown in the following example:
<15> JAN 01 01:02:04 192.168.17.29-1 DOT1S[191096896]: dot1s_debug.c(1249) 101 % Pkt RX - Intf: 1/0/9(9), Source_Mac: 00:11:88:4e:c2:10 Version: 3, Root Mac: 00:11:88:4e:c2:00, Root Priority: 0x8000 Path Cost: 0
The following parameters are displayed in the trace message:
Output...
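The sample trace message above can be parsed on a log collector to check which root bridge received BPDUs advertise. The following is an added example, not part of the NetApp documentation or the FASTPATH software: the function names are hypothetical, the first sample line is the one shown on this page, the other two are constructed, and the "Pkt TX" form is assumed to share the RX layout.

```python
import re

# Field layout taken from the sample "Pkt RX" trace line on this page.
TRACE_RE = re.compile(
    r"<(?P<pri>\d+)>\s+(?P<timestamp>[A-Z]{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<component>\w+)\[(?P<task>\d+)\]:\s+"
    r"(?P<file>[\w.]+)\((?P<line>\d+)\)\s+(?P<seq>\d+)\s+%\s+"
    r"Pkt (?P<direction>RX|TX) - Intf: (?P<intf>\d+/\d+/\d+)\((?P<intf_num>\d+)\),\s+"
    r"Source_Mac: (?P<src_mac>[0-9a-fA-F:]{17})\s+"
    r"Version: (?P<version>\d+),\s+"
    r"Root Mac: (?P<root_mac>[0-9a-fA-F:]{17}),\s+"
    r"Root Priority: (?P<root_priority>0x[0-9a-fA-F]+)\s+"
    r"Path Cost: (?P<path_cost>\d+)"
)

_PREFIX = "192.168.17.29-1 DOT1S[191096896]: dot1s_debug.c(1249)"
SAMPLE_TRACE = [
    # Line 1 is the sample from this page; lines 2 and 3 are constructed.
    f"<15> JAN 01 01:02:04 {_PREFIX} 101 % Pkt RX - Intf: 1/0/9(9), "
    "Source_Mac: 00:11:88:4e:c2:10 Version: 3, Root Mac: 00:11:88:4e:c2:00, "
    "Root Priority: 0x8000 Path Cost: 0",
    f"<15> JAN 01 01:02:06 {_PREFIX} 102 % Pkt RX - Intf: 1/0/12(12), "
    "Source_Mac: 02:00:00:00:00:01 Version: 3, Root Mac: 02:00:00:00:00:01, "
    "Root Priority: 0x1000 Path Cost: 0",
    f"<15> JAN 01 01:02:08 {_PREFIX} 103 % Pkt TX - Intf: 1/0/9(9), "
    "Source_Mac: 00:11:88:4e:c2:00 Version: 3, Root Mac: 00:11:88:4e:c2:00, "
    "Root Priority: 0x8000 Path Cost: 0",
]


def parse_bpdu_trace(line):
    """Parse one spanning-tree BPDU trace line into a dict, or return None."""
    match = TRACE_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    # Syslog PRI = facility * 8 + severity; <15> is facility 1, severity 7 (debug).
    rec["facility"], rec["severity"] = divmod(int(rec.pop("pri")), 8)
    rec["root_priority"] = int(rec["root_priority"], 16)
    rec["path_cost"] = int(rec["path_cost"])
    rec["version"] = int(rec["version"])
    rec["src_mac"] = rec["src_mac"].lower()
    rec["root_mac"] = rec["root_mac"].lower()
    return rec


def _bridge_id(priority, mac):
    """Comparable bridge identifier: a numerically lower value wins the root election."""
    return (priority, int(mac.replace(":", ""), 16))


def find_unexpected_roots(lines, expected_priority, expected_mac):
    """Report received BPDUs that advertise a root other than the expected one."""
    expected = _bridge_id(expected_priority, expected_mac.lower())
    findings = []
    for line in lines:
        rec = parse_bpdu_trace(line)
        if rec is None or rec["direction"] != "RX":
            continue
        advertised = _bridge_id(rec["root_priority"], rec["root_mac"])
        if advertised != expected:
            findings.append({
                "timestamp": rec["timestamp"],
                "intf": rec["intf"],
                "src_mac": rec["src_mac"],
                "root_mac": rec["root_mac"],
                "root_priority": rec["root_priority"],
                # True when the advertised root would displace the expected root.
                "superior": advertised < expected,
            })
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_roots(SAMPLE_TRACE, 0x8000, "00:11:88:4e:c2:00"):
        print(finding)
```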
Page 159
debug spanning- This command enables tracing of spanning tree BPDUs transmitted by the tree bpdu transmit switch. The spanning tree should be enabled on the device and on the interface in order to monitor packets on a particular interface. Default enabled Format debug spanning-tree bpdu transmit...
Page 160
Mode Privileged EXEC
Example: The following shows example CLI display output for the command:
(CN1610)#debug arp
Arp packet tracing enabled.
(CN1610)# show debugging
Arp packet tracing enabled.
no show debugging
Use this command to disable packet tracing configurations.
Format no show debugging...
sFlow Commands
Introduction
sFlow® is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources.
sflow receiver
This command configures the sFlow collector parameters (owner string, receiver timeout, max datagram size, IP address, and port).
Page 162
Output Description The destination Layer4 UDP port for sFlow datagrams. The range Receiver Port is 1 to 65535. The default is 6343. no sflow receiver This command sets the sFlow collector parameters back to the defaults. Format no sflow receiver indx {ip ip-address | maxdatagram size | owner string timeout interval | port 14-port} Mode Global Config...
Page 163
no sflow sampler This command resets the sFlow sampler instance to the default settings. Format no sflow sampler {rcvr-indx | rate sampling-rate | maxheadersize size} Mode Interface Config sflow poller A data source configured to collect counter samples is called a poller. This command enables a new sFlow poller instance on an interface or range of interfaces for this data source if is valid.
Page 164
Revision: 1.0 The IP address associated with this agent. IP Address Example: The following shows example CLI display output for the command: (CN1610)#show sflow agent sFlow Version........1.3;NetApp Corp;1.0 IP Address........10.131.12.66 show sflow pollers This command displays the sFlow polling instances created on the switch. To indicate a range, use a hyphen (-).
Page 165
The sFlow protocol version to be used while sending samples Datagram Version to sFlow receiver. Example: The following shows example CLI display output for the command: (CN1610)#show sflow receivers 1 Receiver Index......... 1 Owner String........Time out........0 IP Address:........0.0.0.0 Address Type........
Page 166
Output Description The maximum number of bytes that should be copied from Max Header Size a sampled packet to form a flow sample. sFlow Commands...
Simple Network Time Protocol Commands Introduction This section describes the commands you use to automatically configure the system time and date by using Simple Network Time Protocol (SNTP). sntp broadcast This command sets the poll interval for SNTP broadcast clients in seconds as a client poll-interval power of two where can be a value from 6 to 16.
Page 168
Mode Global Config sntp client port This command sets the SNTP client port ID to a value from 1 to 65535. The default value is 0, which means that the SNTP port is not configured by the user. In the default case, the actual client port value used in SNTP packets is assigned by the underlying operating system.
Page 169
sntp unicast client This command will set the poll timeout for SNTP unicast clients, in seconds, to a poll-timeout value from 1 to 30. The default is 5 seconds. Default Format sntp unicast client poll-timeout poll-timeout Mode Global Config no sntp unicast This command will reset the poll timeout for SNTP unicast clients to its default client poll-timeout value.
Page 170
Format sntp multicast client poll-interval poll-interval Mode Global Config no sntp multicast This command resets the poll interval for SNTP multicast clients to its default client poll-interval value. Format no sntp multicast client poll-interval Mode Global Config sntp server This command configures an SNTP server (a maximum of three). The server address can be either an IPv4 address or an IPv6 address.
Page 171
Output Description Time of last clock update. Last Update Time Time of last transmit query (in unicast mode). Last Attempt Time Status of the last SNTP request (in unicast mode) or Last Attempt Status unsolicited message (in broadcast mode). Current number of unsolicited broadcast messages that Broadcast Count have been received and processed by the SNTP client since...
Page 172
show sntp server This command displays SNTP server settings and configured servers. Format show sntp server Mode Privileged EXEC Output Description IP address or hostname of the configured SNTP Server IP Address / Hostname server. Address type of server (IPv4, IPv6, or DNS). Server Type Claimed stratum of the server for the last received Server Stratum...
Page 173
Output Description
Last Update Status: Last server attempt status for the server.
Total Unicast Requests: Number of requests to the server.
Failed Unicast Requests: Number of failed requests from server.
System Information and Statistics Commands Introduction This section describes the commands you use to view information about system features, components, and configurations. show arp switch This command displays the contents of the IP stack’s Address Resolution Protocol (ARP) table. The IP stack only learns ARP entries associated with the management interfaces, which are the network or service ports.
Page 175
Output Description The file in which the event originated. File The line number of the event. Line The task ID of the event. Task Id The event code. Code The time this event occurred. Time show hardware This command displays inventory information for the switch. Note command and the command display the same...
Page 176
Output Description Text used to identify the product name of this System Description switch. The machine model as defined by the Vital Product Machine Type Data. The machine model as defined by the Vital Product Machine Model Data The unique box serial number for this switch. Serial Number The field replaceable unit number.
Page 177
Output Description The total number of packets (including broadcast Packets Received Without Error packets and multicast packets) received by the processor. The number of inbound packets that contained errors Packets Received With Error preventing them from being deliverable to a higher- layer protocol.
Page 178
Output Description The total number of packets that higher-level Broadcast Packets Transmitted protocols requested to be transmitted to the broadcast address, including those that were discarded or not sent. The number of outbound packets that could not be Transmit Packet Errors transmitted because of errors.
Page 179
Output Description - The total Packets Total Packets Received (Octets) Received number of octets of data (including those in bad packets) received on the network (excluding framing bits but including Frame Check Sequence (FCS) octets). This object can be used as a reasonable estimate of Ethernet utilization.
Page 180
Output Description - The total Packets Received 128–255 Octets number of packets (including bad packets) received that were between 128 and 255 octets in length inclusive (excluding framing bits but including FCS octets). - The total Packets Received 256–511 Octets number of packets (including bad packets) received that were between 256 and 511 octets in length inclusive (excluding framing bits but including FCS...
Page 181
Output Description - The total Packets Packets RX and TX 256–511 Octets number of packets (including bad packets) received Received and transmitted that were between 256 and 511 octets (con’t) in length inclusive (excluding framing bits but including FCS octets). - The total Packets RX and TX 512–1023 Octets number of packets (including bad packets) received...
Page 182
Output Description - The total Packets Total Packets Received Without Error Received number of packets received that were without errors. Successfully - The number of Unicast Packets Received subnetwork-unicast packets delivered to a higher-layer protocol. - The total number of Multicast Packets Received good packets received that were directed to a multicast address.
Page 183
Output Description - The total number of inbound packets that Packets Total Received with contained errors preventing them from being MAC Errors deliverable to a higher-layer protocol. - The total number of packets Jabbers Received received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-...
Page 184
Output Description - A count of valid frames received which were Received Total Packets Not discarded (in other words, filtered) by the forwarding Forwarded process - The total number of frames Local Traffic Frames dropped in the forwarding process because the destination address was located off of this port.
Page 185
Output Description - The total number of octets of data Packets Total Bytes Transmitted (including those in bad packets) received on the Octets network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of Ethernet utilization. If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval.
Page 186
Output Description - The number of frames that have been Packets Total Transmitted transmitted by this port to its segment. Successfully - The total number of Unicast Packets Transmitted packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Page 187
Output Description - The sum of single collision frames Transmit Total Discards Discards discarded, multiple collision frames discarded, and excessive frames discarded. - A count of the number Single Collision Frames of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.
Page 188
Output Description - A count of Protocol 802.3x Pause Frames Transmitted Statistics MAC Control frames transmitted on this interface with an opcode indicating the PAUSE operation. This counter does not increment when the interface is operating in half-duplex mode. - The count of GVRP PDUs GVRP PDUs Received received in the GARP layer.
Page 189
Output Description The elapsed time, in days, hours, minutes, and seconds Time Since Counters Last since the statistics for this port were last cleared. Cleared If you use the keyword, the following information appears: switchport Output Description The total number of octets of data received by the processor Octets Received (excluding framing bits but including FCS octets).
Page 190
Output Description The total number of packets that higher-level protocols Unicast Packets requested be transmitted to a subnetwork-unicast address, Transmitted including those that were discarded or not sent. The total number of packets that higher-level protocols Multicast Packets requested be transmitted to a Multicast address, including Transmitted those that were discarded or not sent.
Page 191
Output Description The elapsed time, in days, hours, minutes, and seconds, Time Since Counters Last since the statistics for this switch were last cleared. Cleared show mac-addr- This command displays the forwarding database entries. These entries are used table by the transparent bridging function to determine how to forward a received frame.
Page 192
Output Description The status of this entry. The meanings of the values Status are: —The value of the corresponding Static instance was added by the system or a user when a static MAC filter was defined. It cannot be relearned. —The value of the corresponding Learned instance was learned by observing the source...
Page 193
This command is available in VxWorks and Linux 2.6 only. Format show process cpu Mode Privileged EXEC Example: The following shows example CLI display output for the command using Linux: (CN1610) #show process cpu Memory Utilization Report status bytes ------ ---------- free 106450944...
Page 194
0.11% 0.12% ----------------------------------------------------------------- Total CPU Utilization 1.55% 1.58% 1.50% Example: The following shows example CLI display output for the command using VxWorks: (CN1610)#show process cpu Memory Utilization Report status bytes ------ ---------- free 192980480 alloc 53409968 Task Utilization Report Task...
Page 195
Note command does not display the User Password, even show running-config if you set one different from the default. The output is displayed in script format, which can be used to configure another switch with the same configuration. If the optional is provided with scriptname a file name extension of .scr, the output is redirected to a script file.
Page 196
Output Description Text used to identify this switch. Switch Description Name used to identify the switch.The factory default is System Name blank. To configure the system name, see “snmp-server” on page 67. Text used to identify the location of the switch. The factory System Location default is blank.
Page 197
Mode Privileged EXEC terminal length This command sets the number of lines of output to be displayed on the screen, that is, pagination, for the show running-config show running-config commands. The terminal length size is either 0 (zero) or a number in the range of 5 to 48.
System Utility and Clear Commands Introduction This section describes the commands you use to help troubleshoot connectivity issues and to restore various configurations to their factory defaults. traceroute This command finds the routes that packets actually take when traveling to their destination through the network on a hop-by-hop basis.
Page 199
The following are examples that use the command: traceroute Example of a successful traceroute (CN1610)# traceroute 10.240.10.115 initTtl 1 maxTtl 4 maxFail 0 interval 1 count 3 port 33434 size 43 Traceroute to 10.240.10.115 ,4 hops max 43 byte packets: 1 10.240.4.1 708 msec...
Page 200
Example of a failure: traceroute (CN1610)# traceroute 10.40.1.1 initTtl 1 maxFail 0 interval 1 count port 33434 size 43 Traceroute to 10.40.1.1 ,30 hops max 43 byte packets: 1 10.240.4.1 19 msec 18 msec 9 msec 2 10.240.1.252 0 msec...
Page 201
clear counters This command clears the statistics for a specified slot/port, for all the ports, or for the entire switch based upon the argument. Format clear counters {slot/port | all} Mode Privileged EXEC clear igmpsnooping This command clears the tables managed by the IGMP Snooping function and attempts to delete these entries from the Multicast Forwarding Database.
Page 202
logout This command closes the current Telnet connection or resets the current serial connection. Note Save the configuration changes before logging out. Format logout Mode Privileged EXEC User EXEC ping This command determines whether another computer is on the network. It provides a synchronous response when initiated from the CLI and Web interfaces.
Page 203
Example of a successful ping (CN1610) #ping 10.254.2.160 count 3 interval 1 size 255 Pinging 10.254.2.160 with 255 bytes of data: Received response for icmp_seq = 0. time = 275268 usec Received response for icmp_seq = 1. time = 274009 usec Received response for icmp_seq = 2.
Page 204
quit This command closes the current Telnet connection or resets the current serial connection. The system asks you whether to save configuration changes before quitting. Format quit Mode Privileged EXEC User EXEC reload This command resets the switch without powering it off. Reset means that all network connections are terminated and the boot code executes.
Page 205
For TFTP, SFTP and SCP, the ipaddr|hostname parameter is the IP address or host name of the server, filepath is the path to the file, and filename is the name of the file you want to upload or download. For SFTP and SCP, the parameter is the username for logging into the remote server via SSH.
Page 206
An example of the CLI command follows: (CN1610)#copy tftp://1.1.1.1/file.scr nvram:script file.scr noval (CN1610)#copy tftp://1.1.1.1/file.scr nvram:script file.scr noval Downloads an SSH key file. For more nvram:sshkey- information, see “Secure Shell Commands” on page 64. Downloads an SSH key file.
Page 207
Source Destination Description
{active | backup}: Uploads either image to the remote server.
active, backup: Copies the active image to the backup image.
backup, active: Copies the backup image to the active image.

environment temprange
This command sets the allowed temperature range for normal operations.
Format environment temprange min -100-100 max -100-100...
Page 208
Mode Global Config

environment trap temperature
This command enables the temperature status trap.
Format environment trap temperature
Mode Global Config

show environment
This command displays vital environment status data.
Format show environment
Mode Privileged EXEC

slot
This command configures a slot in the system. The slot/port is the slot identifier of the slot.
Page 209
Note You can get the cardindex by entering the command show supported cardtype in User EXEC mode.

set slot disable
This command configures the administrative mode of the slot(s). If you specify ], the command is applied to all slots, otherwise the command is applied to the slot identified by slot/port.
Page 210
no set slot power This command unconfigures the power mode of the slot(s), and prohibits power from being supplied to a card located in the slot. If you specify , the command prohibits power to all slots, otherwise the command prohibits power to the slot identified by slot/port.
Page 211
Enable Enable BCM53716-16FE No

Example: The following shows example CLI display output for the show slot [slot] command:
(CN1610) #show slot 0
Slot......0
Slot Status....... Full
Admin State....... Enable
Power State....... Enable
Inserted Card:
Model Identifier....BCM53716-16FE
Card Description....Broadcom BCM53716 - 16 Port 10GB...
Page 212
BCM53716-16FE Example: The following shows example CLI display output for the command when you supply a value for cardindex (CN1610) #show supported cardtype 3 Card Type......0x56820001 Model Identifier....BCM53716-16FE Card Description....Broadcom BCM53716 - 16 Port 10GB Ethernet Line Card...
Switching Commands

About this chapter
This chapter describes the switching commands available in the CN1610 command line interface (CLI).

Topics in this chapter
This chapter includes the following sections:
“Denial of Service Commands” on page 211
“DHCP Client Commands” on page 222
“DHCP L2 Relay Agent...
Page 214
“Storm-Control Commands” on page 414
“VLAN Commands” on page 427
“Voice VLAN Commands” on page 444

CAUTION The commands in this chapter are in one of three functional groups:
Show commands display switch settings, statistics, and other information.
Configuration commands configure features and options of the switch. For every configuration command, there is a show command that displays the...
Denial of Service Commands

Introduction
This section describes the commands you use to configure Denial of Service (DoS) Control. FASTPATH software provides support for classifying and blocking specific types of Denial of Service attacks. You can configure your system to monitor and block these types of attacks:
SIP = DIP: Source IP address = Destination IP address.
Page 216
no dos-control all
This command disables Denial of Service prevention checks globally.
Format no dos-control all
Mode Global Config

dos-control sipdip
This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack.
Page 217
Mode Global Config

dos-control tcpfrag
This command enables TCP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having IP Fragment Offset equal to one (1), the packets will be dropped if the mode is enabled.
Page 218
dos-control l4port
This command enables L4 Port Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having Source TCP/UDP Port Number equal to Destination TCP/UDP Port Number, the packets will be dropped if the mode is enabled.
Note Some applications mirror source and destination L4 ports –...
Page 219
dos-control smacdmac
This command enables Source MAC address = Destination MAC address (SMAC = DMAC) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SMAC = DMAC, the packets will be dropped if the mode is enabled.
Page 220
Default disabled
Format dos-control udpport
Mode Global Config

no dos-control udpport
This command disables UDP L4 source = destination port number (Source UDP Port = Destination UDP Port) Denial of Service protection.
Format no dos-control udpport
Mode Global Config

dos-control
This command enables TCP Flag and Sequence Denial of Service protections.
Page 221
Mode Global Config

no dos-control tcpoffset
This command disables TCP Offset Denial of Service protection.
Format no dos-control tcpoffset
Mode Global Config

dos-control tcpsyn
This command enables TCP SYN and L4 source = 0-1023 Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack.
Page 222
Mode Global Config

dos-control tcpfinurgpsh
This command enables TCP FIN and URG and PSH and SEQ = 0 checking Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP FIN, URG, and PSH all set and TCP Sequence Number set to 0, the packets will be dropped if the mode is enabled.
Page 223
dos-control icmpv6
This command enables Maximum ICMPv6 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv6 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.
Page 224
Output Description
First Fragment Mode: May be enabled or disabled. The factory default is disabled.
Min TCP Hdr Size <0-255>: The factory default is 20.
ICMP Mode: May be enabled or disabled. The factory default is disabled.
Max ICMPv4 Pkt Size: The range is 0 to 1023. The factory default is 512.
The range is 0 to 16384.
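The drop conditions described for the dos-control keywords above can be modelled as one predicate per keyword. The following is an added example, not NetApp or FASTPATH code: the Packet model, the sample packets and the ICMPv6 size limit of 512 are constructed for illustration, and only the keywords whose conditions are stated in this section are covered.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields the checks look at (a model, not a wire parser)."""
    smac: str
    dmac: str
    sip: str
    dip: str
    proto: str                      # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0            # IP Fragment Offset
    tcp_flags: frozenset = frozenset()
    tcp_seq: int = 1
    echo_request: bool = False      # ICMPv6 Echo Request (PING)
    size: int = 64                  # size compared by the icmpv6 check


def _l4(pkt, *protos):
    # L4 header fields only exist in an unfragmented packet or first fragment.
    return pkt.proto in protos and pkt.frag_offset == 0


# One predicate per dos-control keyword, written from the wording above.
# "mx" is the configured maximum ICMPv6 packet size.
CHECKS = {
    "sipdip": lambda p, mx: p.sip == p.dip,
    "smacdmac": lambda p, mx: p.smac.lower() == p.dmac.lower(),
    "tcpfrag": lambda p, mx: p.proto == "tcp" and p.frag_offset == 1,
    "l4port": lambda p, mx: _l4(p, "tcp", "udp") and p.sport == p.dport,
    "udpport": lambda p, mx: _l4(p, "udp") and p.sport == p.dport,
    "tcpsyn": lambda p, mx: _l4(p, "tcp") and "SYN" in p.tcp_flags
    and 0 <= p.sport <= 1023,
    "tcpfinurgpsh": lambda p, mx: _l4(p, "tcp")
    and {"FIN", "URG", "PSH"} <= p.tcp_flags and p.tcp_seq == 0,
    "icmpv6": lambda p, mx: p.proto == "icmpv6" and p.echo_request
    and p.size > mx,
}
ALL = frozenset(CHECKS)


def matched_checks(pkt, enabled, icmpv6_max_size=512):
    """Return the enabled keywords whose drop condition this packet meets."""
    return [name for name, test in CHECKS.items()
            if name in enabled and test(pkt, icmpv6_max_size)]


def verdict(pkt, enabled, icmpv6_max_size=512):
    """A packet is dropped as soon as any enabled check matches."""
    return "drop" if matched_checks(pkt, enabled, icmpv6_max_size) else "forward"


# Constructed sample packets (documentation address ranges, made-up MACs).
MAC_A, MAC_B = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
SAMPLES = {
    "same_src_dst": Packet(MAC_A, MAC_B, "192.0.2.10", "192.0.2.10", "tcp",
                           80, 80, tcp_flags=frozenset({"SYN"})),
    # Legitimate traffic that mirrors its L4 ports (see the l4port Note).
    "ntp_peer": Packet(MAC_A, MAC_B, "192.0.2.10", "192.0.2.20", "udp",
                       123, 123),
    "https_client": Packet(MAC_A, MAC_B, "192.0.2.10", "192.0.2.20", "tcp",
                           51514, 443, tcp_flags=frozenset({"SYN"})),
    "fin_urg_psh": Packet(MAC_A, MAC_B, "192.0.2.10", "192.0.2.20", "tcp",
                          40000, 80, tcp_seq=0,
                          tcp_flags=frozenset({"FIN", "URG", "PSH"})),
    "offset_one": Packet(MAC_A, MAC_B, "192.0.2.10", "192.0.2.20", "tcp",
                         frag_offset=1),
    "big_echo": Packet(MAC_A, MAC_B, "2001:db8::1", "2001:db8::2", "icmpv6",
                       echo_request=True, size=1500),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} {verdict(pkt, ALL):8} {matched_checks(pkt, ALL)}")
```

The ntp_peer sample shows why the l4port and udpport checks need review before they are enabled: a packet that is not an attack is dropped only because its source and destination ports are equal.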
Page 225
Output Description
vlan–list: The VLAN ID. Enter VLAN IDs in the range of 1 to 4093. Use a dash (–) to specify a range. Use a comma (,) to separate non-consecutive IDs in a list. Spaces and zeros are not permitted.
Chapter 5: Switching Commands...
DHCP Client Commands

Introduction
FASTPATH can include vendor and configuration information in DHCP client requests relayed to a DHCP server. This information is included in DHCP Option 60, Vendor Class Identifier. The information is a string of 128 octets.

dhcp client vendor-id-option
This command enables the inclusion of DHCP Option-60, Vendor Class Identifier included in the requests transmitted to the DHCP server by the DHCP...
Page 227
Mode Privileged EXEC

Example: The following shows example CLI display output for the command:
(CN1610)#show dhcp client vendor-id-option
DHCP Client Vendor Identifier Option is Enabled
DHCP Client Vendor Identifier Option string is FastpathClient.
DHCP L2 Relay Agent Commands You can enable the switch to operate as a DHCP Layer 2 relay agent to relay DHCP requests from clients to a Layer 3 relay agent or server. The Circuit ID and Remote ID can be added to DHCP requests relayed from clients to a DHCP server.
Page 229
no dhcp l2relay circuit-id subscription-name
This command resets the Option 82 Circuit ID for a given service subscription identified by subscription-string on a given interface. The subscription-string is a character string that needs to be matched with a configured DOT1AD subscription string for correct operation.
Page 230
Format dhcp l2relay remote-id remoteid-string subscription-name subscription-string
Mode Interface Config

no dhcp l2relay remote-id subscription-name
This command resets the Option 82 Remote ID string for a given service subscription identified by subscription-string on a given interface. The subscription-string is a character string which needs to be matched with a configured DOT1AD subscription string for correct operation.
Page 231
dhcp l2relay subscription-name
This command enables relaying DHCP packets on an interface or range of interfaces that fall under the specified service subscription. The subscription-string is a character string that needs to be matched with configured DOT1AD subscription string for correct operation.
Default disabled (that is, no DHCP packets are relayed)...
Page 232
This command displays the summary of DHCP L2 Relay configuration. Format show dhcp l2relay all Mode Privileged EXEC Example: The following shows example CLI display output for the command: (CN1610)#show dhcp l2relay all DHCP L2 Relay is Enabled. Interface L2RelayMode TrustMode ----------...
Page 233
This command displays DHCP L2 relay configuration specific to interfaces. interface Format show dhcp l2relay interface {all | interface-num} Mode Privileged EXEC Example: The following shows example CLI display output for the command: (CN1610)#show dhcp l2relay interface all DHCP L2 Relay is Enabled. Interface L2RelayMode TrustMode ----------...
Format show dhcp l2relay stats interface {all | interface-num} Mode Privileged EXEC Example: The following shows example CLI display output for the command: (CN1610)#show dhcp l2relay stats interface all DHCP L2 Relay is Enabled. Interface UntrustedServer UntrustedClient TrustedServer...
Page 235
VLAN. Format show dhcp l2relay agent-option vlan vlan-range Mode Privileged EXEC Example: The following shows example CLI display output for the command: (CN1610)#show dhcp l2relay agent-option vlan 5-10 DHCP L2 Relay is Enabled. VLAN Id L2 Relay CircuitId RemoteId...
DHCP Snooping Configuration Commands

Introduction
This section describes commands you can use to configure DHCP Snooping.

ip dhcp snooping
This command enables DHCP Snooping globally.
Default disabled
Format ip dhcp snooping
Mode Global Config

no ip dhcp snooping
This command disables DHCP Snooping globally.
Format no ip dhcp snooping...
Page 237
Format ip dhcp snooping verify mac-address
Mode Global Config

no ip dhcp snooping verify mac-address
This command disables verification of the source MAC address with the client hardware address.
Format no ip dhcp snooping verify mac-address
Mode Global Config

ip dhcp snooping database
This command configures the persistent location of the DHCP Snooping database.
Page 238
no ip dhcp snooping binding
This command removes the DHCP static entry from the DHCP Snooping database.
Format no ip dhcp snooping binding mac-address
Mode Global Config

ip verify binding
This command configures static IP source guard (IPSG) entries.
Format ip verify binding mac-address vlan vlan id ip address interface interface id
Mode...
Page 239
ip dhcp snooping log-invalid
This command controls the logging DHCP messages filtration by the DHCP Snooping application. Use this command to configure a single interface or a range of interfaces.
Default disabled
Format ip dhcp snooping log-invalid
Mode Interface Config

no ip dhcp This command disables the logging DHCP messages filtration by the DHCP snooping log-...
Page 240
Log Invalid Pkts on the specified interface.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip dhcp snooping
DHCP snooping is Disabled
DHCP snooping source MAC verification is enabled
DHCP snooping is enabled on the following VLANs:...
Page 241
Type: Binding type; statically configured from the CLI or dynamically learned.
Lease (sec): The remaining lease time for the entry.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip dhcp snooping binding
Total number of bindings: 2
MAC Address IP Address VLAN Interface...
Page 242
Interface Trust State Rate LimitBurst Interval (pps) (seconds)
----------- ---------- ---------- --------------
1/g1
1/g2
1/g3

(CN1610)#show ip dhcp snooping interfaces ethernet 1/g15
Interface Trust State Rate LimitBurst Interval (pps) (seconds)
----------- ---------- ---------- --------------
1/g15

show ip dhcp snooping statistics
This command lists statistics for DHCP Snooping security violations on untrusted ports.
Page 243
DHCP Server Msgs Rec’d: Represents the number of DHCP server messages received on Untrusted ports.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip dhcp snooping statistics
Interface MAC Verify Client Ifc DHCP Server Failures...
Page 244
MAC Address field is empty. If port security is disabled on the interface, then the MAC Address field displays permit-all
VLAN: The VLAN for the binding rule.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip verify source
Interface Filter Type IP Address MAC Address Vlan...
Page 245
--------- ----------- --------------- ----------------- -----
ip-mac 210.1.1.3 00:02:B3:06:60:80
ip-mac 210.1.1.4 00:0F:FE:00:13:04

show ip verify interface
This command displays the IPSG filter type for a specific interface.
Format show ip verify interface slot/port
Mode Privileged EXEC User EXEC

Output Description
Interface: Interface address in slot/port format.
Filter Type: Is one of two values:...
Page 246
DHCP Snooping.
VLAN: VLAN for the entry.
Interface: IP address of the interface in slot/port format.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip source binding
MAC Address IP Address Type VLAN Interface
----------------- --------------- ---------- ----- -------------
00:00:00:00:00:08 1.2.3.4 dhcp-snooping...
Double VLAN Commands Introduction This section describes the commands you can use to configure double VLAN (DVLAN). Double VLAN tagging is a way to pass VLAN traffic from one customer domain to another through a Metro Core in a simple and cost-effective manner.
Page 248
Parameter Description
802.1Q: Configure the ethertype as 0x8100.
custom: Configure the value of the custom tag in the range from 0 to 65535.
vman: Represents the commonly used value of 0x88A8.

no dvlan-tunnel Use the form of this command to disassociate globally defined TPID(s) to an ethertype (Interface interface.
Page 249
no dvlan-tunnel ethertype default-tpid
Use the no form of this command to set the TPID register to 0. (At initialization, all TPID registers will be set to their default values.)
Format no dvlan-tunnel ethertype {802.1Q | vman | custom 0–65535} [default-tpid]
Mode Global Config...
Page 250
no mode dvlan-tunnel
This command disables double VLAN tunneling on the specified interface. By default, Double VLAN Tunneling is disabled.
Format no mode dvlan-tunnel
Mode Interface Config

show dot1q-tunnel
Use this command without the optional parameters to display all interfaces enabled for double VLAN tunneling.
Page 251
Example: The following shows examples of the CLI display for this command: (CN1610) #show dvlan-tunnel TPIDs Configured....... 0x88a8 Default TPID........0x88a8 Interfaces Enabled for DVLAN Tunneling..None (CN1610)# (CN1610)#show dvlan-tunnel interface 1/0/1 Interface Mode EtherType --------- ------- ------------ 1/0/1 Disable 0x88a8...
Dynamic ARP Inspection Commands

Introduction
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses mapping another station’s IP address to its own MAC address.
Page 253
Default disabled
Format ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode Global Config

no ip arp inspection validate
This command disables the additional validation checks on the received ARP packets.
Format no ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Mode Global Config

ip arp inspection
This command enables logging of invalid ARP packets on a list of comma-...
Page 254
Mode Interface Config

ip arp inspection limit
This command configures the rate limit and burst interval values for an interface or range of interfaces. Configuring none for the limit means the interface is not rate limited for Dynamic ARP Inspections. The maximum value shown in the range for the rate option might be more than the hardware allowable limit.
Page 255
Format no ip arp inspection filter acl-name vlan vlan-list [static] Mode Global Config arp access-list This command creates an ARP ACL. Format arp access-list acl-name Mode Global Config no arp access-list This command deletes a configured ARP ACL. Format no arp access-list acl-name Mode Global Config permit ip host mac...
Page 256
ACL Name
Static Flag: If the ARP ACL is configured static on the VLAN.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip arp inspection vlan 10-12
Source Mac Validation : Disabled
Destination Mac Validation : Disabled...
Page 257
(CN1610)# show ip arp inspection statistics VLAN Forwarded Dropped ---- --------- ------- The following shows example CLI display output for the command: Example: (CN1610)# show ip arp inspection statistics vlan vlan-list VLAN DHCP DHCP Bad Src Bad Dest Invalid Drops Drops...
Page 258
Rate Limit: The configured rate limit value in packets per second.
Burst Interval: The configured burst interval value in seconds.

Example: The following shows example CLI display output for the command:
(CN1610)#show ip arp inspection interfaces
Interface Trust State Rate Limit Burst Interval (pps) (seconds)
---------------...
Page 259
Mode Privileged EXEC User EXEC

Example: The following shows example CLI display output for the command:
(CN1610)#show arp access-list
ARP access list H2
permit ip host 1.1.1.1 mac host 00:01:02:03:04:05
permit ip host 1.1.1.2 mac host 00:03:04:05:06:07
ARP access list H3
ARP access list H4
permit ip host 2.1.1.2 mac host 00:03:04:05:06:08...
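The decision DAI makes for each ARP packet, as an added example (not NetApp or FASTPATH code): it parses the `show arp access-list` output shown above into permit rules and checks an ARP sender IP/MAC pair against those rules and against DHCP snooping bindings. Assumptions: trusted interfaces bypass inspection, a static ARP ACL drops non-matching packets without consulting the bindings, and a binding must also match VLAN and interface; the VLAN and interface values in the binding are constructed.

```python
import re

ACL_HEADER = re.compile(r"^ARP access list (\S+)$")
ACL_RULE = re.compile(
    r"^permit ip host (\d{1,3}(?:\.\d{1,3}){3}) mac host ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)

# Output of "show arp access-list" as printed in this section.
SHOW_ARP_ACL = """\
ARP access list H2
permit ip host 1.1.1.1 mac host 00:01:02:03:04:05
permit ip host 1.1.1.2 mac host 00:03:04:05:06:07
ARP access list H3
ARP access list H4
permit ip host 2.1.1.2 mac host 00:03:04:05:06:08
"""

# DHCP snooping binding: MAC and IP are from the "show ip source binding"
# sample in this section; VLAN and interface are constructed values.
BINDINGS = [
    {"mac": "00:00:00:00:00:08", "ip": "1.2.3.4", "vlan": 10, "interface": "0/1"},
]


def parse_arp_acls(text):
    """Return {acl_name: {(ip, mac), ...}} from show arp access-list output."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), set())
            continue
        rule = ACL_RULE.match(line)
        if rule and current is not None:
            current.add((rule.group(1), rule.group(2).lower()))
    return acls


def inspect_arp(sender_ip, sender_mac, vlan, interface, *, trusted=False,
                acl=None, static=False, bindings=()):
    """Return (verdict, reason) for one ARP packet's sender IP/MAC pair."""
    if trusted:
        return ("forward", "trusted")            # assumption: no inspection
    pair = (sender_ip, sender_mac.lower())
    if acl is not None:
        if pair in acl:
            return ("forward", "arp-acl")
        if static:
            # Assumption: a static ACL is the only source of truth.
            return ("drop", "arp-acl-static")
    for entry in bindings:
        if ((entry["ip"], entry["mac"].lower()) == pair
                and entry["vlan"] == vlan and entry["interface"] == interface):
            return ("forward", "dhcp-snooping")
    return ("drop", "no-binding")


ACLS = parse_arp_acls(SHOW_ARP_ACL)

if __name__ == "__main__":
    # A station claiming 1.1.1.1 with a MAC that no rule or binding lists:
    # the poisoning case described in the Introduction.
    print(inspect_arp("1.1.1.1", "00:00:5e:00:53:99", 10, "0/2",
                      acl=ACLS["H2"], bindings=BINDINGS))
    print(inspect_arp("1.2.3.4", "00:00:00:00:00:08", 10, "0/1",
                      acl=ACLS["H2"], bindings=BINDINGS))
```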
802.1X Supplicant Commands Introduction CN1610 supports 802.1X (dot1x) supplicant functionality on point-to-point ports. The administrator can configure the user name and password used in authentication and capabilities of the supplicant port. dot1x pae This command sets the port’s dot1x role. The port can serve as either a supplicant or an authenticator.
Page 261
Parameter Description
force-unauthorized: Sets the authorization state of the port to Unauthorized, bypassing the authentication process.

no dot1x supplicant port-control
This command sets the port-control mode to the default, auto.
Format no dot1x supplicant port-control
Mode Interface Config

dot1x supplicant max-start
This command configures the number of attempts that the supplicant makes to find the authenticator before the supplicant assumes that there is no authenticator.
Page 262
no dot1x supplicant timeout start-period
This command sets the start-period value to the default.
Format no dot1x supplicant timeout start-period
Mode Interface Config

dot1x supplicant timeout held-period
This command configures the held-period timer interval to wait for the next authentication on previous authentication fail.
Default 30 seconds
Format...
Page 263
dot1x supplicant user
This command maps the given user to the port.
Format dot1x supplicant user
Mode Interface Config

show dot1x statistics
This command displays the dot1x port statistics in detail.
Format show dot1x statistics slot/port
Mode Privileged EXEC User EXEC

Output Description
Displays the number of valid EAPOL frames received on...
Page 264
Last EAPOL Frames Source: Displays the source MAC Address attached to the most recently received EAPOL frame.

Example: The following shows example CLI display output for the command:
(CN1610)#show dot1x statistics 0/1
Port........... 0/1
EAPOL Frames Received......0
EAPOL Frames Transmitted....... 0
EAPOL Start Frames Transmitted....3
EAPOL Logoff Frames Received....
GARP Commands

Introduction
This section describes the commands you use to configure Generic Attribute Registration Protocol (GARP) and view GARP status. These commands affect both GARP VLAN Registration Protocol (GVRP) and GARP Multicast Registration Protocol (GMRP). GARP is a protocol that allows client stations to register with the switch for membership in VLANs (by using GVRP) or multicast groups (by using GMRP).
Page 266
to maintain uninterrupted service. The leave time is 20 to 600 (centiseconds). The value 60 centiseconds is 0.6 seconds. The leave time must be greater than or equal to three times the join time. Default Format set garp timer leave 20-600 Mode Interface Config Global Config...
Page 267
show garp
This command displays GARP information.
Format show garp
Mode Privileged EXEC User EXEC

Output Description
GMRP Admin Mode: The administrative mode of GARP Multicast Registration Protocol (GMRP) for the system.
GVRP Admin Mode: The administrative mode of GARP VLAN Registration Protocol (GVRP) for the system.
GMRP Commands

Introduction
This section describes the commands you use to configure and view GARP Multicast Registration Protocol (GMRP) information. Like IGMP snooping, GMRP helps control the flooding of multicast packets. GMRP-enabled switches dynamically register and deregister group membership information with the MAC networking devices attached to the same segment.
Page 269
Format set gmrp interfacemode
Mode Interface Config Global Config

no set gmrp interfacemode
This command disables GARP Multicast Registration Protocol on a single interface or all interfaces. If an interface which has GARP enabled is enabled for routing or is enlisted as a member of a port channel (LAG), GARP functionality is disabled.
Page 270
Output Description
Leave Timer: The period of time to wait after receiving an unregister request for an attribute before deleting the attribute. Current attributes are a VLAN or multicast group. This may be considered a buffer time for another station to assert registration for the same attribute in order to maintain uninterrupted service.
Page 271
Output Description
Type: The type of the entry. Static entries are those that are configured by the end user. Dynamic entries are added to the table as a result of a learning process or protocol.
Description: The text description of this multicast table entry.
Interfaces: The list of interfaces that are designated for forwarding (Fwd:)...
GVRP Commands Introduction This section describes the commands you use to configure and view GARP VLAN Registration Protocol (GVRP) information. GVRP-enabled switches exchange VLAN configuration information, which allows GVRP to provide dynamic VLAN creation on trunk ports and automatic VLAN pruning. Note If GVRP is disabled, the system does not forward GVRP messages.
Page 273
no set gvrp interfacemode
This command disables GVRP on a single port (Interface Config mode) or all ports (Global Config mode). If GVRP is disabled, Join Time, Leave Time, and Leave All Time have no effect.
Format no set gvrp interfacemode
Mode Interface Config Global Config...
Page 274
Output Description
LeaveAll Timer: Controls how frequently LeaveAll PDUs are generated. A LeaveAll PDU indicates that all registrations will shortly be deregistered. Participants will need to rejoin in order to maintain registration. There is an instance of this timer on a per-port, per-GARP participant basis.
IGMP Snooping Configuration Commands Introduction This section describes the commands you use to configure IGMP snooping. FASTPATH software supports IGMP Versions 1, 2, and 3. The IGMP snooping feature can help conserve bandwidth because it allows the switch to forward IP multicast traffic only to connected hosts that request multicast traffic.
Page 276
Format no set igmp [vlan_id]
Mode Global Config Interface Config VLAN Config

set igmp interfacemode
This command enables IGMP snooping on all interfaces. If an interface has IGMP snooping enabled and you enable this interface for routing or enlist it as a member of a port channel (LAG), IGMP snooping functionality is disabled on that interface.
Page 277
Default disabled
Format set igmp fast-leave [vlan_id]
Mode Interface Config Interface Range VLAN Config

no set igmp fast-leave
This command disables IGMP snooping fast-leave admin mode on a selected interface.
Format no set igmp fast-leave [vlan_id]
Mode Interface Config Interface Range VLAN Config

set igmp...
Page 278
Mode Interface Config Global Config VLAN Config

set igmp maxresponse
This command sets the IGMP Maximum Response time for the system, on a particular interface or VLAN, or on a range of interfaces. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface.
Page 279
Format set igmp mcrtrexpiretime [vlan_id] 0-3600
Mode Global Config Interface Config VLAN Config

no set igmp mcrtrexpiretime
This command sets the Multicast Router Present Expiration time to 0. The time is set for the system, on a particular interface or a VLAN.
Format no set igmp mcrtrexpiretime [vlan_id]
Mode...
Page 280
Format set igmp mrouter interface
Mode Interface Config

no set igmp mrouter interface
This command disables the status of the interface as a statically configured multicast router interface.
Format no set igmp mrouter interface
Mode Interface Config

set igmp router-
This command enables Router-Alert validation for IGMP packets.
Page 281
Output Description
Admin Mode: Indicates whether or not IGMP snooping is active on the switch.
Multicast Control Frame Count: The number of multicast control frames that are processed by the CPU.
Interface Enabled for IGMP Snooping: The list of interfaces on which IGMP snooping is enabled....
Page 282
When you specify a value for vlan_id, the following information appears.

Output Description
VLAN ID: The VLAN ID.
IGMP Snooping Admin Mode: Indicates whether IGMP snooping is active on the VLAN.
Fast Leave Mode: Indicates whether IGMP snooping Fast-leave is active on the VLAN.
Page 283
Output Description
VLAN ID: The list of VLANs of which the interface is a member.

show igmpsnooping mrouter vlan
This command displays information about statically configured ports.
Format show igmpsnooping mrouter vlan slot/port
Mode Privileged EXEC

Output Description
Interface: The port on which multicast router information is being displayed.
Page 284
Output Description
Description: The text description of this multicast table entry.
Interfaces: The list of interfaces that are designated for forwarding (Fwd:) and filtering (Flt:).
IGMP Snooping Configuration Commands...
IGMP Snooping Querier Commands Introduction IGMP snooping requires that one central switch or router periodically query all end-devices on the network to announce their multicast memberships. This central device is the “IGMP Querier”. The IGMP query responses, known as IGMP reports, keep the switch updated with the current multicast group membership on a port-by-port basis.
Page 286
no set igmp querier This command disables IGMP snooping querier on the system. Use the optional address parameter to reset the querier address to 0.0.0.0. Format no set igmp querier [vlan-id] [address] Mode Global Config VLAN Mode set igmp querier This command sets the IGMP Querier Query Interval time.
Page 287
Mode Global Config

set igmp querier version
This command sets the IGMP version of the query that the snooping switch is going to send periodically.
Default
Format set igmp querier version 1–2
Mode Global Config

no set igmp querier version
This command sets the IGMP Querier version to its default value.
Format no set igmp querier version...
Page 288
Mode VLAN Config

show igmpsnooping querier
This command displays IGMP snooping querier information. Configured information is displayed whether or not IGMP snooping querier is enabled.
Format show igmpsnooping querier [{detail | vlan vlanid}]
Mode Privileged EXEC

When the optional argument vlanid is not used, the command displays the following information:...
Page 289
Output Description Indicates whether IGMP snooping querier is in VLAN Querier Operational state. When the switch is in Non-Querier Querier State state, it will send out periodic general queries. When in state, it will wait for moving to Non-Querier Querier state and does not send out any queries.
ISDP Commands

Introduction
This section describes the commands you use to configure the Industry Standard Discovery Protocol (ISDP).

isdp run
This command enables ISDP on the switch.
Default Enabled
Format isdp run
Mode Global Config

no isdp run
This command disables ISDP on the switch.
Format no isdp run
Mode...
Page 291
isdp advertise-v2
This command enables the sending of ISDP Version 2 packets from the device.
Default Enabled
Format isdp advertise-v2
Mode Global Config

no isdp advertise-v2
This command disables the sending of ISDP Version 2 packets from the device.
Format no isdp advertise-v2
Mode Global Config...
Page 292
Mode Privileged EXEC

show isdp
This command displays global ISDP settings.
Format show isdp
Mode Privileged EXEC

Output Description
Timer: The frequency with which this device sends ISDP packets. This value is given in seconds.
Hold Time: The length of time the receiving device should save information sent by this device.
Page 293
show isdp interface
This command displays ISDP settings for the specified interface.
Format show isdp interface {all | slot/port}
Mode Privileged EXEC

Output Description
Mode: ISDP mode enabled/disabled status for the interface(s).

show isdp entry
This command displays ISDP entries. If the device ID is specified, then only entries for that device are shown.
Page 294
Entry Last Changed Time
Version: The software version that the neighbor is running.

Example: The following shows example CLI display output for the command:
(CN1610)#show isdp neighbors detail
Device ID 0001f45f1bc0
Address(es):
IP Address: 10.27.7.57
Capability Router Trans Bridge Switch IGMP...
Page 295
Output Description
ISDP Packets Received: Total number of ISDP packets received.
ISDP Packets Transmitted: Total number of ISDP packets transmitted.
ISDPv1 Packets Received: Total number of ISDPv1 packets received.
ISDPv1 Packets Transmitted: Total number of ISDPv1 packets transmitted.
ISDPv2 Packets Received: Total number of ISDPv2 packets received.
Total number of ISDPv2 packets transmitted.
LLDP (802.1AB) Commands Introduction This section describes the commands you use to configure Link Layer Discovery Protocol (LLDP), which is defined in the IEEE 802.1AB specification. LLDP allows stations on an 802 LAN to advertise major capabilities and physical descriptions. The advertisements allow a network management system (NMS) to access and display this information.
Page 297
Format no lldp receive
Mode Interface Config

lldp timers
This command sets the timing parameters for local data transmission on ports enabled for LLDP. The interval-seconds determines the number of seconds to wait between transmitting local data LLDPDUs. The range is 1 to 32768 seconds. hold-value is the multiplier on the transmit interval that sets the TTL in local data LLDPDUs.
Page 298
Mode Interface Config

no lldp transmit-tlv
This command removes an optional TLV from the LLDPDUs. Use the command without parameters to remove all optional TLVs from the LLDPDU.
Format no lldp transmit-tlv [sys-desc] [sys-name] [sys-cap] [port-desc]
Mode Interface Config

lldp transmit-mgmt
This command includes transmission of the local system management address information in the LLDPDUs.
Page 299
Default disabled
Format no lldp notification
Mode Interface Config

lldp notification-interval
This command configures how frequently the system sends remote data change notifications. The interval parameter is the number of seconds to wait between sending notifications. The valid interval range is 5 to 3600 seconds.
Default
Format lldp notification-interval interval...
Page 300
show lldp
This command displays a summary of the current LLDP configuration.
Format show lldp
Mode Privileged EXEC

Output Description
Transmit Interval: How frequently the system transmits local data LLDPDUs, in seconds.
Transmit Hold Multiplier: The multiplier on the transmit interval that sets the TTL in local data LLDPDUs.
Page 301
Output Description
TLVs: Shows whether the interface sends optional TLVs in the LLDPDUs. The TLV codes can be 0 (Port Description), 1 (System Name), 2 (System Description), or 3 (System Capability).
Mgmt: Shows whether the interface transmits system management address information in the LLDPDUs.

show lldp statistics
This command displays the current LLDP traffic and remote table statistics for a specified interface or for all interfaces.
Page 302
Output Description
Receive Total: Total number of LLDP packets received on the port.
Discards: Total number of LLDP frames discarded on the port for any reason.
Errors: The number of invalid LLDP frames received on the port.
Ageouts: Total number of times a complete remote data entry was deleted for the port because the Time to Live interval expired.
Page 303
(CN1610)#show lldp remote-device all LLDP Remote Device Summary Local Interface RemID Chassis ID Port ID System Name ------- ------- -------------------- ------------------ ------ 00:FC:E3:90:01:0F 00:FC:E3:90:01:11 00:FC:E3:90:01:0F 00:FC:E3:90:01:12 00:FC:E3:90:01:0F 00:FC:E3:90:01:13 00:FC:E3:90:01:0F 00:FC:E3:90:01:14 00:FC:E3:90:01:0F 00:FC:E3:90:03:11 00:FC:E3:90:01:0F 00:FC:E3:90:04:11 0/10 0/11 0/12 --More-- or (q)uit show lldp remote–...
Page 304
Time To Live information received in the LLDPDU should be treated as valid information.

Example: The following shows example CLI display output for the command:
(CN1610)#show lldp remote-device detail 0/7
LLDP Remote Device Detail
Local Interface: 0/7
Page 305
Remote Identifier: 2
Chassis ID Subtype: MAC Address
Chassis ID: 00:FC:E3:90:01:0F
Port ID Subtype: MAC Address
Port ID: 00:FC:E3:90:01:11
System Name:
System Description:
Port Description:
System Capabilities Supported:
System Capabilities Enabled:
Time to Live: 24 seconds

show lldp local–
This command displays summary information about the advertised LLDP local device data.
Page 306
Output Description
Chassis ID Subtype: The type of identification used in the Chassis ID field.
Chassis ID: The chassis of the local device.
Port ID Subtype: The type of port on the local device.
Port ID: The port number that transmitted the LLDPDU.
The system name of the local device.
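The neighbor fields printed by show lldp remote-device detail can be compared against an inventory of the devices expected on each port, so that an unknown chassis on a switch port is noticed. The following Python is an added example, not part of the NetApp reference: the first sample block copies the output shown above, the second block and the EXPECTED inventory are constructed, and it assumes the outputs captured for several ports are concatenated into one text.

```python
import re

HEADER = "LLDP Remote Device Detail"

# Constructed sample. Block 1 mirrors the example output in this reference;
# block 2 (port 0/9) is invented to show a neighbor that is not in inventory.
SAMPLE = """\
(CN1610)#show lldp remote-device detail 0/7
LLDP Remote Device Detail
Local Interface: 0/7
Remote Identifier: 2
Chassis ID Subtype: MAC Address
Chassis ID: 00:FC:E3:90:01:0F
Port ID Subtype: MAC Address
Port ID: 00:FC:E3:90:01:11
System Name:
System Description:
Port Description:
System Capabilities Supported:
System Capabilities Enabled:
Time to Live: 24 seconds
(CN1610)#show lldp remote-device detail 0/9
LLDP Remote Device Detail
Local Interface: 0/9
Remote Identifier: 5
Chassis ID Subtype: MAC Address
Chassis ID: 02:00:00:aa:bb:cc
Port ID Subtype: MAC Address
Port ID: 02:00:00:AA:BB:01
System Name:
Time to Live: 120 seconds
"""

# Hypothetical inventory: local port -> chassis IDs allowed to appear there.
EXPECTED = {"0/7": ["00:FC:E3:90:01:0F"]}


def parse_lldp_detail(text):
    """Return one dict per neighbor block found in the captured text."""
    neighbors = []
    # Everything before the first header (prompts, banners) is discarded.
    for block in text.split(HEADER)[1:]:
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only: MAC values contain colons too.
            key, sep, value = line.partition(":")
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if not fields.get("Chassis ID"):
            continue  # block without a neighbor entry
        fields["Chassis ID"] = fields["Chassis ID"].upper()
        ttl = re.match(r"(\d+)", fields.get("Time to Live", ""))
        fields["ttl_seconds"] = int(ttl.group(1)) if ttl else None
        neighbors.append(fields)
    return neighbors


def unexpected_neighbors(neighbors, expected):
    """List (port, chassis_id) pairs that the inventory does not allow."""
    findings = []
    for n in neighbors:
        port = n.get("Local Interface", "?")
        allowed = {c.upper() for c in expected.get(port, ())}
        if n["Chassis ID"] not in allowed:
            findings.append((port, n["Chassis ID"]))
    return findings


if __name__ == "__main__":
    for port, chassis in unexpected_neighbors(parse_lldp_detail(SAMPLE), EXPECTED):
        print(f"unexpected LLDP neighbor on {port}: {chassis}")
```
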
LLDP-MED Commands Introduction Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) (ANSI-TIA-1057) provides an extension to the LLDP standard. Specifically, LLDP-MED provides extensions for network configuration and policy, device location, Power over Ethernet (PoE) management and inventory management. lldp med This command enables MED on an interface or a range of interfaces.
Page 308
lldp med transmit-tlv
This command specifies which optional Type Length Values (TLVs) in the LLDP-MED set will be transmitted in the Link Layer Discovery Protocol Data Units (LLDPDUs) from this interface or a range of interfaces.
Default By default, the capabilities and network policy TLVs are included.
Format lldp med transmit-tlv [capabilities] [ex-pd] [ex-pse] [inventory] [location] [network-policy]...
Page 309
lldp med faststartrepeatcount
This command sets the value of the fast start repeat count. [count] is the number of LLDP PDUs that will be transmitted when the product is enabled. The range is 1 to 10.
Default
Format lldp med faststartrepeatcount [count]
Mode...
Page 310
LLDP interfaces. Format show lldp med interface {slot/port | all} Mode Privileged Exec Example: The following shows example CLI display output for the command: (CN1610) #show lldp med interface all Interface Link configMED operMED ConfigNotify TLVsTx ---------...
Page 311
Mode Privileged EXEC Example: The following shows example CLI display output for the command: (CN1610) #show lldp med local-device detail 1/0/8 LLDP-MED Local Device Detail Interface: 1/0/8 Network Policies Media Policy Application Type : voice...
Page 313
Format show lldp med remote-device detail slot/port Mode Privileged EXEC Example: The following shows example CLI display output for the command: (CN1610) #show lldp med remote-device detail 1/0/8 LLDP-MED Remote Device Detail Local Interface: 1/0/8 Remote Identifier: 18 Capabilities MED Capabilities Supported: capabilities, networkpolicy, location,...
Link Local Protocol Filtering Commands

Introduction
Link Local Protocol Filtering (LLPF) allows the switch to filter out multiple proprietary protocol PDUs, such as Port Aggregation Protocol (PAgP), if problems occur with proprietary protocols running on standards-based switches. If certain protocol PDUs cause unexpected results, LLPF can be enabled to prevent those protocol PDUs from being processed by the switch.
Page 316
Output Description
Block SSTP: Shows whether the port blocks SSTP PDUs.
Block All: Shows whether the port blocks all proprietary PDUs available for the LLDP feature.
MAC Database Commands

Introduction
This section describes the commands you use to configure and view information about the Media Access Control (MAC) databases.

bridge aging-time
This command configures the forwarding database address aging timeout in seconds. The seconds parameter must be within the range of 10 to 1,000,000 seconds.
Page 318
Output Description
Agetime: In an IVL system, this parameter displays the address aging timeout for the associated forwarding database.

show mac-address-table multicast
This command displays the Multicast Forwarding Database (MFDB) information. If you enter the command with no parameter, the entire table is displayed.
Page 319
Output Description
Total Entries: The total number of entries that can possibly be in the Multicast Forwarding Database table.
Most MFDB Entries Ever Used: The largest number of entries that have been present in the Multicast Forwarding Database table. This value is also known as the MFDB high-water mark.
MLD Snooping Commands Introduction This section describes commands used for MLD snooping. In IPv4, Layer 2 switches can use IGMP Snooping to limit the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded only to those interfaces associated with IP multicast addresses.
Page 321
Format set mld vlanid
Mode Global Config
     Interface Config
     VLAN Mode

set mld interfacemode
This command enables MLD snooping on all interfaces. If an interface has MLD snooping enabled and you enable this interface for routing or enlist it as a member of a port channel (LAG), MLD snooping functionality is disabled on that interface.
Page 322
Default disabled Format set mld fast-leave vlanid Mode Interface Config VLAN Mode no set mld fast- This command disables MLD snooping fast-leave admin mode on a selected leave interface. Format no set mld fast-leave vlanid Mode Interface Config VLAN Mode set mld This command sets the MLD Group Membership Interval time on a VLAN, one groupmembership-...
Page 323
set mld maxresponse
This command sets the MLD Maximum Response time for the system, on a particular interface or VLAN. The Maximum Response time is the amount of time in seconds that a switch will wait after sending a query on an interface because it did not receive a report for a particular group in that interface.
Page 324
Format no set mld mcrtexpiretime vlanid Mode Global Config Interface Config set mld mrouter This command configures the VLAN ID for the VLAN that has the multicast router attached mode enabled. Format set mld mrouter vlanid Mode Interface Config no set mld mrouter This command disables multicast router attached mode for a VLAN with a particular VLAN ID.
Page 325
Format show mldsnooping [slot/port | vlanid]
Mode Privileged EXEC
When the optional arguments slot/port or vlanid are not used, the command displays the following information.

Output Description
Admin Mode: Indicates whether or not MLD snooping is active on the switch.
Interfaces on which MLD snooping is enabled.
Page 326
When you specify a value for vlanid, the following information appears.

Output Description
VLAN Admin Mode: Indicates whether MLD snooping is active on the VLAN.

show mldsnooping mrouter interface
This command displays information about statically configured multicast router attached interfaces.
Format show mldsnooping mrouter interface slot/port
Mode...
Page 327
Mode Privileged EXEC

Output Description
VLAN ID: The VLAN in which the MAC address is learned.
MAC Address: A multicast MAC address for which the switch has forwarding or filtering information. The format is 6 two-digit hexadecimal numbers that are separated by colons, for example, 01:23:45:67:89:AB.
MLD Snooping Querier Commands Introduction In an IPv6 environment, MLD snooping requires that one central switch or router periodically query all end-devices on the network to announce their multicast memberships. This central device is the MLD querier. The MLD query responses, known as MLD reports, keep the switch updated with the current multicast group membership on a port-by-port basis.
Page 329
Mode Global Config
     VLAN Mode

set mld querier query_interval
This command sets the MLD querier Query Interval time. It is the amount of time in seconds that the switch waits before sending another general query.
Default disabled
Format set mld querier query_interval 1-18000
Mode Global Config

no set mld querier...
Page 330
address is better (less) than the snooping querier’s address, it stops sending periodic queries. If the snooping querier wins the election, then it will continue sending periodic queries.
Default disabled
Format set mld querier election participate
Mode VLAN Config

no set mld querier election participate
This command sets the snooping querier not to participate in querier election but go into a non-querier mode as soon as it discovers the presence of another querier...
Page 331
When you specify a value for vlanid, the following information appears:

Output Description
VLAN Admin Mode: Indicates whether MLD snooping querier is active on the VLAN.
VLAN Operational State: Indicates whether MLD snooping querier is in “Querier” or “Non-Querier” state. When the switch is in Querier state, it will send out periodic general queries.
Port-Based Network Access Control Commands Introduction This section describes the commands you use to configure port-based network access control (IEEE 802.1X). Port-based network access control allows you to permit access to network services only to devices that are authorized and authenticated.
Page 333
clear radius statistics
This command clears all of the RADIUS statistics.
Format clear radius statistics
Mode Privileged EXEC

dot1x dynamic-vlan enable
This command enables the switch to create VLANs dynamically when a RADIUS-assigned VLAN does not exist in the switch.
Default disabled
Format...
Page 334
dot1x initialize
This command begins the initialization sequence on the specified port. This command is only valid if the control mode for the specified port is auto or MAC-based. If the control mode is not auto or MAC-based, an error will be returned.
Format dot1x initialize slot/port
Mode...
Page 335
no dot1x max-users
This command resets the maximum number of clients allowed per port to its default value.
Format no dot1x max-users count
Mode Interface Config

dot1x port-control
This command sets the authentication mode to use on the specified interface or range of interfaces.
Page 336
Default auto
Format dot1x port-control all {force-unauthorized | force-authorized | auto | mac-based}
Mode Global Config

no dot1x port-control all
This command sets the authentication mode on all ports to the default value.
Format no dot1x port-control all
Mode Global Config

dot1x re-...
Page 337
Mode Interface Config

dot1x system-auth-control
This command enables the dot1x authentication support on the switch. While disabled, the dot1x configuration is retained and can be changed, but is not activated.
Default disabled
Format dot1x system-auth-control
Mode Global Config

no dot1x system-
This command disables the dot1x authentication support on the switch.
Page 338
dot1x timeout
This command sets the value, in seconds, of the timer used by the authenticator state machine on an interface or range of interfaces.
Default guest-vlan-period: 90 seconds
        reauth-period: 3600 seconds
        quiet-period: 60 seconds
        tx-period: 30 seconds
        supp-timeout: 30 seconds
        server-timeout: 30 seconds
Format dot1x timeout {{guest-vlan-period seconds} |{reauth-...
Page 339
Tokens Description
quiet-period: The value, in seconds, of the timer used by the authenticator state machine on this port to define periods of time in which it will not attempt to acquire a supplicant. The quiet-period must be a value in the range 0 to 65535.
tx-period: The value, in seconds, of the timer used by the authenticator state machine on this port to determine...
Page 340
VLAN database to be operational. By default, the unauthenticated VLAN is 0, that is, invalid and not operational.
Default
Format dot1x unauthenticated-vlan vlan id
Mode Interface Config

no dot1x unauthenticated-
This command resets the unauthenticated VLAN associated with the port to its default value.
Page 341
Format users defaultlogin listname
Mode Global Config

users login
This command assigns the specified authentication login list to the specified user for system login. The user must be a configured user and the listname must be a configured login list. If the user is assigned a login list that requires remote authentication, all access to the interface from all CLI, web, and Telnet sessions will be blocked until the authentication is complete.
Page 342
show authentication methods
This command displays information about the authentication methods.
Format show authentication methods
Mode Privileged EXEC

Example: The following example displays the authentication configuration:
(CN1610)#show authentication methods
Login Authentication Method Lists
---------------------------------
defaultList local
Enable Authentication Method Lists
----------------------------------
enableList...
Page 343
show dot1x This command shows a summary of the global dot1x configuration, summary information of the dot1x configuration for a specified port or all ports, the detailed dot1x configuration for a specified port, and the dot1x statistics for a specified port, depending on the tokens used. Format show dot1x [{summary {slot/port | all} | detail slot/port | statistics slot/port]...
Page 344
Port Status: Indicates whether the port is authorized or unauthorized. Possible values are authorized | unauthorized

Example: The following shows example CLI display output for the command:
(CN1610)#show dot1x summary 0/1
                          Operating
Interface  Control Mode   Control Mode   Port Status
--------- ------------...
Page 345
Output Description
Authenticator PAE State: Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized. When MAC-based authentication is enabled on the port, this parameter is deprecated.
Backend Authentication: Current state of the backend authentication state machine.
Page 346
Output Description
Server Timeout: The timer used by the authenticator on this port to timeout the authentication server. The value is expressed in seconds and will be in the range of 1 to 65535.
Maximum Requests: The maximum number of times the authenticator state machine on this port will retransmit an EAPOL EAP Request/Identity before timing out the supplicant.
Page 347
This value is valid for the port only when the port control mode is not MAC-based.

Example: The following shows example CLI display output for the command:
(CN1610)#show dot1x detail 0/1
Port........... 0/1
Protocol Version....... 1
PAE Capabilities....... Supplicant
Control Mode........
Page 348
Output Description
Authenticator PAE State: Current state of the authenticator PAE state machine. Possible values are Initialize, Disconnected, Connecting, Authenticating, Authenticated, Aborting, Held, ForceAuthorized, and ForceUnauthorized.
Backend Authentication State: Current state of the backend authentication state machine. Possible values are Request, Response, Success, Fail, Timeout, Idle, and Initialize.
Page 349
Output Description
Response/Id Frames Received: The number of EAP response/identity frames that have been received by this authenticator.
EAP Response Frames Received: The number of valid EAP response frames (other than resp/id frames) that have been received by this authenticator.
EAP Request/Id Frames: The number of EAP request/identity frames that have...
Page 350
Output Description
Interface: Physical port on which the event occurs.
MAC-Address: The supplicant/client MAC address.
VLAN Assigned: The VLAN assigned to the client/port on authentication.
VLAN Assigned Reason: The type of VLAN ID assigned, which can be Guest VLAN, Unauth, Default, RADIUS Assigned, or Monitor Mode VLAN ID.
Page 351
Output Description
User Name: The user name used by the client to authenticate to the server.
Supplicant MAC Address: The supplicant device MAC address.
Session Time: The time since the supplicant is logged on.
Filter ID: Identifies the Filter ID returned by the RADIUS server when the client was authenticated.
Page 352
Mode Privileged EXEC

Output Description
Users: Users configured locally to have access to the specified port.
Port Channel/LAG (802.3ad) Commands Introduction This section describes the commands you use to configure port channels, which are defined in the 802.3ad specification, and that are also known as link aggregation groups (LAGs). Link aggregation allows you to combine multiple full-duplex Ethernet links into a single logical link.
Page 354
Format no port-channel {logical slot/port | all} Mode Global Config addport This command adds one port to the port channel (LAG). The first interface is a logical slot/port number of a configured port channel. You can add a range of ports by specifying the port range when you enter Interface Config mode (for example, interface 1/0/1-1/0/4...
Page 355
lacp admin key This command configures the administrative value of the key for the port channel. The value range of is 0 to 65535. This command can be used to configure a single interface or a range of interfaces. Note This command is applicable only to port channel interfaces.
Page 356
lacp actor admin This command configures the LACP actor admin parameters. Format lacp actor admin Mode Interface Config lacp actor admin This command configures the administrative value of the LACP actor admin key on an interface or range of interfaces. The valid range for is 0 to 65535.
Page 357
no lacp actor admin This command configures the default administrative values of actor state as state transmitted by the actor in LACPDUs. Format no lacp actor admin state {individual|longtimeout|passive} Mode Interface Config lacp actor admin This command sets the LACP actor admin state to individual. state individual Note This command is applicable only to physical interfaces.
Page 358
Note This command is applicable only to physical interfaces. Format no lacp actor admin state longtimeout Mode Interface Config lacp actor admin This command sets the LACP actor admin state to passive. state passive Note This command is applicable only to physical interfaces. Format lacp actor admin state passive Mode...
Page 359
Default 0x80 Format lacp actor port priority 0–255 Mode Interface Config no lacp actor port This command configures the default priority value assigned to the aggregation priority port. Format no lacp actor port priority Mode Interface Config lacp partner admin This command configures the administrative value of the key for the protocol partner.
Page 360
Note This command is applicable only to physical interfaces. Default 0x07 Format lacp partner admin state {individual|longtimeout|passive} Mode Interface Config no lacp partner This command configures the default current administrative value of the actor admin state state for the protocol partner. You can use this command to configure a single interface or a range of interfaces.
Page 361
Note This command is applicable only to physical interfaces. Format lacp partner admin state longtimeout Mode Interface Config no lacp partner This command sets the LACP partner admin state to short timeout. admin state Note longtimeout This command is applicable only to physical interfaces. Format no lacp partner admin state longtimeout Mode...
Page 362
Note This command is applicable only to physical interfaces. Default 0x80 Format lacp partner port-id port-id Mode Interface Config no lacp partner port This command sets the LACP partner port ID to the default. Format no lacp partner port-id Mode Interface Config lacp partner port This command configures the LACP partner port priority.
Page 363
lacp partner This command configures the 6-octet MAC Address value representing the system-id administrative value of the aggregation port’s protocol partner’s system ID. You can use this command to configure a single interface or a range of interfaces. The valid range of is 00:00:00:00:00:00–FF:FF:FF:FF:FF.
Page 364
Mode Interface Config

port-channel static
This command enables the static mode on a port channel (LAG) interface or range of interfaces. By default the static mode for a new port channel is disabled, which means the port channel is dynamic. However if the maximum number of allowable dynamic port channels are already present in the system, the static mode for a new port channel is enabled, which means the port channel is static. You can only use this command on port channel interfaces.
Page 365
Mode Interface Config port lacpmode all This command enables Link Aggregation Control Protocol (LACP) on all ports. Format port lacpmode all Mode Global Config no port lacpmode This command disables Link Aggregation Control Protocol (LACP) on all ports. Format no port lacpmode all Mode Global Config port lacptimeout...
Page 366
Format port lacptimeout {actor | partner} {long | short} Mode Global Config no port lacptimeout This command sets the timeout for all physical interfaces of a particular device (Global Config) type (actor or partner) back to their default values. Format no port lacptimeout {actor | partner} Mode Global Config...
Page 367
no port-channel This command disables link trap notifications for the port channel (LAG). The linktrap interface is a logical slot and port for a configured port channel. The option sets every configured port channel with the same administrative mode setting. Format no port-channel linktrap {logical slot/port | all} Mode...
Page 368
Parameter Description Destination IP and Destination TCP/UDP Port fields of the packet Source/Destination IP and source/destination TCP/UDP Port fields of the packet Global Config Mode only: The interface is a logical slot/port| all slot/port number of a configured port channel. applies the command to all currently configured port channels.
Page 369
port-channel system priority
This command configures port channel system priority. The valid range of priority is 0 to 65535.
Default 0x8000
Format port-channel system priority priority
Mode Global Config

no port-channel system priority
This command configures the default port channel system priority value.
Format no port-channel system priority...
Page 370
The following output parameters are displayed:

Output Description
System Priority: The administrative value of priority associated with the partner’s system ID.
System-ID: Represents the administrative value of the aggregation port’s protocol partner’s system ID.
Admin Key: The administrative value of the key for the protocol partner.
Page 371
Output Description
Type: The status designating whether a particular port channel (LAG) is statically or dynamically maintained.
  Static - The port channel is statically maintained.
  Dynamic - The port channel is dynamically maintained.
Mbr Ports: A listing of the ports that are members of this port channel (LAG), in slot/port notation.
Page 372
Output Description
Link-State: Shows whether the link is up or down.
Trap Flag: Shows whether trap flags are enabled or disabled.
Type: Shows whether the port channel is statically or dynamically maintained.
Mbr Ports: The members of this port channel.
Active Ports: The ports that are actively participating in the port channel.
{slot/port | slot/port(startrange)-slot/port(endrange)}
Mode Global Config

Example: The following example enters Interface Config mode for port 1/0/1:
(CN1610)#configure
(CN1610)(config)#interface 1/0/1
(CN1610)(interface 1/0/1)#

Example: The following example enters Interface Config mode for ports 1/0/1 through 1/0/4:
(CN1610)#configure
(CN1610)(config)#interface 1/0/1-1/0/4...
Page 374
Mode Interface Config no auto-negotiate This command disables automatic negotiation on a port. Note Automatic sensing is disabled when automatic negotiation is disabled. Format no auto-negotiate Mode Interface Config auto-negotiate all This command enables automatic negotiation on all ports. Default enabled Format auto-negotiate all...
Page 375
Use the mtu command to set the maximum transmission unit (MTU) size, in bytes, for frames that ingress or egress the interface. You can use the mtu command to configure jumbo frame support for physical and port channel (LAG) interfaces. For the standard FASTPATH implementation, the MTU size is a valid integer between 1522 to 9216 for tagged packets and a valid integer between 1518 to 9216 for untagged packets.
Page 376
Mode Interface Config

shutdown all
This command disables all ports.
Note You can use the shutdown all command on physical and port channel (LAG) interfaces, but not on VLAN routing interfaces.
Default enabled
Format shutdown all
Mode Global Config

no shutdown all
This command enables all ports.
Page 377
speed all This command lets you set the speed and duplex setting for all interfaces. Format speed all {100 | 10} {half-duplex | full-duplex} Mode Global Config Acceptable Values Description 100h 100BASE-T half duplex 100f 100BASE-T full duplex 10BASE-T half duplex 10BASE-T full duplex show port This command displays port information.
Page 378
Output Description
Admin Mode: The port control administration state. The port must be enabled in order for it to be allowed into the network. May be enabled or disabled. The factory default is enabled.
Physical Mode: The desired port speed and duplex mode. If auto-negotiation support is selected, then the duplex mode and speed is set from the auto-negotiation process.
Note Since the current version of CN1610 software only supports one session, if you do not supply optional parameters, the behavior of this command is similar to the behavior of the command.
Page 380
Mode Global Config no monitor This command removes all the source ports and a destination port and restores the default value for mirroring session mode for all the configured sessions. Note This is a standalone command. This command does not have a normal form. Default enabled Format...
Page 381
Output Description
Probe Port: Probe port (destination port) for the session identified with session-id. If the probe port is not set then this field is blank.
Source Port: The port, which is configured as a mirrored port (source port) for the session identified with session-id. If no source port is configured for the session then this field is...
Port Security Commands Introduction This section describes the commands you use to configure port security on the switch. Port security, which is also known as port MAC locking, allows you to secure the network by locking allowable MAC addresses on a given port. Packets with a matching source MAC address are forwarded normally, and all other packets are discarded.
Page 383
Mode Interface Config

no port-security max-dynamic
This command resets the maximum number of dynamically locked MAC addresses allowed on a specific port to its default value.
Format no port-security max-dynamic
Mode Interface Config

port-security max-static
This command sets the maximum number of statically locked MAC addresses allowed on a port.
Page 384
port-security mac-address move
This command converts dynamically locked MAC addresses to statically locked addresses for an interface or range of interfaces.
Format port-security mac-address move
Mode Interface Config

show port-security
This command displays the port security settings. If you do not use a parameter, the command displays the settings for the entire system.
Page 385
Mode Privileged EXEC

Output Description
MAC Address: MAC address of statically locked MAC.

show port-security violation
This command displays the source MAC address of the last packet discarded on a locked port.
Format show port-security violation slot/port
Mode Privileged EXEC

Output Description
MAC address of discarded packet on locked port.
Protected Ports Commands Introduction This section describes the commands you use to configure and view protected ports on a switch. Protected ports do not forward traffic to each other, even if they are on the same VLAN. However, protected ports can forward traffic to all unprotected ports in their group.
Page 387
Mode Global Config

switchport protected (Interface Config)
This command adds an interface to a protected port group. The groupid parameter identifies the set of protected ports to which this interface is assigned. You can only configure an interface as protected in one group.
Note Port protection occurs within a single switch.
Page 388
Output Description
Name: An optional name of the protected port group. The name can be up to 32 alphanumeric characters long, including blanks. The default is blank.
List of Physical Ports: List of ports, which are configured as protected for the group identified with .
Provisioning (IEEE 802.1p) Commands

Introduction
This section describes the commands you use to configure provisioning (IEEE 802.1p), which allows you to prioritize ports.

vlan port priority all
This command configures the port priority assigned for untagged packets for all ports presently plugged into the device. The range for the priority is 0 to 7. Any subsequent per port configuration will override this configuration setting.
Spanning Tree Protocol Commands

Introduction
This section describes the commands you use to configure Spanning Tree Protocol (STP). STP helps prevent network loops, duplicate messages, and network instability.
Note STP is enabled on the switch and on all ports and LAGs by default.
Note If STP is disabled, the system does not forward BPDU messages.
no spanning-tree auto-edge
This command sets the spanning-tree auto-edge command to false.
Format no spanning-tree auto-edge
Mode Interface Config

spanning-tree bpdufilter
This command enables BPDU Filter on an interface or range of interfaces.
Default disabled
Format spanning-tree bpdufilter
Mode Interface Config

no spanning-tree
This command disables BPDU Filter on an interface or range of interfaces.
Default disabled
Format spanning-tree bpduflood
Mode Interface Config

no spanning-tree bpduflood
This command disables BPDU Flood on an interface or range of interfaces.
Format no spanning-tree bpduflood
Mode Interface Config

spanning-tree bpduguard
This command enables BPDU Guard on the switch.
Default disabled
Format...
spanning-tree configuration name
This command sets the Configuration Identifier Name for use in identifying the configuration that this switch is currently using. The name is a string of up to 32 characters.
Default base MAC address in hexadecimal notation
Format spanning-tree configuration name name
Mode Global Config...
Format spanning-tree cost 1-200000000
Mode Interface Config

spanning-tree cost auto
This command sets the external path cost value automatically on the basis of the link speed.
Format spanning-tree cost auto
Mode Interface Config

spanning-tree edgeport
This command specifies that an interface (or range of interfaces) is an edge port within the common and internal spanning tree.
802.1s to specify that the switch transmits MST BPDUs (IEEE 802.1s functionality supported).
802.1w to specify that the switch transmits RST BPDUs rather than MST BPDUs (IEEE 802.1w functionality supported).

no spanning-tree forceversion
This command sets the Force Protocol Version parameter to the default value.
Format no spanning-tree forceversion...
Mode Interface Config

no spanning-tree guard
This command disables loop guard or root guard on the interface.
Format no spanning-tree guard
Mode Interface Config

spanning-tree hold-count
This command sets the Bridge Tx hold-count parameter to a new value for the common and internal spanning tree.
no spanning-tree max-age
This command sets the Bridge max-age parameter for the common and internal spanning tree to the default value.
Format no spanning-tree max-age
Mode Global Config

spanning-tree max-hops
This command sets the MSTP max-hops parameters to a new value for the common and internal spanning tree.
number in the range of 1 to 200000000 or auto. If you specify auto, the external path cost value is set based on Link Speed. If you specify the port-priority option, this command sets the priority for this port within a specific multiple spanning tree instance or the common and internal spanning tree instance, depending on the parameter.
Format no spanning-tree mst mstid {cost | external-cost | port-priority}
Mode Interface Config

spanning-tree mst instance
This command adds a multiple spanning tree instance to the switch. The mstid is a number within a range of 1 to 4094, which corresponds to the new instance ID to be added.
If 0 (defined as the default CIST ID) is passed as the mstid parameter, this command sets the bridge priority parameter for the common and internal spanning tree to the default value.
Format no spanning-tree mst priority mstid
Mode Global Config

spanning-tree mst
This command adds an association between a multiple spanning tree instance and vlan...
no spanning-tree port mode
This command sets the Administrative Switch Port State for this port to disabled.
Format no spanning-tree port mode
Mode Interface Config

spanning-tree port mode all
This command sets the Administrative Switch Port State for all ports to enabled.
Default enabled...
Output: Description
Bridge Priority: Specifies the bridge priority for the Common and Internal Spanning tree (CST). The value lies between 0 and 61440. It is displayed in multiples of 4096.
Bridge Identifier: The bridge identifier for the CST. It is made up using the bridge priority and the base MAC address of the bridge.
Output: Description
CST Regional Root: Bridge Identifier of the CST Regional Root. It is made up using the bridge priority and the base MAC address of the bridge.
Regional Root Path Cost: Path Cost to the CST Regional Root.
Associated FIDs: List of forwarding database identifiers currently associated with this instance.
Output: Description
Bridge Hold Time: Minimum time between transmission of Configuration Bridge Protocol Data Units (BPDUs).

show spanning-tree interface
This command displays the settings and parameters for a specific switch port within the common and internal spanning tree. The slot/port is the desired switch port.
Output: Description
Port Up Time Since Counters Last Cleared: Time since port was reset, displayed in days, hours, minutes, and seconds.
STP BPDUs Transmitted: Spanning Tree Protocol Bridge Protocol Data Units sent.
STP BPDUs Received: Spanning Tree Protocol Bridge Protocol Data Units received.
Format show spanning-tree mst port detailed mstid slot/port
Mode Privileged EXEC, User EXEC
Output: Description
MST Instance ID: The ID of the existing MST instance.
Port Identifier: The port identifier for the specified port within the selected MST instance. It is made up from the port priority and the interface number of the port.
Output: Description
Loop Inconsistent State: The current loop inconsistent state of this port in this MST instance. When in loop inconsistent state, the port has failed to receive BPDUs while configured with loop guard enabled. Loop inconsistent state maintains the port in a blocking state until a subsequent BPDU is received.
Output: Description
External Port Path Cost: The cost to get to the root bridge of the CIST across the boundary of the region. This means that if the port is a boundary port for an MSTP region, then the external path cost is used.
Designated Root: Identifier of the designated root for this port within the CST.
Output: Description
Transitions Into Loop Inconsistent State: The number of times this interface has transitioned into loop inconsistent state.
Transitions Out of Loop Inconsistent State: The number of times this interface has transitioned out of loop inconsistent state.

show spanning-tree mst port summary
This command displays the settings of one or all ports within the specified multiple spanning tree instance.
Output: Description
Desc: Indicates whether the port is in loop inconsistent state or not. This field is blank if the loop guard feature is not available.

show spanning-tree mst port summary
This command displays settings for the ports within the specified multiple spanning tree instance that are active links.
Mode Privileged EXEC, User EXEC
On execution, the following details are displayed:
Output: Description
MST Instance ID List: List of multiple spanning tree IDs currently configured.
For each MSTID:
Associated FIDs: List of forwarding database identifiers associated with this instance.
List of VLAN IDs associated with this instance.
Output: Description
Configuration Revision Level: Identifier used to identify the configuration currently being used.
Configuration Digest Key: A generated key used in the exchange of the BPDUs.
Configuration Format Selector: Specifies the version of the configuration format being used in the exchange of BPDUs. The default value is zero.
MAC filters supported is 20. For multicast MAC address filters with destination ports configured, the maximum number of static filters supported is 256. For the NetApp CN1610 switches, you can configure the following combinations: Unicast MAC and source port (max = 20)
vlanid parameter must identify a valid VLAN.
Format no macfilter macaddr vlanid
Mode Global Config

macfilter adddest
This command adds the interface or range of interfaces to the destination filter set for the MAC filter with the given and VLAN of .
no macfilter adddest all
This command removes all ports from the destination filter set for the MAC filter with the given macaddr and VLAN of vlanid. The macaddr parameter must be specified as a 6-byte hexadecimal number in the format of b1:b2:b3:b4:b5:b6. parameter must identify a valid VLAN.
vlanid parameter must identify a valid VLAN.
Format no macfilter addsrc all macaddr vlanid
Mode Global Config

show mac-address-table static
This command displays the static MAC filtering information for all static MAC filters. If you specify , all the static MAC filters in the system are displayed. If you supply a value for , you must also enter a value for , and the...
Output: Description
MAC Address: A unicast MAC address for which the switch has forwarding and/or filtering information. As the data is gleaned from the MFDB, the address will be a multicast address. The format is six 2-digit hexadecimal numbers that are separated by colons, for example, 01:23:45:67:89:AB.
Storm-Control Commands

Introduction
This section describes commands you use to configure storm-control and view storm-control configuration information. A traffic storm is a condition that occurs when incoming packets flood the LAN, which creates performance degradation in the network. The Storm-Control feature protects against this condition.
storm-control broadcast
This command enables broadcast storm recovery mode for a specific interface or range of interfaces. If the mode is enabled, broadcast storm recovery is active and, if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
Mode Interface Config

storm-control broadcast rate
This command configures the broadcast storm recovery threshold for an interface in packets per second. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic is dropped.
Mode Global Config

storm-control broadcast all level
This command configures the broadcast storm recovery threshold for all interfaces as a percentage of link speed and enables broadcast storm recovery. If the mode is enabled, broadcast storm recovery is active, and if the rate of L2 broadcast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
Format no storm-control broadcast all rate
Mode Global Config

storm-control multicast
This command enables multicast storm recovery mode for an interface or range of interfaces. If the mode is enabled, multicast storm recovery is active, and if the rate of L2 multicast traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
no storm-control multicast level
This command sets the multicast storm recovery threshold to the default value for an interface and disables multicast storm recovery.
Format no storm-control multicast level 0-100
Mode Interface Config

storm-control multicast rate
This command configures the multicast storm recovery threshold for an interface in packets per second.
no storm-control multicast all
This command disables multicast storm recovery mode for all interfaces.
Format no storm-control multicast all
Mode Global Config

storm-control multicast all level
This command configures the multicast storm recovery threshold for all interfaces as a percentage of link speed and enables multicast storm recovery mode.
no storm-control multicast all rate
This command sets the multicast storm recovery threshold to the default value for all interfaces and disables multicast storm recovery.
Format no storm-control multicast all rate
Mode Global Config

storm-control unicast
This command enables unicast storm recovery mode for an interface or range of interfaces.
no storm-control unicast level
This command sets the unicast storm recovery threshold to the default value for an interface and disables unicast storm recovery.
Format no storm-control unicast level
Mode Interface Config

storm-control unicast rate
This command configures the unicast storm recovery threshold for an interface in packets per second.
no storm-control unicast all
This command disables unicast storm recovery mode for all interfaces.
Format no storm-control unicast all
Mode Global Config

storm-control unicast all level
This command configures the unicast storm recovery threshold for all interfaces as a percentage of link speed, and enables unicast storm recovery. If the mode is enabled, unicast storm recovery is active, and if the rate of unknown L2 unicast (destination lookup failure) traffic ingressing on an interface increases beyond the configured threshold, the traffic will be dropped.
no storm-control unicast all rate
This command sets the multicast storm recovery threshold to the default value for an interface and disables multicast storm recovery.
Format no storm-control unicast all rate
Mode Global Config

storm-control flowcontrol
This command enables 802.3x flow control for the switch and applies only to full-duplex mode ports.
Failure) storm control level.
Example: The following shows example CLI display output for the command:
(CN1610)#show storm-control
802.3x Flow Control Mode....... Disable
Example: The following shows example CLI display output for the command:
(CN1610)#show storm-control 1/0/1
Bcast Bcast Mcast Mcast...
Example: The following shows an example of part of the CLI display output for the command:
(CN1610)#show storm-control all
       Bcast   Bcast    Mcast   Mcast    Ucast   Ucast
Intf   Mode    Level    Mode    Level    Mode    Level
------ ------- -------- ------- -------- ------- --------
1/0/1...
VLAN Commands

Introduction
This section describes the commands you use to configure VLAN settings.

vlan database
This command gives you access to the VLAN Config mode, which allows you to configure VLAN characteristics.
Format vlan database
Mode Privileged EXEC

network mgmt_vlan
This command configures the Management VLAN ID.
no vlan
This command deletes an existing VLAN. The ID is a valid VLAN identification number (ID 1 is reserved for the default VLAN). The VLAN range is 2 to 4093.
Format no vlan 2-4093
Mode VLAN Config

vlan acceptframe
This command sets the frame acceptance mode on an interface or range of interfaces.
no vlan ingressfilter
This command disables ingress filtering. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
Format vlan participation {exclude | include | auto} 1-4093
Mode Interface Config
Participation options are:
Parameter: Description
include: The interface is always a member of this VLAN. This is equivalent to registration fixed.
exclude: The interface is never a member of this VLAN. This is equivalent to registration forbidden.
Parameter: Description
exclude: The interface is never a member of this VLAN. This is equivalent to registration forbidden.
auto: The interface is dynamically registered in this VLAN by GVRP and will not participate in this VLAN unless a join request is received on this interface. This is equivalent to registration normal.
Mode Global Config

vlan port ingressfilter all
This command enables ingress filtering for all ports. If ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN.
vlan port tagging all
This command configures the tagging behavior for all interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
Mode Global Config

vlan protocol group add protocol
This command adds the protocol to the protocol-based VLAN identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can only be associated with one group. If adding a protocol to a group causes any conflicts with interfaces currently associated with the group, this command fails and the protocol is not added to the group.
no protocol group
This command removes the vlanid from this protocol-based VLAN group that is identified by this groupid.
Format no protocol group groupid vlanid
Mode VLAN Config

protocol vlan group
This command adds a physical interface or a range of interfaces to the protocol-based VLAN identified by .
no protocol vlan group all
This command removes all interfaces from this protocol-based VLAN group that is identified by this groupid.
Format no protocol vlan group all groupid
Mode Global Config

show port protocol
This command displays the Protocol-Based VLAN information for either the entire system, or for the indicated group.
Format no vlan pvid
Mode Interface Config

vlan tagging
This command configures the tagging behavior for a specific interface or range of interfaces in a VLAN to enabled. If tagging is enabled, traffic is transmitted as tagged frames. If tagging is disabled, traffic is transmitted as untagged frames. The ID is a valid VLAN identification number.
vlan association
This command associates a MAC address to a VLAN.
Format vlan association mac macaddr vlanid
Mode VLAN database

no vlan association
This command removes the association of a MAC address to a VLAN.
Format no vlan association mac macaddr
Mode VLAN database

show vlan...
Output: Description
Interface: slot/port It is possible to set the parameters for all ports by using the selectors on the top line.
Current: The degree of participation of this port in this VLAN. The permissible values are:
Include - This port is always a member of this VLAN.
show vlan internal usage
This command displays a list of all configured VLANs.
Format show vlan internal usage
Mode Privileged EXEC, User EXEC
Output: Description
Base VLAN ID: Identifies the base VLAN ID for internal allocation of VLANs to the routing interface.
Allocation Policy: Identifies whether the system allocates VLAN IDs in ascending or descending order.
show vlan port
This command displays VLAN port information.
Format show vlan port {slot/port|all}
Mode Privileged EXEC, User EXEC
Output: Description
Interface: slot/port. It is possible to set the parameters for all ports by using the selectors on the top line.
Port VLAN ID: The VLAN ID that this port will assign to untagged frames or priority tagged frames received on this...
Output: Description
Default Priority: The 802.1p priority assigned to tagged packets arriving on the port.

show vlan association subnet
This command displays the VLAN associated with a specific configured IP-Address and net mask. If no IP address and net mask are specified, the VLAN associations of all the configured IP-subnets are displayed.
Output: Description
VLAN ID: There is a VLAN Identifier (VID) associated with each VLAN.
Chapter 5: Switching Commands...
Voice VLAN Commands

Introduction
This section describes the commands you use for Voice VLAN. Voice VLAN enables switch ports to carry voice traffic with defined priority so as to enable separation of voice and data traffic coming onto the port. The benefit of using Voice VLAN is that the sound quality of an IP phone is safeguarded from deteriorating when the data traffic on the port is high.
Parameter: Description
vlanid: Configure the IP phone to forward all voice traffic through the specified VLAN. Valid VLAN IDs are from 1 to 4093 (the maximum supported by the platform).
dot1p: Configure the IP phone to use 802.1p priority tagging for voice traffic and to use the default native VLAN (VLAN 0) to carry all traffic.
When the interface is specified:
Output: Description
Voice VLAN Mode: The admin mode of the Voice VLAN on the interface.
Voice VLAN ID: The Voice VLAN ID.
Voice VLAN Priority: The dot1p priority for the Voice VLAN on the port.
The tagging option for the Voice VLAN traffic.
IPv6 Management Commands

About this chapter
This chapter describes the IPv6 commands available in the CN1610 CLI.

Topics in this chapter
This chapter includes the following sections:
“IPv6 Management Commands” on page 448

CAUTION
The commands in this chapter are in one of three functional groups:
Show commands display switch settings, statistics, and other information.
IPv6 Management Commands

Introduction
IPv6 Management commands allow a device to be managed via an IPv6 address in a switch or IPv4 routing (that is, independent from the IPv6 Routing package). For Routing/IPv6 builds of FASTPATH, dual IPv4/IPv6 operation over the service port is enabled.
no network ipv6 enable
This command disables IPv6 operation on the network port.
Format no network ipv6 enable
Mode Privileged EXEC

serviceport ipv6 address
Use the options of this command to manually configure IPv6 global address, enable/disable stateless global address autoconfiguration, and to enable/disable dhcpv6 client protocol information on the service port.
Use the command with the dhcp option to disable the dhcpv6 client protocol on the service port.
Format no serviceport ipv6 address {address/prefix-length [eui64] | autoconfig | dhcp}
Mode Privileged EXEC

serviceport ipv6 gateway
This command configures IPv6 gateway (for example, default routers) information for the service port.
Format network ipv6 address {address/prefix-length [eui64] | autoconfig | dhcp}
Mode Privileged EXEC
Parameter: Description
address: IPv6 prefix in IPv6 global address format.
prefix-length: IPv6 prefix length value.
eui64: Formulate IPv6 address in eui64 format.
autoconfig: Configure stateless global address autoconfiguration capability.
Mode Privileged EXEC
Parameter: Description
gateway-address: Gateway address in IPv6 global or link-local address format.

no network ipv6 gateway
This command removes IPv6 gateways on the network port interface.
Format no network ipv6 gateway
Mode Privileged EXEC

show network ndp
This command displays NDP cache information for the network port.
Example: The following shows example CLI display output for the command:
(CN1610) #show network ndp
                                             Neighbor Age
IPv6 Address          MAC Address    isRtr   State    Updated
--------------------- -------------- ------- -------- -----
3017::204:76FF:FE73:423A 00:04:76:73:42:3a Reachable 447535
FE80::204:76FF:FE73:423A 00:04:76:73:42:3a Delay 447540

show serviceport
This command displays service port configuration information.
Burned In MAC Address: The burned in MAC address used for in-band connectivity.
Example: The following shows example CLI display output for the service port:
(CN1610) #show serviceport
Interface Status....... Up
IP Address........10.230.3.51
Subnet Mask........255.255.255.0
Default Gateway........ 10.230.3.1
IPv6 Administrative Mode.......
show serviceport
This command displays the neighbor entries cached on the service port.
Default enabled
Format show serviceport ndp
Mode Privileged EXEC, User EXEC
Output: Description
IPv6 Address: The IPv6 address of the neighbor.
MAC Address: The MAC address of the neighbor.
The state of the neighbor cache entry.
with which the switch is connected through the default VLAN (VLAN 1), as long as there is a physical path between the switch and the workstation. The terminal interface sends three pings to the target station. Use the ipv6-address|hostname parameter to ping an interface by using the global IPv6 address of the interface. Use the optional keyword to specify the size of the ping packet.
Mode Privileged EXEC, User EXEC

traceroute ipv6
This command discovers the routes that packets actually take when traveling to their destination through the network on a hop-by-hop basis. The ipv6-address parameter must be a valid IPv6 address. The optional port parameter is the UDP port used as the destination of packets sent as part of the traceroute.
Total DHCPv6 Packets Transmitted: network interface.
Example: The following shows example CLI display output for this command:
(CN1610) #show network ipv6 dhcp statistics
DHCPv6 Client Statistics
-------------------------
DHCPv6 Advertisement Packets Received..0
DHCPv6 Reply Packets Received....0
Received DHCPv6 Advertisement Packets Discard.. 0
Received DHCPv6 Reply Packets Discarded..
Quality of Service Commands

About this chapter
This chapter describes the Quality of Service (QoS) commands available with the CN1610 CLI.

Topics in this chapter
This chapter includes the following sections:
“Auto-Voice over IP Commands” on page 462
“Class of Service Commands”...
Auto-Voice over IP Commands

Introduction
This section describes the commands you use to configure Auto-Voice over IP (VoIP). The Auto-VoIP feature explicitly matches VoIP streams in Ethernet switches and provides them with a better class-of-service than ordinary traffic. When you enable the Auto-VoIP feature on an interface, the interface scans incoming traffic for the following call-control protocols:
Session Initiation Protocol (SIP)
H.323...
no auto-voip
This command disables VoIP Profile on the interface.
Format no auto-voip all
Mode Interface Config

show auto-voip
This command displays the VoIP Profile settings on the interface or interfaces of the switch.
Format show auto-voip interface {slot/port | all}
Mode Privileged EXEC
Output...
Class of Service Commands

Introduction
This section describes the commands you use to configure and view Class of Service (CoS) settings for the switch. The commands in this section allow you to control the priority and transmission rate of traffic.
Note Commands you enter in the Interface Config mode only affect a single interface.
Format classofservice ip-dscp-mapping ipdscp trafficclass
Mode Global Config

no classofservice ip-dscp-mapping
This command maps each IP DSCP value to its default internal traffic class value.
Format no classofservice ip-dscp-mapping
Mode Global Config

classofservice trust
This command sets the class of service trust mode of an interface or range of interfaces.
cos-queue min-bandwidth
This command specifies the minimum transmission bandwidth guarantee for each interface queue on an interface, a range of interfaces, or all interfaces. The total number of queues supported per interface is platform specific. A value from 0 to 100 (percentage of link rate) must be specified for each supported queue, with 0 indicating no guaranteed minimum bandwidth.
no cos-queue random-detect
This command disables WRED, which restores the default tail drop operation for the specified queues on the interface.
Format no cos-queue random-detect queue-id-1 [queue-id-2 … queue-id-n]
Mode Global Config, Interface Config

cos-queue strict
This command activates the strict priority scheduler mode for each specified queue for an interface queue on an interface, a range of interfaces, or all interfaces.
When specified in Interface Config mode, this command affects a single interface only, whereas in Global Config mode, it applies to all interfaces. The Interface Config mode command is only available on platforms that support independent per-port class of service queue configuration.

no random-detect
This command disables WRED, which restores the default tail drop operation for all queues on the interface.
Parameter: Description
min-thresh: The minimum threshold is the queue depth (as a percentage) where WRED starts marking and dropping traffic.
max-thresh: The maximum threshold is the queue depth (as a percentage) above which WRED marks / drops all traffic.
drop-probability: The percentage probability that WRED will mark/drop a packet, when the queue depth is at the maximum threshold.
no traffic-shape
This command restores the interface shaping rate to the default value.
Format no traffic-shape
Mode Global Config, Interface Config

show classofservice dot1p-mapping
This command displays the current Dot1p (802.1p) priority mapping to internal traffic classes for a specific interface. The slot/port parameter is optional and is only valid on platforms that support independent per-port class of service mappings.
Output: Description
IP Precedence: The IP Precedence value.
Traffic Class: The traffic class internal queue identifier to which the IP Precedence value is mapped.

show classofservice ip-dscp-mapping
This command displays the current IP DSCP mapping to internal traffic classes for the global configuration settings.
Format show classofservice ip-dscp-mapping...
Output: Description
Non-IP Traffic Class: The traffic class used for non-IP traffic. This is only displayed when the CoS trust mode is set to trust IP Precedence or IP DSCP (on platforms that support IP DSCP).
Untrusted Traffic Class: The traffic class used for all untrusted traffic. This is only displayed when the CoS trust mode is set to...
If you specify the interface, the command also displays the following information:
Output: Description
Interface: The slot/port of the interface. If displaying the global configuration, this output line is replaced with a Global Config indication.
Interface Shaping Rate: The maximum transmission bandwidth limit for the interface as a whole.
Output: Description
WRED Drop Probability: The configured percentage probability that WRED will mark/drop a packet, when the queue depth is at the maximum threshold. (The drop probability increases linearly from 0 just before the minimum threshold, to this value at the maximum threshold, then goes to 100% for larger queue depths).
Differentiated Services Commands

Introduction
This section describes the commands you use to configure QoS Differentiated Services (DiffServ). You configure DiffServ in several stages by specifying three DiffServ components:
1. Class
a. Creating and deleting classes
b. Defining match criteria for a class
2.
The only way to remove an individual match criterion from an existing class definition is to delete the class and re-create it.
Note The mark possibilities for policing include CoS, IP DSCP, and IP precedence. While the latter two are only meaningful for IP packet types, CoS marking is allowed for both IP and non-IP packets, since it updates the 802.1p user priority field contained in the VLAN tag of the Layer 2 packet header.
DiffServ Class Commands

Introduction
Use the DiffServ commands to define traffic classification. To classify class traffic, specify Behavior Aggregate (BA), which is based on DSCP, and Multi-Field (MF) classes of traffic (name, match criteria). This set of commands consists of class creation/deletion and matching, with the class match commands specifying Layer 3, Layer 2, and general match criteria.
Note The CLI mode is changed to Class-Map Config when this command is successfully executed depending on the [{ipv4 | ipv6}] keyword specified.
Format class-map match-all class-map-name [{ipv4 | ipv6}]
Mode Global Config

no class-map
This command eliminates an existing DiffServ class. The class-map-name is the name of an existing DiffServ class.
match any This command adds to the specified class definition a match condition whereby all packets are considered to belong to the class. Default none Format match any Mode Class-Map Config match class-map This command adds to the specified class definition the set of match conditions defined for another class.
Page 484
Format no match class-map refclassname Mode Class-Map Config match cos This command adds to the specified class definition a match condition for the Class of Service (CoS) value (the only tag in a single tagged packet or the first or outer 802.1Q tag of a double VLAN tagged packet).
Page 485
match dstip This command adds to the specified class definition a match condition based on the destination IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits.
Page 486
Mode Class-Map Config match ip precedence This command adds to the specified class definition a match condition based on the value of the IP Precedence field in a packet, which is defined as the high-order three bits of the Service Type octet in the IP header (the low-order five bits are not checked).
Page 487
Mode Class-Map Config match protocol This command adds to the specified class definition a match condition based on the value of the IP Protocol field in a packet using a single keyword notation or a numeric value notation. To specify the match condition using a single keyword notation, the value for is one of the supported protocol name keywords.
Page 488
match srcip This command adds to the specified class definition a match condition based on the source IP address of a packet. The ipaddr parameter specifies an IP address. The ipmask parameter specifies an IP address bit mask and must consist of a contiguous set of leading 1 bits.
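The ipmask constraint stated for match dstip and match srcip (a contiguous set of leading 1 bits) can be checked offline before a class map is entered on the switch. The following is an added example, not part of the NetApp manual; the parameter order ipaddr ipmask, the class name storage-net and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed command layout: match {srcip|dstip} ipaddr ipmask
MATCH_RE = re.compile(r"^\s*match\s+(srcip|dstip)\s+(\S+)\s+(\S+)\s*$")
ALL_ONES = 0xFFFFFFFF


def prefix_len(mask_int):
    """Return the prefix length of a mask of contiguous leading 1 bits, else None."""
    inverted = ~mask_int & ALL_ONES
    # Leading 1s followed only by 0s <=> the inverted mask has the form 2**k - 1.
    if inverted & (inverted + 1):
        return None
    return 32 - inverted.bit_length()


def is_wildcard_style(mask_int):
    """True for masks such as 0.0.0.255: contiguous trailing 1 bits (inverse notation)."""
    return 0 < mask_int < ALL_ONES and (mask_int & (mask_int + 1)) == 0


def lint_class_map(lines):
    """Return (line_number, severity, message) for each suspect match srcip/dstip line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hit = MATCH_RE.match(line)
        if not hit:
            continue
        field, addr, mask = hit.groups()
        try:
            ip_int = int(ipaddress.IPv4Address(addr))
            mask_int = int(ipaddress.IPv4Address(mask))
        except ValueError as exc:
            findings.append((lineno, "error", f"{field}: {exc}"))
            continue
        prefix = prefix_len(mask_int)
        if prefix is None:
            hint = "; looks like an inverse (wildcard) mask" if is_wildcard_style(mask_int) else ""
            findings.append((lineno, "error",
                             f"{field} mask {mask} is not contiguous leading 1 bits{hint}"))
            continue
        if ip_int & ~mask_int & ALL_ONES:
            net = ipaddress.ip_network((ip_int & mask_int, prefix))
            findings.append((lineno, "warn",
                             f"{field} {addr} has bits set outside the mask; masked value is {net}"))
    return findings


# Constructed sample class map (name and addresses are illustrative only).
SAMPLE = [
    "class-map match-all storage-net ipv4",
    "match dstip 10.1.2.0 255.255.255.0",   # valid /24
    "match srcip 10.1.2.0 0.0.0.255",       # inverse mask entered by mistake
    "match srcip 192.168.0.0 255.0.255.0",  # non-contiguous mask
    "match dstip 10.1.2.77 255.255.255.0",  # host bits set under a /24 mask
]

if __name__ == "__main__":
    for finding in lint_class_map(SAMPLE):
        print(*finding)
```

An inverse mask is the most common way to violate the constraint, which is why the checker names it separately from other non-contiguous masks.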
Page 489
Default none Format match vlan 0-4095 Mode Class-Map Config match secondary-vlan This command adds to the specified class definition a match condition based on the value of the Layer 2 secondary VLAN Identifier field (the inner 802.1Q tag of a double VLAN tagged packet).
DiffServ Policy Commands Introduction Use the DiffServ policy commands to specify traffic conditioning actions, such as policing and marking, to apply to traffic classes. Use the policy commands to associate a traffic class that you define by using the class command set with one or more QoS policy attributes. Assign the class/policy association to an interface to form a service.
Page 491
drop This command specifies that all packets for the associated traffic stream are to be dropped at ingress. Format drop Mode Policy-Class-Map Config Incompatibilities Assign Queue, Mark (all forms), Mirror, Police, Redirect mirror This command specifies that all incoming packets for the associated traffic stream are copied to a specific egress interface (physical port or LAG).
Page 492
class This command creates an instance of a class definition within the specified policy for the purpose of defining treatment of the traffic class through subsequent policy attribute statements. The classname is the name of an existing DiffServ class. Note This command causes the specified policy to create a reference to the class definition.
Page 493
Policy-Class-Map Config Incompatibilities Drop, Mark IP DSCP, IP Precedence, Police Example: The following shows an example of this command: (CN1610) (Config-policy-classmap)#mark cos-as-sec-cos mark ip-dscp This command marks all packets for the associated traffic stream with the specified IP DSCP value.
Page 494
Incompatibilities Drop, Mark CoS, Mark IP Precedence, Police Policy Type police-simple This command establishes the traffic policing style for the specified class. The simple form of the police command uses a single data rate and burst size, resulting in two outcomes: conform and violate. The conforming data rate is specified in kilobits-per-second (Kbps) and is an integer from 1 to 4294967295.
Page 495
(CN1610) (Config-policy-classmap)#police-simple 1 128 conform-action transmit violate-action drop
police-single-rate This command is the single-rate form of the police command and is used to establish the traffic policing style for the specified class. For each outcome, the only possible actions are...
Page 497
policy-map rename This command changes the name of a DiffServ policy. The policyname is the name of an existing DiffServ class. The newpolicyname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy. Format policy-map rename policy-name newpolicyname Mode Global Config...
DiffServ Service Commands Introduction Use the DiffServ service commands to assign a DiffServ traffic conditioning policy, which you specified by using the policy commands, to an interface in the incoming direction. These commands attach a defined policy to a directional interface. You can assign only one policy at any one time to an interface in the inbound direction.
Page 499
Note This command causes a service to remove its reference to the policy. This command effectively disables DiffServ on an interface in the inbound direction. There is no separate interface administrative mode command for DiffServ. Format no service-policy in policymapname Modes Global Config Interface Config...
DiffServ Show Commands Introduction Use the DiffServ show commands to display configuration and status information for classes, policies, and services. You can display DiffServ information in summary or detailed formats. The status information is only shown when the DiffServ administrative mode is enabled. show class-map This command displays all configuration information for the specified class.
Page 501
Output Description
Class Name: The name of this class. (Note that the order in which classes are displayed is not necessarily the same order in which they were created.)
Class Type: A class type of means every match criterion defined for the class is evaluated simultaneously and must all be true to indicate a class match.
Page 502
Output Description Maximum allowed entries (rows) for the Policy Policy Instance Table Instance Table. Current number of entries (rows) in the Policy Policy Attribute Table Size Attribute Table. Maximum allowed entries (rows) for the Policy Policy Attribute Table Attribute Table. The current number of entries (rows) in the Service Table Size Service Table.
Page 503
Output Description
Conform Action: The current setting for the action taken on a packet considered to conform to the policing parameters. This is not displayed if policing is not in use for the class under this policy.
Conform Color Mode: The current setting for the color mode. Policing uses either color blind or color aware mode.
Page 504
(physical port or LAG). This can occur in addition to any marking or policing action. It may also be specified along with a QoS queue assignment. This field does not display on CN1610 switches. The current setting for the action taken on a packet considered to...
Page 505
Members Example: The following shows example CLI display output including the mark-cos-as-sec-cos option specified in the policy action:
(CN1610) #show policy-map p1
Policy Name........p1
Policy Type........In
Class Name........c1
Mark CoS as Secondary CoS...... Yes
Example: The following shows example CLI display output including the...
Page 506
Mode Privileged EXEC
Output Description
DiffServ Admin Mode: The current setting of the DiffServ administrative mode. An attached policy is only in effect on an interface while DiffServ is in an enabled mode.
Interface: slot/port
Direction: The traffic direction of this interface service, inbound or outbound.
Page 507
Output Description
OperStatus: The current operational status of this DiffServ service interface.
Policy Name: The name of the policy attached to the interface in the indicated direction.
show policy-map interface This command displays policy-oriented statistics information for the specified interface and direction. The slot/port parameter specifies a valid interface for the system.
Page 508
Format show service-policy [in|out] Mode Privileged EXEC The following information is repeated for each interface and direction (only those interfaces configured with an attached policy are shown):
Output Description
Interface: slot/port
Operational Status: The current operational status of this DiffServ service interface.
Policy Name: The name of the policy attached to the interface.
ACLs, regardless of type. The maximum number of rules per IP ACL is hardware dependent. On CN1610 switches, if you configure a MAC ACL on an interface, you cannot configure an IP ACL on the same interface.
Page 511
, which is the queue identifier [assign- assign-queue queue queue- to which packets matching this rule are assigned. For CN1610 switches, specifies the mirror or redirect [{mirror | redirect} interface which is the slot/port to which packets matching slot/port] this rule are copied or forwarded, respectively. The...
Page 512
ip access-list This command creates an extended IP Access Control List (ACL) identified by name, consisting of classification fields defined for the IP header of an IPv4 frame. The name parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IP access list.
Page 513
{deny|permit} (IP ACL) This command creates a new rule for the current IP access list. Each rule is appended to the list of configured rules for the list. Note The no form of this command is not supported, since the rules within an IP ACL cannot be deleted individually.
Page 514
ip access-group This command either attaches a specific IP Access Control List (ACL) identified by accesslistnumber to an interface, range of interfaces, or all interfaces; or associates it with a VLAN ID in a given direction. The name parameter is the name of the ACL.
Page 515
acl-trapflags This command enables the ACL trap mode. Default disabled Format acl-trapflags Mode Global Config no acl-trapflags This command disables the ACL trap mode. Format no acl-trapflags Mode Global Config show ip access-lists This command displays summary information about all IP ACLs configured on the switch.
Page 516
If you specify an IP ACL number or name, the following information displays: Note Only the access list fields that you configure are displayed.
Output Description
Rule Number: The number identifier for each rule that is defined for the IP ACL.
Page 517
Output Description
Mirror Interface: The slot/port to which packets matching this rule are copied.
Redirect Interface: The slot/port to which packets matching this rule are forwarded.
Time Range Name: Displays the name of the time-range if the IP ACL rule has referenced a time range.
Page 518
Output Description –Display Access List information for a in|out particular interface in the direction. –Display Access List information for a particular interface in the direction. show access-lists This command displays Access List information for a particular VLAN ID and vlan direction.
IPv6 Access Control List Commands Introduction This section describes the commands you use to configure IPv6 Access Control List (ACL) settings. IPv6 ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources.
Page 520
ipv6 access-list rename This command changes the name of an IPv6 ACL. The name parameter is the name of an existing IPv6 ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the IPv6 access list.
Page 521
The assign-queue parameter is valid only for a permit rule. For the CN1610 switch, the mirror parameter allows the traffic matching this rule to be copied to the specified slot/port, while the redirect parameter allows the traffic matching this rule to be forwarded to the specified slot/port.
Page 522
no ipv6 traffic-filter This command removes an IPv6 ACL identified by name from the interface(s) in a given direction. Format no ipv6 traffic-filter name [vlan vlan-id] in [sequence 1-4294967295] Modes Global Config Interface Config show ipv6 access-lists This command displays an IPv6 access list and all of the rules that are defined for the IPv6 ACL.
Page 523
Output Description
Mirror Interface: The slot/port to which packets matching this rule are copied.
Redirect Interface: The slot/port to which packets matching this rule are forwarded.
Time Range Name: Displays the name of the time-range if the IPv6 ACL rule has referenced a time range.
The system supports only Ethernet II frame types. The maximum number of rules per MAC ACL is hardware-dependent. For the CN1610 switch, if you configure an IP ACL on an interface, you cannot configure a MAC ACL on the same interface.
Page 525
mac access-list extended rename This command changes the name of a MAC Access Control List (ACL). The name parameter is the name of an existing MAC ACL. The newname parameter is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the MAC access list.
Page 526
The assign-queue parameter is valid only for a permit rule. For the CN1610 switch, the mirror parameter allows the traffic matching this rule to be copied to the specified slot/port, while the redirect parameter allows the traffic matching this rule to be forwarded to the specified slot/port.
Page 527
Note The special command form {deny | permit} any any is used to match all Ethernet Layer 2 packets, and is the equivalent of the IP access list match every rule. Format {deny|permit} {srcmac | any} {dstmac | any} [ethertypekey | 0x0600-0xFFFF] [vlan {eq 0-4095}] [cos 0-7] [[log] [time-range time-range-name] [assign-queue queue-id]] [{mirror | redirect} slot/port] Mode...
Page 528
Displays when you enable logging for the rule.
Assign Queue: The queue identifier to which packets matching this rule are assigned.
Mirror Interface: On CN1610 switches, the slot/port to which packets matching this rule are copied.
Page 529
Output Description
Redirect Interface: On CN1610 switches, the slot/port to which packets matching this rule are forwarded.
Time Range Name: Displays the name of the time-range if the MAC ACL rule has referenced a time range.
Status (Active/Inactive) of the MAC ACL rule.
Time Range Commands for Time-Based ACLs Introduction Time-based ACLs allow one or more rules within an ACL to be based on time. Each ACL rule within an ACL except for the implicit deny all rule can be configured to be active and operational only during a specific time period. The time range commands allow you to define specific times of the day and week in order to implement time-based ACLs.
Page 531
absolute This command adds an absolute time entry to a time range. Only one absolute time entry is allowed per time range. The time parameter is based on the currently configured time zone. The [start time date] parameters indicate the time and date at which the configuration that referenced the time range starts going into effect.
Page 532
The first occurrence of the time argument is the starting hours:minutes at which the configuration that referenced the time range starts going into effect. The second occurrence is the ending hours:minutes at which the configuration that referenced the time range is no longer in effect. The hours:minutes are expressed in a 24-hour clock.
Page 533
Mode Privileged EXEC show time-range This command displays a time range and all the absolute/periodic time entries that are defined for the time range. Use the name parameter to identify a specific time range to display. When name is not specified, all the time ranges defined in the system are displayed.